/** @file Supports Fmp Capsule Dependency Expression. Copyright (c) Microsoft Corporation.
Copyright (c) 2020, Intel Corporation. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent **/ #include #include #include #include #include #include #include #include #include // // Define the initial size of the dependency expression evaluation stack // #define DEPEX_STACK_SIZE_INCREMENT 0x1000 // // Type of stack element // typedef enum { BooleanType, VersionType } ELEMENT_TYPE; // // Value of stack element // typedef union { BOOLEAN Boolean; UINT32 Version; } ELEMENT_VALUE; // // Stack element used to evaluate dependency expressions // typedef struct { ELEMENT_VALUE Value; ELEMENT_TYPE Type; } DEPEX_ELEMENT; // // Global stack used to evaluate dependency expressions // DEPEX_ELEMENT *mDepexEvaluationStack = NULL; DEPEX_ELEMENT *mDepexEvaluationStackEnd = NULL; DEPEX_ELEMENT *mDepexEvaluationStackPointer = NULL; /** Grow size of the Depex stack @retval EFI_SUCCESS Stack successfully growed. @retval EFI_OUT_OF_RESOURCES There is not enough system memory to grow the stack. **/ EFI_STATUS GrowDepexStack ( VOID ) { DEPEX_ELEMENT *NewStack; UINTN Size; Size = DEPEX_STACK_SIZE_INCREMENT; if (mDepexEvaluationStack != NULL) { Size = Size + (mDepexEvaluationStackEnd - mDepexEvaluationStack); } NewStack = AllocatePool (Size * sizeof (DEPEX_ELEMENT)); if (NewStack == NULL) { DEBUG ((DEBUG_ERROR, "GrowDepexStack: Cannot allocate memory for dependency evaluation stack!\n")); return EFI_OUT_OF_RESOURCES; } if (mDepexEvaluationStack != NULL) { // // Copy to Old Stack to the New Stack // CopyMem ( NewStack, mDepexEvaluationStack, (mDepexEvaluationStackEnd - mDepexEvaluationStack) * sizeof (DEPEX_ELEMENT) ); // // Free The Old Stack // FreePool (mDepexEvaluationStack); } // // Make the Stack pointer point to the old data in the new stack // mDepexEvaluationStackPointer = NewStack + (mDepexEvaluationStackPointer - mDepexEvaluationStack); mDepexEvaluationStack = NewStack; mDepexEvaluationStackEnd = NewStack + Size; return EFI_SUCCESS; } /** Push an element onto the Stack. @param[in] Value Value to push. @param[in] Type Element Type @retval EFI_SUCCESS The value was pushed onto the stack. @retval EFI_OUT_OF_RESOURCES There is not enough system memory to grow the stack. @retval EFI_INVALID_PARAMETER Wrong stack element type. **/ EFI_STATUS Push ( IN UINT32 Value, IN UINTN Type ) { EFI_STATUS Status; DEPEX_ELEMENT Element; // // Check Type // if ((Type != BooleanType) && (Type != VersionType)) { return EFI_INVALID_PARAMETER; } // // Check for a stack overflow condition // if (mDepexEvaluationStackPointer == mDepexEvaluationStackEnd) { // // Grow the stack // Status = GrowDepexStack (); if (EFI_ERROR (Status)) { return Status; } } Element.Value.Version = Value; Element.Type = Type; // // Push the item onto the stack // *mDepexEvaluationStackPointer = Element; mDepexEvaluationStackPointer++; return EFI_SUCCESS; } /** Pop an element from the stack. @param[out] Element Element to pop. @param[in] Type Type of element. @retval EFI_SUCCESS The value was popped onto the stack. @retval EFI_ACCESS_DENIED The pop operation underflowed the stack. @retval EFI_INVALID_PARAMETER Type is mismatched. **/ EFI_STATUS Pop ( OUT DEPEX_ELEMENT *Element, IN ELEMENT_TYPE Type ) { // // Check for a stack underflow condition // if (mDepexEvaluationStackPointer == mDepexEvaluationStack) { DEBUG ((DEBUG_ERROR, "EvaluateDependency: Stack underflow!\n")); return EFI_ACCESS_DENIED; } // // Pop the item off the stack // mDepexEvaluationStackPointer--; *Element = *mDepexEvaluationStackPointer; if ((*Element).Type != Type) { DEBUG ((DEBUG_ERROR, "EvaluateDependency: Popped element type is mismatched!\n")); return EFI_INVALID_PARAMETER; } return EFI_SUCCESS; } /** Evaluate the dependencies. The caller must search all the Fmp instances and gather their versions into FmpVersions parameter. If there is PUSH_GUID opcode in dependency expression with no FmpVersions provided, the dependency will evaluate to FALSE. @param[in] Dependencies Dependency expressions. @param[in] DependenciesSize Size of Dependency expressions. @param[in] FmpVersions Array of Fmp ImageTypeId and version. This parameter is optional and can be set to NULL. @param[in] FmpVersionsCount Element count of the array. When FmpVersions is NULL, FmpVersionsCount must be 0. @param[out] LastAttemptStatus An optional pointer to a UINT32 that holds the last attempt status to report back to the caller. This function will set the value to LAST_ATTEMPT_STATUS_SUCCESS if an error code is not set. @retval TRUE Dependency expressions evaluate to TRUE. @retval FALSE Dependency expressions evaluate to FALSE. **/ BOOLEAN EFIAPI EvaluateDependency ( IN EFI_FIRMWARE_IMAGE_DEP *Dependencies, IN UINTN DependenciesSize, IN FMP_DEPEX_CHECK_VERSION_DATA *FmpVersions OPTIONAL, IN UINTN FmpVersionsCount, OUT UINT32 *LastAttemptStatus OPTIONAL ) { EFI_STATUS Status; UINT8 *Iterator; UINT8 Index; DEPEX_ELEMENT Element1; DEPEX_ELEMENT Element2; GUID ImageTypeId; UINT32 Version; UINT32 LocalLastAttemptStatus; LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_SUCCESS; // // Check if parameter is valid. // if ((Dependencies == NULL) || (DependenciesSize == 0)) { return FALSE; } if ((FmpVersions == NULL) && (FmpVersionsCount > 0)) { return FALSE; } // // Clean out memory leaks in Depex Boolean stack. Leaks are only caused by // incorrectly formed DEPEX expressions // mDepexEvaluationStackPointer = mDepexEvaluationStack; Iterator = (UINT8 *)Dependencies->Dependencies; while (Iterator < (UINT8 *)Dependencies->Dependencies + DependenciesSize) { switch (*Iterator) { case EFI_FMP_DEP_PUSH_GUID: if (Iterator + sizeof (EFI_GUID) >= (UINT8 *)Dependencies->Dependencies + DependenciesSize) { DEBUG ((DEBUG_ERROR, "EvaluateDependency: GUID extends beyond end of dependency expression!\n")); LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_GUID_BEYOND_DEPEX; goto Error; } CopyGuid (&ImageTypeId, (EFI_GUID *)(Iterator + 1)); Iterator = Iterator + sizeof (EFI_GUID); for (Index = 0; Index < FmpVersionsCount; Index++) { if (CompareGuid (&FmpVersions[Index].ImageTypeId, &ImageTypeId)) { Status = Push (FmpVersions[Index].Version, VersionType); if (EFI_ERROR (Status)) { LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_PUSH_FAILURE; goto Error; } break; } } if (Index == FmpVersionsCount) { DEBUG ((DEBUG_ERROR, "EvaluateDependency: %g is not found!\n", &ImageTypeId)); LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_FMP_NOT_FOUND; goto Error; } break; case EFI_FMP_DEP_PUSH_VERSION: if (Iterator + sizeof (UINT32) >= (UINT8 *)Dependencies->Dependencies + DependenciesSize ) { DEBUG ((DEBUG_ERROR, "EvaluateDependency: VERSION extends beyond end of dependency expression!\n")); LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_VERSION_BEYOND_DEPEX; goto Error; } Version = *(UINT32 *)(Iterator + 1); Status = Push (Version, VersionType); if (EFI_ERROR (Status)) { LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_PUSH_FAILURE; goto Error; } Iterator = Iterator + sizeof (UINT32); break; case EFI_FMP_DEP_VERSION_STR: Iterator += AsciiStrnLenS ((CHAR8 *)Iterator, DependenciesSize - (Iterator - Dependencies->Dependencies)); if (Iterator == (UINT8 *)Dependencies->Dependencies + DependenciesSize) { DEBUG ((DEBUG_ERROR, "EvaluateDependency: STRING extends beyond end of dependency expression!\n")); LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_VERSION_STR_BEYOND_DEPEX; goto Error; } break; case EFI_FMP_DEP_AND: Status = Pop (&Element1, BooleanType); if (EFI_ERROR (Status)) { LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_POP_FAILURE; goto Error; } Status = Pop (&Element2, BooleanType); if (EFI_ERROR (Status)) { LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_POP_FAILURE; goto Error; } Status = Push (Element1.Value.Boolean & Element2.Value.Boolean, BooleanType); if (EFI_ERROR (Status)) { LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_PUSH_FAILURE; goto Error; } break; case EFI_FMP_DEP_OR: Status = Pop (&Element1, BooleanType); if (EFI_ERROR (Status)) { LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_POP_FAILURE; goto Error; } Status = Pop (&Element2, BooleanType); if (EFI_ERROR (Status)) { LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_POP_FAILURE; goto Error; } Status = Push (Element1.Value.Boolean | Element2.Value.Boolean, BooleanType); if (EFI_ERROR (Status)) { LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_PUSH_FAILURE; goto Error; } break; case EFI_FMP_DEP_NOT: Status = Pop (&Element1, BooleanType); if (EFI_ERROR (Status)) { LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_POP_FAILURE; goto Error; } Status = Push (!(Element1.Value.Boolean), BooleanType); if (EFI_ERROR (Status)) { LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_PUSH_FAILURE; goto Error; } break; case EFI_FMP_DEP_TRUE: Status = Push (TRUE, BooleanType); if (EFI_ERROR (Status)) { LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_PUSH_FAILURE; goto Error; } break; case EFI_FMP_DEP_FALSE: Status = Push (FALSE, BooleanType); if (EFI_ERROR (Status)) { LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_PUSH_FAILURE; goto Error; } break; case EFI_FMP_DEP_EQ: Status = Pop (&Element1, VersionType); if (EFI_ERROR (Status)) { LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_POP_FAILURE; goto Error; } Status = Pop (&Element2, VersionType); if (EFI_ERROR (Status)) { LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_POP_FAILURE; goto Error; } Status = (Element1.Value.Version == Element2.Value.Version) ? Push (TRUE, BooleanType) : Push (FALSE, BooleanType); if (EFI_ERROR (Status)) { LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_PUSH_FAILURE; goto Error; } break; case EFI_FMP_DEP_GT: Status = Pop (&Element1, VersionType); if (EFI_ERROR (Status)) { LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_POP_FAILURE; goto Error; } Status = Pop (&Element2, VersionType); if (EFI_ERROR (Status)) { LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_POP_FAILURE; goto Error; } Status = (Element1.Value.Version > Element2.Value.Version) ? Push (TRUE, BooleanType) : Push (FALSE, BooleanType); if (EFI_ERROR (Status)) { LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_PUSH_FAILURE; goto Error; } break; case EFI_FMP_DEP_GTE: Status = Pop (&Element1, VersionType); if (EFI_ERROR (Status)) { LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_POP_FAILURE; goto Error; } Status = Pop (&Element2, VersionType); if (EFI_ERROR (Status)) { LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_POP_FAILURE; goto Error; } Status = (Element1.Value.Version >= Element2.Value.Version) ? Push (TRUE, BooleanType) : Push (FALSE, BooleanType); if (EFI_ERROR (Status)) { LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_PUSH_FAILURE; goto Error; } break; case EFI_FMP_DEP_LT: Status = Pop (&Element1, VersionType); if (EFI_ERROR (Status)) { LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_POP_FAILURE; goto Error; } Status = Pop (&Element2, VersionType); if (EFI_ERROR (Status)) { LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_POP_FAILURE; goto Error; } Status = (Element1.Value.Version < Element2.Value.Version) ? Push (TRUE, BooleanType) : Push (FALSE, BooleanType); if (EFI_ERROR (Status)) { LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_PUSH_FAILURE; goto Error; } break; case EFI_FMP_DEP_LTE: Status = Pop (&Element1, VersionType); if (EFI_ERROR (Status)) { LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_POP_FAILURE; goto Error; } Status = Pop (&Element2, VersionType); if (EFI_ERROR (Status)) { LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_POP_FAILURE; goto Error; } Status = (Element1.Value.Version <= Element2.Value.Version) ? Push (TRUE, BooleanType) : Push (FALSE, BooleanType); if (EFI_ERROR (Status)) { LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_PUSH_FAILURE; goto Error; } break; case EFI_FMP_DEP_END: Status = Pop (&Element1, BooleanType); if (EFI_ERROR (Status)) { LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_POP_FAILURE; goto Error; } return Element1.Value.Boolean; default: DEBUG ((DEBUG_ERROR, "EvaluateDependency: Unknown Opcode - %02x!\n", *Iterator)); LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_UNKNOWN_OPCODE; goto Error; } Iterator++; } DEBUG ((DEBUG_ERROR, "EvaluateDependency: No EFI_FMP_DEP_END Opcode in expression!\n")); LocalLastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_NO_END_OPCODE; Error: if (LastAttemptStatus != NULL) { *LastAttemptStatus = LocalLastAttemptStatus; } return FALSE; } /** Validate the dependency expression and output its size. @param[in] Dependencies Pointer to the EFI_FIRMWARE_IMAGE_DEP. @param[in] MaxDepexSize Max size of the dependency. @param[out] DepexSize Size of dependency. @param[out] LastAttemptStatus An optional pointer to a UINT32 that holds the last attempt status to report back to the caller. If a last attempt status error code is not returned, this function will not modify the LastAttemptStatus value. @retval TRUE The dependency expression is valid. @retval FALSE The dependency expression is invalid. **/ BOOLEAN EFIAPI ValidateDependency ( IN EFI_FIRMWARE_IMAGE_DEP *Dependencies, IN UINTN MaxDepexSize, OUT UINT32 *DepexSize, OUT UINT32 *LastAttemptStatus OPTIONAL ) { UINT8 *Depex; if (DepexSize != NULL) { *DepexSize = 0; } if (Dependencies == NULL) { return FALSE; } Depex = Dependencies->Dependencies; while (Depex < Dependencies->Dependencies + MaxDepexSize) { switch (*Depex) { case EFI_FMP_DEP_PUSH_GUID: Depex += sizeof (EFI_GUID) + 1; break; case EFI_FMP_DEP_PUSH_VERSION: Depex += sizeof (UINT32) + 1; break; case EFI_FMP_DEP_VERSION_STR: Depex += AsciiStrnLenS ((CHAR8 *)Depex, Dependencies->Dependencies + MaxDepexSize - Depex) + 1; break; case EFI_FMP_DEP_AND: case EFI_FMP_DEP_OR: case EFI_FMP_DEP_NOT: case EFI_FMP_DEP_TRUE: case EFI_FMP_DEP_FALSE: case EFI_FMP_DEP_EQ: case EFI_FMP_DEP_GT: case EFI_FMP_DEP_GTE: case EFI_FMP_DEP_LT: case EFI_FMP_DEP_LTE: Depex += 1; break; case EFI_FMP_DEP_END: Depex += 1; if (DepexSize != NULL) { *DepexSize = (UINT32)(Depex - Dependencies->Dependencies); } return TRUE; default: return FALSE; } } if (LastAttemptStatus != NULL) { *LastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_NO_END_OPCODE; } return FALSE; } /** Get dependency from firmware image. @param[in] Image Points to the firmware image. @param[in] ImageSize Size, in bytes, of the firmware image. @param[out] DepexSize Size, in bytes, of the dependency. @param[out] LastAttemptStatus An optional pointer to a UINT32 that holds the last attempt status to report back to the caller. If a last attempt status error code is not returned, this function will not modify the LastAttemptStatus value. @retval The pointer to dependency. @retval Null **/ EFI_FIRMWARE_IMAGE_DEP * EFIAPI GetImageDependency ( IN EFI_FIRMWARE_IMAGE_AUTHENTICATION *Image, IN UINTN ImageSize, OUT UINT32 *DepexSize, OUT UINT32 *LastAttemptStatus OPTIONAL ) { EFI_FIRMWARE_IMAGE_DEP *Depex; UINTN MaxDepexSize; if (Image == NULL) { return NULL; } // // Check to make sure that operation can be safely performed. // if ((((UINTN)Image + sizeof (Image->MonotonicCount) + Image->AuthInfo.Hdr.dwLength) < (UINTN)Image) || \ (((UINTN)Image + sizeof (Image->MonotonicCount) + Image->AuthInfo.Hdr.dwLength) >= (UINTN)Image + ImageSize)) { // // Pointer overflow. Invalid image. // if (LastAttemptStatus != NULL) { *LastAttemptStatus = LAST_ATTEMPT_STATUS_DEPENDENCY_LIB_ERROR_GET_DEPEX_FAILURE; } return NULL; } Depex = (EFI_FIRMWARE_IMAGE_DEP *)((UINT8 *)Image + sizeof (Image->MonotonicCount) + Image->AuthInfo.Hdr.dwLength); MaxDepexSize = ImageSize - (sizeof (Image->MonotonicCount) + Image->AuthInfo.Hdr.dwLength); // // Validate the dependency and get the size of dependency // if (ValidateDependency (Depex, MaxDepexSize, DepexSize, LastAttemptStatus)) { return Depex; } return NULL; }