From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from NAM11-DM6-obe.outbound.protection.outlook.com (NAM11-DM6-obe.outbound.protection.outlook.com [40.107.223.111]) by mx.groups.io with SMTP id smtpd.web11.2539.1592379301873209156 for ; Wed, 17 Jun 2020 00:35:02 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@microsoft.com header.s=selector2 header.b=hH29Wb15; spf=pass (domain: microsoft.com, ip: 40.107.223.111, mailfrom: bret.barkelew@microsoft.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=iOYlamdGas7u+ZEjWZrmwj/anchs5yweBrhNheW51C7Kwt0ZjGl0FwFfkD1klHCkqPbdOypU4WR4tSZ88CAYQBAlhPjMcFPdB2lGXLZYVeeV/2rQ3fWkiYXmsuIrp1cB0BcdF95cGOUvHekeZhf+UWA9lDtp2KTyZenUZk3q8OQlMC7dozUY8xeZ4MvKJqF1vO9qiwYwN+PsDvHDFIMeUawrE+oh5eZrL1PHUsiD8NvWnGB6O4cfHCnOeJV+Ecx+cf+7hg1K9RB839HRsIomMxMS1JsQRAdP3A7daFBKTBz8GKL1zq9spmnJEaWQctodeEdf9ob1roMcy6eONM93OQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Pl4e1xUjtqVB2L15g/8xzyve3ZcCNoerXN6kmY/yBUI=; b=JSyP9SO6QOHqOBmBaXdj5urv0OCCvmVdmXfNUYVbvKxx/mh2IfP5pFzUL1inDDtMJdRpiGfba+myj3wV1B5F8VhKHnwvNs0zhVxdsD/S/bnMTPr8qc+WaAMv46F+W+OK4rASUC1qb57Ef0U4+Dsybro8mp1ZkGloE3mpFCLeTVY9Ji8pp3rIW8mucoTPUI4rp24lRRpzaJfRFp0B3ojIHC/Bf/lkpeI409cSyrm10W+3La2kHN+ZYs456CuZt25zfuE18eym9wc1dzhcpgaR2cWdDChnKOm9KwBsP5ZqB2PVDt7ndbe7y4fcIh8JFiwGip5Gtct1IakQsJmVP5vWZQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Pl4e1xUjtqVB2L15g/8xzyve3ZcCNoerXN6kmY/yBUI=; b=hH29Wb15VyFnJs2t3rPcIolp6MzCzMusu91xb9JUQ2rLqA2kM7E8NuFh8pDyHLSi7gVo9p8H9hJoqppM5Psk6iMmmexKYpDcQl1dUDLMwMb2vSkxMK7M4XsrLRAYNUJUVcN2IfSuYpBFLHpsPe78B/2vIv6BgZ9r71Lc5BO+3Gs= Received: from CY4PR21MB0743.namprd21.prod.outlook.com (2603:10b6:903:b2::9) by CY4PR2101MB0865.namprd21.prod.outlook.com (2603:10b6:910:8a::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3131.9; Wed, 17 Jun 2020 07:35:00 +0000 Received: from CY4PR21MB0743.namprd21.prod.outlook.com ([fe80::4ef:d9e:62c:f319]) by CY4PR21MB0743.namprd21.prod.outlook.com ([fe80::f112:82fb:d4fd:f7dd%10]) with mapi id 15.20.3131.009; Wed, 17 Jun 2020 07:35:00 +0000 From: "Bret Barkelew" To: "devel@edk2.groups.io" , "bret@corthon.com" CC: Jian J Wang , Hao A Wu , liming.gao Subject: Re: [EXTERNAL] [edk2-devel] [PATCH v5 12/14] MdeModulePkg: Change TCG MOR variables to use VariablePolicy Thread-Topic: [EXTERNAL] [edk2-devel] [PATCH v5 12/14] MdeModulePkg: Change TCG MOR variables to use VariablePolicy Thread-Index: AQHWOYy/HO9rjo+2WUaMFDXstZprLqjcgID7 Date: Wed, 17 Jun 2020 07:35:00 +0000 Message-ID: References: <20200603065810.806-1-brbarkel@microsoft.com>,<20200603065810.806-13-brbarkel@microsoft.com> In-Reply-To: <20200603065810.806-13-brbarkel@microsoft.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-06-17T07:34:57.975Z;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; authentication-results: edk2.groups.io; dkim=none (message not signed) header.d=none;edk2.groups.io; dmarc=none action=none header.from=microsoft.com; x-originating-ip: [71.212.143.8] x-ms-publictraffictype: Email x-ms-office365-filtering-ht: Tenant x-ms-office365-filtering-correlation-id: 3210a79c-9079-4669-291c-08d81290f13d x-ms-traffictypediagnostic: CY4PR2101MB0865: x-ld-processed: 72f988bf-86f1-41af-91ab-2d7cd011db47,ExtAddr x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:2043; x-forefront-prvs: 04371797A5 x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: ShT0wAv5O0Sm1DqoPtsCWvJ6j1Ces6NNR6IL5NlE9IqAoS5E9sjgXrDw+Bb9BtYCWDi/F9VYFGW2KtcT7EDD29UysM6U2dt1gAspOUh2m20TPKfPz23uoE2xtTfH8dfoZoj4aPeJs8qP6RvCR93DvA5rys5wXNr2PJCtqTJY5YujnyQJewHAAwRtsatsyEQHp8POPDQ30XGsb0VxvbN1/eLdobLoiFTWZYPeRyxHvGqb5rTaoqAdQZ4kpQXLIOYw3+BxJHBxpJHeANV7klSkl5AwpGS649s4Uk41Kp7AXMWeLBI9S82DinnrudkJFTJWA8tgNX98ptlAZh+a+E8GL/IInl74NbltDUwYMFgsX/2Tz0bXzDzDbod2YPiTQigFBY8kWBj8QxpY82dzXcogKw== x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:CY4PR21MB0743.namprd21.prod.outlook.com;PTR:;CAT:NONE;SFTY:;SFS:(4636009)(396003)(366004)(376002)(39860400002)(346002)(136003)(91956017)(76116006)(66446008)(66946007)(64756008)(66476007)(66556008)(82950400001)(82960400001)(5660300002)(166002)(7696005)(52536014)(110136005)(54906003)(33656002)(71200400001)(83380400001)(966005)(478600001)(2906002)(53546011)(8676002)(8990500004)(26005)(10290500003)(55016002)(186003)(4326008)(6506007)(8936002)(9686003)(316002)(19627405001)(86362001);DIR:OUT;SFP:1102; x-ms-exchange-antispam-messagedata: YxDWpt9mGSzEfp0kymJdAe9DdOl8/vSwBMwWeZfsKmSAXVi+oSTfZWaMKz6u40/UyxmbUxCsPi5F9+AdO/qyDe9m7epqQ6W4LJrLzKeX24vsBEC/uIekvufEIOOj1oO/va1BNNP9KJQa4OwdTnyHHqW+xK7A7QWSn3KbgsobZutHzEtfybY887uGXfUpEk7myfvsZeR2KeRh0/wKdQ8sV2fCs65icr0sTttEoCHLYw329VomOd7a7TR0FpasFv6YERmXgGB5RIlYA5ox2lMN3Og8ZE8fJvbooRAHRXpOY4Q8Rzp1OwVhZKkQnMa8znVFZRc/u6Irpv9FlUbOnEi8eFA+1ZYqQjKrQP/f5T+AzcWHSSjPEEnMyUw2wQxAz2568EpQ79J++5zUNw6fz2Yij52V7kk+ehIvPQnzkjK4mRYMX5ExzCFvKeA1trLOtUZX1pdoeUojmmC7h34hS9Y0D5qUIyC8WmUb+OajuWjdclY= x-ms-exchange-transport-forked: True MIME-Version: 1.0 X-OriginatorOrg: microsoft.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: CY4PR21MB0743.namprd21.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 3210a79c-9079-4669-291c-08d81290f13d X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Jun 2020 07:35:00.4133 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: kLuQLvTW6zAnDFnHjircgw1V4OD40G8RfRnvQuIqIM8kIZHkXArlJHL4lRv8NGbEwHHF6TQLz6YOtFrsEWYlgA== X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR2101MB0865 Content-Language: en-US Content-Type: multipart/alternative; boundary="_000_CY4PR21MB0743EAC5714F75FD4701AB8DEF9A0CY4PR21MB0743namp_" --_000_CY4PR21MB0743EAC5714F75FD4701AB8DEF9A0CY4PR21MB0743namp_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Bump. This specific patch needs Reviews. - Bret ________________________________ From: devel@edk2.groups.io on behalf of Bret Barkele= w via groups.io Sent: Tuesday, June 2, 2020 11:58 PM To: devel@edk2.groups.io Cc: Jian J Wang ; Hao A Wu ; lim= ing.gao Subject: [EXTERNAL] [edk2-devel] [PATCH v5 12/14] MdeModulePkg: Change TCG = MOR variables to use VariablePolicy https://nam06.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fbugzill= a.tianocore.org%2Fshow_bug.cgi%3Fid%3D2522&data=3D02%7C01%7Cbret.barkel= ew%40microsoft.com%7Cc4837d136ec548d67adc08d807a3e192%7C72f988bf86f141af91a= b2d7cd011db47%7C1%7C0%7C637267747730722710&sdata=3DNAVaoXnmIgu2F0YobNn7= oC5XNGudCoalxrB3nPZDl98%3D&reserved=3D0 These were previously using VarLock, which is being deprecated. Cc: Jian J Wang Cc: Hao A Wu Cc: Liming Gao Cc: Bret Barkelew Signed-off-by: Bret Barkelew --- MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c | 52 += +++++++++++++------ MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c | 52 += ++++++++++++++----- MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf | 2 + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf | 1 + 4 files changed, 82 insertions(+), 25 deletions(-) diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c b/M= deModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c index e7accf4ed806..b85f08c48c11 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c @@ -5,6 +5,7 @@ MOR lock control unsupported. Copyright (c) 2016, Intel Corporation. All rights reserved.
