From: "Michael Kubacki"
To: devel@edk2.groups.io
CC: Jian J Wang , Hao A Wu , Liming Gao , Bret Barkelew
Subject: [PATCH v3 10/14] MdeModulePkg: Allow VariablePolicy state to delete protected variables
Date: Thu, 21 May 2020 15:43:27 -0700
In-Reply-To: <20200521224331.15616-1-michael.kubacki@outlook.com>
References: <20200521224331.15616-1-michael.kubacki@outlook.com>
X-Microsoft-Original-Message-ID: <20200521224331.15616-11-michael.kubacki@outlook.com>
X-Mailer: git-send-email 2.16.3.windows.1
Content-Transfer-Encoding: quoted-printable Content-Type: text/plain From: Bret Barkelew https://bugzilla.tianocore.org/show_bug.cgi?id=3D2522 TcgMorLockSmm provides special protections for the TCG MOR variables. This will check IsVariablePolicyEnabled() before enforcing them to allow variable deletion when policy engine is disabled. Only allows deletion, not modification. Cc: Jian J Wang Cc: Hao A Wu Cc: Liming Gao Cc: Bret Barkelew Signed-off-by: Michael Kubacki --- MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c | 10 += +++++++++ MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf | 2 += + 2 files changed, 12 insertions(+) diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c b/M= deModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c index 6d80eb64341a..7a6c19b1fa96 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c @@ -5,6 +5,7 @@ This module adds Variable Hook and check MemoryOverwriteRequestControlLo= ck. =20 Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.
+Copyright (c) Microsoft Corporation.
SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ @@ -17,6 +18,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include #include "Variable.h" =20 +#include + +#include + typedef struct { CHAR16 *VariableName; EFI_GUID *VendorGuid; @@ -341,6 +346,11 @@ SetVariableCheckHandlerMor ( return EFI_SUCCESS; } =20 + // Permit deletion when policy is disabled. + if (!IsVariablePolicyEnabled () && ((Attributes =3D=3D 0) || (DataSize = =3D=3D 0))) { + return EFI_SUCCESS; + } + // // MorLock variable // diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneM= m.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf index 6e17f6cdf588..2db05238e406 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf @@ -20,6 +20,7 @@ # # Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.
# Copyright (c) 2018, Linaro, Ltd. All rights reserved.
+# Copyright (c) Microsoft Corporation.
# SPDX-License-Identifier: BSD-2-Clause-Patent # ## @@ -74,6 +75,7 @@ [LibraryClasses] StandaloneMmDriverEntryPoint SynchronizationLib VarCheckLib + VariablePolicyLib =20 [Protocols] gEfiSmmFirmwareVolumeBlockProtocolGuid ## CONSUMES --=20 2.16.3.windows.1
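Review bot: in the @@ -17,6 +18,10 @@ hunk of TcgMorLockSmm.c the two new #include lines are each set apart by blank lines, while the existing includes directly above them are contiguous; grouping the new includes with that block (no blank line between them, one blank line before the typedef) keeps the header section consistent with the rest of the file.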
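Review bot: the early return added in the @@ -341,6 +346,11 @@ hunk of SetVariableCheckHandlerMor is wider than the "only allows deletion, not modification" intent in the commit message: per the UEFI specification a SetVariable call with DataSize of zero is a deletion only when EFI_VARIABLE_APPEND_WRITE is not set, so the visible condition `(Attributes == 0) || (DataSize == 0)` also lets an append-write with zero length through. Consider tightening it to the actual delete shape, for example `(Attributes == 0) || (((Attributes & EFI_VARIABLE_APPEND_WRITE) == 0) && (DataSize == 0))`. Since this branch makes IsVariablePolicyEnabled() the sole gate on removing the MOR and MorLock variables, a DEBUG print when the bypass is taken and a comment stating when the policy engine is expected to be disabled would make the relaxation auditable.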
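Review bot: the @@ -74,6 +75,7 @@ hunk adds VariablePolicyLib to [LibraryClasses] only in VariableStandaloneMm.inf (the diffstat shows two files changed), yet TcgMorLockSmm.c now calls IsVariablePolicyEnabled(); any other INF that compiles TcgMorLockSmm.c must also resolve VariablePolicyLib or its link will fail. If the remaining variable driver INFs already list that library from an earlier patch in this series, a sentence saying so in the commit message would spare reviewers the cross-check.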