From: "Zhang, Shenglei" <shenglei.zhang@intel.com>
To: devel@edk2.groups.io
Cc: Chao Zhang <chao.b.zhang@intel.com>,
Jiewen Yao <jiewen.yao@intel.com>,
Jian Wang <jian.j.wang@intel.com>
Subject: [PATCH] SecurityPkg/DxeDeferImageLoadLib: Remove DxeDeferImageLoadLib
Date: Thu, 20 Jun 2019 09:30:54 +0800 [thread overview]
Message-ID: <20190620013054.1960-1-shenglei.zhang@intel.com> (raw)
The library DxeDeferImageLoadLib supports UID feature and it is conflicted
with the driver SecurityStubDxe (Defer3rdPartyImageLoad.c).
And the UID feature is dropped. So it should be removed from SecurityPkg.
https://bugzilla.tianocore.org/show_bug.cgi?id=1919
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian Wang <jian.j.wang@intel.com>
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
---
.../DxeDeferImageLoadLib.c | 927 ------------------
.../DxeDeferImageLoadLib.h | 99 --
.../DxeDeferImageLoadLib.inf | 63 --
.../DxeDeferImageLoadLib.uni | 18 -
SecurityPkg/SecurityPkg.dsc | 1 -
5 files changed, 1108 deletions(-)
delete mode 100644 SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.c
delete mode 100644 SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.h
delete mode 100644 SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.inf
delete mode 100644 SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.uni
diff --git a/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.c b/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.c
deleted file mode 100644
index a6a3fe3cfc68..000000000000
--- a/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.c
+++ /dev/null
@@ -1,927 +0,0 @@
-/** @file
- Implement defer image load services for user identification in UEFI2.2.
-
-Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "DxeDeferImageLoadLib.h"
-
-//
-// Handle for the Deferred Image Load Protocol instance produced by this driver.
-//
-EFI_HANDLE mDeferredImageHandle = NULL;
-BOOLEAN mIsProtocolInstalled = FALSE;
-EFI_USER_MANAGER_PROTOCOL *mUserManager = NULL;
-DEFERRED_IMAGE_TABLE mDeferredImage = {
- 0, // Deferred image count
- NULL // The deferred image info
-};
-
-EFI_DEFERRED_IMAGE_LOAD_PROTOCOL gDeferredImageLoad = {
- GetDefferedImageInfo
-};
-
-/**
- Get the image type.
-
- @param[in] File This is a pointer to the device path of the file
- that is being dispatched.
-
- @return UINT32 Image Type
-
-**/
-UINT32
-GetFileType (
- IN CONST EFI_DEVICE_PATH_PROTOCOL *File
- )
-{
- EFI_STATUS Status;
- EFI_HANDLE DeviceHandle;
- EFI_DEVICE_PATH_PROTOCOL *TempDevicePath;
- EFI_BLOCK_IO_PROTOCOL *BlockIo;
-
- //
- // First check to see if File is from a Firmware Volume
- //
- DeviceHandle = NULL;
- TempDevicePath = (EFI_DEVICE_PATH_PROTOCOL *)File;
- Status = gBS->LocateDevicePath (
- &gEfiFirmwareVolume2ProtocolGuid,
- &TempDevicePath,
- &DeviceHandle
- );
- if (!EFI_ERROR (Status)) {
- Status = gBS->OpenProtocol (
- DeviceHandle,
- &gEfiFirmwareVolume2ProtocolGuid,
- NULL,
- NULL,
- NULL,
- EFI_OPEN_PROTOCOL_TEST_PROTOCOL
- );
- if (!EFI_ERROR (Status)) {
- return IMAGE_FROM_FV;
- }
- }
-
- //
- // Next check to see if File is from a Block I/O device
- //
- DeviceHandle = NULL;
- TempDevicePath = (EFI_DEVICE_PATH_PROTOCOL *)File;
- Status = gBS->LocateDevicePath (
- &gEfiBlockIoProtocolGuid,
- &TempDevicePath,
- &DeviceHandle
- );
- if (!EFI_ERROR (Status)) {
- BlockIo = NULL;
- Status = gBS->OpenProtocol (
- DeviceHandle,
- &gEfiBlockIoProtocolGuid,
- (VOID **) &BlockIo,
- NULL,
- NULL,
- EFI_OPEN_PROTOCOL_GET_PROTOCOL
- );
- if (!EFI_ERROR (Status) && BlockIo != NULL) {
- if (BlockIo->Media != NULL) {
- if (BlockIo->Media->RemovableMedia) {
- //
- // Block I/O is present and specifies the media is removable
- //
- return IMAGE_FROM_REMOVABLE_MEDIA;
- } else {
- //
- // Block I/O is present and specifies the media is not removable
- //
- return IMAGE_FROM_FIXED_MEDIA;
- }
- }
- }
- }
-
- //
- // File is not in a Firmware Volume or on a Block I/O device, so check to see if
- // the device path supports the Simple File System Protocol.
