[edk2-devel] [PATCH v1 4/8] OvmfPkg/QemuKernelLoaderFsDxe: Add ability to verify loaded items
Dov Murik
dovmurik at linux.ibm.com
Tue May 25 05:31:12 UTC 2021
From: James Bottomley <jejb at linux.ibm.com>
Allow registering a verifier which is then called for each blob passed
via QEMU's fw_cfg.
Cc: Laszlo Ersek <lersek at redhat.com>
Cc: Ard Biesheuvel <ardb+tianocore at kernel.org>
Cc: Jordan Justen <jordan.l.justen at intel.com>
Cc: Ashish Kalra <ashish.kalra at amd.com>
Cc: Brijesh Singh <brijesh.singh at amd.com>
Cc: Erdem Aktas <erdemaktas at google.com>
Cc: James Bottomley <jejb at linux.ibm.com>
Cc: Jiewen Yao <jiewen.yao at intel.com>
Cc: Min Xu <min.m.xu at intel.com>
Cc: Tom Lendacky <thomas.lendacky at amd.com>
Signed-off-by: James Bottomley <jejb at linux.ibm.com>
---
OvmfPkg/Include/Library/QemuFwCfgLib.h | 35 ++++++++++++++++++++
OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c | 31 +++++++++++++++++
2 files changed, 66 insertions(+)
diff --git a/OvmfPkg/Include/Library/QemuFwCfgLib.h b/OvmfPkg/Include/Library/QemuFwCfgLib.h
index 68002bb654e6..1095efad5878 100644
--- a/OvmfPkg/Include/Library/QemuFwCfgLib.h
+++ b/OvmfPkg/Include/Library/QemuFwCfgLib.h
@@ -173,5 +173,40 @@ QemuFwCfgFindFile (
OUT UINTN *Size
);
+/**
+ The verifier is used to abstract a hash verification operation when
+ A firmware config item is accessed via a filesystem and has some type
+ of integrity information passed in.
+
+ @param[in] Name The name of the config file to verify.
+ @param[in] Buffer A pointer to the loaded config information.
+ @param[in] Size The size of the buffer.
+
+ @retval EFI_SUCCESS The buffer verified OK.
+
+ @retval EFI_ACCESS_DENIED The buffer failed the integrity check.
+
+**/
+typedef
+RETURN_STATUS
+(EFIAPI *FW_CFG_VERIFIER) (
+ IN CONST CHAR16 *Name,
+ IN VOID *Buffer,
+ IN UINTN Size
+ );
+
+/**
+ Register a verifier for the Firmware Configuration Filesystem to use
+
+ @param[in] Verifier The verifier to register
+
+ @retval EFI_SUCCESS The verifier was successfully registered
+**/
+RETURN_STATUS
+EFIAPI
+RegisterFwCfgVerifier (
+ IN FW_CFG_VERIFIER Verifier
+ );
+
#endif
diff --git a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
index b09ff6a3590d..9823d23d1005 100644
--- a/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
+++ b/OvmfPkg/QemuKernelLoaderFsDxe/QemuKernelLoaderFsDxe.c
@@ -982,6 +982,27 @@ FetchBlob (
return EFI_SUCCESS;
}
+STATIC FW_CFG_VERIFIER mVerifier = NULL;
+
+/**
+ Register a verifier for the Firmware Configuration Filesystem to use
+
+ @param[in] Verifier The verifier to register
+
+ @retval EFI_SUCCESS The verifier was successfully registered
+**/
+EFI_STATUS
+EFIAPI
+RegisterFwCfgVerifier (
+ IN FW_CFG_VERIFIER Verifier
+ )
+{
+ if (mVerifier != NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+ mVerifier = Verifier;
+ return EFI_SUCCESS;
+}
//
// The entry point of the feature.
@@ -1033,6 +1054,16 @@ QemuKernelLoaderFsDxeEntrypoint (
if (EFI_ERROR (Status)) {
goto FreeBlobs;
}
+ if (mVerifier != NULL) {
+ Status = mVerifier (
+ CurrentBlob->Name,
+ CurrentBlob->Data,
+ CurrentBlob->Size
+ );
+ if (EFI_ERROR (Status)) {
+ goto FreeBlobs;
+ }
+ }
mTotalBlobBytes += CurrentBlob->Size;
}
KernelBlob = &mKernelBlob[KernelBlobTypeKernel];
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#75571): https://edk2.groups.io/g/devel/message/75571
Mute This Topic: https://groups.io/mt/83074455/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
More information about the edk2-devel-archive
mailing list