mirror of
https://github.com/tianocore/edk2.git
synced 2025-09-16 16:43:03 +00:00
SecurityPkg/FvReportPei: Improve CheckStoredHashFv() description
Some checks failed
CodeQL / Analyze (IA32, CryptoPkg) (push) Has been cancelled
CodeQL / Analyze (IA32, MdeModulePkg) (push) Has been cancelled
CodeQL / Analyze (IA32,X64, DynamicTablesPkg) (push) Has been cancelled
CodeQL / Analyze (IA32,X64, FatPkg) (push) Has been cancelled
CodeQL / Analyze (IA32,X64, FmpDevicePkg) (push) Has been cancelled
CodeQL / Analyze (IA32,X64, IntelFsp2Pkg) (push) Has been cancelled
CodeQL / Analyze (IA32,X64, IntelFsp2WrapperPkg) (push) Has been cancelled
CodeQL / Analyze (IA32,X64, MdePkg) (push) Has been cancelled
CodeQL / Analyze (IA32,X64, PcAtChipsetPkg) (push) Has been cancelled
CodeQL / Analyze (IA32,X64, PrmPkg) (push) Has been cancelled
CodeQL / Analyze (IA32,X64, SecurityPkg) (push) Has been cancelled
CodeQL / Analyze (IA32,X64, ShellPkg) (push) Has been cancelled
CodeQL / Analyze (IA32,X64, SourceLevelDebugPkg) (push) Has been cancelled
CodeQL / Analyze (IA32,X64, StandaloneMmPkg) (push) Has been cancelled
CodeQL / Analyze (IA32,X64, UefiCpuPkg) (push) Has been cancelled
CodeQL / Analyze (IA32,X64, UnitTestFrameworkPkg) (push) Has been cancelled
CodeQL / Analyze (X64, CryptoPkg) (push) Has been cancelled
CodeQL / Analyze (X64, MdeModulePkg) (push) Has been cancelled
UPL Build / Build UPL VS2022 (FIT_BUILD=FALSE, windows-latest, 3.12, DEBUG, VS2022) (push) Has been cancelled
UPL Build / Build UPL VS2022 (FIT_BUILD=TRUE, windows-latest, 3.12, DEBUG, VS2022) (push) Has been cancelled
UPL Build / Build UPL GCC (FIT_BUILD=FALSE, ubuntu-latest, 3.12, DEBUG, GCC) (push) Has been cancelled
UPL Build / Build UPL GCC (FIT_BUILD=TRUE, ubuntu-latest, 3.12, DEBUG, GCC) (push) Has been cancelled
Some checks failed
CodeQL / Analyze (IA32, CryptoPkg) (push) Has been cancelled
CodeQL / Analyze (IA32, MdeModulePkg) (push) Has been cancelled
CodeQL / Analyze (IA32,X64, DynamicTablesPkg) (push) Has been cancelled
CodeQL / Analyze (IA32,X64, FatPkg) (push) Has been cancelled
CodeQL / Analyze (IA32,X64, FmpDevicePkg) (push) Has been cancelled
CodeQL / Analyze (IA32,X64, IntelFsp2Pkg) (push) Has been cancelled
CodeQL / Analyze (IA32,X64, IntelFsp2WrapperPkg) (push) Has been cancelled
CodeQL / Analyze (IA32,X64, MdePkg) (push) Has been cancelled
CodeQL / Analyze (IA32,X64, PcAtChipsetPkg) (push) Has been cancelled
CodeQL / Analyze (IA32,X64, PrmPkg) (push) Has been cancelled
CodeQL / Analyze (IA32,X64, SecurityPkg) (push) Has been cancelled
CodeQL / Analyze (IA32,X64, ShellPkg) (push) Has been cancelled
CodeQL / Analyze (IA32,X64, SourceLevelDebugPkg) (push) Has been cancelled
CodeQL / Analyze (IA32,X64, StandaloneMmPkg) (push) Has been cancelled
CodeQL / Analyze (IA32,X64, UefiCpuPkg) (push) Has been cancelled
CodeQL / Analyze (IA32,X64, UnitTestFrameworkPkg) (push) Has been cancelled
CodeQL / Analyze (X64, CryptoPkg) (push) Has been cancelled
CodeQL / Analyze (X64, MdeModulePkg) (push) Has been cancelled
UPL Build / Build UPL VS2022 (FIT_BUILD=FALSE, windows-latest, 3.12, DEBUG, VS2022) (push) Has been cancelled
UPL Build / Build UPL VS2022 (FIT_BUILD=TRUE, windows-latest, 3.12, DEBUG, VS2022) (push) Has been cancelled
UPL Build / Build UPL GCC (FIT_BUILD=FALSE, ubuntu-latest, 3.12, DEBUG, GCC) (push) Has been cancelled
UPL Build / Build UPL GCC (FIT_BUILD=TRUE, ubuntu-latest, 3.12, DEBUG, GCC) (push) Has been cancelled
Adds more detail to the function description so the dependencies and outcomes of the verification process are easier for a reviewer and consumer to understand. Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
This commit is contained in:
Michael Kubacki
mergify[bot]
parent
5025fc1eda
commit
060bb0e5a7
@ -343,17 +343,38 @@ GetHashInfo (
|
||||
}
|
||||
|
||||
/**
|
||||
Verify and report pre-hashed FVs.
|
||||
Verifies and reports pre-hashed Firmware Volumes (FVs).
|
||||
|
||||
Doing this must be at post-memory to make sure there's enough memory to hold
|
||||
all FVs to be verified. This is necessary for mitigating TOCTOU issue.
|
||||
This function should be called after memory initialization (post-memory phase)
|
||||
to ensure sufficient memory is available to hold all FVs for verification.
|
||||
|
||||
This function will never return if the verification is failed.
|
||||
Verifying FVs at this stage is critical to mitigate Time-of-Check to Time-of-Use (TOCTOU) vulnerabilities.
|
||||
|
||||
FV Verification Step:
|
||||
|
||||
This function relies upon an instance of gEdkiiPeiFirmwareVolumeInfoStoredHashFvPpiGuid being installed. If
|
||||
an instance of the PPI is not found, EFI_NOT_FOUND is returned.
|
||||
|
||||
If the gEdkiiPeiFirmwareVolumeInfoStoredHashFvPpiGuid PPI instance does not have valid hash information for the
|
||||
current boot mode (hash info is NULL), verification is treated as successful.
|
||||
|
||||
FV Reporting Step:
|
||||
|
||||
If FV verification is successful, the function reports the FVs to PEI and/or DXE core for further processing by:
|
||||
|
||||
1. Installing a FV HOB.
|
||||
2. Installing a FV Info PPI.
|
||||
3. Reporting a status code with the value from PcdStatusCodeFvVerificationPass to indicate that FV verification
|
||||
passed.
|
||||
|
||||
If FV verification fails, the function reports a status code with the value from PcdStatusCodeFvVerificationFail
|
||||
and returns a failure status code.
|
||||
|
||||
@param[in] PeiServices General purpose services available to every PEIM.
|
||||
@param[in] BootMode Current boot mode.
|
||||
|
||||
@retval EFI_SUCCESS The function completed successfully.
|
||||
@retval EFI_NOT_FOUND No valid gEdkiiPeiFirmwareVolumeInfoStoredHashFvPpiGuid PPI instance found.
|
||||
**/
|
||||
STATIC
|
||||
EFI_STATUS
|
||||
|
||||
Loading…
Reference in New Issue
Block a user