- //
- DeviceHandle = NULL;
- TempDevicePath = (EFI_DEVICE_PATH_PROTOCOL *)File;
- Status = gBS->LocateDevicePath (
- &gEfiSimpleFileSystemProtocolGuid,
- &TempDevicePath,
- &DeviceHandle
- );
- if (!EFI_ERROR (Status)) {
- //
- // Simple File System is present without Block I/O, so assume media is fixed.
- //
- return IMAGE_FROM_FIXED_MEDIA;
- }
-
- //
- // File is not from an FV, Block I/O or Simple File System, so the only options
- // left are a PCI Option ROM and a Load File Protocol such as a PXE Boot from a NIC.
- //
- TempDevicePath = (EFI_DEVICE_PATH_PROTOCOL *)File;
- while (!IsDevicePathEndType (TempDevicePath)) {
- switch (DevicePathType (TempDevicePath)) {
-
- case MEDIA_DEVICE_PATH:
- if (DevicePathSubType (TempDevicePath) == MEDIA_RELATIVE_OFFSET_RANGE_DP) {
- return IMAGE_FROM_OPTION_ROM;
- }
- break;
-
- case MESSAGING_DEVICE_PATH:
- if (DevicePathSubType(TempDevicePath) == MSG_MAC_ADDR_DP) {
- return IMAGE_FROM_REMOVABLE_MEDIA;
- }
- break;
-
- default:
- break;
- }
- TempDevicePath = NextDevicePathNode (TempDevicePath);
- }
- return IMAGE_UNKNOWN;
-}
-
-
-/**
- Get current user's access right.
-
- @param[out] AccessControl Points to the user's access control data, the
- caller should free data buffer.
- @param[in] AccessType The type of user access control.
-
- @retval EFI_SUCCESS Get current user access control successfully
- @retval others Fail to get current user access control
-
-**/
-EFI_STATUS
-GetAccessControl (
- OUT EFI_USER_INFO_ACCESS_CONTROL **AccessControl,
- IN UINT32 AccessType
- )
-{
- EFI_STATUS Status;
- EFI_USER_INFO_HANDLE UserInfo;
- EFI_USER_INFO *Info;
- UINTN InfoSize;
- EFI_USER_INFO_ACCESS_CONTROL *Access;
- EFI_USER_PROFILE_HANDLE CurrentUser;
- UINTN CheckLen;
- EFI_USER_MANAGER_PROTOCOL *UserManager;
-
- CurrentUser = NULL;
- Status = gBS->LocateProtocol (
- &gEfiUserManagerProtocolGuid,
- NULL,
- (VOID **) &UserManager
- );
- if (EFI_ERROR (Status)) {
- return EFI_NOT_FOUND;
- }
-
- //
- // Get current user access information.
- //
- UserManager->Current (UserManager, &CurrentUser);
-
- UserInfo = NULL;
- Info = NULL;
- InfoSize = 0;
- while (TRUE) {
- //
- // Get next user information.
- //
- Status = UserManager->GetNextInfo (UserManager, CurrentUser, &UserInfo);
- if (EFI_ERROR (Status)) {
- return Status;
- }
-
- Status = UserManager->GetInfo (
- UserManager,
- CurrentUser,
- UserInfo,
- Info,
- &InfoSize
- );
- if (Status == EFI_BUFFER_TOO_SMALL) {
- if (Info != NULL) {
- FreePool (Info);
- }
- Info = AllocateZeroPool (InfoSize);
- ASSERT (Info != NULL);
- Status = UserManager->GetInfo (
- UserManager,
- CurrentUser,
- UserInfo,
- Info,
- &InfoSize
- );
- }
-
- if (EFI_ERROR (Status)) {
- break;
- }
-
- ASSERT (Info != NULL);
- if (Info->InfoType != EFI_USER_INFO_ACCESS_POLICY_RECORD) {
- continue;
- }
-
- //
- // Get specified access information.
- //
- CheckLen = 0;
- while (CheckLen < Info->InfoSize - sizeof (EFI_USER_INFO)) {
- Access = (EFI_USER_INFO_ACCESS_CONTROL *) ((UINT8 *) (Info + 1) + CheckLen);
- if (Access->Type == AccessType) {
- *AccessControl = AllocateZeroPool (Access->Size);
- ASSERT (*AccessControl != NULL);
- CopyMem (*AccessControl, Access, Access->Size);
- FreePool (Info);
- return EFI_SUCCESS;
- }
- CheckLen += Access->Size;
- }
- }
-
- if (Info != NULL) {
- FreePool (Info);
- }
- return EFI_NOT_FOUND;
-}
-
-/**
- Get file name from device path.
-
- The file name may contain one or more device path node. Save the file name in a
- buffer if file name is found. The caller is responsible to free the buffer.
-
- @param[in] DevicePath A pointer to a device path.
- @param[out] FileName The callee allocated buffer to save the file name if file name is found.
- @param[out] FileNameOffset The offset of file name in device path if file name is found.
-
- @retval UINTN The file name length. 0 means file name is not found.
