From 060bb0e5a75946729defa4824fa899cf4cc0528b Mon Sep 17 00:00:00 2001 From: Michael Kubacki Date: Fri, 8 Aug 2025 13:41:10 -0400 Subject: [PATCH] SecurityPkg/FvReportPei: Improve CheckStoredHashFv() description Adds more detail to the function description so the dependencies and outcomes of the verification process are easier for a reviewer and consumer to understand. Signed-off-by: Michael Kubacki --- SecurityPkg/FvReportPei/FvReportPei.c | 29 +++++++++++++++++++++++---- 1 file changed, 25 insertions(+), 4 deletions(-) diff --git a/SecurityPkg/FvReportPei/FvReportPei.c b/SecurityPkg/FvReportPei/FvReportPei.c index 50773db056..6c92e7379d 100644 --- a/SecurityPkg/FvReportPei/FvReportPei.c +++ b/SecurityPkg/FvReportPei/FvReportPei.c @@ -343,17 +343,38 @@ GetHashInfo ( } /** - Verify and report pre-hashed FVs. + Verifies and reports pre-hashed Firmware Volumes (FVs). - Doing this must be at post-memory to make sure there's enough memory to hold - all FVs to be verified. This is necessary for mitigating TOCTOU issue. + This function should be called after memory initialization (post-memory phase) + to ensure sufficient memory is available to hold all FVs for verification. - This function will never return if the verification is failed. + Verifying FVs at this stage is critical to mitigate Time-of-Check to Time-of-Use (TOCTOU) vulnerabilities. + + FV Verification Step: + + This function relies upon an instance of gEdkiiPeiFirmwareVolumeInfoStoredHashFvPpiGuid being installed. If + an instance of the PPI is not found, EFI_NOT_FOUND is returned. + + If the gEdkiiPeiFirmwareVolumeInfoStoredHashFvPpiGuid PPI instance does not have valid hash information for the + current boot mode (hash info is NULL), verification is treated as successful. + + FV Reporting Step: + + If FV verification is successful, the function reports the FVs to PEI and/or DXE core for further processing by: + + 1. Installing a FV HOB. + 2. Installing a FV Info PPI. + 3. Reporting a status code with the value from PcdStatusCodeFvVerificationPass to indicate that FV verification + passed. + + If FV verification fails, the function reports a status code with the value from PcdStatusCodeFvVerificationFail + and returns a failure status code. @param[in] PeiServices General purpose services available to every PEIM. @param[in] BootMode Current boot mode. @retval EFI_SUCCESS The function completed successfully. + @retval EFI_NOT_FOUND No valid gEdkiiPeiFirmwareVolumeInfoStoredHashFvPpiGuid PPI instance found. **/ STATIC EFI_STATUS