From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pf1-f193.google.com (mail-pf1-f193.google.com [209.85.210.193]) by mx.groups.io with SMTP id smtpd.web10.8481.1591167597499435479 for ; Tue, 02 Jun 2020 23:59:57 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@corthon-com.20150623.gappssmtp.com header.s=20150623 header.b=DKDrUDH0; spf=none, err=permanent DNS error (domain: corthon.com, ip: 209.85.210.193, mailfrom: bret@corthon.com) Received: by mail-pf1-f193.google.com with SMTP id h185so994560pfg.2 for ; Tue, 02 Jun 2020 23:59:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=corthon-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=eh9jazlhC+CCJqHP0B1awpqVOxNEojWlhSRQs+j0DuU=; b=DKDrUDH0WHEBEP3cPEJHH9ulb8y6TKMbrILYSvPTxNMsLGb6Kkk7RKGxD678p5rChe LDszfTwoT9YdZpaGjqWHaKiyJ3cc1ta7Y2+sBz7CbRKRcGaV87rRfoVIjNhVIM6fqAUU Bk3KXNq/MumFd+Be1KPFr2BQP5BVWiBI3BFciaauY0Hnb3OdP9O2WTyDLguG+tM/w1tK cfL2xv39kF84IOXVIxnvhmzEKoHWj2dymdm7XhrEy3rU3HnsPoC2OhBavDyd/11Oz2px GaCTLvYGa2XIDz4yjcQ3KxspTHDR+OyjTXFZW2CPnsfBSq8dWO4vv11whWYcpJhmHKok sbEw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=eh9jazlhC+CCJqHP0B1awpqVOxNEojWlhSRQs+j0DuU=; b=tOd6xMnD/lVsJhz+qpa4WAJwn4H/a4tCTf/z7lJxtNIlQmTjHV/jHn/V12MEJJbwh5 jJENdCFYmxFEFktlcJB193pTlvHMGwPgdJ6FvI3/NernNR8xnYsPdBRqmXjvQs5+YIKC ipXhaaJ70FHCUwvLw4E9zzyyixz3aMwX2OJeUJ7OLKlDpBozPhWlzSkZqb6nbFuzxgjx FF6BSF/QXHqZNwiKtcI/u/Vo5CaSkbWXyv9DRtXaZojncqJaXZmhxSSPyEuHSTJL4+A3 aeXk4FCid9cWi8rU4IA9VisM54BekuPvXpaEAKYgG7bsy6HR87ofc5GBDytNxeEsqGCk wjDw== X-Gm-Message-State: AOAM533y+kwsmBjTAxKvY5bX/TqSzyY//5b4ZmC5BoIGdZq/O4KswFqe U5jwcj7e0x6mTU1ImSR9utcYP5/3saw= X-Google-Smtp-Source: ABdhPJzHMnTPVrfs6jZKp0VN+rWPwbbofMOnch2smyVAL9z3MtU1jaaIQ3KR3g0ubO4j0qLrX7t5Eg== X-Received: by 2002:a62:76d5:: with SMTP id r204mr20421041pfc.46.1591167596446; Tue, 02 Jun 2020 23:59:56 -0700 (PDT) Return-Path: Received: from localhost.localdomain ([71.212.144.72]) by smtp.gmail.com with ESMTPSA id y6sm1262003pjn.37.2020.06.02.23.59.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Jun 2020 23:59:56 -0700 (PDT) From: Bret Barkelew X-Google-Original-From: Bret Barkelew To: devel@edk2.groups.io Cc: Jian J Wang , Hao A Wu , Liming Gao Subject: [PATCH v5 12/14] MdeModulePkg: Change TCG MOR variables to use VariablePolicy Date: Tue, 2 Jun 2020 23:58:08 -0700 Message-Id: <20200603065810.806-13-brbarkel@microsoft.com> X-Mailer: git-send-email 2.26.2.windows.1.8.g01c50adf56.20200515075929 In-Reply-To: <20200603065810.806-1-brbarkel@microsoft.com> References: <20200603065810.806-1-brbarkel@microsoft.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable https://bugzilla.tianocore.org/show_bug.cgi?id=3D2522 These were previously using VarLock, which is being deprecated. Cc: Jian J Wang Cc: Hao A Wu Cc: Liming Gao Cc: Bret Barkelew Signed-off-by: Bret Barkelew --- MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c | 52 += +++++++++++++------ MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c | 52 += ++++++++++++++----- MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf | 2 + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf | 1 + 4 files changed, 82 insertions(+), 25 deletions(-) diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c b/M= deModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c index e7accf4ed806..b85f08c48c11 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c @@ -5,6 +5,7 @@ MOR lock control unsupported.=0D =0D Copyright (c) 2016, Intel Corporation. All rights reserved.
=0D +Copyright (c) Microsoft Corporation.=0D SPDX-License-Identifier: BSD-2-Clause-Patent=0D =0D **/=0D @@ -17,7 +18,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include =0D #include "Variable.h"=0D =0D -extern EDKII_VARIABLE_LOCK_PROTOCOL mVariableLock;=0D +#include =0D +#include =0D =0D /**=0D This service is an MOR/MorLock checker handler for the SetVariable().=0D @@ -77,11 +79,6 @@ MorLockInit ( NULL // Data=0D );=0D =0D - //=0D - // Need set this variable to be read-only to prevent other module set it= .=0D - //=0D - VariableLockRequestToLock (&mVariableLock, MEMORY_OVERWRITE_REQUEST_CONT= ROL_LOCK_NAME, &gEfiMemoryOverwriteRequestControlLockGuid);=0D -=0D //=0D // The MOR variable can effectively improve platform security only when = the=0D // MorLock variable protects the MOR variable. In turn MorLock cannot be= made=0D @@ -99,11 +96,6 @@ MorLockInit ( 0, // DataSize=0D NULL // Data=0D );=0D - VariableLockRequestToLock (=0D - &mVariableLock,=0D - MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,=0D - &gEfiMemoryOverwriteControlDataGuid=0D - );=0D =0D return EFI_SUCCESS;=0D }=0D @@ -118,7 +110,39 @@ MorLockInitAtEndOfDxe ( VOID=0D )=0D {=0D - //=0D - // Do nothing.=0D - //=0D + EFI_STATUS Status;=0D + EDKII_VARIABLE_POLICY_PROTOCOL *VariablePolicy;=0D +=0D + // First, we obviously need to locate the VariablePolicy protocol.=0D + Status =3D gBS->LocateProtocol( &gEdkiiVariablePolicyProtocolGuid, NULL,= (VOID**)&VariablePolicy );=0D + if (EFI_ERROR( Status )) {=0D + DEBUG(( DEBUG_ERROR, "%a - Could not locate VariablePolicy protocol! %= r\n", __FUNCTION__, Status ));=0D + return;=0D + }=0D +=0D + // If we're successful, go ahead and set the policies to protect the tar= get variables.=0D + Status =3D RegisterBasicVariablePolicy( VariablePolicy,=0D + &gEfiMemoryOverwriteRequestControl= LockGuid,=0D + MEMORY_OVERWRITE_REQUEST_CONTROL_L= OCK_NAME,=0D + VARIABLE_POLICY_NO_MIN_SIZE,=0D + VARIABLE_POLICY_NO_MAX_SIZE,=0D + VARIABLE_POLICY_NO_MUST_ATTR,=0D + VARIABLE_POLICY_NO_CANT_ATTR,=0D + VARIABLE_POLICY_TYPE_LOCK_NOW );=0D + if (EFI_ERROR( Status )) {=0D + DEBUG(( DEBUG_ERROR, "%a - Could not lock variable %s! %r\n", __FUNCTI= ON__, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, Status ));=0D + }=0D + Status =3D RegisterBasicVariablePolicy( VariablePolicy,=0D + &gEfiMemoryOverwriteControlDataGui= d,=0D + MEMORY_OVERWRITE_REQUEST_VARIABLE_= NAME,=0D + VARIABLE_POLICY_NO_MIN_SIZE,=0D + VARIABLE_POLICY_NO_MAX_SIZE,=0D + VARIABLE_POLICY_NO_MUST_ATTR,=0D + VARIABLE_POLICY_NO_CANT_ATTR,=0D + VARIABLE_POLICY_TYPE_LOCK_NOW );=0D + if (EFI_ERROR( Status )) {=0D + DEBUG(( DEBUG_ERROR, "%a - Could not lock variable %s! %r\n", __FUNCTI= ON__, MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, Status ));=0D + }=0D +=0D + return;=0D }=0D diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c b/M= deModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c index 085f82035f4b..ee37942a6b0c 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c @@ -19,7 +19,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include "Variable.h"=0D =0D #include =0D -=0D +#include =0D #include =0D =0D typedef struct {=0D @@ -422,6 +422,8 @@ MorLockInitAtEndOfDxe ( {=0D UINTN MorSize;=0D EFI_STATUS MorStatus;=0D + EFI_STATUS Status;=0D + VARIABLE_POLICY_ENTRY *NewPolicy;=0D =0D if (!mMorLockInitializationRequired) {=0D //=0D @@ -494,11 +496,25 @@ MorLockInitAtEndOfDxe ( // The MOR variable is absent; the platform firmware does not support it= .=0D // Lock the variable so that no other module may create it.=0D //=0D - VariableLockRequestToLock (=0D - NULL, // This=0D - MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,=0D - &gEfiMemoryOverwriteControlDataGuid=0D - );=0D + NewPolicy =3D NULL;=0D + Status =3D CreateBasicVariablePolicy( &gEfiMemoryOverwriteControlDataGui= d,=0D + MEMORY_OVERWRITE_REQUEST_VARIABLE_NA= ME,=0D + VARIABLE_POLICY_NO_MIN_SIZE,=0D + VARIABLE_POLICY_NO_MAX_SIZE,=0D + VARIABLE_POLICY_NO_MUST_ATTR,=0D + VARIABLE_POLICY_NO_CANT_ATTR,=0D + VARIABLE_POLICY_TYPE_LOCK_NOW,=0D + &NewPolicy );=0D + if (!EFI_ERROR( Status )) {=0D + Status =3D RegisterVariablePolicy( NewPolicy );=0D + }=0D + if (EFI_ERROR( Status )) {=0D + DEBUG(( DEBUG_ERROR, "%a - Failed to lock variable %s! %r\n", __FUNCTI= ON__, MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, Status ));=0D + ASSERT_EFI_ERROR( Status );=0D + }=0D + if (NewPolicy !=3D NULL) {=0D + FreePool( NewPolicy );=0D + }=0D =0D //=0D // Delete the MOR Control Lock variable too (should it exists for some=0D @@ -514,9 +530,23 @@ MorLockInitAtEndOfDxe ( );=0D mMorLockPassThru =3D FALSE;=0D =0D - VariableLockRequestToLock (=0D - NULL, // This=0D - MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME,=0D - &gEfiMemoryOverwriteRequestControlLockGuid=0D - );=0D + NewPolicy =3D NULL;=0D + Status =3D CreateBasicVariablePolicy( &gEfiMemoryOverwriteRequestControl= LockGuid,=0D + MEMORY_OVERWRITE_REQUEST_CONTROL_LOC= K_NAME,=0D + VARIABLE_POLICY_NO_MIN_SIZE,=0D + VARIABLE_POLICY_NO_MAX_SIZE,=0D + VARIABLE_POLICY_NO_MUST_ATTR,=0D + VARIABLE_POLICY_NO_CANT_ATTR,=0D + VARIABLE_POLICY_TYPE_LOCK_NOW,=0D + &NewPolicy );=0D + if (!EFI_ERROR( Status )) {=0D + Status =3D RegisterVariablePolicy( NewPolicy );=0D + }=0D + if (EFI_ERROR( Status )) {=0D + DEBUG(( DEBUG_ERROR, "%a - Failed to lock variable %s! %r\n", __FUNCTI= ON__, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, Status ));=0D + ASSERT_EFI_ERROR( Status );=0D + }=0D + if (NewPolicy !=3D NULL) {=0D + FreePool( NewPolicy );=0D + }=0D }=0D diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.= inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf index 48ac167906f7..8debc560e6dc 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf @@ -71,6 +71,7 @@ [LibraryClasses] AuthVariableLib=0D VarCheckLib=0D VariablePolicyLib=0D + VariablePolicyHelperLib=0D =0D [Protocols]=0D gEfiFirmwareVolumeBlockProtocolGuid ## CONSUMES=0D @@ -80,6 +81,7 @@ [Protocols] gEfiVariableWriteArchProtocolGuid ## PRODUCES=0D gEfiVariableArchProtocolGuid ## PRODUCES=0D gEdkiiVariableLockProtocolGuid ## PRODUCES=0D + gEdkiiVariablePolicyProtocolGuid ## CONSUMES=0D gEdkiiVarCheckProtocolGuid ## PRODUCES=0D =0D [Guids]=0D diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneM= m.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf index d8f480be27cc..62f2f9252f43 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf @@ -76,6 +76,7 @@ [LibraryClasses] SynchronizationLib=0D VarCheckLib=0D VariablePolicyLib=0D + VariablePolicyHelperLib=0D =0D [Protocols]=0D gEfiSmmFirmwareVolumeBlockProtocolGuid ## CONSUMES=0D --=20 2.26.2.windows.1.8.g01c50adf56.20200515075929