-
-**/
-UINTN
-GetFileName (
- IN CONST EFI_DEVICE_PATH_PROTOCOL *DevicePath,
- OUT UINT8 **FileName,
- OUT UINTN *FileNameOffset
- )
-{
- UINTN Length;
- EFI_DEVICE_PATH_PROTOCOL *TmpDevicePath;
- EFI_DEVICE_PATH_PROTOCOL *RootDevicePath;
- CHAR8 *NodeStr;
- UINTN NodeStrLength;
- CHAR16 LastNodeChar;
- CHAR16 FirstNodeChar;
-
- //
- // Get the length of DevicePath before file name.
- //
- Length = 0;
- RootDevicePath = (EFI_DEVICE_PATH_PROTOCOL *)DevicePath;
- while (!IsDevicePathEnd (RootDevicePath)) {
- if ((DevicePathType(RootDevicePath) == MEDIA_DEVICE_PATH) && (DevicePathSubType(RootDevicePath) == MEDIA_FILEPATH_DP)) {
- break;
- }
- Length += DevicePathNodeLength (RootDevicePath);
- RootDevicePath = NextDevicePathNode (RootDevicePath);
- }
-
- *FileNameOffset = Length;
- if (Length == 0) {
- return 0;
- }
-
- //
- // Get the file name length.
- //
- Length = 0;
- TmpDevicePath = RootDevicePath;
- while (!IsDevicePathEnd (TmpDevicePath)) {
- if ((DevicePathType(TmpDevicePath) != MEDIA_DEVICE_PATH) || (DevicePathSubType(TmpDevicePath) != MEDIA_FILEPATH_DP)) {
- break;
- }
- Length += DevicePathNodeLength (TmpDevicePath) - sizeof (EFI_DEVICE_PATH_PROTOCOL);
- TmpDevicePath = NextDevicePathNode (TmpDevicePath);
- }
- if (Length == 0) {
- return 0;
- }
-
- *FileName = AllocateZeroPool (Length);
- ASSERT (*FileName != NULL);
-
- //
- // Copy the file name to the buffer.
- //
- Length = 0;
- LastNodeChar = '\\';
- TmpDevicePath = RootDevicePath;
- while (!IsDevicePathEnd (TmpDevicePath)) {
- if ((DevicePathType(TmpDevicePath) != MEDIA_DEVICE_PATH) || (DevicePathSubType(TmpDevicePath) != MEDIA_FILEPATH_DP)) {
- break;
- }
-
- FirstNodeChar = (CHAR16) ReadUnaligned16 ((UINT16 *)((UINT8 *)TmpDevicePath + sizeof (EFI_DEVICE_PATH_PROTOCOL)));
- NodeStr = (CHAR8 *)TmpDevicePath + sizeof (EFI_DEVICE_PATH_PROTOCOL);
- NodeStrLength = DevicePathNodeLength (TmpDevicePath) - sizeof (EFI_DEVICE_PATH_PROTOCOL) - sizeof(CHAR16);
-
- if ((FirstNodeChar == '\\') && (LastNodeChar == '\\')) {
- //
- // Skip separator "\" when there are two separators.
- //
- NodeStr += sizeof (CHAR16);
- NodeStrLength -= sizeof (CHAR16);
- } else if ((FirstNodeChar != '\\') && (LastNodeChar != '\\')) {
- //
- // Add separator "\" when there is no separator.
- //
- WriteUnaligned16 ((UINT16 *)(*FileName + Length), '\\');
- Length += sizeof (CHAR16);
- }
- CopyMem (*FileName + Length, NodeStr, NodeStrLength);
- Length += NodeStrLength;
-
- LastNodeChar = (CHAR16) ReadUnaligned16 ((UINT16 *) (NodeStr + NodeStrLength - sizeof(CHAR16)));
- TmpDevicePath = NextDevicePathNode (TmpDevicePath);
- }
-
- return Length;
-}
-
-
-/**
- Check whether the DevicePath2 is identical with DevicePath1, or identical with
- DevicePath1's child device path.
-
- If DevicePath2 is identical with DevicePath1, or with DevicePath1's child device
- path, then TRUE returned. Otherwise, FALSE is returned.
-
- If DevicePath1 is NULL, then ASSERT().
- If DevicePath2 is NULL, then ASSERT().
-
- @param[in] DevicePath1 A pointer to a device path.
- @param[in] DevicePath2 A pointer to a device path.
-
- @retval TRUE Two device paths are identical , or DevicePath2 is
- DevicePath1's child device path.
- @retval FALSE Two device paths are not identical, and DevicePath2
- is not DevicePath1's child device path.
-
-**/
-BOOLEAN
-CheckDevicePath (
- IN CONST EFI_DEVICE_PATH_PROTOCOL *DevicePath1,
- IN CONST EFI_DEVICE_PATH_PROTOCOL *DevicePath2
- )
-{
- UINTN DevicePathSize;
- UINTN FileNameSize1;
- UINTN FileNameSize2;
- UINT8 *FileName1;
- UINT8 *FileName2;
- UINTN FileNameOffset1;
- UINTN FileNameOffset2;
- BOOLEAN DevicePathEqual;
-
- FileName1 = NULL;
- FileName2 = NULL;
- DevicePathEqual = TRUE;
-
- ASSERT (DevicePath1 != NULL);
- ASSERT (DevicePath2 != NULL);
- if (IsDevicePathEnd (DevicePath1)) {
- return FALSE;
- }
-
- //
- // The file name may contain one or more device path node.
