From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pl1-f180.google.com (mail-pl1-f180.google.com [209.85.214.180]) by mx.groups.io with SMTP id smtpd.web08.11156.1655152799464249408 for ; Mon, 13 Jun 2022 13:39:59 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20210112 header.b=Em/ZfIvw; spf=pass (domain: gmail.com, ip: 209.85.214.180, mailfrom: kuqin12@gmail.com) Received: by mail-pl1-f180.google.com with SMTP id d13so6026622plh.13 for ; Mon, 13 Jun 2022 13:39:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=NlkQxSQb4ccvlYOPpCBP+ZGvdcYeNnwe8J8PwHnP0LU=; b=Em/ZfIvwvDBIuubkRaD0r6SMPOzP9xKVFcVTbTomuRfOUSXrHyXfQdBNQdpTtHgn1z h+eGmAAHMSyvnmi6U6sYGXE4Cu0yefERFTu9XoAQ2m+cH4CJR6zwSrNWDhTlfHvjxF3D fDz9qG4Qji8WIDwjc93X+g6yzRvcMNDzJcV0kOF2j/QiRRC7Db+GJlj9slBHD+WJ6s9C OiYR92WUN5rYExnvRSVnrOYs97l3lFk89qUUB7uE2UM2aVK72RCzDbWS0gfp+MkM8Vri rg5gsMze2YReRaVlVOegs8euxWUxIBUfLMa0A5UAcp1yeXn8FY72N9a7sImDzq2DkdmT P62Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=NlkQxSQb4ccvlYOPpCBP+ZGvdcYeNnwe8J8PwHnP0LU=; b=riq4zaCA5X4++1lbKuVIiCG7KtDYzAB0YsSKMXY9ujFysgbysN/4NnEMG9ExbeWLJD 8vg/L44eqppJRiCVfrmRD5KaanYbK1JVabDS/lYIwIZFJ1mtZbANvFmZ4VxrTnD+dohI 49xCr5TuIgTQ3pWobQCWfJh9SKDc6F5m9EMer09igI31druI2+jildrPzlt382TQwJFN 6Bh3tB1ndcTY42TNRWZCXlGZWjHp8G4REPlBLqfWCz9ReDbt+UjIpOwu9F7ik8O6CRYc ALhvU8p1qkFe5Ze+YuWBPU6k0KYtzGe3GIKPebc2l6YhkVfwh6/qBryVyfOle58+uq8j BNoA== X-Gm-Message-State: AJIora+TMgznWm5D/9MEySb0SrEDOpAUqTrbjsadFVA5qCp9jS62VKXL f9/A/4FOOz+0Rj8Hq3+vXuTu/aAHbXNf7w== X-Google-Smtp-Source: AGRyM1uKxdIuTHPwK3TMok49w75Y2IFDVgJflYTP9rs8+ckwsBRoXS6CKs06J8g+5lLIi6W9Xo6oWg== X-Received: by 2002:a17:90a:cc7:b0:1ea:3993:78f9 with SMTP id 7-20020a17090a0cc700b001ea399378f9mr542708pjt.179.1655152798744; Mon, 13 Jun 2022 13:39:58 -0700 (PDT) Return-Path: Received: from localhost.localdomain ([50.35.66.9]) by smtp.gmail.com with ESMTPSA id g14-20020a17090a578e00b001ea90dada74sm5603239pji.12.2022.06.13.13.39.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 13 Jun 2022 13:39:58 -0700 (PDT) From: "Kun Qin" To: devel@edk2.groups.io Cc: Jiewen Yao , Jian J Wang , Min Xu Subject: [PATCH v2 02/11] SecurityPkg: PlatformPKProtectionLib: Added PK protection interface Date: Mon, 13 Jun 2022 13:39:33 -0700 Message-Id: <20220613203943.704-3-kuqin12@gmail.com> X-Mailer: git-send-email 2.35.1.windows.2 In-Reply-To: <20220613203943.704-1-kuqin12@gmail.com> References: <20220613203943.704-1-kuqin12@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Kun Qin REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3911 This patch provides an abstracted interface for platform to implement PK variable related protection interface, which is designed to be used when PK variable is about to be changed by UEFI firmware. This change also provided a variable policy based library implementation to accomodate platforms that supports variable policy for variable protections. Cc: Jiewen Yao Cc: Jian J Wang Cc: Min Xu Signed-off-by: Kun Qin --- SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c | 51 ++++++++++++++++++++ SecurityPkg/Include/Library/PlatformPKProtectionLib.h | 31 ++++++++++++ SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf | 36 ++++++++++++++ SecurityPkg/SecurityPkg.dec | 5 ++ SecurityPkg/SecurityPkg.dsc | 2 + 5 files changed, 125 insertions(+) diff --git a/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c b/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c new file mode 100644 index 000000000000..a2649242246f --- /dev/null +++ b/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c @@ -0,0 +1,51 @@ +/** @file + Provides an abstracted interface for configuring PK related variable protection. + + Copyright (c) Microsoft Corporation. + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ +#include +#include + +#include +#include + +/** + Disable any applicable protection against variable 'PK'. The implementation + of this interface is platform specific, depending on the protection techniques + used per platform. + + Note: It is the platform's responsibility to conduct cautious operation after + disabling this protection. + + @retval EFI_SUCCESS State has been successfully updated. + @retval Others Error returned from implementation specific + underying APIs. + +**/ +EFI_STATUS +EFIAPI +DisablePKProtection ( + VOID + ) +{ + EFI_STATUS Status; + EDKII_VARIABLE_POLICY_PROTOCOL *VariablePolicy; + + DEBUG ((DEBUG_INFO, "%a() Entry...\n", __FUNCTION__)); + + // IMPORTANT NOTE: This operation is sticky and leaves variable protections disabled. + // The system *MUST* be reset after performing this operation. + Status = gBS->LocateProtocol (&gEdkiiVariablePolicyProtocolGuid, NULL, (VOID **)&VariablePolicy); + if (!EFI_ERROR (Status)) { + Status = VariablePolicy->DisableVariablePolicy (); + // EFI_ALREADY_STARTED means that everything is currently disabled. + // This should be considered SUCCESS. + if (Status == EFI_ALREADY_STARTED) { + Status = EFI_SUCCESS; + } + } + + return Status; +} diff --git a/SecurityPkg/Include/Library/PlatformPKProtectionLib.h b/SecurityPkg/Include/Library/PlatformPKProtectionLib.h new file mode 100644 index 000000000000..3586a47b77c2 --- /dev/null +++ b/SecurityPkg/Include/Library/PlatformPKProtectionLib.h @@ -0,0 +1,31 @@ +/** @file + Provides an abstracted interface for configuring PK related variable protection. + + Copyright (c) Microsoft Corporation. + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef PLATFORM_PK_PROTECTION_LIB_H_ +#define PLATFORM_PK_PROTECTION_LIB_H_ + +/** + Disable any applicable protection against variable 'PK'. The implementation + of this interface is platform specific, depending on the protection techniques + used per platform. + + Note: It is the platform's responsibility to conduct cautious operation after + disabling this protection. + + @retval EFI_SUCCESS State has been successfully updated. + @retval Others Error returned from implementation specific + underying APIs. + +**/ +EFI_STATUS +EFIAPI +DisablePKProtection ( + VOID + ); + +#endif diff --git a/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf b/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf new file mode 100644 index 000000000000..df42ce06c019 --- /dev/null +++ b/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf @@ -0,0 +1,36 @@ +## @file +# Provides an abstracted interface for configuring PK related variable protection. +# +# Copyright (c) Microsoft Corporation. +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = PlatformPKProtectionLibVarPolicy + FILE_GUID = AE0C5992-526C-4518-93BA-3C2611B801E0 + MODULE_TYPE = DXE_DRIVER + VERSION_STRING = 1.0 + LIBRARY_CLASS = PlatformPKProtectionLib|DXE_DRIVER DXE_RUNTIME_DRIVER UEFI_APPLICATION + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 AARCH64 +# + +[Sources] + PlatformPKProtectionLibVarPolicy.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec + +[LibraryClasses] + DebugLib + UefiBootServicesTableLib + +[Protocols] + gEdkiiVariablePolicyProtocolGuid diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index 0ee75efc1a97..7ecf9565d98c 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -99,6 +99,11 @@ [LibraryClasses] ## @libraryclass Provides support to enroll Secure Boot keys. # SecureBootVariableProvisionLib|Include/Library/SecureBootVariableProvisionLib.h + + ## @libraryclass Provides support to manage variable 'PK' related protections. + # + PlatformPKProtectionLib|Include/Library/PlatformPKProtectionLib.h + [Guids] ## Security package token space guid. # Include/Guid/SecurityPkgTokenSpace.h diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index d883747474e4..f48187650f2f 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc @@ -71,6 +71,7 @@ [LibraryClasses] TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLogRecordLib.inf MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf + PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf TdxLib|MdePkg/Library/TdxLib/TdxLib.inf @@ -261,6 +262,7 @@ [Components] # SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf + SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf # # Other -- 2.35.1.windows.2