Reviewed-by: Jian J Wang <jian.j.w...@intel.com> > -----Original Message----- > From: Zhang, Shenglei > Sent: Thursday, June 20, 2019 9:31 AM > To: devel@edk2.groups.io > Cc: Zhang, Chao B <chao.b.zh...@intel.com>; Yao, Jiewen > <jiewen....@intel.com>; Wang, Jian J <jian.j.w...@intel.com> > Subject: [PATCH] SecurityPkg/DxeDeferImageLoadLib: Remove > DxeDeferImageLoadLib > > The library DxeDeferImageLoadLib supports UID feature and it is conflicted > with the driver SecurityStubDxe (Defer3rdPartyImageLoad.c). > And the UID feature is dropped. So it should be removed from SecurityPkg. > https://bugzilla.tianocore.org/show_bug.cgi?id=1919 > > Cc: Chao Zhang <chao.b.zh...@intel.com> > Cc: Jiewen Yao <jiewen....@intel.com> > Cc: Jian Wang <jian.j.w...@intel.com> > Signed-off-by: Shenglei Zhang <shenglei.zh...@intel.com> > --- > .../DxeDeferImageLoadLib.c | 927 ------------------ > .../DxeDeferImageLoadLib.h | 99 -- > .../DxeDeferImageLoadLib.inf | 63 -- > .../DxeDeferImageLoadLib.uni | 18 - > SecurityPkg/SecurityPkg.dsc | 1 - > 5 files changed, 1108 deletions(-) > delete mode 100644 > SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.c > delete mode 100644 > SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.h > delete mode 100644 > SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.inf > delete mode 100644 > SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.uni > > diff --git > a/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.c > b/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.c > deleted file mode 100644 > index a6a3fe3cfc68..000000000000 > --- a/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.c > +++ /dev/null > @@ -1,927 +0,0 @@ > -/** @file > - Implement defer image load services for user identification in UEFI2.2. > - > -Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR> > -SPDX-License-Identifier: BSD-2-Clause-Patent > - > -**/ > - > -#include "DxeDeferImageLoadLib.h" > - > -// > -// Handle for the Deferred Image Load Protocol instance produced by this > driver. > -// > -EFI_HANDLE mDeferredImageHandle = NULL; > -BOOLEAN mIsProtocolInstalled = FALSE; > -EFI_USER_MANAGER_PROTOCOL *mUserManager = NULL; > -DEFERRED_IMAGE_TABLE mDeferredImage = { > - 0, // Deferred image count > - NULL // The deferred image info > -}; > - > -EFI_DEFERRED_IMAGE_LOAD_PROTOCOL gDeferredImageLoad = { > - GetDefferedImageInfo > -}; > - > -/** > - Get the image type. > - > - @param[in] File This is a pointer to the device path of the file > - that is being dispatched. > - > - @return UINT32 Image Type > - > -**/ > -UINT32 > -GetFileType ( > - IN CONST EFI_DEVICE_PATH_PROTOCOL *File > - ) > -{ > - EFI_STATUS Status; > - EFI_HANDLE DeviceHandle; > - EFI_DEVICE_PATH_PROTOCOL *TempDevicePath; > - EFI_BLOCK_IO_PROTOCOL *BlockIo; > - > - // > - // First check to see if File is from a Firmware Volume > - // > - DeviceHandle = NULL; > - TempDevicePath = (EFI_DEVICE_PATH_PROTOCOL *)File; > - Status = gBS->LocateDevicePath ( > - &gEfiFirmwareVolume2ProtocolGuid, > - &TempDevicePath, > - &DeviceHandle > - ); > - if (!EFI_ERROR (Status)) { > - Status = gBS->OpenProtocol ( > - DeviceHandle, > - &gEfiFirmwareVolume2ProtocolGuid, > - NULL, > - NULL, > - NULL, > - EFI_OPEN_PROTOCOL_TEST_PROTOCOL > - ); > - if (!EFI_ERROR (Status)) { > - return IMAGE_FROM_FV; > - } > - } > - > - // > - // Next check to see if File is from a Block I/O device > - // > - DeviceHandle = NULL; > - TempDevicePath = (EFI_DEVICE_PATH_PROTOCOL *)File; > - Status = gBS->LocateDevicePath ( > - &gEfiBlockIoProtocolGuid, > - &TempDevicePath, > - &DeviceHandle > - ); > - if (!EFI_ERROR (Status)) { > - BlockIo = NULL; > - Status = gBS->OpenProtocol ( > - DeviceHandle, > - &gEfiBlockIoProtocolGuid, > - (VOID **) &BlockIo, > - NULL, > - NULL, > - EFI_OPEN_PROTOCOL_GET_PROTOCOL > - ); > - if (!EFI_ERROR (Status) && BlockIo != NULL) { > - if (BlockIo->Media != NULL) { > - if (BlockIo->Media->RemovableMedia) { > - // > - // Block I/O is present and specifies the media is removable > - // > - return IMAGE_FROM_REMOVABLE_MEDIA; > - } else { > - // > - // Block I/O is present and specifies the media is not removable > - // > - return IMAGE_FROM_FIXED_MEDIA; > - } > - } > - } > - } > - > - // > - // File is not in a Firmware Volume or on a Block I/O device, so check to > see if > - // the device path supports the Simple File System Protocol. > - // > - DeviceHandle = NULL; > - TempDevicePath = (EFI_DEVICE_PATH_PROTOCOL *)File; > - Status = gBS->LocateDevicePath ( > - &gEfiSimpleFileSystemProtocolGuid, > - &TempDevicePath, > - &DeviceHandle > - ); > - if (!EFI_ERROR (Status)) { > - // > - // Simple File System is present without Block I/O, so assume media is > fixed. > - // > - return IMAGE_FROM_FIXED_MEDIA; > - } > - > - // > - // File is not from an FV, Block I/O or Simple File System, so the only > options > - // left are a PCI Option ROM and a Load File Protocol such as a PXE Boot > from a NIC. > - // > - TempDevicePath = (EFI_DEVICE_PATH_PROTOCOL *)File; > - while (!IsDevicePathEndType (TempDevicePath)) { > - switch (DevicePathType (TempDevicePath)) { > - > - case MEDIA_DEVICE_PATH: > - if (DevicePathSubType (TempDevicePath) == > MEDIA_RELATIVE_OFFSET_RANGE_DP) { > - return IMAGE_FROM_OPTION_ROM; > - } > - break; > - > - case MESSAGING_DEVICE_PATH: > - if (DevicePathSubType(TempDevicePath) == MSG_MAC_ADDR_DP) { > - return IMAGE_FROM_REMOVABLE_MEDIA; > - } > - break; > - > - default: > - break; > - } > - TempDevicePath = NextDevicePathNode (TempDevicePath); > - } > - return IMAGE_UNKNOWN; > -} > - > - > -/** > - Get current user's access right. > - > - @param[out] AccessControl Points to the user's access control data, the > - caller should free data buffer. > - @param[in] AccessType The type of user access control. > - > - @retval EFI_SUCCESS Get current user access control successfully > - @retval others Fail to get current user access control > - > -**/ > -EFI_STATUS > -GetAccessControl ( > - OUT EFI_USER_INFO_ACCESS_CONTROL **AccessControl, > - IN UINT32 AccessType > - ) > -{ > - EFI_STATUS Status; > - EFI_USER_INFO_HANDLE UserInfo; > - EFI_USER_INFO *Info; > - UINTN InfoSize; > - EFI_USER_INFO_ACCESS_CONTROL *Access; > - EFI_USER_PROFILE_HANDLE CurrentUser; > - UINTN CheckLen; > - EFI_USER_MANAGER_PROTOCOL *UserManager; > - > - CurrentUser = NULL; > - Status = gBS->LocateProtocol ( > - &gEfiUserManagerProtocolGuid, > - NULL, > - (VOID **) &UserManager > - ); > - if (EFI_ERROR (Status)) { > - return EFI_NOT_FOUND; > - } > - > - // > - // Get current user access information. > - // > - UserManager->Current (UserManager, &CurrentUser); > - > - UserInfo = NULL; > - Info = NULL; > - InfoSize = 0; > - while (TRUE) { > - // > - // Get next user information. > - // > - Status = UserManager->GetNextInfo (UserManager, CurrentUser, > &UserInfo); > - if (EFI_ERROR (Status)) { > - return Status; > - } > - > - Status = UserManager->GetInfo ( > - UserManager, > - CurrentUser, > - UserInfo, > - Info, > - &InfoSize > - ); > - if (Status == EFI_BUFFER_TOO_SMALL) { > - if (Info != NULL) { > - FreePool (Info); > - } > - Info = AllocateZeroPool (InfoSize); > - ASSERT (Info != NULL); > - Status = UserManager->GetInfo ( > - UserManager, > - CurrentUser, > - UserInfo, > - Info, > - &InfoSize > - ); > - } > - > - if (EFI_ERROR (Status)) { > - break; > - } > - > - ASSERT (Info != NULL); > - if (Info->InfoType != EFI_USER_INFO_ACCESS_POLICY_RECORD) { > - continue; > - } > - > - // > - // Get specified access information. > - // > - CheckLen = 0; > - while (CheckLen < Info->InfoSize - sizeof (EFI_USER_INFO)) { > - Access = (EFI_USER_INFO_ACCESS_CONTROL *) ((UINT8 *) (Info + 1) + > CheckLen); > - if (Access->Type == AccessType) { > - *AccessControl = AllocateZeroPool (Access->Size); > - ASSERT (*AccessControl != NULL); > - CopyMem (*AccessControl, Access, Access->Size); > - FreePool (Info); > - return EFI_SUCCESS; > - } > - CheckLen += Access->Size; > - } > - } > - > - if (Info != NULL) { > - FreePool (Info); > - } > - return EFI_NOT_FOUND; > -} > - > -/** > - Get file name from device path. > - > - The file name may contain one or more device path node. Save the file > name in a > - buffer if file name is found. The caller is responsible to free the buffer. > - > - @param[in] DevicePath A pointer to a device path. > - @param[out] FileName The callee allocated buffer to save the file > name if file name is found. > - @param[out] FileNameOffset The offset of file name in device path if file > name is found. > - > - @retval UINTN The file name length. 0 means file name is not > found. > - > -**/ > -UINTN > -GetFileName ( > - IN CONST EFI_DEVICE_PATH_PROTOCOL *DevicePath, > - OUT UINT8 **FileName, > - OUT UINTN *FileNameOffset > - ) > -{ > - UINTN Length; > - EFI_DEVICE_PATH_PROTOCOL *TmpDevicePath; > - EFI_DEVICE_PATH_PROTOCOL *RootDevicePath; > - CHAR8 *NodeStr; > - UINTN NodeStrLength; > - CHAR16 LastNodeChar; > - CHAR16 FirstNodeChar; > - > - // > - // Get the length of DevicePath before file name. > - // > - Length = 0; > - RootDevicePath = (EFI_DEVICE_PATH_PROTOCOL *)DevicePath; > - while (!IsDevicePathEnd (RootDevicePath)) { > - if ((DevicePathType(RootDevicePath) == MEDIA_DEVICE_PATH) && > (DevicePathSubType(RootDevicePath) == MEDIA_FILEPATH_DP)) { > - break; > - } > - Length += DevicePathNodeLength (RootDevicePath); > - RootDevicePath = NextDevicePathNode (RootDevicePath); > - } > - > - *FileNameOffset = Length; > - if (Length == 0) { > - return 0; > - } > - > - // > - // Get the file name length. > - // > - Length = 0; > - TmpDevicePath = RootDevicePath; > - while (!IsDevicePathEnd (TmpDevicePath)) { > - if ((DevicePathType(TmpDevicePath) != MEDIA_DEVICE_PATH) || > (DevicePathSubType(TmpDevicePath) != MEDIA_FILEPATH_DP)) { > - break; > - } > - Length += DevicePathNodeLength (TmpDevicePath) - sizeof > (EFI_DEVICE_PATH_PROTOCOL); > - TmpDevicePath = NextDevicePathNode (TmpDevicePath); > - } > - if (Length == 0) { > - return 0; > - } > - > - *FileName = AllocateZeroPool (Length); > - ASSERT (*FileName != NULL); > - > - // > - // Copy the file name to the buffer. > - // > - Length = 0; > - LastNodeChar = '\\'; > - TmpDevicePath = RootDevicePath; > - while (!IsDevicePathEnd (TmpDevicePath)) { > - if ((DevicePathType(TmpDevicePath) != MEDIA_DEVICE_PATH) || > (DevicePathSubType(TmpDevicePath) != MEDIA_FILEPATH_DP)) { > - break; > - } > - > - FirstNodeChar = (CHAR16) ReadUnaligned16 ((UINT16 *)((UINT8 > *)TmpDevicePath + sizeof (EFI_DEVICE_PATH_PROTOCOL))); > - NodeStr = (CHAR8 *)TmpDevicePath + sizeof > (EFI_DEVICE_PATH_PROTOCOL); > - NodeStrLength = DevicePathNodeLength (TmpDevicePath) - sizeof > (EFI_DEVICE_PATH_PROTOCOL) - sizeof(CHAR16); > - > - if ((FirstNodeChar == '\\') && (LastNodeChar == '\\')) { > - // > - // Skip separator "\" when there are two separators. > - // > - NodeStr += sizeof (CHAR16); > - NodeStrLength -= sizeof (CHAR16); > - } else if ((FirstNodeChar != '\\') && (LastNodeChar != '\\')) { > - // > - // Add separator "\" when there is no separator. > - // > - WriteUnaligned16 ((UINT16 *)(*FileName + Length), '\\'); > - Length += sizeof (CHAR16); > - } > - CopyMem (*FileName + Length, NodeStr, NodeStrLength); > - Length += NodeStrLength; > - > - LastNodeChar = (CHAR16) ReadUnaligned16 ((UINT16 *) (NodeStr + > NodeStrLength - sizeof(CHAR16))); > - TmpDevicePath = NextDevicePathNode (TmpDevicePath); > - } > - > - return Length; > -} > - > - > -/** > - Check whether the DevicePath2 is identical with DevicePath1, or identical > with > - DevicePath1's child device path. > - > - If DevicePath2 is identical with DevicePath1, or with DevicePath1's child > device > - path, then TRUE returned. Otherwise, FALSE is returned. > - > - If DevicePath1 is NULL, then ASSERT(). > - If DevicePath2 is NULL, then ASSERT(). > - > - @param[in] DevicePath1 A pointer to a device path. > - @param[in] DevicePath2 A pointer to a device path. > - > - @retval TRUE Two device paths are identical , or DevicePath2 > is > - DevicePath1's child device path. > - @retval FALSE Two device paths are not identical, and > DevicePath2 > - is not DevicePath1's child device path. > - > -**/ > -BOOLEAN > -CheckDevicePath ( > - IN CONST EFI_DEVICE_PATH_PROTOCOL *DevicePath1, > - IN CONST EFI_DEVICE_PATH_PROTOCOL *DevicePath2 > - ) > -{ > - UINTN DevicePathSize; > - UINTN FileNameSize1; > - UINTN FileNameSize2; > - UINT8 *FileName1; > - UINT8 *FileName2; > - UINTN FileNameOffset1; > - UINTN FileNameOffset2; > - BOOLEAN DevicePathEqual; > - > - FileName1 = NULL; > - FileName2 = NULL; > - DevicePathEqual = TRUE; > - > - ASSERT (DevicePath1 != NULL); > - ASSERT (DevicePath2 != NULL); > - if (IsDevicePathEnd (DevicePath1)) { > - return FALSE; > - } > - > - // > - // The file name may contain one or more device path node. > - // To compare the file name, copy file name to a buffer and compare the > buffer. > - // > - FileNameSize1 = GetFileName (DevicePath1, &FileName1, > &FileNameOffset1); > - if (FileNameSize1 != 0) { > - FileNameSize2 = GetFileName (DevicePath2, &FileName2, > &FileNameOffset2); > - if (FileNameOffset1 != FileNameOffset2) { > - DevicePathEqual = FALSE; > - goto Done; > - } > - if (CompareMem (DevicePath1, DevicePath2, FileNameOffset1) != 0) { > - DevicePathEqual = FALSE; > - goto Done; > - } > - if (FileNameSize1 > FileNameSize2) { > - DevicePathEqual = FALSE; > - goto Done; > - } > - if (CompareMem (FileName1, FileName2, FileNameSize1) != 0) { > - DevicePathEqual = FALSE; > - goto Done; > - } > - DevicePathEqual = TRUE; > - goto Done; > - } > - > - DevicePathSize = GetDevicePathSize (DevicePath1); > - if (DevicePathSize > GetDevicePathSize (DevicePath2)) { > - return FALSE; > - } > - > - // > - // Exclude the end of device path node. > - // > - DevicePathSize -= sizeof (EFI_DEVICE_PATH_PROTOCOL); > - if (CompareMem (DevicePath1, DevicePath2, DevicePathSize) != 0) { > - DevicePathEqual = FALSE; > - } > - > -Done: > - if (FileName1 != NULL) { > - FreePool (FileName1); > - } > - if (FileName2 != NULL) { > - FreePool (FileName2); > - } > - return DevicePathEqual; > -} > - > - > -/** > - Check whether the image pointed to by DevicePath is in the device path > list > - specified by AccessType. > - > - @param[in] DevicePath Points to device path. > - @param[in] AccessType The type of user access control. > - > - @retval TRUE The DevicePath is in the specified List. > - @retval FALSE The DevicePath is not in the specified List. > - > -**/ > -BOOLEAN > -IsDevicePathInList ( > - IN CONST EFI_DEVICE_PATH_PROTOCOL *DevicePath, > - IN UINT32 AccessType > - ) > -{ > - EFI_STATUS Status; > - EFI_USER_INFO_ACCESS_CONTROL *Access; > - EFI_DEVICE_PATH_PROTOCOL *Path; > - UINTN OffSet; > - > - Status = GetAccessControl (&Access, AccessType); > - if (EFI_ERROR (Status)) { > - return FALSE; > - } > - > - OffSet = 0; > - while (OffSet < Access->Size - sizeof (EFI_USER_INFO_ACCESS_CONTROL)) > { > - Path = (EFI_DEVICE_PATH_PROTOCOL*)((UINT8*)(Access + 1) + OffSet); > - if (CheckDevicePath (Path, DevicePath)) { > - // > - // The device path is found in list. > - // > - FreePool (Access); > - return TRUE; > - } > - OffSet += GetDevicePathSize (Path); > - } > - > - FreePool (Access); > - return FALSE; > -} > - > - > -/** > - Check whether the image pointed to by DevicePath is permitted to load. > - > - @param[in] DevicePath Points to device path > - > - @retval TRUE The image pointed by DevicePath is permitted to > load. > - @retval FALSE The image pointed by DevicePath is forbidden to > load. > - > -**/ > -BOOLEAN > -VerifyDevicePath ( > - IN CONST EFI_DEVICE_PATH_PROTOCOL *DevicePath > - ) > -{ > - if (IsDevicePathInList (DevicePath, > EFI_USER_INFO_ACCESS_PERMIT_LOAD)) { > - // > - // This access control overrides any restrictions put in place by the > - // EFI_USER_INFO_ACCESS_FORBID_LOAD record. > - // > - return TRUE; > - } > - > - if (IsDevicePathInList (DevicePath, > EFI_USER_INFO_ACCESS_FORBID_LOAD)) { > - // > - // The device path is found in the forbidden list. > - // > - return FALSE; > - } > - > - return TRUE; > -} > - > - > -/** > - Check the image pointed by DevicePath is a boot option or not. > - > - @param[in] DevicePath Points to device path. > - > - @retval TRUE The image pointed by DevicePath is a boot option. > - @retval FALSE The image pointed by DevicePath is not a boot > option. > - > -**/ > -BOOLEAN > -IsBootOption ( > - IN CONST EFI_DEVICE_PATH_PROTOCOL *DevicePath > - ) > -{ > - EFI_STATUS Status; > - UINT16 *BootOrderList; > - UINTN BootOrderListSize; > - UINTN Index; > - CHAR16 StrTemp[20]; > - UINT8 *OptionBuffer; > - UINT8 *OptionPtr; > - EFI_DEVICE_PATH_PROTOCOL *OptionDevicePath; > - > - // > - // Get BootOrder > - // > - BootOrderListSize = 0; > - BootOrderList = NULL; > - Status = gRT->GetVariable ( > - L"BootOrder", > - &gEfiGlobalVariableGuid, > - NULL, > - &BootOrderListSize, > - NULL > - ); > - if (Status == EFI_BUFFER_TOO_SMALL) { > - BootOrderList = AllocateZeroPool (BootOrderListSize); > - ASSERT (BootOrderList != NULL); > - Status = gRT->GetVariable ( > - L"BootOrder", > - &gEfiGlobalVariableGuid, > - NULL, > - &BootOrderListSize, > - BootOrderList > - ); > - } > - > - if (EFI_ERROR (Status)) { > - // > - // No Boot option > - // > - return FALSE; > - } > - > - OptionBuffer = NULL; > - for (Index = 0; Index < BootOrderListSize / sizeof (UINT16); Index++) { > - // > - // Try to find the DevicePath in BootOption > - // > - UnicodeSPrint (StrTemp, sizeof (StrTemp), L"Boot%04x", Index); > - GetEfiGlobalVariable2 (StrTemp, (VOID**)&OptionBuffer, NULL); > - if (OptionBuffer == NULL) { > - continue; > - } > - > - // > - // Check whether the image is forbidden. > - // > - > - OptionPtr = OptionBuffer; > - // > - // Skip attribute. > - // > - OptionPtr += sizeof (UINT32); > - > - // > - // Skip device path length. > - // > - OptionPtr += sizeof (UINT16); > - > - // > - // Skip descript string > - // > - OptionPtr += StrSize ((UINT16 *) OptionPtr); > - > - // > - // Now OptionPtr points to Device Path. > - // > - OptionDevicePath = (EFI_DEVICE_PATH_PROTOCOL *) OptionPtr; > - > - if (CheckDevicePath (DevicePath, OptionDevicePath)) { > - FreePool (OptionBuffer); > - OptionBuffer = NULL; > - return TRUE; > - } > - FreePool (OptionBuffer); > - OptionBuffer = NULL; > - } > - > - if (BootOrderList != NULL) { > - FreePool (BootOrderList); > - } > - > - return FALSE; > -} > - > - > -/** > - Add the image info to a deferred image list. > - > - @param[in] ImageDevicePath A pointer to the device path of a image. > - @param[in] Image Points to the first byte of the image, or > NULL if > the > - image is not available. > - @param[in] ImageSize The size of the image, or 0 if the image is > not > available. > - > -**/ > -VOID > -PutDefferedImageInfo ( > - IN CONST EFI_DEVICE_PATH_PROTOCOL *ImageDevicePath, > - IN VOID *Image, > - IN UINTN ImageSize > - ) > -{ > - DEFERRED_IMAGE_INFO *CurImageInfo; > - UINTN PathSize; > - > - // > - // Expand memory for the new deferred image. > - // > - if (mDeferredImage.Count == 0) { > - mDeferredImage.ImageInfo = AllocatePool (sizeof > (DEFERRED_IMAGE_INFO)); > - ASSERT (mDeferredImage.ImageInfo != NULL); > - } else { > - CurImageInfo = AllocatePool ((mDeferredImage.Count + 1) * sizeof > (DEFERRED_IMAGE_INFO)); > - ASSERT (CurImageInfo != NULL); > - > - CopyMem ( > - CurImageInfo, > - mDeferredImage.ImageInfo, > - mDeferredImage.Count * sizeof (DEFERRED_IMAGE_INFO) > - ); > - FreePool (mDeferredImage.ImageInfo); > - mDeferredImage.ImageInfo = CurImageInfo; > - } > - mDeferredImage.Count++; > - > - // > - // Save the deferred image information. > - // > - CurImageInfo = &mDeferredImage.ImageInfo[mDeferredImage.Count - 1]; > - PathSize = GetDevicePathSize (ImageDevicePath); > - CurImageInfo->ImageDevicePath = AllocateZeroPool (PathSize); > - ASSERT (CurImageInfo->ImageDevicePath != NULL); > - CopyMem (CurImageInfo->ImageDevicePath, ImageDevicePath, PathSize); > - > - CurImageInfo->Image = Image; > - CurImageInfo->ImageSize = ImageSize; > - CurImageInfo->BootOption = IsBootOption (ImageDevicePath); > -} > - > - > -/** > - Returns information about a deferred image. > - > - This function returns information about a single deferred image. The > deferred images are > - numbered consecutively, starting with 0. If there is no image which > corresponds to > - ImageIndex, then EFI_NOT_FOUND is returned. All deferred images may > be returned by > - iteratively calling this function until EFI_NOT_FOUND is returned. > - Image may be NULL and ImageSize set to 0 if the decision to defer > execution was made > - because of the location of the executable image, rather than its actual > contents. > - > - @param[in] This Points to this instance of the > EFI_DEFERRED_IMAGE_LOAD_PROTOCOL. > - @param[in] ImageIndex Zero-based index of the deferred index. > - @param[out] ImageDevicePath On return, points to a pointer to the > device path of the image. > - The device path should not be freed by the > caller. > - @param[out] Image On return, points to the first byte of the > image > or NULL if the > - image is not available. The image should not > be freed by > the caller > - unless LoadImage() has been successfully > called. > - @param[out] ImageSize On return, the size of the image, or 0 if the > image is not available. > - @param[out] BootOption On return, points to TRUE if the image was > intended as a boot option > - or FALSE if it was not intended as a boot > option. > - > - @retval EFI_SUCCESS Image information returned successfully. > - @retval EFI_NOT_FOUND ImageIndex does not refer to a valid image. > - @retval EFI_INVALID_PARAMETER ImageDevicePath is NULL or Image is > NULL or ImageSize is NULL or > - BootOption is NULL. > - > -**/ > -EFI_STATUS > -EFIAPI > -GetDefferedImageInfo ( > - IN EFI_DEFERRED_IMAGE_LOAD_PROTOCOL *This, > - IN UINTN ImageIndex, > - OUT EFI_DEVICE_PATH_PROTOCOL **ImageDevicePath, > - OUT VOID **Image, > - OUT UINTN *ImageSize, > - OUT BOOLEAN *BootOption > - ) > -{ > - DEFERRED_IMAGE_INFO *ReqImageInfo; > - > - // > - // Check the parameter. > - // > - > - if ((This == NULL) || (ImageSize == NULL) || (Image == NULL)) { > - return EFI_INVALID_PARAMETER; > - } > - > - if ((ImageDevicePath == NULL) || (BootOption == NULL)) { > - return EFI_INVALID_PARAMETER; > - } > - > - if (ImageIndex >= mDeferredImage.Count) { > - return EFI_NOT_FOUND; > - } > - > - // > - // Get the request deferred image. > - // > - ReqImageInfo = &mDeferredImage.ImageInfo[ImageIndex]; > - > - *ImageDevicePath = ReqImageInfo->ImageDevicePath; > - *Image = ReqImageInfo->Image; > - *ImageSize = ReqImageInfo->ImageSize; > - *BootOption = ReqImageInfo->BootOption; > - > - return EFI_SUCCESS; > -} > - > - > -/** > - Provides the service of deferring image load based on platform policy > control, > - and installs Deferred Image Load Protocol. > - > - @param[in] AuthenticationStatus This is the authentication status > returned from the > - security measurement services for the > input file. > - @param[in] File This is a pointer to the device path of > the file > that > - is being dispatched. This will > optionally be used for > - logging. > - @param[in] FileBuffer File buffer matches the input file > device path. > - @param[in] FileSize Size of File buffer matches the input > file > device path. > - @param[in] BootPolicy A boot policy that was used to call > LoadImage() UEFI service. > - > - @retval EFI_SUCCESS FileBuffer is NULL and current user has > permission to start > - UEFI device drivers on the device path > specified by > DevicePath. > - @retval EFI_SUCCESS The file specified by DevicePath and non- > NULL > - FileBuffer did authenticate, and the > platform policy > dictates > - that the DXE Foundation may use the file. > - @retval EFI_SECURITY_VIOLATION FileBuffer is NULL and the user has no > - permission to start UEFI device drivers > on the device > path specified > - by DevicePath. > - @retval EFI_SECURITY_VIOLATION FileBuffer is not NULL and the user > has no permission to load > - drivers from the device path specified > by DevicePath. > The > - image has been added into the list of > the deferred > images. > - @retval EFI_ACCESS_DENIED The file specified by File and FileBuffer > did not > - authenticate, and the platform policy > dictates that the > DXE > - Foundation many not use File. > - > -**/ > -EFI_STATUS > -EFIAPI > -DxeDeferImageLoadHandler ( > - IN UINT32 AuthenticationStatus, > - IN CONST EFI_DEVICE_PATH_PROTOCOL *File, > - IN VOID *FileBuffer, > - IN UINTN FileSize, > - IN BOOLEAN BootPolicy > - ) > -{ > - EFI_STATUS Status; > - EFI_USER_PROFILE_HANDLE CurrentUser; > - UINT32 Policy; > - UINT32 FileType; > - > - // > - // Ignore if File is NULL. > - // > - if (File == NULL) { > - return EFI_SUCCESS; > - } > - > - // > - // Check whether user has a logon. > - // > - CurrentUser = NULL; > - if (mUserManager != NULL) { > - mUserManager->Current (mUserManager, &CurrentUser); > - if (CurrentUser != NULL) { > - // > - // The user is logon; verify the FilePath by current user access > policy. > - // > - if (!VerifyDevicePath (File)) { > - DEBUG ((EFI_D_ERROR, "[Security] The image is forbidden to > load!\n")); > - return EFI_SECURITY_VIOLATION; > - } > - return EFI_SUCCESS; > - } > - } > - > - // > - // Still no user logon. > - // Check the file type and get policy setting. > - // > - FileType = GetFileType (File); > - Policy = PcdGet32 (PcdDeferImageLoadPolicy); > - if ((Policy & FileType) == FileType) { > - // > - // This file type is secure to load. > - // > - return EFI_SUCCESS; > - } > - > - DEBUG ((EFI_D_INFO, "[Security] No user identified, the image is deferred > to load!\n")); > - PutDefferedImageInfo (File, FileBuffer, FileSize); > - > - // > - // Install the Deferred Image Load Protocol onto a new handle. > - // > - if (!mIsProtocolInstalled) { > - Status = gBS->InstallMultipleProtocolInterfaces ( > - &mDeferredImageHandle, > - &gEfiDeferredImageLoadProtocolGuid, > - &gDeferredImageLoad, > - NULL > - ); > - ASSERT_EFI_ERROR (Status); > - mIsProtocolInstalled = TRUE; > - } > - > - return EFI_ACCESS_DENIED; > -} > - > -/** > - Locate user manager protocol when user manager is installed. > - > - @param[in] Event The Event that is being processed, not used. > - @param[in] Context Event Context, not used. > - > -**/ > -VOID > -EFIAPI > -FindUserManagerProtocol ( > - IN EFI_EVENT Event, > - IN VOID* Context > - ) > -{ > - gBS->LocateProtocol ( > - &gEfiUserManagerProtocolGuid, > - NULL, > - (VOID **) &mUserManager > - ); > - > -} > - > - > -/** > - Register security handler for deferred image load. > - > - @param[in] ImageHandle ImageHandle of the loaded driver. > - @param[in] SystemTable Pointer to the EFI System Table. > - > - @retval EFI_SUCCESS The handlers were registered successfully. > -**/ > -EFI_STATUS > -EFIAPI > -DxeDeferImageLoadLibConstructor ( > - IN EFI_HANDLE ImageHandle, > - IN EFI_SYSTEM_TABLE *SystemTable > - ) > -{ > - VOID *Registration; > - > - // > - // Register user manager notification function. > - // > - EfiCreateProtocolNotifyEvent ( > - &gEfiUserManagerProtocolGuid, > - TPL_CALLBACK, > - FindUserManagerProtocol, > - NULL, > - &Registration > - ); > - > - return RegisterSecurity2Handler ( > - DxeDeferImageLoadHandler, > - EFI_AUTH_OPERATION_DEFER_IMAGE_LOAD > - ); > -} > - > - > diff --git > a/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.h > b/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.h > deleted file mode 100644 > index 6f7991761711..000000000000 > --- a/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.h > +++ /dev/null > @@ -1,99 +0,0 @@ > -/** @file > - The internal header file includes the common header files, defines > - internal structure and functions used by DeferImageLoadLib. > - > -Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR> > -SPDX-License-Identifier: BSD-2-Clause-Patent > - > -**/ > - > -#ifndef __DEFER_IMAGE_LOAD_LIB_H__ > -#define __DEFER_IMAGE_LOAD_LIB_H__ > - > -#include <PiDxe.h> > -#include <Library/UefiRuntimeServicesTableLib.h> > -#include <Library/UefiBootServicesTableLib.h> > -#include <Library/SecurityManagementLib.h> > -#include <Library/MemoryAllocationLib.h> > -#include <Library/DevicePathLib.h> > -#include <Library/BaseMemoryLib.h> > -#include <Library/PrintLib.h> > -#include <Library/DebugLib.h> > -#include <Library/UefiLib.h> > -#include <Library/PcdLib.h> > - > -#include <Protocol/FirmwareVolume2.h> > -#include <Protocol/BlockIo.h> > -#include <Protocol/SimpleFileSystem.h> > -#include <Protocol/DeferredImageLoad.h> > -#include <Protocol/UserCredential.h> > -#include <Protocol/UserManager.h> > - > -#include <Guid/GlobalVariable.h> > - > -// > -// Image type definitions. > -// > -#define IMAGE_UNKNOWN 0x00000001 > -#define IMAGE_FROM_FV 0x00000002 > -#define IMAGE_FROM_OPTION_ROM 0x00000004 > -#define IMAGE_FROM_REMOVABLE_MEDIA 0x00000008 > -#define IMAGE_FROM_FIXED_MEDIA 0x00000010 > - > -// > -// The struct to save the deferred image information. > -// > -typedef struct { > - EFI_DEVICE_PATH_PROTOCOL *ImageDevicePath; > - VOID *Image; > - UINTN ImageSize; > - BOOLEAN BootOption; > -} DEFERRED_IMAGE_INFO; > - > -// > -// The table to save the deferred image item. > -// > -typedef struct { > - UINTN Count; ///< deferred image count > - DEFERRED_IMAGE_INFO *ImageInfo; ///< deferred image item > -} DEFERRED_IMAGE_TABLE; > - > -/** > - Returns information about a deferred image. > - > - This function returns information about a single deferred image. The > deferred images are > - numbered consecutively, starting with 0. If there is no image which > corresponds to > - ImageIndex, then EFI_NOT_FOUND is returned. All deferred images may > be returned by > - iteratively calling this function until EFI_NOT_FOUND is returned. > - Image may be NULL and ImageSize set to 0 if the decision to defer > execution was made > - because of the location of the executable image, rather than its actual > contents. > - > - @param[in] This Points to this instance of the > EFI_DEFERRED_IMAGE_LOAD_PROTOCOL. > - @param[in] ImageIndex Zero-based index of the deferred index. > - @param[out] ImageDevicePath On return, points to a pointer to the > device path of the image. > - The device path should not be freed by the > caller. > - @param[out] Image On return, points to the first byte of the > image > or NULL if the > - image is not available. The image should not > be freed by > the caller > - unless LoadImage() has been called > successfully. > - @param[out] ImageSize On return, the size of the image, or 0 if the > image is not available. > - @param[out] BootOption On return, points to TRUE if the image was > intended as a boot option > - or FALSE if it was not intended as a boot > option. > - > - @retval EFI_SUCCESS Image information returned successfully. > - @retval EFI_NOT_FOUND ImageIndex does not refer to a valid image. > - @retval EFI_INVALID_PARAMETER ImageDevicePath is NULL or Image is > NULL or ImageSize is NULL or > - BootOption is NULL. > - > -**/ > -EFI_STATUS > -EFIAPI > -GetDefferedImageInfo ( > - IN EFI_DEFERRED_IMAGE_LOAD_PROTOCOL *This, > - IN UINTN ImageIndex, > - OUT EFI_DEVICE_PATH_PROTOCOL **ImageDevicePath, > - OUT VOID **Image, > - OUT UINTN *ImageSize, > - OUT BOOLEAN *BootOption > - ); > - > -#endif > diff --git > a/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.inf > b/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.inf > deleted file mode 100644 > index 6005b8730977..000000000000 > --- a/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.inf > +++ /dev/null > @@ -1,63 +0,0 @@ > -## @file > -# Provides security service of deferred image load > -# > -# The platform may need to defer the execution of an image because of > security > -# considerations. These deferred images will be recorded and then > reported by > -# installing an instance of the EFI_DEFERRED_IMAGE_LOAD_PROTOCOL. > -# > -# Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR> > -# SPDX-License-Identifier: BSD-2-Clause-Patent > -# > -## > - > -[Defines] > - INF_VERSION = 0x00010005 > - BASE_NAME = DxeDeferImageLoadLib > - MODULE_UNI_FILE = DxeDeferImageLoadLib.uni > - FILE_GUID = 5E2FAE1F-41DA-4fbd-BC81-603CE5CD8497 > - MODULE_TYPE = DXE_DRIVER > - VERSION_STRING = 1.0 > - LIBRARY_CLASS = NULL|DXE_DRIVER UEFI_DRIVER > DXE_RUNTIME_DRIVER UEFI_APPLICATION > - CONSTRUCTOR = DxeDeferImageLoadLibConstructor > - > -# > -# The following information is for reference only and not required by the > build tools. > -# > -# VALID_ARCHITECTURES = IA32 X64 EBC > -# > - > -[Sources] > - DxeDeferImageLoadLib.c > - DxeDeferImageLoadLib.h > - > -[Packages] > - MdePkg/MdePkg.dec > - MdeModulePkg/MdeModulePkg.dec > - SecurityPkg/SecurityPkg.dec > - > -[LibraryClasses] > - UefiRuntimeServicesTableLib > - UefiBootServicesTableLib > - SecurityManagementLib > - MemoryAllocationLib > - DevicePathLib > - BaseMemoryLib > - PrintLib > - DebugLib > - UefiLib > - PcdLib > - > -[Protocols] > - gEfiFirmwareVolume2ProtocolGuid ## > SOMETIMES_CONSUMES > - gEfiBlockIoProtocolGuid ## > SOMETIMES_CONSUMES > - gEfiSimpleFileSystemProtocolGuid ## > SOMETIMES_CONSUMES > - gEfiDeferredImageLoadProtocolGuid ## > SOMETIMES_PRODUCES > - ## SOMETIMES_CONSUMES > - ## NOTIFY > - gEfiUserManagerProtocolGuid > - > -[Guids] > - gEfiGlobalVariableGuid ## > SOMETIMES_CONSUMES > ## Variable:L"BootOrder" > - > -[Pcd] > - gEfiSecurityPkgTokenSpaceGuid.PcdDeferImageLoadPolicy ## > SOMETIMES_CONSUMES > diff --git > a/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.uni > b/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.uni > deleted file mode 100644 > index 69c381369359..000000000000 > --- a/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.uni > +++ /dev/null > @@ -1,18 +0,0 @@ > -// /** @file > -// Provides security service of deferred image load > -// > -// The platform may need to defer the execution of an image because of > security > -// considerations. These deferred images will be recorded and then > reported by > -// installing an instance of the EFI_DEFERRED_IMAGE_LOAD_PROTOCOL. > -// > -// Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR> > -// > -// SPDX-License-Identifier: BSD-2-Clause-Patent > -// > -// **/ > - > - > -#string STR_MODULE_ABSTRACT #language en-US "Provides > security service of deferred image load" > - > -#string STR_MODULE_DESCRIPTION #language en-US "The platform > may need to defer the execution of an image because of security > considerations. These deferred images will be recorded and then reported > by installing an instance of the EFI_DEFERRED_IMAGE_LOAD_PROTOCOL." > - > diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc > index a2ee0528f0d2..a8d31196b616 100644 > --- a/SecurityPkg/SecurityPkg.dsc > +++ b/SecurityPkg/SecurityPkg.dsc > @@ -149,7 +149,6 @@ [PcdsDynamicHii.common.DEFAULT] > > [Components] > SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf > - #SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.inf > > SecurityPkg/Library/DxeImageAuthenticationStatusLib/DxeImageAuthentica > tionStatusLib.inf > > # > -- > 2.18.0.windows.1
-=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#42963): https://edk2.groups.io/g/devel/message/42963 Mute This Topic: https://groups.io/mt/32139635/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