- // To compare the file name, copy file name to a buffer and compare the buffer.
- //
- FileNameSize1 = GetFileName (DevicePath1, &FileName1, &FileNameOffset1);
- if (FileNameSize1 != 0) {
- FileNameSize2 = GetFileName (DevicePath2, &FileName2, &FileNameOffset2);
- if (FileNameOffset1 != FileNameOffset2) {
- DevicePathEqual = FALSE;
- goto Done;
- }
- if (CompareMem (DevicePath1, DevicePath2, FileNameOffset1) != 0) {
- DevicePathEqual = FALSE;
- goto Done;
- }
- if (FileNameSize1 > FileNameSize2) {
- DevicePathEqual = FALSE;
- goto Done;
- }
- if (CompareMem (FileName1, FileName2, FileNameSize1) != 0) {
- DevicePathEqual = FALSE;
- goto Done;
- }
- DevicePathEqual = TRUE;
- goto Done;
- }
-
- DevicePathSize = GetDevicePathSize (DevicePath1);
- if (DevicePathSize > GetDevicePathSize (DevicePath2)) {
- return FALSE;
- }
-
- //
- // Exclude the end of device path node.
- //
- DevicePathSize -= sizeof (EFI_DEVICE_PATH_PROTOCOL);
- if (CompareMem (DevicePath1, DevicePath2, DevicePathSize) != 0) {
- DevicePathEqual = FALSE;
- }
-
-Done:
- if (FileName1 != NULL) {
- FreePool (FileName1);
- }
- if (FileName2 != NULL) {
- FreePool (FileName2);
- }
- return DevicePathEqual;
-}
-
-
-/**
- Check whether the image pointed to by DevicePath is in the device path list
- specified by AccessType.
-
- @param[in] DevicePath Points to device path.
- @param[in] AccessType The type of user access control.
-
- @retval TRUE The DevicePath is in the specified List.
- @retval FALSE The DevicePath is not in the specified List.
-
-**/
-BOOLEAN
-IsDevicePathInList (
- IN CONST EFI_DEVICE_PATH_PROTOCOL *DevicePath,
- IN UINT32 AccessType
- )
-{
- EFI_STATUS Status;
- EFI_USER_INFO_ACCESS_CONTROL *Access;
- EFI_DEVICE_PATH_PROTOCOL *Path;
- UINTN OffSet;
-
- Status = GetAccessControl (&Access, AccessType);
- if (EFI_ERROR (Status)) {
- return FALSE;
- }
-
- OffSet = 0;
- while (OffSet < Access->Size - sizeof (EFI_USER_INFO_ACCESS_CONTROL)) {
- Path = (EFI_DEVICE_PATH_PROTOCOL*)((UINT8*)(Access + 1) + OffSet);
- if (CheckDevicePath (Path, DevicePath)) {
- //
- // The device path is found in list.
- //
- FreePool (Access);
- return TRUE;
- }
- OffSet += GetDevicePathSize (Path);
- }
-
- FreePool (Access);
- return FALSE;
-}
-
-
-/**
- Check whether the image pointed to by DevicePath is permitted to load.
-
- @param[in] DevicePath Points to device path
-
- @retval TRUE The image pointed by DevicePath is permitted to load.
- @retval FALSE The image pointed by DevicePath is forbidden to load.
-
-**/
-BOOLEAN
-VerifyDevicePath (
- IN CONST EFI_DEVICE_PATH_PROTOCOL *DevicePath
- )
-{
- if (IsDevicePathInList (DevicePath, EFI_USER_INFO_ACCESS_PERMIT_LOAD)) {
- //
- // This access control overrides any restrictions put in place by the
- // EFI_USER_INFO_ACCESS_FORBID_LOAD record.
- //
- return TRUE;
- }
-
- if (IsDevicePathInList (DevicePath, EFI_USER_INFO_ACCESS_FORBID_LOAD)) {
- //
- // The device path is found in the forbidden list.
- //
- return FALSE;
- }
-
- return TRUE;
-}
-
-
-/**
- Check the image pointed by DevicePath is a boot option or not.
-
- @param[in] DevicePath Points to device path.
-
- @retval TRUE The image pointed by DevicePath is a boot option.
- @retval FALSE The image pointed by DevicePath is not a boot option.
-
-**/
-BOOLEAN
-IsBootOption (
- IN CONST EFI_DEVICE_PATH_PROTOCOL *DevicePath
- )
-{
- EFI_STATUS Status;
- UINT16 *BootOrderList;
- UINTN BootOrderListSize;
- UINTN Index;
- CHAR16 StrTemp[20];
- UINT8 *OptionBuffer;
- UINT8 *OptionPtr;
- EFI_DEVICE_PATH_PROTOCOL *OptionDevicePath;
-
- //
- // Get BootOrder
- //
- BootOrderListSize = 0;
- BootOrderList = NULL;
- Status = gRT->GetVariable (
- L"BootOrder",
- &gEfiGlobalVariableGuid,
- NULL,
- &BootOrderListSize,
- NULL
- );
- if (Status == EFI_BUFFER_TOO_SMALL) {
- BootOrderList = AllocateZeroPool (BootOrderListSize);
- ASSERT (BootOrderList != NULL);
- Status = gRT->GetVariable (
- L"BootOrder",
- &gEfiGlobalVariableGuid,
- NULL,
- &BootOrderListSize,
- BootOrderList
- );
- }
-
- if (EFI_ERROR (Status)) {
- //
- // No Boot option
- //
- return FALSE;
- }
-
- OptionBuffer = NULL;
- for (Index = 0; Index < BootOrderListSize / sizeof (UINT16); Index++) {
- //
- // Try to find the DevicePath in BootOption
- //
- UnicodeSPrint (StrTemp, sizeof (StrTemp), L"Boot%04x", Index);
- GetEfiGlobalVariable2 (StrTemp, (VOID**)&OptionBuffer, NULL);
- if (OptionBuffer == NULL) {
- continue;
- }
-
- //
- // Check whether the image is forbidden.
- //
-
- OptionPtr = OptionBuffer;
- //
- // Skip attribute.
- //
- OptionPtr += sizeof (UINT32);
-
- //
- // Skip device path length.
- //
- OptionPtr += sizeof (UINT16);
-
- //
- // Skip descript string
- //
- OptionPtr += StrSize ((UINT16 *) OptionPtr);
-
- //
- // Now OptionPtr points to Device Path.
- //
- OptionDevicePath = (EFI_DEVICE_PATH_PROTOCOL *) OptionPtr;
-
- if (CheckDevicePath (DevicePath, OptionDevicePath)) {
- FreePool (OptionBuffer);
- OptionBuffer = NULL;
- return TRUE;
- }
- FreePool (OptionBuffer);
- OptionBuffer = NULL;
- }
-
- if (BootOrderList != NULL) {
- FreePool (BootOrderList);
- }
-
- return FALSE;
-}
-
-
-/**
- Add the image info to a deferred image list.
-
- @param[in] ImageDevicePath A pointer to the device path of a image.
- @param[in] Image Points to the first byte of the image, or NULL if the
- image is not available.
- @param[in] ImageSize The size of the image, or 0 if the image is not available.
-
-**/
-VOID
-PutDefferedImageInfo (
- IN CONST EFI_DEVICE_PATH_PROTOCOL *ImageDevicePath,
- IN VOID *Image,
- IN UINTN ImageSize
- )
-{
- DEFERRED_IMAGE_INFO *CurImageInfo;
- UINTN PathSize;
-
- //
- // Expand memory for the new deferred image.
- //
- if (mDeferredImage.Count == 0) {
- mDeferredImage.ImageInfo = AllocatePool (sizeof (DEFERRED_IMAGE_INFO));
- ASSERT (mDeferredImage.ImageInfo != NULL);
- } else {
- CurImageInfo = AllocatePool ((mDeferredImage.Count + 1) * sizeof (DEFERRED_IMAGE_INFO));
- ASSERT (CurImageInfo != NULL);
-
- CopyMem (
- CurImageInfo,
- mDeferredImage.ImageInfo,
- mDeferredImage.Count * sizeof (DEFERRED_IMAGE_INFO)
- );
- FreePool (mDeferredImage.ImageInfo);
- mDeferredImage.ImageInfo = CurImageInfo;
- }
- mDeferredImage.Count++;
-
- //
- // Save the deferred image information.
- //
- CurImageInfo = &mDeferredImage.ImageInfo[mDeferredImage.Count - 1];
- PathSize = GetDevicePathSize (ImageDevicePath);
- CurImageInfo->ImageDevicePath = AllocateZeroPool (PathSize);
- ASSERT (CurImageInfo->ImageDevicePath != NULL);
- CopyMem (CurImageInfo->ImageDevicePath, ImageDevicePath, PathSize);
-
- CurImageInfo->Image = Image;
- CurImageInfo->ImageSize = ImageSize;
- CurImageInfo->BootOption = IsBootOption (ImageDevicePath);
-}
-
-
-/**
- Returns information about a deferred image.
-
- This function returns information about a single deferred image. The deferred images are
- numbered consecutively, starting with 0. If there is no image which corresponds to
- ImageIndex, then EFI_NOT_FOUND is returned. All deferred images may be returned by
- iteratively calling this function until EFI_NOT_FOUND is returned.
- Image may be NULL and ImageSize set to 0 if the decision to defer execution was made
- because of the location of the executable image, rather than its actual contents.
-
- @param[in] This Points to this instance of the EFI_DEFERRED_IMAGE_LOAD_PROTOCOL.
- @param[in] ImageIndex Zero-based index of the deferred index.
- @param[out] ImageDevicePath On return, points to a pointer to the device path of the image.
- The device path should not be freed by the caller.
- @param[out] Image On return, points to the first byte of the image or NULL if the
- image is not available. The image should not be freed by the caller
- unless LoadImage() has been successfully called.
- @param[out] ImageSize On return, the size of the image, or 0 if the image is not available.
- @param[out] BootOption On return, points to TRUE if the image was intended as a boot option
- or FALSE if it was not intended as a boot option.
-
- @retval EFI_SUCCESS Image information returned successfully.
- @retval EFI_NOT_FOUND ImageIndex does not refer to a valid image.
- @retval EFI_INVALID_PARAMETER ImageDevicePath is NULL or Image is NULL or ImageSize is NULL or
- BootOption is NULL.
-
-**/
-EFI_STATUS
-EFIAPI
-GetDefferedImageInfo (
- IN EFI_DEFERRED_IMAGE_LOAD_PROTOCOL *This,
- IN UINTN ImageIndex,
- OUT EFI_DEVICE_PATH_PROTOCOL **ImageDevicePath,
- OUT VOID **Image,
- OUT UINTN *ImageSize,
- OUT BOOLEAN *BootOption
- )
-{
- DEFERRED_IMAGE_INFO *ReqImageInfo;
-
- //
- // Check the parameter.
- //
-
- if ((This == NULL) || (ImageSize == NULL) || (Image == NULL)) {
- return EFI_INVALID_PARAMETER;
- }
-
- if ((ImageDevicePath == NULL) || (BootOption == NULL)) {
- return EFI_INVALID_PARAMETER;
- }
-
- if (ImageIndex >= mDeferredImage.Count) {
- return EFI_NOT_FOUND;
- }
-
- //
- // Get the request deferred image.
- //
- ReqImageInfo = &mDeferredImage.ImageInfo[ImageIndex];
-
- *ImageDevicePath = ReqImageInfo->ImageDevicePath;
- *Image = ReqImageInfo->Image;
- *ImageSize = ReqImageInfo->ImageSize;
- *BootOption = ReqImageInfo->BootOption;
-
- return EFI_SUCCESS;
-}
-
-
-/**
- Provides the service of deferring image load based on platform policy control,
- and installs Deferred Image Load Protocol.
-
- @param[in] AuthenticationStatus This is the authentication status returned from the
- security measurement services for the input file.
- @param[in] File This is a pointer to the device path of the file that
- is being dispatched. This will optionally be used for
- logging.
- @param[in] FileBuffer File buffer matches the input file device path.
- @param[in] FileSize Size of File buffer matches the input file device path.
- @param[in] BootPolicy A boot policy that was used to call LoadImage() UEFI service.
-
- @retval EFI_SUCCESS FileBuffer is NULL and current user has permission to start
- UEFI device drivers on the device path specified by DevicePath.
- @retval EFI_SUCCESS The file specified by DevicePath and non-NULL
- FileBuffer did authenticate, and the platform policy dictates
- that the DXE Foundation may use the file.
- @retval EFI_SECURITY_VIOLATION FileBuffer is NULL and the user has no
- permission to start UEFI device drivers on the device path specified
- by DevicePath.
- @retval EFI_SECURITY_VIOLATION FileBuffer is not NULL and the user has no permission to load
- drivers from the device path specified by DevicePath. The
- image has been added into the list of the deferred images.
- @retval EFI_ACCESS_DENIED The file specified by File and FileBuffer did not
- authenticate, and the platform policy dictates that the DXE
- Foundation many not use File.
-
-**/
-EFI_STATUS
-EFIAPI
-DxeDeferImageLoadHandler (
- IN UINT32 AuthenticationStatus,
- IN CONST EFI_DEVICE_PATH_PROTOCOL *File,
- IN VOID *FileBuffer,
- IN UINTN FileSize,
- IN BOOLEAN BootPolicy
- )
-{
- EFI_STATUS Status;
- EFI_USER_PROFILE_HANDLE CurrentUser;
- UINT32 Policy;
- UINT32 FileType;
-
- //
- // Ignore if File is NULL.
- //
- if (File == NULL) {
- return EFI_SUCCESS;
- }
-
- //
- // Check whether user has a logon.
- //
- CurrentUser = NULL;
- if (mUserManager != NULL) {
- mUserManager->Current (mUserManager, &CurrentUser);
- if (CurrentUser != NULL) {
- //
- // The user is logon; verify the FilePath by current user access policy.
- //
- if (!VerifyDevicePath (File)) {
- DEBUG ((EFI_D_ERROR, "[Security] The image is forbidden to load!\n"));
- return EFI_SECURITY_VIOLATION;
- }
- return EFI_SUCCESS;
- }
- }
-
- //
- // Still no user logon.
- // Check the file type and get policy setting.
- //
- FileType = GetFileType (File);
- Policy = PcdGet32 (PcdDeferImageLoadPolicy);
- if ((Policy & FileType) == FileType) {
- //
- // This file type is secure to load.
- //
- return EFI_SUCCESS;
- }
-
- DEBUG ((EFI_D_INFO, "[Security] No user identified, the image is deferred to load!\n"));
- PutDefferedImageInfo (File, FileBuffer, FileSize);
-
- //
- // Install the Deferred Image Load Protocol onto a new handle.