+Copyright (c) Microsoft Corporation. SPDX-License-Identifier: BSD-2-Clause-Patent **/ @@ -17,7 +18,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include #include "Variable.h" -extern EDKII_VARIABLE_LOCK_PROTOCOL mVariableLock; +#include +#include /** This service is an MOR/MorLock checker handler for the SetVariable(). @@ -77,11 +79,6 @@ MorLockInit ( NULL // Data ); - // - // Need set this variable to be read-only to prevent other module set it= . - // - VariableLockRequestToLock (&mVariableLock, MEMORY_OVERWRITE_REQUEST_CONT= ROL_LOCK_NAME, &gEfiMemoryOverwriteRequestControlLockGuid); - // // The MOR variable can effectively improve platform security only when = the // MorLock variable protects the MOR variable. In turn MorLock cannot be= made @@ -99,11 +96,6 @@ MorLockInit ( 0, // DataSize NULL // Data ); - VariableLockRequestToLock ( - &mVariableLock, - MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, - &gEfiMemoryOverwriteControlDataGuid - ); return EFI_SUCCESS; } @@ -118,7 +110,39 @@ MorLockInitAtEndOfDxe ( VOID ) { - // - // Do nothing. - // + EFI_STATUS Status; + EDKII_VARIABLE_POLICY_PROTOCOL *VariablePolicy; + + // First, we obviously need to locate the VariablePolicy protocol. + Status =3D gBS->LocateProtocol( &gEdkiiVariablePolicyProtocolGuid, NULL,= (VOID**)&VariablePolicy ); + if (EFI_ERROR( Status )) { + DEBUG(( DEBUG_ERROR, "%a - Could not locate VariablePolicy protocol! %= r\n", __FUNCTION__, Status )); + return; + } + + // If we're successful, go ahead and set the policies to protect the tar= get variables. + Status =3D RegisterBasicVariablePolicy( VariablePolicy, + &gEfiMemoryOverwriteRequestControl= LockGuid, + MEMORY_OVERWRITE_REQUEST_CONTROL_L= OCK_NAME, + VARIABLE_POLICY_NO_MIN_SIZE, + VARIABLE_POLICY_NO_MAX_SIZE, + VARIABLE_POLICY_NO_MUST_ATTR, + VARIABLE_POLICY_NO_CANT_ATTR, + VARIABLE_POLICY_TYPE_LOCK_NOW ); + if (EFI_ERROR( Status )) { + DEBUG(( DEBUG_ERROR, "%a - Could not lock variable %s! %r\n", __FUNCTI= ON__, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, Status )); + } + Status =3D RegisterBasicVariablePolicy( VariablePolicy, + &gEfiMemoryOverwriteControlDataGui= d, + MEMORY_OVERWRITE_REQUEST_VARIABLE_= NAME, + VARIABLE_POLICY_NO_MIN_SIZE, + VARIABLE_POLICY_NO_MAX_SIZE, + VARIABLE_POLICY_NO_MUST_ATTR, + VARIABLE_POLICY_NO_CANT_ATTR, + VARIABLE_POLICY_TYPE_LOCK_NOW ); + if (EFI_ERROR( Status )) { + DEBUG(( DEBUG_ERROR, "%a - Could not lock variable %s! %r\n", __FUNCTI= ON__, MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, Status )); + } + + return; } diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c b/M= deModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c index 085f82035f4b..ee37942a6b0c 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c @@ -19,7 +19,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include "Variable.h" #include - +#include #include typedef struct { @@ -422,6 +422,8 @@ MorLockInitAtEndOfDxe ( { UINTN MorSize; EFI_STATUS MorStatus; + EFI_STATUS Status; + VARIABLE_POLICY_ENTRY *NewPolicy; if (!mMorLockInitializationRequired) { // @@ -494,11 +496,25 @@ MorLockInitAtEndOfDxe ( // The MOR variable is absent; the platform firmware does not support it= . // Lock the variable so that no other module may create it. // - VariableLockRequestToLock ( - NULL, // This - MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, - &gEfiMemoryOverwriteControlDataGuid - ); + NewPolicy =3D NULL; + Status =3D CreateBasicVariablePolicy( &gEfiMemoryOverwriteControlDataGui= d, + MEMORY_OVERWRITE_REQUEST_VARIABLE_NA= ME, + VARIABLE_POLICY_NO_MIN_SIZE, + VARIABLE_POLICY_NO_MAX_SIZE, + VARIABLE_POLICY_NO_MUST_ATTR, + VARIABLE_POLICY_NO_CANT_ATTR, + VARIABLE_POLICY_TYPE_LOCK_NOW, + &NewPolicy ); + if (!EFI_ERROR( Status )) { + Status =3D RegisterVariablePolicy( NewPolicy ); + } + if (EFI_ERROR( Status )) { + DEBUG(( DEBUG_ERROR, "%a - Failed to lock variable %s! %r\n", __FUNCTI= ON__, MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, Status )); + ASSERT_EFI_ERROR( Status ); + } + if (NewPolicy !