From: "Bret Barkelew"
To: devel@edk2.groups.io
Cc: Jian J Wang, Hao A Wu, Liming Gao
Subject: [PATCH v7 10/14] MdeModulePkg: Allow VariablePolicy state to delete protected variables
Date: Thu, 27 Aug 2020 22:51:23 -0700
Message-Id: <20200828055127.1610-11-brbarkel@microsoft.com>
In-Reply-To: <20200828055127.1610-1-brbarkel@microsoft.com>
References: <20200828055127.1610-1-brbarkel@microsoft.com>

https://bugzilla.tianocore.org/show_bug.cgi?id=2522

TcgMorLockSmm provides special protections for the TCG MOR variables.
This will check IsVariablePolicyEnabled() before enforcing them to allow
variable deletion when the policy engine is disabled.
Only allows deletion, not modification.

Cc: Jian J Wang
Cc: Hao A Wu
Cc: Liming Gao
Cc: Bret Barkelew
Signed-off-by: Bret Barkelew
---
 MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c          | 10 ++++++++++
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf |  2 ++
 2 files changed, 12 insertions(+)

diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c
index 6d80eb64341a..085f82035f4b 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c
@@ -5,6 +5,7 @@ This module adds Variable Hook and check MemoryOverwriteRequestControlLo= ck.=0D =0D Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
=0D +Copyright (c) Microsoft Corporation.=0D SPDX-License-Identifier: BSD-2-Clause-Patent=0D =0D **/=0D @@ -17,6 +18,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include =0D #include "Variable.h"=0D =0D +#include =0D +=0D +#include =0D +=0D typedef struct {=0D CHAR16 *VariableName;=0D EFI_GUID *VendorGuid;=0D @@ -341,6 +346,11 @@ SetVariableCheckHandlerMor ( return EFI_SUCCESS;=0D }=0D =0D + // Permit deletion when policy is disabled.=0D + if (!IsVariablePolicyEnabled() && ((Attributes =3D=3D 0) || (DataSize = =3D=3D 0))) {=0D + return EFI_SUCCESS;=0D + }=0D +=0D //=0D // MorLock variable=0D //=0D diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneM= m.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf index 6e17f6cdf588..d8f480be27cc 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf @@ -20,6 +20,7 @@ #=0D # Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.
=0D # Copyright (c) 2018, Linaro, Ltd. All rights reserved.
=0D +# Copyright (c) Microsoft Corporation.=0D # SPDX-License-Identifier: BSD-2-Clause-Patent=0D #=0D ##=0D @@ -74,6 +75,7 @@ [LibraryClasses] StandaloneMmDriverEntryPoint=0D SynchronizationLib=0D VarCheckLib=0D + VariablePolicyLib=0D =0D [Protocols]=0D gEfiSmmFirmwareVolumeBlockProtocolGuid ## CONSUMES=0D --=20 2.28.0.windows.1
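Review bot: in the @@ -17,6 +18,10 @@ hunk of TcgMorLockSmm.c, each of the two added #include lines is followed by its own blank line, which splits them off from the existing #include and "Variable.h" lines directly above; put the new includes on consecutive lines inside that existing block and keep the single blank line before the typedef.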
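Review bot: in the @@ -341,6 +346,11 @@ hunk, the early-return condition `(Attributes == 0) || (DataSize == 0)` is wider than "deletion" as the commit message describes it: under the UEFI SetVariable() rules a DataSize of zero only deletes the variable when EFI_VARIABLE_APPEND_WRITE is not set, so with the policy engine disabled a zero-length append request also skips the MorLock and MOR checks below instead of reaching them. Match the variable driver's own deletion test by prefixing the condition with `((Attributes & EFI_VARIABLE_APPEND_WRITE) == 0) &&`, or say in the comment why a zero-length append is acceptable here. Two smaller points in the same hunk: the one-line `// Permit deletion when policy is disabled.` comment does not use the `//` / text / `//` banner form that the surrounding comments in this function use (`// MorLock variable`), and since this return also covers the MorLock variable itself, the comment should say so explicitly, because that is the case the rest of the function exists to protect.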
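Review bot: the @@ -74,6 +75,7 @@ hunk adds VariablePolicyLib only to VariableStandaloneMm.inf, but TcgMorLockSmm.c, which now calls IsVariablePolicyEnabled(), is also built by VariableSmm.inf; confirm that an earlier patch in this v7 series already lists VariablePolicyLib there, otherwise the traditional SMM build of the variable driver will not resolve the new call. If that is the case, one sentence in the commit message saying so would save reviewers the check.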