xinb
/
alder_lake_bios
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
alder_lake_bios/Insyde/InsydeModulePkg/Universal/Security/HstiDxe/HstiDxe.c

344 lines
7.9 KiB
C
Raw Permalink Blame History

/** @file
HSTI DXE Driver
;******************************************************************************
;* Copyright (c) 2015 - 2019, Insyde Software Corp. All Rights Reserved.
;*
;* You may not reproduce, distribute, publish, display, perform, modify, adapt,
;* transmit, broadcast, present, recite, release, license or otherwise exploit
;* any part of this publication in any form, by any means, without the prior
;* written permission of Insyde Software Corporation.
;*
;******************************************************************************
*/
#include "HstiDxe.h"
/**
Internal function to init IBV HSTI Platform Security State Interface
**/
STATIC
EFI_STATUS
InitHstiIbvData (
VOID
)
{
ADAPTER_INFO_PLATFORM_SECURITY *Hsti;
UINTN HstiSize;
UINT8 *HstiData;
UINT8 FeatureBitField;
//
// Total HstiSize is structure size + requirement/implement/Verify feature size + a null string for error string
//
HstiSize = sizeof (ADAPTER_INFO_PLATFORM_SECURITY) + 3 * HSTI_IBV_FEATUER_SIZE + sizeof (CHAR16);
Hsti = AllocateZeroPool (HstiSize);
if (Hsti == NULL) {
return EFI_OUT_OF_RESOURCES;
}
//
// Initialize HSTI table
//
Hsti->Version = PLATFORM_SECURITY_VERSION_VNEXTCS;
Hsti->Role = PLATFORM_SECURITY_ROLE_PLATFORM_IBV;
StrCpyS (Hsti->ImplementationID, sizeof(Hsti->ImplementationID) / sizeof(CHAR16), HSTI_IBV_IMPLEMENT_ID);
Hsti->SecurityFeaturesSize = HSTI_IBV_FEATUER_SIZE;
FeatureBitField = HSTI_FEATURE_ALL_ENABLE;
if (!FeaturePcdGet (PcdSecureFlashSupported) &&
!FeaturePcdGet (PcdH2OCapsuleUpdateSupported) &&
!FeaturePcdGet (PcdUefiCapsuleUpdateSupported)) {
FeatureBitField &= (UINT8)(~(SEUCRE_FIRMWARE_UPDATE));
}
if (!FeaturePcdGet (PcdH2OSecureBootSupported)) {
FeatureBitField &= (UINT8)(~(SEUCRE_BOOT_POLICY));
}
if (!FeaturePcdGet (PcdNoExternalDmaSupported)) {
FeatureBitField &= (UINT8)(~(EXTERNAL_DMA_PROTECT));
}
//
// Requirement
//
HstiData = (UINT8 *) (Hsti + 1);
HstiData[HSTI_IBV_FEATUER_SIZE - 1] = FeatureBitField;
//
// Implementation
//
HstiData += HSTI_IBV_FEATUER_SIZE;
HstiData[HSTI_IBV_FEATUER_SIZE - 1] = FeatureBitField;
//
// Verified
//
HstiData += HSTI_IBV_FEATUER_SIZE;
HstiData[HSTI_IBV_FEATUER_SIZE - 1] = FeatureBitField;
//
// Install HSTI table.
//
return HstiLibSetTable ((VOID *) Hsti, HstiSize);
}
/**
Internal function to check whether support SHA256 and RSA2048 secure feature.
**/
STATIC
VOID
CheckSecurityStrength (
VOID
)
{
EFI_STATUS Status;
CRYPTO_SERVICES_PROTOCOL *Crypto;
EFI_HASH_PROTOCOL *Hash;
Status = gBS->LocateProtocol (&gCryptoServicesProtocolGuid, NULL, (VOID **)&Crypto);
if (Status != EFI_SUCCESS) {
return;
}
Status = gBS->LocateProtocol (&gEfiHashProtocolGuid, NULL, (VOID **)&Hash);
if (Status != EFI_SUCCESS) {
return;
}
HstiLibSetFeaturesVerified (
PLATFORM_SECURITY_ROLE_PLATFORM_IBV,
HSTI_IBV_IMPLEMENT_ID,
HSTI_IBV_FEATUER_SIZE - 1,
RSA2048_SHA256_SUPPORT
);
}
/**
Internal function to update check CSM policy secure feature result.
**/
STATIC
VOID
CheckCsmPolicy (
VOID
)
{
EFI_STATUS Status;
EFI_LEGACY_BIOS_PROTOCOL *LegacyBios;
UINTN DataSize;
UINT8 SecureBoot;
Status = gBS->LocateProtocol (&gEfiLegacyBiosProtocolGuid, NULL, (VOID **)&LegacyBios);
if (Status == EFI_SUCCESS) {
DataSize = sizeof(UINT8);
Status = gRT->GetVariable (
EFI_SECURE_BOOT_MODE_NAME,
&gEfiGlobalVariableGuid,
NULL,
&DataSize,
&SecureBoot
);
if (Status == EFI_SUCCESS && SecureBoot == 1) {
HstiLibSetErrorString (
PLATFORM_SECURITY_ROLE_PLATFORM_IBV,
HSTI_IBV_IMPLEMENT_ID,
L"Error!! Secure boot Must be disabled if CSM is enabled. Now, secure boot is enabled in CSM is enabled environment."
