From: "Michael Kubacki" <mikuback@linux.microsoft.com>
To: devel@edk2.groups.io
Cc: Dandan Bi <dandan.bi@intel.com>, Hao A Wu <hao.a.wu@intel.com>,
Jian J Wang <jian.j.wang@intel.com>,
Liming Gao <gaoliming@byosoft.com.cn>,
Ard Biesheuvel <ardb@kernel.org>
Subject: [edk2-devel] [PATCH v3 1/4] MdeModulePkg/VariablePolicy: Add more granular variable policy querying
Date: Mon, 30 Oct 2023 16:31:09 -0400 [thread overview]
Message-ID: <20231030203112.736-2-mikuback@linux.microsoft.com> (raw)
In-Reply-To: <20231030203112.736-1-mikuback@linux.microsoft.com>
From: Michael Kubacki <michael.kubacki@microsoft.com>
Introduces two new APIs to EDKII_VARIABLE_POLICY_PROTOCOL:
1. GetVariablePolicyInfo()
2. GetLockOnVariableStateVariablePolicyInfo()
These allow a caller to retrieve policy information associated with
a UEFI variable given the variable name and vendor GUID.
GetVariablePolicyInfo() - Returns the variable policy applied to the
UEFI variable. If the variable policy is applied toward an individual
UEFI variable, that name can optionally be returned.
GetLockOnVariableStateVariablePolicyInfo() - Returns the Lock on
Variable State policy applied to the UEFI variable. If the Lock on
Variable State policy is applied to a specific variable name, that
name can optionally be returned.
These functions can be useful for a variety of purposes such as
auditing, testing, and functional flows.
Also fixed some variable name typos in code touched by the changes.
Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
---
MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c | 174 ++++++++--
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c | 304 +++++++++++++++++
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c | 4 +-
MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c | 346 +++++++++++++++++++-
MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h | 39 ++-
MdeModulePkg/Include/Library/VariablePolicyLib.h | 107 ++++++
MdeModulePkg/Include/Protocol/VariablePolicy.h | 133 +++++++-
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf | 1 +
8 files changed, 1062 insertions(+), 46 deletions(-)
diff --git a/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c b/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c
index 5de46133bb26..1448af85555a 100644
--- a/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c
+++ b/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c
@@ -76,14 +76,20 @@ VarCheckPolicyLibMmiHandler (
VOID *InternalCommBuffer;
EFI_STATUS Status;
EFI_STATUS SubCommandStatus;
- VAR_CHECK_POLICY_COMM_HEADER *PolicyCommmHeader;
- VAR_CHECK_POLICY_COMM_HEADER *InternalPolicyCommmHeader;
+ VAR_CHECK_POLICY_COMM_HEADER *PolicyCommHeader;
+ VAR_CHECK_POLICY_COMM_HEADER *InternalPolicyCommHeader;
VAR_CHECK_POLICY_COMM_IS_ENABLED_PARAMS *IsEnabledParams;
VAR_CHECK_POLICY_COMM_DUMP_PARAMS *DumpParamsIn;
VAR_CHECK_POLICY_COMM_DUMP_PARAMS *DumpParamsOut;
+ VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS *GetInfoParamsInternal;
+ VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS *GetInfoParamsExternal;
+ CHAR16 *InternalCopyOfOutputVariableName;
+ CHAR16 *ExternalCopyOfOutputVariableName;
UINT8 *DumpInputBuffer;
UINT8 *DumpOutputBuffer;
+ UINTN AllowedOutputVariableNameSize;
UINTN DumpTotalPages;
+ UINTN LocalSize;
VARIABLE_POLICY_ENTRY *PolicyEntry;
UINTN ExpectedSize;
UINT32 TempSize;
@@ -122,21 +128,21 @@ VarCheckPolicyLibMmiHandler (
//
InternalCommBuffer = &mSecurityEvalBuffer[0];
CopyMem (InternalCommBuffer, CommBuffer, InternalCommBufferSize);
- PolicyCommmHeader = CommBuffer;
- InternalPolicyCommmHeader = InternalCommBuffer;
+ PolicyCommHeader = CommBuffer;
+ InternalPolicyCommHeader = InternalCommBuffer;
// Check the revision and the signature of the comm header.
- if ((InternalPolicyCommmHeader->Signature != VAR_CHECK_POLICY_COMM_SIG) ||
- (InternalPolicyCommmHeader->Revision != VAR_CHECK_POLICY_COMM_REVISION))
+ if ((InternalPolicyCommHeader->Signature != VAR_CHECK_POLICY_COMM_SIG) ||
+ (InternalPolicyCommHeader->Revision != VAR_CHECK_POLICY_COMM_REVISION))
{
DEBUG ((DEBUG_INFO, "%a - Signature or revision are incorrect!\n", __func__));
// We have verified the buffer is not null and have enough size to hold Result field.
- PolicyCommmHeader->Result = EFI_INVALID_PARAMETER;
+ PolicyCommHeader->Result = EFI_INVALID_PARAMETER;
return EFI_SUCCESS;
}
// If we're in the middle of a paginated dump and any other command is sent,
// pagination cache must be cleared.
- if ((mPaginationCache != NULL) && (InternalPolicyCommmHeader->Command != mCurrentPaginationCommand)) {
+ if ((mPaginationCache != NULL) && (InternalPolicyCommHeader->Command != mCurrentPaginationCommand)) {
FreePool (mPaginationCache);
mPaginationCache = NULL;
mPaginationCacheSize = 0;
@@ -146,10 +152,10 @@ VarCheckPolicyLibMmiHandler (
//
// Now we can process the command as it was sent.
//
- PolicyCommmHeader->Result = EFI_ABORTED; // Set a default return for incomplete commands.
- switch (InternalPolicyCommmHeader->Command) {
+ PolicyCommHeader->Result = EFI_ABORTED; // Set a default return for incomplete commands.
+ switch (InternalPolicyCommHeader->Command) {
case VAR_CHECK_POLICY_COMMAND_DISABLE:
- PolicyCommmHeader->Result = DisableVariablePolicy ();
+ PolicyCommHeader->Result = DisableVariablePolicy ();
break;
case VAR_CHECK_POLICY_COMMAND_IS_ENABLED:
@@ -158,14 +164,14 @@ VarCheckPolicyLibMmiHandler (
ExpectedSize += sizeof (VAR_CHECK_POLICY_COMM_IS_ENABLED_PARAMS);
if (InternalCommBufferSize < ExpectedSize) {
DEBUG ((DEBUG_INFO, "%a - Bad comm buffer size! %d < %d\n", __func__, InternalCommBufferSize, ExpectedSize));
- PolicyCommmHeader->Result = EFI_INVALID_PARAMETER;
+ PolicyCommHeader->Result = EFI_INVALID_PARAMETER;
break;
}
// Now that we know we've got a valid size, we can fill in the rest of the data.
- IsEnabledParams = (VAR_CHECK_POLICY_COMM_IS_ENABLED_PARAMS *)((UINT8 *)CommBuffer + sizeof (VAR_CHECK_POLICY_COMM_HEADER));
- IsEnabledParams->State = IsVariablePolicyEnabled ();
- PolicyCommmHeader->Result = EFI_SUCCESS;
+ IsEnabledParams = (VAR_CHECK_POLICY_COMM_IS_ENABLED_PARAMS *)((UINT8 *)CommBuffer + sizeof (VAR_CHECK_POLICY_COMM_HEADER));
+ IsEnabledParams->State = IsVariablePolicyEnabled ();
+ PolicyCommHeader->Result = EFI_SUCCESS;
break;
case VAR_CHECK_POLICY_COMMAND_REGISTER:
@@ -174,7 +180,7 @@ VarCheckPolicyLibMmiHandler (
ExpectedSize += sizeof (VARIABLE_POLICY_ENTRY);
if (InternalCommBufferSize < ExpectedSize) {
DEBUG ((DEBUG_INFO, "%a - Bad comm buffer size! %d < %d\n", __func__, InternalCommBufferSize, ExpectedSize));
- PolicyCommmHeader->Result = EFI_INVALID_PARAMETER;
+ PolicyCommHeader->Result = EFI_INVALID_PARAMETER;
break;
}
@@ -187,11 +193,11 @@ VarCheckPolicyLibMmiHandler (
(InternalCommBufferSize < ExpectedSize))
{
DEBUG ((DEBUG_INFO, "%a - Bad policy entry contents!\n", __func__));
- PolicyCommmHeader->Result = EFI_INVALID_PARAMETER;
+ PolicyCommHeader->Result = EFI_INVALID_PARAMETER;
break;
}
- PolicyCommmHeader->Result = RegisterVariablePolicy (PolicyEntry);
+ PolicyCommHeader->Result = RegisterVariablePolicy (PolicyEntry);
break;
case VAR_CHECK_POLICY_COMMAND_DUMP:
@@ -200,13 +206,13 @@ VarCheckPolicyLibMmiHandler (
ExpectedSize += sizeof (VAR_CHECK_POLICY_COMM_DUMP_PARAMS) + VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE;
if (InternalCommBufferSize < ExpectedSize) {
DEBUG ((DEBUG_INFO, "%a - Bad comm buffer size! %d < %d\n", __func__, InternalCommBufferSize, ExpectedSize));
- PolicyCommmHeader->Result = EFI_INVALID_PARAMETER;
+ PolicyCommHeader->Result = EFI_INVALID_PARAMETER;
break;
}
// Now that we know we've got a valid size, we can fill in the rest of the data.
- DumpParamsIn = (VAR_CHECK_POLICY_COMM_DUMP_PARAMS *)(InternalPolicyCommmHeader + 1);
- DumpParamsOut = (VAR_CHECK_POLICY_COMM_DUMP_PARAMS *)(PolicyCommmHeader + 1);
+ DumpParamsIn = (VAR_CHECK_POLICY_COMM_DUMP_PARAMS *)(InternalPolicyCommHeader + 1);
+ DumpParamsOut = (VAR_CHECK_POLICY_COMM_DUMP_PARAMS *)(PolicyCommHeader + 1);
// If we're requesting the first page, initialize the cache and get the sizes.
if (DumpParamsIn->PageRequested == 0) {
@@ -289,17 +295,131 @@ VarCheckPolicyLibMmiHandler (
}
// There's currently no use for this, but it shouldn't be hard to implement.
- PolicyCommmHeader->Result = SubCommandStatus;
+ PolicyCommHeader->Result = SubCommandStatus;
break;
case VAR_CHECK_POLICY_COMMAND_LOCK:
- PolicyCommmHeader->Result = LockVariablePolicy ();
+ PolicyCommHeader->Result = LockVariablePolicy ();
+ break;
+
+ case VAR_CHECK_POLICY_COMMAND_GET_INFO:
+ case VAR_CHECK_POLICY_COMMAND_GET_LOCK_VAR_STATE_INFO:
+ ExpectedSize += VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS_END + VAR_CHECK_POLICY_MM_GET_INFO_BUFFER_SIZE;
+
+ if (InternalCommBufferSize < ExpectedSize) {
+ PolicyCommHeader->Result = EFI_INVALID_PARAMETER;
+ break;
+ }
+
+ GetInfoParamsInternal = (VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS *)(InternalPolicyCommHeader + 1);
+ GetInfoParamsExternal = (VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS *)(PolicyCommHeader + 1);
+
+ SubCommandStatus = SafeUintnSub (
+ VAR_CHECK_POLICY_MM_GET_INFO_BUFFER_SIZE,
+ GetInfoParamsInternal->InputVariableNameSize,
+ &AllowedOutputVariableNameSize
+ );
+ if (EFI_ERROR (SubCommandStatus)) {
+ PolicyCommHeader->Result = EFI_INVALID_PARAMETER;
+ break;
+ }
+
+ if (GetInfoParamsInternal->OutputVariableNameSize > 0) {
+ SubCommandStatus = SafeUintnAdd (
+ ((UINTN)GetInfoParamsInternal + VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS_END),
+ (UINTN)GetInfoParamsInternal->InputVariableNameSize,
+ (UINTN *)&InternalCopyOfOutputVariableName
+ );
+ if (EFI_ERROR (SubCommandStatus)) {
+ PolicyCommHeader->Result = EFI_INVALID_PARAMETER;
+ break;
+ }
+ } else {
+ InternalCopyOfOutputVariableName = NULL;
+ }
+
+ ZeroMem (&GetInfoParamsInternal->OutputPolicyEntry, sizeof (GetInfoParamsInternal->OutputPolicyEntry));
+ ZeroMem (&GetInfoParamsExternal->OutputPolicyEntry, sizeof (GetInfoParamsExternal->OutputPolicyEntry));
+
+ LocalSize = (UINTN)GetInfoParamsInternal->OutputVariableNameSize;
+
+ if (InternalPolicyCommHeader->Command == VAR_CHECK_POLICY_COMMAND_GET_INFO) {
+ SubCommandStatus = GetVariablePolicyInfo (
+ GetInfoParamsInternal->InputVariableName,
+ &GetInfoParamsInternal->InputVendorGuid,
+ &LocalSize,
+ &GetInfoParamsInternal->OutputPolicyEntry.VariablePolicy,
+ InternalCopyOfOutputVariableName
+ );
+ } else if (InternalPolicyCommHeader->Command == VAR_CHECK_POLICY_COMMAND_GET_LOCK_VAR_STATE_INFO) {
+ SubCommandStatus = GetLockOnVariableStateVariablePolicyInfo (
+ GetInfoParamsInternal->InputVariableName,
+ &GetInfoParamsInternal->InputVendorGuid,
+ &LocalSize,
+ &GetInfoParamsInternal->OutputPolicyEntry.LockOnVarStatePolicy,
+ InternalCopyOfOutputVariableName
+ );
+ } else {
+ PolicyCommHeader->Result = EFI_INVALID_PARAMETER;
+ break;
+ }
+
+ if (EFI_ERROR (SubCommandStatus) && (SubCommandStatus != EFI_BUFFER_TOO_SMALL)) {
+ PolicyCommHeader->Result = SubCommandStatus;
+ break;
+ }
+
+ if (EFI_ERROR (SafeUintnToUint32 (LocalSize, &GetInfoParamsInternal->OutputVariableNameSize))) {
+ PolicyCommHeader->Result = EFI_BAD_BUFFER_SIZE;
+ break;
+ }
+
+ ASSERT (sizeof (GetInfoParamsInternal->OutputPolicyEntry) == sizeof (GetInfoParamsExternal->OutputPolicyEntry));
+ CopyMem (
+ &GetInfoParamsExternal->OutputPolicyEntry,
+ &GetInfoParamsInternal->OutputPolicyEntry,
+ sizeof (GetInfoParamsExternal->OutputPolicyEntry)
+ );
+
+ GetInfoParamsExternal->OutputVariableNameSize = GetInfoParamsInternal->OutputVariableNameSize;
+ if (SubCommandStatus == EFI_BUFFER_TOO_SMALL) {
+ PolicyCommHeader->Result = EFI_BUFFER_TOO_SMALL;
+ break;
+ }
+
+ SubCommandStatus = SafeUintnAdd (
+ ((UINTN)GetInfoParamsExternal + VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS_END),
+ (UINTN)GetInfoParamsInternal->InputVariableNameSize,
+ (UINTN *)&ExternalCopyOfOutputVariableName
+ );
+ if (EFI_ERROR (SubCommandStatus)) {
+ PolicyCommHeader->Result = EFI_BAD_BUFFER_SIZE;
+ break;
+ }
+
+ if (GetInfoParamsInternal->OutputVariableNameSize > 0) {
+ SubCommandStatus = StrnCpyS (
+ ExternalCopyOfOutputVariableName,
+ AllowedOutputVariableNameSize,
+ InternalCopyOfOutputVariableName,
+ (UINTN)GetInfoParamsInternal->OutputVariableNameSize
+ );
+ ASSERT_EFI_ERROR (SubCommandStatus);
+ } else {
+ // The comm buffer should always have the space for the variable policy output
+ // variable name. Fill it with NULL chars if a variable name is not present so
+ // it has a consistent value in the case of variable name absence.
+ SetMem (ExternalCopyOfOutputVariableName, AllowedOutputVariableNameSize, CHAR_NULL);
+ }
+
+ PolicyCommHeader->Result = SubCommandStatus;
+
break;
default:
// Mark unknown requested command as EFI_UNSUPPORTED.
- DEBUG ((DEBUG_INFO, "%a - Invalid command requested! %d\n", __func__, PolicyCommmHeader->Command));
- PolicyCommmHeader->Result = EFI_UNSUPPORTED;
+ DEBUG ((DEBUG_INFO, "%a - Invalid command requested! %d\n", __func__, PolicyCommHeader->Command));
+ PolicyCommHeader->Result = EFI_UNSUPPORTED;
break;
}
@@ -307,8 +427,8 @@ VarCheckPolicyLibMmiHandler (
DEBUG_VERBOSE,
"%a - Command %d returning %r.\n",
__func__,
- PolicyCommmHeader->Command,
- PolicyCommmHeader->Result
+ PolicyCommHeader->Command,
+ PolicyCommHeader->Result
));
return Status;
diff --git a/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c b/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c
index 214f76ab9626..768662829dbf 100644
--- a/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c
+++ b/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c
@@ -8,6 +8,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Uefi.h>
+#include <Library/BaseLib.h>
#include <Library/SafeIntLib.h>
#include <Library/MemoryAllocationLib.h>
#include <Library/BaseMemoryLib.h>
@@ -684,6 +685,309 @@ DumpVariablePolicy (
return EFI_SUCCESS;
}
+/**
+ This function will return variable policy information for a UEFI variable with a
+ registered variable policy.
+
+ @param[in] VariableName The name of the variable to use for the policy search.
+ @param[in] VendorGuid The vendor GUID of the variable to use for the policy search.
+ @param[in,out] VariablePolicyVariableNameBufferSize On input, the size, in bytes, of the VariablePolicyVariableName
+ buffer.
+
+ On output, the size, in bytes, needed to store the variable
+ policy variable name.
+
+ If testing for the VariablePolicyVariableName buffer size
+ needed, set this value to zero so EFI_BUFFER_TOO_SMALL is
+ guaranteed to be returned if the variable policy variable name
+ is found.
+ @param[out] VariablePolicy Pointer to a buffer where the policy entry will be written
+ if found.
+ @param[out] VariablePolicyVariableName Pointer to a buffer where the variable name used for the
+ variable policy will be written if a variable name is
+ registered.
+
+ If the variable policy is not associated with a variable name
+ (e.g. applied to variable vendor namespace) and this parameter
+ is given, this parameter will not be modified and
+ VariablePolicyVariableNameBufferSize will be set to zero to
+ indicate a name was not present.
+
+ If the pointer given is not NULL,
+ VariablePolicyVariableNameBufferSize must be non-NULL.
+
+ @retval EFI_SUCCESS A variable policy entry was found and returned successfully.
+ @retval EFI_BAD_BUFFER_SIZE An internal buffer size caused a calculation error.
+ @retval EFI_BUFFER_TOO_SMALL The VariablePolicyVariableName buffer value is too small for the size needed.
+ The buffer should now point to the size needed.
+ @retval EFI_NOT_READY Variable policy has not yet been initialized.
+ @retval EFI_INVALID_PARAMETER A required pointer argument passed is NULL. This will be returned if
+ VariablePolicyVariableName is non-NULL and VariablePolicyVariableNameBufferSize
+ is NULL.
+ @retval EFI_NOT_FOUND A variable policy was not found for the given UEFI variable name and vendor GUID.
+
+**/
+EFI_STATUS
+EFIAPI
+GetVariablePolicyInfo (
+ IN CONST CHAR16 *VariableName,
+ IN CONST EFI_GUID *VendorGuid,
+ IN OUT UINTN *VariablePolicyVariableNameBufferSize OPTIONAL,
+ OUT VARIABLE_POLICY_ENTRY *VariablePolicy,
+ OUT CHAR16 *VariablePolicyVariableName OPTIONAL
+ )
+{
+ EFI_STATUS Status;
+ UINT8 MatchPriority;
+ UINTN LocalVariablePolicyVariableNameBufferSize;
+ UINTN RequiredVariablePolicyVariableNameBufferSize;
+ VARIABLE_POLICY_ENTRY *MatchPolicy;
+
+ Status = EFI_SUCCESS;
+
+ if (!IsVariablePolicyLibInitialized ()) {
+ return EFI_NOT_READY;
+ }
+
+ if ((VariableName == NULL) || (VendorGuid == NULL) || (VariablePolicy == NULL)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ MatchPolicy = GetBestPolicyMatch (
+ VariableName,
+ VendorGuid,
+ &MatchPriority
+ );
+ if (MatchPolicy != NULL) {
+ CopyMem (VariablePolicy, MatchPolicy, sizeof (*VariablePolicy));
+
+ if (VariablePolicyVariableNameBufferSize == NULL) {
+ if (VariablePolicyVariableName != NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ return Status;
+ }
+
+ if (MatchPolicy->Size != MatchPolicy->OffsetToName) {
+ if (MatchPolicy->Size < MatchPolicy->OffsetToName) {
+ ASSERT (MatchPolicy->Size > MatchPolicy->OffsetToName);
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ RequiredVariablePolicyVariableNameBufferSize = (UINTN)(MatchPolicy->Size - MatchPolicy->OffsetToName);
+ ASSERT (RequiredVariablePolicyVariableNameBufferSize > 0);
+
+ if (*VariablePolicyVariableNameBufferSize < RequiredVariablePolicyVariableNameBufferSize) {
+ // Let the caller get the size needed to hold the policy variable name
+ *VariablePolicyVariableNameBufferSize = RequiredVariablePolicyVariableNameBufferSize;
+ return EFI_BUFFER_TOO_SMALL;
+ }
+
+ if (VariablePolicyVariableName == NULL) {
+ // If the policy variable name size given is valid, then a valid policy variable name buffer should be provided
+ *VariablePolicyVariableNameBufferSize = RequiredVariablePolicyVariableNameBufferSize;
+ return EFI_INVALID_PARAMETER;
+ }
+
+ LocalVariablePolicyVariableNameBufferSize = *VariablePolicyVariableNameBufferSize;
+
+ // Actual string size should match expected string size
+ if (
+ ((StrnLenS (GET_POLICY_NAME (MatchPolicy), RequiredVariablePolicyVariableNameBufferSize) + 1) * sizeof (CHAR16))
+ != RequiredVariablePolicyVariableNameBufferSize)
+ {
+ ASSERT_EFI_ERROR (EFI_BAD_BUFFER_SIZE);
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ *VariablePolicyVariableNameBufferSize = RequiredVariablePolicyVariableNameBufferSize;
+
+ Status = StrnCpyS (
+ VariablePolicyVariableName,
+ LocalVariablePolicyVariableNameBufferSize / sizeof (CHAR16),
+ GET_POLICY_NAME (MatchPolicy),
+ RequiredVariablePolicyVariableNameBufferSize / sizeof (CHAR16)
+ );
+ ASSERT_EFI_ERROR (Status);
+ } else {
+ // A variable policy variable name is not present. Return values according to interface.
+ *VariablePolicyVariableNameBufferSize = 0;
+ }
+
+ return Status;
+ }
+
+ return EFI_NOT_FOUND;
+}
+
+/**
+ This function will return the Lock on Variable State policy information for the policy
+ associated with the given UEFI variable.
+
+ @param[in] VariableName The name of the variable to use for the policy search.
+ @param[in] VendorGuid The vendor GUID of the variable to use for the policy
+ search.
+ @param[in,out] VariableLockPolicyVariableNameBufferSize On input, the size, in bytes, of the
+ VariableLockPolicyVariableName buffer.
+
+ On output, the size, in bytes, needed to store the variable
+ policy variable name.
+
+ If testing for the VariableLockPolicyVariableName buffer
+ size needed, set this value to zero so EFI_BUFFER_TOO_SMALL
+ is guaranteed to be returned if the variable policy variable
+ name is found.
+ @param[out] VariablePolicy Pointer to a buffer where the policy entry will be written
+ if found.
+ @param[out] VariableLockPolicyVariableName Pointer to a buffer where the variable name used for the
+ variable lock on variable state policy will be written if
+ a variable name is registered.
+
+ If the lock on variable policy is not associated with a
+ variable name (e.g. applied to variable vendor namespace)
+ and this parameter is given, this parameter will not be
+ modified and VariableLockPolicyVariableNameBufferSize will
+ be set to zero to indicate a name was not present.
+
+ If the pointer given is not NULL,
+ VariableLockPolicyVariableNameBufferSize must be non-NULL.
+
+ @retval EFI_SUCCESS A Lock on Variable State variable policy entry was found and returned
+ successfully.
+ @retval EFI_BAD_BUFFER_SIZE An internal buffer size caused a calculation error.
+ @retval EFI_BUFFER_TOO_SMALL The VariableLockPolicyVariableName buffer is too small for the size needed.
+ The buffer should now point to the size needed.
+ @retval EFI_NOT_READY Variable policy has not yet been initialized.
+ @retval EFI_INVALID_PARAMETER A required pointer argument passed is NULL. This will be returned if
+ VariableLockPolicyVariableName is non-NULL and
+ VariableLockPolicyVariableNameBufferSize is NULL.
+ @retval EFI_NOT_FOUND A Lock on Variable State variable policy was not found for the given UEFI
+ variable name and vendor GUID.
+
+**/
+EFI_STATUS
+EFIAPI
+GetLockOnVariableStateVariablePolicyInfo (
+ IN CONST CHAR16 *VariableName,
+ IN CONST EFI_GUID *VendorGuid,
+ IN OUT UINTN *VariableLockPolicyVariableNameBufferSize OPTIONAL,
+ OUT VARIABLE_LOCK_ON_VAR_STATE_POLICY *VariablePolicy,
+ OUT CHAR16 *VariableLockPolicyVariableName OPTIONAL
+ )
+{
+ EFI_STATUS Status;
+ UINT8 MatchPriority;
+ UINTN RequiredVariablePolicyVariableNameBufferSize;
+ UINTN RequiredVariableLockPolicyVariableNameBufferSize;
+ UINTN LocalVariablePolicyLockVariableNameBufferSize;
+ UINTN LockOnVarStatePolicyEndOffset;
+ CHAR16 *LocalVariableLockPolicyVariableName;
+ VARIABLE_LOCK_ON_VAR_STATE_POLICY *LocalLockOnVarStatePolicy;
+ VARIABLE_POLICY_ENTRY *MatchPolicy;
+
+ Status = EFI_SUCCESS;
+
+ if (!IsVariablePolicyLibInitialized ()) {
+ return EFI_NOT_READY;
+ }
+
+ if ((VariableName == NULL) || (VendorGuid == NULL) || (VariablePolicy == NULL)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ MatchPolicy = GetBestPolicyMatch (
+ VariableName,
+ VendorGuid,
+ &MatchPriority
+ );
+ if (MatchPolicy != NULL) {
+ if (MatchPolicy->LockPolicyType != VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE) {
+ return EFI_NOT_FOUND;
+ }
+
+ Status = SafeUintnAdd (
+ sizeof (VARIABLE_POLICY_ENTRY),
+ sizeof (VARIABLE_LOCK_ON_VAR_STATE_POLICY),
+ &LockOnVarStatePolicyEndOffset
+ );
+ if (EFI_ERROR (Status) || (LockOnVarStatePolicyEndOffset > (UINTN)MatchPolicy->Size)) {
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ LocalLockOnVarStatePolicy = (VARIABLE_LOCK_ON_VAR_STATE_POLICY *)(MatchPolicy + 1);
+ CopyMem (VariablePolicy, LocalLockOnVarStatePolicy, sizeof (*LocalLockOnVarStatePolicy));
+
+ if ((VariableLockPolicyVariableNameBufferSize == NULL)) {
+ if (VariableLockPolicyVariableName != NULL) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ return Status;
+ }
+
+ // The name offset should be less than or equal to the total policy size.
+ if (MatchPolicy->Size < MatchPolicy->OffsetToName) {
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ RequiredVariablePolicyVariableNameBufferSize = (UINTN)(MatchPolicy->Size - MatchPolicy->OffsetToName);
+ RequiredVariableLockPolicyVariableNameBufferSize = MatchPolicy->Size -
+ (LockOnVarStatePolicyEndOffset + RequiredVariablePolicyVariableNameBufferSize);
+
+ LocalVariablePolicyLockVariableNameBufferSize = *VariableLockPolicyVariableNameBufferSize;
+ *VariableLockPolicyVariableNameBufferSize = RequiredVariableLockPolicyVariableNameBufferSize;
+
+ if (LocalVariablePolicyLockVariableNameBufferSize < RequiredVariableLockPolicyVariableNameBufferSize) {
+ // Let the caller get the size needed to hold the policy variable name
+ return EFI_BUFFER_TOO_SMALL;
+ }
+
+ if (VariableLockPolicyVariableName == NULL) {
+ // If the policy variable name size given is valid, then a valid policy variable name buffer should be provided
+ return EFI_INVALID_PARAMETER;
+ }
+
+ if (RequiredVariableLockPolicyVariableNameBufferSize == 0) {
+ return Status;
+ }
+
+ LocalVariableLockPolicyVariableName = (CHAR16 *)((UINT8 *)LocalLockOnVarStatePolicy + sizeof (*LocalLockOnVarStatePolicy));
+ *VariableLockPolicyVariableNameBufferSize = RequiredVariableLockPolicyVariableNameBufferSize;
+
+ // Actual string size should match expected string size (if a variable name is present)
+ if (
+ (RequiredVariablePolicyVariableNameBufferSize > 0) &&
+ (((StrnLenS (GET_POLICY_NAME (MatchPolicy), RequiredVariablePolicyVariableNameBufferSize) + 1) * sizeof (CHAR16)) !=
+ RequiredVariablePolicyVariableNameBufferSize))
+ {
+ ASSERT_EFI_ERROR (EFI_BAD_BUFFER_SIZE);
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ // Actual string size should match expected string size (if here, variable lock variable name is present)
+ if (
+ ((StrnLenS (LocalVariableLockPolicyVariableName, RequiredVariableLockPolicyVariableNameBufferSize) + 1) * sizeof (CHAR16)) !=
+ RequiredVariableLockPolicyVariableNameBufferSize)
+ {
+ ASSERT_EFI_ERROR (EFI_BAD_BUFFER_SIZE);
+ return EFI_BAD_BUFFER_SIZE;
+ }
+
+ Status = StrnCpyS (
+ VariableLockPolicyVariableName,
+ LocalVariablePolicyLockVariableNameBufferSize / sizeof (CHAR16),
+ LocalVariableLockPolicyVariableName,
+ RequiredVariableLockPolicyVariableNameBufferSize / sizeof (CHAR16)
+ );
+ ASSERT_EFI_ERROR (Status);
+
+ return Status;
+ }
+
+ return EFI_NOT_FOUND;
+}
+
/**
This API function returns whether or not the policy engine is
currently being enforced.
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
index d5c409c914d1..c4ccdfd20f74 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
@@ -33,7 +33,9 @@ EDKII_VARIABLE_POLICY_PROTOCOL mVariablePolicyProtocol = {
ProtocolIsVariablePolicyEnabled,
RegisterVariablePolicy,
DumpVariablePolicy,
- LockVariablePolicy
+ LockVariablePolicy,
+ GetVariablePolicyInfo,
+ GetLockOnVariableStateVariablePolicyInfo
};
EDKII_VAR_CHECK_PROTOCOL mVarCheck = {
VarCheckRegisterSetVariableCheckHandler,
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c
index 6151a2ba0b18..0dd72dde27ce 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c
@@ -410,6 +410,338 @@ ProtocolLockVariablePolicy (
return (EFI_ERROR (Status)) ? Status : PolicyHeader->Result;
}
+/**
+ Internal implementation to retrieve variable information for a given UEFI variable that is shared
+ between different policy types.
+
+ Currently, the two policy structure types supported (and all that is defined) are VARIABLE_POLICY_ENTRY
+ and VARIABLE_LOCK_ON_VAR_STATE_POLICY.
+
+ @param[in] Command The command value to use in the communicate call.
+ @param[in] VariableName The name of the variable to use for the policy search.
+ @param[in] VendorGuid The vendor GUID of the variable to use for the policy search.
+ @param[in,out] VariablePolicyVariableNameBufferSize On input, the size, in bytes, of the VariablePolicyVariableName
+ buffer.
+
+ On output, the size, in bytes, needed to store the variable
+ policy variable name.
+
+ If testing for the VariablePolicyVariableName buffer size
+ needed, set this value to zero so EFI_BUFFER_TOO_SMALL is
+ guaranteed to be returned if the variable policy variable name
+ is found.
+ @param[out] VariablePolicy Pointer to a buffer where the policy entry will be written
+ if found.
+ @param[out] VariablePolicyVariableName Pointer to a buffer where the variable name used for the
+ variable policy will be written if a variable name is
+ registered.
+
+ If the variable policy is not associated with a variable name
+ (e.g. applied to variable vendor namespace) and this parameter
+ is given, this parameter will not be modified and
+ VariablePolicyVariableNameBufferSize will be set to zero to
+ indicate a name was not present.
+
+ If the pointer given is not NULL,
+ VariablePolicyVariableNameBufferSize must be non-NULL.
+
+ @retval EFI_SUCCESS A variable policy entry was found and returned successfully.
+ @retval EFI_BAD_BUFFER_SIZE An internal buffer size caused a calculation error.
+ @retval EFI_BUFFER_TOO_SMALL The VariablePolicyVariableName buffer value is too small for the size needed.
+ The buffer should now point to the size needed.
+ @retval EFI_NOT_READY Variable policy has not yet been initialized.
+ @retval EFI_INVALID_PARAMETER A required pointer argument passed is NULL. This will be returned if
+ VariablePolicyVariableName is non-NULL and VariablePolicyVariableNameBufferSize
+ is NULL. It can also be returned if the Command value provided is invalid.
+ @retval EFI_NOT_FOUND A variable policy was not found for the given UEFI variable name and vendor GUID.
+
+
+**/
+STATIC
+EFI_STATUS
+InternalProtocolGetVariablePolicyInfo (
+ IN UINT32 Command,
+ IN CONST CHAR16 *VariableName,
+ IN CONST EFI_GUID *VendorGuid,
+ IN OUT UINTN *VariablePolicyVariableNameBufferSize, OPTIONAL
+ OUT VOID *VariablePolicy,
+ OUT CHAR16 *VariablePolicyVariableName OPTIONAL
+ )
+{
+ EFI_STATUS Status;
+ CHAR16 *OutputVariableName;
+ EFI_MM_COMMUNICATE_HEADER *CommHeader;
+ VAR_CHECK_POLICY_COMM_HEADER *PolicyHeader;
+ VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS *CommandParams;
+ UINTN AllowedOutputVariableNameSize;
+ UINTN BufferSize;
+ UINTN VariableNameSize;
+
+ if ((VariableName == NULL) || (VendorGuid == NULL) || (VariablePolicy == NULL)) {
+ return EFI_INVALID_PARAMETER;
+ }
+
+ switch (Command) {
+ case VAR_CHECK_POLICY_COMMAND_GET_INFO:
+ case VAR_CHECK_POLICY_COMMAND_GET_LOCK_VAR_STATE_INFO:
+ break;
+ default:
+ return EFI_INVALID_PARAMETER;
+ }
+
+ AcquireLockOnlyAtBootTime (&mMmCommunicationLock);
+
+ VariableNameSize = StrnSizeS (
+ VariableName,
+ (VAR_CHECK_POLICY_MM_GET_INFO_BUFFER_SIZE - VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS_END)
+ );
+ if (VariableNameSize >= (VAR_CHECK_POLICY_MM_GET_INFO_BUFFER_SIZE - VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS_END)) {
+ Status = EFI_INVALID_PARAMETER;
+ goto Done;
+ }
+
+ if ((VariablePolicyVariableName != NULL) && (VariablePolicyVariableNameBufferSize == NULL)) {
+ return EFI_INVALID_PARAMETER;
+ goto Done;
+ }
+
+ BufferSize = mMmCommunicationBufferSize;
+ CommHeader = mMmCommunicationBuffer;
+
+ Status = SafeUintnSub (
+ VAR_CHECK_POLICY_MM_GET_INFO_BUFFER_SIZE,
+ VariableNameSize,
+ &AllowedOutputVariableNameSize
+ );
+ if (EFI_ERROR (Status)) {
+ Status = EFI_INVALID_PARAMETER;
+ goto Done;
+ }
+
+ if (VariablePolicyVariableNameBufferSize != NULL) {
+ AllowedOutputVariableNameSize = MIN (AllowedOutputVariableNameSize, *VariablePolicyVariableNameBufferSize);
+ } else {
+ AllowedOutputVariableNameSize = 0;
+ }
+
+ PolicyHeader = (VAR_CHECK_POLICY_COMM_HEADER *)&CommHeader->Data;
+ CommandParams = (VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS *)(PolicyHeader + 1);
+
+ CopyGuid (&CommHeader->HeaderGuid, &gVarCheckPolicyLibMmiHandlerGuid);
+ CommHeader->MessageLength = BufferSize - OFFSET_OF (EFI_MM_COMMUNICATE_HEADER, Data);
+ PolicyHeader->Signature = VAR_CHECK_POLICY_COMM_SIG;
+ PolicyHeader->Revision = VAR_CHECK_POLICY_COMM_REVISION;
+ PolicyHeader->Command = Command;
+
+ ZeroMem ((VOID *)&CommandParams->OutputPolicyEntry, sizeof (CommandParams->OutputPolicyEntry));
+ CopyGuid (&CommandParams->InputVendorGuid, VendorGuid);
+ Status = SafeUintnToUint32 (VariableNameSize, &CommandParams->InputVariableNameSize);
+ if (EFI_ERROR (Status)) {
+ Status = EFI_INVALID_PARAMETER;
+ goto Done;
+ }
+
+ Status = SafeUintnToUint32 (AllowedOutputVariableNameSize, &CommandParams->OutputVariableNameSize);
+ if (EFI_ERROR (Status)) {
+ Status = EFI_INVALID_PARAMETER;
+ goto Done;
+ }
+
+ if (AllowedOutputVariableNameSize > 0) {
+ Status = StrnCpyS (
+ CommandParams->InputVariableName,
+ AllowedOutputVariableNameSize / sizeof (CHAR16),
+ VariableName,
+ (UINTN)CommandParams->InputVariableNameSize / sizeof (CHAR16)
+ );
+ ASSERT_EFI_ERROR (Status);
+ }
+
+ Status = InternalMmCommunicate (CommHeader, &BufferSize);
+ if (Status == EFI_SUCCESS) {
+ CopyMem (
+ VariablePolicy,
+ (VOID *)&CommandParams->OutputPolicyEntry,
+ (Command == VAR_CHECK_POLICY_COMMAND_GET_INFO) ?
+ sizeof (CommandParams->OutputPolicyEntry.VariablePolicy) :
+ sizeof (CommandParams->OutputPolicyEntry.LockOnVarStatePolicy)
+ );
+
+ if (VariablePolicyVariableNameBufferSize == NULL) {
+ if (VariablePolicyVariableName != NULL) {
+ Status = EFI_INVALID_PARAMETER;
+ }
+
+ goto Done;
+ }
+
+ if (PolicyHeader->Result == EFI_BUFFER_TOO_SMALL) {
+ *VariablePolicyVariableNameBufferSize = (UINTN)CommandParams->OutputVariableNameSize;
+ goto Done;
+ }
+
+ if (PolicyHeader->Result == EFI_SUCCESS) {
+ if (CommandParams->OutputVariableNameSize > 0) {
+ Status = SafeUintnAdd (
+ ((UINTN)CommandParams + VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS_END),
+ (UINTN)CommandParams->InputVariableNameSize,
+ (UINTN *)&OutputVariableName
+ );
+ if (EFI_ERROR (Status)) {
+ Status = EFI_BAD_BUFFER_SIZE;
+ goto Done;
+ }
+
+ Status = StrnCpyS (
+ VariablePolicyVariableName,
+ *VariablePolicyVariableNameBufferSize / sizeof (CHAR16),
+ OutputVariableName,
+ (UINTN)CommandParams->OutputVariableNameSize
+ );
+ ASSERT_EFI_ERROR (Status);
+ *VariablePolicyVariableNameBufferSize = (UINTN)CommandParams->OutputVariableNameSize;
+ } else {
+ // A variable policy variable name is not present. Return values according to interface.
+ *VariablePolicyVariableNameBufferSize = 0;
+ }
+ }
+ }
+
+Done:
+ ReleaseLockOnlyAtBootTime (&mMmCommunicationLock);
+
+ return (EFI_ERROR (Status)) ? Status : PolicyHeader->Result;
+}
+
+/**
+ This function will return variable policy information for a UEFI variable with a
+ registered variable policy.
+
+ @param[in] VariableName The name of the variable to use for the policy search.
+ @param[in] VendorGuid The vendor GUID of the variable to use for the policy search.
+ @param[in,out] VariablePolicyVariableNameBufferSize On input, the size, in bytes, of the VariablePolicyVariableName
+ buffer.
+
+ On output, the size, in bytes, needed to store the variable
+ policy variable name.
+
+ If testing for the VariablePolicyVariableName buffer size
+ needed, set this value to zero so EFI_BUFFER_TOO_SMALL is
+ guaranteed to be returned if the variable policy variable name
+ is found.
+ @param[out] VariablePolicy Pointer to a buffer where the policy entry will be written
+ if found.
+ @param[out] VariablePolicyVariableName Pointer to a buffer where the variable name used for the
+ variable policy will be written if a variable name is
+ registered.
+
+ If the variable policy is not associated with a variable name
+ (e.g. applied to variable vendor namespace) and this parameter
+ is given, this parameter will not be modified and
+ VariablePolicyVariableNameBufferSize will be set to zero to
+ indicate a name was not present.
+
+ If the pointer given is not NULL,
+ VariablePolicyVariableNameBufferSize must be non-NULL.
+
+ @retval EFI_SUCCESS A variable policy entry was found and returned successfully.
+ @retval EFI_BAD_BUFFER_SIZE An internal buffer size caused a calculation error.
+ @retval EFI_BUFFER_TOO_SMALL The VariablePolicyVariableName buffer value is too small for the size needed.
+ The buffer should now point to the size needed.
+ @retval EFI_NOT_READY Variable policy has not yet been initialized.
+ @retval EFI_INVALID_PARAMETER A required pointer argument passed is NULL. This will be returned if
+ VariablePolicyVariableName is non-NULL and VariablePolicyVariableNameBufferSize
+ is NULL.
+ @retval EFI_NOT_FOUND A variable policy was not found for the given UEFI variable name and vendor GUID.
+
+**/
+STATIC
+EFI_STATUS
+EFIAPI
+ProtocolGetVariablePolicyInfo (
+ IN CONST CHAR16 *VariableName,
+ IN CONST EFI_GUID *VendorGuid,
+ IN OUT UINTN *VariablePolicyVariableNameBufferSize, OPTIONAL
+ OUT VARIABLE_POLICY_ENTRY *VariablePolicy,
+ OUT CHAR16 *VariablePolicyVariableName OPTIONAL
+ )
+{
+ return InternalProtocolGetVariablePolicyInfo (
+ VAR_CHECK_POLICY_COMMAND_GET_INFO,
+ VariableName,
+ VendorGuid,
+ VariablePolicyVariableNameBufferSize,
+ VariablePolicy,
+ VariablePolicyVariableName
+ );
+}
+
+/**
+ This function will return the Lock on Variable State policy information for the policy
+ associated with the given UEFI variable.
+
+ @param[in] VariableName The name of the variable to use for the policy search.
+ @param[in] VendorGuid The vendor GUID of the variable to use for the policy
+ search.
+ @param[in,out] VariableLockPolicyVariableNameBufferSize On input, the size, in bytes, of the
+ VariableLockPolicyVariableName buffer.
+
+ On output, the size, in bytes, needed to store the variable
+ policy variable name.
+
+ If testing for the VariableLockPolicyVariableName buffer
+ P size needed, set this value to zero so EFI_BUFFER_TOO_SMALL
+ is guaranteed to be returned if the variable policy variable
+ name is found.
+ @param[out] VariablePolicy Pointer to a buffer where the policy entry will be written
+ if found.
+ @param[out] VariableLockPolicyVariableName Pointer to a buffer where the variable name used for the
+ variable lock on variable state policy will be written if
+ a variable name is registered.
+
+ If the lock on variable policy is not associated with a
+ variable name (e.g. applied to variable vendor namespace)
+ and this parameter is given, this parameter will not be
+ modified and VariableLockPolicyVariableNameBufferSize will
+ be set to zero to indicate a name was not present.
+
+ If the pointer given is not NULL,
+ VariableLockPolicyVariableNameBufferSize must be non-NULL.
+
+ @retval EFI_SUCCESS A Lock on Variable State variable policy entry was found and returned
+ successfully.
+ @retval EFI_BAD_BUFFER_SIZE An internal buffer size caused a calculation error.
+ @retval EFI_BUFFER_TOO_SMALL The VariableLockPolicyVariableName buffer is too small for the size needed.
+ The buffer should now point to the size needed.
+ @retval EFI_NOT_READY Variable policy has not yet been initialized.
+ @retval EFI_INVALID_PARAMETER A required pointer argument passed is NULL. This will be returned if
+ VariableLockPolicyVariableName is non-NULL and
+ VariableLockPolicyVariableNameBufferSize is NULL.
+ @retval EFI_NOT_FOUND A Lock on Variable State variable policy was not found for the given UEFI
+ variable name and vendor GUID.
+
+**/
+STATIC
+EFI_STATUS
+EFIAPI
+ProtocolGetLockOnVariableStateVariablePolicyInfo (
+ IN CONST CHAR16 *VariableName,
+ IN CONST EFI_GUID *VendorGuid,
+ IN OUT UINTN *VariableLockPolicyVariableNameBufferSize, OPTIONAL
+ OUT VARIABLE_LOCK_ON_VAR_STATE_POLICY *VariablePolicy,
+ OUT CHAR16 *VariableLockPolicyVariableName OPTIONAL
+ )
+{
+ return InternalProtocolGetVariablePolicyInfo (
+ VAR_CHECK_POLICY_COMMAND_GET_LOCK_VAR_STATE_INFO,
+ VariableName,
+ VendorGuid,
+ VariableLockPolicyVariableNameBufferSize,
+ VariablePolicy,
+ VariableLockPolicyVariableName
+ );
+}
+
/**
This helper function locates the shared comm buffer and assigns it to input pointers.
@@ -514,12 +846,14 @@ VariablePolicySmmDxeMain (
}
// Configure the VariablePolicy protocol structure.
- mVariablePolicyProtocol.Revision = EDKII_VARIABLE_POLICY_PROTOCOL_REVISION;
- mVariablePolicyProtocol.DisableVariablePolicy = ProtocolDisableVariablePolicy;
- mVariablePolicyProtocol.IsVariablePolicyEnabled = ProtocolIsVariablePolicyEnabled;
- mVariablePolicyProtocol.RegisterVariablePolicy = ProtocolRegisterVariablePolicy;
- mVariablePolicyProtocol.DumpVariablePolicy = ProtocolDumpVariablePolicy;
- mVariablePolicyProtocol.LockVariablePolicy = ProtocolLockVariablePolicy;
+ mVariablePolicyProtocol.Revision = EDKII_VARIABLE_POLICY_PROTOCOL_REVISION;
+ mVariablePolicyProtocol.DisableVariablePolicy = ProtocolDisableVariablePolicy;
+ mVariablePolicyProtocol.IsVariablePolicyEnabled = ProtocolIsVariablePolicyEnabled;
+ mVariablePolicyProtocol.RegisterVariablePolicy = ProtocolRegisterVariablePolicy;
+ mVariablePolicyProtocol.DumpVariablePolicy = ProtocolDumpVariablePolicy;
+ mVariablePolicyProtocol.LockVariablePolicy = ProtocolLockVariablePolicy;
+ mVariablePolicyProtocol.GetVariablePolicyInfo = ProtocolGetVariablePolicyInfo;
+ mVariablePolicyProtocol.GetLockOnVariableStateVariablePolicyInfo = ProtocolGetLockOnVariableStateVariablePolicyInfo;
// Register all the protocols and return the status.
Status = gBS->InstallMultipleProtocolInterfaces (
diff --git a/MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h b/MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h
index ff3d4a1fd68a..a692fa40c946 100644
--- a/MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h
+++ b/MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h
@@ -32,23 +32,52 @@ typedef struct _VAR_CHECK_POLICY_COMM_DUMP_PARAMS {
BOOLEAN HasMore;
} VAR_CHECK_POLICY_COMM_DUMP_PARAMS;
+typedef union {
+ VARIABLE_POLICY_ENTRY VariablePolicy;
+ VARIABLE_LOCK_ON_VAR_STATE_POLICY LockOnVarStatePolicy;
+} VAR_CHECK_POLICY_OUTPUT_POLICY_ENTRY;
+
+typedef struct _VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS {
+ EFI_GUID InputVendorGuid;
+ UINT32 InputVariableNameSize;
+ UINT32 OutputVariableNameSize;
+ VAR_CHECK_POLICY_OUTPUT_POLICY_ENTRY OutputPolicyEntry;
+ CHAR16 InputVariableName[1];
+} VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS;
+
#pragma pack(pop)
+#define VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS_END \
+ (OFFSET_OF(VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS, InputVariableName))
+
// Make sure that we will hold at least the headers.
#define VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE MAX((OFFSET_OF(EFI_MM_COMMUNICATE_HEADER, Data) + sizeof (VAR_CHECK_POLICY_COMM_HEADER) + EFI_PAGES_TO_SIZE(1)), EFI_PAGES_TO_SIZE(4))
#define VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE (VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE - \
(OFFSET_OF(EFI_MM_COMMUNICATE_HEADER, Data) + \
sizeof(VAR_CHECK_POLICY_COMM_HEADER) + \
sizeof(VAR_CHECK_POLICY_COMM_DUMP_PARAMS)))
+
+#define VAR_CHECK_POLICY_MM_GET_INFO_BUFFER_SIZE (VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE - \
+ (OFFSET_OF(EFI_MM_COMMUNICATE_HEADER, Data) + \
+ sizeof(VAR_CHECK_POLICY_COMM_HEADER) + \
+ OFFSET_OF(VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS, InputVariableName)))
+
STATIC_ASSERT (
VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE < VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE,
"an integer underflow may have occurred calculating VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE"
);
-#define VAR_CHECK_POLICY_COMMAND_DISABLE 0x0001
-#define VAR_CHECK_POLICY_COMMAND_IS_ENABLED 0x0002
-#define VAR_CHECK_POLICY_COMMAND_REGISTER 0x0003
-#define VAR_CHECK_POLICY_COMMAND_DUMP 0x0004
-#define VAR_CHECK_POLICY_COMMAND_LOCK 0x0005
+STATIC_ASSERT (
+ VAR_CHECK_POLICY_MM_GET_INFO_BUFFER_SIZE < VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE,
+ "an integer underflow may have occurred calculating VAR_CHECK_POLICY_MM_GET_INFO_BUFFER_SIZE"
+ );
+
+#define VAR_CHECK_POLICY_COMMAND_DISABLE 0x0001
+#define VAR_CHECK_POLICY_COMMAND_IS_ENABLED 0x0002
+#define VAR_CHECK_POLICY_COMMAND_REGISTER 0x0003
+#define VAR_CHECK_POLICY_COMMAND_DUMP 0x0004
+#define VAR_CHECK_POLICY_COMMAND_LOCK 0x0005
+#define VAR_CHECK_POLICY_COMMAND_GET_INFO 0x0006
+#define VAR_CHECK_POLICY_COMMAND_GET_LOCK_VAR_STATE_INFO 0x0007
#endif // _VAR_CHECK_POLICY_MMI_COMMON_H_
diff --git a/MdeModulePkg/Include/Library/VariablePolicyLib.h b/MdeModulePkg/Include/Library/VariablePolicyLib.h
index 63c49fbca1ed..bc4e26b2d434 100644
--- a/MdeModulePkg/Include/Library/VariablePolicyLib.h
+++ b/MdeModulePkg/Include/Library/VariablePolicyLib.h
@@ -102,6 +102,113 @@ DumpVariablePolicy (
IN OUT UINT32 *Size
);
+/**
+ This function will return variable policy information for a UEFI variable with a
+ registered variable policy.
+
+ @param[in] VariableName The name of the variable to use for the policy search.
+ @param[in] VendorGuid The vendor GUID of the variable to use for the policy search.
+ @param[in,out] VariablePolicyVariableNameBufferSize On input, the size, in bytes, of the VariablePolicyVariableName
+ buffer.
+
+ On output, the size, in bytes, needed to store the variable
+ policy variable name.
+
+ If testing for the VariablePolicyVariableName buffer size
+ needed, set this value to zero so EFI_BUFFER_TOO_SMALL is
+ guaranteed to be returned if the variable policy variable name
+ is found.
+ @param[out] VariablePolicy Pointer to a buffer where the policy entry will be written
+ if found.
+ @param[out] VariablePolicyVariableName Pointer to a buffer where the variable name used for the
+ variable policy will be written if a variable name is
+ registered.
+
+ If the variable policy is not associated with a variable name
+ (e.g. applied to variable vendor namespace) and this parameter
+ is given, this parameter will not be modified and
+ VariablePolicyVariableNameBufferSize will be set to zero to
+ indicate a name was not present.
+
+ If the pointer given is not NULL,
+ VariablePolicyVariableNameBufferSize must be non-NULL.
+
+ @retval EFI_SUCCESS A variable policy entry was found and returned successfully.
+ @retval EFI_BAD_BUFFER_SIZE An internal buffer size caused a calculation error.
+ @retval EFI_BUFFER_TOO_SMALL The VariablePolicyVariableName buffer value is too small for the size needed.
+ The buffer should now point to the size needed.
+ @retval EFI_NOT_READY Variable policy has not yet been initialized.
+ @retval EFI_INVALID_PARAMETER A required pointer argument passed is NULL. This will be returned if
+ VariablePolicyVariableName is non-NULL and VariablePolicyVariableNameBufferSize
+ is NULL.
+ @retval EFI_NOT_FOUND A variable policy was not found for the given UEFI variable name and vendor GUID.
+
+**/
+EFI_STATUS
+EFIAPI
+GetVariablePolicyInfo (
+ IN CONST CHAR16 *VariableName,
+ IN CONST EFI_GUID *VendorGuid,
+ IN OUT UINTN *VariablePolicyVariableNameBufferSize OPTIONAL,
+ OUT VARIABLE_POLICY_ENTRY *VariablePolicy,
+ OUT CHAR16 *VariablePolicyVariableName OPTIONAL
+ );
+
+/**
+ This function will return the Lock on Variable State policy information for the policy
+ associated with the given UEFI variable.
+
+ @param[in] VariableName The name of the variable to use for the policy search.
+ @param[in] VendorGuid The vendor GUID of the variable to use for the policy
+ search.
+ @param[in,out] VariableLockPolicyVariableNameBufferSize On input, the size, in bytes, of the
+ VariableLockPolicyVariableName buffer.
+
+ On output, the size, in bytes, needed to store the variable
+ policy variable name.
+
+ If testing for the VariableLockPolicyVariableName buffer
+ size needed, set this value to zero so EFI_BUFFER_TOO_SMALL
+ is guaranteed to be returned if the variable policy variable
+ name is found.
+ @param[out] VariablePolicy Pointer to a buffer where the policy entry will be written
+ if found.
+ @param[out] VariableLockPolicyVariableName Pointer to a buffer where the variable name used for the
+ variable lock on variable state policy will be written if
+ a variable name is registered.
+
+ If the lock on variable policy is not associated with a
+ variable name (e.g. applied to variable vendor namespace)
+ and this parameter is given, this parameter will not be
+ modified and VariableLockPolicyVariableNameBufferSize will
+ be set to zero to indicate a name was not present.
+
+ If the pointer given is not NULL,
+ VariableLockPolicyVariableNameBufferSize must be non-NULL.
+
+ @retval EFI_SUCCESS A Lock on Variable State variable policy entry was found and returned
+ successfully.
+ @retval EFI_BAD_BUFFER_SIZE An internal buffer size caused a calculation error.
+ @retval EFI_BUFFER_TOO_SMALL The VariableLockPolicyVariableName buffer is too small for the size needed.
+ The buffer should now point to the size needed.
+ @retval EFI_NOT_READY Variable policy has not yet been initialized.
+ @retval EFI_INVALID_PARAMETER A required pointer argument passed is NULL. This will be returned if
+ VariableLockPolicyVariableName is non-NULL and
+ VariableLockPolicyVariableNameBufferSize is NULL.
+ @retval EFI_NOT_FOUND A Lock on Variable State variable policy was not found for the given UEFI
+ variable name and vendor GUID.
+
+**/
+EFI_STATUS
+EFIAPI
+GetLockOnVariableStateVariablePolicyInfo (
+ IN CONST CHAR16 *VariableName,
+ IN CONST EFI_GUID *VendorGuid,
+ IN OUT UINTN *VariableLockPolicyVariableNameBufferSize OPTIONAL,
+ OUT VARIABLE_LOCK_ON_VAR_STATE_POLICY *VariablePolicy,
+ OUT CHAR16 *VariableLockPolicyVariableName OPTIONAL
+ );
+
/**
This API function returns whether or not the policy engine is
currently being enforced.
diff --git a/MdeModulePkg/Include/Protocol/VariablePolicy.h b/MdeModulePkg/Include/Protocol/VariablePolicy.h
index 98d739401f83..4b57f70a9da8 100644
--- a/MdeModulePkg/Include/Protocol/VariablePolicy.h
+++ b/MdeModulePkg/Include/Protocol/VariablePolicy.h
@@ -9,7 +9,17 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#ifndef __EDKII_VARIABLE_POLICY_PROTOCOL__
#define __EDKII_VARIABLE_POLICY_PROTOCOL__
-#define EDKII_VARIABLE_POLICY_PROTOCOL_REVISION 0x0000000000010000
+#define EDKII_VARIABLE_POLICY_PROTOCOL_REVISION 0x0000000000020000
+
+/*
+ Rev 0x0000000000010000:
+ - Initial protocol definition
+
+ Rev 0x0000000000020000:
+ - Add GetVariablePolicyInfo() API
+ - Add GetLockOnVariableStateVariablePolicyInfo() API
+
+*/
#define EDKII_VARIABLE_POLICY_PROTOCOL_GUID \
{ \
@@ -141,13 +151,122 @@ EFI_STATUS
VOID
);
+/**
+ This function will return variable policy information for a UEFI variable with a
+ registered variable policy.
+
+ @param[in] VariableName The name of the variable to use for the policy search.
+ @param[in] VendorGuid The vendor GUID of the variable to use for the policy search.
+ @param[in,out] VariablePolicyVariableNameBufferSize On input, the size, in bytes, of the VariablePolicyVariableName
+ buffer.
+
+ On output, the size, in bytes, needed to store the variable
+ policy variable name.
+
+ If testing for the VariablePolicyVariableName buffer size
+ needed, set this value to zero so EFI_BUFFER_TOO_SMALL is
+ guaranteed to be returned if the variable policy variable name
+ is found.
+ @param[out] VariablePolicy Pointer to a buffer where the policy entry will be written
+ if found.
+ @param[out] VariablePolicyVariableName Pointer to a buffer where the variable name used for the
+ variable policy will be written if a variable name is
+ registered.
+
+ If the variable policy is not associated with a variable name
+ (e.g. applied to variable vendor namespace) and this parameter
+ is given, this parameter will not be modified and
+ VariablePolicyVariableNameBufferSize will be set to zero to
+ indicate a name was not present.
+
+ If the pointer given is not NULL,
+ VariablePolicyVariableNameBufferSize must be non-NULL.
+
+ @retval EFI_SUCCESS A variable policy entry was found and returned successfully.
+ @retval EFI_BAD_BUFFER_SIZE An internal buffer size caused a calculation error.
+ @retval EFI_BUFFER_TOO_SMALL The VariablePolicyVariableName buffer value is too small for the size needed.
+ The buffer should now point to the size needed.
+ @retval EFI_NOT_READY Variable policy has not yet been initialized.
+ @retval EFI_INVALID_PARAMETER A required pointer argument passed is NULL. This will be returned if
+ VariablePolicyVariableName is non-NULL and VariablePolicyVariableNameBufferSize
+ is NULL.
+ @retval EFI_NOT_FOUND A variable policy was not found for the given UEFI variable name and vendor GUID.
+
+**/
+typedef
+EFI_STATUS
+(EFIAPI *GET_VARIABLE_POLICY_INFO)(
+ IN CONST CHAR16 *VariableName,
+ IN CONST EFI_GUID *VendorGuid,
+ IN OUT UINTN *VariablePolicyVariableNameBufferSize OPTIONAL,
+ OUT VARIABLE_POLICY_ENTRY *VariablePolicy,
+ OUT CHAR16 *VariablePolicyVariableName OPTIONAL
+ );
+
+/**
+ This function will return the Lock on Variable State policy information for the policy
+ associated with the given UEFI variable.
+
+ @param[in] VariableName The name of the variable to use for the policy search.
+ @param[in] VendorGuid The vendor GUID of the variable to use for the policy
+ search.
+ @param[in,out] VariableLockPolicyVariableNameBufferSize On input, the size, in bytes, of the
+ VariableLockPolicyVariableName buffer.
+
+ On output, the size, in bytes, needed to store the variable
+ policy variable name.
+
+ If testing for the VariableLockPolicyVariableName buffer
+ size needed, set this value to zero so EFI_BUFFER_TOO_SMALL
+ is guaranteed to be returned if the variable policy variable
+ name is found.
+ @param[out] VariablePolicy Pointer to a buffer where the policy entry will be written
+ if found.
+ @param[out] VariableLockPolicyVariableName Pointer to a buffer where the variable name used for the
+ variable lock on variable state policy will be written if
+ a variable name is registered.
+
+ If the lock on variable policy is not associated with a
+ variable name (e.g. applied to variable vendor namespace)
+ and this parameter is given, this parameter will not be
+ modified and VariableLockPolicyVariableNameBufferSize will
+ be set to zero to indicate a name was not present.
+
+ If the pointer given is not NULL,
+ VariableLockPolicyVariableNameBufferSize must be non-NULL.
+
+ @retval EFI_SUCCESS A Lock on Variable State variable policy entry was found and returned
+ successfully.
+ @retval EFI_BAD_BUFFER_SIZE An internal buffer size caused a calculation error.
+ @retval EFI_BUFFER_TOO_SMALL The VariableLockPolicyVariableName buffer is too small for the size needed.
+ The buffer should now point to the size needed.
+ @retval EFI_NOT_READY Variable policy has not yet been initialized.
+ @retval EFI_INVALID_PARAMETER A required pointer argument passed is NULL. This will be returned if
+ VariableLockPolicyVariableName is non-NULL and
+ VariableLockPolicyVariableNameBufferSize is NULL.
+ @retval EFI_NOT_FOUND A Lock on Variable State variable policy was not found for the given UEFI
+ variable name and vendor GUID.
+
+**/
+typedef
+EFI_STATUS
+(EFIAPI *GET_LOCK_ON_VARIABLE_STATE_VARIABLE_POLICY_INFO)(
+ IN CONST CHAR16 *VariableName,
+ IN CONST EFI_GUID *VendorGuid,
+ IN OUT UINTN *VariableLockPolicyVariableNameBufferSize OPTIONAL,
+ OUT VARIABLE_LOCK_ON_VAR_STATE_POLICY *VariablePolicy,
+ OUT CHAR16 *VariableLockPolicyVariableName OPTIONAL
+ );
+
typedef struct {
- UINT64 Revision;
- DISABLE_VARIABLE_POLICY DisableVariablePolicy;
- IS_VARIABLE_POLICY_ENABLED IsVariablePolicyEnabled;
- REGISTER_VARIABLE_POLICY RegisterVariablePolicy;
- DUMP_VARIABLE_POLICY DumpVariablePolicy;
- LOCK_VARIABLE_POLICY LockVariablePolicy;
+ UINT64 Revision;
+ DISABLE_VARIABLE_POLICY DisableVariablePolicy;
+ IS_VARIABLE_POLICY_ENABLED IsVariablePolicyEnabled;
+ REGISTER_VARIABLE_POLICY RegisterVariablePolicy;
+ DUMP_VARIABLE_POLICY DumpVariablePolicy;
+ LOCK_VARIABLE_POLICY LockVariablePolicy;
+ GET_VARIABLE_POLICY_INFO GetVariablePolicyInfo;
+ GET_LOCK_ON_VARIABLE_STATE_VARIABLE_POLICY_INFO GetLockOnVariableStateVariablePolicyInfo;
} _EDKII_VARIABLE_POLICY_PROTOCOL;
typedef _EDKII_VARIABLE_POLICY_PROTOCOL EDKII_VARIABLE_POLICY_PROTOCOL;
diff --git a/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf b/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
index 3fe6043bf631..7048d555f0a9 100644
--- a/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
+++ b/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
@@ -32,6 +32,7 @@ [Packages]
[LibraryClasses]
+ BaseLib
DebugLib
BaseMemoryLib
MemoryAllocationLib
--
2.42.0.windows.2
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#110340): https://edk2.groups.io/g/devel/message/110340
Mute This Topic: https://groups.io/mt/102284381/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-
next prev parent reply other threads:[~2023-10-30 20:31 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-30 20:31 [edk2-devel] [PATCH v3 0/4] Add Variable Policy Audit App and Shell Command Michael Kubacki
2023-10-30 20:31 ` Michael Kubacki [this message]
2023-10-30 20:31 ` [edk2-devel] [PATCH v3 2/4] ShellPkg: Add varpolicy dynamic shell command and app Michael Kubacki
2023-10-30 20:31 ` [edk2-devel] [PATCH v3 3/4] OvmfPkg: Add varpolicy shell command Michael Kubacki
2023-10-30 20:31 ` [edk2-devel] [PATCH v3 4/4] ArmVirtPkg: " Michael Kubacki
2023-10-30 22:36 ` Ard Biesheuvel
2023-10-31 13:43 ` Laszlo Ersek
2023-10-31 15:24 ` Laszlo Ersek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231030203112.736-2-mikuback@linux.microsoft.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox