[PATCH v1 7/9] SecurityPkg: Allow VariablePolicy state to delete authenticated variables

public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed

From: "Michael Kubacki" <michael.kubacki@outlook.com>
To: devel@edk2.groups.io
Cc: Jiewen Yao <jiewen.yao@intel.com>,
	Jian J Wang <jian.j.wang@intel.com>,
	Chao Zhang <chao.b.zhang@intel.com>
Subject: [PATCH v1 7/9] SecurityPkg: Allow VariablePolicy state to delete authenticated variables
Date: Fri, 10 Apr 2020 11:38:00 -0700	[thread overview]
Message-ID: <MWHPR07MB3440C9F5A1E077269F494B52E9DE0@MWHPR07MB3440.namprd07.prod.outlook.com> (raw)
In-Reply-To: <20200410183802.21192-1-michael.kubacki@outlook.com>

From: Bret Barkelew <brbarkel@microsoft.com>

https://bugzilla.tianocore.org/show_bug.cgi?id=2522

Causes AuthService to check
IsVariablePolicyEnabled() before enforcing
write protections to allow variable deletion
when policy engine is disabled.

Only allows deletion, not modification.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Signed-off-by: Bret Barkelew <brbarkel@microsoft.com>
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
---
 SecurityPkg/Library/AuthVariableLib/AuthService.c       | 22 ++++++++++++++++----
 SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf |  2 ++
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c
index 2f60331f2c04..aca9a5620c28 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@@ -19,12 +19,16 @@
   to verify the signature.
 
 Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
+Copyright (c) Microsoft Corporation.
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
 
 #include "AuthServiceInternal.h"
 
+#include <Protocol/VariablePolicy.h>
+#include <Library/VariablePolicyLib.h>
+
 //
 // Public Exponent of RSA Key.
 //
@@ -217,9 +221,12 @@ NeedPhysicallyPresent(
   IN     EFI_GUID       *VendorGuid
   )
 {
-  if ((CompareGuid (VendorGuid, &gEfiSecureBootEnableDisableGuid) && (StrCmp (VariableName, EFI_SECURE_BOOT_ENABLE_NAME) == 0))
-    || (CompareGuid (VendorGuid, &gEfiCustomModeEnableGuid) && (StrCmp (VariableName, EFI_CUSTOM_MODE_NAME) == 0))) {
-    return TRUE;
+  // If the VariablePolicy engine is disabled, allow deletion of any authenticated variables.
+  if (IsVariablePolicyEnabled()) {
+    if ((CompareGuid (VendorGuid, &gEfiSecureBootEnableDisableGuid) && (StrCmp (VariableName, EFI_SECURE_BOOT_ENABLE_NAME) == 0))
+      || (CompareGuid (VendorGuid, &gEfiCustomModeEnableGuid) && (StrCmp (VariableName, EFI_CUSTOM_MODE_NAME) == 0))) {
+      return TRUE;
+    }
   }
 
   return FALSE;
@@ -842,7 +849,8 @@ ProcessVariable (
              &OrgVariableInfo
              );
 
-  if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable (OrgVariableInfo.Attributes, Data, DataSize, Attributes) && UserPhysicalPresent()) {
+  // If the VariablePolicy engine is disabled, allow deletion of any authenticated variables.
+  if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable (OrgVariableInfo.Attributes, Data, DataSize, Attributes) && (UserPhysicalPresent() || !IsVariablePolicyEnabled())) {
     //
     // Allow the delete operation of common authenticated variable(AT or AW) at user physical presence.
     //
@@ -1960,6 +1968,12 @@ VerifyTimeBasedPayload (
 
   CopyMem (Buffer, PayloadPtr, PayloadSize);
 
+  // If the VariablePolicy engine is disabled, allow deletion of any authenticated variables.
+  if (PayloadSize == 0 && (Attributes & EFI_VARIABLE_APPEND_WRITE) == 0 && !IsVariablePolicyEnabled()) {
+    VerifyStatus = TRUE;
+    goto Exit;
+  }
+
   if (AuthVarType == AuthVarTypePk) {
     //
     // Verify that the signature has been made with the current Platform Key (no chaining for PK).
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
index 8d4ce14df494..8eadeebcebd7 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
@@ -3,6 +3,7 @@
 #
 #  Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>
 #  Copyright (c) 2018, ARM Limited. All rights reserved.<BR>
+#  Copyright (c) Microsoft Corporation.
 #
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
 #
@@ -41,6 +42,7 @@
   MemoryAllocationLib
   BaseCryptLib
   PlatformSecureLib
+  VariablePolicyLib
 
 [Guids]
   ## CONSUMES            ## Variable:L"SetupMode"
-- 
2.16.3.windows.1

next prev parent reply	other threads:[~2020-04-10 18:38 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20200410183802.21192-1-michael.kubacki@outlook.com>
2020-04-10 18:37 ` [PATCH v1 2/9] MdeModulePkg: Define the VariablePolicyLib Michael Kubacki
2020-04-22  9:14   ` [edk2-devel] " Guomin Jiang
2020-04-10 18:37 ` [PATCH v1 3/9] MdeModulePkg: Define the VariablePolicyHelperLib Michael Kubacki
2020-04-26  2:03   ` [edk2-devel] " Guomin Jiang
2020-04-10 18:37 ` [PATCH v1 4/9] MdeModulePkg: Define the VarCheckPolicyLib and SMM interface Michael Kubacki
2020-04-10 18:37 ` [PATCH v1 5/9] MdeModulePkg: Connect VariablePolicy business logic to VariableServices Michael Kubacki
2020-04-10 18:37 ` [PATCH v1 6/9] MdeModulePkg: Allow VariablePolicy state to delete protected variables Michael Kubacki
2020-04-10 18:38 ` Michael Kubacki [this message]
2020-04-10 18:38 ` [PATCH v1 8/9] MdeModulePkg: Change TCG MOR variables to use VariablePolicy Michael Kubacki
2020-04-10 18:38 ` [PATCH v1 9/9] MdeModulePkg: Drop VarLock from RuntimeDxe variable driver Michael Kubacki

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:2f60331f2c0 dfblob:aca9a5620c2 dfblob:8d4ce14df49
dfblob:8eadeebcebd )
 OR (
bs:"[PATCH v1 7/9] SecurityPkg: Allow VariablePolicy state to delete authenticated variables" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=MWHPR07MB3440C9F5A1E077269F494B52E9DE0@MWHPR07MB3440.namprd07.prod.outlook.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox