From: "Bret Barkelew"
To: devel@edk2.groups.io
Cc: Jian J Wang, Hao A Wu, Liming Gao, Bret Barkelew, Dandan Bi
Subject: [PATCH v9 10/13] MdeModulePkg: Allow VariablePolicy state to delete protected variables
Date: Sun, 8 Nov 2020 22:45:19 -0800
Message-Id: <20201109064522.919-11-bret.barkelew@microsoft.com>
In-Reply-To: <20201109064522.919-1-bret.barkelew@microsoft.com>
References: <20201109064522.919-1-bret.barkelew@microsoft.com>

https://bugzilla.tianocore.org/show_bug.cgi?id=2522

TcgMorLockSmm provides special protections for the TCG MOR variables.
This will check IsVariablePolicyEnabled() before enforcing them to allow
variable deletion when the policy engine is disabled. Only allows deletion,
not modification.

Cc: Jian J Wang
Cc: Hao A Wu
Cc: Liming Gao
Cc: Bret Barkelew
Signed-off-by: Bret Barkelew
Reviewed-by: Dandan Bi
Acked-by: Jian J Wang
---
 MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c          | 10 ++++++++++
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf |  2 ++
 2 files changed, 12 insertions(+)

diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c
index 6d80eb64341a..085f82035f4b 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c @@ -5,6 +5,7 @@ This module adds Variable Hook and check MemoryOverwriteRequestControlLo= ck.=0D =0D Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
=0D +Copyright (c) Microsoft Corporation.=0D SPDX-License-Identifier: BSD-2-Clause-Patent=0D =0D **/=0D @@ -17,6 +18,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include =0D #include "Variable.h"=0D =0D +#include =0D +=0D +#include =0D +=0D typedef struct {=0D CHAR16 *VariableName;=0D EFI_GUID *VendorGuid;=0D @@ -341,6 +346,11 @@ SetVariableCheckHandlerMor ( return EFI_SUCCESS;=0D }=0D =0D + // Permit deletion when policy is disabled.=0D + if (!IsVariablePolicyEnabled() && ((Attributes =3D=3D 0) || (DataSize = =3D=3D 0))) {=0D + return EFI_SUCCESS;=0D + }=0D +=0D //=0D // MorLock variable=0D //=0D diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneM= m.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf index 6e17f6cdf588..d8f480be27cc 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf @@ -20,6 +20,7 @@ #=0D # Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.
=0D # Copyright (c) 2018, Linaro, Ltd. All rights reserved.
=0D +# Copyright (c) Microsoft Corporation.=0D # SPDX-License-Identifier: BSD-2-Clause-Patent=0D #=0D ##=0D @@ -74,6 +75,7 @@ [LibraryClasses] StandaloneMmDriverEntryPoint=0D SynchronizationLib=0D VarCheckLib=0D + VariablePolicyLib=0D =0D [Protocols]=0D gEfiSmmFirmwareVolumeBlockProtocolGuid ## CONSUMES=0D --=20 2.28.0.windows.1
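Review bot: the new early return in SetVariableCheckHandlerMor skips every check that follows it, including the MorLock handling under the `// MorLock variable` comment, so once the policy engine is disabled a caller can delete either MOR variable whatever the lock state; that is what the commit message intends, but the in-code comment should say so, because disabling VariablePolicy silently becomes a MorLock bypass. The delete test `((Attributes == 0) || (DataSize == 0))` is also looser than "deletion only": a zero-length write that carries EFI_VARIABLE_APPEND_WRITE is not a delete under the UEFI SetVariable rules, so either extend the DataSize branch with `&& ((Attributes & EFI_VARIABLE_APPEND_WRITE) == 0)` or note why letting such a request through is harmless. Style: the surrounding code wraps comments in `//` lines above and below; `// Permit deletion when policy is disabled.` should follow that convention.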
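Review bot: only VariableStandaloneMm.inf gains VariablePolicyLib under [LibraryClasses], yet the IsVariablePolicyEnabled() call is added to TcgMorLockSmm.c, which sits in the same RuntimeDxe directory as the other variable driver modules; if any other module .inf there also compiles TcgMorLockSmm.c, it needs VariablePolicyLib as well or IsVariablePolicyEnabled() will fail to resolve at link time, so please confirm the remaining .inf files already list it.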
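The decision the commit message describes (a delete request passes the MOR hook when the policy engine is disabled, a modification does not), modelled as a stand-alone C program. This is an added example, not code from the patch or from edk2: it matches the two MOR variables by name only (the real driver also compares the vendor GUID), collapses the driver's MorLock state machine to a single "locked" flag that denies every write or delete of a MOR variable, and pairs the patch's own delete test with a stricter one that excludes EFI_VARIABLE_APPEND_WRITE, which is a suggestion rather than anything in the patch. The attribute bit values are the UEFI specification's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* UEFI SetVariable attribute bits (values from the UEFI specification). */
#define EFI_VARIABLE_NON_VOLATILE        0x00000001u
#define EFI_VARIABLE_BOOTSERVICE_ACCESS  0x00000002u
#define EFI_VARIABLE_RUNTIME_ACCESS      0x00000004u
#define EFI_VARIABLE_APPEND_WRITE        0x00000040u

/* Verdict of the check hook; the real driver returns EFI_STATUS codes. */
typedef enum { MOR_ALLOW = 0, MOR_ACCESS_DENIED = 1 } mor_verdict;

/* Assumption for this example: the hook matches the two TCG MOR variable
 * names only; the real driver also compares the vendor GUID. */
static const char *const MOR_VARIABLE_NAMES[] = {
    "MemoryOverwriteRequestControl",
    "MemoryOverwriteRequestControlLock",
};

typedef struct {
    bool policy_enabled;  /* stand-in for IsVariablePolicyEnabled() */
    bool mor_locked;      /* stand-in for the driver's MorLock state (assumed boolean) */
} mor_ctx;

static bool is_mor_variable(const char *name) {
    for (size_t i = 0; i < sizeof MOR_VARIABLE_NAMES / sizeof MOR_VARIABLE_NAMES[0]; i++) {
        if (strcmp(name, MOR_VARIABLE_NAMES[i]) == 0) return true;
    }
    return false;
}

/* The patch's delete test: Attributes == 0 or DataSize == 0. */
bool patch_is_delete(uint32_t attributes, size_t data_size) {
    return attributes == 0 || data_size == 0;
}

/* Delete test aligned with UEFI SetVariable semantics: a zero-length write
 * that carries EFI_VARIABLE_APPEND_WRITE is not a deletion. Suggested
 * alternative, not part of the patch. */
bool strict_is_delete(uint32_t attributes, size_t data_size) {
    if (attributes == 0) return true;
    return data_size == 0 && (attributes & EFI_VARIABLE_APPEND_WRITE) == 0;
}

/* Model of SetVariableCheckHandlerMor after the patch. MorLock enforcement is
 * simplified to "locked means every write or delete of a MOR variable is
 * denied"; the driver's full state machine is not reproduced here. */
mor_verdict mor_check(const mor_ctx *ctx, const char *name, uint32_t attributes,
                      size_t data_size, bool (*is_delete)(uint32_t, size_t)) {
    if (!is_mor_variable(name)) {
        return MOR_ALLOW;            /* not a MOR variable: the hook does not care */
    }
    if (!ctx->policy_enabled && is_delete(attributes, data_size)) {
        return MOR_ALLOW;            /* the early return the patch adds */
    }
    if (ctx->mor_locked) {
        return MOR_ACCESS_DENIED;    /* MorLock enforcement (simplified) */
    }
    return MOR_ALLOW;
}

int main(void) {
    const uint32_t rw = EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS |
                        EFI_VARIABLE_RUNTIME_ACCESS;
    const mor_ctx on_locked  = { .policy_enabled = true,  .mor_locked = true };
    const mor_ctx off_locked = { .policy_enabled = false, .mor_locked = true };
    const char *mor = "MemoryOverwriteRequestControl";

    printf("policy on,  locked, delete MOR          -> %d\n",
           mor_check(&on_locked, mor, 0, 0, patch_is_delete));
    printf("policy off, locked, delete MOR          -> %d\n",
           mor_check(&off_locked, mor, 0, 0, patch_is_delete));
    printf("policy off, locked, write 1 byte        -> %d\n",
           mor_check(&off_locked, mor, rw, 1, patch_is_delete));
    printf("policy off, locked, 0-byte append       -> %d (patch test)\n",
           mor_check(&off_locked, mor, rw | EFI_VARIABLE_APPEND_WRITE, 0, patch_is_delete));
    printf("policy off, locked, 0-byte append       -> %d (strict test)\n",
           mor_check(&off_locked, mor, rw | EFI_VARIABLE_APPEND_WRITE, 0, strict_is_delete));
    return 0;
}
```

Running it shows the two properties the commit message claims (a delete passes only with the policy engine off; a one-byte write is still denied while locked) and the one case where the patch's test and the stricter test disagree, the zero-length append.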