From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Michael Kubacki" <michael.kubacki@outlook.com>
To: devel@edk2.groups.io
Cc: Jian J Wang, Hao A Wu, Liming Gao
Subject: [PATCH v1 6/9] MdeModulePkg: Allow VariablePolicy state to delete protected variables
Date: Fri, 10 Apr 2020 11:37:59 -0700
Message-ID:
X-Microsoft-Original-Message-ID: <20200410183802.21192-6-michael.kubacki@outlook.com>
In-Reply-To: <20200410183802.21192-1-michael.kubacki@outlook.com>
References: <20200410183802.21192-1-michael.kubacki@outlook.com>
X-Mailer: git-send-email 2.16.3.windows.1
MIME-Version: 1.0
Content-Type: text/plain

From: Bret Barkelew

https://bugzilla.tianocore.org/show_bug.cgi?id=2522

TcgMorLockSmm provides special protections for the TCG MOR variables. This will check IsVariablePolicyEnabled() before enforcing them to allow variable deletion when the policy engine is disabled.

Only allows deletion, not modification.

Cc: Jian J Wang
Cc: Hao A Wu
Cc: Liming Gao
Signed-off-by: Bret Barkelew
Signed-off-by: Michael Kubacki
---
 MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c          | 10 ++++++++++
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf |  2 ++
 2 files changed, 12 insertions(+)

diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c index 6d80eb64341a..085f82035f4b 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c @@ -5,6 +5,7 @@ This module adds Variable Hook and check MemoryOverwriteRequestControlLock. Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
+Copyright (c) Microsoft Corporation. SPDX-License-Identifier: BSD-2-Clause-Patent **/ @@ -17,6 +18,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include #include "Variable.h" +#include + +#include + typedef struct { CHAR16 *VariableName; EFI_GUID *VendorGuid; @@ -341,6 +346,11 @@ SetVariableCheckHandlerMor ( return EFI_SUCCESS; } + // Permit deletion when policy is disabled. + if (!IsVariablePolicyEnabled() && ((Attributes == 0) || (DataSize == 0))) { + return EFI_SUCCESS; + } + // // MorLock variable // diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf index 6e17f6cdf588..d8f480be27cc 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf @@ -20,6 +20,7 @@ # # Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.
# Copyright (c) 2018, Linaro, Ltd. All rights reserved.
+# Copyright (c) Microsoft Corporation. # SPDX-License-Identifier: BSD-2-Clause-Patent # ## @@ -74,6 +75,7 @@ StandaloneMmDriverEntryPoint SynchronizationLib VarCheckLib + VariablePolicyLib [Protocols] gEfiSmmFirmwareVolumeBlockProtocolGuid ## CONSUMES -- 2.16.3.windows.1
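Review bot: In the SetVariableCheckHandlerMor hunk, the new early return `if (!IsVariablePolicyEnabled() && ((Attributes == 0) || (DataSize == 0)))` treats every DataSize == 0 request as a deletion, but under UEFI SetVariable semantics a zero DataSize with EFI_VARIABLE_APPEND_WRITE set is not a delete, so the bypass can be slightly wider than the commit message's "Only allows deletion, not modification" claim; consider reusing the same delete test the variable driver applies elsewhere, or excluding the APPEND_WRITE case explicitly. The added single-line `// Permit deletion when policy is disabled.` also departs from the block-comment style visible directly below it (`//` / `// MorLock variable` / `//`), and should state why deleting the lock variable this module exists to check (MemoryOverwriteRequestControlLock, per the file header) is acceptable once policy enforcement is off, since that is the security-relevant decision the hunk makes.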
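Review bot: In the VariableStandaloneMm.inf [LibraryClasses] hunk, VariablePolicyLib is added to this INF only, yet the call to IsVariablePolicyEnabled() lands in TcgMorLockSmm.c, a source file under RuntimeDxe that is not specific to the standalone MM build; any other INF in that directory that compiles TcgMorLockSmm.c will fail to link without the same VariablePolicyLib entry, so either add it in this patch (the diffstat shows only these two files) or say in the commit message which patch of the series covers it.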