Cc: Jiewen Yao <jiewen.yao@intel.com> Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu <hao.a.wu@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
		
			
				
	
	
		
			266 lines
		
	
	
		
			11 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
			
		
		
	
	
			266 lines
		
	
	
		
			11 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
| /** @file
 | |
|   SetImage instance to report system firmware and act as agent to system update.
 | |
| 
 | |
|   Caution: This module requires additional review when modified.
 | |
|   This module will have external input - capsule image.
 | |
|   This external input must be validated carefully to avoid security issue like
 | |
|   buffer overflow, integer overflow.
 | |
| 
 | |
|   FmpSetImage() will receive untrusted input and do basic validation.
 | |
| 
 | |
|   Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
 | |
|   This program and the accompanying materials
 | |
|   are licensed and made available under the terms and conditions of the BSD License
 | |
|   which accompanies this distribution.  The full text of the license may be found at
 | |
|   http://opensource.org/licenses/bsd-license.php
 | |
| 
 | |
|   THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
 | |
|   WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 | |
| 
 | |
| **/
 | |
| 
 | |
| #include "SystemFirmwareDxe.h"
 | |
| 
 | |
| //
 | |
| // SystemFmp driver private data
 | |
| //
 | |
| SYSTEM_FMP_PRIVATE_DATA *mSystemFmpPrivate = NULL;
 | |
| 
 | |
| /**
 | |
|   Dispatch system FMP images.
 | |
| 
 | |
|   Caution: This function may receive untrusted input.
 | |
| 
 | |
|   @param[in]  Image              The EDKII system FMP capsule image.
 | |
|   @param[in]  ImageSize          The size of the EDKII system FMP capsule image in bytes.
 | |
|   @param[out] LastAttemptVersion The last attempt version, which will be recorded in ESRT and FMP EFI_FIRMWARE_IMAGE_DESCRIPTOR.
 | |
|   @param[out] LastAttemptStatus  The last attempt status, which will be recorded in ESRT and FMP EFI_FIRMWARE_IMAGE_DESCRIPTOR.
 | |
| 
 | |
|   @retval EFI_SUCESS            Process Capsule Image successfully.
 | |
|   @retval EFI_UNSUPPORTED       Capsule image is not supported by the firmware.
 | |
|   @retval EFI_VOLUME_CORRUPTED  FV volume in the capsule is corrupted.
 | |
|   @retval EFI_OUT_OF_RESOURCES  Not enough memory.
 | |
| **/
 | |
| EFI_STATUS
 | |
| DispatchSystemFmpImages (
 | |
|   IN VOID                         *Image,
 | |
|   IN UINTN                        ImageSize,
 | |
|   OUT UINT32                      *LastAttemptVersion,
 | |
|   OUT UINT32                      *LastAttemptStatus
 | |
|   )
 | |
| {
 | |
|   EFI_STATUS                                    Status;
 | |
|   VOID                                          *AuthenticatedImage;
 | |
|   UINTN                                         AuthenticatedImageSize;
 | |
|   VOID                                          *DispatchFvImage;
 | |
|   UINTN                                         DispatchFvImageSize;
 | |
|   EFI_HANDLE                                    FvProtocolHandle;
 | |
|   EFI_FIRMWARE_VOLUME_HEADER                    *FvImage;
 | |
|   BOOLEAN                                       Result;
 | |
| 
 | |
|   AuthenticatedImage     = NULL;
 | |
|   AuthenticatedImageSize = 0;
 | |
| 
 | |
|   DEBUG((DEBUG_INFO, "DispatchSystemFmpImages\n"));
 | |
| 
 | |
|   //
 | |
|   // Verify
 | |
|   //
 | |
|   Status = CapsuleAuthenticateSystemFirmware(Image, ImageSize, FALSE, LastAttemptVersion, LastAttemptStatus, &AuthenticatedImage, &AuthenticatedImageSize);
 | |
|   if (EFI_ERROR(Status)) {
 | |
|     DEBUG((DEBUG_INFO, "SystemFirmwareAuthenticateImage - %r\n", Status));
 | |
|     return Status;
 | |
|   }
 | |
| 
 | |
|   //
 | |
|   // Get FV
 | |
|   //
 | |
|   Result = ExtractDriverFvImage(AuthenticatedImage, AuthenticatedImageSize, &DispatchFvImage, &DispatchFvImageSize);
 | |
|   if (Result) {
 | |
|     DEBUG((DEBUG_INFO, "ExtractDriverFvImage\n"));
 | |
|     //
 | |
|     // Dispatch
 | |
|     //
 | |
|     if (((EFI_FIRMWARE_VOLUME_HEADER *)DispatchFvImage)->FvLength == DispatchFvImageSize) {
 | |
|       FvImage = AllocatePages(EFI_SIZE_TO_PAGES(DispatchFvImageSize));
 | |
|       if (FvImage != NULL) {
 | |
|         CopyMem(FvImage, DispatchFvImage, DispatchFvImageSize);
 | |
|         Status = gDS->ProcessFirmwareVolume(
 | |
|                         (VOID *)FvImage,
 | |
|                         (UINTN)FvImage->FvLength,
 | |
|                         &FvProtocolHandle
 | |
|                         );
 | |
|         DEBUG((DEBUG_INFO, "ProcessFirmwareVolume - %r\n", Status));
 | |
|         if (!EFI_ERROR(Status)) {
 | |
|           gDS->Dispatch();
 | |
|           DEBUG((DEBUG_INFO, "Dispatch Done\n"));
 | |
|         }
 | |
|       }
 | |
|     }
 | |
|   }
 | |
| 
 | |
|   return EFI_SUCCESS;
 | |
| }
 | |
| 
 | |
| /**
 | |
|   Updates the firmware image of the device.
 | |
| 
 | |
|   This function updates the hardware with the new firmware image.
 | |
|   This function returns EFI_UNSUPPORTED if the firmware image is not updatable.
 | |
|   If the firmware image is updatable, the function should perform the following minimal validations
 | |
|   before proceeding to do the firmware image update.
 | |
|   - Validate the image authentication if image has attribute
 | |
|     IMAGE_ATTRIBUTE_AUTHENTICATION_REQUIRED. The function returns
 | |
|     EFI_SECURITY_VIOLATION if the validation fails.
 | |
|   - Validate the image is a supported image for this device. The function returns EFI_ABORTED if
 | |
|     the image is unsupported. The function can optionally provide more detailed information on
 | |
|     why the image is not a supported image.
 | |
|   - Validate the data from VendorCode if not null. Image validation must be performed before
 | |
|     VendorCode data validation. VendorCode data is ignored or considered invalid if image
 | |
|     validation failed. The function returns EFI_ABORTED if the data is invalid.
 | |
| 
 | |
|   VendorCode enables vendor to implement vendor-specific firmware image update policy. Null if
 | |
|   the caller did not specify the policy or use the default policy. As an example, vendor can implement
 | |
|   a policy to allow an option to force a firmware image update when the abort reason is due to the new
 | |
|   firmware image version is older than the current firmware image version or bad image checksum.
 | |
|   Sensitive operations such as those wiping the entire firmware image and render the device to be
 | |
|   non-functional should be encoded in the image itself rather than passed with the VendorCode.
 | |
|   AbortReason enables vendor to have the option to provide a more detailed description of the abort
 | |
|   reason to the caller.
 | |
| 
 | |
|   @param[in]  This               A pointer to the EFI_FIRMWARE_MANAGEMENT_PROTOCOL instance.
 | |
|   @param[in]  ImageIndex         A unique number identifying the firmware image(s) within the device.
 | |
|                                  The number is between 1 and DescriptorCount.
 | |
|   @param[in]  Image              Points to the new image.
 | |
|   @param[in]  ImageSize          Size of the new image in bytes.
 | |
|   @param[in]  VendorCode         This enables vendor to implement vendor-specific firmware image update policy.
 | |
|                                  Null indicates the caller did not specify the policy or use the default policy.
 | |
|   @param[in]  Progress           A function used by the driver to report the progress of the firmware update.
 | |
|   @param[out] AbortReason        A pointer to a pointer to a null-terminated string providing more
 | |
|                                  details for the aborted operation. The buffer is allocated by this function
 | |
|                                  with AllocatePool(), and it is the caller's responsibility to free it with a
 | |
|                                  call to FreePool().
 | |
| 
 | |
|   @retval EFI_SUCCESS            The device was successfully updated with the new image.
 | |
|   @retval EFI_ABORTED            The operation is aborted.
 | |
|   @retval EFI_INVALID_PARAMETER  The Image was NULL.
 | |
|   @retval EFI_UNSUPPORTED        The operation is not supported.
 | |
|   @retval EFI_SECURITY_VIOLATIO  The operation could not be performed due to an authentication failure.
 | |
| 
 | |
| **/
 | |
| EFI_STATUS
 | |
| EFIAPI
 | |
| FmpSetImage (
 | |
|   IN  EFI_FIRMWARE_MANAGEMENT_PROTOCOL                 *This,
 | |
|   IN  UINT8                                            ImageIndex,
 | |
|   IN  CONST VOID                                       *Image,
 | |
|   IN  UINTN                                            ImageSize,
 | |
|   IN  CONST VOID                                       *VendorCode,
 | |
|   IN  EFI_FIRMWARE_MANAGEMENT_UPDATE_IMAGE_PROGRESS    Progress,
 | |
|   OUT CHAR16                                           **AbortReason
 | |
|   )
 | |
| {
 | |
|   SYSTEM_FMP_PRIVATE_DATA             *SystemFmpPrivate;
 | |
|   EFI_FIRMWARE_MANAGEMENT_PROTOCOL    *SystemFmp;
 | |
|   EFI_STATUS                          Status;
 | |
|   EFI_STATUS                          VarStatus;
 | |
| 
 | |
|   if (Image == NULL || ImageSize == 0 || AbortReason == NULL) {
 | |
|     return EFI_INVALID_PARAMETER;
 | |
|   }
 | |
| 
 | |
|   SystemFmpPrivate = SYSTEM_FMP_PRIVATE_DATA_FROM_FMP(This);
 | |
|   *AbortReason     = NULL;
 | |
| 
 | |
|   if (ImageIndex == 0 || ImageIndex > SystemFmpPrivate->DescriptorCount) {
 | |
|     return EFI_INVALID_PARAMETER;
 | |
|   }
 | |
| 
 | |
|   //
 | |
|   // Process FV
 | |
|   //
 | |
|   Status = DispatchSystemFmpImages((VOID *)Image, ImageSize, &SystemFmpPrivate->LastAttempt.LastAttemptVersion, &SystemFmpPrivate->LastAttempt.LastAttemptStatus);
 | |
|   DEBUG((DEBUG_INFO, "(Agent)SetImage - LastAttemp Version - 0x%x, State - 0x%x\n", SystemFmpPrivate->LastAttempt.LastAttemptVersion, SystemFmpPrivate->LastAttempt.LastAttemptStatus));
 | |
|   if (EFI_ERROR(Status)) {
 | |
|     VarStatus = gRT->SetVariable(
 | |
|                        SYSTEM_FMP_LAST_ATTEMPT_VARIABLE_NAME,
 | |
|                        &gSystemFmpLastAttemptVariableGuid,
 | |
|                        EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
 | |
|                        sizeof(SystemFmpPrivate->LastAttempt),
 | |
|                        &SystemFmpPrivate->LastAttempt
 | |
|                        );
 | |
|     DEBUG((DEBUG_INFO, "(Agent)SetLastAttemp - %r\n", VarStatus));
 | |
|     return Status;
 | |
|   }
 | |
| 
 | |
|   //
 | |
|   // Pass Thru
 | |
|   //
 | |
|   Status = gBS->LocateProtocol(&gSystemFmpProtocolGuid, NULL, (VOID **)&SystemFmp);
 | |
|   if (EFI_ERROR(Status)) {
 | |
|     DEBUG((DEBUG_INFO, "(Agent)SetImage - SystemFmpProtocol - %r\n", Status));
 | |
|     SystemFmpPrivate->LastAttempt.LastAttemptStatus = LAST_ATTEMPT_STATUS_ERROR_INVALID_FORMAT;
 | |
|     VarStatus = gRT->SetVariable(
 | |
|                        SYSTEM_FMP_LAST_ATTEMPT_VARIABLE_NAME,
 | |
|                        &gSystemFmpLastAttemptVariableGuid,
 | |
|                        EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS,
 | |
|                        sizeof(SystemFmpPrivate->LastAttempt),
 | |
|                        &SystemFmpPrivate->LastAttempt
 | |
|                        );
 | |
|     DEBUG((DEBUG_INFO, "(Agent)SetLastAttemp - %r\n", VarStatus));
 | |
|     return Status;
 | |
|   }
 | |
| 
 | |
|   return SystemFmp->SetImage(SystemFmp, ImageIndex, Image, ImageSize, VendorCode, Progress, AbortReason);
 | |
| }
 | |
| 
 | |
| /**
 | |
|   System FMP module entrypoint
 | |
| 
 | |
|   @param[in]  ImageHandle       The firmware allocated handle for the EFI image.
 | |
|   @param[in]  SystemTable       A pointer to the EFI System Table.
 | |
| 
 | |
|   @return EFI_SUCCESS System FMP module is initialized.
 | |
| **/
 | |
| EFI_STATUS
 | |
| EFIAPI
 | |
| SystemFirmwareReportMainDxe (
 | |
|   IN EFI_HANDLE                         ImageHandle,
 | |
|   IN EFI_SYSTEM_TABLE                   *SystemTable
 | |
|   )
 | |
| {
 | |
|   EFI_STATUS                                      Status;
 | |
| 
 | |
|   //
 | |
|   // Initialize SystemFmpPrivateData
 | |
|   //
 | |
|   mSystemFmpPrivate = AllocateZeroPool (sizeof(SYSTEM_FMP_PRIVATE_DATA));
 | |
|   if (mSystemFmpPrivate == NULL) {
 | |
|     return EFI_OUT_OF_RESOURCES;
 | |
|   }
 | |
| 
 | |
|   Status = InitializePrivateData(mSystemFmpPrivate);
 | |
|   if (EFI_ERROR(Status)) {
 | |
|     FreePool(mSystemFmpPrivate);
 | |
|     mSystemFmpPrivate = NULL;
 | |
|     return Status;
 | |
|   }
 | |
| 
 | |
|   //
 | |
|   // Install FMP protocol.
 | |
|   //
 | |
|   Status = gBS->InstallProtocolInterface (
 | |
|                   &mSystemFmpPrivate->Handle,
 | |
|                   &gEfiFirmwareManagementProtocolGuid,
 | |
|                   EFI_NATIVE_INTERFACE,
 | |
|                   &mSystemFmpPrivate->Fmp
 | |
|                   );
 | |
|   if (EFI_ERROR (Status)) {
 | |
|     FreePool(mSystemFmpPrivate);
 | |
|     mSystemFmpPrivate = NULL;
 | |
|     return Status;
 | |
|   }
 | |
| 
 | |
|   return Status;
 | |
| }
 |