From: James Bottomley <j...@linux.ibm.com> Allow registering a verifier which is then called for each blob passed via QEMU's fw_cfg.
Cc: Laszlo Ersek <ler...@redhat.com> Cc: Ard Biesheuvel <ardb+tianoc...@kernel.org> Cc: Jordan Justen <jordan.l.jus...@intel.com> Cc: Ashish Kalra <ashish.ka...@amd.com> Cc: Brijesh Singh <brijesh.si...@amd.com> Cc: Erdem Aktas <erdemak...@google.com> Cc: James Bottomley <j...@linux.ibm.com> Cc: Jiewen Yao <jiewen....@intel.com> Cc: Min Xu <min.m...@intel.com> Cc: Tom Lendacky <thomas.lenda...@amd.com> Signed-off-by: James Bottomley <j...@linux.ibm.com> --- OvmfPkg/Include/Library/QemuFwCfgLib.h | 35 ++++++++++++++++++++ OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c | 31 +++++++++++++++++ 2 files changed, 66 insertions(+)
diff --git a/OvmfPkg/Include/Library/QemuFwCfgLib.h b/OvmfPkg/Include/Library/QemuFwCfgLib.h
index 68002bb654e6..1095efad5878 100644
--- a/OvmfPkg/Include/Library/QemuFwCfgLib.h
+++ b/OvmfPkg/Include/Library/QemuFwCfgLib.h
@@ -173,5 +173,40 @@ QemuFwCfgFindFile (
 OUT UINTN *Size
 );

+/**
+ The verifier is used to abstract a hash verification operation when
+ A firmware config item is accessed via a filesystem and has some type
+ of integrity information passed in.
+
+ @param[in] Name The name of the config file to verify.
+ @param[in] Buffer A pointer to the loaded config information.
+ @param[in] Size The size of the buffer.
+
+ @retval EFI_SUCCESS The buffer verified OK.
+
+ @retval EFI_ACCESS_DENIED The buffer failed the integrity check.
+
+**/
+typedef
+RETURN_STATUS
+(EFIAPI *FW_CFG_VERIFIER) (
+ IN CONST CHAR16 *Name,
+ IN VOID *Buffer,
+ IN UINTN Size
+ );
+
+/**
+ Register a verifier for the Firmware Configuration Filesystem to use
+
+ @param[in] Verifier The verifier to register
+
+ @retval EFI_SUCCESS The verifier was successfully registered
+**/
+RETURN_STATUS
+EFIAPI
+RegisterFwCfgVerifier (
+ IN FW_CFG_VERIFIER Verifier
+ );
+
 #endif

diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
index b09ff6a3590d..9823d23d1005 100644
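Review bot: The doc comment on `RegisterFwCfgVerifier` lists only `EFI_SUCCESS` and the prototype returns `RETURN_STATUS`, while the definition added to QemuKernelLoaderFsDxe.c in this same patch returns `EFI_STATUS` and fails with `EFI_OUT_OF_RESOURCES` when a verifier is already set. I would align the two declarations and document the failure, e.g. `@retval EFI_OUT_OF_RESOURCES  A verifier is already registered`. The `FW_CFG_VERIFIER` comment should also state the contract a verifier is held to: whether any error status (not only `EFI_ACCESS_DENIED`) rejects the blob, and that `Buffer` holds data supplied through fw_cfg and is untrusted until the callback returns success; `IN CONST VOID *Buffer` would make it explicit that a verifier does not modify what it checks. Because the prototype lands in a library class header but the function is defined in a DXE driver, it looks like only code linked into that driver can call it, which is worth saying in the comment.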
--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
@@ -982,6 +982,27 @@ FetchBlob (
 return EFI_SUCCESS;
 }

+STATIC FW_CFG_VERIFIER mVerifier = NULL;
+
+/**
+ Register a verifier for the Firmware Configuration Filesystem to use
+
+ @param[in] Verifier The verifier to register
+
+ @retval EFI_SUCCESS The verifier was successfully registered
+**/
+EFI_STATUS
+EFIAPI
+RegisterFwCfgVerifier (
+ IN FW_CFG_VERIFIER Verifier
+ )
+{
+ if (mVerifier != NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+ mVerifier = Verifier;
+ return EFI_SUCCESS;
+}

 //
 // The entry point of the feature.
@@ -1033,6 +1054,16 @@ QemuKernelLoaderFsDxeEntrypoint (
 if (EFI_ERROR (Status)) {
 goto FreeBlobs;
 }
+ if (mVerifier != NULL) {
+ Status = mVerifier (
+ CurrentBlob->Name,
+ CurrentBlob->Data,
+ CurrentBlob->Size
+ );
+ if (EFI_ERROR (Status)) {
+ goto FreeBlobs;
+ }
+ }
 mTotalBlobBytes += CurrentBlob->Size;
 }
 KernelBlob = &mKernelBlob[KernelBlobTypeKernel];
-- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#75571): https://edk2.groups.io/g/devel/message/75571 Mute This Topic: https://groups.io/mt/83074455/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
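Review bot: `RegisterFwCfgVerifier` accepts a NULL `Verifier` and still returns `EFI_SUCCESS`, which leaves `mVerifier` unset, so the entry point later skips verification with no sign that the registration had no effect. Reject it up front with `if (Verifier == NULL) { return EFI_INVALID_PARAMETER; }`. For the already-registered case `EFI_ALREADY_STARTED` describes the condition better than `EFI_OUT_OF_RESOURCES`, and whichever code is kept needs its own `@retval` line, because the comment above the function documents only success.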
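Review bot: The new check in `QemuKernelLoaderFsDxeEntrypoint` is fail-open: when `mVerifier` is NULL every fetched blob is accepted unverified, and the only window to register is before this entry point runs. A comment at the check should state that ordering requirement (presumably met from a library constructor linked into this driver), and a line such as `DEBUG ((DEBUG_WARN, "%a: no fw_cfg verifier registered\n", __FUNCTION__));` would make an unverified boot visible in the log. The rejection path is silent as well; `DEBUG ((DEBUG_ERROR, "%a: verifier rejected \"%s\": %r\n", __FUNCTION__, CurrentBlob->Name, Status));` before `goto FreeBlobs` would help triage. Whether an absent blob reaches the verifier with `Size` 0 depends on `FetchBlob`, which is outside this hunk, so the verifier contract should say how a missing item is to be treated. The function body starts and ends outside the hunk.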