- //
- if (!mIsProtocolInstalled) {
- Status = gBS->InstallMultipleProtocolInterfaces (
- &mDeferredImageHandle,
- &gEfiDeferredImageLoadProtocolGuid,
- &gDeferredImageLoad,
- NULL
- );
- ASSERT_EFI_ERROR (Status);
- mIsProtocolInstalled = TRUE;
- }
-
- return EFI_ACCESS_DENIED;
-}
-
-/**
- Locate user manager protocol when user manager is installed.
-
- @param[in] Event The Event that is being processed, not used.
- @param[in] Context Event Context, not used.
-
-**/
-VOID
-EFIAPI
-FindUserManagerProtocol (
- IN EFI_EVENT Event,
- IN VOID* Context
- )
-{
- gBS->LocateProtocol (
- &gEfiUserManagerProtocolGuid,
- NULL,
- (VOID **) &mUserManager
- );
-
-}
-
-
-/**
- Register security handler for deferred image load.
-
- @param[in] ImageHandle ImageHandle of the loaded driver.
- @param[in] SystemTable Pointer to the EFI System Table.
-
- @retval EFI_SUCCESS The handlers were registered successfully.
-**/
-EFI_STATUS
-EFIAPI
-DxeDeferImageLoadLibConstructor (
- IN EFI_HANDLE ImageHandle,
- IN EFI_SYSTEM_TABLE *SystemTable
- )
-{
- VOID *Registration;
-
- //
- // Register user manager notification function.
- //
- EfiCreateProtocolNotifyEvent (
- &gEfiUserManagerProtocolGuid,
- TPL_CALLBACK,
- FindUserManagerProtocol,
- NULL,
- &Registration
- );
-
- return RegisterSecurity2Handler (
- DxeDeferImageLoadHandler,
- EFI_AUTH_OPERATION_DEFER_IMAGE_LOAD
- );
-}
-
-
diff --git a/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.h b/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.h
deleted file mode 100644
index 6f7991761711..000000000000
--- a/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.h
+++ /dev/null
@@ -1,99 +0,0 @@
-/** @file
- The internal header file includes the common header files, defines
- internal structure and functions used by DeferImageLoadLib.
-
-Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#ifndef __DEFER_IMAGE_LOAD_LIB_H__
-#define __DEFER_IMAGE_LOAD_LIB_H__
-
-#include <PiDxe.h>
-#include <Library/UefiRuntimeServicesTableLib.h>
-#include <Library/UefiBootServicesTableLib.h>
-#include <Library/SecurityManagementLib.h>
-#include <Library/MemoryAllocationLib.h>
-#include <Library/DevicePathLib.h>
-#include <Library/BaseMemoryLib.h>
-#include <Library/PrintLib.h>
-#include <Library/DebugLib.h>
-#include <Library/UefiLib.h>
-#include <Library/PcdLib.h>
-
-#include <Protocol/FirmwareVolume2.h>
-#include <Protocol/BlockIo.h>
-#include <Protocol/SimpleFileSystem.h>
-#include <Protocol/DeferredImageLoad.h>
-#include <Protocol/UserCredential.h>
-#include <Protocol/UserManager.h>
-
-#include <Guid/GlobalVariable.h>
-
-//
-// Image type definitions.
-//
-#define IMAGE_UNKNOWN 0x00000001
-#define IMAGE_FROM_FV 0x00000002
-#define IMAGE_FROM_OPTION_ROM 0x00000004
-#define IMAGE_FROM_REMOVABLE_MEDIA 0x00000008
-#define IMAGE_FROM_FIXED_MEDIA 0x00000010
-
-//
-// The struct to save the deferred image information.
-//
-typedef struct {
- EFI_DEVICE_PATH_PROTOCOL *ImageDevicePath;
- VOID *Image;
- UINTN ImageSize;
- BOOLEAN BootOption;
-} DEFERRED_IMAGE_INFO;
-
-//
-// The table to save the deferred image item.
-//
-typedef struct {
- UINTN Count; ///< deferred image count
- DEFERRED_IMAGE_INFO *ImageInfo; ///< deferred image item
-} DEFERRED_IMAGE_TABLE;
-
-/**
- Returns information about a deferred image.
-
- This function returns information about a single deferred image. The deferred images are
- numbered consecutively, starting with 0. If there is no image which corresponds to
- ImageIndex, then EFI_NOT_FOUND is returned. All deferred images may be returned by
- iteratively calling this function until EFI_NOT_FOUND is returned.
- Image may be NULL and ImageSize set to 0 if the decision to defer execution was made
- because of the location of the executable image, rather than its actual contents.
-
- @param[in] This Points to this instance of the EFI_DEFERRED_IMAGE_LOAD_PROTOCOL.
- @param[in] ImageIndex Zero-based index of the deferred index.
- @param[out] ImageDevicePath On return, points to a pointer to the device path of the image.
- The device path should not be freed by the caller.
- @param[out] Image On return, points to the first byte of the image or NULL if the
- image is not available. The image should not be freed by the caller
- unless LoadImage() has been called successfully.
- @param[out] ImageSize On return, the size of the image, or 0 if the image is not available.
- @param[out] BootOption On return, points to TRUE if the image was intended as a boot option
- or FALSE if it was not intended as a boot option.
-
- @retval EFI_SUCCESS Image information returned successfully.
- @retval EFI_NOT_FOUND ImageIndex does not refer to a valid image.
- @retval EFI_INVALID_PARAMETER ImageDevicePath is NULL or Image is NULL or ImageSize is NULL or
- BootOption is NULL.
-
-**/
-EFI_STATUS
-EFIAPI
-GetDefferedImageInfo (
- IN EFI_DEFERRED_IMAGE_LOAD_PROTOCOL *This,
- IN UINTN ImageIndex,
- OUT EFI_DEVICE_PATH_PROTOCOL **ImageDevicePath,
- OUT VOID **Image,
- OUT UINTN *ImageSize,
- OUT BOOLEAN *BootOption
- );
-
-#endif
diff --git a/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.inf b/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.inf
deleted file mode 100644
index 6005b8730977..000000000000
--- a/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.inf
+++ /dev/null
@@ -1,63 +0,0 @@
-## @file
-# Provides security service of deferred image load
-#
-# The platform may need to defer the execution of an image because of security
-# considerations. These deferred images will be recorded and then reported by
-# installing an instance of the EFI_DEFERRED_IMAGE_LOAD_PROTOCOL.
-#
-# Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
-# SPDX-License-Identifier: BSD-2-Clause-Patent
-#
-##
-
-[Defines]
- INF_VERSION = 0x00010005
- BASE_NAME = DxeDeferImageLoadLib
- MODULE_UNI_FILE = DxeDeferImageLoadLib.uni
- FILE_GUID = 5E2FAE1F-41DA-4fbd-BC81-603CE5CD8497
- MODULE_TYPE = DXE_DRIVER
- VERSION_STRING = 1.0
- LIBRARY_CLASS = NULL|DXE_DRIVER UEFI_DRIVER DXE_RUNTIME_DRIVER UEFI_APPLICATION
- CONSTRUCTOR = DxeDeferImageLoadLibConstructor
-
-#
-# The following information is for reference only and not required by the build tools.
-#
-# VALID_ARCHITECTURES = IA32 X64 EBC
-#
-
-[Sources]
- DxeDeferImageLoadLib.c
- DxeDeferImageLoadLib.h
-
-[Packages]
- MdePkg/MdePkg.dec
- MdeModulePkg/MdeModulePkg.dec
- SecurityPkg/SecurityPkg.dec
-
-[LibraryClasses]
- UefiRuntimeServicesTableLib
- UefiBootServicesTableLib
- SecurityManagementLib
- MemoryAllocationLib
- DevicePathLib
- BaseMemoryLib
- PrintLib
- DebugLib
- UefiLib
- PcdLib
-
-[Protocols]
- gEfiFirmwareVolume2ProtocolGuid ## SOMETIMES_CONSUMES
- gEfiBlockIoProtocolGuid ## SOMETIMES_CONSUMES
- gEfiSimpleFileSystemProtocolGuid ## SOMETIMES_CONSUMES
- gEfiDeferredImageLoadProtocolGuid ## SOMETIMES_PRODUCES
- ## SOMETIMES_CONSUMES
- ## NOTIFY
- gEfiUserManagerProtocolGuid
-
-[Guids]
- gEfiGlobalVariableGuid ## SOMETIMES_CONSUMES ## Variable:L"BootOrder"
-
-[Pcd]
- gEfiSecurityPkgTokenSpaceGuid.PcdDeferImageLoadPolicy ## SOMETIMES_CONSUMES
diff --git a/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.uni b/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.uni
deleted file mode 100644
index 69c381369359..000000000000
--- a/SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.uni
+++ /dev/null
@@ -1,18 +0,0 @@
-// /** @file
-// Provides security service of deferred image load
-//
-// The platform may need to defer the execution of an image because of security
-// considerations. These deferred images will be recorded and then reported by
-// installing an instance of the EFI_DEFERRED_IMAGE_LOAD_PROTOCOL.
-//
-// Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>
-//
-// SPDX-License-Identifier: BSD-2-Clause-Patent
-//
-// **/
-
-
-#string STR_MODULE_ABSTRACT #language en-US "Provides security service of deferred image load"
-
-#string STR_MODULE_DESCRIPTION #language en-US "The platform may need to defer the execution of an image because of security considerations. These deferred images will be recorded and then reported by installing an instance of the EFI_DEFERRED_IMAGE_LOAD_PROTOCOL."
-
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index a2ee0528f0d2..a8d31196b616 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -149,7 +149,6 @@ [PcdsDynamicHii.common.DEFAULT]
[Components]
SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib.inf
- #SecurityPkg/Library/DxeDeferImageLoadLib/DxeDeferImageLoadLib.inf
SecurityPkg/Library/DxeImageAuthenticationStatusLib/DxeImageAuthenticationStatusLib.inf
#
--
2.18.0.windows.1
next reply other threads:[~2019-06-20 1:31 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-20 1:30 Zhang, Shenglei [this message]
2019-06-28 3:11 ` [PATCH] SecurityPkg/DxeDeferImageLoadLib: Remove DxeDeferImageLoadLib Wang, Jian J
2019-07-01 2:53 ` Yao, Jiewen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190620013054.1960-1-shenglei.zhang@intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox