From: "Zeng, Star"
To: Laszlo Ersek, edk2-devel-01
CC: "Yao, Jiewen", "Dong, Eric", "Zeng, Star"
Subject: Re: [PATCH v2] MdeModulePkg/Variable/RuntimeDxe: delete & lock MOR in the absence of SMM
Date: Wed, 25 Oct 2017 01:33:58 +0000
Message-ID: <0C09AFA07DD0434D9E2A0C6AEB0483103B9AD669@shsmsx102.ccr.corp.intel.com>
References: <20171024153825.7908-1-lersek@redhat.com>
In-Reply-To: <20171024153825.7908-1-lersek@redhat.com>

Reviewed-by: Star Zeng

-----Original Message-----
From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Laszlo Ersek
Sent: Tuesday, October 24, 2017 11:38 PM
To: edk2-devel-01
Cc: Yao, Jiewen; Dong, Eric; Zeng, Star
Subject: [edk2] [PATCH v2] MdeModulePkg/Variable/RuntimeDxe: delete & lock MOR in the absence of SMM

VariableRuntimeDxe deletes and locks the MorLock variable in MorLockInit(), with the argument that any protection provided by MorLock can be circumvented if MorLock can be overwritten by unprivileged code (i.e., outside of SMM).

Extend the argument and the logic to the MOR variable, which is supposed to be protected by MorLock. Pass Attributes=0 when deleting MorLock and MOR both.

This change was suggested by Star; it is inspired by earlier VariableSmm commit fda8f631edbb ("MdeModulePkg/Variable/RuntimeDxe: delete and lock OS-created MOR variable", 2017-10-03).

Cc: Eric Dong
Cc: Jiewen Yao
Cc: Star Zeng
Suggested-by: Star Zeng
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek
---

Notes:
    v2:
    - Use Attributes=0 for deleting MorLock too [Star]
    - Branch: del_and_lock_mor_without_smm_v2

    v1:
    - Branch: del_and_lock_mor_without_smm

    Repo: https://github.com/lersek/edk2.git

 MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c | 30 ++++++++++++++++++--
 1 file changed, 27 insertions(+), 3 deletions(-)

diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c b/M= deModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c index 7142e2da2073..fb4e13ab25a7 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c 
@@ -78,15 +78,39 @@ MorLockInit ( VariableServiceSetVariable ( MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, &gEfiMemoryOverwriteRequestControlLockGuid, - EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARI= ABLE_RUNTIME_ACCESS, - 0, - NULL + 0, // Attributes + 0, // DataSize + NULL // Data ); =20 // // Need set this variable to be read-only to prevent other module set it= . // VariableLockRequestToLock (&mVariableLock, MEMORY_OVERWRITE_REQUEST_CONT= ROL_LOCK_NAME, &gEfiMemoryOverwriteRequestControlLockGuid); + + // + // The MOR variable can effectively improve platform security only when = the + // MorLock variable protects the MOR variable. In turn MorLock cannot be= made + // secure without SMM support in the platform firmware (see above). + // + // Thus, delete the MOR variable, should it exist for any reason (some O= Ses + // are known to create MOR unintentionally, in an attempt to set it), th= en + // also lock the MOR variable, in order to prevent other modules from + // creating it. + // + VariableServiceSetVariable ( + MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, + &gEfiMemoryOverwriteControlDataGuid, + 0, // Attributes + 0, // DataSize + NULL // Data + ); + VariableLockRequestToLock ( + &mVariableLock, + MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, + &gEfiMemoryOverwriteControlDataGuid + ); + return EFI_SUCCESS; } =20 --=20 2.14.1.3.gb7cf6e02401b _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
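Review bot: The status returned by the added VariableServiceSetVariable() call that deletes MOR, and by the VariableLockRequestToLock() call that follows it, is discarded, and MorLockInit() returns EFI_SUCCESS regardless. If the delete fails for a reason other than the variable not existing, an OS-created MOR stays in place and is then locked rather than removed, which is the opposite of what the new comment promises. Suggest capturing the EFI_STATUS from both calls, tolerating EFI_NOT_FOUND on the delete, and at least reporting any other error with DEBUG; the same applies to the MorLock delete and lock at the top of the hunk. Minor: the new comment's "(see above)" points at text outside this hunk, so one short clause restating why MorLock needs SMM would keep the comment self-contained.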