From: "Bret Barkelew"
To: devel@edk2.groups.io
Cc: Jian J Wang, Hao A Wu, Liming Gao, Bret Barkelew, Dandan Bi
Subject: [PATCH v8 10/14] MdeModulePkg: Allow VariablePolicy state to delete protected variables
Date: Tue, 22 Sep 2020 23:07:44 -0700
Message-Id: <20200923060748.3795-11-bret.barkelew@microsoft.com>
In-Reply-To: <20200923060748.3795-1-bret.barkelew@microsoft.com>
References: <20200923060748.3795-1-bret.barkelew@microsoft.com>

From: Bret Barkelew

https://bugzilla.tianocore.org/show_bug.cgi?id=2522

TcgMorLockSmm provides special protections for the TCG MOR variables.
This will check IsVariablePolicyEnabled() before enforcing them to allow
variable deletion when the policy engine is disabled.

Only allows deletion, not modification.

Cc: Jian J Wang
Cc: Hao A Wu
Cc: Liming Gao
Cc: Bret Barkelew
Signed-off-by: Bret Barkelew
Reviewed-by: Dandan Bi
Acked-by: Jian J Wang
---
MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c | 10 += +++++++++ MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf | 2 ++ 2 files changed, 12 insertions(+) diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c b/M= deModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c index 6d80eb64341a..085f82035f4b 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c 
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c @@ -5,6 +5,7 @@ This module adds Variable Hook and check MemoryOverwriteRequestControlLo= ck.=0D =0D Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
=0D +Copyright (c) Microsoft Corporation.=0D SPDX-License-Identifier: BSD-2-Clause-Patent=0D =0D **/=0D @@ -17,6 +18,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include =0D #include "Variable.h"=0D =0D +#include =0D +=0D +#include =0D +=0D typedef struct {=0D CHAR16 *VariableName;=0D EFI_GUID *VendorGuid;=0D @@ -341,6 +346,11 @@ SetVariableCheckHandlerMor ( return EFI_SUCCESS;=0D }=0D =0D + // Permit deletion when policy is disabled.=0D + if (!IsVariablePolicyEnabled() && ((Attributes =3D=3D 0) || (DataSize = =3D=3D 0))) {=0D + return EFI_SUCCESS;=0D + }=0D +=0D //=0D // MorLock variable=0D //=0D diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneM= m.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf index 6e17f6cdf588..d8f480be27cc 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf @@ -20,6 +20,7 @@ #=0D # Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.
=0D # Copyright (c) 2018, Linaro, Ltd. All rights reserved.
=0D +# Copyright (c) Microsoft Corporation.=0D # SPDX-License-Identifier: BSD-2-Clause-Patent=0D #=0D ##=0D @@ -74,6 +75,7 @@ [LibraryClasses] StandaloneMmDriverEntryPoint=0D SynchronizationLib=0D VarCheckLib=0D + VariablePolicyLib=0D =0D [Protocols]=0D gEfiSmmFirmwareVolumeBlockProtocolGuid ## CONSUMES=0D --=20 2.28.0.windows.1
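Review bot: In the @@ -17,6 +18,10 @@ hunk of TcgMorLockSmm.c, each of the two new `#include` directives is followed by its own blank line, while the existing includes in the context (`#include ...` then `#include "Variable.h"`) sit together with a single blank line before the `typedef struct`. Grouping the two new includes directly under `#include "Variable.h"` with one trailing blank line would match the file's existing layout.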
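Review bot: In the @@ -341,6 +346,11 @@ SetVariableCheckHandlerMor hunk, the new early `return EFI_SUCCESS;` short-circuits every MorLock and MOR check that follows it whenever IsVariablePolicyEnabled() is FALSE, so MOR enforcement now rests entirely on whatever gates the policy engine's enabled state; that dependency belongs in the function's header comment, not only in the one-line `// Permit deletion when policy is disabled.` The condition `(Attributes == 0) || (DataSize == 0)` also treats a zero-length write with non-zero Attributes as a deletion request without distinguishing a zero-length append write; if that is the intent, state it in the comment, since the commit message promises that only deletion, not modification, is permitted.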
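Review bot: The @@ -74,6 +75,7 @@ [LibraryClasses] hunk adds `VariablePolicyLib` only to VariableStandaloneMm.inf, and the diffstat lists no other INF. TcgMorLockSmm.c now calls IsVariablePolicyEnabled(), so any other variable driver INF that compiles this source and does not already list VariablePolicyLib will fail to link; please confirm that such an INF already carries the library class from an earlier patch in the series, or add it here.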