From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (NAM10-BN7-obe.outbound.protection.outlook.com [40.107.92.94])
 by mx.groups.io with SMTP id smtpd.web10.2536.1592379285777991422
 for <devel@edk2.groups.io>;
 Wed, 17 Jun 2020 00:34:46 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@microsoft.com header.s=selector2 header.b=iXc5YH+6;
 spf=pass (domain: microsoft.com, ip: 40.107.92.94, mailfrom: bret.barkelew@microsoft.com)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=W3Fo3UO1r7sk9qIeX4i6hvgbGkLUQTr2WX0BLaWqctEPv3Nn/Vyvv0QsLMYy2W4F57zETaeeRnnYUliOou5npKKNYlNCpRluzgIkVWvjDMk/5vytm7tmMtTGsUvBx8BUvmf8fGCYJw4BEGTTqhtt3rP6nUToYD1MX33MlQDuaca0pwR/o/WQygNOVPXOkOnK2Vv32fR8ue8zYDRowx9yUy8jV0nH4MTodCQBvIlOQKEIOg3Pno9gHl573+Gm6jwmXvN7XfKrcrW6z9ZZTaInAl+2Ut+xMJBTw4UR6gXdN35BU4exwMR6kIf/RCTjMYR0BOmFcJsd9YbD+IfFtW8UVg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=eG0VfWVGNFggzeXkGqUSuIl7/kxquK1C5HO4ZuQD3dY=;
 b=m+JOaXS764bdp+ZxxC5/C8XKmkhzNYwSnIrbrT1Dpxh7c587stulPoezwMgAtu1M+ZvzjTbGUWr7aU1fp9SfTi8VsTrS+ZfrsBxyMN6bmGfbPwF7VwXEpApYtuUKl/CB7vGDXVy1oOysDFUboYAfZyWBv4PS5fjFHdcrxfL5GP4TY1KzDwFayNyd9TG3N+0chuH5YKCPjmIECFX1b9sdy/npeiLPT+9usA9aYA4J+QPtZfd3HhI9XWC1jnzrg7cadmZUou7txirXTuoD4NqEknVEg1gXMnaJPYmsTzshyl7i+LyDyu8rKNRSKJtkUPCXCkvvBSxOof8HoLUn5e+Qog==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=microsoft.com; dmarc=pass action=none
 header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=selector2;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=eG0VfWVGNFggzeXkGqUSuIl7/kxquK1C5HO4ZuQD3dY=;
 b=iXc5YH+6Yce7jZht0/Bww7n9/jmbw+iRvvt2mxKKwd6nwwIxxei+fExZfFabY18MHUBuA4p+vWhFKHrmQDOMmZms0zWw317xG/ydtxTj9XGa/LGJYhLDlfAV6fWTno0lLDPjLyYanabLQ7aKu4SWP/EseO9NROBADq5Vi+/MU5g=
Received: from CY4PR21MB0743.namprd21.prod.outlook.com (2603:10b6:903:b2::9)
 by CY4PR2101MB0865.namprd21.prod.outlook.com (2603:10b6:910:8a::18) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3131.9; Wed, 17 Jun
 2020 07:34:44 +0000
Received: from CY4PR21MB0743.namprd21.prod.outlook.com
 ([fe80::4ef:d9e:62c:f319]) by CY4PR21MB0743.namprd21.prod.outlook.com
 ([fe80::f112:82fb:d4fd:f7dd%10]) with mapi id 15.20.3131.009; Wed, 17 Jun
 2020 07:34:44 +0000
From: "Bret Barkelew" <bret.barkelew@microsoft.com>
To: "devel@edk2.groups.io" <devel@edk2.groups.io>, "bret@corthon.com"
	<bret@corthon.com>
CC: "Yao, Jiewen" <jiewen.yao@intel.com>, Jian J Wang <jian.j.wang@intel.com>,
	Chao Zhang <chao.b.zhang@intel.com>
Subject: Re: [EXTERNAL] [edk2-devel] [PATCH v5 11/14] SecurityPkg: Allow VariablePolicy state to delete authenticated variables
Thread-Topic: [EXTERNAL] [edk2-devel] [PATCH v5 11/14] SecurityPkg: Allow
 VariablePolicy state to delete authenticated variables
Thread-Index: AQHWOYyvogVuV+jst0urSs26qjxDMqjcgG0q
Date: Wed, 17 Jun 2020 07:34:44 +0000
Message-ID: 
 <CY4PR21MB0743BF3C971F9C59B0400C0AEF9A0@CY4PR21MB0743.namprd21.prod.outlook.com>
References: 
 <20200603065810.806-1-brbarkel@microsoft.com>,<20200603065810.806-12-brbarkel@microsoft.com>
In-Reply-To: <20200603065810.806-12-brbarkel@microsoft.com>
Accept-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
msip_labels: 
 MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-06-17T07:34:41.778Z;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard;
authentication-results: edk2.groups.io; dkim=none (message not signed)
 header.d=none;edk2.groups.io; dmarc=none action=none
 header.from=microsoft.com;
x-originating-ip: [71.212.143.8]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 91a0fcd6-e367-4932-a65b-08d81290e792
x-ms-traffictypediagnostic: CY4PR2101MB0865:
x-ld-processed: 72f988bf-86f1-41af-91ab-2d7cd011db47,ExtAddr
x-microsoft-antispam-prvs: 
 <CY4PR2101MB0865D0597004378661C5D206EF9A0@CY4PR2101MB0865.namprd21.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8273;
x-forefront-prvs: 04371797A5
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 
 ezMrXHLfu9V5CE52uKWBp9KXBquaXksVdsVxJaRmF4/HSvFFue4UKBxPFaNviuDwKDHPB6kbiTJYidT0yam5FnNZd+2nqwQaq0pJTNozSZNKfuCs/LmkNvmS2iSMY1BKjOtCzTpVJnciUvCtOT+i7XGmYeOuDe8rd05wlH9HjcUO01lTvMya5NmuqeXFRJP4mXYp+9ASewS0gHjA/MDZeje7QNwASsz0sfvswLyPF7Yv1mBRvVrvbVaOAT21J5jVHZA34YRuEPK6dpWzjar65quZSedyCTxz/87xZs0f5I+oTmwMJhlwQpuBb7pO1sH2t8wMR0TTGN6b8WoNkl/cGuDirGnMwr9epFeEhuMI6m1UXLE6WnC7FVjuL0vbn3/J1ZiGZ0fu79T9Z0uTlvvDcw==
x-forefront-antispam-report: 
 CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:CY4PR21MB0743.namprd21.prod.outlook.com;PTR:;CAT:NONE;SFTY:;SFS:(4636009)(396003)(366004)(376002)(39860400002)(346002)(136003)(91956017)(76116006)(66446008)(66946007)(64756008)(66476007)(66556008)(82950400001)(82960400001)(5660300002)(166002)(7696005)(52536014)(110136005)(54906003)(33656002)(71200400001)(83380400001)(966005)(478600001)(2906002)(53546011)(8676002)(8990500004)(26005)(15650500001)(10290500003)(55016002)(186003)(4326008)(6506007)(8936002)(9686003)(316002)(19627405001)(86362001);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata: 
 yNHhwDvmmbwqlwd+nq76p9YLtDypZVw1An5cZygOb2a6kiKABWl/JiaRhdlfqjUMRQQZiLq4mG6nzQpqv9F0h4ySNlLeu3LXk+7wXkizE8kXxh7WeqpUx+1xHkjUm0QBxxwRo05HHnWLbrIPI7KcrbHbu1YrYn768eOvyDPt8JknqCFDGDH3BfvZfJGoE9vA7Kez5HunsNGYcMAIAa+Qzy7JCn4kGiAxvqf6pFquAkj8pqGPOAiiG79j9tvttx4rPQ/zkzQYSTLuWcF3beKXAaaMI1tFUNZ9g2Qa9i3qb5l2puVoGvHCjLz0QQ9oH1T+FATlxYjt+NyPCFkaL1D5yUYcdIzYmHkgWK60wSZUU823aMja9jKxlcUQ20+fekuex9rTiwQ5HjSS6H8NkkMwMExReSA2rXvKNrAOPoQfbuVMRhDgiPDlVZqfo3K7DYJ5pfC4vliNWnc5s6o7TPQ6zYwz74E2a6yCG2m/gDufUWQ=
x-ms-exchange-transport-forked: True
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CY4PR21MB0743.namprd21.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 91a0fcd6-e367-4932-a65b-08d81290e792
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Jun 2020 07:34:44.1643
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: tSMHF5gNs9zUO128YWiiORvBL3Nm+XSewlCwUVdRR+Eo50yv9TFnCQZAopeT3g/AImQ1VJRWvMS5r9lomGzSBQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR2101MB0865
Content-Language: en-US
Content-Type: multipart/alternative;
	boundary="_000_CY4PR21MB0743BF3C971F9C59B0400C0AEF9A0CY4PR21MB0743namp_"

--_000_CY4PR21MB0743BF3C971F9C59B0400C0AEF9A0CY4PR21MB0743namp_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Bump. This specific patch needs Reviews.


- Bret

________________________________
From: devel@edk2.groups.io <devel@edk2.groups.io> on behalf of Bret Barkele=
w via groups.io <bret=3Dcorthon.com@groups.io>
Sent: Tuesday, June 2, 2020 11:58 PM
To: devel@edk2.groups.io <devel@edk2.groups.io>
Cc: Yao, Jiewen <jiewen.yao@intel.com>; Jian J Wang <jian.j.wang@intel.com>=
; Chao Zhang <chao.b.zhang@intel.com>
Subject: [EXTERNAL] [edk2-devel] [PATCH v5 11/14] SecurityPkg: Allow Variab=
lePolicy state to delete authenticated variables

https://nam06.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fbugzill=
a.tianocore.org%2Fshow_bug.cgi%3Fid%3D2522&amp;data=3D02%7C01%7CBret.Barkel=
ew%40microsoft.com%7C2d4a699617424da6381f08d807a3d094%7C72f988bf86f141af91a=
b2d7cd011db47%7C1%7C0%7C637267747454210698&amp;sdata=3D10egANvpHPv6bNbdaNyL=
4%2F3tOk9eG03HUKCADhQix68%3D&amp;reserved=3D0

Causes AuthService to check
IsVariablePolicyEnabled() before enforcing
write protections to allow variable deletion
when policy engine is disabled.

Only allows deletion, not modification.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Bret Barkelew <brbarkel@microsoft.com>
Signed-off-by: Bret Barkelew <brbarkel@microsoft.com>
---
 SecurityPkg/Library/AuthVariableLib/AuthService.c       | 22 +++++++++++++=
+++----
 SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf |  2 ++
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPk=
g/Library/AuthVariableLib/AuthService.c
index 2f60331f2c04..aca9a5620c28 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@@ -19,12 +19,16 @@
   to verify the signature.



 Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>

+Copyright (c) Microsoft Corporation.

 SPDX-License-Identifier: BSD-2-Clause-Patent



 **/



 #include "AuthServiceInternal.h"



+#include <Protocol/VariablePolicy.h>

+#include <Library/VariablePolicyLib.h>

+

 //

 // Public Exponent of RSA Key.

 //

@@ -217,9 +221,12 @@ NeedPhysicallyPresent(
   IN     EFI_GUID       *VendorGuid

   )

 {

-  if ((CompareGuid (VendorGuid, &gEfiSecureBootEnableDisableGuid) && (StrC=
mp (VariableName, EFI_SECURE_BOOT_ENABLE_NAME) =3D=3D 0))

-    || (CompareGuid (VendorGuid, &gEfiCustomModeEnableGuid) && (StrCmp (Va=
riableName, EFI_CUSTOM_MODE_NAME) =3D=3D 0))) {

-    return TRUE;

+  // If the VariablePolicy engine is disabled, allow deletion of any authe=
nticated variables.

+  if (IsVariablePolicyEnabled()) {

+    if ((CompareGuid (VendorGuid, &gEfiSecureBootEnableDisableGuid) && (St=
rCmp (VariableName, EFI_SECURE_BOOT_ENABLE_NAME) =3D=3D 0))

+      || (CompareGuid (VendorGuid, &gEfiCustomModeEnableGuid) && (StrCmp (=
VariableName, EFI_CUSTOM_MODE_NAME) =3D=3D 0))) {

+      return TRUE;

+    }

   }



   return FALSE;

@@ -842,7 +849,8 @@ ProcessVariable (
              &OrgVariableInfo

              );



-  if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable (OrgVariableInfo.Attri=
butes, Data, DataSize, Attributes) && UserPhysicalPresent()) {

+  // If the VariablePolicy engine is disabled, allow deletion of any authe=
nticated variables.

+  if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable (OrgVariableInfo.Attri=
butes, Data, DataSize, Attributes) && (UserPhysicalPresent() || !IsVariable=
PolicyEnabled())) {

     //

     // Allow the delete operation of common authenticated variable(AT or A=
W) at user physical presence.

     //

@@ -1960,6 +1968,12 @@ VerifyTimeBasedPayload (


   CopyMem (Buffer, PayloadPtr, PayloadSize);



+  // If the VariablePolicy engine is disabled, allow deletion of any authe=
nticated variables.

+  if (PayloadSize =3D=3D 0 && (Attributes & EFI_VARIABLE_APPEND_WRITE) =3D=
=3D 0 && !IsVariablePolicyEnabled()) {

+    VerifyStatus =3D TRUE;

+    goto Exit;

+  }

+

   if (AuthVarType =3D=3D AuthVarTypePk) {

     //

     // Verify that the signature has been made with the current Platform K=
ey (no chaining for PK).

diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf b/Secu=
rityPkg/Library/AuthVariableLib/AuthVariableLib.inf
index 8d4ce14df494..8eadeebcebd7 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
@@ -3,6 +3,7 @@
 #

 #  Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>

 #  Copyright (c) 2018, ARM Limited. All rights reserved.<BR>

+#  Copyright (c) Microsoft Corporation.

 #

 #  SPDX-License-Identifier: BSD-2-Clause-Patent

 #

@@ -41,6 +42,7 @@ [LibraryClasses]
   MemoryAllocationLib

   BaseCryptLib

   PlatformSecureLib

+  VariablePolicyLib



 [Guids]

   ## CONSUMES            ## Variable:L"SetupMode"

--
2.26.2.windows.1.8.g01c50adf56.20200515075929


-=3D-=3D-=3D-=3D-=3D-=3D
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#60637): https://nam06.safelinks.protection.outlook.com/=
?url=3Dhttps%3A%2F%2Fedk2.groups.io%2Fg%2Fdevel%2Fmessage%2F60637&amp;data=
=3D02%7C01%7CBret.Barkelew%40microsoft.com%7C2d4a699617424da6381f08d807a3d0=
94%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637267747454210698&amp;sdat=
a=3D%2BAYYshrhsUe22N%2Bq29KTBwBSfPZ%2BKMI%2BHfXnlAC1UDA%3D&amp;reserved=3D0
Mute This Topic: https://nam06.safelinks.protection.outlook.com/?url=3Dhttp=
s%3A%2F%2Fgroups.io%2Fmt%2F74646426%2F1822150&amp;data=3D02%7C01%7CBret.Bar=
kelew%40microsoft.com%7C2d4a699617424da6381f08d807a3d094%7C72f988bf86f141af=
91ab2d7cd011db47%7C1%7C0%7C637267747454210698&amp;sdata=3DmKJ2mIwadixEeJXSP=
litdokFxojYhLgituGitz5Y%2FKQ%3D&amp;reserved=3D0
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://nam06.safelinks.protection.outlook.com/?url=3Dhttps%3A=
%2F%2Fedk2.groups.io%2Fg%2Fdevel%2Funsub&amp;data=3D02%7C01%7CBret.Barkelew=
%40microsoft.com%7C2d4a699617424da6381f08d807a3d094%7C72f988bf86f141af91ab2=
d7cd011db47%7C1%7C0%7C637267747454210698&amp;sdata=3DtAo%2FXEtUjmykPq%2BZgx=
5USuiQdkQyX7pMaTQ%2FMaUCfuE%3D&amp;reserved=3D0  [brbarkel@microsoft.com]
-=3D-=3D-=3D-=3D-=3D-=3D


--_000_CY4PR21MB0743BF3C971F9C59B0400C0AEF9A0CY4PR21MB0743namp_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
<style type=3D"text/css" style=3D"display:none;"> P {margin-top:0;margin-bo=
ttom:0;} </style>
</head>
<body dir=3D"ltr">
<div style=3D"font-family: Calibri, Arial, Helvetica, sans-serif; font-size=
: 12pt; color: rgb(0, 0, 0);">
<span style=3D"font-family: Calibri, Arial, Helvetica, sans-serif; backgrou=
nd-color: rgb(255, 255, 255); display: inline !important">Bump. This specif=
ic patch needs Reviews.</span><br>
</div>
<div>
<div style=3D"font-family: Calibri, Arial, Helvetica, sans-serif; font-size=
: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div id=3D"Signature">
<div>
<div id=3D"divtagdefaultwrapper" dir=3D"ltr" style=3D"font-size:12pt; color=
:#000000; font-family:Calibri,Arial,Helvetica,sans-serif">
<p style=3D"margin-top: 0px; margin-bottom: 0px;">- Bret </p>
</div>
</div>
</div>
</div>
<div id=3D"appendonsend"></div>
<hr style=3D"display:inline-block;width:98%" tabindex=3D"-1">
<div id=3D"divRplyFwdMsg" dir=3D"ltr"><font face=3D"Calibri, sans-serif" st=
yle=3D"font-size:11pt" color=3D"#000000"><b>From:</b> devel@edk2.groups.io =
&lt;devel@edk2.groups.io&gt; on behalf of Bret Barkelew via groups.io &lt;b=
ret=3Dcorthon.com@groups.io&gt;<br>
<b>Sent:</b> Tuesday, June 2, 2020 11:58 PM<br>
<b>To:</b> devel@edk2.groups.io &lt;devel@edk2.groups.io&gt;<br>
<b>Cc:</b> Yao, Jiewen &lt;jiewen.yao@intel.com&gt;; Jian J Wang &lt;jian.j=
.wang@intel.com&gt;; Chao Zhang &lt;chao.b.zhang@intel.com&gt;<br>
<b>Subject:</b> [EXTERNAL] [edk2-devel] [PATCH v5 11/14] SecurityPkg: Allow=
 VariablePolicy state to delete authenticated variables</font>
<div>&nbsp;</div>
</div>
<div class=3D"BodyFragment"><font size=3D"2"><span style=3D"font-size:11pt;=
">
<div class=3D"PlainText"><a href=3D"https://nam06.safelinks.protection.outl=
ook.com/?url=3Dhttps%3A%2F%2Fbugzilla.tianocore.org%2Fshow_bug.cgi%3Fid%3D2=
522&amp;amp;data=3D02%7C01%7CBret.Barkelew%40microsoft.com%7C2d4a699617424d=
a6381f08d807a3d094%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C63726774745=
4210698&amp;amp;sdata=3D10egANvpHPv6bNbdaNyL4%2F3tOk9eG03HUKCADhQix68%3D&am=
p;amp;reserved=3D0">https://nam06.safelinks.protection.outlook.com/?url=3Dh=
ttps%3A%2F%2Fbugzilla.tianocore.org%2Fshow_bug.cgi%3Fid%3D2522&amp;amp;data=
=3D02%7C01%7CBret.Barkelew%40microsoft.com%7C2d4a699617424da6381f08d807a3d0=
94%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637267747454210698&amp;amp;=
sdata=3D10egANvpHPv6bNbdaNyL4%2F3tOk9eG03HUKCADhQix68%3D&amp;amp;reserved=
=3D0</a><br>
<br>
Causes AuthService to check<br>
IsVariablePolicyEnabled() before enforcing<br>
write protections to allow variable deletion<br>
when policy engine is disabled.<br>
<br>
Only allows deletion, not modification.<br>
<br>
Cc: Jiewen Yao &lt;jiewen.yao@intel.com&gt;<br>
Cc: Jian J Wang &lt;jian.j.wang@intel.com&gt;<br>
Cc: Chao Zhang &lt;chao.b.zhang@intel.com&gt;<br>
Cc: Bret Barkelew &lt;brbarkel@microsoft.com&gt;<br>
Signed-off-by: Bret Barkelew &lt;brbarkel@microsoft.com&gt;<br>
---<br>
&nbsp;SecurityPkg/Library/AuthVariableLib/AuthService.c&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp; | 22 &#43;&#43;&#43;&#43;&#43;&#43;&#43;&#43;&#43;&#43;&#4=
3;&#43;&#43;&#43;&#43;&#43;----<br>
&nbsp;SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf |&nbsp; 2 &#4=
3;&#43;<br>
&nbsp;2 files changed, 20 insertions(&#43;), 4 deletions(-)<br>
<br>
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPk=
g/Library/AuthVariableLib/AuthService.c<br>
index 2f60331f2c04..aca9a5620c28 100644<br>
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c<br>
&#43;&#43;&#43; b/SecurityPkg/Library/AuthVariableLib/AuthService.c<br>
@@ -19,12 &#43;19,16 @@<br>
&nbsp;&nbsp; to verify the signature.<br>
<br>
&nbsp;<br>
<br>
&nbsp;Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.&lt=
;BR&gt;<br>
<br>
&#43;Copyright (c) Microsoft Corporation.<br>
<br>
&nbsp;SPDX-License-Identifier: BSD-2-Clause-Patent<br>
<br>
&nbsp;<br>
<br>
&nbsp;**/<br>
<br>
&nbsp;<br>
<br>
&nbsp;#include &quot;AuthServiceInternal.h&quot;<br>
<br>
&nbsp;<br>
<br>
&#43;#include &lt;Protocol/VariablePolicy.h&gt;<br>
<br>
&#43;#include &lt;Library/VariablePolicyLib.h&gt;<br>
<br>
&#43;<br>
<br>
&nbsp;//<br>
<br>
&nbsp;// Public Exponent of RSA Key.<br>
<br>
&nbsp;//<br>
<br>
@@ -217,9 &#43;221,12 @@ NeedPhysicallyPresent(<br>
&nbsp;&nbsp; IN&nbsp;&nbsp;&nbsp;&nbsp; EFI_GUID&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp; *VendorGuid<br>
<br>
&nbsp;&nbsp; )<br>
<br>
&nbsp;{<br>
<br>
-&nbsp; if ((CompareGuid (VendorGuid, &amp;gEfiSecureBootEnableDisableGuid)=
 &amp;&amp; (StrCmp (VariableName, EFI_SECURE_BOOT_ENABLE_NAME) =3D=3D 0))<=
br>
<br>
-&nbsp;&nbsp;&nbsp; || (CompareGuid (VendorGuid, &amp;gEfiCustomModeEnableG=
uid) &amp;&amp; (StrCmp (VariableName, EFI_CUSTOM_MODE_NAME) =3D=3D 0))) {<=
br>
<br>
-&nbsp;&nbsp;&nbsp; return TRUE;<br>
<br>
&#43;&nbsp; // If the VariablePolicy engine is disabled, allow deletion of =
any authenticated variables.<br>
<br>
&#43;&nbsp; if (IsVariablePolicyEnabled()) {<br>
<br>
&#43;&nbsp;&nbsp;&nbsp; if ((CompareGuid (VendorGuid, &amp;gEfiSecureBootEn=
ableDisableGuid) &amp;&amp; (StrCmp (VariableName, EFI_SECURE_BOOT_ENABLE_N=
AME) =3D=3D 0))<br>
<br>
&#43;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; || (CompareGuid (VendorGuid, &amp;gEfiC=
ustomModeEnableGuid) &amp;&amp; (StrCmp (VariableName, EFI_CUSTOM_MODE_NAME=
) =3D=3D 0))) {<br>
<br>
&#43;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return TRUE;<br>
<br>
&#43;&nbsp;&nbsp;&nbsp; }<br>
<br>
&nbsp;&nbsp; }<br>
<br>
&nbsp;<br>
<br>
&nbsp;&nbsp; return FALSE;<br>
<br>
@@ -842,7 &#43;849,8 @@ ProcessVariable (<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp; &amp;OrgVariableInfo<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp; );<br>
<br>
&nbsp;<br>
<br>
-&nbsp; if ((!EFI_ERROR (Status)) &amp;&amp; IsDeleteAuthVariable (OrgVaria=
bleInfo.Attributes, Data, DataSize, Attributes) &amp;&amp; UserPhysicalPres=
ent()) {<br>
<br>
&#43;&nbsp; // If the VariablePolicy engine is disabled, allow deletion of =
any authenticated variables.<br>
<br>
&#43;&nbsp; if ((!EFI_ERROR (Status)) &amp;&amp; IsDeleteAuthVariable (OrgV=
ariableInfo.Attributes, Data, DataSize, Attributes) &amp;&amp; (UserPhysica=
lPresent() || !IsVariablePolicyEnabled())) {<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp; //<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp; // Allow the delete operation of common authentica=
ted variable(AT or AW) at user physical presence.<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp; //<br>
<br>
@@ -1960,6 &#43;1968,12 @@ VerifyTimeBasedPayload (<br>
&nbsp;<br>
<br>
&nbsp;&nbsp; CopyMem (Buffer, PayloadPtr, PayloadSize);<br>
<br>
&nbsp;<br>
<br>
&#43;&nbsp; // If the VariablePolicy engine is disabled, allow deletion of =
any authenticated variables.<br>
<br>
&#43;&nbsp; if (PayloadSize =3D=3D 0 &amp;&amp; (Attributes &amp; EFI_VARIA=
BLE_APPEND_WRITE) =3D=3D 0 &amp;&amp; !IsVariablePolicyEnabled()) {<br>
<br>
&#43;&nbsp;&nbsp;&nbsp; VerifyStatus =3D TRUE;<br>
<br>
&#43;&nbsp;&nbsp;&nbsp; goto Exit;<br>
<br>
&#43;&nbsp; }<br>
<br>
&#43;<br>
<br>
&nbsp;&nbsp; if (AuthVarType =3D=3D AuthVarTypePk) {<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp; //<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp; // Verify that the signature has been made with th=
e current Platform Key (no chaining for PK).<br>
<br>
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf b/Secu=
rityPkg/Library/AuthVariableLib/AuthVariableLib.inf<br>
index 8d4ce14df494..8eadeebcebd7 100644<br>
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf<br>
&#43;&#43;&#43; b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf<b=
r>
@@ -3,6 &#43;3,7 @@<br>
&nbsp;#<br>
<br>
&nbsp;#&nbsp; Copyright (c) 2015 - 2016, Intel Corporation. All rights rese=
rved.&lt;BR&gt;<br>
<br>
&nbsp;#&nbsp; Copyright (c) 2018, ARM Limited. All rights reserved.&lt;BR&g=
t;<br>
<br>
&#43;#&nbsp; Copyright (c) Microsoft Corporation.<br>
<br>
&nbsp;#<br>
<br>
&nbsp;#&nbsp; SPDX-License-Identifier: BSD-2-Clause-Patent<br>
<br>
&nbsp;#<br>
<br>
@@ -41,6 &#43;42,7 @@ [LibraryClasses]<br>
&nbsp;&nbsp; MemoryAllocationLib<br>
<br>
&nbsp;&nbsp; BaseCryptLib<br>
<br>
&nbsp;&nbsp; PlatformSecureLib<br>
<br>
&#43;&nbsp; VariablePolicyLib<br>
<br>
&nbsp;<br>
<br>
&nbsp;[Guids]<br>
<br>
&nbsp;&nbsp; ## CONSUMES&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp; ## Variable:L&quot;SetupMode&quot;<br>
<br>
-- <br>
2.26.2.windows.1.8.g01c50adf56.20200515075929<br>
<br>
<br>
-=3D-=3D-=3D-=3D-=3D-=3D<br>
Groups.io Links: You receive all messages sent to this group.<br>
<br>
View/Reply Online (#60637): <a href=3D"https://nam06.safelinks.protection.o=
utlook.com/?url=3Dhttps%3A%2F%2Fedk2.groups.io%2Fg%2Fdevel%2Fmessage%2F6063=
7&amp;amp;data=3D02%7C01%7CBret.Barkelew%40microsoft.com%7C2d4a699617424da6=
381f08d807a3d094%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C6372677474542=
10698&amp;amp;sdata=3D%2BAYYshrhsUe22N%2Bq29KTBwBSfPZ%2BKMI%2BHfXnlAC1UDA%3=
D&amp;amp;reserved=3D0">
https://nam06.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fedk2.gr=
oups.io%2Fg%2Fdevel%2Fmessage%2F60637&amp;amp;data=3D02%7C01%7CBret.Barkele=
w%40microsoft.com%7C2d4a699617424da6381f08d807a3d094%7C72f988bf86f141af91ab=
2d7cd011db47%7C1%7C0%7C637267747454210698&amp;amp;sdata=3D%2BAYYshrhsUe22N%=
2Bq29KTBwBSfPZ%2BKMI%2BHfXnlAC1UDA%3D&amp;amp;reserved=3D0</a><br>
Mute This Topic: <a href=3D"https://nam06.safelinks.protection.outlook.com/=
?url=3Dhttps%3A%2F%2Fgroups.io%2Fmt%2F74646426%2F1822150&amp;amp;data=3D02%=
7C01%7CBret.Barkelew%40microsoft.com%7C2d4a699617424da6381f08d807a3d094%7C7=
2f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637267747454210698&amp;amp;sdata=
=3DmKJ2mIwadixEeJXSPlitdokFxojYhLgituGitz5Y%2FKQ%3D&amp;amp;reserved=3D0">
https://nam06.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fgroups.=
io%2Fmt%2F74646426%2F1822150&amp;amp;data=3D02%7C01%7CBret.Barkelew%40micro=
soft.com%7C2d4a699617424da6381f08d807a3d094%7C72f988bf86f141af91ab2d7cd011d=
b47%7C1%7C0%7C637267747454210698&amp;amp;sdata=3DmKJ2mIwadixEeJXSPlitdokFxo=
jYhLgituGitz5Y%2FKQ%3D&amp;amp;reserved=3D0</a><br>
Group Owner: devel&#43;owner@edk2.groups.io<br>
Unsubscribe: <a href=3D"https://nam06.safelinks.protection.outlook.com/?url=
=3Dhttps%3A%2F%2Fedk2.groups.io%2Fg%2Fdevel%2Funsub&amp;amp;data=3D02%7C01%=
7CBret.Barkelew%40microsoft.com%7C2d4a699617424da6381f08d807a3d094%7C72f988=
bf86f141af91ab2d7cd011db47%7C1%7C0%7C637267747454210698&amp;amp;sdata=3DtAo=
%2FXEtUjmykPq%2BZgx5USuiQdkQyX7pMaTQ%2FMaUCfuE%3D&amp;amp;reserved=3D0">
https://nam06.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fedk2.gr=
oups.io%2Fg%2Fdevel%2Funsub&amp;amp;data=3D02%7C01%7CBret.Barkelew%40micros=
oft.com%7C2d4a699617424da6381f08d807a3d094%7C72f988bf86f141af91ab2d7cd011db=
47%7C1%7C0%7C637267747454210698&amp;amp;sdata=3DtAo%2FXEtUjmykPq%2BZgx5USui=
QdkQyX7pMaTQ%2FMaUCfuE%3D&amp;amp;reserved=3D0</a>&nbsp;
 [brbarkel@microsoft.com]<br>
-=3D-=3D-=3D-=3D-=3D-=3D<br>
<br>
</div>
</span></font></div>
</body>
</html>

--_000_CY4PR21MB0743BF3C971F9C59B0400C0AEF9A0CY4PR21MB0743namp_--