=3D NULL) { + FreePool( NewPolicy ); + } // // Delete the MOR Control Lock variable too (should it exists for some @@ -514,9 +530,23 @@ MorLockInitAtEndOfDxe ( ); mMorLockPassThru =3D FALSE; - VariableLockRequestToLock ( - NULL, // This - MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, - &gEfiMemoryOverwriteRequestControlLockGuid - ); + NewPolicy =3D NULL; + Status =3D CreateBasicVariablePolicy( &gEfiMemoryOverwriteRequestControl= LockGuid, + MEMORY_OVERWRITE_REQUEST_CONTROL_LOC= K_NAME, + VARIABLE_POLICY_NO_MIN_SIZE, + VARIABLE_POLICY_NO_MAX_SIZE, + VARIABLE_POLICY_NO_MUST_ATTR, + VARIABLE_POLICY_NO_CANT_ATTR, + VARIABLE_POLICY_TYPE_LOCK_NOW, + &NewPolicy ); + if (!EFI_ERROR( Status )) { + Status =3D RegisterVariablePolicy( NewPolicy ); + } + if (EFI_ERROR( Status )) { + DEBUG(( DEBUG_ERROR, "%a - Failed to lock variable %s! %r\n", __FUNCTI= ON__, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, Status )); + ASSERT_EFI_ERROR( Status ); + } + if (NewPolicy !=3D NULL) { + FreePool( NewPolicy ); + } } diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.= inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf index 48ac167906f7..8debc560e6dc 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf @@ -71,6 +71,7 @@ [LibraryClasses] AuthVariableLib VarCheckLib VariablePolicyLib + VariablePolicyHelperLib [Protocols] gEfiFirmwareVolumeBlockProtocolGuid ## CONSUMES @@ -80,6 +81,7 @@ [Protocols] gEfiVariableWriteArchProtocolGuid ## PRODUCES gEfiVariableArchProtocolGuid ## PRODUCES gEdkiiVariableLockProtocolGuid ## PRODUCES + gEdkiiVariablePolicyProtocolGuid ## CONSUMES gEdkiiVarCheckProtocolGuid ## PRODUCES [Guids] diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneM= m.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf index d8f480be27cc..62f2f9252f43 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf @@ -76,6 +76,7 @@ [LibraryClasses] SynchronizationLib VarCheckLib VariablePolicyLib + VariablePolicyHelperLib [Protocols] gEfiSmmFirmwareVolumeBlockProtocolGuid ## CONSUMES -- 2.26.2.windows.1.8.g01c50adf56.20200515075929 -=3D-=3D-=3D-=3D-=3D-=3D Groups.io Links: You receive all messages sent to this group. View/Reply Online (#60649): https://nam06.safelinks.protection.outlook.com/= ?url=3Dhttps%3A%2F%2Fedk2.groups.io%2Fg%2Fdevel%2Fmessage%2F60649&data= =3D02%7C01%7Cbret.barkelew%40microsoft.com%7Cc4837d136ec548d67adc08d807a3e1= 92%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637267747730722710&sdat= a=3D7J764sVxeEu973uDLn7KBpquLZp7j9A0QzxlCyeaOFM%3D&reserved=3D0 Mute This Topic: https://nam06.safelinks.protection.outlook.com/?url=3Dhttp= s%3A%2F%2Fgroups.io%2Fmt%2F74646438%2F1852292&data=3D02%7C01%7Cbret.bar= kelew%40microsoft.com%7Cc4837d136ec548d67adc08d807a3e192%7C72f988bf86f141af= 91ab2d7cd011db47%7C1%7C0%7C637267747730722710&sdata=3DI51sthKt1j%2FdJEx= zKr2jwopeDgdDimIBPmOBU55KxoM%3D&reserved=3D0 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://nam06.safelinks.protection.outlook.com/?url=3Dhttps%3A= %2F%2Fedk2.groups.io%2Fg%2Fdevel%2Funsub&data=3D02%7C01%7Cbret.barkelew= %40microsoft.com%7Cc4837d136ec548d67adc08d807a3e192%7C72f988bf86f141af91ab2= d7cd011db47%7C1%7C0%7C637267747730732700&sdata=3DXQ8938isA26a%2BDE1oLin= Ykb49yAq2BDCPnBhyiECgLg%3D&reserved=3D0 [bret.barkelew@microsoft.com] -=3D-=3D-=3D-=3D-=3D-=3D --_000_CY4PR21MB0743EAC5714F75FD4701AB8DEF9A0CY4PR21MB0743namp_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable
Bump. This specif= ic patch needs Reviews.

- Bret

From: devel@edk2.groups.io = <devel@edk2.groups.io> on behalf of Bret Barkelew via groups.io <b= ret=3Dcorthon.com@groups.io>
Sent: Tuesday, June 2, 2020 11:58 PM
To: devel@edk2.groups.io <devel@edk2.groups.io>
Cc: Jian J Wang <jian.j.wang@intel.com>; Hao A Wu <hao.a.wu= @intel.com>; liming.gao <liming.gao@intel.com>
Subject: [EXTERNAL] [edk2-devel] [PATCH v5 12/14] MdeModulePkg: Chan= ge TCG MOR variables to use VariablePolicy
 
https://nam06.safelinks.protection.outlook.com/?url=3Dhtt= ps%3A%2F%2Fbugzilla.tianocore.org%2Fshow_bug.cgi%3Fid%3D2522&amp;data= =3D02%7C01%7Cbret.barkelew%40microsoft.com%7Cc4837d136ec548d67adc08d807a3e1= 92%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637267747730722710&amp;= sdata=3DNAVaoXnmIgu2F0YobNn7oC5XNGudCoalxrB3nPZDl98%3D&amp;reserved=3D0=

These were previously using VarLock, which is
being deprecated.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Bret Barkelew <brbarkel@microsoft.com>
Signed-off-by: Bret Barkelew <brbarkel@microsoft.com>
---
 MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c  = ;        | 52 +++++&= #43;++++++++------
 MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c  = ;        | 52 +++++&= #43;+++++++++-----
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf&nbs= p;  |  2 +
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf |=   1 +
 4 files changed, 82 insertions(+), 25 deletions(-)

diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c b/M= deModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c
index e7accf4ed806..b85f08c48c11 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.= c
@@ -5,6 +5,7 @@
   MOR lock control unsupported.

 

 Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>=

+Copyright (c) Microsoft Corporation.

 SPDX-License-Identifier: BSD-2-Clause-Patent

 

 **/

@@ -17,7 +18,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #include <Library/BaseMemoryLib.h>

 #include "Variable.h"

 

-extern EDKII_VARIABLE_LOCK_PROTOCOL     mVariableLock;=

+#include <Protocol/VariablePolicy.h>

+#include <Library/VariablePolicyHelperLib.h>

 

 /**

   This service is an MOR/MorLock checker handler for the SetVari= able().

@@ -77,11 +79,6 @@ MorLockInit (
     NULL       &nbs= p;            &= nbsp;           &nbs= p;       // Data

     );

 

-  //

-  // Need set this variable to be read-only to prevent other module s= et it.

-  //

-  VariableLockRequestToLock (&mVariableLock, MEMORY_OVERWRITE_REQ= UEST_CONTROL_LOCK_NAME, &gEfiMemoryOverwriteRequestControlLockGuid);
-

   //

   // The MOR variable can effectively improve platform security = only when the

   // MorLock variable protects the MOR variable. In turn MorLock= cannot be made

@@ -99,11 +96,6 @@ MorLockInit (
     0,        =             &nb= sp;            =      // DataSize

     NULL       &nbs= p;            &= nbsp;           &nbs= p;   // Data

     );

-  VariableLockRequestToLock (

-    &mVariableLock,

-    MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,

-    &gEfiMemoryOverwriteControlDataGuid

-    );

 

   return EFI_SUCCESS;

 }

@@ -118,7 +110,39 @@ MorLockInitAtEndOfDxe (
   VOID

   )

 {

-  //

-  // Do nothing.

-  //

+  EFI_STATUS         = ;            &n= bsp;  Status;

+  EDKII_VARIABLE_POLICY_PROTOCOL    *VariablePolic= y;

+

+  // First, we obviously need to locate the VariablePolicy protoc= ol.

+  Status =3D gBS->LocateProtocol( &gEdkiiVariablePolicyPro= tocolGuid, NULL, (VOID**)&VariablePolicy );

+  if (EFI_ERROR( Status )) {

+    DEBUG(( DEBUG_ERROR, "%a - Could not locate Va= riablePolicy protocol! %r\n", __FUNCTION__, Status ));

+    return;

+  }

+

+  // If we're successful, go ahead and set the policies to protec= t the target variables.

+  Status =3D RegisterBasicVariablePolicy( VariablePolicy,

+           &nbs= p;            &= nbsp;           &nbs= p;   &gEfiMemoryOverwriteRequestControlLockGuid,

+           &nbs= p;            &= nbsp;           &nbs= p;   MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME,

+           &nbs= p;            &= nbsp;           &nbs= p;   VARIABLE_POLICY_NO_MIN_SIZE,

+           &nbs= p;            &= nbsp;           &nbs= p;   VARIABLE_POLICY_NO_MAX_SIZE,

+           &nbs= p;            &= nbsp;           &nbs= p;   VARIABLE_POLICY_NO_MUST_ATTR,

+           &nbs= p;            &= nbsp;           &nbs= p;   VARIABLE_POLICY_NO_CANT_ATTR,

+           &nbs= p;            &= nbsp;           &nbs= p;   VARIABLE_POLICY_TYPE_LOCK_NOW );

+  if (EFI_ERROR( Status )) {

+    DEBUG(( DEBUG_ERROR, "%a - Could not lock vari= able %s! %r\n", __FUNCTION__, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NA= ME, Status ));

+  }

+  Status =3D RegisterBasicVariablePolicy( VariablePolicy,

+           &nbs= p;            &= nbsp;           &nbs= p;   &gEfiMemoryOverwriteControlDataGuid,

+           &nbs= p;            &= nbsp;           &nbs= p;   MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,

+           &nbs= p;            &= nbsp;           &nbs= p;   VARIABLE_POLICY_NO_MIN_SIZE,

+           &nbs= p;            &= nbsp;           &nbs= p;   VARIABLE_POLICY_NO_MAX_SIZE,

+           &nbs= p;            &= nbsp;           &nbs= p;   VARIABLE_POLICY_NO_MUST_ATTR,

+           &nbs= p;            &= nbsp;           &nbs= p;   VARIABLE_POLICY_NO_CANT_ATTR,

+           &nbs= p;            &= nbsp;           &nbs= p;   VARIABLE_POLICY_TYPE_LOCK_NOW );

+  if (EFI_ERROR( Status )) {

+    DEBUG(( DEBUG_ERROR, "%a - Could not lock vari= able %s! %r\n", __FUNCTION__, MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, = Status ));

+  }

+

+  return;

 }

diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c b/M= deModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c
index 085f82035f4b..ee37942a6b0c 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.= c
@@ -19,7 +19,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #include "Variable.h"

 

 #include <Protocol/VariablePolicy.h>

-

+#include <Library/VariablePolicyHelperLib.h>

 #include <Library/VariablePolicyLib.h>

 

 typedef struct {

@@ -422,6 +422,8 @@ MorLockInitAtEndOfDxe (
 {

   UINTN      MorSize;

   EFI_STATUS MorStatus;

+  EFI_STATUS         = ;     Status;

+  VARIABLE_POLICY_ENTRY   *NewPolicy;

 

   if (!mMorLockInitializationRequired) {

     //

@@ -494,11 +496,25 @@ MorLockInitAtEndOfDxe (
   // The MOR variable is absent; the platform firmware does not = support it.

   // Lock the variable so that no other module may create it.
   //

-  VariableLockRequestToLock (

-    NULL,        &n= bsp;            = ;            &n= bsp; // This

-    MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,

-    &gEfiMemoryOverwriteControlDataGuid

-    );

+  NewPolicy =3D NULL;

+  Status =3D CreateBasicVariablePolicy( &gEfiMemoryOverwriteC= ontrolDataGuid,

+           &nbs= p;            &= nbsp;           &nbs= p; MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,

+           &nbs= p;            &= nbsp;           &nbs= p; VARIABLE_POLICY_NO_MIN_SIZE,

+           &nbs= p;            &= nbsp;           &nbs= p; VARIABLE_POLICY_NO_MAX_SIZE,

+           &nbs= p;            &= nbsp;           &nbs= p; VARIABLE_POLICY_NO_MUST_ATTR,

+           &nbs= p;            &= nbsp;           &nbs= p; VARIABLE_POLICY_NO_CANT_ATTR,

+           &nbs= p;            &= nbsp;           &nbs= p; VARIABLE_POLICY_TYPE_LOCK_NOW,

+           &nbs= p;            &= nbsp;           &nbs= p; &NewPolicy );

+  if (!EFI_ERROR( Status )) {

+    Status =3D RegisterVariablePolicy( NewPolicy );

+  }

+  if (EFI_ERROR( Status )) {

+    DEBUG(( DEBUG_ERROR, "%a - Failed to lock vari= able %s! %r\n", __FUNCTION__, MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, = Status ));

+    ASSERT_EFI_ERROR( Status );

+  }

+  if (NewPolicy !=3D NULL) {

+    FreePool( NewPolicy );

+  }

 

   //

   // Delete the MOR Control Lock variable too (should it exists = for some

@@ -514,9 +530,23 @@ MorLockInitAtEndOfDxe (
     );

   mMorLockPassThru =3D FALSE;

 

-  VariableLockRequestToLock (

-    NULL,        &n= bsp;            = ;            &n= bsp;     // This

-    MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME,

-    &gEfiMemoryOverwriteRequestControlLockGuid

-    );

+  NewPolicy =3D NULL;

+  Status =3D CreateBasicVariablePolicy( &gEfiMemoryOverwriteR= equestControlLockGuid,

+           &nbs= p;            &= nbsp;           &nbs= p; MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME,

+           &nbs= p;            &= nbsp;           &nbs= p; VARIABLE_POLICY_NO_MIN_SIZE,

+           &nbs= p;            &= nbsp;           &nbs= p; VARIABLE_POLICY_NO_MAX_SIZE,

+           &nbs= p;            &= nbsp;           &nbs= p; VARIABLE_POLICY_NO_MUST_ATTR,

+           &nbs= p;            &= nbsp;           &nbs= p; VARIABLE_POLICY_NO_CANT_ATTR,

+           &nbs= p;            &= nbsp;           &nbs= p; VARIABLE_POLICY_TYPE_LOCK_NOW,

+           &nbs= p;            &= nbsp;           &nbs= p; &NewPolicy );

+  if (!EFI_ERROR( Status )) {

+    Status =3D RegisterVariablePolicy( NewPolicy );

+  }

+  if (EFI_ERROR( Status )) {

+    DEBUG(( DEBUG_ERROR, "%a - Failed to lock vari= able %s! %r\n", __FUNCTION__, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NA= ME, Status ));

+    ASSERT_EFI_ERROR( Status );

+  }

+  if (NewPolicy !=3D NULL) {

+    FreePool( NewPolicy );

+  }

 }

diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.= inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
index 48ac167906f7..8debc560e6dc 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntim= eDxe.inf
@@ -71,6 +71,7 @@ [LibraryClasses]
   AuthVariableLib

   VarCheckLib

   VariablePolicyLib

+  VariablePolicyHelperLib

 

 [Protocols]

   gEfiFirmwareVolumeBlockProtocolGuid    &nb= sp;      ## CONSUMES

@@ -80,6 +81,7 @@ [Protocols]
   gEfiVariableWriteArchProtocolGuid     = ;        ## PRODUCES

   gEfiVariableArchProtocolGuid     &nbs= p;            ## PRO= DUCES

   gEdkiiVariableLockProtocolGuid     &n= bsp;          ## PRODUCES

+  gEdkiiVariablePolicyProtocolGuid     &= nbsp;        ## CONSUMES

   gEdkiiVarCheckProtocolGuid      =             &nb= sp; ## PRODUCES

 

 [Guids]

diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneM= m.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf=
index d8f480be27cc..62f2f9252f43 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStanda= loneMm.inf
@@ -76,6 +76,7 @@ [LibraryClasses]
   SynchronizationLib

   VarCheckLib

   VariablePolicyLib

+  VariablePolicyHelperLib

 

 [Protocols]

   gEfiSmmFirmwareVolumeBlockProtocolGuid    =     ## CONSUMES

--
2.26.2.windows.1.8.g01c50adf56.20200515075929


-=3D-=3D-=3D-=3D-=3D-=3D
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#60649): https://nam06.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fedk2.gr= oups.io%2Fg%2Fdevel%2Fmessage%2F60649&amp;data=3D02%7C01%7Cbret.barkele= w%40microsoft.com%7Cc4837d136ec548d67adc08d807a3e192%7C72f988bf86f141af91ab= 2d7cd011db47%7C1%7C0%7C637267747730722710&amp;sdata=3D7J764sVxeEu973uDL= n7KBpquLZp7j9A0QzxlCyeaOFM%3D&amp;reserved=3D0
Mute This Topic: https://nam06.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fgroups.= io%2Fmt%2F74646438%2F1852292&amp;data=3D02%7C01%7Cbret.barkelew%40micro= soft.com%7Cc4837d136ec548d67adc08d807a3e192%7C72f988bf86f141af91ab2d7cd011d= b47%7C1%7C0%7C637267747730722710&amp;sdata=3DI51sthKt1j%2FdJExzKr2jwope= DgdDimIBPmOBU55KxoM%3D&amp;reserved=3D0
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://nam06.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fedk2.gr= oups.io%2Fg%2Fdevel%2Funsub&amp;data=3D02%7C01%7Cbret.barkelew%40micros= oft.com%7Cc4837d136ec548d67adc08d807a3e192%7C72f988bf86f141af91ab2d7cd011db= 47%7C1%7C0%7C637267747730732700&amp;sdata=3DXQ8938isA26a%2BDE1oLinYkb49= yAq2BDCPnBhyiECgLg%3D&amp;reserved=3D0  [bret.barkelew@microsoft.com]
-=3D-=3D-=3D-=3D-=3D-=3D

--_000_CY4PR21MB0743EAC5714F75FD4701AB8DEF9A0CY4PR21MB0743namp_--