2 The sample implementation for SMM variable protocol. And this driver
3 implements an SMI handler to communicate with the DXE runtime driver
4 to provide variable services.
6 Caution: This module requires additional review when modified.
7 This driver receives external input in SMM mode: the variable data and the communicate buffer.
8 This external input must be validated carefully to avoid security issues such as
9 buffer overflow and integer overflow.
11 SmmVariableHandler() will receive untrusted input and do basic validation.
13 Each sub function VariableServiceGetVariable(), VariableServiceGetNextVariableName(),
14 VariableServiceSetVariable(), VariableServiceQueryVariableInfo(), ReclaimForOS(),
15 SmmVariableGetStatistics() should also do validation based on its own knowledge.
17 Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.<BR>
18 Copyright (c) 2018, Linaro, Ltd. All rights reserved.<BR>
19 SPDX-License-Identifier: BSD-2-Clause-Patent
23 #include <Protocol/SmmVariable.h>
24 #include <Protocol/SmmFirmwareVolumeBlock.h>
25 #include <Protocol/SmmFaultTolerantWrite.h>
26 #include <Protocol/MmEndOfDxe.h>
27 #include <Protocol/SmmVarCheck.h>
29 #include <Library/MmServicesTableLib.h>
30 #include <Library/VariablePolicyLib.h>
32 #include <Guid/SmmVariableCommon.h>
34 #include "VariableParsing.h"
35 #include "VariableRuntimeCache.h"
37 extern VARIABLE_STORE_HEADER
*mNvVariableCache
;
39 BOOLEAN mAtRuntime
= FALSE
;
40 UINT8
*mVariableBufferPayload
= NULL
;
41 UINTN mVariableBufferPayloadSize
;
44 SecureBoot Hook for SetVariable.
46 @param[in] VariableName Name of Variable to be found.
47 @param[in] VendorGuid Variable vendor GUID.
53 IN CHAR16
*VariableName
,
54 IN EFI_GUID
*VendorGuid
62 This code sets variable in storage blocks (Volatile or Non-Volatile).
64 @param VariableName Name of Variable to be found.
65 @param VendorGuid Variable vendor GUID.
66 @param Attributes Attribute value of the variable found
67 @param DataSize Size of Data found. If size is less than the
68 data, this value contains the required size.
69 @param Data Data pointer.
71 @return EFI_INVALID_PARAMETER Invalid parameter.
72 @return EFI_SUCCESS Set successfully.
73 @return EFI_OUT_OF_RESOURCES Resource not enough to set variable.
74 @return EFI_NOT_FOUND Not found.
75 @return EFI_WRITE_PROTECTED Variable is read-only.
// SetVariable entry that is installed in gSmmVariable (the EFI_SMM_VARIABLE_PROTOCOL
// instance); it forwards the request to VariableServiceSetVariable().
80 SmmVariableSetVariable (
81 IN CHAR16
*VariableName
,
82 IN EFI_GUID
*VendorGuid
,
91 // Disable write protection when SetVariable() is called through EFI_SMM_VARIABLE_PROTOCOL.
// mRequestSource is module-level state: the request is marked as trusted only
// for the duration of the forwarded call below.
93 mRequestSource
= VarCheckFromTrusted
;
94 Status
= VariableServiceSetVariable (
// Restore the untrusted default as soon as the call returns, so that a later
// request is not evaluated with the trusted marking left in place.
// NOTE(review): any locking around this toggle is not visible here - confirm.
101 mRequestSource
= VarCheckFromUntrusted
;
105 EFI_SMM_VARIABLE_PROTOCOL gSmmVariable
= {
106 VariableServiceGetVariable
,
107 VariableServiceGetNextVariableName
,
108 SmmVariableSetVariable
,
109 VariableServiceQueryVariableInfo
112 EDKII_SMM_VAR_CHECK_PROTOCOL mSmmVarCheck
= {
113 VarCheckRegisterSetVariableCheckHandler
,
114 VarCheckVariablePropertySet
,
115 VarCheckVariablePropertyGet
119 Return TRUE if ExitBootServices () has been called.
121 @retval TRUE If ExitBootServices () has been called.
132 Initializes a basic mutual exclusion lock.
134 This function initializes a basic mutual exclusion lock to the released state
135 and returns the lock. Each lock provides mutual exclusion access at its task
136 priority level. Since there is no preemption or multiprocessor support in EFI,
137 acquiring the lock only consists of raising to the locks TPL.
138 If Lock is NULL, then ASSERT().
139 If Priority is not a valid TPL value, then ASSERT().
141 @param Lock A pointer to the lock data structure to initialize.
142 @param Priority EFI TPL is associated with the lock.
149 IN OUT EFI_LOCK
*Lock
,
157 Acquires lock only at boot time. Simply returns at runtime.
159 This is a temporary function that will be removed when
160 EfiAcquireLock() in UefiLib can handle the call in UEFI
161 Runtime driver in RT phase.
162 It calls EfiAcquireLock() at boot time, and simply returns
165 @param Lock A pointer to the lock to acquire.
169 AcquireLockOnlyAtBootTime (
176 Releases lock only at boot time. Simply returns at runtime.
178 This is a temporary function which will be removed when
179 EfiReleaseLock() in UefiLib can handle the call in UEFI
180 Runtime driver in RT phase.
181 It calls EfiReleaseLock() at boot time and simply returns
184 @param Lock A pointer to the lock to release.
188 ReleaseLockOnlyAtBootTime (
195 Retrieve the SMM Fault Tolerant Write protocol interface.
197 @param[out] FtwProtocol The interface of SMM Ftw protocol
199 @retval EFI_SUCCESS The SMM FTW protocol instance was found and returned in FtwProtocol.
200 @retval EFI_NOT_FOUND The SMM FTW protocol instance was not found.
201 @retval EFI_INVALID_PARAMETER FtwProtocol is NULL.
206 OUT VOID
**FtwProtocol
212 // Locate Smm Fault Tolerant Write protocol
214 Status
= gMmst
->MmLocateProtocol (
215 &gEfiSmmFaultTolerantWriteProtocolGuid
,
223 Retrieve the SMM FVB protocol interface by HANDLE.
225 @param[in] FvBlockHandle The handle of SMM FVB protocol that provides services for
226 reading, writing, and erasing the target block.
227 @param[out] FvBlock The interface of SMM FVB protocol
229 @retval EFI_SUCCESS The interface information for the specified protocol was returned.
230 @retval EFI_UNSUPPORTED The device does not support the SMM FVB protocol.
231 @retval EFI_INVALID_PARAMETER FvBlockHandle is not a valid EFI_HANDLE or FvBlock is NULL.
236 IN EFI_HANDLE FvBlockHandle
,
237 OUT EFI_FIRMWARE_VOLUME_BLOCK_PROTOCOL
**FvBlock
241 // To get the SMM FVB protocol interface on the handle
243 return gMmst
->MmHandleProtocol (
245 &gEfiSmmFirmwareVolumeBlockProtocolGuid
,
251 Function returns an array of handles that support the SMM FVB protocol
252 in a buffer allocated from pool.
254 @param[out] NumberHandles The number of handles returned in Buffer.
255 @param[out] Buffer A pointer to the buffer to return the requested
256 array of handles that support SMM FVB protocol.
258 @retval EFI_SUCCESS The array of handles was returned in Buffer, and the number of
259 handles in Buffer was returned in NumberHandles.
260 @retval EFI_NOT_FOUND No SMM FVB handle was found.
261 @retval EFI_OUT_OF_RESOURCES There is not enough pool memory to store the matching results.
262 @retval EFI_INVALID_PARAMETER NumberHandles is NULL or Buffer is NULL.
// Returns the handles that carry the SMM FVB protocol in a pool buffer, using
// the two-call MmLocateHandle() pattern: size query first, then the real fetch.
266 GetFvbCountAndBuffer (
267 OUT UINTN
*NumberHandles
,
268 OUT EFI_HANDLE
**Buffer
// Both output pointers are required.
274 if ((NumberHandles
== NULL
) || (Buffer
== NULL
)) {
275 return EFI_INVALID_PARAMETER
;
// First call: EFI_BUFFER_TOO_SMALL is the expected answer here and is not
// treated as a failure by the check that follows.
281 Status
= gMmst
->MmLocateHandle (
283 &gEfiSmmFirmwareVolumeBlockProtocolGuid
,
// Any other error is reported to the caller as EFI_NOT_FOUND.
288 if (EFI_ERROR (Status
) && (Status
!= EFI_BUFFER_TOO_SMALL
)) {
289 return EFI_NOT_FOUND
;
// Allocate BufferSize bytes for the handle array.
// NOTE(review): who frees *Buffer on success is not visible here - presumably the caller; confirm.
292 *Buffer
= AllocatePool (BufferSize
);
293 if (*Buffer
== NULL
) {
294 return EFI_OUT_OF_RESOURCES
;
// Second call: fetch the handles into the freshly allocated buffer.
297 Status
= gMmst
->MmLocateHandle (
299 &gEfiSmmFirmwareVolumeBlockProtocolGuid
,
// The handle count is derived from the byte size of the handle array.
305 *NumberHandles
= BufferSize
/ sizeof (EFI_HANDLE
);
// The body of this error branch is not visible in this listing.
306 if (EFI_ERROR (Status
)) {
316 Get the variable statistics information from the information buffer pointed by gVariableInfo.
318 Caution: This function may be invoked at SMM runtime.
319 InfoEntry and InfoSize are external input. Care must be taken to make sure there is no security issue at runtime.
321 @param[in, out] InfoEntry A pointer to the buffer of variable information entry.
322 On input, point to the variable information returned last time. if
323 InfoEntry->VendorGuid is zero, return the first information.
324 On output, point to the next variable information.
325 @param[in, out] InfoSize On input, the size of the variable information buffer.
326 On output, the returned variable information size.
328 @retval EFI_SUCCESS The variable information is found and returned successfully.
329 @retval EFI_UNSUPPORTED No variable information exists in variable driver. The
330 PcdVariableCollectStatistics should be set TRUE to support it.
331 @retval EFI_BUFFER_TOO_SMALL The buffer is too small to hold the next variable information.
332 @retval EFI_INVALID_PARAMETER Input parameter is invalid.
// Walks the gVariableInfo list and returns either the first entry or the entry
// that follows the one named by the caller. SmmVariableHandler() passes a
// pointer into the communicate buffer as InfoEntry, so in that path InfoEntry
// and the name behind it are caller-controlled memory.
336 SmmVariableGetStatistics (
337 IN OUT VARIABLE_INFO_ENTRY
*InfoEntry
,
338 IN OUT UINTN
*InfoSize
341 VARIABLE_INFO_ENTRY
*VariableInfo
;
343 UINTN StatisticsInfoSize
;
345 UINTN InfoNameMaxSize
;
// NOTE(review): only InfoEntry is checked against NULL; InfoSize is dereferenced
// below without a visible NULL check. The visible caller passes the address of
// a local, so this holds for that path - confirm for any other caller.
348 if (InfoEntry
== NULL
) {
349 return EFI_INVALID_PARAMETER
;
// No statistics list has been collected.
352 VariableInfo
= gVariableInfo
;
353 if (VariableInfo
== NULL
) {
354 return EFI_UNSUPPORTED
;
// The buffer must hold at least the fixed-size entry. This is also what keeps
// the subtraction that computes InfoNameMaxSize below from underflowing.
357 StatisticsInfoSize
= sizeof (VARIABLE_INFO_ENTRY
);
358 if (*InfoSize
< StatisticsInfoSize
) {
359 *InfoSize
= StatisticsInfoSize
;
360 return EFI_BUFFER_TOO_SMALL
;
// The name follows the fixed-size entry inside the caller's buffer;
// InfoNameMaxSize is the number of bytes left for it.
363 InfoName
= (CHAR16
*)(InfoEntry
+ 1);
364 InfoNameMaxSize
= (*InfoSize
- sizeof (VARIABLE_INFO_ENTRY
));
// Take a local copy of the GUID so that the zero test and the list search
// below both work on the same value even if the caller's buffer changes.
366 CopyGuid (&VendorGuid
, &InfoEntry
->VendorGuid
);
368 if (IsZeroGuid (&VendorGuid
)) {
370 // Return the first variable info
// The required size is recomputed including the name, and the buffer is
// re-checked before anything is copied out.
372 NameSize
= StrSize (VariableInfo
->Name
);
373 StatisticsInfoSize
= sizeof (VARIABLE_INFO_ENTRY
) + NameSize
;
374 if (*InfoSize
< StatisticsInfoSize
) {
375 *InfoSize
= StatisticsInfoSize
;
376 return EFI_BUFFER_TOO_SMALL
;
// NOTE(review): the whole VARIABLE_INFO_ENTRY is copied to the caller,
// including its pointer-valued members (Next and Name are used as pointers in
// this function) - confirm that exposing those values is acceptable.
379 CopyMem (InfoEntry
, VariableInfo
, sizeof (VARIABLE_INFO_ENTRY
));
380 CopyMem (InfoName
, VariableInfo
->Name
, NameSize
);
381 *InfoSize
= StatisticsInfoSize
;
386 // Get the next variable info
388 while (VariableInfo
!= NULL
) {
389 if (CompareGuid (&VariableInfo
->VendorGuid
, &VendorGuid
)) {
// NameSize comes from the driver's own list entry, not from the caller.
390 NameSize
= StrSize (VariableInfo
->Name
);
// Compare only when the stored name fits in the space the caller provided, so
// CompareMem() never reads past the end of the caller's buffer.
391 if (NameSize
<= InfoNameMaxSize
) {
392 if (CompareMem (VariableInfo
->Name
, InfoName
, NameSize
) == 0) {
394 // Find the match one
396 VariableInfo
= VariableInfo
->Next
;
402 VariableInfo
= VariableInfo
->Next
;
// No following entry (the body of this branch is not visible in this listing).
405 if (VariableInfo
== NULL
) {
411 // Output the new variable info
// Same size computation and bounds check as for the first entry.
413 NameSize
= StrSize (VariableInfo
->Name
);
414 StatisticsInfoSize
= sizeof (VARIABLE_INFO_ENTRY
) + NameSize
;
415 if (*InfoSize
< StatisticsInfoSize
) {
416 *InfoSize
= StatisticsInfoSize
;
417 return EFI_BUFFER_TOO_SMALL
;
420 CopyMem (InfoEntry
, VariableInfo
, sizeof (VARIABLE_INFO_ENTRY
));
421 CopyMem (InfoName
, VariableInfo
->Name
, NameSize
);
422 *InfoSize
= StatisticsInfoSize
;
428 Communication service SMI Handler entry.
430 This SMI handler provides services for the variable wrapper driver.
432 Caution: This function may receive untrusted input.
433 The variable data and communicate buffer are external input, so this function does basic validation.
434 Each sub function VariableServiceGetVariable(), VariableServiceGetNextVariableName(),
435 VariableServiceSetVariable(), VariableServiceQueryVariableInfo(), ReclaimForOS(),
436 SmmVariableGetStatistics() should also do validation based on its own knowledge.
438 @param[in] DispatchHandle The unique handle assigned to this handler by SmiHandlerRegister().
439 @param[in] RegisterContext Points to an optional handler context which was specified when the
440 handler was registered.
441 @param[in, out] CommBuffer A pointer to a collection of data in memory that will
442 be conveyed from a non-SMM environment into an SMM environment.
443 @param[in, out] CommBufferSize The size of the CommBuffer.
445 @retval EFI_SUCCESS The interrupt was handled and quiesced. No other handlers
446 should still be called.
447 @retval EFI_WARN_INTERRUPT_SOURCE_QUIESCED The interrupt has been quiesced but other handlers should
449 @retval EFI_WARN_INTERRUPT_SOURCE_PENDING The interrupt is still pending and other handlers should still
451 @retval EFI_INTERRUPT_PENDING The interrupt could not be quiesced.
456 IN EFI_HANDLE DispatchHandle
,
457 IN CONST VOID
*RegisterContext
,
458 IN OUT VOID
*CommBuffer
,
459 IN OUT UINTN
*CommBufferSize
463 SMM_VARIABLE_COMMUNICATE_HEADER
*SmmVariableFunctionHeader
;
464 SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE
*SmmVariableHeader
;
465 SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME
*GetNextVariableName
;
466 SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO
*QueryVariableInfo
;
467 SMM_VARIABLE_COMMUNICATE_GET_PAYLOAD_SIZE
*GetPayloadSize
;
468 SMM_VARIABLE_COMMUNICATE_RUNTIME_VARIABLE_CACHE_CONTEXT
*RuntimeVariableCacheContext
;
469 SMM_VARIABLE_COMMUNICATE_GET_RUNTIME_CACHE_INFO
*GetRuntimeCacheInfo
;
470 SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE
*VariableToLock
;
471 SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY
*CommVariableProperty
;
472 VARIABLE_INFO_ENTRY
*VariableInfo
;
473 VARIABLE_RUNTIME_CACHE_CONTEXT
*VariableCacheContext
;
474 VARIABLE_STORE_HEADER
*VariableCache
;
476 UINTN NameBufferSize
;
477 UINTN CommBufferPayloadSize
;
478 UINTN TempCommBufferSize
;
// Entry validation of the communicate buffer. Every check in this run happens
// before the Function field is dispatched on.
481 // If input is invalid, stop processing this SMI
483 if ((CommBuffer
== NULL
) || (CommBufferSize
== NULL
)) {
// Snapshot the size into a local once; the bounds below use TempCommBufferSize
// instead of re-reading *CommBufferSize.
487 TempCommBufferSize
= *CommBufferSize
;
// The buffer must hold at least the communicate header, otherwise the
// subtraction that computes CommBufferPayloadSize would wrap.
489 if (TempCommBufferSize
< SMM_VARIABLE_COMMUNICATE_HEADER_SIZE
) {
490 DEBUG ((DEBUG_ERROR
, "SmmVariableHandler: SMM communication buffer size invalid!\n"));
494 CommBufferPayloadSize
= TempCommBufferSize
- SMM_VARIABLE_COMMUNICATE_HEADER_SIZE
;
// The payload may not exceed mVariableBufferPayloadSize. The function cases
// copy CommBufferPayloadSize bytes into mVariableBufferPayload, so this is the
// bound that keeps those copies inside the pre-allocated buffer (presumably
// mVariableBufferPayloadSize is that buffer's allocated size - confirm).
495 if (CommBufferPayloadSize
> mVariableBufferPayloadSize
) {
496 DEBUG ((DEBUG_ERROR
, "SmmVariableHandler: SMM communication buffer payload size invalid!\n"));
// Reject a buffer that lies in SMRAM or whose range overflows (per the message below).
500 if (!VariableSmmIsBufferOutsideSmmValid ((UINTN
)CommBuffer
, TempCommBufferSize
)) {
501 DEBUG ((DEBUG_ERROR
, "SmmVariableHandler: SMM communication buffer in SMRAM or overflow!\n"));
// From here on the header is accessed in place in the caller's buffer.
505 SmmVariableFunctionHeader
= (SMM_VARIABLE_COMMUNICATE_HEADER
*)CommBuffer
;
506 switch (SmmVariableFunctionHeader
->Function
) {
// GetVariable request: copy in, validate the copy, call the service, copy out.
507 case SMM_VARIABLE_FUNCTION_GET_VARIABLE
:
// The payload must contain at least the fixed part of the structure (everything before Name).
508 if (CommBufferPayloadSize
< OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE
, Name
)) {
509 DEBUG ((DEBUG_ERROR
, "GetVariable: SMM communication buffer size invalid!\n"));
514 // Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.
// All size fields checked and used below are read from this copy, so a later
// change to the caller's buffer cannot alter a value after it has been validated.
516 CopyMem (mVariableBufferPayload
, SmmVariableFunctionHeader
->Data
, CommBufferPayloadSize
);
517 SmmVariableHeader
= (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE
*)mVariableBufferPayload
;
// Wrap-around guard in two steps: OFFSET_OF(Name) + DataSize must not wrap,
// and adding NameSize to that sum must not wrap either.
518 if (((UINTN
)(~0) - SmmVariableHeader
->DataSize
< OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE
, Name
)) ||
519 ((UINTN
)(~0) - SmmVariableHeader
->NameSize
< OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE
, Name
) + SmmVariableHeader
->DataSize
))
522 // Prevent InfoSize overflow happen
524 Status
= EFI_ACCESS_DENIED
;
// InfoSize is the total size the request claims: fixed part + data + name.
528 InfoSize
= OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE
, Name
)
529 + SmmVariableHeader
->DataSize
+ SmmVariableHeader
->NameSize
;
532 // SMRAM range check already covered before
// The claimed size must fit inside the payload that was actually received.
534 if (InfoSize
> CommBufferPayloadSize
) {
535 DEBUG ((DEBUG_ERROR
, "GetVariable: Data size exceed communication buffer size limit!\n"));
536 Status
= EFI_ACCESS_DENIED
;
541 // The VariableSpeculationBarrier() call here is to ensure the previous
542 // range/content checks for the CommBuffer have been completed before the
543 // subsequent consumption of the CommBuffer content.
545 VariableSpeculationBarrier ();
// NameSize must cover at least one CHAR16, and the last CHAR16 inside NameSize
// must be the terminator; the size test comes first so the index cannot be -1.
546 if ((SmmVariableHeader
->NameSize
< sizeof (CHAR16
)) || (SmmVariableHeader
->Name
[SmmVariableHeader
->NameSize
/sizeof (CHAR16
) - 1] != L
'\0')) {
548 // Make sure VariableName is A Null-terminated string.
550 Status
= EFI_ACCESS_DENIED
;
// The service works entirely on the copy: Attributes and DataSize are written
// back into the copied header, and the data area starts right after the name.
554 Status
= VariableServiceGetVariable (
555 SmmVariableHeader
->Name
,
556 &SmmVariableHeader
->Guid
,
557 &SmmVariableHeader
->Attributes
,
558 &SmmVariableHeader
->DataSize
,
559 (UINT8
*)SmmVariableHeader
->Name
+ SmmVariableHeader
->NameSize
// Copy the payload back to the caller: CommBufferPayloadSize bytes, the same
// amount that was copied in.
561 CopyMem (SmmVariableFunctionHeader
->Data
, mVariableBufferPayload
, CommBufferPayloadSize
);
564 case SMM_VARIABLE_FUNCTION_GET_NEXT_VARIABLE_NAME
:
565 if (CommBufferPayloadSize
< OFFSET_OF (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME
, Name
)) {
566 DEBUG ((DEBUG_ERROR
, "GetNextVariableName: SMM communication buffer size invalid!\n"));
571 // Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.
573 CopyMem (mVariableBufferPayload
, SmmVariableFunctionHeader
->Data
, CommBufferPayloadSize
);
574 GetNextVariableName
= (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME
*)mVariableBufferPayload
;
575 if ((UINTN
)(~0) - GetNextVariableName
->NameSize
< OFFSET_OF (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME
, Name
)) {
577 // Prevent InfoSize overflow happen
579 Status
= EFI_ACCESS_DENIED
;
583 InfoSize
= OFFSET_OF (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME
, Name
) + GetNextVariableName
->NameSize
;
586 // SMRAM range check already covered before
588 if (InfoSize
> CommBufferPayloadSize
) {
589 DEBUG ((DEBUG_ERROR
, "GetNextVariableName: Data size exceed communication buffer size limit!\n"));
590 Status
= EFI_ACCESS_DENIED
;
594 NameBufferSize
= CommBufferPayloadSize
- OFFSET_OF (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME
, Name
);
595 if ((NameBufferSize
< sizeof (CHAR16
)) || (GetNextVariableName
->Name
[NameBufferSize
/sizeof (CHAR16
) - 1] != L
'\0')) {
597 // Make sure input VariableName is A Null-terminated string.
599 Status
= EFI_ACCESS_DENIED
;
603 Status
= VariableServiceGetNextVariableName (
604 &GetNextVariableName
->NameSize
,
605 GetNextVariableName
->Name
,
606 &GetNextVariableName
->Guid
608 CopyMem (SmmVariableFunctionHeader
->Data
, mVariableBufferPayload
, CommBufferPayloadSize
);
611 case SMM_VARIABLE_FUNCTION_SET_VARIABLE
:
612 if (CommBufferPayloadSize
< OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE
, Name
)) {
613 DEBUG ((DEBUG_ERROR
, "SetVariable: SMM communication buffer size invalid!\n"));
618 // Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.
620 CopyMem (mVariableBufferPayload
, SmmVariableFunctionHeader
->Data
, CommBufferPayloadSize
);
621 SmmVariableHeader
= (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE
*)mVariableBufferPayload
;
622 if (((UINTN
)(~0) - SmmVariableHeader
->DataSize
< OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE
, Name
)) ||
623 ((UINTN
)(~0) - SmmVariableHeader
->NameSize
< OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE
, Name
) + SmmVariableHeader
->DataSize
))
626 // Prevent InfoSize overflow happen
628 Status
= EFI_ACCESS_DENIED
;
632 InfoSize
= OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE
, Name
)
633 + SmmVariableHeader
->DataSize
+ SmmVariableHeader
->NameSize
;
636 // SMRAM range check already covered before
637 // Data buffer should not contain SMM range
639 if (InfoSize
> CommBufferPayloadSize
) {
640 DEBUG ((DEBUG_ERROR
, "SetVariable: Data size exceed communication buffer size limit!\n"));
641 Status
= EFI_ACCESS_DENIED
;
646 // The VariableSpeculationBarrier() call here is to ensure the previous
647 // range/content checks for the CommBuffer have been completed before the
648 // subsequent consumption of the CommBuffer content.
650 VariableSpeculationBarrier ();
651 if ((SmmVariableHeader
->NameSize
< sizeof (CHAR16
)) || (SmmVariableHeader
->Name
[SmmVariableHeader
->NameSize
/sizeof (CHAR16
) - 1] != L
'\0')) {
653 // Make sure VariableName is A Null-terminated string.
655 Status
= EFI_ACCESS_DENIED
;
659 Status
= VariableServiceSetVariable (
660 SmmVariableHeader
->Name
,
661 &SmmVariableHeader
->Guid
,
662 SmmVariableHeader
->Attributes
,
663 SmmVariableHeader
->DataSize
,
664 (UINT8
*)SmmVariableHeader
->Name
+ SmmVariableHeader
->NameSize
// QueryVariableInfo request.
668 case SMM_VARIABLE_FUNCTION_QUERY_VARIABLE_INFO
:
// The payload must be large enough for the whole fixed-size request structure.
669 if (CommBufferPayloadSize
< sizeof (SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO
)) {
670 DEBUG ((DEBUG_ERROR
, "QueryVariableInfo: SMM communication buffer size invalid!\n"));
// Unlike the GetVariable case, this request is not copied into
// mVariableBufferPayload: the structure is used in place in the caller's buffer.
674 QueryVariableInfo
= (SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO
*)SmmVariableFunctionHeader
->Data
;
// Attributes is passed by value; the three size fields are passed by address,
// so the callee's results land directly in the communicate buffer.
676 Status
= VariableServiceQueryVariableInfo (
677 QueryVariableInfo
->Attributes
,
678 &QueryVariableInfo
->MaximumVariableStorageSize
,
679 &QueryVariableInfo
->RemainingVariableStorageSize
,
680 &QueryVariableInfo
->MaximumVariableSize
684 case SMM_VARIABLE_FUNCTION_GET_PAYLOAD_SIZE
:
685 if (CommBufferPayloadSize
< sizeof (SMM_VARIABLE_COMMUNICATE_GET_PAYLOAD_SIZE
)) {
686 DEBUG ((DEBUG_ERROR
, "GetPayloadSize: SMM communication buffer size invalid!\n"));
690 GetPayloadSize
= (SMM_VARIABLE_COMMUNICATE_GET_PAYLOAD_SIZE
*)SmmVariableFunctionHeader
->Data
;
691 GetPayloadSize
->VariablePayloadSize
= mVariableBufferPayloadSize
;
692 Status
= EFI_SUCCESS
;
695 case SMM_VARIABLE_FUNCTION_READY_TO_BOOT
:
697 Status
= EFI_UNSUPPORTED
;
702 MorLockInitAtEndOfDxe ();
703 Status
= LockVariablePolicy ();
704 ASSERT_EFI_ERROR (Status
);
706 VarCheckLibInitializeAtEndOfDxe (NULL
);
708 // The initialization for variable quota.
710 InitializeVariableQuota ();
714 Status
= EFI_SUCCESS
;
717 case SMM_VARIABLE_FUNCTION_EXIT_BOOT_SERVICE
:
719 Status
= EFI_SUCCESS
;
// GetStatistics request.
722 case SMM_VARIABLE_FUNCTION_GET_STATISTICS
:
// VariableInfo aliases the caller's buffer directly: no copy into
// mVariableBufferPayload is made on this path.
723 VariableInfo
= (VARIABLE_INFO_ENTRY
*)SmmVariableFunctionHeader
->Data
;
// Same value as CommBufferPayloadSize. No minimum-size check is made here; the
// callee rejects a buffer smaller than sizeof (VARIABLE_INFO_ENTRY) itself.
724 InfoSize
= TempCommBufferSize
- SMM_VARIABLE_COMMUNICATE_HEADER_SIZE
;
727 // Do not need to check SmmVariableFunctionHeader->Data in SMRAM here.
728 // It is covered by previous CommBuffer check
732 // Do not need to check CommBufferSize buffer as it should point to SMRAM
733 // that was used by SMM core to cache CommSize from SmmCommunication protocol.
736 Status
= SmmVariableGetStatistics (VariableInfo
, &InfoSize
);
// Report the returned (or required) size back through CommBufferSize.
737 *CommBufferSize
= InfoSize
+ SMM_VARIABLE_COMMUNICATE_HEADER_SIZE
;
// LockVariable request.
740 case SMM_VARIABLE_FUNCTION_LOCK_VARIABLE
:
// The condition guarding this refusal is not visible in this listing -
// presumably it applies once end of DXE has been signalled; confirm.
742 Status
= EFI_ACCESS_DENIED
;
// NOTE(review): no payload-size, name-length or terminator check is visible on
// this path, and Name is consumed in place from the caller's buffer rather than
// from a validated copy. Confirm that this branch is only reachable while the
// caller is still trusted.
744 VariableToLock
= (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE
*)SmmVariableFunctionHeader
->Data
;
745 Status
= VariableLockRequestToLock (
747 VariableToLock
->Name
,
748 &VariableToLock
->Guid
// VarCheck property-set request.
753 case SMM_VARIABLE_FUNCTION_VAR_CHECK_VARIABLE_PROPERTY_SET
:
// The condition guarding this refusal is not visible in this listing -
// presumably it applies once end of DXE has been signalled; confirm.
755 Status
= EFI_ACCESS_DENIED
;
// NOTE(review): unlike the property-get case, no size or terminator validation
// and no copy into mVariableBufferPayload is visible here; Name, Guid and
// VariableProperty are all taken in place from the caller's buffer. Confirm
// that this branch is only reachable while the caller is still trusted.
757 CommVariableProperty
= (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY
*)SmmVariableFunctionHeader
->Data
;
758 Status
= VarCheckVariablePropertySet (
759 CommVariableProperty
->Name
,
760 &CommVariableProperty
->Guid
,
761 &CommVariableProperty
->VariableProperty
766 case SMM_VARIABLE_FUNCTION_VAR_CHECK_VARIABLE_PROPERTY_GET
:
767 if (CommBufferPayloadSize
< OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY
, Name
)) {
768 DEBUG ((DEBUG_ERROR
, "VarCheckVariablePropertyGet: SMM communication buffer size invalid!\n"));
773 // Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.
775 CopyMem (mVariableBufferPayload
, SmmVariableFunctionHeader
->Data
, CommBufferPayloadSize
);
776 CommVariableProperty
= (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY
*)mVariableBufferPayload
;
777 if ((UINTN
)(~0) - CommVariableProperty
->NameSize
< OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY
, Name
)) {
779 // Prevent InfoSize overflow happen
781 Status
= EFI_ACCESS_DENIED
;
785 InfoSize
= OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY
, Name
) + CommVariableProperty
->NameSize
;
788 // SMRAM range check already covered before
790 if (InfoSize
> CommBufferPayloadSize
) {
791 DEBUG ((DEBUG_ERROR
, "VarCheckVariablePropertyGet: Data size exceed communication buffer size limit!\n"));
792 Status
= EFI_ACCESS_DENIED
;
797 // The VariableSpeculationBarrier() call here is to ensure the previous
798 // range/content checks for the CommBuffer have been completed before the
799 // subsequent consumption of the CommBuffer content.
801 VariableSpeculationBarrier ();
802 if ((CommVariableProperty
->NameSize
< sizeof (CHAR16
)) || (CommVariableProperty
->Name
[CommVariableProperty
->NameSize
/sizeof (CHAR16
) - 1] != L
'\0')) {
804 // Make sure VariableName is A Null-terminated string.
806 Status
= EFI_ACCESS_DENIED
;
810 Status
= VarCheckVariablePropertyGet (
811 CommVariableProperty
->Name
,
812 &CommVariableProperty
->Guid
,
813 &CommVariableProperty
->VariableProperty
815 CopyMem (SmmVariableFunctionHeader
->Data
, mVariableBufferPayload
, CommBufferPayloadSize
);
817 case SMM_VARIABLE_FUNCTION_INIT_RUNTIME_VARIABLE_CACHE_CONTEXT
:
818 if (CommBufferPayloadSize
< sizeof (SMM_VARIABLE_COMMUNICATE_RUNTIME_VARIABLE_CACHE_CONTEXT
)) {
819 DEBUG ((DEBUG_ERROR
, "InitRuntimeVariableCacheContext: SMM communication buffer size invalid!\n"));
820 Status
= EFI_ACCESS_DENIED
;
825 DEBUG ((DEBUG_ERROR
, "InitRuntimeVariableCacheContext: Cannot init context after end of DXE!\n"));
826 Status
= EFI_ACCESS_DENIED
;
831 // Copy the input communicate buffer payload to the pre-allocated SMM variable payload buffer.
833 CopyMem (mVariableBufferPayload
, SmmVariableFunctionHeader
->Data
, CommBufferPayloadSize
);
834 RuntimeVariableCacheContext
= (SMM_VARIABLE_COMMUNICATE_RUNTIME_VARIABLE_CACHE_CONTEXT
*)mVariableBufferPayload
;
837 // Verify required runtime cache buffers are provided.
839 if ((RuntimeVariableCacheContext
->RuntimeVolatileCache
== NULL
) ||
840 (RuntimeVariableCacheContext
->RuntimeNvCache
== NULL
) ||
841 (RuntimeVariableCacheContext
->PendingUpdate
== NULL
) ||
842 (RuntimeVariableCacheContext
->ReadLock
== NULL
) ||
843 (RuntimeVariableCacheContext
->HobFlushComplete
== NULL
))
845 DEBUG ((DEBUG_ERROR
, "InitRuntimeVariableCacheContext: Required runtime cache buffer is NULL!\n"));
846 Status
= EFI_ACCESS_DENIED
;
851 // Verify minimum size requirements for the runtime variable store buffers.
// RuntimeHobCache is optional (it is not part of the NULL check above), so its
// Size is only examined when the pointer is non-NULL.
// NOTE(review): each ->Size here is read through a caller-supplied pointer
// before the VariableSmmIsBufferOutsideSmmValid() checks that follow, and those
// checks read ->Size again. The pointer values come from the copied payload,
// but the Size fields themselves live in the caller's memory, so the two reads
// are not guaranteed to agree. An earlier branch refuses this request with
// "Cannot init context after end of DXE!", so this presumably runs only while
// the caller is still trusted - confirm.
853 if (((RuntimeVariableCacheContext
->RuntimeHobCache
!= NULL
) &&
854 (RuntimeVariableCacheContext
->RuntimeHobCache
->Size
< sizeof (VARIABLE_STORE_HEADER
))) ||
855 (RuntimeVariableCacheContext
->RuntimeVolatileCache
->Size
< sizeof (VARIABLE_STORE_HEADER
)) ||
856 (RuntimeVariableCacheContext
->RuntimeNvCache
->Size
< sizeof (VARIABLE_STORE_HEADER
)))
858 DEBUG ((DEBUG_ERROR
, "InitRuntimeVariableCacheContext: A runtime cache buffer size is invalid!\n"));
859 Status
= EFI_ACCESS_DENIED
;
864 // Verify runtime buffers do not overlap with SMRAM ranges.
866 if ((RuntimeVariableCacheContext
->RuntimeHobCache
!= NULL
) &&
867 !VariableSmmIsBufferOutsideSmmValid (
868 (UINTN
)RuntimeVariableCacheContext
->RuntimeHobCache
,
869 (UINTN
)RuntimeVariableCacheContext
->RuntimeHobCache
->Size
872 DEBUG ((DEBUG_ERROR
, "InitRuntimeVariableCacheContext: Runtime HOB cache buffer in SMRAM or overflow!\n"));
873 Status
= EFI_ACCESS_DENIED
;
877 if (!VariableSmmIsBufferOutsideSmmValid (
878 (UINTN
)RuntimeVariableCacheContext
->RuntimeVolatileCache
,
879 (UINTN
)RuntimeVariableCacheContext
->RuntimeVolatileCache
->Size
882 DEBUG ((DEBUG_ERROR
, "InitRuntimeVariableCacheContext: Runtime volatile cache buffer in SMRAM or overflow!\n"));
883 Status
= EFI_ACCESS_DENIED
;
887 if (!VariableSmmIsBufferOutsideSmmValid (
888 (UINTN
)RuntimeVariableCacheContext
->RuntimeNvCache
,
889 (UINTN
)RuntimeVariableCacheContext
->RuntimeNvCache
->Size
892 DEBUG ((DEBUG_ERROR
, "InitRuntimeVariableCacheContext: Runtime non-volatile cache buffer in SMRAM or overflow!\n"));
893 Status
= EFI_ACCESS_DENIED
;
897 if (!VariableSmmIsBufferOutsideSmmValid (
898 (UINTN
)RuntimeVariableCacheContext
->PendingUpdate
,
899 sizeof (*(RuntimeVariableCacheContext
->PendingUpdate
))
902 DEBUG ((DEBUG_ERROR
, "InitRuntimeVariableCacheContext: Runtime cache pending update buffer in SMRAM or overflow!\n"));
903 Status
= EFI_ACCESS_DENIED
;
907 if (!VariableSmmIsBufferOutsideSmmValid (
908 (UINTN
)RuntimeVariableCacheContext
->ReadLock
,
909 sizeof (*(RuntimeVariableCacheContext
->ReadLock
))
912 DEBUG ((DEBUG_ERROR
, "InitRuntimeVariableCacheContext: Runtime cache read lock buffer in SMRAM or overflow!\n"));
913 Status
= EFI_ACCESS_DENIED
;
917 if (!VariableSmmIsBufferOutsideSmmValid (
918 (UINTN
)RuntimeVariableCacheContext
->HobFlushComplete
,
919 sizeof (*(RuntimeVariableCacheContext
->HobFlushComplete
))
922 DEBUG ((DEBUG_ERROR
, "InitRuntimeVariableCacheContext: Runtime cache HOB flush complete buffer in SMRAM or overflow!\n"));
923 Status
= EFI_ACCESS_DENIED
;
927 VariableCacheContext
= &mVariableModuleGlobal
->VariableGlobal
.VariableRuntimeCacheContext
;
928 VariableCacheContext
->VariableRuntimeHobCache
.Store
= RuntimeVariableCacheContext
->RuntimeHobCache
;
929 VariableCacheContext
->VariableRuntimeVolatileCache
.Store
= RuntimeVariableCacheContext
->RuntimeVolatileCache
;
930 VariableCacheContext
->VariableRuntimeNvCache
.Store
= RuntimeVariableCacheContext
->RuntimeNvCache
;
931 VariableCacheContext
->PendingUpdate
= RuntimeVariableCacheContext
->PendingUpdate
;
932 VariableCacheContext
->ReadLock
= RuntimeVariableCacheContext
->ReadLock
;
933 VariableCacheContext
->HobFlushComplete
= RuntimeVariableCacheContext
->HobFlushComplete
;
935 // Set up the initial pending request since the RT cache needs to be in sync with SMM cache
936 VariableCacheContext
->VariableRuntimeHobCache
.PendingUpdateOffset
= 0;
937 VariableCacheContext
->VariableRuntimeHobCache
.PendingUpdateLength
= 0;
938 if ((mVariableModuleGlobal
->VariableGlobal
.HobVariableBase
> 0) &&
939 (VariableCacheContext
->VariableRuntimeHobCache
.Store
!= NULL
))
941 VariableCache
= (VARIABLE_STORE_HEADER
*)(UINTN
)mVariableModuleGlobal
->VariableGlobal
.HobVariableBase
;
942 VariableCacheContext
->VariableRuntimeHobCache
.PendingUpdateLength
= (UINT32
)((UINTN
)GetEndPointer (VariableCache
) - (UINTN
)VariableCache
);
943 CopyGuid (&(VariableCacheContext
->VariableRuntimeHobCache
.Store
->Signature
), &(VariableCache
->Signature
));
946 VariableCache
= (VARIABLE_STORE_HEADER
*)(UINTN
)mVariableModuleGlobal
->VariableGlobal
.VolatileVariableBase
;
947 VariableCacheContext
->VariableRuntimeVolatileCache
.PendingUpdateOffset
= 0;
948 VariableCacheContext
->VariableRuntimeVolatileCache
.PendingUpdateLength
= (UINT32
)((UINTN
)GetEndPointer (VariableCache
) - (UINTN
)VariableCache
);
949 CopyGuid (&(VariableCacheContext
->VariableRuntimeVolatileCache
.Store
->Signature
), &(VariableCache
->Signature
));
951 VariableCache
= (VARIABLE_STORE_HEADER
*)(UINTN
)mNvVariableCache
;
952 VariableCacheContext
->VariableRuntimeNvCache
.PendingUpdateOffset
= 0;
953 VariableCacheContext
->VariableRuntimeNvCache
.PendingUpdateLength
= (UINT32
)((UINTN
)GetEndPointer (VariableCache
) - (UINTN
)VariableCache
);
954 CopyGuid (&(VariableCacheContext
->VariableRuntimeNvCache
.Store
->Signature
), &(VariableCache
->Signature
));
956 *(VariableCacheContext
->PendingUpdate
) = TRUE
;
957 *(VariableCacheContext
->ReadLock
) = FALSE
;
958 *(VariableCacheContext
->HobFlushComplete
) = FALSE
;
960 Status
= EFI_SUCCESS
;
962 case SMM_VARIABLE_FUNCTION_SYNC_RUNTIME_CACHE
:
963 Status
= FlushPendingRuntimeVariableCacheUpdates ();
965 case SMM_VARIABLE_FUNCTION_GET_RUNTIME_CACHE_INFO
:
966 if (CommBufferPayloadSize
< sizeof (SMM_VARIABLE_COMMUNICATE_GET_RUNTIME_CACHE_INFO
)) {
967 DEBUG ((DEBUG_ERROR
, "GetRuntimeCacheInfo: SMM communication buffer size invalid!\n"));
971 GetRuntimeCacheInfo
= (SMM_VARIABLE_COMMUNICATE_GET_RUNTIME_CACHE_INFO
*)SmmVariableFunctionHeader
->Data
;
973 if (mVariableModuleGlobal
->VariableGlobal
.HobVariableBase
> 0) {
974 VariableCache
= (VARIABLE_STORE_HEADER
*)(UINTN
)mVariableModuleGlobal
->VariableGlobal
.HobVariableBase
;
975 GetRuntimeCacheInfo
->TotalHobStorageSize
= VariableCache
->Size
;
977 GetRuntimeCacheInfo
->TotalHobStorageSize
= 0;
980 VariableCache
= (VARIABLE_STORE_HEADER
*)(UINTN
)mVariableModuleGlobal
->VariableGlobal
.VolatileVariableBase
;
981 GetRuntimeCacheInfo
->TotalVolatileStorageSize
= VariableCache
->Size
;
982 VariableCache
= (VARIABLE_STORE_HEADER
*)(UINTN
)mNvVariableCache
;
983 GetRuntimeCacheInfo
->TotalNvStorageSize
= (UINTN
)VariableCache
->Size
;
984 GetRuntimeCacheInfo
->AuthenticatedVariableUsage
= mVariableModuleGlobal
->VariableGlobal
.AuthFormat
;
986 Status
= EFI_SUCCESS
;
990 Status
= EFI_UNSUPPORTED
;
995 SmmVariableFunctionHeader
->ReturnStatus
= Status
;
1001 SMM END_OF_DXE protocol notification event handler.
1003 @param Protocol Points to the protocol's unique identifier
1004 @param Interface Points to the interface instance
1005 @param Handle The handle on which the interface was installed
1007 @retval EFI_SUCCESS SmmEndOfDxeCallback runs successfully
// Notification handler for SMM END_OF_DXE: performs the lock-down steps below.
1012 SmmEndOfDxeCallback (
1013 IN CONST EFI_GUID
*Protocol
,
1015 IN EFI_HANDLE Handle
1020 DEBUG ((DEBUG_INFO
, "[Variable]SMM_END_OF_DXE is signaled\n"));
1021 MorLockInitAtEndOfDxe ();
// NOTE(review): the result of LockVariablePolicy() is checked only through
// ASSERT_EFI_ERROR(). If assertions are compiled out in the shipping build
// (confirm the build configuration), a failure to lock the policy would pass
// unnoticed and execution would continue as if the policy were locked.
1022 Status
= LockVariablePolicy ();
1023 ASSERT_EFI_ERROR (Status
);
1025 VarCheckLibInitializeAtEndOfDxe (NULL
);
1027 // The initialization for variable quota.
1029 InitializeVariableQuota ();
// The body of this PCD-controlled branch is not visible in this listing.
1030 if (PcdGetBool (PcdReclaimVariableSpaceAtEndOfDxe
)) {
1038 Initializes variable write service for SMM.
//
// NOTE(review): lines are missing from this listing (gutter numbers skip); only the
// visible statements are described.
//
1042 VariableWriteServiceInitializeSmm (
1048 Status
= VariableWriteServiceInitialize ();
//
// A failure is logged at DEBUG_ERROR level together with the status code.
// NOTE(review): the lines between this log and the notification below are not shown,
// so it is unclear whether VariableNotifySmmWriteReady () is skipped on failure.
// Confirm that "write ready" is never reported for a write service that failed to
// initialize.
//
1049 if (EFI_ERROR (Status
)) {
1050 DEBUG ((DEBUG_ERROR
, "Variable write service initialization failed. Status = %r\n", Status
));
1054 // Notify the variable wrapper driver the variable write service is ready
1056 VariableNotifySmmWriteReady ();
1060 SMM Fault Tolerant Write protocol notification event handler.
1062 Non-Volatile variable write may need the FTW protocol to reclaim when
1065 @param Protocol Points to the protocol's unique identifier
1066 @param Interface Points to the interface instance
1067 @param Handle The handle on which the interface was installed
1069 @retval EFI_SUCCESS SmmEventCallback runs successfully
1070 @retval EFI_NOT_FOUND The Fvb protocol for variable is not found.
//
// NOTE(review): lines are missing from this listing (gutter numbers skip); only the
// visible statements are described. None of the visible statements dereference
// Protocol or Handle.
//
1075 SmmFtwNotificationEvent (
1076 IN CONST EFI_GUID
*Protocol
,
1078 IN EFI_HANDLE Handle
1082 EFI_PHYSICAL_ADDRESS VariableStoreBase
;
1083 EFI_SMM_FIRMWARE_VOLUME_BLOCK_PROTOCOL
*FvbProtocol
;
1084 EFI_SMM_FAULT_TOLERANT_WRITE_PROTOCOL
*FtwProtocol
;
1085 EFI_PHYSICAL_ADDRESS NvStorageVariableBase
;
1086 UINTN FtwMaxBlockSize
;
//
// Guard on an already-populated FvbInstance; the branch body is not shown.
// Presumably an early return so the setup below runs once. Verify.
//
1088 if (mVariableModuleGlobal
->FvbInstance
!= NULL
) {
1093 // Ensure SMM FTW protocol is installed.
1095 Status
= GetFtwProtocol ((VOID
**)&FtwProtocol
);
//
// The error branch body is not shown. FtwProtocol is dereferenced right after it, so
// this branch has to leave the function when GetFtwProtocol () fails. Confirm.
//
1096 if (EFI_ERROR (Status
)) {
1100 Status
= FtwProtocol
->GetMaxBlockSize (FtwProtocol
, &FtwMaxBlockSize
);
//
// The variable storage size is compared with the FTW maximum block size by ASSERT
// only, and only when GetMaxBlockSize () succeeds.
// NOTE(review): with asserts disabled, a storage size above the FTW block size would
// not be rejected here.
//
1101 if (!EFI_ERROR (Status
)) {
1102 ASSERT (PcdGet32 (PcdFlashNvStorageVariableSize
) <= FtwMaxBlockSize
);
//
// The variable store base is the NV storage base plus the HeaderLength field read from
// mNvFvHeaderCache.
// NOTE(review): no range or overflow check on HeaderLength is visible here.
// Presumably the cached firmware volume header is validated where it is populated.
// Confirm.
//
1105 NvStorageVariableBase
= NV_STORAGE_VARIABLE_BASE
;
1106 VariableStoreBase
= NvStorageVariableBase
+ mNvFvHeaderCache
->HeaderLength
;
1109 // Let NonVolatileVariableBase point to flash variable store base directly after FTW ready.
1111 mVariableModuleGlobal
->VariableGlobal
.NonVolatileVariableBase
= VariableStoreBase
;
1114 // Find the proper FVB protocol for variable.
//
// NOTE(review): NonVolatileVariableBase has already been updated above when this lookup
// runs, so the EFI_NOT_FOUND return leaves the new base in place while FvbInstance is
// still unset. Check that callers tolerate that intermediate state.
//
1116 Status
= GetFvbInfoByAddress (NvStorageVariableBase
, NULL
, &FvbProtocol
);
1117 if (EFI_ERROR (Status
)) {
1118 return EFI_NOT_FOUND
;
1121 mVariableModuleGlobal
->FvbInstance
= FvbProtocol
;
1124 // Initializes variable write service after FTW was ready.
1126 VariableWriteServiceInitializeSmm ();
1132 Variable Driver main entry point. The Variable driver places the 4 EFI
1133 runtime services in the EFI System Table and installs arch protocols
1134 for variable read and write services being available. It also registers
1135 a notification function for an EVT_SIGNAL_VIRTUAL_ADDRESS_CHANGE event.
1137 @retval EFI_SUCCESS Variable service successfully initialized.
//
// NOTE(review): lines are missing from this listing (gutter numbers skip); only the
// visible statements are described. Every Status in the visible code is checked with
// ASSERT_EFI_ERROR only, so with asserts disabled the function would continue after a
// failed step.
//
1142 MmVariableServiceInitialize (
1147 EFI_HANDLE VariableHandle
;
1148 VOID
*SmmFtwRegistration
;
1149 VOID
*SmmEndOfDxeRegistration
;
1152 // Variable initialize.
1154 Status
= VariableCommonInitialize ();
1155 ASSERT_EFI_ERROR (Status
);
1158 // Install the Smm Variable Protocol on a new handle.
1160 VariableHandle
= NULL
;
1161 Status
= gMmst
->MmInstallProtocolInterface (
1163 &gEfiSmmVariableProtocolGuid
,
1164 EFI_NATIVE_INTERFACE
,
1167 ASSERT_EFI_ERROR (Status
);
1169 Status
= gMmst
->MmInstallProtocolInterface (
1171 &gEdkiiSmmVarCheckProtocolGuid
,
1172 EFI_NATIVE_INTERFACE
,
1175 ASSERT_EFI_ERROR (Status
);
//
// Size of the payload buffer allocated below: maximum variable size, plus the offset of
// Name in SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, minus the variable
// header size for the current AuthFormat.
// NOTE(review): the arithmetic is unsigned. It assumes GetMaxVariableSize () is at least
// the header size. Confirm, since an underflow would produce a huge size.
//
1177 mVariableBufferPayloadSize
= GetMaxVariableSize () +
1178 OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY
, Name
) -
1179 GetVariableHeaderSize (mVariableModuleGlobal
->VariableGlobal
.AuthFormat
);
//
// NOTE(review): the allocation result is checked by ASSERT_EFI_ERROR only.
// mVariableBufferPayload starts out as NULL at file scope, so with asserts disabled a
// failed allocation would presumably leave it NULL while the handler below is still
// registered. Consider returning Status on failure instead of continuing.
//
1181 Status
= gMmst
->MmAllocatePool (
1182 EfiRuntimeServicesData
,
1183 mVariableBufferPayloadSize
,
1184 (VOID
**)&mVariableBufferPayload
1186 ASSERT_EFI_ERROR (Status
);
1189 /// Register SMM variable SMI handler
//
// Once registered, SmmVariableHandler can be invoked with a caller-supplied
// communication buffer. The file header marks that input as untrusted, so the state
// the handler relies on has to be valid by this point.
//
1191 VariableHandle
= NULL
;
1192 Status
= gMmst
->MmiHandlerRegister (SmmVariableHandler
, &gEfiSmmVariableProtocolGuid
, &VariableHandle
);
1193 ASSERT_EFI_ERROR (Status
);
1196 // Notify the variable wrapper driver the variable service is ready
1198 VariableNotifySmmReady ();
1201 // Register EFI_SMM_END_OF_DXE_PROTOCOL_GUID notify function.
1203 Status
= gMmst
->MmRegisterProtocolNotify (
1204 &gEfiMmEndOfDxeProtocolGuid
,
1205 SmmEndOfDxeCallback
,
1206 &SmmEndOfDxeRegistration
1208 ASSERT_EFI_ERROR (Status
);
//
// When emulated NV mode is off, the FTW notification is registered and the callback is
// also called once directly with NULL arguments, presumably to cover an FTW protocol
// that is already installed. The remaining lines read as the alternative branch for
// emulated NV mode; the branch delimiters are not shown in the listing.
//
1210 if (!PcdGetBool (PcdEmuVariableNvModeEnable
)) {
1212 // Register FtwNotificationEvent () notify function.
1214 Status
= gMmst
->MmRegisterProtocolNotify (
1215 &gEfiSmmFaultTolerantWriteProtocolGuid
,
1216 SmmFtwNotificationEvent
,
1219 ASSERT_EFI_ERROR (Status
);
1221 SmmFtwNotificationEvent (NULL
, NULL
, NULL
);
1224 // Emulated non-volatile variable mode does not depend on FVB and FTW.
1226 VariableWriteServiceInitializeSmm ();