From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pj1-f65.google.com (mail-pj1-f65.google.com [209.85.216.65]) by mx.groups.io with SMTP id smtpd.web11.37154.1598593923284246742 for ; Thu, 27 Aug 2020 22:52:03 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@corthon-com.20150623.gappssmtp.com header.s=20150623 header.b=LQ2DG/br; spf=none, err=permanent DNS error (domain: corthon.com, ip: 209.85.216.65, mailfrom: bret@corthon.com) Received: by mail-pj1-f65.google.com with SMTP id ls14so35476pjb.3 for ; Thu, 27 Aug 2020 22:52:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=corthon-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=M62QkQgbw+mCy8Tk+6i9tHWQojaChLnPkR1/j0Olj3A=; b=LQ2DG/brioPTB/1cixyIQT1m8J9Far0RlidL4rX29MW9huFHpuVtOttue49GgR0yjD 6pYMic5bioIr3Tjy0+KKy0smQ3OlSq5T3NXT9/qdMBaKf8MYBUDPDOV22WTer6LsvQL4 e7+Sf5Ys4uQsSOZZXiMoP9JuLhD0/kt5c9rT9y7+dhzcoZ8RRwhYee6/K9AI160h9C6S w1gry0Vk5dO8S0gr618lfWPvDZJC7BwwtXoal+hWyFvN+lKp2VVqkfij3ZrQxAQeCwMX yeybtDkzKWg4FS5l6Qu/i5yENb71vc2u7HoygJYEBFFIB0xlJGzRl4CJK/Y2LzJ8jag/ 72uA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=M62QkQgbw+mCy8Tk+6i9tHWQojaChLnPkR1/j0Olj3A=; b=K05Vm+8SuLm0Pz9pllkPhhSwXGk4egKLjXd2qMeqqKUWxjOi1YNeQxVMZHXoSbwbPd zGTwM1MwCo/1eoQtNDzzxpHNCaNU8+49igc0OdxA807hBxjqVXIZDpE2eOJd93+/Nnfl XHe1HV4NMlC6EjG3o75ShEbu57n1Kx+Os21m9x4l0BHBEjt/7Af1nixZbUKSppDr6440 bVkfrS1755JOmCRHaJXiFZXmkiHlIfHA0HJRldi0x3RBSHxmKCn4LaSQeowxigSC0JFB QSgL750O4ldwQCDQRTZpb6boSs46v21VYT7EeRwo4PcjZ2w6uHLT46uUnu1kNbPjE0Nf muIw== X-Gm-Message-State: AOAM531nwZZIFhFFmZHgxbapZfbiQRM3xFfSUPVckU7V58zHOh7AwPl6 lFQCjcXhtkNG74ICEz6Qixw2fYwA+TufOrWqx7o= X-Google-Smtp-Source: ABdhPJxOELWehHPgkfjN0ZDPjFUR3a57IEQRHzPxi1XFEAlEMf9GERTS8hwvqiKAhz09tZS3q9TOrA== X-Received: by 2002:a17:90a:550e:: with SMTP id b14mr259862pji.64.1598593922391; Thu, 27 Aug 2020 22:52:02 -0700 (PDT) Return-Path: Received: from localhost.localdomain (174-21-132-206.tukw.qwest.net. [174.21.132.206]) by smtp.gmail.com with ESMTPSA id fz19sm41802pjb.40.2020.08.27.22.52.01 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 27 Aug 2020 22:52:01 -0700 (PDT) From: "Bret Barkelew" X-Google-Original-From: Bret Barkelew To: devel@edk2.groups.io Cc: Jian J Wang , Hao A Wu , Liming Gao Subject: [PATCH v7 12/14] MdeModulePkg: Change TCG MOR variables to use VariablePolicy Date: Thu, 27 Aug 2020 22:51:25 -0700 Message-Id: <20200828055127.1610-13-brbarkel@microsoft.com> X-Mailer: git-send-email 2.28.0.windows.1 In-Reply-To: <20200828055127.1610-1-brbarkel@microsoft.com> References: <20200828055127.1610-1-brbarkel@microsoft.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable https://bugzilla.tianocore.org/show_bug.cgi?id=3D2522 These were previously using VarLock, which is being deprecated. Cc: Jian J Wang Cc: Hao A Wu Cc: Liming Gao Cc: Bret Barkelew Signed-off-by: Bret Barkelew --- MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c | 52 += +++++++++++++------ MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c | 52 += ++++++++++++++----- MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf | 2 + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf | 1 + 4 files changed, 82 insertions(+), 25 deletions(-) diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c b/M= deModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c index e7accf4ed806..b85f08c48c11 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c @@ -5,6 +5,7 @@ MOR lock control unsupported.=0D =0D Copyright (c) 2016, Intel Corporation. All rights reserved.
=0D +Copyright (c) Microsoft Corporation.=0D SPDX-License-Identifier: BSD-2-Clause-Patent=0D =0D **/=0D @@ -17,7 +18,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include =0D #include "Variable.h"=0D =0D -extern EDKII_VARIABLE_LOCK_PROTOCOL mVariableLock;=0D +#include =0D +#include =0D =0D /**=0D This service is an MOR/MorLock checker handler for the SetVariable().=0D @@ -77,11 +79,6 @@ MorLockInit ( NULL // Data=0D );=0D =0D - //=0D - // Need set this variable to be read-only to prevent other module set it= .=0D - //=0D - VariableLockRequestToLock (&mVariableLock, MEMORY_OVERWRITE_REQUEST_CONT= ROL_LOCK_NAME, &gEfiMemoryOverwriteRequestControlLockGuid);=0D -=0D //=0D // The MOR variable can effectively improve platform security only when = the=0D // MorLock variable protects the MOR variable. In turn MorLock cannot be= made=0D @@ -99,11 +96,6 @@ MorLockInit ( 0, // DataSize=0D NULL // Data=0D );=0D - VariableLockRequestToLock (=0D - &mVariableLock,=0D - MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,=0D - &gEfiMemoryOverwriteControlDataGuid=0D - );=0D =0D return EFI_SUCCESS;=0D }=0D @@ -118,7 +110,39 @@ MorLockInitAtEndOfDxe ( VOID=0D )=0D {=0D - //=0D - // Do nothing.=0D - //=0D + EFI_STATUS Status;=0D + EDKII_VARIABLE_POLICY_PROTOCOL *VariablePolicy;=0D +=0D + // First, we obviously need to locate the VariablePolicy protocol.=0D + Status =3D gBS->LocateProtocol( &gEdkiiVariablePolicyProtocolGuid, NULL,= (VOID**)&VariablePolicy );=0D + if (EFI_ERROR( Status )) {=0D + DEBUG(( DEBUG_ERROR, "%a - Could not locate VariablePolicy protocol! %= r\n", __FUNCTION__, Status ));=0D + return;=0D + }=0D +=0D + // If we're successful, go ahead and set the policies to protect the tar= get variables.=0D + Status =3D RegisterBasicVariablePolicy( VariablePolicy,=0D + &gEfiMemoryOverwriteRequestControl= LockGuid,=0D + MEMORY_OVERWRITE_REQUEST_CONTROL_L= OCK_NAME,=0D + VARIABLE_POLICY_NO_MIN_SIZE,=0D + VARIABLE_POLICY_NO_MAX_SIZE,=0D + VARIABLE_POLICY_NO_MUST_ATTR,=0D + VARIABLE_POLICY_NO_CANT_ATTR,=0D + VARIABLE_POLICY_TYPE_LOCK_NOW );=0D + if (EFI_ERROR( Status )) {=0D + DEBUG(( DEBUG_ERROR, "%a - Could not lock variable %s! %r\n", __FUNCTI= ON__, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, Status ));=0D + }=0D + Status =3D RegisterBasicVariablePolicy( VariablePolicy,=0D + &gEfiMemoryOverwriteControlDataGui= d,=0D + MEMORY_OVERWRITE_REQUEST_VARIABLE_= NAME,=0D + VARIABLE_POLICY_NO_MIN_SIZE,=0D + VARIABLE_POLICY_NO_MAX_SIZE,=0D + VARIABLE_POLICY_NO_MUST_ATTR,=0D + VARIABLE_POLICY_NO_CANT_ATTR,=0D + VARIABLE_POLICY_TYPE_LOCK_NOW );=0D + if (EFI_ERROR( Status )) {=0D + DEBUG(( DEBUG_ERROR, "%a - Could not lock variable %s! %r\n", __FUNCTI= ON__, MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, Status ));=0D + }=0D +=0D + return;=0D }=0D diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c b/M= deModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c index 085f82035f4b..ee37942a6b0c 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c @@ -19,7 +19,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include "Variable.h"=0D =0D #include =0D -=0D +#include =0D #include =0D =0D typedef struct {=0D @@ -422,6 +422,8 @@ MorLockInitAtEndOfDxe ( {=0D UINTN MorSize;=0D EFI_STATUS MorStatus;=0D + EFI_STATUS Status;=0D + VARIABLE_POLICY_ENTRY *NewPolicy;=0D =0D if (!mMorLockInitializationRequired) {=0D //=0D @@ -494,11 +496,25 @@ MorLockInitAtEndOfDxe ( // The MOR variable is absent; the platform firmware does not support it= .=0D // Lock the variable so that no other module may create it.=0D //=0D - VariableLockRequestToLock (=0D - NULL, // This=0D - MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,=0D - &gEfiMemoryOverwriteControlDataGuid=0D - );=0D + NewPolicy =3D NULL;=0D + Status =3D CreateBasicVariablePolicy( &gEfiMemoryOverwriteControlDataGui= d,=0D + MEMORY_OVERWRITE_REQUEST_VARIABLE_NA= ME,=0D + VARIABLE_POLICY_NO_MIN_SIZE,=0D + VARIABLE_POLICY_NO_MAX_SIZE,=0D + VARIABLE_POLICY_NO_MUST_ATTR,=0D + VARIABLE_POLICY_NO_CANT_ATTR,=0D + VARIABLE_POLICY_TYPE_LOCK_NOW,=0D + &NewPolicy );=0D + if (!EFI_ERROR( Status )) {=0D + Status =3D RegisterVariablePolicy( NewPolicy );=0D + }=0D + if (EFI_ERROR( Status )) {=0D + DEBUG(( DEBUG_ERROR, "%a - Failed to lock variable %s! %r\n", __FUNCTI= ON__, MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, Status ));=0D + ASSERT_EFI_ERROR( Status );=0D + }=0D + if (NewPolicy !=3D NULL) {=0D + FreePool( NewPolicy );=0D + }=0D =0D //=0D // Delete the MOR Control Lock variable too (should it exists for some=0D @@ -514,9 +530,23 @@ MorLockInitAtEndOfDxe ( );=0D mMorLockPassThru =3D FALSE;=0D =0D - VariableLockRequestToLock (=0D - NULL, // This=0D - MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME,=0D - &gEfiMemoryOverwriteRequestControlLockGuid=0D - );=0D + NewPolicy =3D NULL;=0D + Status =3D CreateBasicVariablePolicy( &gEfiMemoryOverwriteRequestControl= LockGuid,=0D + MEMORY_OVERWRITE_REQUEST_CONTROL_LOC= K_NAME,=0D + VARIABLE_POLICY_NO_MIN_SIZE,=0D + VARIABLE_POLICY_NO_MAX_SIZE,=0D + VARIABLE_POLICY_NO_MUST_ATTR,=0D + VARIABLE_POLICY_NO_CANT_ATTR,=0D + VARIABLE_POLICY_TYPE_LOCK_NOW,=0D + &NewPolicy );=0D + if (!EFI_ERROR( Status )) {=0D + Status =3D RegisterVariablePolicy( NewPolicy );=0D + }=0D + if (EFI_ERROR( Status )) {=0D + DEBUG(( DEBUG_ERROR, "%a - Failed to lock variable %s! %r\n", __FUNCTI= ON__, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, Status ));=0D + ASSERT_EFI_ERROR( Status );=0D + }=0D + if (NewPolicy !=3D NULL) {=0D + FreePool( NewPolicy );=0D + }=0D }=0D diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.= inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf index 48ac167906f7..8debc560e6dc 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf @@ -71,6 +71,7 @@ [LibraryClasses] AuthVariableLib=0D VarCheckLib=0D VariablePolicyLib=0D + VariablePolicyHelperLib=0D =0D [Protocols]=0D gEfiFirmwareVolumeBlockProtocolGuid ## CONSUMES=0D @@ -80,6 +81,7 @@ [Protocols] gEfiVariableWriteArchProtocolGuid ## PRODUCES=0D gEfiVariableArchProtocolGuid ## PRODUCES=0D gEdkiiVariableLockProtocolGuid ## PRODUCES=0D + gEdkiiVariablePolicyProtocolGuid ## CONSUMES=0D gEdkiiVarCheckProtocolGuid ## PRODUCES=0D =0D [Guids]=0D diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneM= m.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf index d8f480be27cc..62f2f9252f43 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf @@ -76,6 +76,7 @@ [LibraryClasses] SynchronizationLib=0D VarCheckLib=0D VariablePolicyLib=0D + VariablePolicyHelperLib=0D =0D [Protocols]=0D gEfiSmmFirmwareVolumeBlockProtocolGuid ## CONSUMES=0D --=20 2.28.0.windows.1