From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pf1-f181.google.com (mail-pf1-f181.google.com [209.85.210.181]) by mx.groups.io with SMTP id smtpd.web10.32235.1656633238523530917 for ; Thu, 30 Jun 2022 16:53:58 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20210112 header.b=iy67QO5f; spf=pass (domain: gmail.com, ip: 209.85.210.181, mailfrom: kuqin12@gmail.com) Received: by mail-pf1-f181.google.com with SMTP id 136so860982pfy.10 for ; Thu, 30 Jun 2022 16:53:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=AUfxa3ALwklSgN69Lci9UjL01ujGqaN2bOgfMgecafg=; b=iy67QO5fRWwX9AyBt1nEPjnF5nZks+lkIYNSRz3YfzJBLwj/kne46e9j6RI2MP3+Ml ojqpCWazF58NBij++DYWv3NfJn2/gG3GOpOrbb1Nq8ALBTwTf9FjHZsC5nkQ5DMcl3qd 8X9YaSYDULSiDuO9SuF8Ec/nazTpwh4ETuAVfznHKNhdh99exPSB3fmSlthwzGHNZt0b 2Tjki0d3AWPBp30b8ykZV5g5FlrUvEZz/MJxyfYYbZaIoPSYB3xRhNBaBEmq8Cp3dgPk eWHDJPO4IPrZnd9v54UAAswSsSWkJxaSmHnvBiYf5EyyZ2vHKmz3HIHXQWOY/2FsWxDW H+4Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=AUfxa3ALwklSgN69Lci9UjL01ujGqaN2bOgfMgecafg=; b=hvp3i42IrG/MSSQzVnPY7lCZNYwRQVaYykVuPE6sJOAV2eibTX7s+r22uL6PUGG7mi OugEUoYREOHwEPZBr0lvP60vRjepJ8qVihEnxLhcqqAKzHmwCYp3Ea/aPF5hoMHKP8Fd w+c6iiE4ApRfU2dDulBCksaot2Ol2JdXNBPalPMsGo4e2fLYWtPAMZXwlnuCGOfbmB9l Xw7WAYWN1dhEGOlOLZvez0vyVkELwX7usVu3kLgqnfTzsjj6mQ7EQO0uANwoUX1pCCJa IH2hSYsRgl0ZAalScrxtaQKZbsnNifC0GsVPwpxokOQCyfieM2OKntr2xuC8xaUfvwGz arvg== X-Gm-Message-State: AJIora/Q7sCdVr0KzxLkKkQ1ODso5gPVMEwJlcJAN6iIomx2zDpjQiR2 28sR5/uNk1HyPV7aJlsTpUvZlBsqJsc= X-Google-Smtp-Source: AGRyM1u/kcuDeY9d1WlG8ZZC8aaRq8AVRXceD34TAD0rj/0qEgDfx7xYi8gjWc6wwYf7h2Lc2llw+g== X-Received: by 2002:a63:1e49:0:b0:3fd:cf48:3694 with SMTP id p9-20020a631e49000000b003fdcf483694mr9850658pgm.275.1656633237911; Thu, 30 Jun 2022 16:53:57 -0700 (PDT) Return-Path: Received: from MININT-0U7P5GU.redmond.corp.microsoft.com ([2001:4898:80e8:7:19ac:d515:5a95:7969]) by smtp.gmail.com with ESMTPSA id x199-20020a627cd0000000b00525243d0dc6sm14679202pfc.15.2022.06.30.16.53.57 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 30 Jun 2022 16:53:57 -0700 (PDT) From: "Kun Qin" To: devel@edk2.groups.io Cc: Jiewen Yao , Jian J Wang , Min Xu , Jiewen Yao , Michael Kubacki Subject: [PATCH v3 02/11] SecurityPkg: PlatformPKProtectionLib: Added PK protection interface Date: Thu, 30 Jun 2022 16:53:32 -0700 Message-Id: <20220630235341.1746-3-kuqin12@gmail.com> X-Mailer: git-send-email 2.36.0.windows.1 In-Reply-To: <20220630235341.1746-1-kuqin12@gmail.com> References: <20220630235341.1746-1-kuqin12@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable From: Kun Qin REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D3911 This patch provides an abstracted interface for platform to implement PK variable related protection interface, which is designed to be used when PK variable is about to be changed by UEFI firmware. This change also provided a variable policy based library implementation to accomodate platforms that supports variable policy for variable protections. Cc: Jiewen Yao Cc: Jian J Wang Cc: Min Xu Signed-off-by: Kun Qin Reviewed-by: Jiewen Yao Acked-by: Michael Kubacki --- Notes: v3: - Added reviewed-by tag [Jiewen] - Added acked-by tag [Michael Kubacki] SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionL= ibVarPolicy.c | 51 ++++++++++++++++++++ SecurityPkg/Include/Library/PlatformPKProtectionLib.h = | 31 ++++++++++++ SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionL= ibVarPolicy.inf | 36 ++++++++++++++ SecurityPkg/SecurityPkg.dec = | 5 ++ SecurityPkg/SecurityPkg.dsc = | 2 + 5 files changed, 125 insertions(+) diff --git a/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformP= KProtectionLibVarPolicy.c b/SecurityPkg/Library/PlatformPKProtectionLibVarP= olicy/PlatformPKProtectionLibVarPolicy.c new file mode 100644 index 000000000000..a2649242246f --- /dev/null +++ b/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtec= tionLibVarPolicy.c @@ -0,0 +1,51 @@ +/** @file=0D + Provides an abstracted interface for configuring PK related variable pro= tection.=0D +=0D + Copyright (c) Microsoft Corporation.=0D + SPDX-License-Identifier: BSD-2-Clause-Patent=0D +=0D +**/=0D +#include =0D +#include =0D +=0D +#include =0D +#include =0D +=0D +/**=0D + Disable any applicable protection against variable 'PK'. The implementat= ion=0D + of this interface is platform specific, depending on the protection tech= niques=0D + used per platform.=0D +=0D + Note: It is the platform's responsibility to conduct cautious operation = after=0D + disabling this protection.=0D +=0D + @retval EFI_SUCCESS State has been successfully updated.= =0D + @retval Others Error returned from implementation s= pecific=0D + underying APIs.=0D +=0D +**/=0D +EFI_STATUS=0D +EFIAPI=0D +DisablePKProtection (=0D + VOID=0D + )=0D +{=0D + EFI_STATUS Status;=0D + EDKII_VARIABLE_POLICY_PROTOCOL *VariablePolicy;=0D +=0D + DEBUG ((DEBUG_INFO, "%a() Entry...\n", __FUNCTION__));=0D +=0D + // IMPORTANT NOTE: This operation is sticky and leaves variable protecti= ons disabled.=0D + // The system *MUST* be reset after performing this ope= ration.=0D + Status =3D gBS->LocateProtocol (&gEdkiiVariablePolicyProtocolGuid, NULL,= (VOID **)&VariablePolicy);=0D + if (!EFI_ERROR (Status)) {=0D + Status =3D VariablePolicy->DisableVariablePolicy ();=0D + // EFI_ALREADY_STARTED means that everything is currently disabled.=0D + // This should be considered SUCCESS.=0D + if (Status =3D=3D EFI_ALREADY_STARTED) {=0D + Status =3D EFI_SUCCESS;=0D + }=0D + }=0D +=0D + return Status;=0D +}=0D diff --git a/SecurityPkg/Include/Library/PlatformPKProtectionLib.h b/Securi= tyPkg/Include/Library/PlatformPKProtectionLib.h new file mode 100644 index 000000000000..3586a47b77c2 --- /dev/null +++ b/SecurityPkg/Include/Library/PlatformPKProtectionLib.h @@ -0,0 +1,31 @@ +/** @file=0D + Provides an abstracted interface for configuring PK related variable pro= tection.=0D +=0D + Copyright (c) Microsoft Corporation.=0D + SPDX-License-Identifier: BSD-2-Clause-Patent=0D +=0D +**/=0D +=0D +#ifndef PLATFORM_PK_PROTECTION_LIB_H_=0D +#define PLATFORM_PK_PROTECTION_LIB_H_=0D +=0D +/**=0D + Disable any applicable protection against variable 'PK'. The implementat= ion=0D + of this interface is platform specific, depending on the protection tech= niques=0D + used per platform.=0D +=0D + Note: It is the platform's responsibility to conduct cautious operation = after=0D + disabling this protection.=0D +=0D + @retval EFI_SUCCESS State has been successfully updated.= =0D + @retval Others Error returned from implementation s= pecific=0D + underying APIs.=0D +=0D +**/=0D +EFI_STATUS=0D +EFIAPI=0D +DisablePKProtection (=0D + VOID=0D + );=0D +=0D +#endif=0D diff --git a/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformP= KProtectionLibVarPolicy.inf b/SecurityPkg/Library/PlatformPKProtectionLibVa= rPolicy/PlatformPKProtectionLibVarPolicy.inf new file mode 100644 index 000000000000..df42ce06c019 --- /dev/null +++ b/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtec= tionLibVarPolicy.inf @@ -0,0 +1,36 @@ +## @file=0D +# Provides an abstracted interface for configuring PK related variable pr= otection.=0D +#=0D +# Copyright (c) Microsoft Corporation.=0D +# SPDX-License-Identifier: BSD-2-Clause-Patent=0D +#=0D +##=0D +=0D +[Defines]=0D + INF_VERSION =3D 0x00010005=0D + BASE_NAME =3D PlatformPKProtectionLibVarPolicy=0D + FILE_GUID =3D AE0C5992-526C-4518-93BA-3C2611B801E0= =0D + MODULE_TYPE =3D DXE_DRIVER=0D + VERSION_STRING =3D 1.0=0D + LIBRARY_CLASS =3D PlatformPKProtectionLib|DXE_DRIVER DX= E_RUNTIME_DRIVER UEFI_APPLICATION=0D +=0D +#=0D +# The following information is for reference only and not required by the = build tools.=0D +#=0D +# VALID_ARCHITECTURES =3D IA32 X64 AARCH64=0D +#=0D +=0D +[Sources]=0D + PlatformPKProtectionLibVarPolicy.c=0D +=0D +[Packages]=0D + MdePkg/MdePkg.dec=0D + MdeModulePkg/MdeModulePkg.dec=0D + SecurityPkg/SecurityPkg.dec=0D +=0D +[LibraryClasses]=0D + DebugLib=0D + UefiBootServicesTableLib=0D +=0D +[Protocols]=0D + gEdkiiVariablePolicyProtocolGuid=0D diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index 0ee75efc1a97..7ecf9565d98c 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -99,6 +99,11 @@ [LibraryClasses] ## @libraryclass Provides support to enroll Secure Boot keys.=0D #=0D SecureBootVariableProvisionLib|Include/Library/SecureBootVariableProvisi= onLib.h=0D +=0D + ## @libraryclass Provides support to manage variable 'PK' related prote= ctions.=0D + #=0D + PlatformPKProtectionLib|Include/Library/PlatformPKProtectionLib.h=0D +=0D [Guids]=0D ## Security package token space guid.=0D # Include/Guid/SecurityPkgTokenSpace.h=0D diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index d883747474e4..f48187650f2f 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc @@ -71,6 +71,7 @@ [LibraryClasses] TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLo= gRecordLib.inf=0D MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibN= ull.inf=0D SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBo= otVariableLib.inf=0D + PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPo= licy/PlatformPKProtectionLibVarPolicy.inf=0D SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariablePro= visionLib/SecureBootVariableProvisionLib.inf=0D TdxLib|MdePkg/Library/TdxLib/TdxLib.inf=0D =0D @@ -261,6 +262,7 @@ [Components] #=0D SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf=0D SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf=0D + SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectio= nLibVarPolicy.inf=0D =0D #=0D # Other=0D --=20 2.36.0.windows.1