From: "Zhang, Shenglei"
To: devel@edk2.groups.io
Cc: Chao Zhang, Jiewen Yao, Jian Wang
Subject: [edk2-devel] [PATCH] SecurityPkg/DxeDeferImageLoadLib: Remove DxeDeferImageLoadLib
Date: Thu, 20 Jun 2019 09:30:54 +0800
Message-Id: <20190620013054.1960-1-shenglei.zhang@intel.com>

The library DxeDeferImageLoadLib supports the UID feature and it conflicts with the driver SecurityStubDxe (Defer3rdPartyImageLoad.c). And the UID feature is dropped. So it should be removed from SecurityPkg.

https://bugzilla.tianocore.org/show_bug.cgi?id=1919

Cc: Chao Zhang
Cc: Jiewen Yao
Cc: Jian Wang
Signed-off-by: Shenglei Zhang Reviewed-by: Jian J Wang Reviewed-by: jiewen.yao@intel.com --- .../DxeDeferImageLoadLib.c | 927 ------------------ .../DxeDeferImageLoadLib.h | 99 -- .../DxeDeferImageLoadLib.inf | 63 -- .../DxeDeferImageLoadLib.uni | 18 - SecurityPkg/SecurityPkg.dsc | 1 - 5 files changed, 1108 deletions(-) delete mode 100644 SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageL= oadLib.c delete mode 100644 SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageL= oadLib.h delete mode 100644 SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageL= oadLib.inf delete mode 100644 SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageL= oadLib.uni diff --git a/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.= c b/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.c deleted file mode 100644 index a6a3fe3cfc68..000000000000 --- a/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.c +++ /dev/null @@ -1,927 +0,0 @@ -/** @file - Implement defer image load services for user identification in UEFI2.2. - -Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
-SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#include "DxeDeferImageLoadLib.h" - -// -// Handle for the Deferred Image Load Protocol instance produced by this d= river. -// -EFI_HANDLE mDeferredImageHandle =3D NULL; -BOOLEAN mIsProtocolInstalled =3D FALSE; -EFI_USER_MANAGER_PROTOCOL *mUserManager =3D NULL; -DEFERRED_IMAGE_TABLE mDeferredImage =3D { - 0, // Deferred image count - NULL // The deferred image info -}; - -EFI_DEFERRED_IMAGE_LOAD_PROTOCOL gDeferredImageLoad =3D { - GetDefferedImageInfo -}; - -/** - Get the image type. - - @param[in] File This is a pointer to the device path of the file - that is being dispatched. - - @return UINT32 Image Type - -**/ -UINT32 -GetFileType ( - IN CONST EFI_DEVICE_PATH_PROTOCOL *File - ) -{ - EFI_STATUS Status; - EFI_HANDLE DeviceHandle; - EFI_DEVICE_PATH_PROTOCOL *TempDevicePath; - EFI_BLOCK_IO_PROTOCOL *BlockIo; - - // - // First check to see if File is from a Firmware Volume - // - DeviceHandle =3D NULL; - TempDevicePath =3D (EFI_DEVICE_PATH_PROTOCOL *)File; - Status =3D gBS->LocateDevicePath ( - &gEfiFirmwareVolume2ProtocolGuid, - &TempDevicePath, - &DeviceHandle - ); - if (!EFI_ERROR (Status)) { - Status =3D gBS->OpenProtocol ( - DeviceHandle, - &gEfiFirmwareVolume2ProtocolGuid, - NULL, - NULL, - NULL, - EFI_OPEN_PROTOCOL_TEST_PROTOCOL - ); - if (!EFI_ERROR (Status)) { - return IMAGE_FROM_FV; - } - } - - // - // Next check to see if File is from a Block I/O device - // - DeviceHandle =3D NULL; - TempDevicePath =3D (EFI_DEVICE_PATH_PROTOCOL *)File; - Status =3D gBS->LocateDevicePath ( - &gEfiBlockIoProtocolGuid, - &TempDevicePath, - &DeviceHandle - ); - if (!EFI_ERROR (Status)) { - BlockIo =3D NULL; - Status =3D gBS->OpenProtocol ( - DeviceHandle, - &gEfiBlockIoProtocolGuid, - (VOID **) &BlockIo, - NULL, - NULL, - EFI_OPEN_PROTOCOL_GET_PROTOCOL - ); - if (!EFI_ERROR (Status) && BlockIo !=3D NULL) { - if (BlockIo->Media !=3D NULL) { - if (BlockIo->Media->RemovableMedia) { - // - // Block I/O is present and 
specifies the media is removable - // - return IMAGE_FROM_REMOVABLE_MEDIA; - } else { - // - // Block I/O is present and specifies the media is not removable - // - return IMAGE_FROM_FIXED_MEDIA; - } - } - } - } - - // - // File is not in a Firmware Volume or on a Block I/O device, so check t= o see if - // the device path supports the Simple File System Protocol. - // - DeviceHandle =3D NULL; - TempDevicePath =3D (EFI_DEVICE_PATH_PROTOCOL *)File; - Status =3D gBS->LocateDevicePath ( - &gEfiSimpleFileSystemProtocolGuid, - &TempDevicePath, - &DeviceHandle - ); - if (!EFI_ERROR (Status)) { - // - // Simple File System is present without Block I/O, so assume media is= fixed. - // - return IMAGE_FROM_FIXED_MEDIA; - } - - // - // File is not from an FV, Block I/O or Simple File System, so the only = options - // left are a PCI Option ROM and a Load File Protocol such as a PXE Boot= from a NIC. - // - TempDevicePath =3D (EFI_DEVICE_PATH_PROTOCOL *)File; - while (!IsDevicePathEndType (TempDevicePath)) { - switch (DevicePathType (TempDevicePath)) { - - case MEDIA_DEVICE_PATH: - if (DevicePathSubType (TempDevicePath) =3D=3D MEDIA_RELATIVE_OFFSET_= RANGE_DP) { - return IMAGE_FROM_OPTION_ROM; - } - break; - - case MESSAGING_DEVICE_PATH: - if (DevicePathSubType(TempDevicePath) =3D=3D MSG_MAC_ADDR_DP) { - return IMAGE_FROM_REMOVABLE_MEDIA; - } - break; - - default: - break; - } - TempDevicePath =3D NextDevicePathNode (TempDevicePath); - } - return IMAGE_UNKNOWN; -} - - -/** - Get current user's access right. - - @param[out] AccessControl Points to the user's access control data, the - caller should free data buffer. - @param[in] AccessType The type of user access control. 
- - @retval EFI_SUCCESS Get current user access control successfully - @retval others Fail to get current user access control - -**/ -EFI_STATUS -GetAccessControl ( - OUT EFI_USER_INFO_ACCESS_CONTROL **AccessControl, - IN UINT32 AccessType - ) -{ - EFI_STATUS Status; - EFI_USER_INFO_HANDLE UserInfo; - EFI_USER_INFO *Info; - UINTN InfoSize; - EFI_USER_INFO_ACCESS_CONTROL *Access; - EFI_USER_PROFILE_HANDLE CurrentUser; - UINTN CheckLen; - EFI_USER_MANAGER_PROTOCOL *UserManager; - - CurrentUser =3D NULL; - Status =3D gBS->LocateProtocol ( - &gEfiUserManagerProtocolGuid, - NULL, - (VOID **) &UserManager - ); - if (EFI_ERROR (Status)) { - return EFI_NOT_FOUND; - } - - // - // Get current user access information. - // - UserManager->Current (UserManager, &CurrentUser); - - UserInfo =3D NULL; - Info =3D NULL; - InfoSize =3D 0; - while (TRUE) { - // - // Get next user information. - // - Status =3D UserManager->GetNextInfo (UserManager, CurrentUser, &UserIn= fo); - if (EFI_ERROR (Status)) { - return Status; - } - - Status =3D UserManager->GetInfo ( - UserManager, - CurrentUser, - UserInfo, - Info, - &InfoSize - ); - if (Status =3D=3D EFI_BUFFER_TOO_SMALL) { - if (Info !=3D NULL) { - FreePool (Info); - } - Info =3D AllocateZeroPool (InfoSize); - ASSERT (Info !=3D NULL); - Status =3D UserManager->GetInfo ( - UserManager, - CurrentUser, - UserInfo, - Info, - &InfoSize - ); - } - - if (EFI_ERROR (Status)) { - break; - } - - ASSERT (Info !=3D NULL); - if (Info->InfoType !=3D EFI_USER_INFO_ACCESS_POLICY_RECORD) { - continue; - } - - // - // Get specified access information. 
- // - CheckLen =3D 0; - while (CheckLen < Info->InfoSize - sizeof (EFI_USER_INFO)) { - Access =3D (EFI_USER_INFO_ACCESS_CONTROL *) ((UINT8 *) (Info + 1) + = CheckLen); - if (Access->Type =3D=3D AccessType) { - *AccessControl =3D AllocateZeroPool (Access->Size); - ASSERT (*AccessControl !=3D NULL); - CopyMem (*AccessControl, Access, Access->Size); - FreePool (Info); - return EFI_SUCCESS; - } - CheckLen +=3D Access->Size; - } - } - - if (Info !=3D NULL) { - FreePool (Info); - } - return EFI_NOT_FOUND; -} - -/** - Get file name from device path. - - The file name may contain one or more device path node. Save the file na= me in a - buffer if file name is found. The caller is responsible to free the buff= er. - - @param[in] DevicePath A pointer to a device path. - @param[out] FileName The callee allocated buffer to save the file = name if file name is found. - @param[out] FileNameOffset The offset of file name in device path if fil= e name is found. - - @retval UINTN The file name length. 0 means file name is no= t found. - -**/ -UINTN -GetFileName ( - IN CONST EFI_DEVICE_PATH_PROTOCOL *DevicePath, - OUT UINT8 **FileName, - OUT UINTN *FileNameOffset - ) -{ - UINTN Length; - EFI_DEVICE_PATH_PROTOCOL *TmpDevicePath; - EFI_DEVICE_PATH_PROTOCOL *RootDevicePath; - CHAR8 *NodeStr; - UINTN NodeStrLength; - CHAR16 LastNodeChar; - CHAR16 FirstNodeChar; - - // - // Get the length of DevicePath before file name. - // - Length =3D 0; - RootDevicePath =3D (EFI_DEVICE_PATH_PROTOCOL *)DevicePath; - while (!IsDevicePathEnd (RootDevicePath)) { - if ((DevicePathType(RootDevicePath) =3D=3D MEDIA_DEVICE_PATH) && (Devi= cePathSubType(RootDevicePath) =3D=3D MEDIA_FILEPATH_DP)) { - break; - } - Length +=3D DevicePathNodeLength (RootDevicePath); - RootDevicePath =3D NextDevicePathNode (RootDevicePath); - } - - *FileNameOffset =3D Length; - if (Length =3D=3D 0) { - return 0; - } - - // - // Get the file name length. 
- // - Length =3D 0; - TmpDevicePath =3D RootDevicePath; - while (!IsDevicePathEnd (TmpDevicePath)) { - if ((DevicePathType(TmpDevicePath) !=3D MEDIA_DEVICE_PATH) || (DeviceP= athSubType(TmpDevicePath) !=3D MEDIA_FILEPATH_DP)) { - break; - } - Length +=3D DevicePathNodeLength (TmpDevicePath) - sizeof (EFI_DEVICE_= PATH_PROTOCOL); - TmpDevicePath =3D NextDevicePathNode (TmpDevicePath); - } - if (Length =3D=3D 0) { - return 0; - } - - *FileName =3D AllocateZeroPool (Length); - ASSERT (*FileName !=3D NULL); - - // - // Copy the file name to the buffer. - // - Length =3D 0; - LastNodeChar =3D '\\'; - TmpDevicePath =3D RootDevicePath; - while (!IsDevicePathEnd (TmpDevicePath)) { - if ((DevicePathType(TmpDevicePath) !=3D MEDIA_DEVICE_PATH) || (DeviceP= athSubType(TmpDevicePath) !=3D MEDIA_FILEPATH_DP)) { - break; - } - - FirstNodeChar =3D (CHAR16) ReadUnaligned16 ((UINT16 *)((UINT8 *)TmpDev= icePath + sizeof (EFI_DEVICE_PATH_PROTOCOL))); - NodeStr =3D (CHAR8 *)TmpDevicePath + sizeof (EFI_DEVICE_PATH_PROTOCOL); - NodeStrLength =3D DevicePathNodeLength (TmpDevicePath) - sizeof (EFI_D= EVICE_PATH_PROTOCOL) - sizeof(CHAR16); - - if ((FirstNodeChar =3D=3D '\\') && (LastNodeChar =3D=3D '\\')) { - // - // Skip separator "\" when there are two separators. - // - NodeStr +=3D sizeof (CHAR16); - NodeStrLength -=3D sizeof (CHAR16); - } else if ((FirstNodeChar !=3D '\\') && (LastNodeChar !=3D '\\')) { - // - // Add separator "\" when there is no separator. - // - WriteUnaligned16 ((UINT16 *)(*FileName + Length), '\\'); - Length +=3D sizeof (CHAR16); - } - CopyMem (*FileName + Length, NodeStr, NodeStrLength); - Length +=3D NodeStrLength; - - LastNodeChar =3D (CHAR16) ReadUnaligned16 ((UINT16 *) (NodeStr + Node= StrLength - sizeof(CHAR16))); - TmpDevicePath =3D NextDevicePathNode (TmpDevicePath); - } - - return Length; -} - - -/** - Check whether the DevicePath2 is identical with DevicePath1, or identica= l with - DevicePath1's child device path. 
- - If DevicePath2 is identical with DevicePath1, or with DevicePath1's chil= d device - path, then TRUE returned. Otherwise, FALSE is returned. - - If DevicePath1 is NULL, then ASSERT(). - If DevicePath2 is NULL, then ASSERT(). - - @param[in] DevicePath1 A pointer to a device path. - @param[in] DevicePath2 A pointer to a device path. - - @retval TRUE Two device paths are identical , or DevicePath= 2 is - DevicePath1's child device path. - @retval FALSE Two device paths are not identical, and Device= Path2 - is not DevicePath1's child device path. - -**/ -BOOLEAN -CheckDevicePath ( - IN CONST EFI_DEVICE_PATH_PROTOCOL *DevicePath1, - IN CONST EFI_DEVICE_PATH_PROTOCOL *DevicePath2 - ) -{ - UINTN DevicePathSize; - UINTN FileNameSize1; - UINTN FileNameSize2; - UINT8 *FileName1; - UINT8 *FileName2; - UINTN FileNameOffset1; - UINTN FileNameOffset2; - BOOLEAN DevicePathEqual; - - FileName1 =3D NULL; - FileName2 =3D NULL; - DevicePathEqual =3D TRUE; - - ASSERT (DevicePath1 !=3D NULL); - ASSERT (DevicePath2 !=3D NULL); - if (IsDevicePathEnd (DevicePath1)) { - return FALSE; - } - - // - // The file name may contain one or more device path node. - // To compare the file name, copy file name to a buffer and compare the = buffer. 
- // - FileNameSize1 =3D GetFileName (DevicePath1, &FileName1, &FileNameOffset1= ); - if (FileNameSize1 !=3D 0) { - FileNameSize2 =3D GetFileName (DevicePath2, &FileName2, &FileNameOffse= t2); - if (FileNameOffset1 !=3D FileNameOffset2) { - DevicePathEqual =3D FALSE; - goto Done; - } - if (CompareMem (DevicePath1, DevicePath2, FileNameOffset1) !=3D 0) { - DevicePathEqual =3D FALSE; - goto Done; - } - if (FileNameSize1 > FileNameSize2) { - DevicePathEqual =3D FALSE; - goto Done; - } - if (CompareMem (FileName1, FileName2, FileNameSize1) !=3D 0) { - DevicePathEqual =3D FALSE; - goto Done; - } - DevicePathEqual =3D TRUE; - goto Done; - } - - DevicePathSize =3D GetDevicePathSize (DevicePath1); - if (DevicePathSize > GetDevicePathSize (DevicePath2)) { - return FALSE; - } - - // - // Exclude the end of device path node. - // - DevicePathSize -=3D sizeof (EFI_DEVICE_PATH_PROTOCOL); - if (CompareMem (DevicePath1, DevicePath2, DevicePathSize) !=3D 0) { - DevicePathEqual =3D FALSE; - } - -Done: - if (FileName1 !=3D NULL) { - FreePool (FileName1); - } - if (FileName2 !=3D NULL) { - FreePool (FileName2); - } - return DevicePathEqual; -} - - -/** - Check whether the image pointed to by DevicePath is in the device path l= ist - specified by AccessType. - - @param[in] DevicePath Points to device path. - @param[in] AccessType The type of user access control. - - @retval TRUE The DevicePath is in the specified List. - @retval FALSE The DevicePath is not in the specified List. 
- -**/ -BOOLEAN -IsDevicePathInList ( - IN CONST EFI_DEVICE_PATH_PROTOCOL *DevicePath, - IN UINT32 AccessType - ) -{ - EFI_STATUS Status; - EFI_USER_INFO_ACCESS_CONTROL *Access; - EFI_DEVICE_PATH_PROTOCOL *Path; - UINTN OffSet; - - Status =3D GetAccessControl (&Access, AccessType); - if (EFI_ERROR (Status)) { - return FALSE; - } - - OffSet =3D 0; - while (OffSet < Access->Size - sizeof (EFI_USER_INFO_ACCESS_CONTROL)) { - Path =3D (EFI_DEVICE_PATH_PROTOCOL*)((UINT8*)(Access + 1) + OffSet); - if (CheckDevicePath (Path, DevicePath)) { - // - // The device path is found in list. - // - FreePool (Access); - return TRUE; - } - OffSet +=3D GetDevicePathSize (Path); - } - - FreePool (Access); - return FALSE; -} - - -/** - Check whether the image pointed to by DevicePath is permitted to load. - - @param[in] DevicePath Points to device path - - @retval TRUE The image pointed by DevicePath is permitted to l= oad. - @retval FALSE The image pointed by DevicePath is forbidden to l= oad. - -**/ -BOOLEAN -VerifyDevicePath ( - IN CONST EFI_DEVICE_PATH_PROTOCOL *DevicePath - ) -{ - if (IsDevicePathInList (DevicePath, EFI_USER_INFO_ACCESS_PERMIT_LOAD)) { - // - // This access control overrides any restrictions put in place by the - // EFI_USER_INFO_ACCESS_FORBID_LOAD record. - // - return TRUE; - } - - if (IsDevicePathInList (DevicePath, EFI_USER_INFO_ACCESS_FORBID_LOAD)) { - // - // The device path is found in the forbidden list. - // - return FALSE; - } - - return TRUE; -} - - -/** - Check the image pointed by DevicePath is a boot option or not. - - @param[in] DevicePath Points to device path. - - @retval TRUE The image pointed by DevicePath is a boot option. - @retval FALSE The image pointed by DevicePath is not a boot opt= ion. 
- -**/ -BOOLEAN -IsBootOption ( - IN CONST EFI_DEVICE_PATH_PROTOCOL *DevicePath - ) -{ - EFI_STATUS Status; - UINT16 *BootOrderList; - UINTN BootOrderListSize; - UINTN Index; - CHAR16 StrTemp[20]; - UINT8 *OptionBuffer; - UINT8 *OptionPtr; - EFI_DEVICE_PATH_PROTOCOL *OptionDevicePath; - - // - // Get BootOrder - // - BootOrderListSize =3D 0; - BootOrderList =3D NULL; - Status =3D gRT->GetVariable ( - L"BootOrder", - &gEfiGlobalVariableGuid, - NULL, - &BootOrderListSize, - NULL - ); - if (Status =3D=3D EFI_BUFFER_TOO_SMALL) { - BootOrderList =3D AllocateZeroPool (BootOrderListSize); - ASSERT (BootOrderList !=3D NULL); - Status =3D gRT->GetVariable ( - L"BootOrder", - &gEfiGlobalVariableGuid, - NULL, - &BootOrderListSize, - BootOrderList - ); - } - - if (EFI_ERROR (Status)) { - // - // No Boot option - // - return FALSE; - } - - OptionBuffer =3D NULL; - for (Index =3D 0; Index < BootOrderListSize / sizeof (UINT16); Index++) { - // - // Try to find the DevicePath in BootOption - // - UnicodeSPrint (StrTemp, sizeof (StrTemp), L"Boot%04x", Index); - GetEfiGlobalVariable2 (StrTemp, (VOID**)&OptionBuffer, NULL); - if (OptionBuffer =3D=3D NULL) { - continue; - } - - // - // Check whether the image is forbidden. - // - - OptionPtr =3D OptionBuffer; - // - // Skip attribute. - // - OptionPtr +=3D sizeof (UINT32); - - // - // Skip device path length. - // - OptionPtr +=3D sizeof (UINT16); - - // - // Skip descript string - // - OptionPtr +=3D StrSize ((UINT16 *) OptionPtr); - - // - // Now OptionPtr points to Device Path. - // - OptionDevicePath =3D (EFI_DEVICE_PATH_PROTOCOL *) OptionPtr; - - if (CheckDevicePath (DevicePath, OptionDevicePath)) { - FreePool (OptionBuffer); - OptionBuffer =3D NULL; - return TRUE; - } - FreePool (OptionBuffer); - OptionBuffer =3D NULL; - } - - if (BootOrderList !=3D NULL) { - FreePool (BootOrderList); - } - - return FALSE; -} - - -/** - Add the image info to a deferred image list. 
- - @param[in] ImageDevicePath A pointer to the device path of a image. - @param[in] Image Points to the first byte of the image, or N= ULL if the - image is not available. - @param[in] ImageSize The size of the image, or 0 if the image is= not available. - -**/ -VOID -PutDefferedImageInfo ( - IN CONST EFI_DEVICE_PATH_PROTOCOL *ImageDevicePath, - IN VOID *Image, - IN UINTN ImageSize - ) -{ - DEFERRED_IMAGE_INFO *CurImageInfo; - UINTN PathSize; - - // - // Expand memory for the new deferred image. - // - if (mDeferredImage.Count =3D=3D 0) { - mDeferredImage.ImageInfo =3D AllocatePool (sizeof (DEFERRED_IMAGE_INFO= )); - ASSERT (mDeferredImage.ImageInfo !=3D NULL); - } else { - CurImageInfo =3D AllocatePool ((mDeferredImage.Count + 1) * sizeof (DE= FERRED_IMAGE_INFO)); - ASSERT (CurImageInfo !=3D NULL); - - CopyMem ( - CurImageInfo, - mDeferredImage.ImageInfo, - mDeferredImage.Count * sizeof (DEFERRED_IMAGE_INFO) - ); - FreePool (mDeferredImage.ImageInfo); - mDeferredImage.ImageInfo =3D CurImageInfo; - } - mDeferredImage.Count++; - - // - // Save the deferred image information. - // - CurImageInfo =3D &mDeferredImage.ImageInfo[mDeferredImage.Count - 1]; - PathSize =3D GetDevicePathSize (ImageDevicePath); - CurImageInfo->ImageDevicePath =3D AllocateZeroPool (PathSize); - ASSERT (CurImageInfo->ImageDevicePath !=3D NULL); - CopyMem (CurImageInfo->ImageDevicePath, ImageDevicePath, PathSize); - - CurImageInfo->Image =3D Image; - CurImageInfo->ImageSize =3D ImageSize; - CurImageInfo->BootOption =3D IsBootOption (ImageDevicePath); -} - - -/** - Returns information about a deferred image. - - This function returns information about a single deferred image. The def= erred images are - numbered consecutively, starting with 0. If there is no image which cor= responds to - ImageIndex, then EFI_NOT_FOUND is returned. All deferred images may be r= eturned by - iteratively calling this function until EFI_NOT_FOUND is returned. 
- Image may be NULL and ImageSize set to 0 if the decision to defer execut= ion was made - because of the location of the executable image, rather than its actual = contents. - - @param[in] This Points to this instance of the EFI_DEFERRED= _IMAGE_LOAD_PROTOCOL. - @param[in] ImageIndex Zero-based index of the deferred index. - @param[out] ImageDevicePath On return, points to a pointer to the devic= e path of the image. - The device path should not be freed by the = caller. - @param[out] Image On return, points to the first byte of the = image or NULL if the - image is not available. The image should no= t be freed by the caller - unless LoadImage() has been successfully ca= lled. - @param[out] ImageSize On return, the size of the image, or 0 if t= he image is not available. - @param[out] BootOption On return, points to TRUE if the image was = intended as a boot option - or FALSE if it was not intended as a boot o= ption. - - @retval EFI_SUCCESS Image information returned successfully. - @retval EFI_NOT_FOUND ImageIndex does not refer to a valid image. - @retval EFI_INVALID_PARAMETER ImageDevicePath is NULL or Image is NULL o= r ImageSize is NULL or - BootOption is NULL. - -**/ -EFI_STATUS -EFIAPI -GetDefferedImageInfo ( - IN EFI_DEFERRED_IMAGE_LOAD_PROTOCOL *This, - IN UINTN ImageIndex, - OUT EFI_DEVICE_PATH_PROTOCOL **ImageDevicePath, - OUT VOID **Image, - OUT UINTN *ImageSize, - OUT BOOLEAN *BootOption - ) -{ - DEFERRED_IMAGE_INFO *ReqImageInfo; - - // - // Check the parameter. - // - - if ((This =3D=3D NULL) || (ImageSize =3D=3D NULL) || (Image =3D=3D NULL)= ) { - return EFI_INVALID_PARAMETER; - } - - if ((ImageDevicePath =3D=3D NULL) || (BootOption =3D=3D NULL)) { - return EFI_INVALID_PARAMETER; - } - - if (ImageIndex >=3D mDeferredImage.Count) { - return EFI_NOT_FOUND; - } - - // - // Get the request deferred image. 
- // - ReqImageInfo =3D &mDeferredImage.ImageInfo[ImageIndex]; - - *ImageDevicePath =3D ReqImageInfo->ImageDevicePath; - *Image =3D ReqImageInfo->Image; - *ImageSize =3D ReqImageInfo->ImageSize; - *BootOption =3D ReqImageInfo->BootOption; - - return EFI_SUCCESS; -} - - -/** - Provides the service of deferring image load based on platform policy co= ntrol, - and installs Deferred Image Load Protocol. - - @param[in] AuthenticationStatus This is the authentication status retu= rned from the - security measurement services for the = input file. - @param[in] File This is a pointer to the device path o= f the file that - is being dispatched. This will optiona= lly be used for - logging. - @param[in] FileBuffer File buffer matches the input file dev= ice path. - @param[in] FileSize Size of File buffer matches the input = file device path. - @param[in] BootPolicy A boot policy that was used to call Lo= adImage() UEFI service. - - @retval EFI_SUCCESS FileBuffer is NULL and current user ha= s permission to start - UEFI device drivers on the device path= specified by DevicePath. - @retval EFI_SUCCESS The file specified by DevicePath and n= on-NULL - FileBuffer did authenticate, and the p= latform policy dictates - that the DXE Foundation may use the fi= le. - @retval EFI_SECURITY_VIOLATION FileBuffer is NULL and the user has no - permission to start UEFI device driver= s on the device path specified - by DevicePath. - @retval EFI_SECURITY_VIOLATION FileBuffer is not NULL and the user ha= s no permission to load - drivers from the device path specified= by DevicePath. The - image has been added into the list of = the deferred images. - @retval EFI_ACCESS_DENIED The file specified by File and FileBuf= fer did not - authenticate, and the platform policy = dictates that the DXE - Foundation many not use File. 
- -**/ -EFI_STATUS -EFIAPI -DxeDeferImageLoadHandler ( - IN UINT32 AuthenticationStatus, - IN CONST EFI_DEVICE_PATH_PROTOCOL *File, - IN VOID *FileBuffer, - IN UINTN FileSize, - IN BOOLEAN BootPolicy - ) -{ - EFI_STATUS Status; - EFI_USER_PROFILE_HANDLE CurrentUser; - UINT32 Policy; - UINT32 FileType; - - // - // Ignore if File is NULL. - // - if (File =3D=3D NULL) { - return EFI_SUCCESS; - } - - // - // Check whether user has a logon. - // - CurrentUser =3D NULL; - if (mUserManager !=3D NULL) { - mUserManager->Current (mUserManager, &CurrentUser); - if (CurrentUser !=3D NULL) { - // - // The user is logon; verify the FilePath by current user access pol= icy. - // - if (!VerifyDevicePath (File)) { - DEBUG ((EFI_D_ERROR, "[Security] The image is forbidden to load!\n= ")); - return EFI_SECURITY_VIOLATION; - } - return EFI_SUCCESS; - } - } - - // - // Still no user logon. - // Check the file type and get policy setting. - // - FileType =3D GetFileType (File); - Policy =3D PcdGet32 (PcdDeferImageLoadPolicy); - if ((Policy & FileType) =3D=3D FileType) { - // - // This file type is secure to load. - // - return EFI_SUCCESS; - } - - DEBUG ((EFI_D_INFO, "[Security] No user identified, the image is deferre= d to load!\n")); - PutDefferedImageInfo (File, FileBuffer, FileSize); - - // - // Install the Deferred Image Load Protocol onto a new handle. - // - if (!mIsProtocolInstalled) { - Status =3D gBS->InstallMultipleProtocolInterfaces ( - &mDeferredImageHandle, - &gEfiDeferredImageLoadProtocolGuid, - &gDeferredImageLoad, - NULL - ); - ASSERT_EFI_ERROR (Status); - mIsProtocolInstalled =3D TRUE; - } - - return EFI_ACCESS_DENIED; -} - -/** - Locate user manager protocol when user manager is installed. - - @param[in] Event The Event that is being processed, not used. - @param[in] Context Event Context, not used. 
- -**/ -VOID -EFIAPI -FindUserManagerProtocol ( - IN EFI_EVENT Event, - IN VOID* Context - ) -{ - gBS->LocateProtocol ( - &gEfiUserManagerProtocolGuid, - NULL, - (VOID **) &mUserManager - ); - -} - - -/** - Register security handler for deferred image load. - - @param[in] ImageHandle ImageHandle of the loaded driver. - @param[in] SystemTable Pointer to the EFI System Table. - - @retval EFI_SUCCESS The handlers were registered successfully. -**/ -EFI_STATUS -EFIAPI -DxeDeferImageLoadLibConstructor ( - IN EFI_HANDLE ImageHandle, - IN EFI_SYSTEM_TABLE *SystemTable - ) -{ - VOID *Registration; - - // - // Register user manager notification function. - // - EfiCreateProtocolNotifyEvent ( - &gEfiUserManagerProtocolGuid, - TPL_CALLBACK, - FindUserManagerProtocol, - NULL, - &Registration - ); - - return RegisterSecurity2Handler ( - DxeDeferImageLoadHandler, - EFI_AUTH_OPERATION_DEFER_IMAGE_LOAD - ); -} - - diff --git a/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.= h b/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.h deleted file mode 100644 index 6f7991761711..000000000000 --- a/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.h +++ /dev/null @@ -1,99 +0,0 @@ -/** @file - The internal header file includes the common header files, defines - internal structure and functions used by DeferImageLoadLib. - -Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
-SPDX-License-Identifier: BSD-2-Clause-Patent - -**/ - -#ifndef __DEFER_IMAGE_LOAD_LIB_H__ -#define __DEFER_IMAGE_LOAD_LIB_H__ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include - -#include - -// -// Image type definitions. -// -#define IMAGE_UNKNOWN 0x00000001 -#define IMAGE_FROM_FV 0x00000002 -#define IMAGE_FROM_OPTION_ROM 0x00000004 -#define IMAGE_FROM_REMOVABLE_MEDIA 0x00000008 -#define IMAGE_FROM_FIXED_MEDIA 0x00000010 - -// -// The struct to save the deferred image information. -// -typedef struct { - EFI_DEVICE_PATH_PROTOCOL *ImageDevicePath; - VOID *Image; - UINTN ImageSize; - BOOLEAN BootOption; -} DEFERRED_IMAGE_INFO; - -// -// The table to save the deferred image item. -// -typedef struct { - UINTN Count; ///< deferred image cou= nt - DEFERRED_IMAGE_INFO *ImageInfo; ///< deferred image item -} DEFERRED_IMAGE_TABLE; - -/** - Returns information about a deferred image. - - This function returns information about a single deferred image. The def= erred images are - numbered consecutively, starting with 0. If there is no image which cor= responds to - ImageIndex, then EFI_NOT_FOUND is returned. All deferred images may be r= eturned by - iteratively calling this function until EFI_NOT_FOUND is returned. - Image may be NULL and ImageSize set to 0 if the decision to defer execut= ion was made - because of the location of the executable image, rather than its actual = contents. - - @param[in] This Points to this instance of the EFI_DEFERRE= D_IMAGE_LOAD_PROTOCOL. - @param[in] ImageIndex Zero-based index of the deferred index. - @param[out] ImageDevicePath On return, points to a pointer to the devi= ce path of the image. - The device path should not be freed by the= caller. - @param[out] Image On return, points to the first byte of the= image or NULL if the - image is not available. 
The image should n= ot be freed by the caller - unless LoadImage() has been called success= fully. - @param[out] ImageSize On return, the size of the image, or 0 if = the image is not available. - @param[out] BootOption On return, points to TRUE if the image was= intended as a boot option - or FALSE if it was not intended as a boot = option. - - @retval EFI_SUCCESS Image information returned successfully. - @retval EFI_NOT_FOUND ImageIndex does not refer to a valid image. - @retval EFI_INVALID_PARAMETER ImageDevicePath is NULL or Image is NULL o= r ImageSize is NULL or - BootOption is NULL. - -**/ -EFI_STATUS -EFIAPI -GetDefferedImageInfo ( - IN EFI_DEFERRED_IMAGE_LOAD_PROTOCOL *This, - IN UINTN ImageIndex, - OUT EFI_DEVICE_PATH_PROTOCOL **ImageDevicePath, - OUT VOID **Image, - OUT UINTN *ImageSize, - OUT BOOLEAN *BootOption - ); - -#endif diff --git a/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.= inf b/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.inf deleted file mode 100644 index 6005b8730977..000000000000 --- a/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.inf +++ /dev/null @@ -1,63 +0,0 @@ -## @file -# Provides security service of deferred image load -# -# The platform may need to defer the execution of an image because of sec= urity -# considerations. These deferred images will be recorded and then reporte= d by -# installing an instance of the EFI_DEFERRED_IMAGE_LOAD_PROTOCOL. -# -# Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
-# SPDX-License-Identifier: BSD-2-Clause-Patent -# -## - -[Defines] - INF_VERSION =3D 0x00010005 - BASE_NAME =3D DxeDeferImageLoadLib - MODULE_UNI_FILE =3D DxeDeferImageLoadLib.uni - FILE_GUID =3D 5E2FAE1F-41DA-4fbd-BC81-603CE5CD8497 - MODULE_TYPE =3D DXE_DRIVER - VERSION_STRING =3D 1.0 - LIBRARY_CLASS =3D NULL|DXE_DRIVER UEFI_DRIVER DXE_RUNTI= ME_DRIVER UEFI_APPLICATION - CONSTRUCTOR =3D DxeDeferImageLoadLibConstructor - -# -# The following information is for reference only and not required by the = build tools. -# -# VALID_ARCHITECTURES =3D IA32 X64 EBC -# - -[Sources] - DxeDeferImageLoadLib.c - DxeDeferImageLoadLib.h - -[Packages] - MdePkg/MdePkg.dec - MdeModulePkg/MdeModulePkg.dec - SecurityPkg/SecurityPkg.dec - -[LibraryClasses] - UefiRuntimeServicesTableLib - UefiBootServicesTableLib - SecurityManagementLib - MemoryAllocationLib - DevicePathLib - BaseMemoryLib - PrintLib - DebugLib - UefiLib - PcdLib - -[Protocols] - gEfiFirmwareVolume2ProtocolGuid ## SOMETIMES_CONS= UMES - gEfiBlockIoProtocolGuid ## SOMETIMES_CONS= UMES - gEfiSimpleFileSystemProtocolGuid ## SOMETIMES_CONS= UMES - gEfiDeferredImageLoadProtocolGuid ## SOMETIMES_PROD= UCES - ## SOMETIMES_CONSUMES - ## NOTIFY - gEfiUserManagerProtocolGuid - -[Guids] - gEfiGlobalVariableGuid ## SOMETIMES_CON= SUMES ## Variable:L"BootOrder" - -[Pcd] - gEfiSecurityPkgTokenSpaceGuid.PcdDeferImageLoadPolicy ## SOMETIMES_CON= SUMES diff --git a/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.= uni b/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.uni deleted file mode 100644 index 69c381369359..000000000000 --- a/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.uni +++ /dev/null 
@@ -1,18 +0,0 @@ -// /** @file -// Provides security service of deferred image load -// -// The platform may need to defer the execution of an image because of sec= urity -// considerations. These deferred images will be recorded and then reporte= d by -// installing an instance of the EFI_DEFERRED_IMAGE_LOAD_PROTOCOL. -// -// Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.
-// -// SPDX-License-Identifier: BSD-2-Clause-Patent -// -// **/ - - -#string STR_MODULE_ABSTRACT #language en-US "Provides security= service of deferred image load" - -#string STR_MODULE_DESCRIPTION #language en-US "The platform may = need to defer the execution of an image because of security considerations.= These deferred images will be recorded and then reported by installing an = instance of the EFI_DEFERRED_IMAGE_LOAD_PROTOCOL." - diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index a2ee0528f0d2..a8d31196b616 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc @@ -149,7 +149,6 @@ [PcdsDynamicHii.common.DEFAULT] =20 [Components] SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf - #SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.inf SecurityPkg/Library/DxeImageAuthenticationStatusLib/DxeImageAuthenticati= onStatusLib.inf =20 # --=20 2.18.0.windows.1
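Review bot: The commit message does not say how the deleted DxeDeferImageLoadLib.c conflicts with SecurityStubDxe (Defer3rdPartyImageLoad.c), and the deletion takes real policy enforcement with it. DxeDeferImageLoadHandler is registered through RegisterSecurity2Handler for EFI_AUTH_OPERATION_DEFER_IMAGE_LOAD, installs gEfiDeferredImageLoadProtocolGuid on first deferral and returns EFI_ACCESS_DENIED for deferred images, so please state whether the conflict is a second producer of that protocol or something else. The message should also record that the PcdDeferImageLoadPolicy file-type mask check and the EFI_USER_INFO_ACCESS_PERMIT_LOAD / EFI_USER_INFO_ACCESS_FORBID_LOAD checks in VerifyDevicePath are removed with no replacement in this patch. For anyone tempted to keep a downstream copy instead: IsBootOption builds the variable name from the loop counter (L"Boot%04x", Index) rather than from BootOrderList[Index], and its return TRUE path does not free BootOrderList, so the file is better retired than carried.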
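Review bot: The [Pcd] entry gEfiSecurityPkgTokenSpaceGuid.PcdDeferImageLoadPolicy in the deleted DxeDeferImageLoadLib.inf loses this consumer, yet the diffstat lists only the four library files and SecurityPkg.dsc, so the PCD declaration and any help strings for it are left behind. If no other module reads the PCD, remove its declaration in this patch or in a follow-up within the same series, or say in the commit message why it stays. Because LIBRARY_CLASS is NULL|DXE_DRIVER UEFI_DRIVER DXE_RUNTIME_DRIVER UEFI_APPLICATION, platforms pull this instance in by .inf path from their own .dsc files, so a tree-wide search for DxeDeferImageLoadLib.inf is needed before merging to avoid breaking those builds.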
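Review bot: The only line removed from [Components] in SecurityPkg.dsc is already commented out (#SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.inf), so the package build did not cover this library before the patch and a passing SecurityPkg build afterwards proves nothing about remaining users. Please note in the commit message that the component was already disabled here, and list which platform builds were run to confirm nothing else still references the library.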