1/** @file
2  Implement image authentication status check in UEFI2.3.1.
3
4Copyright (c) 2012, Intel Corporation. All rights reserved.<BR>
5This program and the accompanying materials
6are licensed and made available under the terms and conditions of the BSD License
7which accompanies this distribution.  The full text of the license may be found at
8http://opensource.org/licenses/bsd-license.php
9
10THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
11WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
12
13**/
14
15#include <PiDxe.h>
16#include <Library/SecurityManagementLib.h>
17
18
19/**
20  Check image authentication status returned from Section Extraction Protocol
21
22  @param[in]    AuthenticationStatus  This is the authentication status returned from
23                             the Section Extraction Protocol when reading the input file.
24  @param[in]    File       This is a pointer to the device path of the file that is
25                           being dispatched. This will optionally be used for logging.
26  @param[in]    FileBuffer File buffer matches the input file device path.
27  @param[in]    FileSize   Size of File buffer matches the input file device path.
28  @param[in]    BootPolicy A boot policy that was used to call LoadImage() UEFI service.
29
30  @retval EFI_SUCCESS            The input file specified by File did authenticate, and the
31                                 platform policy dictates that the DXE Core may use File.
32  @retval EFI_ACCESS_DENIED      The file specified by File and FileBuffer did not
33                                 authenticate, and the platform policy dictates that the DXE
34                                 Foundation many not use File.
35
36**/
37EFI_STATUS
38EFIAPI
39DxeImageAuthenticationStatusHandler (
40  IN  UINT32                           AuthenticationStatus,
41  IN  CONST EFI_DEVICE_PATH_PROTOCOL   *File,
42  IN  VOID                             *FileBuffer,
43  IN  UINTN                            FileSize,
44  IN  BOOLEAN                          BootPolicy
45  )
46{
47  if ((AuthenticationStatus & EFI_AUTH_STATUS_IMAGE_SIGNED) != 0) {
48    if ((AuthenticationStatus & (EFI_AUTH_STATUS_TEST_FAILED | EFI_AUTH_STATUS_NOT_TESTED)) != 0) {
49      return EFI_ACCESS_DENIED;
50    }
51  }
52
53  return EFI_SUCCESS;
54}
55
56
57/**
58  Register image authenticaion status check handler.
59
60  @param  ImageHandle   ImageHandle of the loaded driver.
61  @param  SystemTable   Pointer to the EFI System Table.
62
63  @retval EFI_SUCCESS   The handlers were registered successfully.
64**/
65EFI_STATUS
66EFIAPI
67DxeImageAuthenticationStatusLibConstructor (
68  IN EFI_HANDLE        ImageHandle,
69  IN EFI_SYSTEM_TABLE  *SystemTable
70  )
71{
72  return RegisterSecurity2Handler (
73           DxeImageAuthenticationStatusHandler,
74           EFI_AUTH_OPERATION_AUTHENTICATION_STATE
75           );
76}
77