Update PeiCore to follow PI spec to retrieve GUIDED section data when ExtractionPpi is not found.

Enhance PeiCore Security Policy to check AuthenticationStatus when SecurityPpi is not found. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Gao, Liming <liming.gao@intel.com> Reviewed-by: Zeng, Star <star.zeng@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@15817 6f19259b-4bc3-4df7-8a09-765794883524
author: Gao, Liming <liming.gao@intel.com> 2014-08-18 05:43:06 +0000
committer: lgao4 <lgao4@6f19259b-4bc3-4df7-8a09-765794883524> 2014-08-18 05:43:06 +0000
commit: 9d8de12c31628da255155a544641ae7473581f04 (patch)
tree: 4919231a76303131fe9d5986602f234299ca331b /MdeModulePkg/Core
parent: 03af27533236a08309b60ba1f3236234f3de46bc (diff)
2 files changed, 30 insertions, 5 deletions
diff --git a/MdeModulePkg/Core/Pei/FwVol/FwVol.c b/MdeModulePkg/Core/Pei/FwVol/FwVol.c
index a347129be..357f0979e 100644
--- a/MdeModulePkg/Core/Pei/FwVol/FwVol.c
+++ b/MdeModulePkg/Core/Pei/FwVol/FwVol.c
@@ -735,6 +735,7 @@ ProcessSection (
   BOOLEAN                                 SectionCached;
   VOID                                    *TempOutputBuffer;
   UINT32                                  TempAuthenticationStatus;
+  UINT16                                  GuidedSectionAttributes;
 
   PrivateData   = PEI_CORE_INSTANCE_FROM_PS_THIS (PeiServices);
   *OutputBuffer = NULL;
@@ -834,9 +835,11 @@ ProcessSection (
         Authentication = 0;
         if (Section->Type == EFI_SECTION_GUID_DEFINED) {
           if (IS_SECTION2 (Section)) {
-            SectionDefinitionGuid = &((EFI_GUID_DEFINED_SECTION2 *)Section)->SectionDefinitionGuid;
+            SectionDefinitionGuid   = &((EFI_GUID_DEFINED_SECTION2 *)Section)->SectionDefinitionGuid;
+            GuidedSectionAttributes = ((EFI_GUID_DEFINED_SECTION2 *)Section)->Attributes;
           } else {
-            SectionDefinitionGuid = &((EFI_GUID_DEFINED_SECTION *)Section)->SectionDefinitionGuid;
+            SectionDefinitionGuid   = &((EFI_GUID_DEFINED_SECTION *)Section)->SectionDefinitionGuid;
+            GuidedSectionAttributes = ((EFI_GUID_DEFINED_SECTION *)Section)->Attributes;
           }
           if (VerifyGuidedSectionGuid (SectionDefinitionGuid, &GuidSectionPpi)) {
             Status = GuidSectionPpi->ExtractSection (
@@ -846,6 +849,21 @@ ProcessSection (
                                        &PpiOutputSize,
                                        &Authentication
                                        );
+          } else if ((GuidedSectionAttributes & EFI_GUIDED_SECTION_PROCESSING_REQUIRED) == 0) {
+            //
+            // Figure out the proper authentication status for GUIDED section without processing required
+            //
+            Status = EFI_SUCCESS;
+            if ((GuidedSectionAttributes & EFI_GUIDED_SECTION_AUTH_STATUS_VALID) == EFI_GUIDED_SECTION_AUTH_STATUS_VALID) {
+              Authentication |= EFI_AUTH_STATUS_IMAGE_SIGNED | EFI_AUTH_STATUS_NOT_TESTED;
+            }
+            if (IS_SECTION2 (Section)) {
+              PpiOutputSize = SECTION2_SIZE (Section) - ((EFI_GUID_DEFINED_SECTION2 *) Section)->DataOffset;
+              PpiOutput     = (UINT8 *) Section + ((EFI_GUID_DEFINED_SECTION2 *) Section)->DataOffset;
+            } else {
+              PpiOutputSize = SECTION_SIZE (Section) - ((EFI_GUID_DEFINED_SECTION *) Section)->DataOffset;
+              PpiOutput     = (UINT8 *) Section + ((EFI_GUID_DEFINED_SECTION *) Section)->DataOffset;
+            }
           }
         } else if (Section->Type == EFI_SECTION_COMPRESSION) {
           Status = PeiServicesLocatePpi (&gEfiPeiDecompressPpiGuid, 0, NULL, (VOID **) &DecompressPpi);
diff --git a/MdeModulePkg/Core/Pei/Security/Security.c b/MdeModulePkg/Core/Pei/Security/Security.c
index f08926766..763126057 100644
--- a/MdeModulePkg/Core/Pei/Security/Security.c
+++ b/MdeModulePkg/Core/Pei/Security/Security.c
@@ -1,7 +1,7 @@
 /** @file
   EFI PEI Core Security services
   
-Copyright (c) 2006 - 2013, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2006 - 2014, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials                          
 are licensed and made available under the terms and conditions of the BSD License         
 which accompanies this distribution.  The full text of the license may be found at        
@@ -100,9 +100,16 @@ VerifyPeim (
   EFI_STATUS                      Status;
   BOOLEAN                         DeferExection;
 
-
+  Status = EFI_NOT_FOUND;
   if (PrivateData->PrivateSecurityPpi == NULL) {
-    Status = EFI_NOT_FOUND;
+    //
+    // Check AuthenticationStatus first.
+    //
+    if ((AuthenticationStatus & EFI_AUTH_STATUS_IMAGE_SIGNED) != 0) {
+      if ((AuthenticationStatus & (EFI_AUTH_STATUS_TEST_FAILED | EFI_AUTH_STATUS_NOT_TESTED)) != 0) {
+        Status = EFI_SECURITY_VIOLATION;
+      }
+    }
   } else {
     //
     // Check to see if the image is OK
author	Gao, Liming <liming.gao@intel.com>	2014-08-18 05:43:06 +0000
committer	lgao4 <lgao4@6f19259b-4bc3-4df7-8a09-765794883524>	2014-08-18 05:43:06 +0000
commit	9d8de12c31628da255155a544641ae7473581f04 (patch)
tree	4919231a76303131fe9d5986602f234299ca331b /MdeModulePkg/Core
parent	03af27533236a08309b60ba1f3236234f3de46bc (diff)