);
return;
}
}
HstiLibSetFeaturesVerified (
PLATFORM_SECURITY_ROLE_PLATFORM_IBV,
HSTI_IBV_IMPLEMENT_ID,
HSTI_IBV_FEATUER_SIZE - 1,
CSM_SECURITY_POLICY
);
}
/**
Internal function to update firmware code protect secure feature result.
**/
STATIC
VOID
CheckFirmwareCodeProtect (
VOID
)
{
if (!FeaturePcdGet (PcdSecureFlashSupported) &&
!FeaturePcdGet (PcdH2OCapsuleUpdateSupported) &&
!FeaturePcdGet (PcdUefiCapsuleUpdateSupported)) {
return;
}
HstiLibSetFeaturesVerified (
PLATFORM_SECURITY_ROLE_PLATFORM_IBV,
HSTI_IBV_IMPLEMENT_ID,
HSTI_IBV_FEATUER_SIZE - 1,
FIRMWARE_CODE_PROTECT
);
}
/**
Internal function to update secure firmware update secure feature result.
**/
STATIC
VOID
CheckSecureFirmwareUpdate (
VOID
)
{
HstiLibSetFeaturesVerified (
PLATFORM_SECURITY_ROLE_PLATFORM_IBV,
HSTI_IBV_IMPLEMENT_ID,
HSTI_IBV_FEATUER_SIZE - 1,
SEUCRE_FIRMWARE_UPDATE
);
}
/**
Internal function to update secure boot policy secure feature result.
**/
STATIC
VOID
CheckSecureBootPolicy (
VOID
)
{
UINTN DataSize;
UINT8 SecureBoot;
EFI_STATUS Status;
if (!FeaturePcdGet (PcdH2OSecureBootSupported)) {
return;
}
DataSize = sizeof(UINT8);
Status = gRT->GetVariable (
EFI_SECURE_BOOT_MODE_NAME,
&gEfiGlobalVariableGuid,
NULL,
&DataSize,
&SecureBoot
);
if (Status != EFI_SUCCESS) {
return;
}
Status = gRT->SetVariable (
EFI_SECURE_BOOT_MODE_NAME,
&gEfiGlobalVariableGuid,
0,
0,
NULL
);
if (Status == EFI_SUCCESS) {
HstiLibSetErrorString (
PLATFORM_SECURITY_ROLE_PLATFORM_IBV,
HSTI_IBV_IMPLEMENT_ID,
L"Error!! SecureBoot variable must be read-only. But this variable can be deleted."
);
return;
}
HstiLibSetFeaturesVerified (
PLATFORM_SECURITY_ROLE_PLATFORM_IBV,
HSTI_IBV_IMPLEMENT_ID,
HSTI_IBV_FEATUER_SIZE - 1,
SEUCRE_BOOT_POLICY
);
}
/**
Internal function to update External DMA protect secure feature result.
**/
STATIC
VOID
CheckExternalDmaProtect (
VOID
)
{
if (!FeaturePcdGet (PcdNoExternalDmaSupported)) {
return;
}
HstiLibSetFeaturesVerified (
PLATFORM_SECURITY_ROLE_PLATFORM_IBV,
HSTI_IBV_IMPLEMENT_ID,
HSTI_IBV_FEATUER_SIZE - 1,
EXTERNAL_DMA_PROTECT
);
}
/**
Internal function to update HSTI related data.
**/
STATIC
VOID
UpdateHstiData (
VOID
)
{
CheckSecurityStrength ();
CheckCsmPolicy ();
CheckFirmwareCodeProtect ();
CheckSecureFirmwareUpdate ();
CheckSecureBootPolicy ();
CheckExternalDmaProtect ();
}
/**
Callback function for ready to boot event to update HSTI related data.
@param Event - Event whose notification function is being invoked.
@param Context - Pointer to the notification function's context.
**/
STATIC
VOID
EFIAPI
OnReadyToBoot (
EFI_EVENT Event,
VOID *Context
)
{
UpdateHstiData ();
if (Event != NULL) {
gBS->CloseEvent (Event);
}
}
/**
The HSTI driver's entry point.
Create IBV gAdapterInfoPlatformSecurityGuid protocol
@param[in] ImageHandle The firmware allocated handle for the EFI image.
@param[in] SystemTable A pointer to the EFI System Table.
@retval EFI_SUCCESS The entry point is executed successfully.
**/
EFI_STATUS
EFIAPI
HstiEntryPoint (
IN EFI_HANDLE ImageHandle,
IN EFI_SYSTEM_TABLE *SystemTable
)
{
EFI_STATUS Status;
EFI_EVENT Event;
Status = InitHstiIbvData ();
if (Status != EFI_SUCCESS) {
return Status;
}
Status = EfiCreateEventReadyToBootEx (
TPL_CALLBACK - 1,
OnReadyToBoot,
NULL,
&Event
);
return Status;
}
Reference in New Issue View Git Blame Copy Permalink