ABdhPJx2n5vu9PurmJLx31ID2Yy2kgblI64AUMg26XUkw3FC7L/eac57pMyKmj9I/Cj9tlU4cfeNTw== X-Received: by 2002:a17:90a:3b09:: with SMTP id d9mr4083141pjc.225.1591167585725; Tue, 02 Jun 2020 23:59:45 -0700 (PDT) Return-Path: Received: from localhost.localdomain ([71.212.144.72]) by smtp.gmail.com with ESMTPSA id y6sm1262003pjn.37.2020.06.02.23.59.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Jun 2020 23:59:45 -0700 (PDT) From: Bret Barkelew X-Google-Original-From: Bret Barkelew To: devel@edk2.groups.io Cc: Jian J Wang , Hao A Wu , Liming Gao Subject: [PATCH v5 10/14] MdeModulePkg: Allow VariablePolicy state to delete protected variables Date: Tue, 2 Jun 2020 23:58:06 -0700 Message-Id: <20200603065810.806-11-brbarkel@microsoft.com> X-Mailer: git-send-email 2.26.2.windows.1.8.g01c50adf56.20200515075929 In-Reply-To: <20200603065810.806-1-brbarkel@microsoft.com> References: <20200603065810.806-1-brbarkel@microsoft.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable https://bugzilla.tianocore.org/show_bug.cgi?id=3D2522 TcgMorLockSmm provides special protections for the TCG MOR variables. This will check IsVariablePolicyEnabled() before enforcing them to allow variable deletion when policy engine is disabled. Only allows deletion, not modification. Cc: Jian J Wang Cc: Hao A Wu Cc: Liming Gao Cc: Bret Barkelew Signed-off-by: Bret Barkelew --- MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c | 10 += +++++++++ MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf | 2 ++ 2 files changed, 12 insertions(+) diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c b/M= deModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c index 6d80eb64341a..085f82035f4b 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c 
@@ -5,6 +5,7 @@ This module adds Variable Hook and check MemoryOverwriteRequestControlLo= ck.=0D =0D Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
=0D +Copyright (c) Microsoft Corporation.=0D SPDX-License-Identifier: BSD-2-Clause-Patent=0D =0D **/=0D @@ -17,6 +18,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include =0D #include "Variable.h"=0D =0D +#include =0D +=0D +#include =0D +=0D typedef struct {=0D CHAR16 *VariableName;=0D EFI_GUID *VendorGuid;=0D @@ -341,6 +346,11 @@ SetVariableCheckHandlerMor ( return EFI_SUCCESS;=0D }=0D =0D + // Permit deletion when policy is disabled.=0D + if (!IsVariablePolicyEnabled() && ((Attributes =3D=3D 0) || (DataSize = =3D=3D 0))) {=0D + return EFI_SUCCESS;=0D + }=0D +=0D //=0D // MorLock variable=0D //=0D diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneM= m.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf index 6e17f6cdf588..d8f480be27cc 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf @@ -20,6 +20,7 @@ #=0D # Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.
=0D # Copyright (c) 2018, Linaro, Ltd. All rights reserved.
=0D +# Copyright (c) Microsoft Corporation.=0D # SPDX-License-Identifier: BSD-2-Clause-Patent=0D #=0D ##=0D @@ -74,6 +75,7 @@ [LibraryClasses] StandaloneMmDriverEntryPoint=0D SynchronizationLib=0D VarCheckLib=0D + VariablePolicyLib=0D =0D [Protocols]=0D gEfiSmmFirmwareVolumeBlockProtocolGuid ## CONSUMES=0D --=20 2.26.2.windows.1.8.g01c50adf56.20200515075929
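Review bot: the two added includes in the @@ -17,6 +18,10 @@ hunk of TcgMorLockSmm.c are each followed by a blank line, so they sit as two detached one-line groups below the existing `#include "Variable.h"` block; fold them into that block (one include per line, no interleaved blank lines) to match the file's existing include layout. The header names do not survive in this rendering of the patch, so confirm they are the headers that declare IsVariablePolicyEnabled().

Review bot: the new early return in SetVariableCheckHandlerMor (the @@ -341,6 +346,11 @@ hunk) sits above the MorLock handling that follows it, so when IsVariablePolicyEnabled() is FALSE a delete request (`Attributes == 0` or `DataSize == 0`) skips the lock-state check entirely; the commit message says this is intended ("Only allows deletion, not modification"), so extend the one-line comment to state it, e.g. `// Permit deletion when policy is disabled. This intentionally bypasses the MorLock checks below; writes still go through them.` Also, `DataSize == 0` with EFI_VARIABLE_APPEND_WRITE set is a no-op rather than a delete under UEFI SetVariable semantics, so if strictly deletion-only behaviour is wanted the condition should additionally require that EFI_VARIABLE_APPEND_WRITE is clear in Attributes.

Review bot: every module INF that compiles TcgMorLockSmm.c now needs VariablePolicyLib because the source calls IsVariablePolicyEnabled(), but the diffstat shows only VariableStandaloneMm.inf gaining it in the @@ -74,6 +75,7 @@ hunk; confirm the other INF(s) that build this file already list VariablePolicyLib under [LibraryClasses] (e.g. from an earlier patch in this series), otherwise their link fails, and mention that dependency in the commit message.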