MdeModulePkg/SecurityStubDxe: Defer 3rd party image before EndOfDxe

The images not from FV are treated as 3rd party images. They will
be deferred to dispatch when they are dispatched before the EndOfDxe
event.
It's a new feature in the BS.LoadImage() path which can disallow
executing 3rd party images before EndOfDxe and re-execute them
after EndOfDxe (through EfiBootManagerDispatchDeferredImages
introduced in the next commit).

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Chao B Zhang <chao.b.zhang@intel.com>
Reviewed-by: Sunny Wang <sunnywang@hpe.com>
Ruiyu Ni
2016-10-31 16:31:44 +08:00
parent 83155d7eb4
commit 8be37a5cee
4 changed files with 468 additions and 2 deletions


@@ -1,7 +1,7 @@
/** @file
This driver produces Security2 and Security architectural protocol based on SecurityManagementLib.
Copyright (c) 2006 - 2013, Intel Corporation. All rights reserved.<BR>
Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -20,6 +20,7 @@
#include <Library/UefiBootServicesTableLib.h>
#include <Library/UefiDriverEntryPoint.h>
#include <Library/SecurityManagementLib.h>
#include "Defer3rdPartyImageLoad.h"
//
// Handle for the Security Architectural Protocol instance produced by this driver
@@ -140,6 +141,15 @@ Security2StubAuthenticate (
IN BOOLEAN BootPolicy
)
{
EFI_STATUS Status;
if (FileBuffer != NULL) {
Status = Defer3rdPartyImageLoad (File, BootPolicy);
if (EFI_ERROR (Status)) {
return Status;
}
}
return ExecuteSecurity2Handlers (EFI_AUTH_OPERATION_VERIFY_IMAGE |
EFI_AUTH_OPERATION_DEFER_IMAGE_LOAD |
EFI_AUTH_OPERATION_MEASURE_IMAGE |
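Review bot: the new `Defer3rdPartyImageLoad (File, BootPolicy)` call returns early on error, so a deferred image skips `ExecuteSecurity2Handlers` entirely; none of the registered verify/measure handlers see it at this point, and the function header should say so, including which status the deferral path returns to the caller. Two further points on the same lines: the deferral decision is made from `File` and `BootPolicy` only, before any handler that registered for `EFI_AUTH_OPERATION_DEFER_IMAGE_LOAD` (already passed in the flags below) runs, so the ordering between this built-in deferral and library-registered deferral handlers deserves a comment; and the check is gated on `FileBuffer != NULL`, meaning a caller that supplies only a device path bypasses the deferral, which should either be intentional and documented or the condition relaxed.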
@@ -200,5 +210,7 @@ SecurityStubInitialize (
);
ASSERT_EFI_ERROR (Status);
Defer3rdPartyImageLoadInitialize ();
return EFI_SUCCESS;
}
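Review bot: `Defer3rdPartyImageLoadInitialize ()` is called as a bare statement right after a `Status` that is checked with `ASSERT_EFI_ERROR (Status)`; if the new initializer can fail (for example when registering its EndOfDxe event callback), its return value should be captured and asserted the same way, otherwise its prototype should be `VOID` so the dropped status is explicit rather than silently ignored.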