X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=SecurityPkg%2FVariableAuthenticated%2FRuntimeDxe%2FVariable.c;h=5f023dfdeef6ab2f28eb2d59db5a585b922c71b7;hb=335e2681334c87acc5d210801cfeb55b403d1a9e;hp=49358de0138cafe3f33a39a8cf9f822e09709710;hpb=a5f15e3025e2dfccaaa73121d43cf8e09fceeefe;p=mirror_edk2.git diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c index 49358de013..5f023dfdee 100644 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c @@ -2,6 +2,20 @@ The common variable operation routines shared by DXE_RUNTIME variable module and DXE_SMM variable module. + Caution: This module requires additional review when modified. + This driver will have external input - variable data. They may be input in SMM mode. + This external input must be validated carefully to avoid security issue like + buffer overflow, integer overflow. + + VariableServiceGetNextVariableName () and VariableServiceQueryVariableInfo() are external API. + They need check input parameter. + + VariableServiceGetVariable() and VariableServiceSetVariable() are external API + to receive datasize and data buffer. The size should be checked carefully. + + VariableServiceSetVariable() should also check authenticate data to avoid buffer overflow, + integer overflow. It should also check attribute to avoid authentication bypass. + Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License @@ -507,6 +521,7 @@ GetEndPointer ( @param IsVolatile The variable store is volatile or not; if it is non-volatile, need FTW. @param UpdatingVariable Pointer to updating variable. + @param ReclaimAnyway If TRUE, do reclaim anyway. @return EFI_OUT_OF_RESOURCES @return EFI_SUCCESS @@ -518,7 +533,8 @@ Reclaim ( IN EFI_PHYSICAL_ADDRESS VariableBase, OUT UINTN *LastVariableOffset, IN BOOLEAN IsVolatile, - IN VARIABLE_HEADER *UpdatingVariable + IN VARIABLE_HEADER *UpdatingVariable, + IN BOOLEAN ReclaimAnyway ) { VARIABLE_HEADER *Variable; @@ -539,15 +555,15 @@ Reclaim ( EFI_STATUS Status; CHAR16 *VariableNamePtr; CHAR16 *UpdatingVariableNamePtr; + UINTN CommonVariableTotalSize; + UINTN HwErrVariableTotalSize; + BOOLEAN NeedDoReclaim; + NeedDoReclaim = FALSE; VariableStoreHeader = (VARIABLE_STORE_HEADER *) ((UINTN) VariableBase); - // - // Recalculate the total size of Common/HwErr type variables in non-volatile area. - // - if (!IsVolatile) { - mVariableModuleGlobal->CommonVariableTotalSize = 0; - mVariableModuleGlobal->HwErrVariableTotalSize = 0; - } + + CommonVariableTotalSize = 0; + HwErrVariableTotalSize = 0; // // Start Pointers for the variable. @@ -562,11 +578,18 @@ Reclaim ( ) { VariableSize = (UINTN) NextVariable - (UINTN) Variable; MaximumBufferSize += VariableSize; + } else { + NeedDoReclaim = TRUE; } Variable = NextVariable; } + if (!ReclaimAnyway && !NeedDoReclaim) { + DEBUG ((EFI_D_INFO, "Variable driver: no DELETED variable found, so no variable space could be reclaimed.\n")); + return EFI_SUCCESS; + } + // // Reserve the 1 Bytes with Oxff to identify the // end of the variable buffer. @@ -614,9 +637,9 @@ Reclaim ( CopyMem (CurrPtr, (UINT8 *) Variable, VariableSize); CurrPtr += VariableSize; if ((!IsVolatile) && ((Variable->Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD)) { - mVariableModuleGlobal->HwErrVariableTotalSize += VariableSize; + HwErrVariableTotalSize += VariableSize; } else if ((!IsVolatile) && ((Variable->Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) != EFI_VARIABLE_HARDWARE_ERROR_RECORD)) { - mVariableModuleGlobal->CommonVariableTotalSize += VariableSize; + CommonVariableTotalSize += VariableSize; } } Variable = NextVariable; @@ -630,9 +653,9 @@ Reclaim ( CopyMem (CurrPtr, (UINT8 *) UpdatingVariable, VariableSize); CurrPtr += VariableSize; if ((!IsVolatile) && ((UpdatingVariable->Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD)) { - mVariableModuleGlobal->HwErrVariableTotalSize += VariableSize; + HwErrVariableTotalSize += VariableSize; } else if ((!IsVolatile) && ((UpdatingVariable->Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) != EFI_VARIABLE_HARDWARE_ERROR_RECORD)) { - mVariableModuleGlobal->CommonVariableTotalSize += VariableSize; + CommonVariableTotalSize += VariableSize; } } @@ -676,9 +699,9 @@ Reclaim ( ((VARIABLE_HEADER *) CurrPtr)->State = VAR_ADDED; CurrPtr += VariableSize; if ((!IsVolatile) && ((Variable->Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD)) { - mVariableModuleGlobal->HwErrVariableTotalSize += VariableSize; + HwErrVariableTotalSize += VariableSize; } else if ((!IsVolatile) && ((Variable->Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) != EFI_VARIABLE_HARDWARE_ERROR_RECORD)) { - mVariableModuleGlobal->CommonVariableTotalSize += VariableSize; + CommonVariableTotalSize += VariableSize; } } } @@ -706,8 +729,23 @@ Reclaim ( } if (!EFI_ERROR (Status)) { *LastVariableOffset = (UINTN) (CurrPtr - (UINT8 *) ValidBuffer); + if (!IsVolatile) { + mVariableModuleGlobal->HwErrVariableTotalSize = HwErrVariableTotalSize; + mVariableModuleGlobal->CommonVariableTotalSize = CommonVariableTotalSize; + } } else { - *LastVariableOffset = 0; + NextVariable = GetStartPointer ((VARIABLE_STORE_HEADER *)(UINTN)VariableBase); + while (IsValidVariableHeader (NextVariable)) { + VariableSize = NextVariable->NameSize + NextVariable->DataSize + sizeof (VARIABLE_HEADER); + if ((!IsVolatile) && ((Variable->Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD)) { + mVariableModuleGlobal->HwErrVariableTotalSize += HEADER_ALIGN (VariableSize); + } else if ((!IsVolatile) && ((Variable->Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) != EFI_VARIABLE_HARDWARE_ERROR_RECORD)) { + mVariableModuleGlobal->CommonVariableTotalSize += HEADER_ALIGN (VariableSize); + } + + NextVariable = GetNextVariablePtr (NextVariable); + } + *LastVariableOffset = (UINTN) NextVariable - (UINTN) VariableBase; } FreePool (ValidBuffer); @@ -1497,6 +1535,7 @@ UpdateVariable ( UpdateVariableInfo (VariableName, VendorGuid, Variable->Volatile, FALSE, FALSE, TRUE, FALSE); if (!Variable->Volatile) { CacheVariable->CurrPtr->State = State; + FlushHobVariableToFlash (VariableName, VendorGuid); } } goto Done; @@ -1706,7 +1745,7 @@ UpdateVariable ( // Perform garbage collection & reclaim operation. // Status = Reclaim (mVariableModuleGlobal->VariableGlobal.NonVolatileVariableBase, - &mVariableModuleGlobal->NonVolatileLastVariableOffset, FALSE, Variable->CurrPtr); + &mVariableModuleGlobal->NonVolatileLastVariableOffset, FALSE, Variable->CurrPtr, FALSE); if (EFI_ERROR (Status)) { goto Done; } @@ -1821,7 +1860,7 @@ UpdateVariable ( // Perform garbage collection & reclaim operation. // Status = Reclaim (mVariableModuleGlobal->VariableGlobal.VolatileVariableBase, - &mVariableModuleGlobal->VolatileLastVariableOffset, TRUE, Variable->CurrPtr); + &mVariableModuleGlobal->VolatileLastVariableOffset, TRUE, Variable->CurrPtr, FALSE); if (EFI_ERROR (Status)) { goto Done; } @@ -1878,6 +1917,9 @@ UpdateVariable ( if (!EFI_ERROR (Status)) { UpdateVariableInfo (VariableName, VendorGuid, Volatile, FALSE, TRUE, FALSE, FALSE); + if (!Volatile) { + FlushHobVariableToFlash (VariableName, VendorGuid); + } } Done: @@ -1941,10 +1983,41 @@ IsHwErrRecVariable ( return TRUE; } +/** + This code checks if variable should be treated as read-only variable. + + @param[in] VariableName Name of the Variable. + @param[in] VendorGuid GUID of the Variable. + + @retval TRUE This variable is read-only variable. + @retval FALSE This variable is NOT read-only variable. + +**/ +BOOLEAN +IsReadOnlyVariable ( + IN CHAR16 *VariableName, + IN EFI_GUID *VendorGuid + ) +{ + if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid)) { + if ((StrCmp (VariableName, EFI_SETUP_MODE_NAME) == 0) || + (StrCmp (VariableName, EFI_SIGNATURE_SUPPORT_NAME) == 0) || + (StrCmp (VariableName, EFI_SECURE_BOOT_MODE_NAME) == 0)) { + return TRUE; + } + } + + return FALSE; +} + /** This code finds variable in storage blocks (Volatile or Non-Volatile). + Caution: This function may receive untrusted input. + This function may be invoked in SMM mode, and datasize is external input. + This function will do basic validation, before parse the data. + @param VariableName Name of Variable to be found. @param VendorGuid Variable vendor GUID. @param Attributes Attribute value of the variable found. @@ -2022,6 +2095,9 @@ Done: This code Finds the Next available variable. + Caution: This function may receive untrusted input. + This function may be invoked in SMM mode. This function will do basic validation, before parse the data. + @param VariableNameSize Size of the variable name. @param VariableName Pointer to variable name. @param VendorGuid Variable Vendor Guid. @@ -2167,6 +2243,13 @@ Done: This code sets variable in storage blocks (Volatile or Non-Volatile). + Caution: This function may receive untrusted input. + This function may be invoked in SMM mode, and datasize and data are external input. + This function will do basic validation, before parse the data. + This function will parse the authentication carefully to avoid security issues, like + buffer overflow, integer overflow. + This function will check attribute carefully to avoid authentication bypass. + @param VariableName Name of Variable to be found. @param VendorGuid Variable vendor GUID. @param Attributes Attribute value of the variable found @@ -2204,10 +2287,21 @@ VariableServiceSetVariable ( return EFI_INVALID_PARAMETER; } + if (IsReadOnlyVariable (VariableName, VendorGuid)) { + return EFI_WRITE_PROTECTED; + } + if (DataSize != 0 && Data == NULL) { return EFI_INVALID_PARAMETER; } + // + // Check for reserverd bit in variable attribute. + // + if ((Attributes & (~EFI_VARIABLE_ATTRIBUTES_MASK)) != 0) { + return EFI_INVALID_PARAMETER; + } + // // Make sure if runtime bit is set, boot service bit is set also. // @@ -2321,7 +2415,10 @@ VariableServiceSetVariable ( Status = ProcessVarWithPk (VariableName, VendorGuid, Data, DataSize, &Variable, Attributes, FALSE); } else if (CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid) && ((StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0) || (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE1) == 0))) { - Status = ProcessVarWithKek (VariableName, VendorGuid, Data, DataSize, &Variable, Attributes); + Status = ProcessVarWithPk (VariableName, VendorGuid, Data, DataSize, &Variable, Attributes, FALSE); + if (EFI_ERROR (Status)) { + Status = ProcessVarWithKek (VariableName, VendorGuid, Data, DataSize, &Variable, Attributes); + } } else { Status = ProcessVariable (VariableName, VendorGuid, Data, DataSize, &Variable, Attributes); } @@ -2336,6 +2433,9 @@ VariableServiceSetVariable ( This code returns information about the EFI variables. + Caution: This function may receive untrusted input. + This function may be invoked in SMM mode. This function will do basic validation, before parse the data. + @param Attributes Attributes bitmask to specify the type of variables on which to return information. @param MaximumVariableStorageSize Pointer to the maximum size of the storage space available @@ -2497,6 +2597,9 @@ VariableServiceQueryVariableInfo ( /** This function reclaims variable storage if free size is below the threshold. + Caution: This function may be invoked at SMM mode. + Care must be taken to make sure not security issue. + **/ VOID ReclaimForOS( @@ -2525,12 +2628,102 @@ ReclaimForOS( mVariableModuleGlobal->VariableGlobal.NonVolatileVariableBase, &mVariableModuleGlobal->NonVolatileLastVariableOffset, FALSE, - NULL + NULL, + FALSE ); ASSERT_EFI_ERROR (Status); } } +/** + Flush the HOB variable to flash. + + @param[in] VariableName Name of variable has been updated or deleted. + @param[in] VendorGuid Guid of variable has been updated or deleted. + +**/ +VOID +FlushHobVariableToFlash ( + IN CHAR16 *VariableName, + IN EFI_GUID *VendorGuid + ) +{ + EFI_STATUS Status; + VARIABLE_STORE_HEADER *VariableStoreHeader; + VARIABLE_HEADER *Variable; + VOID *VariableData; + BOOLEAN ErrorFlag; + + ErrorFlag = FALSE; + + // + // Flush the HOB variable to flash. + // + if (mVariableModuleGlobal->VariableGlobal.HobVariableBase != 0) { + VariableStoreHeader = (VARIABLE_STORE_HEADER *) (UINTN) mVariableModuleGlobal->VariableGlobal.HobVariableBase; + // + // Set HobVariableBase to 0, it can avoid SetVariable to call back. + // + mVariableModuleGlobal->VariableGlobal.HobVariableBase = 0; + for ( Variable = GetStartPointer (VariableStoreHeader) + ; (Variable < GetEndPointer (VariableStoreHeader) && IsValidVariableHeader (Variable)) + ; Variable = GetNextVariablePtr (Variable) + ) { + if (Variable->State != VAR_ADDED) { + // + // The HOB variable has been set to DELETED state in local. + // + continue; + } + ASSERT ((Variable->Attributes & EFI_VARIABLE_NON_VOLATILE) != 0); + if (VendorGuid == NULL || VariableName == NULL || + !CompareGuid (VendorGuid, &Variable->VendorGuid) || + StrCmp (VariableName, GetVariableNamePtr (Variable)) != 0) { + VariableData = GetVariableDataPtr (Variable); + Status = VariableServiceSetVariable ( + GetVariableNamePtr (Variable), + &Variable->VendorGuid, + Variable->Attributes, + Variable->DataSize, + VariableData + ); + DEBUG ((EFI_D_INFO, "Variable driver flush the HOB variable to flash: %g %s %r\n", &Variable->VendorGuid, GetVariableNamePtr (Variable), Status)); + } else { + // + // The updated or deleted variable is matched with the HOB variable. + // Don't break here because we will try to set other HOB variables + // since this variable could be set successfully. + // + Status = EFI_SUCCESS; + } + if (!EFI_ERROR (Status)) { + // + // If set variable successful, or the updated or deleted variable is matched with the HOB variable, + // set the HOB variable to DELETED state in local. + // + DEBUG ((EFI_D_INFO, "Variable driver set the HOB variable to DELETED state in local: %g %s\n", &Variable->VendorGuid, GetVariableNamePtr (Variable))); + Variable->State &= VAR_DELETED; + } else { + ErrorFlag = TRUE; + } + } + if (ErrorFlag) { + // + // We still have HOB variable(s) not flushed in flash. + // + mVariableModuleGlobal->VariableGlobal.HobVariableBase = (EFI_PHYSICAL_ADDRESS) (UINTN) VariableStoreHeader; + } else { + // + // All HOB variables have been flushed in flash. + // + DEBUG ((EFI_D_INFO, "Variable driver: all HOB variables have been flushed in flash.\n")); + if (!AtRuntime ()) { + FreePool ((VOID *) VariableStoreHeader); + } + } + } + +} /** Initializes variable write service after FVB was ready. @@ -2549,8 +2742,6 @@ VariableWriteServiceInitialize ( UINTN Index; UINT8 Data; EFI_PHYSICAL_ADDRESS VariableStoreBase; - VARIABLE_HEADER *Variable; - VOID *VariableData; VariableStoreBase = mVariableModuleGlobal->VariableGlobal.NonVolatileVariableBase; VariableStoreHeader = (VARIABLE_STORE_HEADER *)(UINTN)VariableStoreBase; @@ -2568,7 +2759,8 @@ VariableWriteServiceInitialize ( mVariableModuleGlobal->VariableGlobal.NonVolatileVariableBase, &mVariableModuleGlobal->NonVolatileLastVariableOffset, FALSE, - NULL + NULL, + TRUE ); if (EFI_ERROR (Status)) { return Status; @@ -2577,34 +2769,7 @@ VariableWriteServiceInitialize ( } } - - // - // Flush the HOB variable to flash and invalidate HOB variable. - // - if (mVariableModuleGlobal->VariableGlobal.HobVariableBase != 0) { - // - // Clear the HobVariableBase to avoid SetVariable() updating the variable in HOB - // - VariableStoreHeader = (VARIABLE_STORE_HEADER *) (UINTN) mVariableModuleGlobal->VariableGlobal.HobVariableBase; - mVariableModuleGlobal->VariableGlobal.HobVariableBase = 0; - - for ( Variable = GetStartPointer (VariableStoreHeader) - ; (Variable < GetEndPointer (VariableStoreHeader) && IsValidVariableHeader (Variable)) - ; Variable = GetNextVariablePtr (Variable) - ) { - ASSERT (Variable->State == VAR_ADDED); - ASSERT ((Variable->Attributes & EFI_VARIABLE_NON_VOLATILE) != 0); - VariableData = GetVariableDataPtr (Variable); - Status = VariableServiceSetVariable ( - GetVariableNamePtr (Variable), - &Variable->VendorGuid, - Variable->Attributes, - Variable->DataSize, - VariableData - ); - ASSERT_EFI_ERROR (Status); - } - } + FlushHobVariableToFlash (NULL, NULL); // // Authenticated variable initialize. @@ -2662,8 +2827,12 @@ VariableCommonInitialize ( GuidHob = GetFirstGuidHob (&gEfiAuthenticatedVariableGuid); if (GuidHob != NULL) { VariableStoreHeader = GET_GUID_HOB_DATA (GuidHob); + VariableStoreLength = (UINT64) (GuidHob->Header.HobLength - sizeof (EFI_HOB_GUID_TYPE)); if (GetVariableStoreStatus (VariableStoreHeader) == EfiValid) { - mVariableModuleGlobal->VariableGlobal.HobVariableBase = (EFI_PHYSICAL_ADDRESS) (UINTN) VariableStoreHeader; + mVariableModuleGlobal->VariableGlobal.HobVariableBase = (EFI_PHYSICAL_ADDRESS) (UINTN) AllocateRuntimeCopyPool ((UINTN) VariableStoreLength, (VOID *) VariableStoreHeader); + if (mVariableModuleGlobal->VariableGlobal.HobVariableBase == 0) { + return EFI_OUT_OF_RESOURCES; + } } else { DEBUG ((EFI_D_ERROR, "HOB Variable Store header is corrupted!\n")); }