From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pf1-f195.google.com (mail-pf1-f195.google.com [209.85.210.195]) by mx.groups.io with SMTP id smtpd.web12.8025.1604904404960429172 for ; Sun, 08 Nov 2020 22:46:45 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@corthon-com.20150623.gappssmtp.com header.s=20150623 header.b=wVRZDmPb; spf=none, err=permanent DNS error (domain: corthon.com, ip: 209.85.210.195, mailfrom: bret@corthon.com) Received: by mail-pf1-f195.google.com with SMTP id c20so7191568pfr.8 for ; Sun, 08 Nov 2020 22:46:44 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=corthon-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=eWl0UOdiOkxijvjJu9bxevnvPwjKnG3ci8d2FrtrHzI=; b=wVRZDmPbfe3pkYKvIStasTiVm8vQo7ttSiInZ7qK9V6UIpElvcb0kmZQLWRsis0qQk KcbP3FTC1zbxgsjxNH1tweQjQ/1+awWL4nI7q31zYe2ukMpoexazu9SANrJOmxCbiwBb hOAC0Y1QAztRpXpbknzl6sH2dOj2qSgh08QnjLQfFdq2TVWVjMBKOFfepKHcx2XDwJNc jcWAPgy4GnpxA8EDlNUWq/ux26bdwx351aMWUO4t9nXfxwXuGsKrCCVTSmdOo7iJJpWU STzQShHgR0ZMtnLf3uKeQvXfN3Wp9cBRGEYvA2E4SL9Sq78287WE19Th0QTuB1Y/oP8f fbYw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=eWl0UOdiOkxijvjJu9bxevnvPwjKnG3ci8d2FrtrHzI=; b=S7/cf7JlyedSSHKe0V0uv0oLvw1fjtzTrJQ3i5Mjoax8cgUngcllhUidHtSbK2x6LV kKuVlvNBVMz+O6lxrb9Z9YJGo3qg13OQmwZsutRJZWjAbtwQHsDWWoFp+kUm1VSCBJ1n Dv9f8LmsfnJaX4p1AImSL1nBJSg+RIvh8tO1EPWDEvRM010zDtyHKyD+woYHOlN4/DuL gL6ScrgNXISIlS/9e4De5bT07h2bgNRjNlI27ornDWCDzotE57T5QSPPYc3xWSvSpKmN EvmkXZYVBBTTEC0z1rc6Uf8WzqP+ueuTeXADUPLVKRJrrOC+BVmILXvvoprQs0/UEqqR GO/w== X-Gm-Message-State: AOAM531yGLd6PX77+Ecoz92KnA6Wxue8VklkLg4OaCx/UVb66sonTzmN iN6jifPUnP9fnTgNZW1W7O4TKO+rrfzwvxxs X-Google-Smtp-Source: ABdhPJzBWqTejCd9x+P2Dl0pvlcrbdyjCQM2ZONBXTD9wa/xY19gzhd/KRymyXK4jSgssXCSX6EFwA== X-Received: by 2002:a62:2a8a:0:b029:18b:83c1:60af with SMTP id q132-20020a622a8a0000b029018b83c160afmr12694080pfq.54.1604904404248; Sun, 08 Nov 2020 22:46:44 -0800 (PST) Return-Path: Received: from localhost.localdomain ([71.212.128.184]) by smtp.gmail.com with ESMTPSA id s145sm10215111pfs.187.2020.11.08.22.46.42 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 08 Nov 2020 22:46:43 -0800 (PST) From: "Bret Barkelew" X-Google-Original-From: Bret Barkelew To: devel@edk2.groups.io Cc: Jian J Wang , Hao A Wu , Liming Gao , Bret Barkelew , Dandan Bi Subject: [PATCH v9 12/13] MdeModulePkg: Change TCG MOR variables to use VariablePolicy Date: Sun, 8 Nov 2020 22:45:21 -0800 Message-Id: <20201109064522.919-13-bret.barkelew@microsoft.com> X-Mailer: git-send-email 2.28.0.windows.1 In-Reply-To: <20201109064522.919-1-bret.barkelew@microsoft.com> References: <20201109064522.919-1-bret.barkelew@microsoft.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable From: Bret Barkelew https://bugzilla.tianocore.org/show_bug.cgi?id=3D2522 These were previously using VarLock, which is being deprecated. Cc: Jian J Wang Cc: Hao A Wu Cc: Liming Gao Cc: Bret Barkelew Signed-off-by: Bret Barkelew Reviewed-by: Dandan Bi Acked-by: Jian J Wang --- MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c | 52 += +++++++++++++------ MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c | 52 += ++++++++++++++----- MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf | 2 + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf | 1 + 4 files changed, 82 insertions(+), 25 deletions(-) diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c b/M= deModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c index e7accf4ed806..b85f08c48c11 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c @@ -5,6 +5,7 @@ MOR lock control unsupported.=0D =0D Copyright (c) 2016, Intel Corporation. All rights reserved.
=0D +Copyright (c) Microsoft Corporation.=0D SPDX-License-Identifier: BSD-2-Clause-Patent=0D =0D **/=0D @@ -17,7 +18,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include =0D #include "Variable.h"=0D =0D -extern EDKII_VARIABLE_LOCK_PROTOCOL mVariableLock;=0D +#include =0D +#include =0D =0D /**=0D This service is an MOR/MorLock checker handler for the SetVariable().=0D @@ -77,11 +79,6 @@ MorLockInit ( NULL // Data=0D );=0D =0D - //=0D - // Need set this variable to be read-only to prevent other module set it= .=0D - //=0D - VariableLockRequestToLock (&mVariableLock, MEMORY_OVERWRITE_REQUEST_CONT= ROL_LOCK_NAME, &gEfiMemoryOverwriteRequestControlLockGuid);=0D -=0D //=0D // The MOR variable can effectively improve platform security only when = the=0D // MorLock variable protects the MOR variable. In turn MorLock cannot be= made=0D @@ -99,11 +96,6 @@ MorLockInit ( 0, // DataSize=0D NULL // Data=0D );=0D - VariableLockRequestToLock (=0D - &mVariableLock,=0D - MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,=0D - &gEfiMemoryOverwriteControlDataGuid=0D - );=0D =0D return EFI_SUCCESS;=0D }=0D @@ -118,7 +110,39 @@ MorLockInitAtEndOfDxe ( VOID=0D )=0D {=0D - //=0D - // Do nothing.=0D - //=0D + EFI_STATUS Status;=0D + EDKII_VARIABLE_POLICY_PROTOCOL *VariablePolicy;=0D +=0D + // First, we obviously need to locate the VariablePolicy protocol.=0D + Status =3D gBS->LocateProtocol( &gEdkiiVariablePolicyProtocolGuid, NULL,= (VOID**)&VariablePolicy );=0D + if (EFI_ERROR( Status )) {=0D + DEBUG(( DEBUG_ERROR, "%a - Could not locate VariablePolicy protocol! %= r\n", __FUNCTION__, Status ));=0D + return;=0D + }=0D +=0D + // If we're successful, go ahead and set the policies to protect the tar= get variables.=0D + Status =3D RegisterBasicVariablePolicy( VariablePolicy,=0D + &gEfiMemoryOverwriteRequestControl= LockGuid,=0D + MEMORY_OVERWRITE_REQUEST_CONTROL_L= OCK_NAME,=0D + VARIABLE_POLICY_NO_MIN_SIZE,=0D + VARIABLE_POLICY_NO_MAX_SIZE,=0D + VARIABLE_POLICY_NO_MUST_ATTR,=0D + VARIABLE_POLICY_NO_CANT_ATTR,=0D + VARIABLE_POLICY_TYPE_LOCK_NOW );=0D + if (EFI_ERROR( Status )) {=0D + DEBUG(( DEBUG_ERROR, "%a - Could not lock variable %s! %r\n", __FUNCTI= ON__, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, Status ));=0D + }=0D + Status =3D RegisterBasicVariablePolicy( VariablePolicy,=0D + &gEfiMemoryOverwriteControlDataGui= d,=0D + MEMORY_OVERWRITE_REQUEST_VARIABLE_= NAME,=0D + VARIABLE_POLICY_NO_MIN_SIZE,=0D + VARIABLE_POLICY_NO_MAX_SIZE,=0D + VARIABLE_POLICY_NO_MUST_ATTR,=0D + VARIABLE_POLICY_NO_CANT_ATTR,=0D + VARIABLE_POLICY_TYPE_LOCK_NOW );=0D + if (EFI_ERROR( Status )) {=0D + DEBUG(( DEBUG_ERROR, "%a - Could not lock variable %s! %r\n", __FUNCTI= ON__, MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, Status ));=0D + }=0D +=0D + return;=0D }=0D diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c b/M= deModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c index 085f82035f4b..ee37942a6b0c 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c @@ -19,7 +19,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include "Variable.h"=0D =0D #include =0D -=0D +#include =0D #include =0D =0D typedef struct {=0D @@ -422,6 +422,8 @@ MorLockInitAtEndOfDxe ( {=0D UINTN MorSize;=0D EFI_STATUS MorStatus;=0D + EFI_STATUS Status;=0D + VARIABLE_POLICY_ENTRY *NewPolicy;=0D =0D if (!mMorLockInitializationRequired) {=0D //=0D @@ -494,11 +496,25 @@ MorLockInitAtEndOfDxe ( // The MOR variable is absent; the platform firmware does not support it= .=0D // Lock the variable so that no other module may create it.=0D //=0D - VariableLockRequestToLock (=0D - NULL, // This=0D - MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,=0D - &gEfiMemoryOverwriteControlDataGuid=0D - );=0D + NewPolicy =3D NULL;=0D + Status =3D CreateBasicVariablePolicy( &gEfiMemoryOverwriteControlDataGui= d,=0D + MEMORY_OVERWRITE_REQUEST_VARIABLE_NA= ME,=0D + VARIABLE_POLICY_NO_MIN_SIZE,=0D + VARIABLE_POLICY_NO_MAX_SIZE,=0D + VARIABLE_POLICY_NO_MUST_ATTR,=0D + VARIABLE_POLICY_NO_CANT_ATTR,=0D + VARIABLE_POLICY_TYPE_LOCK_NOW,=0D + &NewPolicy );=0D + if (!EFI_ERROR( Status )) {=0D + Status =3D RegisterVariablePolicy( NewPolicy );=0D + }=0D + if (EFI_ERROR( Status )) {=0D + DEBUG(( DEBUG_ERROR, "%a - Failed to lock variable %s! %r\n", __FUNCTI= ON__, MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, Status ));=0D + ASSERT_EFI_ERROR( Status );=0D + }=0D + if (NewPolicy !=3D NULL) {=0D + FreePool( NewPolicy );=0D + }=0D =0D //=0D // Delete the MOR Control Lock variable too (should it exists for some=0D @@ -514,9 +530,23 @@ MorLockInitAtEndOfDxe ( );=0D mMorLockPassThru =3D FALSE;=0D =0D - VariableLockRequestToLock (=0D - NULL, // This=0D - MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME,=0D - &gEfiMemoryOverwriteRequestControlLockGuid=0D - );=0D + NewPolicy =3D NULL;=0D + Status =3D CreateBasicVariablePolicy( &gEfiMemoryOverwriteRequestControl= LockGuid,=0D + MEMORY_OVERWRITE_REQUEST_CONTROL_LOC= K_NAME,=0D + VARIABLE_POLICY_NO_MIN_SIZE,=0D + VARIABLE_POLICY_NO_MAX_SIZE,=0D + VARIABLE_POLICY_NO_MUST_ATTR,=0D + VARIABLE_POLICY_NO_CANT_ATTR,=0D + VARIABLE_POLICY_TYPE_LOCK_NOW,=0D + &NewPolicy );=0D + if (!EFI_ERROR( Status )) {=0D + Status =3D RegisterVariablePolicy( NewPolicy );=0D + }=0D + if (EFI_ERROR( Status )) {=0D + DEBUG(( DEBUG_ERROR, "%a - Failed to lock variable %s! %r\n", __FUNCTI= ON__, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, Status ));=0D + ASSERT_EFI_ERROR( Status );=0D + }=0D + if (NewPolicy !=3D NULL) {=0D + FreePool( NewPolicy );=0D + }=0D }=0D diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.= inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf index 48ac167906f7..8debc560e6dc 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf @@ -71,6 +71,7 @@ [LibraryClasses] AuthVariableLib=0D VarCheckLib=0D VariablePolicyLib=0D + VariablePolicyHelperLib=0D =0D [Protocols]=0D gEfiFirmwareVolumeBlockProtocolGuid ## CONSUMES=0D @@ -80,6 +81,7 @@ [Protocols] gEfiVariableWriteArchProtocolGuid ## PRODUCES=0D gEfiVariableArchProtocolGuid ## PRODUCES=0D gEdkiiVariableLockProtocolGuid ## PRODUCES=0D + gEdkiiVariablePolicyProtocolGuid ## CONSUMES=0D gEdkiiVarCheckProtocolGuid ## PRODUCES=0D =0D [Guids]=0D diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneM= m.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf index d8f480be27cc..62f2f9252f43 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf @@ -76,6 +76,7 @@ [LibraryClasses] SynchronizationLib=0D VarCheckLib=0D VariablePolicyLib=0D + VariablePolicyHelperLib=0D =0D [Protocols]=0D gEfiSmmFirmwareVolumeBlockProtocolGuid ## CONSUMES=0D --=20 2.28.0.windows.1