From: "Bret Barkelew" <bret.barkelew@microsoft.com>
To: "devel@edk2.groups.io", "bret@corthon.com"
CC: Jian J Wang, Hao A Wu, liming.gao
Subject: Re: [EXTERNAL] [edk2-devel] [PATCH v5 10/14] MdeModulePkg: Allow VariablePolicy state to delete protected variables
Date: Wed, 17 Jun 2020 07:34:28 +0000
References: <20200603065810.806-1-brbarkel@microsoft.com>, <20200603065810.806-11-brbarkel@microsoft.com>
In-Reply-To: <20200603065810.806-11-brbarkel@microsoft.com>

Bump. This specific patch needs Reviews.

- Bret


From: devel@edk2.groups.io <devel@edk2.groups.io> on behalf of Bret Barkelew via groups.io <bret=corthon.com@groups.io>
Sent: Tuesday, June 2, 2020 11:58 PM
To: devel@edk2.groups.io <devel@edk2.groups.io>
Cc: Jian J Wang <jian.j.wang@intel.com>; Hao A Wu <hao.a.wu@intel.com>; liming.gao <liming.gao@intel.com>
Subject: [EXTERNAL] [edk2-devel] [PATCH v5 10/14] MdeModulePkg: Allow VariablePolicy state to delete protected variables
 
https://bugzilla.tianocore.org/show_bug.cgi?id=2522

TcgMorLockSmm provides special protections for
the TCG MOR variables. This will check
IsVariablePolicyEnabled() before enforcing
them to allow variable deletion when the policy
engine is disabled.

Only allows deletion, not modification.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Bret Barkelew <brbarkel@microsoft.com>
Signed-off-by: Bret Barkelew <brbarkel@microsoft.com>
---
 MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c          | 10 ++++++++++
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf |  2 ++
 2 files changed, 12 insertions(+)

diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c
index 6d80eb64341a..085f82035f4b 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c
@@ -5,6 +5,7 @@
   This module adds Variable Hook and check MemoryOverwriteReques= tControlLock.

 

 Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<= ;BR>

+Copyright (c) Microsoft Corporation.

 SPDX-License-Identifier: BSD-2-Clause-Patent

 

 **/

@@ -17,6 +18,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #include <Library/BaseMemoryLib.h>

 #include "Variable.h"

 

+#include <Protocol/VariablePolicy.h>

+

+#include <Library/VariablePolicyLib.h>

+

 typedef struct {

   CHAR16         &n= bsp;            = ;           *VariableName= ;

   EFI_GUID         =             &nb= sp;         *VendorGuid;
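Review bot: `#include <Protocol/VariablePolicy.h>` looks unused in this file; the only new call in this patch, `IsVariablePolicyEnabled()`, is declared by `Library/VariablePolicyLib.h`. Drop the protocol header unless a later patch in the series needs it here, and keep the remaining include together with the existing ones rather than separated by blank lines.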

@@ -341,6 +346,11 @@ SetVariableCheckHandlerMor (
     return EFI_SUCCESS;

   }

 

+  // Permit deletion when policy is disabled.

+  if (!IsVariablePolicyEnabled() && ((Attributes =3D=3D 0= ) || (DataSize =3D=3D 0))) {

+    return EFI_SUCCESS;

+  }

+

   //

   // MorLock variable

   //
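Review bot: the early return added ahead of the MorLock handling skips every check that follows it (including the MorLock variable block at the end of this hunk) whenever the policy engine is disabled, so the comment `// Permit deletion when policy is disabled.` should state that this is intentional and relies on the policy engine being disabled only from a trusted context. Also, per the UEFI specification a SetVariable() call with DataSize == 0 but EFI_VARIABLE_APPEND_WRITE set in Attributes is not a delete, so `(DataSize == 0)` alone also admits an append-write call that the commit's "only allows deletion" intent would exclude; consider additionally requiring that EFI_VARIABLE_APPEND_WRITE is clear.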

diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
index 6e17f6cdf588..d8f480be27cc 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
@@ -20,6 +20,7 @@
 #

 # Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.&= lt;BR>

 # Copyright (c) 2018, Linaro, Ltd. All rights reserved.<BR>

+# Copyright (c) Microsoft Corporation.

 # SPDX-License-Identifier: BSD-2-Clause-Patent

 #

 ##

@@ -74,6 +75,7 @@ [LibraryClasses]
   StandaloneMmDriverEntryPoint

   SynchronizationLib

   VarCheckLib

+  VariablePolicyLib

 

 [Protocols]

   gEfiSmmFirmwareVolumeBlockProtocolGuid    =     ## CONSUMES
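Review bot: only VariableStandaloneMm.inf gains `VariablePolicyLib` here, yet the TcgMorLockSmm.c change applies to every module that compiles that source; the diffstat shows no other .inf touched, so confirm that the remaining consumers of TcgMorLockSmm.c already list this library class (and that platform DSCs resolve it), otherwise their builds fail to link `IsVariablePolicyEnabled()`.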

--
2.26.2.windows.1.8.g01c50adf56.20200515075929

