X-Received: by 2002:a17:902:ba81:: with SMTP id k1mr22915966pls.218.1592894703649; Mon, 22 Jun 2020 23:45:03 -0700 (PDT) Return-Path: Received: from localhost.localdomain (174-21-80-75.tukw.qwest.net. [174.21.80.75]) by smtp.gmail.com with ESMTPSA id d6sm1383818pjh.5.2020.06.22.23.45.03 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 22 Jun 2020 23:45:03 -0700 (PDT) From: "Bret Barkelew" X-Google-Original-From: Bret Barkelew To: devel@edk2.groups.io Cc: Jian J Wang , Hao A Wu , Liming Gao Subject: [PATCH v6 10/14] MdeModulePkg: Allow VariablePolicy state to delete protected variables Date: Mon, 22 Jun 2020 23:41:00 -0700 Message-Id: <20200623064104.1908-11-brbarkel@microsoft.com> X-Mailer: git-send-email 2.26.2.windows.1.8.g01c50adf56.20200515075929 In-Reply-To: <20200623064104.1908-1-brbarkel@microsoft.com> References: <20200623064104.1908-1-brbarkel@microsoft.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable https://bugzilla.tianocore.org/show_bug.cgi?id=3D2522 TcgMorLockSmm provides special protections for the TCG MOR variables. This will check IsVariablePolicyEnabled() before enforcing them to allow variable deletion when policy engine is disabled. Only allows deletion, not modification. Cc: Jian J Wang Cc: Hao A Wu Cc: Liming Gao Cc: Bret Barkelew Signed-off-by: Bret Barkelew --- MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c | 10 += +++++++++ MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf | 2 ++ 2 files changed, 12 insertions(+) diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c b/M= deModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c index 6d80eb64341a..085f82035f4b 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c @@ -5,6 +5,7 @@ This module adds Variable Hook and check MemoryOverwriteRequestControlLo= ck.=0D =0D Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
=0D +Copyright (c) Microsoft Corporation.=0D SPDX-License-Identifier: BSD-2-Clause-Patent=0D =0D **/=0D @@ -17,6 +18,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include =0D #include "Variable.h"=0D =0D +#include =0D +=0D +#include =0D +=0D typedef struct {=0D CHAR16 *VariableName;=0D EFI_GUID *VendorGuid;=0D @@ -341,6 +346,11 @@ SetVariableCheckHandlerMor ( return EFI_SUCCESS;=0D }=0D =0D + // Permit deletion when policy is disabled.=0D + if (!IsVariablePolicyEnabled() && ((Attributes =3D=3D 0) || (DataSize = =3D=3D 0))) {=0D + return EFI_SUCCESS;=0D + }=0D +=0D //=0D // MorLock variable=0D //=0D diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneM= m.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf index 6e17f6cdf588..d8f480be27cc 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf @@ -20,6 +20,7 @@ #=0D # Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.
=0D # Copyright (c) 2018, Linaro, Ltd. All rights reserved.
=0D +# Copyright (c) Microsoft Corporation.=0D # SPDX-License-Identifier: BSD-2-Clause-Patent=0D #=0D ##=0D @@ -74,6 +75,7 @@ [LibraryClasses] StandaloneMmDriverEntryPoint=0D SynchronizationLib=0D VarCheckLib=0D + VariablePolicyLib=0D =0D [Protocols]=0D gEfiSmmFirmwareVolumeBlockProtocolGuid ## CONSUMES=0D --=20 2.26.2.windows.1.8.g01c50adf56.20200515075929
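Review bot: in the @@ -17,6 +18,10 @@ hunk of TcgMorLockSmm.c the two added #include lines carry no header name in this copy (the angle-bracketed names appear to have been stripped in transit), so it is not possible here to confirm which header declares IsVariablePolicyEnabled(); please verify that the include matches the VariablePolicyLib library class added in the .inf hunk, and consider dropping the blank line inserted between the two new includes, since the surrounding includes (`#include "Variable.h"` directly after the previous one) are not separated by blank lines.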
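Review bot: the new early return in the @@ -341,6 +346,11 @@ hunk of SetVariableCheckHandlerMor treats any `DataSize == 0` as a deletion, but under the UEFI SetVariable() rules a zero DataSize only deletes a variable when EFI_VARIABLE_APPEND_WRITE is not set (and the authenticated-write attributes carry their own header in the data), so as written a zero-length append issued while policy is disabled also skips the MorLock checks. Suggest tightening the condition, for example `(Attributes == 0) || ((DataSize == 0) && ((Attributes & EFI_VARIABLE_APPEND_WRITE) == 0))`, and extending the `// Permit deletion when policy is disabled.` comment to state that this path is deliberately limited to deletion, so the "Only allows deletion, not modification" intent from the commit message is visible at the code.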
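Review bot: in the @@ -74,6 +75,7 @@ [LibraryClasses] hunk VariablePolicyLib is added only to VariableStandaloneMm.inf, and the diffstat lists no other .inf, while TcgMorLockSmm.c now calls IsVariablePolicyEnabled(); please confirm that every other module .inf that compiles TcgMorLockSmm.c already lists VariablePolicyLib (for example via an earlier patch in this v6 series), otherwise those builds will fail to resolve the new call.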