From: "Michael Kubacki"
To: devel@edk2.groups.io
Cc: Jiewen Yao, Jian J Wang, Chao Zhang
Subject: [PATCH v1 7/9] SecurityPkg: Allow VariablePolicy state to delete authenticated variables
Date: Fri, 10 Apr 2020 11:38:00 -0700
In-Reply-To: <20200410183802.21192-1-michael.kubacki@outlook.com>
References: <20200410183802.21192-1-michael.kubacki@outlook.com>
From: Bret Barkelew

https://bugzilla.tianocore.org/show_bug.cgi?id=2522

Causes AuthService to check IsVariablePolicyEnabled() before enforcing write protections to allow variable deletion when policy engine is disabled. Only allows deletion, not modification.

Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Chao Zhang
Signed-off-by: Bret Barkelew
Signed-off-by: Michael Kubacki
---
 SecurityPkg/Library/AuthVariableLib/AuthService.c | 22 ++++++++++++++++----
 SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf | 2 ++
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c index 2f60331f2c04..aca9a5620c28 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c @@ -19,12 +19,16 @@ to verify the signature. Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.
+Copyright (c) Microsoft Corporation. SPDX-License-Identifier: BSD-2-Clause-Patent **/ #include "AuthServiceInternal.h" +#include +#include + // // Public Exponent of RSA Key. // @@ -217,9 +221,12 @@ NeedPhysicallyPresent( IN EFI_GUID *VendorGuid ) { - if ((CompareGuid (VendorGuid, &gEfiSecureBootEnableDisableGuid) && (StrCmp (VariableName, EFI_SECURE_BOOT_ENABLE_NAME) == 0)) - || (CompareGuid (VendorGuid, &gEfiCustomModeEnableGuid) && (StrCmp (VariableName, EFI_CUSTOM_MODE_NAME) == 0))) { - return TRUE; + // If the VariablePolicy engine is disabled, allow deletion of any authenticated variables. + if (IsVariablePolicyEnabled()) { + if ((CompareGuid (VendorGuid, &gEfiSecureBootEnableDisableGuid) && (StrCmp (VariableName, EFI_SECURE_BOOT_ENABLE_NAME) == 0)) + || (CompareGuid (VendorGuid, &gEfiCustomModeEnableGuid) && (StrCmp (VariableName, EFI_CUSTOM_MODE_NAME) == 0))) { + return TRUE; + } } return FALSE; @@ -842,7 +849,8 @@ ProcessVariable ( &OrgVariableInfo ); - if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable (OrgVariableInfo.Attributes, Data, DataSize, Attributes) && UserPhysicalPresent()) { + // If the VariablePolicy engine is disabled, allow deletion of any authenticated variables. + if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable (OrgVariableInfo.Attributes, Data, DataSize, Attributes) && (UserPhysicalPresent() || !IsVariablePolicyEnabled())) { // // Allow the delete operation of common authenticated variable(AT or AW) at user physical presence. // @@ -1960,6 +1968,12 @@ VerifyTimeBasedPayload ( CopyMem (Buffer, PayloadPtr, PayloadSize); + // If the VariablePolicy engine is disabled, allow deletion of any authenticated variables. + if (PayloadSize == 0 && (Attributes & EFI_VARIABLE_APPEND_WRITE) == 0 && !IsVariablePolicyEnabled()) { + VerifyStatus = TRUE; + goto Exit; + } + if (AuthVarType == AuthVarTypePk) { // // Verify that the signature has been made with the current Platform Key (no chaining for PK). 
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf index 8d4ce14df494..8eadeebcebd7 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf @@ -3,6 +3,7 @@ # # Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.
# Copyright (c) 2018, ARM Limited. All rights reserved.
+# Copyright (c) Microsoft Corporation. # # SPDX-License-Identifier: BSD-2-Clause-Patent # @@ -41,6 +42,7 @@ MemoryAllocationLib BaseCryptLib PlatformSecureLib + VariablePolicyLib [Guids] ## CONSUMES ## Variable:L"SetupMode" -- 2.16.3.windows.1
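Review bot: the two added `#include` lines in the @@ -19,12 +19,16 @@ hunk of AuthService.c carry no header name as rendered here, so a reviewer cannot see which header declares IsVariablePolicyEnabled(); please confirm the patch as sent has the full angle-bracket include targets (they are commonly lost in transit) and that one of them is the header providing IsVariablePolicyEnabled().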
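Review bot: the @@ -217,9 +221,12 @@ hunk is broader than both the comment above it and the commit message's "Only allows deletion, not modification." NeedPhysicallyPresent() receives only VariableName and VendorGuid, so it cannot tell a delete from a set; with the policy engine disabled it now returns FALSE for the SecureBootEnable and CustomMode variables on every call, so any protection keyed on it is relaxed for all writes to those two variables, not only deletes. Either confine the bypass to the delete path (the @@ -842 hunk already does that through IsDeleteAuthVariable()) or have the comment and commit message state that these two variables lose their physical-presence requirement entirely while the policy engine is disabled.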
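Review bot: in the @@ -842,7 +849,8 @@ hunk the unchanged comment that follows ("Allow the delete operation of common authenticated variable(AT or AW) at user physical presence.") no longer describes the condition, which now also admits the policy-engine-disabled case; update it to match. The condition line has also grown long enough that putting the `(UserPhysicalPresent() || !IsVariablePolicyEnabled())` clause on its own line would help. Since deletion of AT/AW variables without physical presence now hinges solely on IsVariablePolicyEnabled(), the commit message should state the assumption about when, and by whom, the policy engine can be disabled.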
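Review bot: the early exit added in the @@ -1960,6 +1968,12 @@ hunk sets VerifyStatus = TRUE and jumps to Exit before the AuthVarTypePk branch ("Verify that the signature has been made with the current Platform Key"), so with the policy engine disabled an empty, non-append payload is accepted for PK and, by the same path, for the other time-based authenticated variables without any signature check. That matches the comment's "any authenticated variables", but the commit message should say explicitly that PK is covered and not only ordinary AT/AW variables. The check also belongs before the CopyMem() into Buffer rather than after it, so the bypass path does no work that is then discarded.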
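Review bot: the @@ -41,6 +42,7 @@ hunk adds VariablePolicyLib under [LibraryClasses] but does not touch [Packages]; if the library class's header is declared by a package not already listed there, the .inf will not resolve it. Please confirm [Packages] covers it, and that every DSC that builds AuthVariableLib maps the VariablePolicyLib class (presumably in another patch of this series), since this .inf change alone breaks any build lacking that mapping.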