From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pf1-f193.google.com (mail-pf1-f193.google.com [209.85.210.193]) by mx.groups.io with SMTP id smtpd.web12.1800.1592894706108791754 for ; Mon, 22 Jun 2020 23:45:06 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@corthon-com.20150623.gappssmtp.com header.s=20150623 header.b=BuKipxEa; spf=none, err=permanent DNS error (domain: corthon.com, ip: 209.85.210.193, mailfrom: bret@corthon.com) Received: by mail-pf1-f193.google.com with SMTP id a127so9614754pfa.12 for ; Mon, 22 Jun 2020 23:45:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=corthon-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=eh9jazlhC+CCJqHP0B1awpqVOxNEojWlhSRQs+j0DuU=; b=BuKipxEaBBBbeU4Oh7n7LObcgxXD6umxVIcmmVqmm7l2qO5eWJEk1PPKd45MCfCWKG El/eZxgqdFxKQshTy3D7O2BpcLGHJiBDBo0Xj2ajWbtfFrfb8D//hs2umxR0EIQ0+2G/ xjZI+v1rqosI2b899ufWUtEmPjmvWF1f7e1ZyPsi+ujHYLWjj+PqPjiGl4h+qvFhNw3F 2nrSOIET3QWO9aMOJrdR/3hUI9GTO1ZYaPdfa/ZVFVcGmnK0t23/6E7sL0pvrvi02zYY rcgcxXZAbo7WolvK9ODSwUpt87ITlFr6196hUWxGK6qZh5Ldrlsc2iYuKgI5cqJfljVe I3zw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=eh9jazlhC+CCJqHP0B1awpqVOxNEojWlhSRQs+j0DuU=; b=Xpg1K4KZSn1odxFAo8kTjF4NBqLYWTx/WDwdUGIvQF4lWl2Os0s0M5io3FAOUFWJ3/ sm2L5BetWLD8b4wVIQVM+HVpm1Ywrv1cVM1to15rKVPdB1dfbHkLgqWk+eakpoEsew3y St7EoI6qGSW3xKZzgnROhF0nYEguAXQ2l72Gh/cF0JUzAUL0aL7MxmLi0BOSm3ks3z4F xbQTUXnp8Y68n+j4aBIpmR6nTe3sgBM9q3qCR+Fp7T9DGIwm/6LAt6RfYNtfEhKXM6Qq sXrE42d112BeaQQ2dAmgCY+FcGR4w/PLevmbpt84DaYp5C1BjSNl3/aqTnaeESa0UNTE nfUA== X-Gm-Message-State: AOAM530NGPTuH6dyEAej0SiRI+c5RlFlydOkdRQJqUYFkWJwoyqyEHzC FVa+82Ni3sBCAPttr2Jqrvg0ZjydtRrYIA== X-Google-Smtp-Source: ABdhPJybAH3jc36+XwbqsPORORG1iZcYtK9WjwVt5Hrzmj6tdnnLKzn0DqefcmDpCvfV6PzSX33r4Q== X-Received: by 2002:a63:545e:: with SMTP id e30mr16294409pgm.62.1592894705365; Mon, 22 Jun 2020 23:45:05 -0700 (PDT) Return-Path: Received: from localhost.localdomain (174-21-80-75.tukw.qwest.net. [174.21.80.75]) by smtp.gmail.com with ESMTPSA id d6sm1383818pjh.5.2020.06.22.23.45.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 22 Jun 2020 23:45:04 -0700 (PDT) From: "Bret Barkelew" X-Google-Original-From: Bret Barkelew To: devel@edk2.groups.io Cc: Jian J Wang , Hao A Wu , Liming Gao Subject: [PATCH v6 12/14] MdeModulePkg: Change TCG MOR variables to use VariablePolicy Date: Mon, 22 Jun 2020 23:41:02 -0700 Message-Id: <20200623064104.1908-13-brbarkel@microsoft.com> X-Mailer: git-send-email 2.26.2.windows.1.8.g01c50adf56.20200515075929 In-Reply-To: <20200623064104.1908-1-brbarkel@microsoft.com> References: <20200623064104.1908-1-brbarkel@microsoft.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable https://bugzilla.tianocore.org/show_bug.cgi?id=3D2522 These were previously using VarLock, which is being deprecated. Cc: Jian J Wang Cc: Hao A Wu Cc: Liming Gao Cc: Bret Barkelew Signed-off-by: Bret Barkelew --- MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c | 52 += +++++++++++++------ MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c | 52 += ++++++++++++++----- MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf | 2 + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf | 1 + 4 files changed, 82 insertions(+), 25 deletions(-) diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c b/M= deModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c index e7accf4ed806..b85f08c48c11 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c @@ -5,6 +5,7 @@ MOR lock control unsupported.=0D =0D Copyright (c) 2016, Intel Corporation. All rights reserved.
=0D +Copyright (c) Microsoft Corporation.=0D SPDX-License-Identifier: BSD-2-Clause-Patent=0D =0D **/=0D @@ -17,7 +18,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include =0D #include "Variable.h"=0D =0D -extern EDKII_VARIABLE_LOCK_PROTOCOL mVariableLock;=0D +#include =0D +#include =0D =0D /**=0D This service is an MOR/MorLock checker handler for the SetVariable().=0D @@ -77,11 +79,6 @@ MorLockInit ( NULL // Data=0D );=0D =0D - //=0D - // Need set this variable to be read-only to prevent other module set it= .=0D - //=0D - VariableLockRequestToLock (&mVariableLock, MEMORY_OVERWRITE_REQUEST_CONT= ROL_LOCK_NAME, &gEfiMemoryOverwriteRequestControlLockGuid);=0D -=0D //=0D // The MOR variable can effectively improve platform security only when = the=0D // MorLock variable protects the MOR variable. In turn MorLock cannot be= made=0D @@ -99,11 +96,6 @@ MorLockInit ( 0, // DataSize=0D NULL // Data=0D );=0D - VariableLockRequestToLock (=0D - &mVariableLock,=0D - MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,=0D - &gEfiMemoryOverwriteControlDataGuid=0D - );=0D =0D return EFI_SUCCESS;=0D }=0D @@ -118,7 +110,39 @@ MorLockInitAtEndOfDxe ( VOID=0D )=0D {=0D - //=0D - // Do nothing.=0D - //=0D + EFI_STATUS Status;=0D + EDKII_VARIABLE_POLICY_PROTOCOL *VariablePolicy;=0D +=0D + // First, we obviously need to locate the VariablePolicy protocol.=0D + Status =3D gBS->LocateProtocol( &gEdkiiVariablePolicyProtocolGuid, NULL,= (VOID**)&VariablePolicy );=0D + if (EFI_ERROR( Status )) {=0D + DEBUG(( DEBUG_ERROR, "%a - Could not locate VariablePolicy protocol! %= r\n", __FUNCTION__, Status ));=0D + return;=0D + }=0D +=0D + // If we're successful, go ahead and set the policies to protect the tar= get variables.=0D + Status =3D RegisterBasicVariablePolicy( VariablePolicy,=0D + &gEfiMemoryOverwriteRequestControl= LockGuid,=0D + MEMORY_OVERWRITE_REQUEST_CONTROL_L= OCK_NAME,=0D + VARIABLE_POLICY_NO_MIN_SIZE,=0D + VARIABLE_POLICY_NO_MAX_SIZE,=0D + VARIABLE_POLICY_NO_MUST_ATTR,=0D + VARIABLE_POLICY_NO_CANT_ATTR,=0D + VARIABLE_POLICY_TYPE_LOCK_NOW );=0D + if (EFI_ERROR( Status )) {=0D + DEBUG(( DEBUG_ERROR, "%a - Could not lock variable %s! %r\n", __FUNCTI= ON__, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, Status ));=0D + }=0D + Status =3D RegisterBasicVariablePolicy( VariablePolicy,=0D + &gEfiMemoryOverwriteControlDataGui= d,=0D + MEMORY_OVERWRITE_REQUEST_VARIABLE_= NAME,=0D + VARIABLE_POLICY_NO_MIN_SIZE,=0D + VARIABLE_POLICY_NO_MAX_SIZE,=0D + VARIABLE_POLICY_NO_MUST_ATTR,=0D + VARIABLE_POLICY_NO_CANT_ATTR,=0D + VARIABLE_POLICY_TYPE_LOCK_NOW );=0D + if (EFI_ERROR( Status )) {=0D + DEBUG(( DEBUG_ERROR, "%a - Could not lock variable %s! %r\n", __FUNCTI= ON__, MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, Status ));=0D + }=0D +=0D + return;=0D }=0D diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c b/M= deModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c index 085f82035f4b..ee37942a6b0c 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c @@ -19,7 +19,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include "Variable.h"=0D =0D #include =0D -=0D +#include =0D #include =0D =0D typedef struct {=0D @@ -422,6 +422,8 @@ MorLockInitAtEndOfDxe ( {=0D UINTN MorSize;=0D EFI_STATUS MorStatus;=0D + EFI_STATUS Status;=0D + VARIABLE_POLICY_ENTRY *NewPolicy;=0D =0D if (!mMorLockInitializationRequired) {=0D //=0D @@ -494,11 +496,25 @@ MorLockInitAtEndOfDxe ( // The MOR variable is absent; the platform firmware does not support it= .=0D // Lock the variable so that no other module may create it.=0D //=0D - VariableLockRequestToLock (=0D - NULL, // This=0D - MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,=0D - &gEfiMemoryOverwriteControlDataGuid=0D - );=0D + NewPolicy =3D NULL;=0D + Status =3D CreateBasicVariablePolicy( &gEfiMemoryOverwriteControlDataGui= d,=0D + MEMORY_OVERWRITE_REQUEST_VARIABLE_NA= ME,=0D + VARIABLE_POLICY_NO_MIN_SIZE,=0D + VARIABLE_POLICY_NO_MAX_SIZE,=0D + VARIABLE_POLICY_NO_MUST_ATTR,=0D + VARIABLE_POLICY_NO_CANT_ATTR,=0D + VARIABLE_POLICY_TYPE_LOCK_NOW,=0D + &NewPolicy );=0D + if (!EFI_ERROR( Status )) {=0D + Status =3D RegisterVariablePolicy( NewPolicy );=0D + }=0D + if (EFI_ERROR( Status )) {=0D + DEBUG(( DEBUG_ERROR, "%a - Failed to lock variable %s! %r\n", __FUNCTI= ON__, MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, Status ));=0D + ASSERT_EFI_ERROR( Status );=0D + }=0D + if (NewPolicy !=3D NULL) {=0D + FreePool( NewPolicy );=0D + }=0D =0D //=0D // Delete the MOR Control Lock variable too (should it exists for some=0D @@ -514,9 +530,23 @@ MorLockInitAtEndOfDxe ( );=0D mMorLockPassThru =3D FALSE;=0D =0D - VariableLockRequestToLock (=0D - NULL, // This=0D - MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME,=0D - &gEfiMemoryOverwriteRequestControlLockGuid=0D - );=0D + NewPolicy =3D NULL;=0D + Status =3D CreateBasicVariablePolicy( &gEfiMemoryOverwriteRequestControl= LockGuid,=0D + MEMORY_OVERWRITE_REQUEST_CONTROL_LOC= K_NAME,=0D + VARIABLE_POLICY_NO_MIN_SIZE,=0D + VARIABLE_POLICY_NO_MAX_SIZE,=0D + VARIABLE_POLICY_NO_MUST_ATTR,=0D + VARIABLE_POLICY_NO_CANT_ATTR,=0D + VARIABLE_POLICY_TYPE_LOCK_NOW,=0D + &NewPolicy );=0D + if (!EFI_ERROR( Status )) {=0D + Status =3D RegisterVariablePolicy( NewPolicy );=0D + }=0D + if (EFI_ERROR( Status )) {=0D + DEBUG(( DEBUG_ERROR, "%a - Failed to lock variable %s! %r\n", __FUNCTI= ON__, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, Status ));=0D + ASSERT_EFI_ERROR( Status );=0D + }=0D + if (NewPolicy !=3D NULL) {=0D + FreePool( NewPolicy );=0D + }=0D }=0D diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.= inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf index 48ac167906f7..8debc560e6dc 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf @@ -71,6 +71,7 @@ [LibraryClasses] AuthVariableLib=0D VarCheckLib=0D VariablePolicyLib=0D + VariablePolicyHelperLib=0D =0D [Protocols]=0D gEfiFirmwareVolumeBlockProtocolGuid ## CONSUMES=0D @@ -80,6 +81,7 @@ [Protocols] gEfiVariableWriteArchProtocolGuid ## PRODUCES=0D gEfiVariableArchProtocolGuid ## PRODUCES=0D gEdkiiVariableLockProtocolGuid ## PRODUCES=0D + gEdkiiVariablePolicyProtocolGuid ## CONSUMES=0D gEdkiiVarCheckProtocolGuid ## PRODUCES=0D =0D [Guids]=0D diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneM= m.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf index d8f480be27cc..62f2f9252f43 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf @@ -76,6 +76,7 @@ [LibraryClasses] SynchronizationLib=0D VarCheckLib=0D VariablePolicyLib=0D + VariablePolicyHelperLib=0D =0D [Protocols]=0D gEfiSmmFirmwareVolumeBlockProtocolGuid ## CONSUMES=0D --=20 2.26.2.windows.1.8.g01c50adf56.20200515075929