public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Bret Barkelew" <bret@corthon.com>
To: devel@edk2.groups.io
Cc: Jian J Wang <jian.j.wang@intel.com>,
	Hao A Wu <hao.a.wu@intel.com>, Liming Gao <liming.gao@intel.com>,
	Bret Barkelew <brbarkel@microsoft.com>,
	Dandan Bi <dandan.bi@intel.com>
Subject: [PATCH v9 10/13] MdeModulePkg: Allow VariablePolicy state to delete protected variables
Date: Sun,  8 Nov 2020 22:45:19 -0800	[thread overview]
Message-ID: <20201109064522.919-11-bret.barkelew@microsoft.com> (raw)
In-Reply-To: <20201109064522.919-1-bret.barkelew@microsoft.com>

From: Bret Barkelew <brbarkel@microsoft.com>

https://bugzilla.tianocore.org/show_bug.cgi?id=2522

TcgMorLockSmm provides special protections for
the TCG MOR variables. This will check
IsVariablePolicyEnabled() before enforcing
them to allow variable deletion when policy
engine is disabled.

Only allows deletion, not modification.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Bret Barkelew <brbarkel@microsoft.com>
Signed-off-by: Bret Barkelew <brbarkel@microsoft.com>
Reviewed-by: Dandan Bi <dandan.bi@intel.com>
Acked-by: Jian J Wang <jian.j.wang@intel.com>
---
 MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c          | 10 ++++++++++
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf |  2 ++
 2 files changed, 12 insertions(+)

diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c
index 6d80eb64341a..085f82035f4b 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c
@@ -5,6 +5,7 @@
   This module adds Variable Hook and check MemoryOverwriteRequestControlLock.
 
 Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) Microsoft Corporation.
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -17,6 +18,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #include <Library/BaseMemoryLib.h>
 #include "Variable.h"
 
+#include <Protocol/VariablePolicy.h>
+
+#include <Library/VariablePolicyLib.h>
+
 typedef struct {
   CHAR16                                 *VariableName;
   EFI_GUID                               *VendorGuid;
@@ -341,6 +346,11 @@ SetVariableCheckHandlerMor (
     return EFI_SUCCESS;
   }
 
+  // Permit deletion when policy is disabled.
+  if (!IsVariablePolicyEnabled() && ((Attributes == 0) || (DataSize == 0))) {
+    return EFI_SUCCESS;
+  }
+
   //
   // MorLock variable
   //
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
index 6e17f6cdf588..d8f480be27cc 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
@@ -20,6 +20,7 @@
 #
 # Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.<BR>
 # Copyright (c) 2018, Linaro, Ltd. All rights reserved.<BR>
+# Copyright (c) Microsoft Corporation.
 # SPDX-License-Identifier: BSD-2-Clause-Patent
 #
 ##
@@ -74,6 +75,7 @@ [LibraryClasses]
   StandaloneMmDriverEntryPoint
   SynchronizationLib
   VarCheckLib
+  VariablePolicyLib
 
 [Protocols]
   gEfiSmmFirmwareVolumeBlockProtocolGuid        ## CONSUMES
-- 
2.28.0.windows.1


  parent reply	other threads:[~2020-11-09  6:46 UTC|newest]

Thread overview: 33+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-11-09  6:45 [PATCH v9 00/13] Add the VariablePolicy feature Bret Barkelew
2020-11-09  6:45 ` [PATCH v9 01/13] MdeModulePkg: Define the VariablePolicy protocol interface Bret Barkelew
2020-11-09  6:45 ` [PATCH v9 02/13] MdeModulePkg: Define the VariablePolicyLib Bret Barkelew
2020-11-09  6:45 ` [PATCH v9 03/13] MdeModulePkg: Define the VariablePolicyHelperLib Bret Barkelew
2020-11-09  6:45 ` [PATCH v9 04/13] MdeModulePkg: Define the VarCheckPolicyLib and SMM interface Bret Barkelew
2020-11-09  6:45 ` [PATCH v9 05/13] OvmfPkg: Add VariablePolicy engine to OvmfPkg platform Bret Barkelew
2020-11-09  6:45 ` [PATCH v9 06/13] EmulatorPkg: Add VariablePolicy engine to EmulatorPkg platform Bret Barkelew
2020-11-09  6:45 ` [PATCH v9 07/13] ArmVirtPkg: Add VariablePolicy engine to ArmVirtPkg platform Bret Barkelew
2020-11-09  6:45 ` [PATCH v9 08/13] UefiPayloadPkg: Add VariablePolicy engine to UefiPayloadPkg platform Bret Barkelew
2020-11-09  6:45 ` [PATCH v9 09/13] MdeModulePkg: Connect VariablePolicy business logic to VariableServices Bret Barkelew
2020-11-09  6:45 ` Bret Barkelew [this message]
2020-11-09  6:45 ` [PATCH v9 11/13] SecurityPkg: Allow VariablePolicy state to delete authenticated variables Bret Barkelew
2020-11-09  6:45 ` [PATCH v9 12/13] MdeModulePkg: Change TCG MOR variables to use VariablePolicy Bret Barkelew
2020-11-09  6:45 ` [PATCH v9 13/13] MdeModulePkg: Drop VarLock from RuntimeDxe variable driver Bret Barkelew
2020-11-11 18:43 ` [PATCH v9 00/13] Add the VariablePolicy feature Bret Barkelew
2020-11-11 22:34   ` [edk2-devel] " Laszlo Ersek
2020-11-12 14:24   ` 回复: " gaoliming
2020-11-12 16:45     ` Bret Barkelew
2020-11-13  1:20       ` Bret Barkelew
2020-11-13  2:05         ` 回复: " gaoliming
2020-11-13 19:59           ` Laszlo Ersek
     [not found]         ` <1646EF0A6B8F843A.414@groups.io>
2020-11-17  1:00           ` gaoliming
2020-11-19 12:46 ` Ard Biesheuvel
2020-11-19 16:15   ` Bret Barkelew
2020-11-19 16:19     ` Ard Biesheuvel
2020-11-19 16:23       ` [EXTERNAL] " Bret Barkelew
     [not found]       ` <1648F558ACA0C0F8.8629@groups.io>
2020-11-19 16:26         ` [edk2-devel] " Bret Barkelew
2020-11-19 16:35           ` Ard Biesheuvel
2020-11-20 10:34             ` Laszlo Ersek
2020-11-19 20:02     ` [edk2-devel] " Andrei Warkentin
2020-11-19 20:16       ` Michael Kubacki
2020-11-19 20:41       ` Bret Barkelew
2020-11-20 10:53         ` Laszlo Ersek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20201109064522.919-11-bret.barkelew@microsoft.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox