[mirror_edk2.git] / MdeModulePkg / Universal / Variable / RuntimeDxe / TcgMorLockDxe.c

/** @file\r
  TCG MOR (Memory Overwrite Request) Lock Control support (DXE version).\r
\r
  This module clears MemoryOverwriteRequestControlLock variable to indicate\r
  MOR lock control unsupported.\r
\r
Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>\r
SPDX-License-Identifier: BSD-2-Clause-Patent\r
\r
**/\r
\r
#include <PiDxe.h>\r
#include <Guid/MemoryOverwriteControl.h>\r
#include <IndustryStandard/MemoryOverwriteRequestControlLock.h>\r
#include <Library/DebugLib.h>\r
#include <Library/BaseLib.h>\r
#include <Library/BaseMemoryLib.h>\r
#include "Variable.h"\r
\r
extern EDKII_VARIABLE_LOCK_PROTOCOL     mVariableLock;\r
\r
/**\r
  This service is an MOR/MorLock checker handler for the SetVariable().\r
\r
  @param[in]  VariableName the name of the vendor's variable, as a\r
                           Null-Terminated Unicode String\r
  @param[in]  VendorGuid   Unify identifier for vendor.\r
  @param[in]  Attributes   Attributes bitmask to set for the variable.\r
  @param[in]  DataSize     The size in bytes of Data-Buffer.\r
  @param[in]  Data         Point to the content of the variable.\r
\r
  @retval  EFI_SUCCESS            The MOR/MorLock check pass, and Variable\r
                                  driver can store the variable data.\r
  @retval  EFI_INVALID_PARAMETER  The MOR/MorLock data or data size or\r
                                  attributes is not allowed for MOR variable.\r
  @retval  EFI_ACCESS_DENIED      The MOR/MorLock is locked.\r
  @retval  EFI_ALREADY_STARTED    The MorLock variable is handled inside this\r
                                  function. Variable driver can just return\r
                                  EFI_SUCCESS.\r
**/\r
EFI_STATUS\r
SetVariableCheckHandlerMor (\r
  IN CHAR16     *VariableName,\r
  IN EFI_GUID   *VendorGuid,\r
  IN UINT32     Attributes,\r
  IN UINTN      DataSize,\r
  IN VOID       *Data\r
  )\r
{\r
  //\r
  // Just let it pass. No need provide protection for DXE version.\r
  //\r
  return EFI_SUCCESS;\r
}\r
\r
/**\r
  Initialization for MOR Control Lock.\r
\r
  @retval EFI_SUCCESS     MorLock initialization success.\r
  @return Others          Some error occurs.\r
**/\r
EFI_STATUS\r
MorLockInit (\r
  VOID\r
  )\r
{\r
  //\r
  // Always clear variable to report unsupported to OS.\r
  // The reason is that the DXE version is not proper to provide *protection*.\r
  // BIOS should use SMM version variable driver to provide such capability.\r
  //\r
  VariableServiceSetVariable (\r
    MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME,\r
    &gEfiMemoryOverwriteRequestControlLockGuid,\r
    0,                                          // Attributes\r
    0,                                          // DataSize\r
    NULL                                        // Data\r
    );\r
\r
  //\r
  // Need set this variable to be read-only to prevent other module set it.\r
  //\r
  VariableLockRequestToLock (&mVariableLock, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, &gEfiMemoryOverwriteRequestControlLockGuid);\r
\r
  //\r
  // The MOR variable can effectively improve platform security only when the\r
  // MorLock variable protects the MOR variable. In turn MorLock cannot be made\r
  // secure without SMM support in the platform firmware (see above).\r
  //\r
  // Thus, delete the MOR variable, should it exist for any reason (some OSes\r
  // are known to create MOR unintentionally, in an attempt to set it), then\r
  // also lock the MOR variable, in order to prevent other modules from\r
  // creating it.\r
  //\r
  VariableServiceSetVariable (\r
    MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,\r
    &gEfiMemoryOverwriteControlDataGuid,\r
    0,                                      // Attributes\r
    0,                                      // DataSize\r
    NULL                                    // Data\r
    );\r
  VariableLockRequestToLock (\r
    &mVariableLock,\r
    MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,\r
    &gEfiMemoryOverwriteControlDataGuid\r
    );\r
\r
  return EFI_SUCCESS;\r
}\r
\r
/**\r
  Delayed initialization for MOR Control Lock at EndOfDxe.\r
\r
  This function performs any operations queued by MorLockInit().\r
**/\r
VOID\r
MorLockInitAtEndOfDxe (\r
  VOID\r
  )\r
{\r
  //\r
  // Do nothing.\r
  //\r
}\r
Commit	Line	Data
a0994dbe JY	1	/** @file\r
	2	TCG MOR (Memory Overwrite Request) Lock Control support (DXE version).\r
	3	\r
	4	This module clears MemoryOverwriteRequestControlLock variable to indicate\r
	5	MOR lock control unsupported.\r
	6	\r
	7	Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>\r
9d510e61	8	SPDX-License-Identifier: BSD-2-Clause-Patent\r
a0994dbe JY	9	\r
	10	**/\r
	11	\r
	12	#include <PiDxe.h>\r
	13	#include <Guid/MemoryOverwriteControl.h>\r
	14	#include <IndustryStandard/MemoryOverwriteRequestControlLock.h>\r
	15	#include <Library/DebugLib.h>\r
	16	#include <Library/BaseLib.h>\r
	17	#include <Library/BaseMemoryLib.h>\r
	18	#include "Variable.h"\r
	19	\r
	20	extern EDKII_VARIABLE_LOCK_PROTOCOL mVariableLock;\r
	21	\r
	22	/**\r
	23	This service is an MOR/MorLock checker handler for the SetVariable().\r
	24	\r
03877377 LE	25	@param[in] VariableName the name of the vendor's variable, as a\r
	26	Null-Terminated Unicode String\r
	27	@param[in] VendorGuid Unify identifier for vendor.\r
	28	@param[in] Attributes Attributes bitmask to set for the variable.\r
	29	@param[in] DataSize The size in bytes of Data-Buffer.\r
	30	@param[in] Data Point to the content of the variable.\r
a0994dbe	31	\r
03877377 LE	32	@retval EFI_SUCCESS The MOR/MorLock check pass, and Variable\r
	33	driver can store the variable data.\r
	34	@retval EFI_INVALID_PARAMETER The MOR/MorLock data or data size or\r
	35	attributes is not allowed for MOR variable.\r
a0994dbe	36	@retval EFI_ACCESS_DENIED The MOR/MorLock is locked.\r
03877377 LE	37	@retval EFI_ALREADY_STARTED The MorLock variable is handled inside this\r
	38	function. Variable driver can just return\r
	39	EFI_SUCCESS.\r
a0994dbe JY	40	**/\r
	41	EFI_STATUS\r
	42	SetVariableCheckHandlerMor (\r
	43	IN CHAR16 *VariableName,\r
	44	IN EFI_GUID *VendorGuid,\r
	45	IN UINT32 Attributes,\r
	46	IN UINTN DataSize,\r
	47	IN VOID *Data\r
	48	)\r
	49	{\r
	50	//\r
	51	// Just let it pass. No need provide protection for DXE version.\r
	52	//\r
	53	return EFI_SUCCESS;\r
	54	}\r
	55	\r
	56	/**\r
03877377	57	Initialization for MOR Control Lock.\r
a0994dbe	58	\r
03877377	59	@retval EFI_SUCCESS MorLock initialization success.\r
a0994dbe JY	60	@return Others Some error occurs.\r
	61	**/\r
	62	EFI_STATUS\r
	63	MorLockInit (\r
	64	VOID\r
	65	)\r
	66	{\r
	67	//\r
	68	// Always clear variable to report unsupported to OS.\r
	69	// The reason is that the DXE version is not proper to provide protection.\r
	70	// BIOS should use SMM version variable driver to provide such capability.\r
	71	//\r
	72	VariableServiceSetVariable (\r
	73	MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME,\r
	74	&gEfiMemoryOverwriteRequestControlLockGuid,\r
704b71d7 LE	75	0, // Attributes\r
	76	0, // DataSize\r
	77	NULL // Data\r
a0994dbe JY	78	);\r
	79	\r
	80	//\r
	81	// Need set this variable to be read-only to prevent other module set it.\r
	82	//\r
	83	VariableLockRequestToLock (&mVariableLock, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, &gEfiMemoryOverwriteRequestControlLockGuid);\r
704b71d7 LE	84	\r
	85	//\r
	86	// The MOR variable can effectively improve platform security only when the\r
	87	// MorLock variable protects the MOR variable. In turn MorLock cannot be made\r
	88	// secure without SMM support in the platform firmware (see above).\r
	89	//\r
	90	// Thus, delete the MOR variable, should it exist for any reason (some OSes\r
	91	// are known to create MOR unintentionally, in an attempt to set it), then\r
	92	// also lock the MOR variable, in order to prevent other modules from\r
	93	// creating it.\r
	94	//\r
	95	VariableServiceSetVariable (\r
	96	MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,\r
	97	&gEfiMemoryOverwriteControlDataGuid,\r
	98	0, // Attributes\r
	99	0, // DataSize\r
	100	NULL // Data\r
	101	);\r
	102	VariableLockRequestToLock (\r
	103	&mVariableLock,\r
	104	MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,\r
	105	&gEfiMemoryOverwriteControlDataGuid\r
	106	);\r
	107	\r
a0994dbe JY	108	return EFI_SUCCESS;\r
a0994dbe JY	109	}\r
f1304280 LE	110	\r
	111	/**\r
	112	Delayed initialization for MOR Control Lock at EndOfDxe.\r
	113	\r
	114	This function performs any operations queued by MorLockInit().\r
	115	**/\r
	116	VOID\r
	117	MorLockInitAtEndOfDxe (\r
	118	VOID\r
	119	)\r
	120	{\r
	121	//\r
	122	// Do nothing.\r
	123	//\r
	124	}\r