From: "Bret Barkelew" <bret@corthon.com>
To: devel@edk2.groups.io
Cc: Jiewen Yao <jiewen.yao@intel.com>,
Jian J Wang <jian.j.wang@intel.com>,
Chao Zhang <chao.b.zhang@intel.com>,
Bret Barkelew <brbarkel@microsoft.com>,
Dandan Bi <dandan.bi@intel.com>
Subject: [PATCH v8 11/14] SecurityPkg: Allow VariablePolicy state to delete authenticated variables
Date: Tue, 22 Sep 2020 23:07:45 -0700 [thread overview]
Message-ID: <20200923060748.3795-12-bret.barkelew@microsoft.com> (raw)
In-Reply-To: <20200923060748.3795-1-bret.barkelew@microsoft.com>
From: Bret Barkelew <brbarkel@microsoft.com>
https://bugzilla.tianocore.org/show_bug.cgi?id=2522
Causes AuthService to check
IsVariablePolicyEnabled() before enforcing
write protections to allow variable deletion
when policy engine is disabled.
Only allows deletion, not modification.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Bret Barkelew <brbarkel@microsoft.com>
Signed-off-by: Bret Barkelew <brbarkel@microsoft.com>
Reviewed-by: Dandan Bi <dandan.bi@intel.com>
Acked-by: Jian J Wang <jian.j.wang@intel.com>
---
SecurityPkg/Library/AuthVariableLib/AuthService.c | 30 ++++++++++++++++----
SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf | 2 ++
2 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c
index 2f60331f2c04..4fb609504db7 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@@ -19,12 +19,16 @@
to verify the signature.
Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
+Copyright (c) Microsoft Corporation.
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include "AuthServiceInternal.h"
+#include <Protocol/VariablePolicy.h>
+#include <Library/VariablePolicyLib.h>
+
//
// Public Exponent of RSA Key.
//
@@ -217,9 +221,12 @@ NeedPhysicallyPresent(
IN EFI_GUID *VendorGuid
)
{
- if ((CompareGuid (VendorGuid, &gEfiSecureBootEnableDisableGuid) && (StrCmp (VariableName, EFI_SECURE_BOOT_ENABLE_NAME) == 0))
- || (CompareGuid (VendorGuid, &gEfiCustomModeEnableGuid) && (StrCmp (VariableName, EFI_CUSTOM_MODE_NAME) == 0))) {
- return TRUE;
+ // If the VariablePolicy engine is disabled, allow deletion of any authenticated variables.
+ if (IsVariablePolicyEnabled()) {
+ if ((CompareGuid (VendorGuid, &gEfiSecureBootEnableDisableGuid) && (StrCmp (VariableName, EFI_SECURE_BOOT_ENABLE_NAME) == 0))
+ || (CompareGuid (VendorGuid, &gEfiCustomModeEnableGuid) && (StrCmp (VariableName, EFI_CUSTOM_MODE_NAME) == 0))) {
+ return TRUE;
+ }
}
return FALSE;
@@ -842,7 +849,8 @@ ProcessVariable (
&OrgVariableInfo
);
- if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable (OrgVariableInfo.Attributes, Data, DataSize, Attributes) && UserPhysicalPresent()) {
+ // If the VariablePolicy engine is disabled, allow deletion of any authenticated variables.
+ if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable (OrgVariableInfo.Attributes, Data, DataSize, Attributes) && (UserPhysicalPresent() || !IsVariablePolicyEnabled())) {
//
// Allow the delete operation of common authenticated variable(AT or AW) at user physical presence.
//
@@ -1920,6 +1928,12 @@ VerifyTimeBasedPayload (
PayloadPtr = SigData + SigDataSize;
PayloadSize = DataSize - OFFSET_OF_AUTHINFO2_CERT_DATA - (UINTN) SigDataSize;
+ // If the VariablePolicy engine is disabled, allow deletion of any authenticated variables.
+ if (PayloadSize == 0 && (Attributes & EFI_VARIABLE_APPEND_WRITE) == 0 && !IsVariablePolicyEnabled()) {
+ VerifyStatus = TRUE;
+ goto Exit;
+ }
+
//
// Construct a serialization buffer of the values of the VariableName, VendorGuid and Attributes
// parameters of the SetVariable() call and the TimeStamp component of the
@@ -2173,8 +2187,12 @@ VerifyTimeBasedPayload (
Exit:
if (AuthVarType == AuthVarTypePk || AuthVarType == AuthVarTypePriv) {
- Pkcs7FreeSigners (TopLevelCert);
- Pkcs7FreeSigners (SignerCerts);
+ if (TopLevelCert != NULL) {
+ Pkcs7FreeSigners (TopLevelCert);
+ }
+ if (SignerCerts != NULL) {
+ Pkcs7FreeSigners (SignerCerts);
+ }
}
if (!VerifyStatus) {
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
index 8d4ce14df494..8eadeebcebd7 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
@@ -3,6 +3,7 @@
#
# Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>
# Copyright (c) 2018, ARM Limited. All rights reserved.<BR>
+# Copyright (c) Microsoft Corporation.
#
# SPDX-License-Identifier: BSD-2-Clause-Patent
#
@@ -41,6 +42,7 @@ [LibraryClasses]
MemoryAllocationLib
BaseCryptLib
PlatformSecureLib
+ VariablePolicyLib
[Guids]
## CONSUMES ## Variable:L"SetupMode"
--
2.28.0.windows.1
next prev parent reply other threads:[~2020-09-23 6:09 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-23 6:07 [PATCH v8 00/14] Add the VariablePolicy feature Bret Barkelew
2020-09-23 6:07 ` [PATCH v8 01/14] MdeModulePkg: Define the VariablePolicy protocol interface Bret Barkelew
2020-09-23 6:07 ` [PATCH v8 02/14] MdeModulePkg: Define the VariablePolicyLib Bret Barkelew
2020-09-23 6:07 ` [PATCH v8 03/14] MdeModulePkg: Define the VariablePolicyHelperLib Bret Barkelew
2020-09-23 6:07 ` [PATCH v8 04/14] MdeModulePkg: Define the VarCheckPolicyLib and SMM interface Bret Barkelew
2020-09-23 6:07 ` [PATCH v8 05/14] OvmfPkg: Add VariablePolicy engine to OvmfPkg platform Bret Barkelew
2020-09-23 6:07 ` [PATCH v8 06/14] EmulatorPkg: Add VariablePolicy engine to EmulatorPkg platform Bret Barkelew
2020-09-23 6:07 ` [PATCH v8 07/14] ArmVirtPkg: Add VariablePolicy engine to ArmVirtPkg platform Bret Barkelew
2020-09-23 6:07 ` [PATCH v8 08/14] UefiPayloadPkg: Add VariablePolicy engine to UefiPayloadPkg platform Bret Barkelew
2020-09-23 6:07 ` [PATCH v8 09/14] MdeModulePkg: Connect VariablePolicy business logic to VariableServices Bret Barkelew
2020-09-23 6:07 ` [PATCH v8 10/14] MdeModulePkg: Allow VariablePolicy state to delete protected variables Bret Barkelew
2020-09-23 6:07 ` Bret Barkelew [this message]
2020-09-23 6:11 ` [PATCH v8 11/14] SecurityPkg: Allow VariablePolicy state to delete authenticated variables Yao, Jiewen
2020-09-23 6:07 ` [PATCH v8 12/14] MdeModulePkg: Change TCG MOR variables to use VariablePolicy Bret Barkelew
2020-09-23 6:07 ` [PATCH v8 13/14] MdeModulePkg: Drop VarLock from RuntimeDxe variable driver Bret Barkelew
2020-09-23 6:07 ` [PATCH v8 14/14] MdeModulePkg: Add a shell-based functional test for VariablePolicy Bret Barkelew
2020-09-23 6:12 ` [EXTERNAL] [PATCH v8 00/14] Add the VariablePolicy feature Bret Barkelew
2020-09-23 8:45 ` [edk2-devel] " Laszlo Ersek
2020-09-23 9:22 ` Ard Biesheuvel
2020-09-23 9:43 ` Laszlo Ersek
2020-09-23 10:04 ` Laszlo Ersek
2020-09-23 10:17 ` Ard Biesheuvel
2020-09-23 19:46 ` Sean
2020-09-23 13:02 ` Laszlo Ersek
2020-09-23 21:14 ` Bret Barkelew
2020-09-23 21:32 ` Andrew Fish
2020-09-23 21:34 ` Bret Barkelew
2020-09-24 21:37 ` Laszlo Ersek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200923060748.3795-12-bret.barkelew@microsoft.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox