public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Nate DeSimone" <nathaniel.l.desimone@intel.com>
To: "Xu, Wei6" <wei6.xu@intel.com>,
	"devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: "Bi, Dandan" <dandan.bi@intel.com>,
	"Gao, Liming" <gaoliming@byosoft.com.cn>
Subject: Re: [edk2-devel] [PATCH v2 edk2-platforms 1/1] UserAuthFeaturePkg/UserAuthenticationSmm: Support Standalone MM.
Date: Thu, 30 Nov 2023 23:12:13 +0000	[thread overview]
Message-ID: <PH0PR11MB58327CEE34B5752ADCFB7500CD82A@PH0PR11MB5832.namprd11.prod.outlook.com> (raw)
In-Reply-To: <99ee6f53db1540ae5e47737e1e5b80c5433c3dea.1701355673.git.wei6.xu@intel.com>

Reviewed-by: Nate DeSimone <nathaniel.l.desione@intel.com>

-----Original Message-----
From: Xu, Wei6 <wei6.xu@intel.com> 
Sent: Thursday, November 30, 2023 7:07 AM
To: devel@edk2.groups.io
Cc: Xu, Wei6 <wei6.xu@intel.com>; Bi, Dandan <dandan.bi@intel.com>; Desimone, Nathaniel L <nathaniel.l.desimone@intel.com>; Gao, Liming <gaoliming@byosoft.com.cn>
Subject: [PATCH v2 edk2-platforms 1/1] UserAuthFeaturePkg/UserAuthenticationSmm: Support Standalone MM.

Refactor UserAuthenticationSmm to support Standalone MM.
- Factor out variable lock code logic that references boot services.
- UserAuthenticationStandaloneMmDxe is added to lock the variables.
  It is only used for UserAuthenticationStandaloneMm.
- UserAuthenticationStandaloneMm doesn't lock the variables, needs to
  rely on UserAuthenticationStandaloneMmDxe to do the lock.
- UserAuthenticationSmm still locks the variables by itself, no need
  to include UserAuthenticationStandaloneMmDxe.
- Register gEfiEventExitBootServicesGuid notify which is used by the
  StandaloneMmCore.

Since gEdkiiVariableLockProtocolGuid is a deprecated interface, use gEdkiiVariablePolicyProtocolGuid to lock password variables instead.

Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Nate DeSimone <nathaniel.l.desimone@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Signed-off-by: Wei6 Xu <wei6.xu@intel.com>
---
 .../Include/UserAuthFeature.dsc               |  4 +-
 .../UserAuthenticationSmm.c                   | 40 ++++-----
 .../UserAuthenticationSmm.h                   | 28 ++++---
 .../UserAuthenticationSmm.inf                 | 13 +--
 .../UserAuthenticationStandaloneMm.c          | 43 ++++++++++
 .../UserAuthenticationStandaloneMm.inf        | 58 +++++++++++++
 .../UserAuthenticationStandaloneMmDxe.c       | 31 +++++++
 .../UserAuthenticationStandaloneMmDxe.inf     | 42 ++++++++++
 .../UserAuthenticationTraditionalMm.c         | 28 +++++++
 .../UserAuthenticationVariable.h              | 36 ++++++++
 .../UserAuthenticationVariableLock.c          | 84 +++++++++++++++++++
 11 files changed, 363 insertions(+), 44 deletions(-)  create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMm.c
 create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMm.inf
 create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMmDxe.c
 create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMmDxe.inf
 create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationTraditionalMm.c
 create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariable.h
 create mode 100644 Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLock.c

diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/Include/UserAuthFeature.dsc b/Features/Intel/UserInterface/UserAuthFeaturePkg/Include/UserAuthFeature.dsc
index 2f39a5580caf..1541dc3f80f3 100644
--- a/Features/Intel/UserInterface/UserAuthFeaturePkg/Include/UserAuthFeature.dsc
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/Include/UserAuthFe
+++ ature.dsc
@@ -6,7 +6,7 @@
 # INF files to generate AutoGen.c and AutoGen.h files  # for the build infrastructure.
 #
-# Copyright (c) 2020 - 2021, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2020 - 2023, Intel Corporation. All rights 
+reserved.<BR>
 #
 # SPDX-License-Identifier: BSD-2-Clause-Patent  # @@ -75,3 +75,5 @@
   UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationDxe.inf
   UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthentication2Dxe.inf
   UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.inf
+  
+ UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandalo
+ neMm.inf  
+ UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandalo
+ neMmDxe.inf
diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.c b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.c
index 16e3405a82ef..98f40c1812c1 100644
--- a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.c
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthentication
+++ DxeSmm/UserAuthenticationSmm.c
@@ -1,6 +1,6 @@
 /** @file
 
-  Copyright (c) 2019 - 2021, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2019 - 2023, Intel Corporation. All rights 
+ reserved.<BR>
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -642,7 +642,7 @@ UaExitBootServices (  {
   DEBUG ((DEBUG_INFO, "Unregister User Authentication Smi\n"));
 
-  gSmst->SmiHandlerUnRegister(mSmmHandle);
+  gMmst->MmiHandlerUnRegister(mSmmHandle);
 
   return EFI_SUCCESS;
 }
@@ -657,54 +657,44 @@ UaExitBootServices (
 
 **/
 EFI_STATUS
-EFIAPI
 PasswordSmmInit (
-  IN EFI_HANDLE                         ImageHandle,
-  IN EFI_SYSTEM_TABLE                   *SystemTable
+  VOID
   )
 {
   EFI_STATUS                            Status;
-  EDKII_VARIABLE_LOCK_PROTOCOL          *VariableLock;
-  CHAR16                                PasswordHistoryName[sizeof(USER_AUTHENTICATION_VAR_NAME)/sizeof(CHAR16) + 5];
-  UINTN                                 Index;
   EFI_EVENT                             ExitBootServicesEvent;
   EFI_EVENT                             LegacyBootEvent;
+  EFI_EVENT                             SmmExitBootServicesEvent;
 
   ASSERT (PASSWORD_HASH_SIZE == SHA256_DIGEST_SIZE);
   ASSERT (PASSWORD_HISTORY_CHECK_COUNT < 0xFFFF);
 
-  Status = gSmst->SmmLocateProtocol (&gEfiSmmVariableProtocolGuid, NULL, (VOID**)&mSmmVariable);
+  Status = gMmst->MmLocateProtocol (&gEfiSmmVariableProtocolGuid, NULL, 
+ (VOID**)&mSmmVariable);
   ASSERT_EFI_ERROR (Status);
 
   //
   // Make password variables read-only for DXE driver for security concern.
   //
-  Status = gBS->LocateProtocol (&gEdkiiVariableLockProtocolGuid, NULL, (VOID **) &VariableLock);
-  if (!EFI_ERROR (Status)) {
-    Status = VariableLock->RequestToLock (VariableLock, USER_AUTHENTICATION_VAR_NAME, &gUserAuthenticationGuid);
-    ASSERT_EFI_ERROR (Status);
-
-    for (Index = 1; Index <= PASSWORD_HISTORY_CHECK_COUNT; Index++) {
-      UnicodeSPrint (PasswordHistoryName, sizeof (PasswordHistoryName), L"%s%04x", USER_AUTHENTICATION_VAR_NAME, Index);
-      Status = VariableLock->RequestToLock (VariableLock, PasswordHistoryName, &gUserAuthenticationGuid);
-      ASSERT_EFI_ERROR (Status);
-    }
-    Status = VariableLock->RequestToLock (VariableLock, USER_AUTHENTICATION_HISTORY_LAST_VAR_NAME, &gUserAuthenticationGuid);
-    ASSERT_EFI_ERROR (Status);
+  Status = LockPasswordVariable ();
+  ASSERT_EFI_ERROR (Status);
+  if (EFI_ERROR (Status)) {
+    return Status;
   }
 
-  Status = gSmst->SmiHandlerRegister (SmmPasswordHandler, &gUserAuthenticationGuid, &mSmmHandle);
+  Status = gMmst->MmiHandlerRegister (SmmPasswordHandler, 
+ &gUserAuthenticationGuid, &mSmmHandle);
   ASSERT_EFI_ERROR (Status);
   if (EFI_ERROR (Status)) {
     return Status;
   }
 
   //
-  // Register for SmmExitBootServices and SmmLegacyBoot notification.
+  // Register for SmmExitBootServices, SmmLegacyBoot and EventExitBootServices notification.
   //
-  Status = gSmst->SmmRegisterProtocolNotify (&gEdkiiSmmExitBootServicesProtocolGuid, UaExitBootServices, &ExitBootServicesEvent);
+  Status = gMmst->MmRegisterProtocolNotify 
+ (&gEdkiiSmmExitBootServicesProtocolGuid, UaExitBootServices, 
+ &SmmExitBootServicesEvent);  ASSERT_EFI_ERROR (Status);  Status = 
+ gMmst->MmRegisterProtocolNotify (&gEdkiiSmmLegacyBootProtocolGuid, 
+ UaExitBootServices, &LegacyBootEvent);
   ASSERT_EFI_ERROR (Status);
-  Status = gSmst->SmmRegisterProtocolNotify (&gEdkiiSmmLegacyBootProtocolGuid, UaExitBootServices, &LegacyBootEvent);
+  Status = gMmst->MmRegisterProtocolNotify 
+ (&gEfiEventExitBootServicesGuid, UaExitBootServices, 
+ &ExitBootServicesEvent);
   ASSERT_EFI_ERROR (Status);
 
   if (IsPasswordCleared()) {
diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.h b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.h
index 47bb95529fa7..84d06f9422ee 100644
--- a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.h
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthentication
+++ DxeSmm/UserAuthenticationSmm.h
@@ -1,7 +1,7 @@
 /** @file
   Header file for UserAuthenticationSmm.
 
-  Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+  Copyright (c) 2019 - 2023, Intel Corporation. All rights 
+ reserved.<BR>
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -9,7 +9,7 @@
 #ifndef __USER_AUTHENTICATION_SMM_H__
 #define __USER_AUTHENTICATION_SMM_H__
 
-#include <PiSmm.h>
+#include <PiMm.h>
 
 #include <Protocol/SmmVariable.h>
 #include <Protocol/VariableLock.h>
@@ -21,26 +21,17 @@
 #include <Library/BaseMemoryLib.h>
 #include <Library/PrintLib.h>
 #include <Library/UefiBootServicesTableLib.h>
-#include <Library/SmmServicesTableLib.h>
+#include <Library/MmServicesTableLib.h>
 #include <Library/MemoryAllocationLib.h> -#include <Library/SmmServicesTableLib.h>  #include <Library/BaseCryptLib.h>  #include <Library/PlatformPasswordLib.h>
 
 #include "KeyService.h"
+#include "UserAuthenticationVariable.h"
 
 #define PASSWORD_SALT_SIZE   32
 #define PASSWORD_HASH_SIZE   32 // SHA256_DIGEST_SIZE
 
-#define PASSWORD_MAX_TRY_COUNT  3
-#define PASSWORD_HISTORY_CHECK_COUNT  5
-
-//
-// Name of the variable
-//
-#define USER_AUTHENTICATION_VAR_NAME L"Password"
-#define USER_AUTHENTICATION_HISTORY_LAST_VAR_NAME L"PasswordLast"
-
 //
 // Variable storage
 //
@@ -49,4 +40,15 @@ typedef struct {
   UINT8        PasswordSalt[PASSWORD_SALT_SIZE];
 } USER_PASSWORD_VAR_STRUCT;
 
+/**
+  Password Smm Init.
+
+  @retval EFI_SUCESS  This function always complete successfully.
+
+**/
+EFI_STATUS
+PasswordSmmInit (
+  VOID
+  );
+
 #endif
diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.inf b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.inf
index b53f70f0e319..ad5a05bac8e6 100644
--- a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationSmm.inf
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthentication
+++ DxeSmm/UserAuthenticationSmm.inf
@@ -3,7 +3,7 @@
 #
 #  This driver provides SMM services for DXE user authentication module.
 #
-# Copyright (c) 2019 - 2021, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2019 - 2023, Intel Corporation. All rights 
+reserved.<BR>
 # SPDX-License-Identifier: BSD-2-Clause-Patent  #  ## @@ -15,13 +15,15 @@
   MODULE_TYPE                    = DXE_SMM_DRIVER
   VERSION_STRING                 = 1.0
   PI_SPECIFICATION_VERSION       = 0x0001000A
-  ENTRY_POINT                    = PasswordSmmInit
+  ENTRY_POINT                    = UserAuthenticationMmEntry
 
 [Sources]
   UserAuthenticationSmm.c
+  UserAuthenticationTraditionalMm.c
   UserAuthenticationSmm.h
   KeyService.c
   KeyService.h
+  UserAuthenticationVariableLock.c
 
 [Packages]
   MdePkg/MdePkg.dec
@@ -36,17 +38,18 @@
   BaseLib
   BaseMemoryLib
   PrintLib
-  SmmServicesTableLib
+  MmServicesTableLib
   MemoryAllocationLib
-  UefiLib
   BaseCryptLib
   PlatformPasswordLib
+  VariablePolicyHelperLib
 
 [Guids]
   gUserAuthenticationGuid                       ## CONSUMES  ## GUID
+  gEfiEventExitBootServicesGuid                 ## CONSUMES  ## Event
 
 [Protocols]
-  gEdkiiVariableLockProtocolGuid                ## CONSUMES
+  gEdkiiVariablePolicyProtocolGuid              ## CONSUMES
   gEfiSmmVariableProtocolGuid                   ## CONSUMES
   gEdkiiSmmExitBootServicesProtocolGuid         ## CONSUMES
   gEdkiiSmmLegacyBootProtocolGuid               ## CONSUMES
diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMm.c b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMm.c
new file mode 100644
index 000000000000..c5fc220a7c12
--- /dev/null
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthentication
+++ DxeSmm/UserAuthenticationStandaloneMm.c
@@ -0,0 +1,43 @@
+/** @file
+  Entry point of UserAuthenticationStandaloneMm.
+
+  Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "UserAuthenticationSmm.h"
+
+/**
+  NULL implement for Lock password variables.
+  Relies on UserAuthenticationStandaloneMmDxe to lock the password variables.
+
+  @retval EFI_SUCCESS  Always return success.
+
+**/
+EFI_STATUS
+LockPasswordVariable (
+  VOID
+  )
+{
+  return EFI_SUCCESS;
+}
+
+/**
+  Main entry for this driver.
+
+  @param ImageHandle     Image handle this driver.
+  @param SystemTable     Pointer to SystemTable.
+
+  @retval EFI_SUCESS     This function always complete successfully.
+
+**/
+EFI_STATUS
+EFIAPI
+UserAuthenticationMmEntry (
+  IN EFI_HANDLE           ImageHandle,
+  IN EFI_MM_SYSTEM_TABLE  *SystemTable
+  )
+{
+  return PasswordSmmInit ();
+}
diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMm.inf b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMm.inf
new file mode 100644
index 000000000000..ebf92bc7acf2
--- /dev/null
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthentication
+++ DxeSmm/UserAuthenticationStandaloneMm.inf
@@ -0,0 +1,58 @@
+## @file
+#  User Authentication Standalone Mm Driver.
+#
+#  This driver provides SMM services for DXE user authentication module.
+#  This Standalone Mm driver lacks of the ability to lock the password 
+#  variables. Need to rely on UserAuthenticationStandaloneMmDxe to lock 
+#  the variables.
+#
+# Copyright (c) 2023, Intel Corporation. All rights reserved.<BR> # 
+SPDX-License-Identifier: BSD-2-Clause-Patent # ##
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = UserAuthenticationStandaloneMm
+  FILE_GUID                      = 80130611-a67a-4631-becb-87ce22d6f165
+  MODULE_TYPE                    = MM_STANDALONE
+  VERSION_STRING                 = 1.0
+  PI_SPECIFICATION_VERSION       = 0x00010032
+  ENTRY_POINT                    = UserAuthenticationMmEntry
+
+[Sources]
+  UserAuthenticationSmm.c
+  UserAuthenticationStandaloneMm.c
+  UserAuthenticationSmm.h
+  KeyService.c
+  KeyService.h
+
+[Packages]
+  MdePkg/MdePkg.dec
+  MdeModulePkg/MdeModulePkg.dec
+  CryptoPkg/CryptoPkg.dec
+  UserAuthFeaturePkg/UserAuthFeaturePkg.dec
+
+[LibraryClasses]
+  StandaloneMmDriverEntryPoint
+  DebugLib
+  BaseLib
+  BaseMemoryLib
+  PrintLib
+  MmServicesTableLib
+  MemoryAllocationLib
+  BaseCryptLib
+  PlatformPasswordLib
+
+[Guids]
+  gUserAuthenticationGuid                       ## CONSUMES  ## GUID
+  gEfiEventExitBootServicesGuid                 ## CONSUMES  ## Event
+
+[Protocols]
+  gEdkiiVariableLockProtocolGuid                ## CONSUMES
+  gEfiSmmVariableProtocolGuid                   ## CONSUMES
+  gEdkiiSmmExitBootServicesProtocolGuid         ## CONSUMES
+  gEdkiiSmmLegacyBootProtocolGuid               ## CONSUMES
+
+[Depex]
+  gEfiSmmVariableProtocolGuid
diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMmDxe.c b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMmDxe.c
new file mode 100644
index 000000000000..c2abc9e28bb3
--- /dev/null
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthentication
+++ DxeSmm/UserAuthenticationStandaloneMmDxe.c
@@ -0,0 +1,31 @@
+/** @file
+  This Driver mainly locks password variables.
+
+  Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <PiDxe.h>
+
+#include "UserAuthenticationVariable.h"
+
+/**
+  User Authentication Standalone Mm Dxe driver entry point.
+
+  @param[in] ImageHandle  The image handle.
+  @param[in] SystemTable  The system table.
+
+  @retval EFI_SUCCESS    The entry point is executed successfully.
+  @return  other         Contain some other errors.
+
+**/
+EFI_STATUS
+EFIAPI
+UserAuthenticationStandaloneMmDxeEntry (
+  IN EFI_HANDLE        ImageHandle,
+  IN EFI_SYSTEM_TABLE  *SystemTable
+  )
+{
+  return LockPasswordVariable ();
+}
diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMmDxe.inf b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationStandaloneMmDxe.inf
new file mode 100644
index 000000000000..beb28b461295
--- /dev/null
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthentication
+++ DxeSmm/UserAuthenticationStandaloneMmDxe.inf
@@ -0,0 +1,42 @@
+## @file
+#  User Authentication Standalone MM Dxe Driver.
+#
+#  This Driver mainly locks the password variable.
+#
+# Copyright (c) 2023, Intel Corporation. All rights reserved.<BR> # 
+SPDX-License-Identifier: BSD-2-Clause-Patent # ##
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = UserAuthenticationStandaloneMmDxe
+  FILE_GUID                      = 08fc98fb-1cec-45c6-ad02-542096191054
+  MODULE_TYPE                    = DXE_DRIVER
+  VERSION_STRING                 = 1.0
+  ENTRY_POINT                    = UserAuthenticationStandaloneMmDxeEntry
+
+[Sources]
+  UserAuthenticationStandaloneMmDxe.c
+  UserAuthenticationVariableLock.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  MdeModulePkg/MdeModulePkg.dec
+  UserAuthFeaturePkg/UserAuthFeaturePkg.dec
+
+[LibraryClasses]
+  UefiBootServicesTableLib
+  UefiDriverEntryPoint
+  DebugLib
+  PrintLib
+  VariablePolicyHelperLib
+
+[Guids]
+  gUserAuthenticationGuid                       ## CONSUMES  ## GUID
+
+[Protocols]
+  gEdkiiVariablePolicyProtocolGuid              ## CONSUMES
+
+[Depex]
+  gEdkiiVariableLockProtocolGuid
diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationTraditionalMm.c b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationTraditionalMm.c
new file mode 100644
index 000000000000..1514d78f1946
--- /dev/null
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthentication
+++ DxeSmm/UserAuthenticationTraditionalMm.c
@@ -0,0 +1,28 @@
+/** @file
+  Entry point of UserAuthenticationSmm.
+
+  Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include "UserAuthenticationSmm.h"
+
+/**
+  Main entry for this driver.
+
+  @param[in] ImageHandle  Image handle this driver.
+  @param[in] SystemTable  Pointer to SystemTable.
+
+  @retval EFI_SUCESS  This function always complete successfully.
+
+**/
+EFI_STATUS
+EFIAPI
+UserAuthenticationMmEntry (
+  IN EFI_HANDLE        ImageHandle,
+  IN EFI_SYSTEM_TABLE  *SystemTable
+  )
+{
+  return PasswordSmmInit ();
+}
diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariable.h b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariable.h
new file mode 100644
index 000000000000..3b249e06d848
--- /dev/null
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthentication
+++ DxeSmm/UserAuthenticationVariable.h
@@ -0,0 +1,36 @@
+/** @file
+  Header file for definition of User Authentication Variable.
+
+  Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef USER_AUTHENTICATION_VARIABLE_H_ #define 
+USER_AUTHENTICATION_VARIABLE_H_
+
+#define PASSWORD_MAX_TRY_COUNT        3
+#define PASSWORD_HISTORY_CHECK_COUNT  5
+
+//
+// Name of the variable
+//
+#define USER_AUTHENTICATION_VAR_NAME               L"Password"
+#define USER_AUTHENTICATION_HISTORY_LAST_VAR_NAME  L"PasswordLast"
+
+/**
+  Lock password variables for security concern.
+
+  @retval EFI_SUCCESS           Succeed to lock variable.
+  @retval EFI_NOT_FOUND         Variable Lock protocol is not found.
+  @retval EFI_ACCESS_DENIED     EFI_END_OF_DXE_EVENT_GROUP_GUID or EFI_EVENT_GROUP_READY_TO_BOOT has
+                                already been signaled.
+  @retval EFI_OUT_OF_RESOURCES  There is not enough resource to hold the lock request.
+
+**/
+EFI_STATUS
+LockPasswordVariable (
+  VOID
+  );
+
+#endif
diff --git a/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLock.c b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLock.c
new file mode 100644
index 000000000000..dd43991fe711
--- /dev/null
+++ b/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthentication
+++ DxeSmm/UserAuthenticationVariableLock.c
@@ -0,0 +1,84 @@
+/** @file
+  Source code to lock password variables.
+
+  Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <PiDxe.h>
+
+#include <Protocol/VariablePolicy.h>
+
+#include <Library/PrintLib.h>
+#include <Library/DebugLib.h>
+#include <Library/VariablePolicyHelperLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+
+#include <Guid/UserAuthentication.h>
+
+#include "UserAuthenticationVariable.h"
+
+/**
+  Lock password variables for security concern.
+
+  @retval EFI_SUCCESS           Succeed to lock variable.
+  @retval EFI_NOT_FOUND         Variable Lock protocol is not found.
+  @retval EFI_ACCESS_DENIED     EFI_END_OF_DXE_EVENT_GROUP_GUID or EFI_EVENT_GROUP_READY_TO_BOOT has
+                                already been signaled.
+  @retval EFI_OUT_OF_RESOURCES  There is not enough resource to hold the lock request.
+
+**/
+EFI_STATUS
+LockPasswordVariable (
+  VOID
+  )
+{
+  EFI_STATUS                      Status;
+  CHAR16                          PasswordHistoryName[sizeof (USER_AUTHENTICATION_VAR_NAME)/sizeof (CHAR16) + 5];
+  UINTN                           Index;
+  EDKII_VARIABLE_POLICY_PROTOCOL  *VariablePolicy;
+
+  Status = gBS->LocateProtocol (&gEdkiiVariablePolicyProtocolGuid, 
+ NULL, (VOID **)&VariablePolicy);  if (!EFI_ERROR (Status)) {
+    Status = RegisterBasicVariablePolicy (
+               VariablePolicy,
+               &gUserAuthenticationGuid,
+               USER_AUTHENTICATION_VAR_NAME,
+               VARIABLE_POLICY_NO_MIN_SIZE,
+               VARIABLE_POLICY_NO_MAX_SIZE,
+               VARIABLE_POLICY_NO_MUST_ATTR,
+               VARIABLE_POLICY_NO_CANT_ATTR,
+               VARIABLE_POLICY_TYPE_LOCK_NOW
+               );
+    ASSERT_EFI_ERROR (Status);
+    for (Index = 1; Index <= PASSWORD_HISTORY_CHECK_COUNT; Index++) {
+      UnicodeSPrint (PasswordHistoryName, sizeof (PasswordHistoryName), L"%s%04x", USER_AUTHENTICATION_VAR_NAME, Index);
+      Status = RegisterBasicVariablePolicy (
+                 VariablePolicy,
+                 &gUserAuthenticationGuid,
+                 PasswordHistoryName,
+                 VARIABLE_POLICY_NO_MIN_SIZE,
+                 VARIABLE_POLICY_NO_MAX_SIZE,
+                 VARIABLE_POLICY_NO_MUST_ATTR,
+                 VARIABLE_POLICY_NO_CANT_ATTR,
+                 VARIABLE_POLICY_TYPE_LOCK_NOW
+                 );
+      ASSERT_EFI_ERROR (Status);
+    }
+
+    Status = RegisterBasicVariablePolicy (
+               VariablePolicy,
+               &gUserAuthenticationGuid,
+               USER_AUTHENTICATION_HISTORY_LAST_VAR_NAME,
+               VARIABLE_POLICY_NO_MIN_SIZE,
+               VARIABLE_POLICY_NO_MAX_SIZE,
+               VARIABLE_POLICY_NO_MUST_ATTR,
+               VARIABLE_POLICY_NO_CANT_ATTR,
+               VARIABLE_POLICY_TYPE_LOCK_NOW
+               );
+    ASSERT_EFI_ERROR (Status);
+  }
+
+  return Status;
+}
--
2.29.2.windows.2



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#111919): https://edk2.groups.io/g/devel/message/111919
Mute This Topic: https://groups.io/mt/102895177/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



  reply	other threads:[~2023-11-30 23:12 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-11-30 15:07 [edk2-devel] [PATCH v2 edk2-platforms 0/1] UserAuthFeaturePkg/UserAuthenticationSmm: Support Standalone MM Xu, Wei6
2023-11-30 15:07 ` [edk2-devel] [PATCH v2 edk2-platforms 1/1] " Xu, Wei6
2023-11-30 23:12   ` Nate DeSimone [this message]
2023-11-30 23:14   ` Nate DeSimone

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=PH0PR11MB58327CEE34B5752ADCFB7500CD82A@PH0PR11MB5832.namprd11.prod.outlook.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox