diff options
| author | Michael Kubacki <michael.kubacki@microsoft.com> | 2025-08-08 20:41:10 +0300 |
|---|---|---|
| committer | mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> | 2025-08-30 04:00:08 +0300 |
| commit | 060bb0e5a75946729defa4824fa899cf4cc0528b (patch) | |
| tree | 3a48b116430adec7c81c0b3c5c51b83c5a754d3e /SecurityPkg | |
| parent | 5025fc1eda686d9daae6dc8a5b045a501cde12d3 (diff) | |
| download | edk2-master.tar.xz | |
Adds more detail to the function description so the dependencies
and outcomes of the verification process are easier for a reviewer
and consumer to understand.
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
Diffstat (limited to 'SecurityPkg')
| -rw-r--r-- | SecurityPkg/FvReportPei/FvReportPei.c | 29 |
1 files changed, 25 insertions, 4 deletions
diff --git a/SecurityPkg/FvReportPei/FvReportPei.c b/SecurityPkg/FvReportPei/FvReportPei.c index 50773db056..6c92e7379d 100644 --- a/SecurityPkg/FvReportPei/FvReportPei.c +++ b/SecurityPkg/FvReportPei/FvReportPei.c @@ -343,17 +343,38 @@ GetHashInfo ( }
/**
- Verify and report pre-hashed FVs.
+ Verifies and reports pre-hashed Firmware Volumes (FVs).
- Doing this must be at post-memory to make sure there's enough memory to hold
- all FVs to be verified. This is necessary for mitigating TOCTOU issue.
+ This function should be called after memory initialization (post-memory phase)
+ to ensure sufficient memory is available to hold all FVs for verification.
- This function will never return if the verification is failed.
+ Verifying FVs at this stage is critical to mitigate Time-of-Check to Time-of-Use (TOCTOU) vulnerabilities.
+
+ FV Verification Step:
+
+ This function relies upon an instance of gEdkiiPeiFirmwareVolumeInfoStoredHashFvPpiGuid being installed. If
+ an instance of the PPI is not found, EFI_NOT_FOUND is returned.
+
+ If the gEdkiiPeiFirmwareVolumeInfoStoredHashFvPpiGuid PPI instance does not have valid hash information for the
+ current boot mode (hash info is NULL), verification is treated as successful.
+
+ FV Reporting Step:
+
+ If FV verification is successful, the function reports the FVs to PEI and/or DXE core for further processing by:
+
+ 1. Installing a FV HOB.
+ 2. Installing a FV Info PPI.
+ 3. Reporting a status code with the value from PcdStatusCodeFvVerificationPass to indicate that FV verification
+ passed.
+
+ If FV verification fails, the function reports a status code with the value from PcdStatusCodeFvVerificationFail
+ and returns a failure status code.
@param[in] PeiServices General purpose services available to every PEIM.
@param[in] BootMode Current boot mode.
@retval EFI_SUCCESS The function completed successfully.
+ @retval EFI_NOT_FOUND No valid gEdkiiPeiFirmwareVolumeInfoStoredHashFvPpiGuid PPI instance found.
**/
STATIC
EFI_STATUS
|