authorJames Bottomley <James.Bottomley@HansenPartnership.com>2016-02-23 16:49:45 -0800
committerJames Bottomley <James.Bottomley@HansenPartnership.com>2016-02-23 16:55:08 -0800
commit58e7a21b04e53faf0499fb826b1f14b22894e722 (patch)
tree120ae010fd7795bc6fbc73cd93e8d3efeb7c08ce
parent2fa4b3c0efebbb9ed6e8f54087addca91b82cabe (diff)
downloadefitools-58e7a21b04e53faf0499fb826b1f14b22894e722.tar.gz
pkcs7verify: add protocol locate function
Add a function which tries to locate the protocol but then tries to load the Pkcs7VerifyDxe.efi file to provide it if it's not found. This allows us to rely on pkcs7verify always being present in the platform, because we can supply it simply by placing a signed copy from tianocore in the root directory. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-rw-r--r--include/pkcs7verify.h3
-rw-r--r--lib/Makefile2
-rw-r--r--lib/pkcs7verify.c59
3 files changed, 63 insertions, 1 deletions
diff --git a/include/pkcs7verify.h b/include/pkcs7verify.h
index 32ed118..5ed85f2 100644
--- a/include/pkcs7verify.h
+++ b/include/pkcs7verify.h
@@ -206,4 +206,7 @@ struct _EFI_PKCS7_VERIFY_PROTOCOL {
EFI_PKCS7_VERIFY_SIGNATURE VerifySignature;
};
+EFI_STATUS
+pkcs7verify_get_protocol(EFI_HANDLE image, EFI_PKCS7_VERIFY_PROTOCOL **p7vp, CHAR16 **error);
+
#endif
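Review bot: The new prototype for pkcs7verify_get_protocol() has no comment describing its contract, and the fallback it performs is not obvious from the name. Callers need to know that it may load and start an external image, and that `*error` is written only on failure, always with a string literal that must not be freed. I would add above the declaration: `/* Locate EFI_PKCS7_VERIFY_PROTOCOL; if the platform lacks it, load and start \Pkcs7VerifyDxe.efi to provide it. On failure *error points to a static message; error must not be NULL. */`.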
diff --git a/lib/Makefile b/lib/Makefile
index e527cd7..ded03f7 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -1,6 +1,6 @@
FILES = simple_file.o pecoff.o guid.o sha256.o console.o \
execute.o configtable.o shell.o security_policy.o \
- shim_protocol.o
+ shim_protocol.o pkcs7verify.o
LIBFILES = $(FILES) kernel_efivars.o
EFILIBFILES = $(patsubst %.o,%.efi.o,$(FILES)) variables.o
diff --git a/lib/pkcs7verify.c b/lib/pkcs7verify.c
new file mode 100644
index 0000000..9aaf540
--- /dev/null
+++ b/lib/pkcs7verify.c
@@ -0,0 +1,59 @@
+#include <efi.h>
+#include <efilib.h>
+
+#include <efiauthenticated.h>
+#include <guid.h>
+#include <pkcs7verify.h>
+#include <execute.h>
+
+CHAR16 *p7bin = L"\\Pkcs7VerifyDxe.efi";
+
+EFI_STATUS
+pkcs7verify_get_protocol(EFI_HANDLE image, EFI_PKCS7_VERIFY_PROTOCOL **p7vp, CHAR16 **error)
+{
+ EFI_LOADED_IMAGE *li;
+ EFI_DEVICE_PATH *loadpath = NULL;
+ CHAR16 *PathName = NULL;
+ EFI_HANDLE loader_handle;
+ EFI_STATUS status;
+
+ status = BS->LocateProtocol(&PKCS7_VERIFY_PROTOCOL_GUID,
+ NULL, (VOID **)p7vp);
+
+ if (status == EFI_SUCCESS)
+ return status;
+
+ Print(L"Platform doesn't provide PKCS7_VERIFY protocol, trying to load\n");
+
+ status = BS->HandleProtocol(image, &IMAGE_PROTOCOL, (VOID **)&li);
+ if (status != EFI_SUCCESS) {
+ *error = L"Can't find loaded image protocol";
+ return status;
+ }
+
+ status = generate_path(p7bin, li, &loadpath, &PathName);
+ if (status != EFI_SUCCESS) {
+ *error = L"generate_path failed";
+ return status;
+ }
+
+ status = BS->LoadImage(FALSE, image, loadpath, NULL, 0, &loader_handle);
+ if (status != EFI_SUCCESS) {
+ *error = L"LoadImage failed for external module";
+ return status;
+ }
+
+ status = BS->StartImage(loader_handle, NULL, NULL);
+ if (status != EFI_SUCCESS) {
+ *error = L"StartImage failed for external module (loaded OK)";
+ return status;
+ }
+
+ status = BS->LocateProtocol(&PKCS7_VERIFY_PROTOCOL_GUID,
+ NULL, (VOID **)p7vp);
+
+ if (status != EFI_SUCCESS)
+ *error = L"Loaded module but it didn't provide the pkcs7Verify protocol";
+
+ return status;
+}
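Review bot: The `loadpath` and `PathName` outputs of generate_path() are never released on any return path after that call. Separately, a LoadImage() result of EFI_SECURITY_VIOLATION still leaves an image handle behind that is never unloaded. Assuming generate_path() allocates both outputs from pool (its definition is not in this diff), they can be freed as soon as LoadImage() returns, and the security-violation case should call UnloadImage() before returning. The module loaded here becomes the provider of the signature-verification protocol, so its trust rests entirely on the platform's image verification inside LoadImage(); a comment on the function should say so for callers running with enforcement relaxed or a security policy override installed. `p7bin` is only used in this file and could be `static`.

```c
	status = BS->LoadImage(FALSE, image, loadpath, NULL, 0, &loader_handle);
	/* generate_path() outputs are not needed once LoadImage() has returned */
	FreePool(loadpath);
	FreePool(PathName);
	if (status != EFI_SUCCESS) {
		/* a rejected image is still loaded and holds a handle; release it */
		if (status == EFI_SECURITY_VIOLATION)
			BS->UnloadImage(loader_handle);
		*error = L"LoadImage failed for external module";
		return status;
	}
	/* … unchanged: StartImage and second LocateProtocol … */
```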