From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by spool.mail.gandi.net (Postfix) with ESMTPS id 18799740034 for ; Fri, 10 Nov 2023 05:38:44 +0000 (UTC) DKIM-Signature: a=rsa-sha256; bh=NaJEfQl+xqje27+91Cj4Hq2/RO3SJGpe9N6c2DxAcps=; c=relaxed/simple; d=groups.io; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Transfer-Encoding; s=20140610; t=1699594723; v=1; b=OuUAfimNcwlvc1nofwT+FFFA5ZqnPEU/s5mh2ELogW4c/yoCIfKVgLIS36ov3iTxIy5/udnb VsklRfYd4kiw3PsIt9hv5qDpPI2IVDFpfH0LWlC/7OE9lbJt2zn8iFy09mjsMIDesVexTU1I0Jd SHYgHnSZiG/O6jxtqrIQM5L4= X-Received: by 127.0.0.2 with SMTP id qOJgYY7687511xxTlqbxjro4; Thu, 09 Nov 2023 21:38:43 -0800 X-Received: from mgamail.intel.com (mgamail.intel.com [192.55.52.136]) by mx.groups.io with SMTP id smtpd.web10.22024.1699594719724989071 for ; Thu, 09 Nov 2023 21:38:43 -0800 X-IronPort-AV: E=McAfee;i="6600,9927,10889"; a="369467479" X-IronPort-AV: E=Sophos;i="6.03,291,1694761200"; d="scan'208";a="369467479" X-Received: from orsmga005.jf.intel.com ([10.7.209.41]) by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 09 Nov 2023 21:38:42 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10889"; a="937085602" X-IronPort-AV: E=Sophos;i="6.03,291,1694761200"; d="scan'208";a="937085602" X-Received: from shpfwdbuild003.ccr.corp.intel.com ([10.239.56.82]) by orsmga005.jf.intel.com with ESMTP; 09 Nov 2023 21:38:40 -0800 From: "Xu, Wei6" To: devel@edk2.groups.io Cc: Wei6 Xu , Dandan Bi , Nate DeSimone , Liming Gao Subject: [edk2-devel] [PATCH edk2-platforms 1/1] UserAuthFeaturePkg/UserAuthenticationSmm: Support Standalone MM. Date: Fri, 10 Nov 2023 13:37:47 +0800 Message-Id: <8e840c90bdeead468bcfc156ab0d62b3faa1a1c3.1699594213.git.wei6.xu@intel.com> In-Reply-To: References: MIME-Version: 1.0 Precedence: Bulk List-Subscribe: List-Help: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,wei6.xu@intel.com List-Unsubscribe-Post: List-Unsubscribe=One-Click List-Unsubscribe: X-Gm-Message-State: En6iE9MzwerO8rh2L7wzdDZmx7686176AA= Content-Transfer-Encoding: 8bit X-GND-Status: LEGIT Authentication-Results: spool.mail.gandi.net; dkim=pass header.d=groups.io header.s=20140610 header.b=OuUAfimN; dmarc=fail reason="SPF not aligned (relaxed), DKIM not aligned (relaxed)" header.from=intel.com (policy=none); spf=pass (spool.mail.gandi.net: domain of bounce@groups.io designates 66.175.222.108 as permitted sender) smtp.mailfrom=bounce@groups.io Refactor UserAuthenticationSmm to support Standalone MM. - Factor out variable lock code logic that references boot services. - UserAuthenticationVariableLockDxe is added to lock the variables. - UserAuthenticationStandaloneMm doesn't lock the variables, needs to reply on UserAuthenticationVariableLockDxe to do the lock. - UserAuthenticationSmm still locks the variables by itself, no need to include UserAuthenticationVariableLockDxe. - Register gEfiEventExitBootServicesGuid notify which is used by the StandaloneMmCore. Since gEdkiiVariableLockProtocolGuid is a deprecated interface, use gEdkiiVariablePolicyProtocolGuid to lock password variables instead. Cc: Dandan Bi Cc: Nate DeSimone Cc: Liming Gao Signed-off-by: Wei6 Xu --- .../Include/UserAuthFeature.dsc | 2 + .../UserAuthenticationSmm.c | 38 ++++----- .../UserAuthenticationSmm.h | 26 +++--- .../UserAuthenticationSmm.inf | 11 ++- .../UserAuthenticationStandaloneMm.c | 43 ++++++++++ .../UserAuthenticationStandaloneMm.inf | 58 +++++++++++++ .../UserAuthenticationTraditionalMm.c | 28 +++++++ .../UserAuthenticationVariable.h | 36 ++++++++ .../UserAuthenticationVariableLock.c | 84 +++++++++++++++++++ .../UserAuthenticationVariableLockDxe.c | 31 +++++++ .../UserAuthenticationVariableLockDxe.inf | 42 ++++++++++ 11 files changed, 359 insertions(+), 40 deletions(-) create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMm.c create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMm.inf create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationTraditionalMm.c create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariable.h create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLock.c create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLockDxe.c create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLockDxe.inf diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/Include/UserAuthFeature.dsc b/Features/Intel/UserInterface/UserAuthFeaturePkg/Include/UserAuthFeature.dsc index 2f39a5580caf..d772b213aaeb 100644 --- a/Features/Intel/UserInterface/UserAuthFeaturePkg/Include/UserAuthFeature.dsc +++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/Include/UserAuthFeature.dsc @@ -75,3 +75,5 @@ UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationDxe.inf UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthentication2Dxe.inf UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.inf + UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMm.inf + UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLockDxe.inf diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.c b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.c index 16e3405a82ef..89515ea11e85 100644 --- a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.c +++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.c @@ -642,7 +642,7 @@ UaExitBootServices ( { DEBUG ((DEBUG_INFO, "Unregister User Authentication Smi\n")); - gSmst->SmiHandlerUnRegister(mSmmHandle); + gMmst->MmiHandlerUnRegister(mSmmHandle); return EFI_SUCCESS; } @@ -657,54 +657,44 @@ UaExitBootServices ( **/ EFI_STATUS -EFIAPI PasswordSmmInit ( - IN EFI_HANDLE ImageHandle, - IN EFI_SYSTEM_TABLE *SystemTable + VOID ) { EFI_STATUS Status; - EDKII_VARIABLE_LOCK_PROTOCOL *VariableLock; - CHAR16 PasswordHistoryName[sizeof(USER_AUTHENTICATION_VAR_NAME)/sizeof(CHAR16) + 5]; - UINTN Index; EFI_EVENT ExitBootServicesEvent; EFI_EVENT LegacyBootEvent; + EFI_EVENT SmmExitBootServicesEvent; ASSERT (PASSWORD_HASH_SIZE == SHA256_DIGEST_SIZE); ASSERT (PASSWORD_HISTORY_CHECK_COUNT < 0xFFFF); - Status = gSmst->SmmLocateProtocol (&gEfiSmmVariableProtocolGuid, NULL, (VOID**)&mSmmVariable); + Status = gMmst->MmLocateProtocol (&gEfiSmmVariableProtocolGuid, NULL, (VOID**)&mSmmVariable); ASSERT_EFI_ERROR (Status); // // Make password variables read-only for DXE driver for security concern. // - Status = gBS->LocateProtocol (&gEdkiiVariableLockProtocolGuid, NULL, (VOID **) &VariableLock); - if (!EFI_ERROR (Status)) { - Status = VariableLock->RequestToLock (VariableLock, USER_AUTHENTICATION_VAR_NAME, &gUserAuthenticationGuid); - ASSERT_EFI_ERROR (Status); - - for (Index = 1; Index <= PASSWORD_HISTORY_CHECK_COUNT; Index++) { - UnicodeSPrint (PasswordHistoryName, sizeof (PasswordHistoryName), L"%s%04x", USER_AUTHENTICATION_VAR_NAME, Index); - Status = VariableLock->RequestToLock (VariableLock, PasswordHistoryName, &gUserAuthenticationGuid); - ASSERT_EFI_ERROR (Status); - } - Status = VariableLock->RequestToLock (VariableLock, USER_AUTHENTICATION_HISTORY_LAST_VAR_NAME, &gUserAuthenticationGuid); - ASSERT_EFI_ERROR (Status); + Status = LockPasswordVariable (); + ASSERT_EFI_ERROR (Status); + if (EFI_ERROR (Status)) { + return Status; } - Status = gSmst->SmiHandlerRegister (SmmPasswordHandler, &gUserAuthenticationGuid, &mSmmHandle); + Status = gMmst->MmiHandlerRegister (SmmPasswordHandler, &gUserAuthenticationGuid, &mSmmHandle); ASSERT_EFI_ERROR (Status); if (EFI_ERROR (Status)) { return Status; } // - // Register for SmmExitBootServices and SmmLegacyBoot notification. + // Register for SmmExitBootServices, SmmLegacyBoot and EventExitBootServices notification. // - Status = gSmst->SmmRegisterProtocolNotify (&gEdkiiSmmExitBootServicesProtocolGuid, UaExitBootServices, &ExitBootServicesEvent); + Status = gMmst->MmRegisterProtocolNotify (&gEdkiiSmmExitBootServicesProtocolGuid, UaExitBootServices, &SmmExitBootServicesEvent); + ASSERT_EFI_ERROR (Status); + Status = gMmst->MmRegisterProtocolNotify (&gEdkiiSmmLegacyBootProtocolGuid, UaExitBootServices, &LegacyBootEvent); ASSERT_EFI_ERROR (Status); - Status = gSmst->SmmRegisterProtocolNotify (&gEdkiiSmmLegacyBootProtocolGuid, UaExitBootServices, &LegacyBootEvent); + Status = gMmst->MmRegisterProtocolNotify (&gEfiEventExitBootServicesGuid, UaExitBootServices, &ExitBootServicesEvent); ASSERT_EFI_ERROR (Status); if (IsPasswordCleared()) { diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.h b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.h index 47bb95529fa7..5bb1268673b0 100644 --- a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.h +++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.h @@ -9,7 +9,7 @@ #ifndef __USER_AUTHENTICATION_SMM_H__ #define __USER_AUTHENTICATION_SMM_H__ -#include +#include #include #include @@ -21,26 +21,17 @@ #include #include #include -#include +#include #include -#include #include #include #include "KeyService.h" +#include "UserAuthenticationVariable.h" #define PASSWORD_SALT_SIZE 32 #define PASSWORD_HASH_SIZE 32 // SHA256_DIGEST_SIZE -#define PASSWORD_MAX_TRY_COUNT 3 -#define PASSWORD_HISTORY_CHECK_COUNT 5 - -// -// Name of the variable -// -#define USER_AUTHENTICATION_VAR_NAME L"Password" -#define USER_AUTHENTICATION_HISTORY_LAST_VAR_NAME L"PasswordLast" - // // Variable storage // @@ -49,4 +40,15 @@ typedef struct { UINT8 PasswordSalt[PASSWORD_SALT_SIZE]; } USER_PASSWORD_VAR_STRUCT; +/** + Password Smm Init. + + @retval EFI_SUCESS This function always complete successfully. + +**/ +EFI_STATUS +PasswordSmmInit ( + VOID + ); + #endif diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.inf b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.inf index b53f70f0e319..b41a7ee8a3f1 100644 --- a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.inf +++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.inf @@ -15,13 +15,15 @@ MODULE_TYPE = DXE_SMM_DRIVER VERSION_STRING = 1.0 PI_SPECIFICATION_VERSION = 0x0001000A - ENTRY_POINT = PasswordSmmInit + ENTRY_POINT = UserAuthenticationMmEntry [Sources] UserAuthenticationSmm.c + UserAuthenticationTraditionalMm.c UserAuthenticationSmm.h KeyService.c KeyService.h + UserAuthenticationVariableLock.c [Packages] MdePkg/MdePkg.dec @@ -36,17 +38,18 @@ BaseLib BaseMemoryLib PrintLib - SmmServicesTableLib + MmServicesTableLib MemoryAllocationLib - UefiLib BaseCryptLib PlatformPasswordLib + VariablePolicyHelperLib [Guids] gUserAuthenticationGuid ## CONSUMES ## GUID + gEfiEventExitBootServicesGuid ## CONSUMES ## Event [Protocols] - gEdkiiVariableLockProtocolGuid ## CONSUMES + gEdkiiVariablePolicyProtocolGuid ## CONSUMES gEfiSmmVariableProtocolGuid ## CONSUMES gEdkiiSmmExitBootServicesProtocolGuid ## CONSUMES gEdkiiSmmLegacyBootProtocolGuid ## CONSUMES diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMm.c b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMm.c new file mode 100644 index 000000000000..7a767ccabf2f --- /dev/null +++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMm.c @@ -0,0 +1,43 @@ +/** @file + Entry point of UserAuthenticationStandaloneMm. + + Copyright (c) 2023, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "UserAuthenticationSmm.h" + +/** + NULL implement for Lock password variables. + Relies on UserAuthenticationVariableLockDxe to lock the password variables. + + @retval EFI_SUCCESS Always return success. + +**/ +EFI_STATUS +LockPasswordVariable ( + VOID + ) +{ + return EFI_SUCCESS; +} + +/** + Main entry for this driver. + + @param ImageHandle Image handle this driver. + @param SystemTable Pointer to SystemTable. + + @retval EFI_SUCESS This function always complete successfully. + +**/ +EFI_STATUS +EFIAPI +UserAuthenticationMmEntry ( + IN EFI_HANDLE ImageHandle, + IN EFI_MM_SYSTEM_TABLE *SystemTable + ) +{ + return PasswordSmmInit (); +} diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMm.inf b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMm.inf new file mode 100644 index 000000000000..f7d9a045001e --- /dev/null +++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMm.inf @@ -0,0 +1,58 @@ +## @file +# User Authentication Standalone Mm Driver. +# +# This driver provides SMM services for DXE user authentication module. +# This Standalone Mm driver lacks of the ability to lock the password +# variables. Need to reply on UserAuthenticationVariableLockDxe to lock +# the variables. +# +# Copyright (c) 2023, Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = UserAuthenticationStandaloneMm + FILE_GUID = 80130611-a67a-4631-becb-87ce22d6f165 + MODULE_TYPE = MM_STANDALONE + VERSION_STRING = 1.0 + PI_SPECIFICATION_VERSION = 0x00010032 + ENTRY_POINT = UserAuthenticationMmEntry + +[Sources] + UserAuthenticationSmm.c + UserAuthenticationStandaloneMm.c + UserAuthenticationSmm.h + KeyService.c + KeyService.h + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + CryptoPkg/CryptoPkg.dec + UserAuthFeaturePkg/UserAuthFeaturePkg.dec + +[LibraryClasses] + StandaloneMmDriverEntryPoint + DebugLib + BaseLib + BaseMemoryLib + PrintLib + MmServicesTableLib + MemoryAllocationLib + BaseCryptLib + PlatformPasswordLib + +[Guids] + gUserAuthenticationGuid ## CONSUMES ## GUID + gEfiEventExitBootServicesGuid ## CONSUMES ## Event + +[Protocols] + gEdkiiVariableLockProtocolGuid ## CONSUMES + gEfiSmmVariableProtocolGuid ## CONSUMES + gEdkiiSmmExitBootServicesProtocolGuid ## CONSUMES + gEdkiiSmmLegacyBootProtocolGuid ## CONSUMES + +[Depex] + gEfiSmmVariableProtocolGuid diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationTraditionalMm.c b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationTraditionalMm.c new file mode 100644 index 000000000000..1514d78f1946 --- /dev/null +++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationTraditionalMm.c @@ -0,0 +1,28 @@ +/** @file + Entry point of UserAuthenticationSmm. + + Copyright (c) 2023, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "UserAuthenticationSmm.h" + +/** + Main entry for this driver. + + @param[in] ImageHandle Image handle this driver. + @param[in] SystemTable Pointer to SystemTable. + + @retval EFI_SUCESS This function always complete successfully. + +**/ +EFI_STATUS +EFIAPI +UserAuthenticationMmEntry ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + return PasswordSmmInit (); +} diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariable.h b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariable.h new file mode 100644 index 000000000000..3b249e06d848 --- /dev/null +++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariable.h @@ -0,0 +1,36 @@ +/** @file + Header file for definition of User Authentication Variable. + + Copyright (c) 2023, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef USER_AUTHENTICATION_VARIABLE_H_ +#define USER_AUTHENTICATION_VARIABLE_H_ + +#define PASSWORD_MAX_TRY_COUNT 3 +#define PASSWORD_HISTORY_CHECK_COUNT 5 + +// +// Name of the variable +// +#define USER_AUTHENTICATION_VAR_NAME L"Password" +#define USER_AUTHENTICATION_HISTORY_LAST_VAR_NAME L"PasswordLast" + +/** + Lock password variables for security concern. + + @retval EFI_SUCCESS Succeed to lock variable. + @retval EFI_NOT_FOUND Variable Lock protocol is not found. + @retval EFI_ACCESS_DENIED EFI_END_OF_DXE_EVENT_GROUP_GUID or EFI_EVENT_GROUP_READY_TO_BOOT has + already been signaled. + @retval EFI_OUT_OF_RESOURCES There is not enough resource to hold the lock request. + +**/ +EFI_STATUS +LockPasswordVariable ( + VOID + ); + +#endif diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLock.c b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLock.c new file mode 100644 index 000000000000..dd43991fe711 --- /dev/null +++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLock.c @@ -0,0 +1,84 @@ +/** @file + Source code to lock password variables. + + Copyright (c) 2023, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include + +#include + +#include +#include +#include +#include + +#include + +#include "UserAuthenticationVariable.h" + +/** + Lock password variables for security concern. + + @retval EFI_SUCCESS Succeed to lock variable. + @retval EFI_NOT_FOUND Variable Lock protocol is not found. + @retval EFI_ACCESS_DENIED EFI_END_OF_DXE_EVENT_GROUP_GUID or EFI_EVENT_GROUP_READY_TO_BOOT has + already been signaled. + @retval EFI_OUT_OF_RESOURCES There is not enough resource to hold the lock request. + +**/ +EFI_STATUS +LockPasswordVariable ( + VOID + ) +{ + EFI_STATUS Status; + CHAR16 PasswordHistoryName[sizeof (USER_AUTHENTICATION_VAR_NAME)/sizeof (CHAR16) + 5]; + UINTN Index; + EDKII_VARIABLE_POLICY_PROTOCOL *VariablePolicy; + + Status = gBS->LocateProtocol (&gEdkiiVariablePolicyProtocolGuid, NULL, (VOID **)&VariablePolicy); + if (!EFI_ERROR (Status)) { + Status = RegisterBasicVariablePolicy ( + VariablePolicy, + &gUserAuthenticationGuid, + USER_AUTHENTICATION_VAR_NAME, + VARIABLE_POLICY_NO_MIN_SIZE, + VARIABLE_POLICY_NO_MAX_SIZE, + VARIABLE_POLICY_NO_MUST_ATTR, + VARIABLE_POLICY_NO_CANT_ATTR, + VARIABLE_POLICY_TYPE_LOCK_NOW + ); + ASSERT_EFI_ERROR (Status); + for (Index = 1; Index <= PASSWORD_HISTORY_CHECK_COUNT; Index++) { + UnicodeSPrint (PasswordHistoryName, sizeof (PasswordHistoryName), L"%s%04x", USER_AUTHENTICATION_VAR_NAME, Index); + Status = RegisterBasicVariablePolicy ( + VariablePolicy, + &gUserAuthenticationGuid, + PasswordHistoryName, + VARIABLE_POLICY_NO_MIN_SIZE, + VARIABLE_POLICY_NO_MAX_SIZE, + VARIABLE_POLICY_NO_MUST_ATTR, + VARIABLE_POLICY_NO_CANT_ATTR, + VARIABLE_POLICY_TYPE_LOCK_NOW + ); + ASSERT_EFI_ERROR (Status); + } + + Status = RegisterBasicVariablePolicy ( + VariablePolicy, + &gUserAuthenticationGuid, + USER_AUTHENTICATION_HISTORY_LAST_VAR_NAME, + VARIABLE_POLICY_NO_MIN_SIZE, + VARIABLE_POLICY_NO_MAX_SIZE, + VARIABLE_POLICY_NO_MUST_ATTR, + VARIABLE_POLICY_NO_CANT_ATTR, + VARIABLE_POLICY_TYPE_LOCK_NOW + ); + ASSERT_EFI_ERROR (Status); + } + + return Status; +} diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLockDxe.c b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLockDxe.c new file mode 100644 index 000000000000..7919feacc9e7 --- /dev/null +++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLockDxe.c @@ -0,0 +1,31 @@ +/** @file + This Driver mainly locks password variables. + + Copyright (c) 2023, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include + +#include "UserAuthenticationVariable.h" + +/** + User Authentication Variable Lock entry point. + + @param[in] ImageHandle The image handle. + @param[in] SystemTable The system table. + + @retval EFI_SUCCESS The entry point is executed successfully. + @return other Contain some other errors. + +**/ +EFI_STATUS +EFIAPI +UserAuthenticationVariableLockEntry ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + return LockPasswordVariable (); +} diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLockDxe.inf b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLockDxe.inf new file mode 100644 index 000000000000..3959686647f9 --- /dev/null +++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLockDxe.inf @@ -0,0 +1,42 @@ +## @file +# User Authentication Variable Lock Dxe Driver. +# +# This Driver mainly locks the password variable. +# +# Copyright (c) 2023, Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = UserAuthenticationVariableLockDxe + FILE_GUID = 08fc98fb-1cec-45c6-ad02-542096191054 + MODULE_TYPE = DXE_DRIVER + VERSION_STRING = 1.0 + ENTRY_POINT = UserAuthenticationVariableLockEntry + +[Sources] + UserAuthenticationVariableLockDxe.c + UserAuthenticationVariableLock.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + UserAuthFeaturePkg/UserAuthFeaturePkg.dec + +[LibraryClasses] + UefiBootServicesTableLib + UefiDriverEntryPoint + DebugLib + PrintLib + VariablePolicyHelperLib + +[Guids] + gUserAuthenticationGuid ## CONSUMES ## GUID + +[Protocols] + gEdkiiVariablePolicyProtocolGuid ## CONSUMES + +[Depex] + gEdkiiVariableLockProtocolGuid -- 2.29.2.windows.2 -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#111015): https://edk2.groups.io/g/devel/message/111015 Mute This Topic: https://groups.io/mt/102502210/7686176 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io] -=-=-=-=-=-=-=-=-=-=-=-