From: "Kun Qin" <kuqin12@gmail.com>
To: devel@edk2.groups.io
Cc: Jiewen Yao <jiewen.yao@intel.com>,
Jian J Wang <jian.j.wang@intel.com>, Min Xu <min.m.xu@intel.com>
Subject: [PATCH v2 02/11] SecurityPkg: PlatformPKProtectionLib: Added PK protection interface
Date: Mon, 13 Jun 2022 13:39:33 -0700 [thread overview]
Message-ID: <20220613203943.704-3-kuqin12@gmail.com> (raw)
In-Reply-To: <20220613203943.704-1-kuqin12@gmail.com>
From: Kun Qin <kuqin@microsoft.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3911
This patch provides an abstracted interface for platform to implement PK
variable related protection interface, which is designed to be used when
PK variable is about to be changed by UEFI firmware.
This change also provided a variable policy based library implementation
to accomodate platforms that supports variable policy for variable
protections.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Signed-off-by: Kun Qin <kun.qin@microsoft.com>
---
SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c | 51 ++++++++++++++++++++
SecurityPkg/Include/Library/PlatformPKProtectionLib.h | 31 ++++++++++++
SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf | 36 ++++++++++++++
SecurityPkg/SecurityPkg.dec | 5 ++
SecurityPkg/SecurityPkg.dsc | 2 +
5 files changed, 125 insertions(+)
diff --git a/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c b/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c
new file mode 100644
index 000000000000..a2649242246f
--- /dev/null
+++ b/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c
@@ -0,0 +1,51 @@
+/** @file
+ Provides an abstracted interface for configuring PK related variable protection.
+
+ Copyright (c) Microsoft Corporation.
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+#include <Uefi.h>
+#include <Protocol/VariablePolicy.h>
+
+#include <Library/DebugLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+
+/**
+ Disable any applicable protection against variable 'PK'. The implementation
+ of this interface is platform specific, depending on the protection techniques
+ used per platform.
+
+ Note: It is the platform's responsibility to conduct cautious operation after
+ disabling this protection.
+
+ @retval EFI_SUCCESS State has been successfully updated.
+ @retval Others Error returned from implementation specific
+ underying APIs.
+
+**/
+EFI_STATUS
+EFIAPI
+DisablePKProtection (
+ VOID
+ )
+{
+ EFI_STATUS Status;
+ EDKII_VARIABLE_POLICY_PROTOCOL *VariablePolicy;
+
+ DEBUG ((DEBUG_INFO, "%a() Entry...\n", __FUNCTION__));
+
+ // IMPORTANT NOTE: This operation is sticky and leaves variable protections disabled.
+ // The system *MUST* be reset after performing this operation.
+ Status = gBS->LocateProtocol (&gEdkiiVariablePolicyProtocolGuid, NULL, (VOID **)&VariablePolicy);
+ if (!EFI_ERROR (Status)) {
+ Status = VariablePolicy->DisableVariablePolicy ();
+ // EFI_ALREADY_STARTED means that everything is currently disabled.
+ // This should be considered SUCCESS.
+ if (Status == EFI_ALREADY_STARTED) {
+ Status = EFI_SUCCESS;
+ }
+ }
+
+ return Status;
+}
diff --git a/SecurityPkg/Include/Library/PlatformPKProtectionLib.h b/SecurityPkg/Include/Library/PlatformPKProtectionLib.h
new file mode 100644
index 000000000000..3586a47b77c2
--- /dev/null
+++ b/SecurityPkg/Include/Library/PlatformPKProtectionLib.h
@@ -0,0 +1,31 @@
+/** @file
+ Provides an abstracted interface for configuring PK related variable protection.
+
+ Copyright (c) Microsoft Corporation.
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef PLATFORM_PK_PROTECTION_LIB_H_
+#define PLATFORM_PK_PROTECTION_LIB_H_
+
+/**
+ Disable any applicable protection against variable 'PK'. The implementation
+ of this interface is platform specific, depending on the protection techniques
+ used per platform.
+
+ Note: It is the platform's responsibility to conduct cautious operation after
+ disabling this protection.
+
+ @retval EFI_SUCCESS State has been successfully updated.
+ @retval Others Error returned from implementation specific
+ underying APIs.
+
+**/
+EFI_STATUS
+EFIAPI
+DisablePKProtection (
+ VOID
+ );
+
+#endif
diff --git a/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf b/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf
new file mode 100644
index 000000000000..df42ce06c019
--- /dev/null
+++ b/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf
@@ -0,0 +1,36 @@
+## @file
+# Provides an abstracted interface for configuring PK related variable protection.
+#
+# Copyright (c) Microsoft Corporation.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = PlatformPKProtectionLibVarPolicy
+ FILE_GUID = AE0C5992-526C-4518-93BA-3C2611B801E0
+ MODULE_TYPE = DXE_DRIVER
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = PlatformPKProtectionLib|DXE_DRIVER DXE_RUNTIME_DRIVER UEFI_APPLICATION
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64 AARCH64
+#
+
+[Sources]
+ PlatformPKProtectionLibVarPolicy.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+ SecurityPkg/SecurityPkg.dec
+
+[LibraryClasses]
+ DebugLib
+ UefiBootServicesTableLib
+
+[Protocols]
+ gEdkiiVariablePolicyProtocolGuid
diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
index 0ee75efc1a97..7ecf9565d98c 100644
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@@ -99,6 +99,11 @@ [LibraryClasses]
## @libraryclass Provides support to enroll Secure Boot keys.
#
SecureBootVariableProvisionLib|Include/Library/SecureBootVariableProvisionLib.h
+
+ ## @libraryclass Provides support to manage variable 'PK' related protections.
+ #
+ PlatformPKProtectionLib|Include/Library/PlatformPKProtectionLib.h
+
[Guids]
## Security package token space guid.
# Include/Guid/SecurityPkgTokenSpace.h
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index d883747474e4..f48187650f2f 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -71,6 +71,7 @@ [LibraryClasses]
TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLogRecordLib.inf
MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf
SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+ PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf
SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
TdxLib|MdePkg/Library/TdxLib/TdxLib.inf
@@ -261,6 +262,7 @@ [Components]
#
SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf
SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf
+ SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf
#
# Other
--
2.35.1.windows.2
next prev parent reply other threads:[~2022-06-13 20:39 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-13 20:39 [PATCH v2 00/11] Enhance Secure Boot Variable Libraries Kun Qin
2022-06-13 20:39 ` [PATCH v2 01/11] SecurityPkg: UefiSecureBoot: Definitions of cert and payload structures Kun Qin
2022-06-13 20:39 ` Kun Qin [this message]
2022-06-13 20:39 ` [PATCH v2 03/11] SecurityPkg: SecureBootVariableLib: Updated time based payload creator Kun Qin
2022-06-13 20:39 ` [PATCH v2 04/11] SecurityPkg: SecureBootVariableLib: Updated signature list creator Kun Qin
2022-06-13 20:39 ` [PATCH v2 05/11] SecurityPkg: SecureBootVariableLib: Added newly supported interfaces Kun Qin
2022-06-13 20:39 ` [PATCH v2 06/11] SecurityPkg: SecureBootVariableProvisionLib: Updated implementation Kun Qin
2022-06-13 20:39 ` [PATCH v2 07/11] SecurityPkg: Secure Boot Drivers: Added common header files Kun Qin
2022-06-13 20:39 ` [PATCH v2 08/11] SecurityPkg: SecureBootConfigDxe: Updated invocation pattern Kun Qin
2022-06-13 20:39 ` [PATCH v2 09/11] SecurityPkg: SecureBootVariableLib: Added unit tests Kun Qin
2022-06-13 20:39 ` [PATCH v2 10/11] OvmfPkg: Pipeline: Resolve SecureBootVariableLib dependency Kun Qin
2022-06-13 20:39 ` [PATCH v2 11/11] EmulatorPkg: " Kun Qin
2022-06-24 9:08 ` Ni, Ray
2022-06-30 19:44 ` [edk2-devel] [PATCH v2 00/11] Enhance Secure Boot Variable Libraries Michael Kubacki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220613203943.704-3-kuqin12@gmail.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox