Diffstat (limited to 'SecurityPkg')
-rw-r--r-- SecurityPkg/FvReportPei/FvReportPei.c 29
1 files changed, 25 insertions, 4 deletions
diff --git a/SecurityPkg/FvReportPei/FvReportPei.c b/SecurityPkg/FvReportPei/FvReportPei.c
index 50773db056..6c92e7379d 100644
--- a/SecurityPkg/FvReportPei/FvReportPei.c
+++ b/SecurityPkg/FvReportPei/FvReportPei.c
@@ -343,17 +343,38 @@ GetHashInfo (
}
/**
- Verify and report pre-hashed FVs.
+ Verifies and reports pre-hashed Firmware Volumes (FVs).
- Doing this must be at post-memory to make sure there's enough memory to hold
- all FVs to be verified. This is necessary for mitigating TOCTOU issue.
+ This function should be called after memory initialization (post-memory phase)
+ to ensure sufficient memory is available to hold all FVs for verification.
- This function will never return if the verification is failed.
+ Verifying FVs at this stage is critical to mitigate Time-of-Check to Time-of-Use (TOCTOU) vulnerabilities.
+
+ FV Verification Step:
+
+ This function relies upon an instance of gEdkiiPeiFirmwareVolumeInfoStoredHashFvPpiGuid being installed. If
+ an instance of the PPI is not found, EFI_NOT_FOUND is returned.
+
+ If the gEdkiiPeiFirmwareVolumeInfoStoredHashFvPpiGuid PPI instance does not have valid hash information for the
+ current boot mode (hash info is NULL), verification is treated as successful.
+
+ FV Reporting Step:
+
+ If FV verification is successful, the function reports the FVs to PEI and/or DXE core for further processing by:
+
+ 1. Installing a FV HOB.
+ 2. Installing a FV Info PPI.
+ 3. Reporting a status code with the value from PcdStatusCodeFvVerificationPass to indicate that FV verification
+ passed.
+
+ If FV verification fails, the function reports a status code with the value from PcdStatusCodeFvVerificationFail
+ and returns a failure status code.
@param[in] PeiServices General purpose services available to every PEIM.
@param[in] BootMode Current boot mode.
@retval EFI_SUCCESS The function completed successfully.
+ @retval EFI_NOT_FOUND No valid gEdkiiPeiFirmwareVolumeInfoStoredHashFvPpiGuid PPI instance found.
**/
STATIC
EFI_STATUS
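Review bot: The @retval list at the end of the comment does not match the behaviour the new text describes. The body now says that a failed verification "returns a failure status code", but only EFI_SUCCESS and EFI_NOT_FOUND are listed, so the return value for the verification-failure path is undocumented; add a @retval entry for it. The EFI_NOT_FOUND entry reads "No valid ... PPI instance found", while the "FV Verification Step" paragraph says EFI_NOT_FOUND is returned only when no instance is found and that an instance whose hash info is NULL is treated as successful; dropping "valid" would remove the ambiguity. The removed sentence "This function will never return if the verification is failed." is replaced by a statement that the function does return on failure, which is a change in the documented contract, so the commit message should say whether the code or only the comment was previously wrong. The NULL-hash-info case is also a pass-without-checking path: it would help to state in that paragraph that no FV hashes are checked in that boot mode, so platform integrators see that leaving a boot mode out of the stored hash PPI disables verification for it. Style: the TOCTOU line is noticeably longer than its neighbours and should be wrapped like the rest of the comment.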