[mirror_edk2.git] / MdeModulePkg / Universal / Variable / RuntimeDxe / TcgMorLockSmm.c

/** @file\r
  TCG MOR (Memory Overwrite Request) Lock Control support (SMM version).\r
\r
  This module initilizes MemoryOverwriteRequestControlLock variable.\r
  This module adds Variable Hook and check MemoryOverwriteRequestControlLock.\r
\r
Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>\r
Copyright (c) Microsoft Corporation.\r
SPDX-License-Identifier: BSD-2-Clause-Patent\r
\r
**/\r
\r
#include <PiDxe.h>\r
#include <Guid/MemoryOverwriteControl.h>\r
#include <IndustryStandard/MemoryOverwriteRequestControlLock.h>\r
#include <Library/DebugLib.h>\r
#include <Library/BaseLib.h>\r
#include <Library/BaseMemoryLib.h>\r
#include "Variable.h"\r
\r
#include <Protocol/VariablePolicy.h>\r
#include <Library/VariablePolicyHelperLib.h>\r
#include <Library/VariablePolicyLib.h>\r
\r
typedef struct {\r
  CHAR16      *VariableName;\r
  EFI_GUID    *VendorGuid;\r
} VARIABLE_TYPE;\r
\r
VARIABLE_TYPE  mMorVariableType[] = {\r
  { MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,     &gEfiMemoryOverwriteControlDataGuid        },\r
  { MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, &gEfiMemoryOverwriteRequestControlLockGuid },\r
};\r
\r
BOOLEAN  mMorPassThru = FALSE;\r
\r
#define MOR_LOCK_DATA_UNLOCKED            0x0\r
#define MOR_LOCK_DATA_LOCKED_WITHOUT_KEY  0x1\r
#define MOR_LOCK_DATA_LOCKED_WITH_KEY     0x2\r
\r
#define MOR_LOCK_V1_SIZE      1\r
#define MOR_LOCK_V2_KEY_SIZE  8\r
\r
typedef enum {\r
  MorLockStateUnlocked = 0,\r
  MorLockStateLocked   = 1,\r
} MOR_LOCK_STATE;\r
\r
BOOLEAN         mMorLockInitializationRequired = FALSE;\r
UINT8           mMorLockKey[MOR_LOCK_V2_KEY_SIZE];\r
BOOLEAN         mMorLockKeyEmpty = TRUE;\r
BOOLEAN         mMorLockPassThru = FALSE;\r
MOR_LOCK_STATE  mMorLockState    = MorLockStateUnlocked;\r
\r
/**\r
  Returns if this is MOR related variable.\r
\r
  @param  VariableName the name of the vendor's variable, it's a Null-Terminated Unicode String\r
  @param  VendorGuid   Unify identifier for vendor.\r
\r
  @retval  TRUE            The variable is MOR related.\r
  @retval  FALSE           The variable is NOT MOR related.\r
**/\r
BOOLEAN\r
IsAnyMorVariable (\r
  IN CHAR16    *VariableName,\r
  IN EFI_GUID  *VendorGuid\r
  )\r
{\r
  UINTN  Index;\r
\r
  for (Index = 0; Index < sizeof (mMorVariableType)/sizeof (mMorVariableType[0]); Index++) {\r
    if ((StrCmp (VariableName, mMorVariableType[Index].VariableName) == 0) &&\r
        (CompareGuid (VendorGuid, mMorVariableType[Index].VendorGuid)))\r
    {\r
      return TRUE;\r
    }\r
  }\r
\r
  return FALSE;\r
}\r
\r
/**\r
  Returns if this is MOR lock variable.\r
\r
  @param  VariableName the name of the vendor's variable, it's a Null-Terminated Unicode String\r
  @param  VendorGuid   Unify identifier for vendor.\r
\r
  @retval  TRUE            The variable is MOR lock variable.\r
  @retval  FALSE           The variable is NOT MOR lock variable.\r
**/\r
BOOLEAN\r
IsMorLockVariable (\r
  IN CHAR16    *VariableName,\r
  IN EFI_GUID  *VendorGuid\r
  )\r
{\r
  if ((StrCmp (VariableName, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME) == 0) &&\r
      (CompareGuid (VendorGuid, &gEfiMemoryOverwriteRequestControlLockGuid)))\r
  {\r
    return TRUE;\r
  }\r
\r
  return FALSE;\r
}\r
\r
/**\r
  Set MOR lock variable.\r
\r
  @param  Data         MOR Lock variable data.\r
\r
  @retval  EFI_SUCCESS            The firmware has successfully stored the variable and its data as\r
                                  defined by the Attributes.\r
  @retval  EFI_INVALID_PARAMETER  An invalid combination of attribute bits was supplied, or the\r
                                  DataSize exceeds the maximum allowed.\r
  @retval  EFI_INVALID_PARAMETER  VariableName is an empty Unicode string.\r
  @retval  EFI_OUT_OF_RESOURCES   Not enough storage is available to hold the variable and its data.\r
  @retval  EFI_DEVICE_ERROR       The variable could not be saved due to a hardware failure.\r
  @retval  EFI_WRITE_PROTECTED    The variable in question is read-only.\r
  @retval  EFI_WRITE_PROTECTED    The variable in question cannot be deleted.\r
  @retval  EFI_SECURITY_VIOLATION The variable could not be written due to EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS\r
                                  set but the AuthInfo does NOT pass the validation check carried\r
                                  out by the firmware.\r
  @retval  EFI_NOT_FOUND          The variable trying to be updated or deleted was not found.\r
**/\r
EFI_STATUS\r
SetMorLockVariable (\r
  IN UINT8  Data\r
  )\r
{\r
  EFI_STATUS  Status;\r
\r
  mMorLockPassThru = TRUE;\r
  Status           = VariableServiceSetVariable (\r
                       MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME,\r
                       &gEfiMemoryOverwriteRequestControlLockGuid,\r
                       EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,\r
                       sizeof (Data),\r
                       &Data\r
                       );\r
  mMorLockPassThru = FALSE;\r
  return Status;\r
}\r
\r
/**\r
  This service is an MorLock checker handler for the SetVariable().\r
\r
  @param  VariableName the name of the vendor's variable, as a\r
                       Null-Terminated Unicode String\r
  @param  VendorGuid   Unify identifier for vendor.\r
  @param  Attributes   Point to memory location to return the attributes of variable. If the point\r
                       is NULL, the parameter would be ignored.\r
  @param  DataSize     The size in bytes of Data-Buffer.\r
  @param  Data         Point to the content of the variable.\r
\r
  @retval  EFI_SUCCESS            The MorLock check pass, and Variable driver can store the variable data.\r
  @retval  EFI_INVALID_PARAMETER  The MorLock data or data size or attributes is not allowed.\r
  @retval  EFI_ACCESS_DENIED      The MorLock is locked.\r
  @retval  EFI_WRITE_PROTECTED    The MorLock deletion is not allowed.\r
  @retval  EFI_ALREADY_STARTED    The MorLock variable is handled inside this function.\r
                                  Variable driver can just return EFI_SUCCESS.\r
**/\r
EFI_STATUS\r
SetVariableCheckHandlerMorLock (\r
  IN CHAR16    *VariableName,\r
  IN EFI_GUID  *VendorGuid,\r
  IN UINT32    Attributes,\r
  IN UINTN     DataSize,\r
  IN VOID      *Data\r
  )\r
{\r
  EFI_STATUS  Status;\r
\r
  //\r
  // Basic Check\r
  //\r
  if ((Attributes == 0) || (DataSize == 0) || (Data == NULL)) {\r
    //\r
    // Permit deletion for passthru request, deny it otherwise.\r
    //\r
    return mMorLockPassThru ? EFI_SUCCESS : EFI_WRITE_PROTECTED;\r
  }\r
\r
  if ((Attributes != (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS)) ||\r
      ((DataSize != MOR_LOCK_V1_SIZE) && (DataSize != MOR_LOCK_V2_KEY_SIZE)))\r
  {\r
    return EFI_INVALID_PARAMETER;\r
  }\r
\r
  //\r
  // Do not check if the request is passthru.\r
  //\r
  if (mMorLockPassThru) {\r
    return EFI_SUCCESS;\r
  }\r
\r
  if (mMorLockState == MorLockStateUnlocked) {\r
    //\r
    // In Unlocked State\r
    //\r
    if (DataSize == MOR_LOCK_V1_SIZE) {\r
      //\r
      // V1 - lock permanently\r
      //\r
      if (*(UINT8 *)Data == MOR_LOCK_DATA_UNLOCKED) {\r
        //\r
        // Unlock\r
        //\r
        Status = SetMorLockVariable (MOR_LOCK_DATA_UNLOCKED);\r
        if (!EFI_ERROR (Status)) {\r
          //\r
          // return EFI_ALREADY_STARTED to skip variable set.\r
          //\r
          return EFI_ALREADY_STARTED;\r
        } else {\r
          //\r
          // SetVar fail\r
          //\r
          return Status;\r
        }\r
      } else if (*(UINT8 *)Data == MOR_LOCK_DATA_LOCKED_WITHOUT_KEY) {\r
        //\r
        // Lock without key\r
        //\r
        Status = SetMorLockVariable (MOR_LOCK_DATA_LOCKED_WITHOUT_KEY);\r
        if (!EFI_ERROR (Status)) {\r
          //\r
          // Lock success\r
          //\r
          mMorLockState = MorLockStateLocked;\r
          //\r
          // return EFI_ALREADY_STARTED to skip variable set.\r
          //\r
          return EFI_ALREADY_STARTED;\r
        } else {\r
          //\r
          // SetVar fail\r
          //\r
          return Status;\r
        }\r
      } else {\r
        return EFI_INVALID_PARAMETER;\r
      }\r
    } else if (DataSize == MOR_LOCK_V2_KEY_SIZE) {\r
      //\r
      // V2 lock and provision the key\r
      //\r
\r
      //\r
      // Need set here because the data value on flash is different\r
      //\r
      Status = SetMorLockVariable (MOR_LOCK_DATA_LOCKED_WITH_KEY);\r
      if (EFI_ERROR (Status)) {\r
        //\r
        // SetVar fail, do not provision the key\r
        //\r
        return Status;\r
      } else {\r
        //\r
        // Lock success, provision the key\r
        //\r
        mMorLockKeyEmpty = FALSE;\r
        CopyMem (mMorLockKey, Data, MOR_LOCK_V2_KEY_SIZE);\r
        mMorLockState = MorLockStateLocked;\r
        //\r
        // return EFI_ALREADY_STARTED to skip variable set.\r
        //\r
        return EFI_ALREADY_STARTED;\r
      }\r
    } else {\r
      ASSERT (FALSE);\r
      return EFI_OUT_OF_RESOURCES;\r
    }\r
  } else {\r
    //\r
    // In Locked State\r
    //\r
    if (mMorLockKeyEmpty || (DataSize != MOR_LOCK_V2_KEY_SIZE)) {\r
      return EFI_ACCESS_DENIED;\r
    }\r
\r
    if ((CompareMem (Data, mMorLockKey, MOR_LOCK_V2_KEY_SIZE) == 0)) {\r
      //\r
      // Key match - unlock\r
      //\r
\r
      //\r
      // Need set here because the data value on flash is different\r
      //\r
      Status = SetMorLockVariable (MOR_LOCK_DATA_UNLOCKED);\r
      if (EFI_ERROR (Status)) {\r
        //\r
        // SetVar fail\r
        //\r
        return Status;\r
      } else {\r
        //\r
        // Unlock Success\r
        //\r
        mMorLockState    = MorLockStateUnlocked;\r
        mMorLockKeyEmpty = TRUE;\r
        ZeroMem (mMorLockKey, sizeof (mMorLockKey));\r
        //\r
        // return EFI_ALREADY_STARTED to skip variable set.\r
        //\r
        return EFI_ALREADY_STARTED;\r
      }\r
    } else {\r
      //\r
      // Key mismatch - Prevent Dictionary Attack\r
      //\r
      mMorLockState    = MorLockStateLocked;\r
      mMorLockKeyEmpty = TRUE;\r
      ZeroMem (mMorLockKey, sizeof (mMorLockKey));\r
      return EFI_ACCESS_DENIED;\r
    }\r
  }\r
}\r
\r
/**\r
  This service is an MOR/MorLock checker handler for the SetVariable().\r
\r
  @param[in]  VariableName the name of the vendor's variable, as a\r
                           Null-Terminated Unicode String\r
  @param[in]  VendorGuid   Unify identifier for vendor.\r
  @param[in]  Attributes   Attributes bitmask to set for the variable.\r
  @param[in]  DataSize     The size in bytes of Data-Buffer.\r
  @param[in]  Data         Point to the content of the variable.\r
\r
  @retval  EFI_SUCCESS            The MOR/MorLock check pass, and Variable\r
                                  driver can store the variable data.\r
  @retval  EFI_INVALID_PARAMETER  The MOR/MorLock data or data size or\r
                                  attributes is not allowed for MOR variable.\r
  @retval  EFI_ACCESS_DENIED      The MOR/MorLock is locked.\r
  @retval  EFI_ALREADY_STARTED    The MorLock variable is handled inside this\r
                                  function. Variable driver can just return\r
                                  EFI_SUCCESS.\r
**/\r
EFI_STATUS\r
SetVariableCheckHandlerMor (\r
  IN CHAR16    *VariableName,\r
  IN EFI_GUID  *VendorGuid,\r
  IN UINT32    Attributes,\r
  IN UINTN     DataSize,\r
  IN VOID      *Data\r
  )\r
{\r
  //\r
  // do not handle non-MOR variable\r
  //\r
  if (!IsAnyMorVariable (VariableName, VendorGuid)) {\r
    return EFI_SUCCESS;\r
  }\r
\r
  // Permit deletion when policy is disabled.\r
  if (!IsVariablePolicyEnabled () && ((Attributes == 0) || (DataSize == 0))) {\r
    return EFI_SUCCESS;\r
  }\r
\r
  //\r
  // MorLock variable\r
  //\r
  if (IsMorLockVariable (VariableName, VendorGuid)) {\r
    return SetVariableCheckHandlerMorLock (\r
             VariableName,\r
             VendorGuid,\r
             Attributes,\r
             DataSize,\r
             Data\r
             );\r
  }\r
\r
  //\r
  // Mor Variable\r
  //\r
\r
  //\r
  // Permit deletion for passthru request.\r
  //\r
  if (((Attributes == 0) || (DataSize == 0)) && mMorPassThru) {\r
    return EFI_SUCCESS;\r
  }\r
\r
  //\r
  // Basic Check\r
  //\r
  if ((Attributes != (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS)) ||\r
      (DataSize != sizeof (UINT8)) ||\r
      (Data == NULL))\r
  {\r
    return EFI_INVALID_PARAMETER;\r
  }\r
\r
  if (mMorLockState == MorLockStateLocked) {\r
    //\r
    // If lock, deny access\r
    //\r
    return EFI_ACCESS_DENIED;\r
  }\r
\r
  //\r
  // grant access\r
  //\r
  return EFI_SUCCESS;\r
}\r
\r
/**\r
  Initialization for MOR Control Lock.\r
\r
  @retval EFI_SUCCESS     MorLock initialization success.\r
  @return Others          Some error occurs.\r
**/\r
EFI_STATUS\r
MorLockInit (\r
  VOID\r
  )\r
{\r
  mMorLockInitializationRequired = TRUE;\r
  return EFI_SUCCESS;\r
}\r
\r
/**\r
  Delayed initialization for MOR Control Lock at EndOfDxe.\r
\r
  This function performs any operations queued by MorLockInit().\r
**/\r
VOID\r
MorLockInitAtEndOfDxe (\r
  VOID\r
  )\r
{\r
  UINTN                  MorSize;\r
  EFI_STATUS             MorStatus;\r
  EFI_STATUS             Status;\r
  VARIABLE_POLICY_ENTRY  *NewPolicy;\r
\r
  if (!mMorLockInitializationRequired) {\r
    //\r
    // The EFI_SMM_FAULT_TOLERANT_WRITE_PROTOCOL has never been installed, thus\r
    // the variable write service is unavailable. This should never happen.\r
    //\r
    ASSERT (FALSE);\r
    return;\r
  }\r
\r
  //\r
  // Check if the MOR variable exists.\r
  //\r
  MorSize   = 0;\r
  MorStatus = VariableServiceGetVariable (\r
                MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,\r
                &gEfiMemoryOverwriteControlDataGuid,\r
                NULL,                                   // Attributes\r
