public inbox for devel@edk2.groups.io
* [edk2-devel] [PATCH edk2-platforms 0/1] UserAuthFeaturePkg/UserAuthenticationSmm: Support Standalone MM.
@ 2023-11-10  5:37 Xu, Wei6
  2023-11-10  5:37 ` [edk2-devel] [PATCH edk2-platforms 1/1] " Xu, Wei6
  0 siblings, 1 reply; 3+ messages in thread
From: Xu, Wei6 @ 2023-11-10  5:37 UTC (permalink / raw)
  To: devel; +Cc: Wei6 Xu, Dandan Bi, Nate DeSimone, Liming Gao

This patch is to refactor UserAuthenticationSmm to support MM_STANDALONE.
There is no impact to the existing platforms that are using UserAuthenticationSmm.
PR: https://github.com/tianocore/edk2-platforms/pull/110

Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Nate DeSimone <nathaniel.l.desimone@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>

Wei6 Xu (1):
  UserAuthFeaturePkg/UserAuthenticationSmm: Support Standalone MM.

 .../Include/UserAuthFeature.dsc               |  2 +
 .../UserAuthenticationSmm.c                   | 38 ++++-----
 .../UserAuthenticationSmm.h                   | 26 +++---
 .../UserAuthenticationSmm.inf                 | 11 ++-
 .../UserAuthenticationStandaloneMm.c          | 43 ++++++++++
 .../UserAuthenticationStandaloneMm.inf        | 58 +++++++++++++
 .../UserAuthenticationTraditionalMm.c         | 28 +++++++
 .../UserAuthenticationVariable.h              | 36 ++++++++
 .../UserAuthenticationVariableLock.c          | 84 +++++++++++++++++++
 .../UserAuthenticationVariableLockDxe.c       | 31 +++++++
 .../UserAuthenticationVariableLockDxe.inf     | 42 ++++++++++
 11 files changed, 359 insertions(+), 40 deletions(-)
 create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMm.c
 create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMm.inf
 create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationTraditionalMm.c
 create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariable.h
 create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLock.c
 create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLockDxe.c
 create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLockDxe.inf

-- 
2.29.2.windows.2



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#111014): https://edk2.groups.io/g/devel/message/111014
Mute This Topic: https://groups.io/mt/102502209/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-




* [edk2-devel] [PATCH edk2-platforms 1/1] UserAuthFeaturePkg/UserAuthenticationSmm: Support Standalone MM.
  2023-11-10  5:37 [edk2-devel] [PATCH edk2-platforms 0/1] UserAuthFeaturePkg/UserAuthenticationSmm: Support Standalone MM Xu, Wei6
@ 2023-11-10  5:37 ` Xu, Wei6
  2023-11-30  1:21   ` Nate DeSimone
  0 siblings, 1 reply; 3+ messages in thread
From: Xu, Wei6 @ 2023-11-10  5:37 UTC (permalink / raw)
  To: devel; +Cc: Wei6 Xu, Dandan Bi, Nate DeSimone, Liming Gao

Refactor UserAuthenticationSmm to support Standalone MM.
- Factor out variable lock code logic that references boot services.
- UserAuthenticationVariableLockDxe is added to lock the variables.
- UserAuthenticationStandaloneMm doesn't lock the variables, needs to
  rely on UserAuthenticationVariableLockDxe to do the lock.
- UserAuthenticationSmm still locks the variables by itself, no need
  to include UserAuthenticationVariableLockDxe.
- Register gEfiEventExitBootServicesGuid notify which is used by the
  StandaloneMmCore.

Since gEdkiiVariableLockProtocolGuid is a deprecated interface, use
gEdkiiVariablePolicyProtocolGuid to lock password variables instead.

Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Nate DeSimone <nathaniel.l.desimone@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Signed-off-by: Wei6 Xu <wei6.xu@intel.com>
---
 .../Include/UserAuthFeature.dsc               |  2 +
 .../UserAuthenticationSmm.c                   | 38 ++++-----
 .../UserAuthenticationSmm.h                   | 26 +++---
 .../UserAuthenticationSmm.inf                 | 11 ++-
 .../UserAuthenticationStandaloneMm.c          | 43 ++++++++++
 .../UserAuthenticationStandaloneMm.inf        | 58 +++++++++++++
 .../UserAuthenticationTraditionalMm.c         | 28 +++++++
 .../UserAuthenticationVariable.h              | 36 ++++++++
 .../UserAuthenticationVariableLock.c          | 84 +++++++++++++++++++
 .../UserAuthenticationVariableLockDxe.c       | 31 +++++++
 .../UserAuthenticationVariableLockDxe.inf     | 42 ++++++++++
 11 files changed, 359 insertions(+), 40 deletions(-)
 create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMm.c
 create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMm.inf
 create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationTraditionalMm.c
 create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariable.h
 create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLock.c
 create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLockDxe.c
 create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLockDxe.inf

diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/Include/UserAuthFeature.dsc b/Features/Intel/UserInterface/UserAuthFeaturePkg/Include/UserAuthFeature.dsc
index 2f39a5580caf..d772b213aaeb 100644
--- a/Features/Intel/UserInterface/UserAuthFeaturePkg/Include/UserAuthFeature.dsc
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/Include/UserAuthFeature.dsc
@@ -75,3 +75,5 @@
   UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationDxe.inf
   UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthentication2Dxe.inf
   UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.inf
+  UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMm.inf
+  UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLockDxe.inf
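
Review bot: Both new .inf lines are added unconditionally right after UserAuthenticationSmm.inf, with nothing saying that they are a pair meant for the Standalone MM flow only. The commit message states that UserAuthenticationSmm still locks the variables by itself and does not need UserAuthenticationVariableLockDxe, so a platform that takes every module listed here would run LockPasswordVariable from two drivers. Suggest a comment above the two lines (or a build switch) stating that UserAuthenticationStandaloneMm.inf and UserAuthenticationVariableLockDxe.inf go together and are the alternative to UserAuthenticationSmm.inf.
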
diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.c b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.c
index 16e3405a82ef..89515ea11e85 100644
--- a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.c
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.c
@@ -642,7 +642,7 @@ UaExitBootServices (
 {
   DEBUG ((DEBUG_INFO, "Unregister User Authentication Smi\n"));
 
-  gSmst->SmiHandlerUnRegister(mSmmHandle);
+  gMmst->MmiHandlerUnRegister(mSmmHandle);
 
   return EFI_SUCCESS;
 }
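
Review bot: The result of gMmst->MmiHandlerUnRegister(mSmmHandle) is discarded, and the next hunk registers UaExitBootServices for three separate notifications, so this call can run again on a handle that has already been unregistered. Suggest checking the returned status and clearing mSmmHandle after the first successful unregister, with an early return when it is already NULL.
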
@@ -657,54 +657,44 @@ UaExitBootServices (
 
 **/
 EFI_STATUS
-EFIAPI
 PasswordSmmInit (
-  IN EFI_HANDLE                         ImageHandle,
-  IN EFI_SYSTEM_TABLE                   *SystemTable
+  VOID
   )
 {
   EFI_STATUS                            Status;
-  EDKII_VARIABLE_LOCK_PROTOCOL          *VariableLock;
-  CHAR16                                PasswordHistoryName[sizeof(USER_AUTHENTICATION_VAR_NAME)/sizeof(CHAR16) + 5];
-  UINTN                                 Index;
   EFI_EVENT                             ExitBootServicesEvent;
   EFI_EVENT                             LegacyBootEvent;
+  EFI_EVENT                             SmmExitBootServicesEvent;
 
   ASSERT (PASSWORD_HASH_SIZE == SHA256_DIGEST_SIZE);
   ASSERT (PASSWORD_HISTORY_CHECK_COUNT < 0xFFFF);
 
-  Status = gSmst->SmmLocateProtocol (&gEfiSmmVariableProtocolGuid, NULL, (VOID**)&mSmmVariable);
+  Status = gMmst->MmLocateProtocol (&gEfiSmmVariableProtocolGuid, NULL, (VOID**)&mSmmVariable);
   ASSERT_EFI_ERROR (Status);
 
   //
   // Make password variables read-only for DXE driver for security concern.
   //
-  Status = gBS->LocateProtocol (&gEdkiiVariableLockProtocolGuid, NULL, (VOID **) &VariableLock);
-  if (!EFI_ERROR (Status)) {
-    Status = VariableLock->RequestToLock (VariableLock, USER_AUTHENTICATION_VAR_NAME, &gUserAuthenticationGuid);
-    ASSERT_EFI_ERROR (Status);
-
-    for (Index = 1; Index <= PASSWORD_HISTORY_CHECK_COUNT; Index++) {
-      UnicodeSPrint (PasswordHistoryName, sizeof (PasswordHistoryName), L"%s%04x", USER_AUTHENTICATION_VAR_NAME, Index);
-      Status = VariableLock->RequestToLock (VariableLock, PasswordHistoryName, &gUserAuthenticationGuid);
-      ASSERT_EFI_ERROR (Status);
-    }
-    Status = VariableLock->RequestToLock (VariableLock, USER_AUTHENTICATION_HISTORY_LAST_VAR_NAME, &gUserAuthenticationGuid);
-    ASSERT_EFI_ERROR (Status);
+  Status = LockPasswordVariable ();
+  ASSERT_EFI_ERROR (Status);
+  if (EFI_ERROR (Status)) {
+    return Status;
   }
 
-  Status = gSmst->SmiHandlerRegister (SmmPasswordHandler, &gUserAuthenticationGuid, &mSmmHandle);
+  Status = gMmst->MmiHandlerRegister (SmmPasswordHandler, &gUserAuthenticationGuid, &mSmmHandle);
   ASSERT_EFI_ERROR (Status);
   if (EFI_ERROR (Status)) {
     return Status;
   }
 
   //
-  // Register for SmmExitBootServices and SmmLegacyBoot notification.
+  // Register for SmmExitBootServices, SmmLegacyBoot and EventExitBootServices notification.
   //
-  Status = gSmst->SmmRegisterProtocolNotify (&gEdkiiSmmExitBootServicesProtocolGuid, UaExitBootServices, &ExitBootServicesEvent);
+  Status = gMmst->MmRegisterProtocolNotify (&gEdkiiSmmExitBootServicesProtocolGuid, UaExitBootServices, &SmmExitBootServicesEvent);
+  ASSERT_EFI_ERROR (Status);
+  Status = gMmst->MmRegisterProtocolNotify (&gEdkiiSmmLegacyBootProtocolGuid, UaExitBootServices, &LegacyBootEvent);
   ASSERT_EFI_ERROR (Status);
-  Status = gSmst->SmmRegisterProtocolNotify (&gEdkiiSmmLegacyBootProtocolGuid, UaExitBootServices, &LegacyBootEvent);
+  Status = gMmst->MmRegisterProtocolNotify (&gEfiEventExitBootServicesGuid, UaExitBootServices, &ExitBootServicesEvent);
   ASSERT_EFI_ERROR (Status);
 
   if (IsPasswordCleared()) {
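
Review bot: The new early return after LockPasswordVariable () changes behaviour for the traditional SMM driver. The removed code skipped the locking when gBS->LocateProtocol failed and still went on to register SmmPasswordHandler; the new code asserts and returns the error before MmiHandlerRegister, which does not match the cover letter's "no impact to the existing platforms". If failing closed is intended, state that in the commit message. Separately, gEfiEventExitBootServicesGuid is an event group GUID passed here to MmRegisterProtocolNotify; the comment above the three registrations should say that this one is the notification used by StandaloneMmCore, as the commit message does.
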
diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.h b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.h
index 47bb95529fa7..5bb1268673b0 100644
--- a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.h
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.h
@@ -9,7 +9,7 @@
 #ifndef __USER_AUTHENTICATION_SMM_H__
 #define __USER_AUTHENTICATION_SMM_H__
 
-#include <PiSmm.h>
+#include <PiMm.h>
 
 #include <Protocol/SmmVariable.h>
 #include <Protocol/VariableLock.h>
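
Review bot: #include <Protocol/VariableLock.h> remains in the context directly below the changed include, although this patch removes the EDKII_VARIABLE_LOCK_PROTOCOL usage from PasswordSmmInit and moves locking to the variable policy protocol. Suggest dropping the include if nothing else in the module still needs it.
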
@@ -21,26 +21,17 @@
 #include <Library/BaseMemoryLib.h>
 #include <Library/PrintLib.h>
 #include <Library/UefiBootServicesTableLib.h>
-#include <Library/SmmServicesTableLib.h>
+#include <Library/MmServicesTableLib.h>
 #include <Library/MemoryAllocationLib.h>
-#include <Library/SmmServicesTableLib.h>
 #include <Library/BaseCryptLib.h>
 #include <Library/PlatformPasswordLib.h>
 
 #include "KeyService.h"
+#include "UserAuthenticationVariable.h"
 
 #define PASSWORD_SALT_SIZE   32
 #define PASSWORD_HASH_SIZE   32 // SHA256_DIGEST_SIZE
 
-#define PASSWORD_MAX_TRY_COUNT  3
-#define PASSWORD_HISTORY_CHECK_COUNT  5
-
-//
-// Name of the variable
-//
-#define USER_AUTHENTICATION_VAR_NAME L"Password"
-#define USER_AUTHENTICATION_HISTORY_LAST_VAR_NAME L"PasswordLast"
-
 //
 // Variable storage
 //
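
Review bot: #include <Library/UefiBootServicesTableLib.h> is left in this header (context line above the changed SmmServicesTableLib include), but the header is now also compiled into the MM_STANDALONE module, whose .inf does not list UefiBootServicesTableLib. The only boot services user after this patch is UserAuthenticationVariableLock.c, which includes that header itself, so suggest removing it here to keep gBS out of reach of the Standalone MM sources.
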
@@ -49,4 +40,15 @@ typedef struct {
   UINT8        PasswordSalt[PASSWORD_SALT_SIZE];
 } USER_PASSWORD_VAR_STRUCT;
 
+/**
+  Password Smm Init.
+
+  @retval EFI_SUCESS  This function always complete successfully.
+
+**/
+EFI_STATUS
+PasswordSmmInit (
+  VOID
+  );
+
 #endif
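
Review bot: The @retval line on the new PasswordSmmInit prototype is wrong on two counts: EFI_SUCESS is misspelled, and the function does not always complete successfully, since the .c change returns Status when LockPasswordVariable () or MmiHandlerRegister fails. Suggest "@retval EFI_SUCCESS" for the success case plus an "@retval Others" line for the propagated errors.
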
diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.inf b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.inf
index b53f70f0e319..b41a7ee8a3f1 100644
--- a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.inf
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.inf
@@ -15,13 +15,15 @@
   MODULE_TYPE                    = DXE_SMM_DRIVER
   VERSION_STRING                 = 1.0
   PI_SPECIFICATION_VERSION       = 0x0001000A
-  ENTRY_POINT                    = PasswordSmmInit
+  ENTRY_POINT                    = UserAuthenticationMmEntry
 
 [Sources]
   UserAuthenticationSmm.c
+  UserAuthenticationTraditionalMm.c
   UserAuthenticationSmm.h
   KeyService.c
   KeyService.h
+  UserAuthenticationVariableLock.c
 
 [Packages]
   MdePkg/MdePkg.dec
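
Review bot: [Sources] gains UserAuthenticationTraditionalMm.c and UserAuthenticationVariableLock.c but not the new UserAuthenticationVariable.h, which UserAuthenticationSmm.h now includes. Suggest listing the header next to UserAuthenticationSmm.h so the build tracks it as a dependency.
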
@@ -36,17 +38,18 @@
   BaseLib
   BaseMemoryLib
   PrintLib
-  SmmServicesTableLib
+  MmServicesTableLib
   MemoryAllocationLib
-  UefiLib
   BaseCryptLib
   PlatformPasswordLib
+  VariablePolicyHelperLib
 
 [Guids]
   gUserAuthenticationGuid                       ## CONSUMES  ## GUID
+  gEfiEventExitBootServicesGuid                 ## CONSUMES  ## Event
 
 [Protocols]
-  gEdkiiVariableLockProtocolGuid                ## CONSUMES
+  gEdkiiVariablePolicyProtocolGuid              ## CONSUMES
   gEfiSmmVariableProtocolGuid                   ## CONSUMES
   gEdkiiSmmExitBootServicesProtocolGuid         ## CONSUMES
   gEdkiiSmmLegacyBootProtocolGuid               ## CONSUMES
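
Review bot: [Protocols] now consumes gEdkiiVariablePolicyProtocolGuid, but neither hunk of this file touches [Depex], while PasswordSmmInit now returns an error when LockPasswordVariable () cannot locate that protocol. If the existing [Depex] does not already guarantee the variable policy protocol, add it there so the driver is not dispatched too early. The "## Event" usage tag on gEfiEventExitBootServicesGuid is also worth a second look, since the code passes it to MmRegisterProtocolNotify rather than creating an event.
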
diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMm.c b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMm.c
new file mode 100644
index 000000000000..7a767ccabf2f
--- /dev/null
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMm.c
@@ -0,0 +1,43 @@
+/** @file
+  Entry point of UserAuthenticationStandaloneMm.
+
+  Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "UserAuthenticationSmm.h"
+
+/**
+  NULL implement for Lock password variables.
+  Relies on UserAuthenticationVariableLockDxe to lock the password variables.
+
+  @retval EFI_SUCCESS  Always return success.
+
+**/
+EFI_STATUS
+LockPasswordVariable (
+  VOID
+  )
+{
+  return EFI_SUCCESS;
+}
+
+/**
+  Main entry for this driver.
+
+  @param ImageHandle     Image handle this driver.
+  @param SystemTable     Pointer to SystemTable.
+
+  @retval EFI_SUCESS     This function always complete successfully.
+
+**/
+EFI_STATUS
+EFIAPI
+UserAuthenticationMmEntry (
+  IN EFI_HANDLE           ImageHandle,
+  IN EFI_MM_SYSTEM_TABLE  *SystemTable
+  )
+{
+  return PasswordSmmInit ();
+}
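
Review bot: The stub LockPasswordVariable () returns EFI_SUCCESS unconditionally, so PasswordSmmInit registers the password MMI handler whether or not UserAuthenticationVariableLockDxe is present in the image; if a platform leaves that DXE driver out, the password variables stay writable and nothing reports it. Suggest at least a DEBUG message here naming the required companion driver, and a note in the package documentation. The entry point comment also repeats "@retval EFI_SUCESS  This function always complete successfully", which is misspelled and no longer true because PasswordSmmInit can return an error.
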
diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMm.inf b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMm.inf
new file mode 100644
index 000000000000..f7d9a045001e
--- /dev/null
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMm.inf
@@ -0,0 +1,58 @@
+## @file
+#  User Authentication Standalone Mm Driver.
+#
+#  This driver provides SMM services for DXE user authentication module.
+#  This Standalone Mm driver lacks of the ability to lock the password
+#  variables. Need to reply on UserAuthenticationVariableLockDxe to lock
+#  the variables.
+#
+# Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = UserAuthenticationStandaloneMm
+  FILE_GUID                      = 80130611-a67a-4631-becb-87ce22d6f165
+  MODULE_TYPE                    = MM_STANDALONE
+  VERSION_STRING                 = 1.0
+  PI_SPECIFICATION_VERSION       = 0x00010032
+  ENTRY_POINT                    = UserAuthenticationMmEntry
+
+[Sources]
+  UserAuthenticationSmm.c
+  UserAuthenticationStandaloneMm.c
+  UserAuthenticationSmm.h
+  KeyService.c
+  KeyService.h
+
+[Packages]
+  MdePkg/MdePkg.dec
+  MdeModulePkg/MdeModulePkg.dec
+  CryptoPkg/CryptoPkg.dec
+  UserAuthFeaturePkg/UserAuthFeaturePkg.dec
+
+[LibraryClasses]
+  StandaloneMmDriverEntryPoint
+  DebugLib
+  BaseLib
+  BaseMemoryLib
+  PrintLib
+  MmServicesTableLib
+  MemoryAllocationLib
+  BaseCryptLib
+  PlatformPasswordLib
+
+[Guids]
+  gUserAuthenticationGuid                       ## CONSUMES  ## GUID
+  gEfiEventExitBootServicesGuid                 ## CONSUMES  ## Event
+
+[Protocols]
+  gEdkiiVariableLockProtocolGuid                ## CONSUMES
+  gEfiSmmVariableProtocolGuid                   ## CONSUMES
+  gEdkiiSmmExitBootServicesProtocolGuid         ## CONSUMES
+  gEdkiiSmmLegacyBootProtocolGuid               ## CONSUMES
+
+[Depex]
+  gEfiSmmVariableProtocolGuid
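
Review bot: [Protocols] lists gEdkiiVariableLockProtocolGuid as CONSUMES, yet this module's sources do not lock anything (LockPasswordVariable is a stub in UserAuthenticationStandaloneMm.c) and the patch moves locking to the variable policy protocol elsewhere; the entry looks stale and should be removed. In the file header, "Need to reply on" should read "Need to rely on", and UserAuthenticationVariable.h is missing from [Sources].
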
diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationTraditionalMm.c b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationTraditionalMm.c
new file mode 100644
index 000000000000..1514d78f1946
--- /dev/null
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationTraditionalMm.c
@@ -0,0 +1,28 @@
+/** @file
+  Entry point of UserAuthenticationSmm.
+
+  Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "UserAuthenticationSmm.h"
+
+/**
+  Main entry for this driver.
+
+  @param[in] ImageHandle  Image handle this driver.
+  @param[in] SystemTable  Pointer to SystemTable.
+
+  @retval EFI_SUCESS  This function always complete successfully.
+
+**/
+EFI_STATUS
+EFIAPI
+UserAuthenticationMmEntry (
+  IN EFI_HANDLE        ImageHandle,
+  IN EFI_SYSTEM_TABLE  *SystemTable
+  )
+{
+  return PasswordSmmInit ();
+}
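
Review bot: The "@retval EFI_SUCESS  This function always complete successfully" line in the entry point comment is misspelled and inaccurate, because the body returns whatever PasswordSmmInit () returns, including the error from a failed LockPasswordVariable (). Suggest "@retval EFI_SUCCESS" plus "@retval Others".
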
diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariable.h b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariable.h
new file mode 100644
index 000000000000..3b249e06d848
--- /dev/null
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariable.h
@@ -0,0 +1,36 @@
+/** @file
+  Header file for definition of User Authentication Variable.
+
+  Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef USER_AUTHENTICATION_VARIABLE_H_
+#define USER_AUTHENTICATION_VARIABLE_H_
+
+#define PASSWORD_MAX_TRY_COUNT        3
+#define PASSWORD_HISTORY_CHECK_COUNT  5
+
+//
+// Name of the variable
+//
+#define USER_AUTHENTICATION_VAR_NAME               L"Password"
+#define USER_AUTHENTICATION_HISTORY_LAST_VAR_NAME  L"PasswordLast"
+
+/**
+  Lock password variables for security concern.
+
+  @retval EFI_SUCCESS           Succeed to lock variable.
+  @retval EFI_NOT_FOUND         Variable Lock protocol is not found.
+  @retval EFI_ACCESS_DENIED     EFI_END_OF_DXE_EVENT_GROUP_GUID or EFI_EVENT_GROUP_READY_TO_BOOT has
+                                already been signaled.
+  @retval EFI_OUT_OF_RESOURCES  There is not enough resource to hold the lock request.
+
+**/
+EFI_STATUS
+LockPasswordVariable (
+  VOID
+  );
+
+#endif
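
Review bot: The @retval descriptions on LockPasswordVariable still describe the deprecated interface: EFI_NOT_FOUND says "Variable Lock protocol is not found", while the implementation in this patch locates gEdkiiVariablePolicyProtocolGuid and calls RegisterBasicVariablePolicy. Suggest rewording the return values to match the variable policy calls. The header also uses EFI_STATUS without including any base header, so it only compiles when the includer has pulled one in first.
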
diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLock.c b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLock.c
new file mode 100644
index 000000000000..dd43991fe711
--- /dev/null
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLock.c
@@ -0,0 +1,84 @@
+/** @file
+  Source code to lock password variables.
+
+  Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <PiDxe.h>
+
+#include <Protocol/VariablePolicy.h>
+
+#include <Library/PrintLib.h>
+#include <Library/DebugLib.h>
+#include <Library/VariablePolicyHelperLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+
+#include <Guid/UserAuthentication.h>
+
+#include "UserAuthenticationVariable.h"
+
+/**
+  Lock password variables for security concern.
+
+  @retval EFI_SUCCESS           Succeed to lock variable.
+  @retval EFI_NOT_FOUND         Variable Lock protocol is not found.
+  @retval EFI_ACCESS_DENIED     EFI_END_OF_DXE_EVENT_GROUP_GUID or EFI_EVENT_GROUP_READY_TO_BOOT has
+                                already been signaled.
+  @retval EFI_OUT_OF_RESOURCES  There is not enough resource to hold the lock request.
+
+**/
+EFI_STATUS
+LockPasswordVariable (
+  VOID
+  )
+{
+  EFI_STATUS                      Status;
+  CHAR16                          PasswordHistoryName[sizeof (USER_AUTHENTICATION_VAR_NAME)/sizeof (CHAR16) + 5];
+  UINTN                           Index;
+  EDKII_VARIABLE_POLICY_PROTOCOL  *VariablePolicy;
+
+  Status = gBS->LocateProtocol (&gEdkiiVariablePolicyProtocolGuid, NULL, (VOID **)&VariablePolicy);
+  if (!EFI_ERROR (Status)) {
+    Status = RegisterBasicVariablePolicy (
+               VariablePolicy,
+               &gUserAuthenticationGuid,
+               USER_AUTHENTICATION_VAR_NAME,
+               VARIABLE_POLICY_NO_MIN_SIZE,
+               VARIABLE_POLICY_NO_MAX_SIZE,
+               VARIABLE_POLICY_NO_MUST_ATTR,
+               VARIABLE_POLICY_NO_CANT_ATTR,
+               VARIABLE_POLICY_TYPE_LOCK_NOW
+               );
+    ASSERT_EFI_ERROR (Status);
+    for (Index = 1; Index <= PASSWORD_HISTORY_CHECK_COUNT; Index++) {
+      UnicodeSPrint (PasswordHistoryName, sizeof (PasswordHistoryName), L"%s%04x", USER_AUTHENTICATION_VAR_NAME, Index);
+      Status = RegisterBasicVariablePolicy (
+                 VariablePolicy,
+                 &gUserAuthenticationGuid,
+                 PasswordHistoryName,
+                 VARIABLE_POLICY_NO_MIN_SIZE,
+                 VARIABLE_POLICY_NO_MAX_SIZE,
+                 VARIABLE_POLICY_NO_MUST_ATTR,
+                 VARIABLE_POLICY_NO_CANT_ATTR,
+                 VARIABLE_POLICY_TYPE_LOCK_NOW
+                 );
+      ASSERT_EFI_ERROR (Status);
+    }
+
+    Status = RegisterBasicVariablePolicy (
+               VariablePolicy,
+               &gUserAuthenticationGuid,
+               USER_AUTHENTICATION_HISTORY_LAST_VAR_NAME,
+               VARIABLE_POLICY_NO_MIN_SIZE,
+               VARIABLE_POLICY_NO_MAX_SIZE,
+               VARIABLE_POLICY_NO_MUST_ATTR,
+               VARIABLE_POLICY_NO_CANT_ATTR,
+               VARIABLE_POLICY_TYPE_LOCK_NOW
+               );
+    ASSERT_EFI_ERROR (Status);
+  }
+
+  return Status;
+}
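
Review bot: Each RegisterBasicVariablePolicy result is only checked with ASSERT_EFI_ERROR and then overwritten by the next call, so in a build where asserts are disabled a failure to lock "Password" or one of the history variables is hidden as long as the final call for USER_AUTHENTICATION_HISTORY_LAST_VAR_NAME succeeds, and the caller sees EFI_SUCCESS. Suggest returning (or at least recording) the first error, for example "if (EFI_ERROR (Status)) { return Status; }" after each call. The function comment has the same stale "Variable Lock protocol is not found" wording as the header.
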
diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLockDxe.c b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLockDxe.c
new file mode 100644
index 000000000000..7919feacc9e7
--- /dev/null
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLockDxe.c
@@ -0,0 +1,31 @@
+/** @file
+  This Driver mainly locks password variables.
+
+  Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <PiDxe.h>
+
+#include "UserAuthenticationVariable.h"
+
+/**
+  User Authentication Variable Lock entry point.
+
+  @param[in] ImageHandle  The image handle.
+  @param[in] SystemTable  The system table.
+
+  @retval EFI_SUCCESS    The entry point is executed successfully.
+  @return  other         Contain some other errors.
+
+**/
+EFI_STATUS
+EFIAPI
+UserAuthenticationVariableLockEntry (
+  IN EFI_HANDLE        ImageHandle,
+  IN EFI_SYSTEM_TABLE  *SystemTable
+  )
+{
+  return LockPasswordVariable ();
+}
diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLockDxe.inf b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLockDxe.inf
new file mode 100644
index 000000000000..3959686647f9
--- /dev/null
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLockDxe.inf
@@ -0,0 +1,42 @@
+## @file
+#  User Authentication Variable Lock Dxe Driver.
+#
+#  This Driver mainly locks the password variable.
+#
+# Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = UserAuthenticationVariableLockDxe
+  FILE_GUID                      = 08fc98fb-1cec-45c6-ad02-542096191054
+  MODULE_TYPE                    = DXE_DRIVER
+  VERSION_STRING                 = 1.0
+  ENTRY_POINT                    = UserAuthenticationVariableLockEntry
+
+[Sources]
+  UserAuthenticationVariableLockDxe.c
+  UserAuthenticationVariableLock.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  MdeModulePkg/MdeModulePkg.dec
+  UserAuthFeaturePkg/UserAuthFeaturePkg.dec
+
+[LibraryClasses]
+  UefiBootServicesTableLib
+  UefiDriverEntryPoint
+  DebugLib
+  PrintLib
+  VariablePolicyHelperLib
+
+[Guids]
+  gUserAuthenticationGuid                       ## CONSUMES  ## GUID
+
+[Protocols]
+  gEdkiiVariablePolicyProtocolGuid              ## CONSUMES
+
+[Depex]
+  gEdkiiVariableLockProtocolGuid
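
Review bot: [Depex] names gEdkiiVariableLockProtocolGuid, but [Protocols] consumes gEdkiiVariablePolicyProtocolGuid and UserAuthenticationVariableLock.c locates only the policy protocol. The dependency expression should match what the code uses; otherwise the driver can be dispatched when the policy protocol is not yet installed, in which case LockPasswordVariable () returns the LocateProtocol error and no variable is locked. Suggest changing [Depex] to gEdkiiVariablePolicyProtocolGuid.
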
-- 
2.29.2.windows.2







* Re: [edk2-devel] [PATCH edk2-platforms 1/1] UserAuthFeaturePkg/UserAuthenticationSmm: Support Standalone MM.
  2023-11-10  5:37 ` [edk2-devel] [PATCH edk2-platforms 1/1] " Xu, Wei6
@ 2023-11-30  1:21   ` Nate DeSimone
  0 siblings, 0 replies; 3+ messages in thread
From: Nate DeSimone @ 2023-11-30  1:21 UTC (permalink / raw)
  To: Xu, Wei6, devel@edk2.groups.io; +Cc: Bi, Dandan, Gao, Liming

Hi Wei,

There is a bigger issue here that your patch series highlights. It is not possible to implement the user authentication feature in standalone MM without also having a DXE driver. But that is an issue that is beyond the scope of this patch series as it will require modifications to the variable driver.

Please send a v2 patch with the following changes:

- Please update copyright year on UserAuthFeature.dsc and UserAuthenticationSmm.*
- Please rename UserAuthenticationVariableLockDxe so that it is clear that this driver is only used for the standalone MM case. Perhaps UserAuthenticationStandaloneMmDxe

Thanks,
Nate

-----Original Message-----
From: Xu, Wei6 <wei6.xu@intel.com> 
Sent: Thursday, November 9, 2023 9:38 PM
To: devel@edk2.groups.io
Cc: Xu, Wei6 <wei6.xu@intel.com>; Bi, Dandan <dandan.bi@intel.com>; Desimone, Nathaniel L <nathaniel.l.desimone@intel.com>; Gao, Liming <gaoliming@byosoft.com.cn>
Subject: [PATCH edk2-platforms 1/1] UserAuthFeaturePkg/UserAuthenticationSmm: Support Standalone MM.

Refactor UserAuthenticationSmm to support Standalone MM.
- Factor out variable lock code logic that references boot services.
- UserAuthenticationVariableLockDxe is added to lock the variables.
- UserAuthenticationStandaloneMm doesn't lock the variables, needs to
  rely on UserAuthenticationVariableLockDxe to do the lock.
- UserAuthenticationSmm still locks the variables by itself, no need
  to include UserAuthenticationVariableLockDxe.
- Register gEfiEventExitBootServicesGuid notify which is used by the
  StandaloneMmCore.

Since gEdkiiVariableLockProtocolGuid is a deprecated interface, use gEdkiiVariablePolicyProtocolGuid to lock password variables instead.

Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Nate DeSimone <nathaniel.l.desimone@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Signed-off-by: Wei6 Xu <wei6.xu@intel.com>
---
 .../Include/UserAuthFeature.dsc               |  2 +
 .../UserAuthenticationSmm.c                   | 38 ++++-----
 .../UserAuthenticationSmm.h                   | 26 +++---
 .../UserAuthenticationSmm.inf                 | 11 ++-
 .../UserAuthenticationStandaloneMm.c          | 43 ++++++++++
 .../UserAuthenticationStandaloneMm.inf        | 58 +++++++++++++
 .../UserAuthenticationTraditionalMm.c         | 28 +++++++
 .../UserAuthenticationVariable.h              | 36 ++++++++
 .../UserAuthenticationVariableLock.c          | 84 +++++++++++++++++++
 .../UserAuthenticationVariableLockDxe.c       | 31 +++++++
 .../UserAuthenticationVariableLockDxe.inf     | 42 ++++++++++
 11 files changed, 359 insertions(+), 40 deletions(-)
 create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMm.c
 create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMm.inf
 create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationTraditionalMm.c
 create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariable.h
 create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLock.c
 create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLockDxe.c
 create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLockDxe.inf

diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/Include/UserAuthFeature.dsc b/Features/Intel/UserInterface/UserAuthFeaturePkg/Include/UserAuthFeature.dsc
index 2f39a5580caf..d772b213aaeb 100644
--- a/Features/Intel/UserInterface/UserAuthFeaturePkg/Include/UserAuthFeature.dsc
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/Include/UserAuthFe
+++ ature.dsc
@@ -75,3 +75,5 @@
   UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationDxe.inf
   UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthentication2Dxe.inf
   UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.inf
+  
+ UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandalo
+ neMm.inf  
+ UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariable
+ LockDxe.inf
diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.c b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.c
index 16e3405a82ef..89515ea11e85 100644
--- a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.c
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthentication
+++ DxeSmm/UserAuthenticationSmm.c
@@ -642,7 +642,7 @@ UaExitBootServices (  {
   DEBUG ((DEBUG_INFO, "Unregister User Authentication Smi\n"));
 
-  gSmst->SmiHandlerUnRegister(mSmmHandle);
+  gMmst->MmiHandlerUnRegister(mSmmHandle);
 
   return EFI_SUCCESS;
 }
@@ -657,54 +657,44 @@ UaExitBootServices (
 
 **/
 EFI_STATUS
-EFIAPI
 PasswordSmmInit (
-  IN EFI_HANDLE                         ImageHandle,
-  IN EFI_SYSTEM_TABLE                   *SystemTable
+  VOID
   )
 {
   EFI_STATUS                            Status;
-  EDKII_VARIABLE_LOCK_PROTOCOL          *VariableLock;
-  CHAR16                                PasswordHistoryName[sizeof(USER_AUTHENTICATION_VAR_NAME)/sizeof(CHAR16) + 5];
-  UINTN                                 Index;
   EFI_EVENT                             ExitBootServicesEvent;
   EFI_EVENT                             LegacyBootEvent;
+  EFI_EVENT                             SmmExitBootServicesEvent;
 
   ASSERT (PASSWORD_HASH_SIZE == SHA256_DIGEST_SIZE);
   ASSERT (PASSWORD_HISTORY_CHECK_COUNT < 0xFFFF);
 
-  Status = gSmst->SmmLocateProtocol (&gEfiSmmVariableProtocolGuid, NULL, (VOID**)&mSmmVariable);
+  Status = gMmst->MmLocateProtocol (&gEfiSmmVariableProtocolGuid, NULL, 
+ (VOID**)&mSmmVariable);
   ASSERT_EFI_ERROR (Status);
 
   //
   // Make password variables read-only for DXE driver for security concern.
   //
-  Status = gBS->LocateProtocol (&gEdkiiVariableLockProtocolGuid, NULL, (VOID **) &VariableLock);
-  if (!EFI_ERROR (Status)) {
-    Status = VariableLock->RequestToLock (VariableLock, USER_AUTHENTICATION_VAR_NAME, &gUserAuthenticationGuid);
-    ASSERT_EFI_ERROR (Status);
-
-    for (Index = 1; Index <= PASSWORD_HISTORY_CHECK_COUNT; Index++) {
-      UnicodeSPrint (PasswordHistoryName, sizeof (PasswordHistoryName), L"%s%04x", USER_AUTHENTICATION_VAR_NAME, Index);
-      Status = VariableLock->RequestToLock (VariableLock, PasswordHistoryName, &gUserAuthenticationGuid);
-      ASSERT_EFI_ERROR (Status);
-    }
-    Status = VariableLock->RequestToLock (VariableLock, USER_AUTHENTICATION_HISTORY_LAST_VAR_NAME, &gUserAuthenticationGuid);
-    ASSERT_EFI_ERROR (Status);
+  Status = LockPasswordVariable ();
+  ASSERT_EFI_ERROR (Status);
+  if (EFI_ERROR (Status)) {
+    return Status;
   }
 
-  Status = gSmst->SmiHandlerRegister (SmmPasswordHandler, &gUserAuthenticationGuid, &mSmmHandle);
+  Status = gMmst->MmiHandlerRegister (SmmPasswordHandler, 
+ &gUserAuthenticationGuid, &mSmmHandle);
   ASSERT_EFI_ERROR (Status);
   if (EFI_ERROR (Status)) {
     return Status;
   }
 
   //
-  // Register for SmmExitBootServices and SmmLegacyBoot notification.
+  // Register for SmmExitBootServices, SmmLegacyBoot and EventExitBootServices notification.
   //
-  Status = gSmst->SmmRegisterProtocolNotify (&gEdkiiSmmExitBootServicesProtocolGuid, UaExitBootServices, &ExitBootServicesEvent);
+  Status = gMmst->MmRegisterProtocolNotify 
+ (&gEdkiiSmmExitBootServicesProtocolGuid, UaExitBootServices, 
+ &SmmExitBootServicesEvent);  ASSERT_EFI_ERROR (Status);  Status = 
+ gMmst->MmRegisterProtocolNotify (&gEdkiiSmmLegacyBootProtocolGuid, 
+ UaExitBootServices, &LegacyBootEvent);
   ASSERT_EFI_ERROR (Status);
-  Status = gSmst->SmmRegisterProtocolNotify (&gEdkiiSmmLegacyBootProtocolGuid, UaExitBootServices, &LegacyBootEvent);
+  Status = gMmst->MmRegisterProtocolNotify 
+ (&gEfiEventExitBootServicesGuid, UaExitBootServices, 
+ &ExitBootServicesEvent);
   ASSERT_EFI_ERROR (Status);
 
   if (IsPasswordCleared()) {
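
Review bot: The new LockPasswordVariable () call makes the lock mandatory where the removed code was best effort: the old block skipped locking when LocateProtocol failed and still went on to register the handler, whereas now any error return aborts PasswordSmmInit before MmiHandlerRegister. Failing closed is the safer behaviour, but it is a functional change for existing DXE_SMM_DRIVER platforms that do not publish the Variable Policy protocol, so it should be called out in the commit message, since the cover letter states there is no impact. The comment above the call could also say that in the Standalone MM build this call is a stub and the lock is done by UserAuthenticationVariableLockDxe.
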
diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.h b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.h
index 47bb95529fa7..5bb1268673b0 100644
--- a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.h
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthentication
+++ DxeSmm/UserAuthenticationSmm.h
@@ -9,7 +9,7 @@
 #ifndef __USER_AUTHENTICATION_SMM_H__
 #define __USER_AUTHENTICATION_SMM_H__
 
-#include <PiSmm.h>
+#include <PiMm.h>
 
 #include <Protocol/SmmVariable.h>
 #include <Protocol/VariableLock.h>
@@ -21,26 +21,17 @@
 #include <Library/BaseMemoryLib.h>
 #include <Library/PrintLib.h>
 #include <Library/UefiBootServicesTableLib.h>
-#include <Library/SmmServicesTableLib.h>
+#include <Library/MmServicesTableLib.h>
 #include <Library/MemoryAllocationLib.h> -#include <Library/SmmServicesTableLib.h>  #include <Library/BaseCryptLib.h>  #include <Library/PlatformPasswordLib.h>
 
 #include "KeyService.h"
+#include "UserAuthenticationVariable.h"
 
 #define PASSWORD_SALT_SIZE   32
 #define PASSWORD_HASH_SIZE   32 // SHA256_DIGEST_SIZE
 
-#define PASSWORD_MAX_TRY_COUNT  3
-#define PASSWORD_HISTORY_CHECK_COUNT  5
-
-//
-// Name of the variable
-//
-#define USER_AUTHENTICATION_VAR_NAME L"Password"
-#define USER_AUTHENTICATION_HISTORY_LAST_VAR_NAME L"PasswordLast"
-
 //
 // Variable storage
 //
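
Review bot: This header is now shared with the MM_STANDALONE build, yet the context lines keep Library/UefiBootServicesTableLib.h here and Protocol/VariableLock.h in the hunk above. The lock code moved to UserAuthenticationVariableLock.c, which has its own includes, so both can be dropped from this header; that keeps gBS out of reach of code compiled for Standalone MM, where boot services are not available.
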
@@ -49,4 +40,15 @@ typedef struct {
   UINT8        PasswordSalt[PASSWORD_SALT_SIZE];
 } USER_PASSWORD_VAR_STRUCT;
 
+/**
+  Password Smm Init.
+
+  @retval EFI_SUCESS  This function always complete successfully.
+
+**/
+EFI_STATUS
+PasswordSmmInit (
+  VOID
+  );
+
 #endif
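
Review bot: The @retval line for PasswordSmmInit is wrong on two counts: EFI_SUCESS is misspelled, and the function does not always succeed, since the .c hunk returns the error from LockPasswordVariable () and from MmiHandlerRegister. Spell it EFI_SUCCESS and add an entry such as "@return Others  Locking the variables or registering the MMI handler failed". The same misspelled text is repeated on UserAuthenticationMmEntry in both new entry-point files.
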
diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.inf b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.inf
index b53f70f0e319..b41a7ee8a3f1 100644
--- a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.inf
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthentication
+++ DxeSmm/UserAuthenticationSmm.inf
@@ -15,13 +15,15 @@
   MODULE_TYPE                    = DXE_SMM_DRIVER
   VERSION_STRING                 = 1.0
   PI_SPECIFICATION_VERSION       = 0x0001000A
-  ENTRY_POINT                    = PasswordSmmInit
+  ENTRY_POINT                    = UserAuthenticationMmEntry
 
 [Sources]
   UserAuthenticationSmm.c
+  UserAuthenticationTraditionalMm.c
   UserAuthenticationSmm.h
   KeyService.c
   KeyService.h
+  UserAuthenticationVariableLock.c
 
 [Packages]
   MdePkg/MdePkg.dec
@@ -36,17 +38,18 @@
   BaseLib
   BaseMemoryLib
   PrintLib
-  SmmServicesTableLib
+  MmServicesTableLib
   MemoryAllocationLib
-  UefiLib
   BaseCryptLib
   PlatformPasswordLib
+  VariablePolicyHelperLib
 
 [Guids]
   gUserAuthenticationGuid                       ## CONSUMES  ## GUID
+  gEfiEventExitBootServicesGuid                 ## CONSUMES  ## Event
 
 [Protocols]
-  gEdkiiVariableLockProtocolGuid                ## CONSUMES
+  gEdkiiVariablePolicyProtocolGuid              ## CONSUMES
   gEfiSmmVariableProtocolGuid                   ## CONSUMES
   gEdkiiSmmExitBootServicesProtocolGuid         ## CONSUMES
   gEdkiiSmmLegacyBootProtocolGuid               ## CONSUMES
diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMm.c b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMm.c
new file mode 100644
index 000000000000..7a767ccabf2f
--- /dev/null
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthentication
+++ DxeSmm/UserAuthenticationStandaloneMm.c
@@ -0,0 +1,43 @@
+/** @file
+  Entry point of UserAuthenticationStandaloneMm.
+
+  Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "UserAuthenticationSmm.h"
+
+/**
+  NULL implement for Lock password variables.
+  Relies on UserAuthenticationVariableLockDxe to lock the password variables.
+
+  @retval EFI_SUCCESS  Always return success.
+
+**/
+EFI_STATUS
+LockPasswordVariable (
+  VOID
+  )
+{
+  return EFI_SUCCESS;
+}
+
+/**
+  Main entry for this driver.
+
+  @param ImageHandle     Image handle this driver.
+  @param SystemTable     Pointer to SystemTable.
+
+  @retval EFI_SUCESS     This function always complete successfully.
+
+**/
+EFI_STATUS
+EFIAPI
+UserAuthenticationMmEntry (
+  IN EFI_HANDLE           ImageHandle,
+  IN EFI_MM_SYSTEM_TABLE  *SystemTable
+  )
+{
+  return PasswordSmmInit ();
+}
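
Review bot: LockPasswordVariable () is a stub that returns EFI_SUCCESS, so in the Standalone MM build PasswordSmmInit registers the MMI handler without any evidence that the password variables are locked. The protection then depends entirely on the platform also dispatching UserAuthenticationVariableLockDxe, and nothing in this file checks or records that. At minimum emit a DEBUG message here naming the driver that must provide the lock, and state the requirement in the package documentation so an integrator cannot ship the MM driver alone.
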
diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMm.inf b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMm.inf
new file mode 100644
index 000000000000..f7d9a045001e
--- /dev/null
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthentication
+++ DxeSmm/UserAuthenticationStandaloneMm.inf
@@ -0,0 +1,58 @@
+## @file
+#  User Authentication Standalone Mm Driver.
+#
+#  This driver provides SMM services for DXE user authentication module.
+#  This Standalone Mm driver lacks of the ability to lock the password 
+#  variables. Need to reply on UserAuthenticationVariableLockDxe to 
+lock #  the variables.
+#
+# Copyright (c) 2023, Intel Corporation. All rights reserved.<BR> # 
+SPDX-License-Identifier: BSD-2-Clause-Patent # ##
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = UserAuthenticationStandaloneMm
+  FILE_GUID                      = 80130611-a67a-4631-becb-87ce22d6f165
+  MODULE_TYPE                    = MM_STANDALONE
+  VERSION_STRING                 = 1.0
+  PI_SPECIFICATION_VERSION       = 0x00010032
+  ENTRY_POINT                    = UserAuthenticationMmEntry
+
+[Sources]
+  UserAuthenticationSmm.c
+  UserAuthenticationStandaloneMm.c
+  UserAuthenticationSmm.h
+  KeyService.c
+  KeyService.h
+
+[Packages]
+  MdePkg/MdePkg.dec
+  MdeModulePkg/MdeModulePkg.dec
+  CryptoPkg/CryptoPkg.dec
+  UserAuthFeaturePkg/UserAuthFeaturePkg.dec
+
+[LibraryClasses]
+  StandaloneMmDriverEntryPoint
+  DebugLib
+  BaseLib
+  BaseMemoryLib
+  PrintLib
+  MmServicesTableLib
+  MemoryAllocationLib
+  BaseCryptLib
+  PlatformPasswordLib
+
+[Guids]
+  gUserAuthenticationGuid                       ## CONSUMES  ## GUID
+  gEfiEventExitBootServicesGuid                 ## CONSUMES  ## Event
+
+[Protocols]
+  gEdkiiVariableLockProtocolGuid                ## CONSUMES
+  gEfiSmmVariableProtocolGuid                   ## CONSUMES
+  gEdkiiSmmExitBootServicesProtocolGuid         ## CONSUMES
+  gEdkiiSmmLegacyBootProtocolGuid               ## CONSUMES
+
+[Depex]
+  gEfiSmmVariableProtocolGuid
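
Review bot: [Protocols] lists gEdkiiVariableLockProtocolGuid as CONSUMES, but this module's LockPasswordVariable is a stub and the Variable Lock calls were removed from PasswordSmmInit in this patch, so the entry looks stale and should be dropped. In the file header, "Need to reply on" should read "Need to rely on".
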
diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationTraditionalMm.c b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationTraditionalMm.c
new file mode 100644
index 000000000000..1514d78f1946
--- /dev/null
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthentication
+++ DxeSmm/UserAuthenticationTraditionalMm.c
@@ -0,0 +1,28 @@
+/** @file
+  Entry point of UserAuthenticationSmm.
+
+  Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "UserAuthenticationSmm.h"
+
+/**
+  Main entry for this driver.
+
+  @param[in] ImageHandle  Image handle this driver.
+  @param[in] SystemTable  Pointer to SystemTable.
+
+  @retval EFI_SUCESS  This function always complete successfully.
+
+**/
+EFI_STATUS
+EFIAPI
+UserAuthenticationMmEntry (
+  IN EFI_HANDLE        ImageHandle,
+  IN EFI_SYSTEM_TABLE  *SystemTable
+  )
+{
+  return PasswordSmmInit ();
+}
diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariable.h b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariable.h
new file mode 100644
index 000000000000..3b249e06d848
--- /dev/null
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthentication
+++ DxeSmm/UserAuthenticationVariable.h
@@ -0,0 +1,36 @@
+/** @file
+  Header file for definition of User Authentication Variable.
+
+  Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef USER_AUTHENTICATION_VARIABLE_H_ #define 
+USER_AUTHENTICATION_VARIABLE_H_
+
+#define PASSWORD_MAX_TRY_COUNT        3
+#define PASSWORD_HISTORY_CHECK_COUNT  5
+
+//
+// Name of the variable
+//
+#define USER_AUTHENTICATION_VAR_NAME               L"Password"
+#define USER_AUTHENTICATION_HISTORY_LAST_VAR_NAME  L"PasswordLast"
+
+/**
+  Lock password variables for security concern.
+
+  @retval EFI_SUCCESS           Succeed to lock variable.
+  @retval EFI_NOT_FOUND         Variable Lock protocol is not found.
+  @retval EFI_ACCESS_DENIED     EFI_END_OF_DXE_EVENT_GROUP_GUID or EFI_EVENT_GROUP_READY_TO_BOOT has
+                                already been signaled.
+  @retval EFI_OUT_OF_RESOURCES  There is not enough resource to hold the lock request.
+
+**/
+EFI_STATUS
+LockPasswordVariable (
+  VOID
+  );
+
+#endif
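
Review bot: The @retval descriptions of LockPasswordVariable were carried over from the Variable Lock interface: they mention the Variable Lock protocol and the EndOfDxe/ReadyToBoot condition, while the implementation in UserAuthenticationVariableLock.c locates gEdkiiVariablePolicyProtocolGuid and calls RegisterBasicVariablePolicy. Please reword them for Variable Policy, and note that the Standalone MM implementation always returns EFI_SUCCESS without locking anything.
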
diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLock.c b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLock.c
new file mode 100644
index 000000000000..dd43991fe711
--- /dev/null
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthentication
+++ DxeSmm/UserAuthenticationVariableLock.c
@@ -0,0 +1,84 @@
+/** @file
+  Source code to lock password variables.
+
+  Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <PiDxe.h>
+
+#include <Protocol/VariablePolicy.h>
+
+#include <Library/PrintLib.h>
+#include <Library/DebugLib.h>
+#include <Library/VariablePolicyHelperLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+
+#include <Guid/UserAuthentication.h>
+
+#include "UserAuthenticationVariable.h"
+
+/**
+  Lock password variables for security concern.
+
+  @retval EFI_SUCCESS           Succeed to lock variable.
+  @retval EFI_NOT_FOUND         Variable Lock protocol is not found.
+  @retval EFI_ACCESS_DENIED     EFI_END_OF_DXE_EVENT_GROUP_GUID or EFI_EVENT_GROUP_READY_TO_BOOT has
+                                already been signaled.
+  @retval EFI_OUT_OF_RESOURCES  There is not enough resource to hold the lock request.
+
+**/
+EFI_STATUS
+LockPasswordVariable (
+  VOID
+  )
+{
+  EFI_STATUS                      Status;
+  CHAR16                          PasswordHistoryName[sizeof (USER_AUTHENTICATION_VAR_NAME)/sizeof (CHAR16) + 5];
+  UINTN                           Index;
+  EDKII_VARIABLE_POLICY_PROTOCOL  *VariablePolicy;
+
+  Status = gBS->LocateProtocol (&gEdkiiVariablePolicyProtocolGuid, 
+ NULL, (VOID **)&VariablePolicy);  if (!EFI_ERROR (Status)) {
+    Status = RegisterBasicVariablePolicy (
+               VariablePolicy,
+               &gUserAuthenticationGuid,
+               USER_AUTHENTICATION_VAR_NAME,
+               VARIABLE_POLICY_NO_MIN_SIZE,
+               VARIABLE_POLICY_NO_MAX_SIZE,
+               VARIABLE_POLICY_NO_MUST_ATTR,
+               VARIABLE_POLICY_NO_CANT_ATTR,
+               VARIABLE_POLICY_TYPE_LOCK_NOW
+               );
+    ASSERT_EFI_ERROR (Status);
+    for (Index = 1; Index <= PASSWORD_HISTORY_CHECK_COUNT; Index++) {
+      UnicodeSPrint (PasswordHistoryName, sizeof (PasswordHistoryName), L"%s%04x", USER_AUTHENTICATION_VAR_NAME, Index);
+      Status = RegisterBasicVariablePolicy (
+                 VariablePolicy,
+                 &gUserAuthenticationGuid,
+                 PasswordHistoryName,
+                 VARIABLE_POLICY_NO_MIN_SIZE,
+                 VARIABLE_POLICY_NO_MAX_SIZE,
+                 VARIABLE_POLICY_NO_MUST_ATTR,
+                 VARIABLE_POLICY_NO_CANT_ATTR,
+                 VARIABLE_POLICY_TYPE_LOCK_NOW
+                 );
+      ASSERT_EFI_ERROR (Status);
+    }
+
+    Status = RegisterBasicVariablePolicy (
+               VariablePolicy,
+               &gUserAuthenticationGuid,
+               USER_AUTHENTICATION_HISTORY_LAST_VAR_NAME,
+               VARIABLE_POLICY_NO_MIN_SIZE,
+               VARIABLE_POLICY_NO_MAX_SIZE,
+               VARIABLE_POLICY_NO_MUST_ATTR,
+               VARIABLE_POLICY_NO_CANT_ATTR,
+               VARIABLE_POLICY_TYPE_LOCK_NOW
+               );
+    ASSERT_EFI_ERROR (Status);
+  }
+
+  return Status;
+}
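
Review bot: Status is overwritten by every RegisterBasicVariablePolicy call and checked only with ASSERT_EFI_ERROR, so in a build where asserts are compiled out a failure to lock L"Password" or one of the history variables is hidden as long as the final PasswordLast registration succeeds. Since PasswordSmmInit now relies on this return value, return on the first error after each registration, e.g. if (EFI_ERROR (Status)) { return Status; }. A DEBUG_ERROR message when LocateProtocol fails would also help, because that path currently returns silently.
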
diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLockDxe.c b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLockDxe.c
new file mode 100644
index 000000000000..7919feacc9e7
--- /dev/null
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthentication
+++ DxeSmm/UserAuthenticationVariableLockDxe.c
@@ -0,0 +1,31 @@
+/** @file
+  This Driver mainly locks password variables.
+
+  Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <PiDxe.h>
+
+#include "UserAuthenticationVariable.h"
+
+/**
+  User Authentication Variable Lock entry point.
+
+  @param[in] ImageHandle  The image handle.
+  @param[in] SystemTable  The system table.
+
+  @retval EFI_SUCCESS    The entry point is executed successfully.
+  @return  other         Contain some other errors.
+
+**/
+EFI_STATUS
+EFIAPI
+UserAuthenticationVariableLockEntry (
+  IN EFI_HANDLE        ImageHandle,
+  IN EFI_SYSTEM_TABLE  *SystemTable
+  )
+{
+  return LockPasswordVariable ();
+}
diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLockDxe.inf b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLockDxe.inf
new file mode 100644
index 000000000000..3959686647f9
--- /dev/null
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthentication
+++ DxeSmm/UserAuthenticationVariableLockDxe.inf
@@ -0,0 +1,42 @@
+## @file
+#  User Authentication Variable Lock Dxe Driver.
+#
+#  This Driver mainly locks the password variable.
+#
+# Copyright (c) 2023, Intel Corporation. All rights reserved.<BR> # 
+SPDX-License-Identifier: BSD-2-Clause-Patent # ##
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = UserAuthenticationVariableLockDxe
+  FILE_GUID                      = 08fc98fb-1cec-45c6-ad02-542096191054
+  MODULE_TYPE                    = DXE_DRIVER
+  VERSION_STRING                 = 1.0
+  ENTRY_POINT                    = UserAuthenticationVariableLockEntry
+
+[Sources]
+  UserAuthenticationVariableLockDxe.c
+  UserAuthenticationVariableLock.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  MdeModulePkg/MdeModulePkg.dec
+  UserAuthFeaturePkg/UserAuthFeaturePkg.dec
+
+[LibraryClasses]
+  UefiBootServicesTableLib
+  UefiDriverEntryPoint
+  DebugLib
+  PrintLib
+  VariablePolicyHelperLib
+
+[Guids]
+  gUserAuthenticationGuid                       ## CONSUMES  ## GUID
+
+[Protocols]
+  gEdkiiVariablePolicyProtocolGuid              ## CONSUMES
+
+[Depex]
+  gEdkiiVariableLockProtocolGuid
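
Review bot: [Depex] names gEdkiiVariableLockProtocolGuid, but the driver consumes gEdkiiVariablePolicyProtocolGuid (see [Protocols] above and the LocateProtocol call in UserAuthenticationVariableLock.c). The dependency expression should be on gEdkiiVariablePolicyProtocolGuid so the driver is not dispatched before the protocol it actually locates is installed.
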
--
2.29.2.windows.2







end of thread, other threads:[~2023-11-30  1:21 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-11-10  5:37 [edk2-devel] [PATCH edk2-platforms 0/1] UserAuthFeaturePkg/UserAuthenticationSmm: Support Standalone MM Xu, Wei6
2023-11-10  5:37 ` [edk2-devel] [PATCH edk2-platforms 1/1] " Xu, Wei6
2023-11-30  1:21   ` Nate DeSimone