                &MorSize,\r
                NULL                                    // Data\r
                );\r
  //\r
  // We provided a zero-sized buffer, so the above call can never succeed.\r
  //\r
  ASSERT (EFI_ERROR (MorStatus));\r
\r
  if (MorStatus == EFI_BUFFER_TOO_SMALL) {\r
    //\r
    // The MOR variable exists.\r
    //\r
    // Some OSes don't follow the TCG's Platform Reset Attack Mitigation spec\r
    // in that the OS should never create the MOR variable, only read and write\r
    // it -- these OSes (unintentionally) create MOR if the platform firmware\r
    // does not produce it. Whether this is the case (from the last OS boot)\r
    // can be deduced from the absence of the TCG / TCG2 protocols, as edk2's\r
    // MOR implementation depends on (one of) those protocols.\r
    //\r
    if (VariableHaveTcgProtocols ()) {\r
      //\r
      // The MOR variable originates from the platform firmware; set the MOR\r
      // Control Lock variable to report the locking capability to the OS.\r
      //\r
      SetMorLockVariable (0);\r
      return;\r
    }\r
\r
    //\r
    // The MOR variable's origin is inexplicable; delete it.\r
    //\r
    DEBUG ((\r
      DEBUG_WARN,\r
      "%a: deleting unexpected / unsupported variable %g:%s\n",\r
      __FUNCTION__,\r
      &gEfiMemoryOverwriteControlDataGuid,\r
      MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME\r
      ));\r
\r
    mMorPassThru = TRUE;\r
    VariableServiceSetVariable (\r
      MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,\r
      &gEfiMemoryOverwriteControlDataGuid,\r
      0,                                      // Attributes\r
      0,                                      // DataSize\r
      NULL                                    // Data\r
      );\r
    mMorPassThru = FALSE;\r
  }\r
\r
  //\r
  // The MOR variable is absent; the platform firmware does not support it.\r
  // Lock the variable so that no other module may create it.\r
  //\r
  NewPolicy = NULL;\r
  Status    = CreateBasicVariablePolicy (\r
                &gEfiMemoryOverwriteControlDataGuid,\r
                MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,\r
                VARIABLE_POLICY_NO_MIN_SIZE,\r
                VARIABLE_POLICY_NO_MAX_SIZE,\r
                VARIABLE_POLICY_NO_MUST_ATTR,\r
                VARIABLE_POLICY_NO_CANT_ATTR,\r
                VARIABLE_POLICY_TYPE_LOCK_NOW,\r
                &NewPolicy\r
                );\r
  if (!EFI_ERROR (Status)) {\r
    Status = RegisterVariablePolicy (NewPolicy);\r
  }\r
\r
  if (EFI_ERROR (Status)) {\r
    DEBUG ((DEBUG_ERROR, "%a - Failed to lock variable %s! %r\n", __FUNCTION__, MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, Status));\r
    ASSERT_EFI_ERROR (Status);\r
  }\r
\r
  if (NewPolicy != NULL) {\r
    FreePool (NewPolicy);\r
  }\r
\r
  //\r
  // Delete the MOR Control Lock variable too (should it exists for some\r
  // reason) and prevent other modules from creating it.\r
  //\r
  mMorLockPassThru = TRUE;\r
  VariableServiceSetVariable (\r
    MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME,\r
    &gEfiMemoryOverwriteRequestControlLockGuid,\r
    0,                                          // Attributes\r
    0,                                          // DataSize\r
    NULL                                        // Data\r
    );\r
  mMorLockPassThru = FALSE;\r
\r
  NewPolicy = NULL;\r
  Status    = CreateBasicVariablePolicy (\r
                &gEfiMemoryOverwriteRequestControlLockGuid,\r
                MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME,\r
                VARIABLE_POLICY_NO_MIN_SIZE,\r
                VARIABLE_POLICY_NO_MAX_SIZE,\r
                VARIABLE_POLICY_NO_MUST_ATTR,\r
                VARIABLE_POLICY_NO_CANT_ATTR,\r
                VARIABLE_POLICY_TYPE_LOCK_NOW,\r
                &NewPolicy\r
                );\r
  if (!EFI_ERROR (Status)) {\r
    Status = RegisterVariablePolicy (NewPolicy);\r
  }\r
\r
  if (EFI_ERROR (Status)) {\r
    DEBUG ((DEBUG_ERROR, "%a - Failed to lock variable %s! %r\n", __FUNCTION__, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, Status));\r
    ASSERT_EFI_ERROR (Status);\r
  }\r
\r
  if (NewPolicy != NULL) {\r
    FreePool (NewPolicy);\r
  }\r
}\r
Commit	Line	Data
abad83e6 JY	1	/** @file\r
	2	TCG MOR (Memory Overwrite Request) Lock Control support (SMM version).\r
	3	\r
	4	This module initilizes MemoryOverwriteRequestControlLock variable.\r
	5	This module adds Variable Hook and check MemoryOverwriteRequestControlLock.\r
	6	\r
5da2c9b2	7	Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>\r
e176bafc	8	Copyright (c) Microsoft Corporation.\r
9d510e61	9	SPDX-License-Identifier: BSD-2-Clause-Patent\r
abad83e6 JY	10	\r
	11	**/\r
	12	\r
	13	#include <PiDxe.h>\r
	14	#include <Guid/MemoryOverwriteControl.h>\r
	15	#include <IndustryStandard/MemoryOverwriteRequestControlLock.h>\r
	16	#include <Library/DebugLib.h>\r
	17	#include <Library/BaseLib.h>\r
	18	#include <Library/BaseMemoryLib.h>\r
	19	#include "Variable.h"\r
	20	\r
e176bafc	21	#include <Protocol/VariablePolicy.h>\r
98ee0c68	22	#include <Library/VariablePolicyHelperLib.h>\r
e176bafc BB	23	#include <Library/VariablePolicyLib.h>\r
e176bafc BB	24	\r
abad83e6	25	typedef struct {\r
1436aea4 MK	26	CHAR16 *VariableName;\r
1436aea4 MK	27	EFI_GUID *VendorGuid;\r
abad83e6 JY	28	} VARIABLE_TYPE;\r
	29	\r
	30	VARIABLE_TYPE mMorVariableType[] = {\r
1436aea4 MK	31	{ MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, &gEfiMemoryOverwriteControlDataGuid },\r
1436aea4 MK	32	{ MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, &gEfiMemoryOverwriteRequestControlLockGuid },\r
abad83e6 JY	33	};\r
abad83e6 JY	34	\r
1436aea4	35	BOOLEAN mMorPassThru = FALSE;\r
fda8f631	36	\r
1436aea4 MK	37	#define MOR_LOCK_DATA_UNLOCKED 0x0\r
	38	#define MOR_LOCK_DATA_LOCKED_WITHOUT_KEY 0x1\r
	39	#define MOR_LOCK_DATA_LOCKED_WITH_KEY 0x2\r
abad83e6 JY	40	\r
	41	#define MOR_LOCK_V1_SIZE 1\r
	42	#define MOR_LOCK_V2_KEY_SIZE 8\r
	43	\r
	44	typedef enum {\r
	45	MorLockStateUnlocked = 0,\r
1436aea4	46	MorLockStateLocked = 1,\r
abad83e6 JY	47	} MOR_LOCK_STATE;\r
abad83e6 JY	48	\r
7516532f	49	BOOLEAN mMorLockInitializationRequired = FALSE;\r
abad83e6 JY	50	UINT8 mMorLockKey[MOR_LOCK_V2_KEY_SIZE];\r
	51	BOOLEAN mMorLockKeyEmpty = TRUE;\r
	52	BOOLEAN mMorLockPassThru = FALSE;\r
1436aea4	53	MOR_LOCK_STATE mMorLockState = MorLockStateUnlocked;\r
abad83e6 JY	54	\r
	55	/**\r
	56	Returns if this is MOR related variable.\r
	57	\r
	58	@param VariableName the name of the vendor's variable, it's a Null-Terminated Unicode String\r
	59	@param VendorGuid Unify identifier for vendor.\r
	60	\r
	61	@retval TRUE The variable is MOR related.\r
	62	@retval FALSE The variable is NOT MOR related.\r
	63	**/\r
	64	BOOLEAN\r
	65	IsAnyMorVariable (\r
1436aea4 MK	66	IN CHAR16 *VariableName,\r
1436aea4 MK	67	IN EFI_GUID *VendorGuid\r
abad83e6 JY	68	)\r
abad83e6 JY	69	{\r
1436aea4	70	UINTN Index;\r
abad83e6	71	\r
1436aea4	72	for (Index = 0; Index < sizeof (mMorVariableType)/sizeof (mMorVariableType[0]); Index++) {\r
abad83e6	73	if ((StrCmp (VariableName, mMorVariableType[Index].VariableName) == 0) &&\r
1436aea4 MK	74	(CompareGuid (VendorGuid, mMorVariableType[Index].VendorGuid)))\r
1436aea4 MK	75	{\r
abad83e6 JY	76	return TRUE;\r
	77	}\r
	78	}\r
1436aea4	79	\r
abad83e6 JY	80	return FALSE;\r
	81	}\r
	82	\r
	83	/**\r
	84	Returns if this is MOR lock variable.\r
	85	\r
	86	@param VariableName the name of the vendor's variable, it's a Null-Terminated Unicode String\r
	87	@param VendorGuid Unify identifier for vendor.\r
	88	\r
	89	@retval TRUE The variable is MOR lock variable.\r
	90	@retval FALSE The variable is NOT MOR lock variable.\r
	91	**/\r
	92	BOOLEAN\r
	93	IsMorLockVariable (\r
1436aea4 MK	94	IN CHAR16 *VariableName,\r
1436aea4 MK	95	IN EFI_GUID *VendorGuid\r
abad83e6 JY	96	)\r
	97	{\r
	98	if ((StrCmp (VariableName, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME) == 0) &&\r
1436aea4 MK	99	(CompareGuid (VendorGuid, &gEfiMemoryOverwriteRequestControlLockGuid)))\r
1436aea4 MK	100	{\r
abad83e6 JY	101	return TRUE;\r
abad83e6 JY	102	}\r
1436aea4	103	\r
abad83e6 JY	104	return FALSE;\r
	105	}\r
	106	\r
	107	/**\r
	108	Set MOR lock variable.\r
	109	\r
	110	@param Data MOR Lock variable data.\r
	111	\r
	112	@retval EFI_SUCCESS The firmware has successfully stored the variable and its data as\r
	113	defined by the Attributes.\r
	114	@retval EFI_INVALID_PARAMETER An invalid combination of attribute bits was supplied, or the\r
	115	DataSize exceeds the maximum allowed.\r
	116	@retval EFI_INVALID_PARAMETER VariableName is an empty Unicode string.\r
	117	@retval EFI_OUT_OF_RESOURCES Not enough storage is available to hold the variable and its data.\r
	118	@retval EFI_DEVICE_ERROR The variable could not be saved due to a hardware failure.\r
	119	@retval EFI_WRITE_PROTECTED The variable in question is read-only.\r
	120	@retval EFI_WRITE_PROTECTED The variable in question cannot be deleted.\r
4073f85d	121	@retval EFI_SECURITY_VIOLATION The variable could not be written due to EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS\r
abad83e6 JY	122	set but the AuthInfo does NOT pass the validation check carried\r
	123	out by the firmware.\r
	124	@retval EFI_NOT_FOUND The variable trying to be updated or deleted was not found.\r
	125	**/\r
	126	EFI_STATUS\r
	127	SetMorLockVariable (\r
	128	IN UINT8 Data\r
	129	)\r
	130	{\r
	131	EFI_STATUS Status;\r
	132	\r
	133	mMorLockPassThru = TRUE;\r
1436aea4 MK	134	Status = VariableServiceSetVariable (\r
	135	MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME,\r
	136	&gEfiMemoryOverwriteRequestControlLockGuid,\r
	137	EFI_VARIABLE_NON_VOLATILE \| EFI_VARIABLE_BOOTSERVICE_ACCESS \| EFI_VARIABLE_RUNTIME_ACCESS,\r
	138	sizeof (Data),\r
	139	&Data\r
	140	);\r
abad83e6 JY	141	mMorLockPassThru = FALSE;\r
	142	return Status;\r
	143	}\r
	144	\r
	145	/**\r
	146	This service is an MorLock checker handler for the SetVariable().\r
	147	\r
	148	@param VariableName the name of the vendor's variable, as a\r
	149	Null-Terminated Unicode String\r
	150	@param VendorGuid Unify identifier for vendor.\r
	151	@param Attributes Point to memory location to return the attributes of variable. If the point\r
	152	is NULL, the parameter would be ignored.\r
	153	@param DataSize The size in bytes of Data-Buffer.\r
	154	@param Data Point to the content of the variable.\r
	155	\r
	156	@retval EFI_SUCCESS The MorLock check pass, and Variable driver can store the variable data.\r
	157	@retval EFI_INVALID_PARAMETER The MorLock data or data size or attributes is not allowed.\r
	158	@retval EFI_ACCESS_DENIED The MorLock is locked.\r
	159	@retval EFI_WRITE_PROTECTED The MorLock deletion is not allowed.\r
	160	@retval EFI_ALREADY_STARTED The MorLock variable is handled inside this function.\r
	161	Variable driver can just return EFI_SUCCESS.\r
	162	**/\r
	163	EFI_STATUS\r
	164	SetVariableCheckHandlerMorLock (\r
1436aea4 MK	165	IN CHAR16 *VariableName,\r
	166	IN EFI_GUID *VendorGuid,\r
	167	IN UINT32 Attributes,\r
	168	IN UINTN DataSize,\r
	169	IN VOID *Data\r
abad83e6 JY	170	)\r
	171	{\r
	172	EFI_STATUS Status;\r
	173	\r
	174	//\r
	175	// Basic Check\r
	176	//\r
1436aea4	177	if ((Attributes == 0) \|\| (DataSize == 0) \|\| (Data == NULL)) {\r
e3531164 LE	178	//\r
	179	// Permit deletion for passthru request, deny it otherwise.\r
	180	//\r
	181	return mMorLockPassThru ? EFI_SUCCESS : EFI_WRITE_PROTECTED;\r
abad83e6 JY	182	}\r
	183	\r
	184	if ((Attributes != (EFI_VARIABLE_NON_VOLATILE \| EFI_VARIABLE_BOOTSERVICE_ACCESS \| EFI_VARIABLE_RUNTIME_ACCESS)) \|\|\r
1436aea4 MK	185	((DataSize != MOR_LOCK_V1_SIZE) && (DataSize != MOR_LOCK_V2_KEY_SIZE)))\r
1436aea4 MK	186	{\r
abad83e6 JY	187	return EFI_INVALID_PARAMETER;\r
	188	}\r
	189	\r
	190	//\r
	191	// Do not check if the request is passthru.\r
	192	//\r
	193	if (mMorLockPassThru) {\r
	194	return EFI_SUCCESS;\r
	195	}\r
	196	\r
	197	if (mMorLockState == MorLockStateUnlocked) {\r
	198	//\r
	199	// In Unlocked State\r
	200	//\r
	201	if (DataSize == MOR_LOCK_V1_SIZE) {\r
	202	//\r
0a18956d	203	// V1 - lock permanently\r
abad83e6 JY	204	//\r
	205	if ((UINT8 )Data == MOR_LOCK_DATA_UNLOCKED) {\r
	206	//\r
	207	// Unlock\r
	208	//\r
	209	Status = SetMorLockVariable (MOR_LOCK_DATA_UNLOCKED);\r
	210	if (!EFI_ERROR (Status)) {\r
	211	//\r
	212	// return EFI_ALREADY_STARTED to skip variable set.\r
	213	//\r
	214	return EFI_ALREADY_STARTED;\r
	215	} else {\r
	216	//\r
	217	// SetVar fail\r
	218	//\r
	219	return Status;\r
	220	}\r
	221	} else if ((UINT8 )Data == MOR_LOCK_DATA_LOCKED_WITHOUT_KEY) {\r
	222	//\r
	223	// Lock without key\r
	224	//\r
	225	Status = SetMorLockVariable (MOR_LOCK_DATA_LOCKED_WITHOUT_KEY);\r
	226	if (!EFI_ERROR (Status)) {\r
	227	//\r
	228	// Lock success\r
	229	//\r
	230	mMorLockState = MorLockStateLocked;\r
	231	//\r
	232	// return EFI_ALREADY_STARTED to skip variable set.\r
	233	//\r
	234	return EFI_ALREADY_STARTED;\r
	235	} else {\r
	236	//\r
	237	// SetVar fail\r
	238	//\r
	239	return Status;\r
	240	}\r
	241	} else {\r
	242	return EFI_INVALID_PARAMETER;\r
	243	}\r
	244	} else if (DataSize == MOR_LOCK_V2_KEY_SIZE) {\r
	245	//\r
	246	// V2 lock and provision the key\r
	247	//\r
	248	\r
	249	//\r
	250	// Need set here because the data value on flash is different\r
	251	//\r
	252	Status = SetMorLockVariable (MOR_LOCK_DATA_LOCKED_WITH_KEY);\r
1436aea4	253	if (EFI_ERROR (Status)) {\r
abad83e6 JY	254	//\r
	255	// SetVar fail, do not provision the key\r
	256	//\r
	257	return Status;\r
	258	} else {\r
	259	//\r
	260	// Lock success, provision the key\r
	261	//\r
	262	mMorLockKeyEmpty = FALSE;\r
	263	CopyMem (mMorLockKey, Data, MOR_LOCK_V2_KEY_SIZE);\r
	264	mMorLockState = MorLockStateLocked;\r
	265	//\r
	266	// return EFI_ALREADY_STARTED to skip variable set.\r
	267	//\r
	268	return EFI_ALREADY_STARTED;\r
	269	}\r
	270	} else {\r
	271	ASSERT (FALSE);\r
	272	return EFI_OUT_OF_RESOURCES;\r
	273	}\r
	274	} else {\r
	275	//\r
	276	// In Locked State\r
	277	//\r
	278	if (mMorLockKeyEmpty \|\| (DataSize != MOR_LOCK_V2_KEY_SIZE)) {\r
	279	return EFI_ACCESS_DENIED;\r
	280	}\r
1436aea4	281	\r
abad83e6 JY	282	if ((CompareMem (Data, mMorLockKey, MOR_LOCK_V2_KEY_SIZE) == 0)) {\r
	283	//\r
	284	// Key match - unlock\r
	285	//\r
	286	\r
	287	//\r
	288	// Need set here because the data value on flash is different\r
	289	//\r
	290	Status = SetMorLockVariable (MOR_LOCK_DATA_UNLOCKED);\r
	291	if (EFI_ERROR (Status)) {\r
	292	//\r
	293	// SetVar fail\r
	294	//\r
	295	return Status;\r
	296	} else {\r
	297	//\r
	298	// Unlock Success\r
	299	//\r
1436aea4	300	mMorLockState = MorLockStateUnlocked;\r
abad83e6	301	mMorLockKeyEmpty = TRUE;\r
1436aea4	302	ZeroMem (mMorLockKey, sizeof (mMorLockKey));\r
abad83e6 JY	303	//\r
	304	// return EFI_ALREADY_STARTED to skip variable set.\r
	305	//\r
	306	return EFI_ALREADY_STARTED;\r
	307	}\r
	308	} else {\r
	309	//\r
	310	// Key mismatch - Prevent Dictionary Attack\r
	311	//\r
1436aea4	312	mMorLockState = MorLockStateLocked;\r
abad83e6	313	mMorLockKeyEmpty = TRUE;\r
1436aea4	314	ZeroMem (mMorLockKey, sizeof (mMorLockKey));\r
abad83e6 JY	315	return EFI_ACCESS_DENIED;\r
	316	}\r
	317	}\r
	318	}\r
	319	\r
	320	/**\r
	321	This service is an MOR/MorLock checker handler for the SetVariable().\r
	322	\r
03877377 LE	323	@param[in] VariableName the name of the vendor's variable, as a\r
	324	Null-Terminated Unicode String\r
	325	@param[in] VendorGuid Unify identifier for vendor.\r
	326	@param[in] Attributes Attributes bitmask to set for the variable.\r
	327	@param[in] DataSize The size in bytes of Data-Buffer.\r
	328	@param[in] Data Point to the content of the variable.\r
	329	\r
	330	@retval EFI_SUCCESS The MOR/MorLock check pass, and Variable\r
	331	driver can store the variable data.\r
	332	@retval EFI_INVALID_PARAMETER The MOR/MorLock data or data size or\r
	333	attributes is not allowed for MOR variable.\r
abad83e6	334	@retval EFI_ACCESS_DENIED The MOR/MorLock is locked.\r
03877377 LE	335	@retval EFI_ALREADY_STARTED The MorLock variable is handled inside this\r
	336	function. Variable driver can just return\r
	337	EFI_SUCCESS.\r
abad83e6 JY	338	**/\r
	339	EFI_STATUS\r
	340	SetVariableCheckHandlerMor (\r
1436aea4 MK	341	IN CHAR16 *VariableName,\r
	342	IN EFI_GUID *VendorGuid,\r
	343	IN UINT32 Attributes,\r
	344	IN UINTN DataSize,\r
	345	IN VOID *Data\r
abad83e6 JY	346	)\r
	347	{\r
	348	//\r
	349	// do not handle non-MOR variable\r
	350	//\r
	351	if (!IsAnyMorVariable (VariableName, VendorGuid)) {\r
	352	return EFI_SUCCESS;\r
	353	}\r
	354	\r
e176bafc	355	// Permit deletion when policy is disabled.\r
1436aea4	356	if (!IsVariablePolicyEnabled () && ((Attributes == 0) \|\| (DataSize == 0))) {\r
e176bafc BB	357	return EFI_SUCCESS;\r
	358	}\r
	359	\r
abad83e6 JY	360	//\r
	361	// MorLock variable\r
	362	//\r
	363	if (IsMorLockVariable (VariableName, VendorGuid)) {\r
	364	return SetVariableCheckHandlerMorLock (\r
	365	VariableName,\r
	366	VendorGuid,\r
	367	Attributes,\r
	368	DataSize,\r
	369	Data\r
	370	);\r
	371	}\r
	372	\r
	373	//\r
	374	// Mor Variable\r
	375	//\r
	376	\r
fda8f631 LE	377	//\r
	378	// Permit deletion for passthru request.\r
	379	//\r
	380	if (((Attributes == 0) \|\| (DataSize == 0)) && mMorPassThru) {\r
	381	return EFI_SUCCESS;\r
	382	}\r
	383	\r
abad83e6 JY	384	//\r
	385	// Basic Check\r
	386	//\r
	387	if ((Attributes != (EFI_VARIABLE_NON_VOLATILE \| EFI_VARIABLE_BOOTSERVICE_ACCESS \| EFI_VARIABLE_RUNTIME_ACCESS)) \|\|\r
1436aea4 MK	388	(DataSize != sizeof (UINT8)) \|\|\r
	389	(Data == NULL))\r
	390	{\r
abad83e6 JY	391	return EFI_INVALID_PARAMETER;\r
abad83e6 JY	392	}\r
1436aea4	393	\r
abad83e6 JY	394	if (mMorLockState == MorLockStateLocked) {\r
	395	//\r
	396	// If lock, deny access\r
	397	//\r
	398	return EFI_ACCESS_DENIED;\r
	399	}\r
1436aea4	400	\r
abad83e6 JY	401	//\r
	402	// grant access\r
	403	//\r
	404	return EFI_SUCCESS;\r
	405	}\r
	406	\r
	407	/**\r
03877377	408	Initialization for MOR Control Lock.\r
abad83e6	409	\r
03877377	410	@retval EFI_SUCCESS MorLock initialization success.\r
abad83e6 JY	411	@return Others Some error occurs.\r
	412	**/\r
	413	EFI_STATUS\r
	414	MorLockInit (\r
	415	VOID\r
	416	)\r
	417	{\r
7516532f LE	418	mMorLockInitializationRequired = TRUE;\r
7516532f LE	419	return EFI_SUCCESS;\r
abad83e6	420	}\r
f1304280 LE	421	\r
	422	/**\r
	423	Delayed initialization for MOR Control Lock at EndOfDxe.\r
	424	\r
	425	This function performs any operations queued by MorLockInit().\r
	426	**/\r
	427	VOID\r
	428	MorLockInitAtEndOfDxe (\r
	429	VOID\r
	430	)\r
	431	{\r
1436aea4 MK	432	UINTN MorSize;\r
	433	EFI_STATUS MorStatus;\r
	434	EFI_STATUS Status;\r
	435	VARIABLE_POLICY_ENTRY *NewPolicy;\r
7516532f LE	436	\r
	437	if (!mMorLockInitializationRequired) {\r
	438	//\r
	439	// The EFI_SMM_FAULT_TOLERANT_WRITE_PROTOCOL has never been installed, thus\r
	440	// the variable write service is unavailable. This should never happen.\r
	441	//\r
	442	ASSERT (FALSE);\r
	443	return;\r
	444	}\r
	445	\r
	446	//\r
	447	// Check if the MOR variable exists.\r
	448	//\r
1436aea4	449	MorSize = 0;\r
7516532f LE	450	MorStatus = VariableServiceGetVariable (\r
	451	MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,\r
	452	&gEfiMemoryOverwriteControlDataGuid,\r
	453	NULL, // Attributes\r
	454	&MorSize,\r
	455	NULL // Data\r
	456	);\r
f1304280	457	//\r
7516532f	458	// We provided a zero-sized buffer, so the above call can never succeed.\r
f1304280	459	//\r
7516532f LE	460	ASSERT (EFI_ERROR (MorStatus));\r
	461	\r
	462	if (MorStatus == EFI_BUFFER_TOO_SMALL) {\r
	463	//\r
fda8f631	464	// The MOR variable exists.\r
7516532f	465	//\r
fda8f631 LE	466	// Some OSes don't follow the TCG's Platform Reset Attack Mitigation spec\r
	467	// in that the OS should never create the MOR variable, only read and write\r
	468	// it -- these OSes (unintentionally) create MOR if the platform firmware\r
	469	// does not produce it. Whether this is the case (from the last OS boot)\r
	470	// can be deduced from the absence of the TCG / TCG2 protocols, as edk2's\r
	471	// MOR implementation depends on (one of) those protocols.\r
	472	//\r
a855f63e	473	if (VariableHaveTcgProtocols ()) {\r
fda8f631 LE	474	//\r
	475	// The MOR variable originates from the platform firmware; set the MOR\r
	476	// Control Lock variable to report the locking capability to the OS.\r
	477	//\r
	478	SetMorLockVariable (0);\r
	479	return;\r
	480	}\r
	481	\r
	482	//\r
	483	// The MOR variable's origin is inexplicable; delete it.\r
	484	//\r
	485	DEBUG ((\r
	486	DEBUG_WARN,\r
	487	"%a: deleting unexpected / unsupported variable %g:%s\n",\r
	488	__FUNCTION__,\r
	489	&gEfiMemoryOverwriteControlDataGuid,\r
	490	MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME\r
	491	));\r
	492	\r
	493	mMorPassThru = TRUE;\r
	494	VariableServiceSetVariable (\r
	495	MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,\r
	496	&gEfiMemoryOverwriteControlDataGuid,\r
	497	0, // Attributes\r
	498	0, // DataSize\r
	499	NULL // Data\r
	500	);\r
	501	mMorPassThru = FALSE;\r
7516532f LE	502	}\r
	503	\r
	504	//\r
fda8f631 LE	505	// The MOR variable is absent; the platform firmware does not support it.\r
	506	// Lock the variable so that no other module may create it.\r
	507	//\r
98ee0c68	508	NewPolicy = NULL;\r
1436aea4 MK	509	Status = CreateBasicVariablePolicy (\r
	510	&gEfiMemoryOverwriteControlDataGuid,\r
	511	MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,\r
	512	VARIABLE_POLICY_NO_MIN_SIZE,\r
	513	VARIABLE_POLICY_NO_MAX_SIZE,\r
	514	VARIABLE_POLICY_NO_MUST_ATTR,\r
	515	VARIABLE_POLICY_NO_CANT_ATTR,\r
	516	VARIABLE_POLICY_TYPE_LOCK_NOW,\r
	517	&NewPolicy\r
	518	);\r
	519	if (!EFI_ERROR (Status)) {\r
	520	Status = RegisterVariablePolicy (NewPolicy);\r
98ee0c68	521	}\r
1436aea4 MK	522	\r
	523	if (EFI_ERROR (Status)) {\r
	524	DEBUG ((DEBUG_ERROR, "%a - Failed to lock variable %s! %r\n", __FUNCTION__, MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, Status));\r
	525	ASSERT_EFI_ERROR (Status);\r
98ee0c68	526	}\r
1436aea4	527	\r
98ee0c68	528	if (NewPolicy != NULL) {\r
1436aea4	529	FreePool (NewPolicy);\r
98ee0c68	530	}\r
fda8f631 LE	531	\r
	532	//\r
	533	// Delete the MOR Control Lock variable too (should it exists for some\r
	534	// reason) and prevent other modules from creating it.\r
7516532f LE	535	//\r
	536	mMorLockPassThru = TRUE;\r
	537	VariableServiceSetVariable (\r
	538	MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME,\r
	539	&gEfiMemoryOverwriteRequestControlLockGuid,\r
	540	0, // Attributes\r
	541	0, // DataSize\r
	542	NULL // Data\r
	543	);\r
	544	mMorLockPassThru = FALSE;\r
	545	\r
98ee0c68	546	NewPolicy = NULL;\r
1436aea4 MK	547	Status = CreateBasicVariablePolicy (\r
	548	&gEfiMemoryOverwriteRequestControlLockGuid,\r
	549	MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME,\r
	550	VARIABLE_POLICY_NO_MIN_SIZE,\r
	551	VARIABLE_POLICY_NO_MAX_SIZE,\r
	552	VARIABLE_POLICY_NO_MUST_ATTR,\r
	553	VARIABLE_POLICY_NO_CANT_ATTR,\r
	554	VARIABLE_POLICY_TYPE_LOCK_NOW,\r
	555	&NewPolicy\r
	556	);\r
	557	if (!EFI_ERROR (Status)) {\r
	558	Status = RegisterVariablePolicy (NewPolicy);\r
98ee0c68	559	}\r
1436aea4 MK	560	\r
	561	if (EFI_ERROR (Status)) {\r
	562	DEBUG ((DEBUG_ERROR, "%a - Failed to lock variable %s! %r\n", __FUNCTION__, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, Status));\r
	563	ASSERT_EFI_ERROR (Status);\r
98ee0c68	564	}\r
1436aea4	565	\r
98ee0c68	566	if (NewPolicy != NULL) {\r
1436aea4	567	FreePool (NewPolicy);\r
98ee0c68	568	}\r
f1304280	569	}\r