Use SmmMemLib to check communication buffer.
[mirror_edk2.git] / SecurityPkg / VariableAuthenticated / RuntimeDxe / VariableSmm.c
0c18794e 1/** @file\r
2 The sample implementation for SMM variable protocol. And this driver \r
3 implements an SMI handler to communicate with the DXE runtime driver \r
4 to provide variable services.\r
5\r
dc204d5a
JY
6 Caution: This module requires additional review when modified.\r
7 This driver receives external input in SMM mode: variable data and the communication buffer.\r
8 This external input must be validated carefully to avoid security issues such as\r
9 buffer overflow and integer overflow.\r
10\r
11 SmmVariableHandler() will receive untrusted input and do basic validation.\r
12\r
13 Each sub function VariableServiceGetVariable(), VariableServiceGetNextVariableName(), \r
14 VariableServiceSetVariable(), VariableServiceQueryVariableInfo(), ReclaimForOS(), \r
15 SmmVariableGetStatistics() should also do validation based on its own knowledge.\r
16\r
17409b7a 17Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.<BR>\r
0c18794e 18This program and the accompanying materials \r
19are licensed and made available under the terms and conditions of the BSD License \r
20which accompanies this distribution. The full text of the license may be found at \r
21http://opensource.org/licenses/bsd-license.php\r
22\r
23THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, \r
24WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
25\r
26**/\r
27\r
28#include <Protocol/SmmVariable.h>\r
29#include <Protocol/SmmFirmwareVolumeBlock.h>\r
30#include <Protocol/SmmFaultTolerantWrite.h>\r
25a4e71a 31#include <Protocol/SmmAccess2.h>\r
6ab9f441 32#include <Protocol/SmmEndOfDxe.h>\r
17409b7a 33#include <Protocol/SmmVarCheck.h>\r
25a4e71a 34\r
0c18794e 35#include <Library/SmmServicesTableLib.h>\r
9054e55a 36#include <Library/SmmMemLib.h>\r
0c18794e 37\r
38#include <Guid/AuthenticatedVariableFormat.h>\r
39#include <Guid/SmmVariableCommon.h>\r
40#include "Variable.h"\r
41\r
//
// Head of the variable statistics list walked by SmmVariableGetStatistics().
// Defined outside this file.
//
extern VARIABLE_INFO_ENTRY  *gVariableInfo;

//
// Handles used when installing the "service ready" protocol interfaces
// through boot services.
//
EFI_HANDLE  mSmmVariableHandle = NULL;
EFI_HANDLE  mVariableHandle    = NULL;

//
// Set to TRUE by the SMI handler on SMM_VARIABLE_FUNCTION_EXIT_BOOT_SERVICE
// and reported by AtRuntime().
//
BOOLEAN  mAtRuntime = FALSE;

//
// All-zero GUID; SmmVariableGetStatistics() treats it as "return the first entry".
//
EFI_GUID  mZeroGuid = {0, 0, 0, {0, 0, 0, 0, 0, 0, 0, 0}};

//
// Buffer allocated with SmmAllocatePool() in VariableServiceInitialize().
// The SMI handler copies the communication payload here before parsing it,
// and rejects payloads larger than mVariableBufferPayloadSize.
//
UINT8  *mVariableBufferPayload = NULL;
UINTN  mVariableBufferPayloadSize;

//
// Defined outside this file. mEndOfDxe is set by SmmEndOfDxeCallback() and by
// the READY_TO_BOOT SMI function; mEnableLocking is cleared for the duration
// of SmmVariableSetVariable().
//
extern BOOLEAN  mEndOfDxe;
extern BOOLEAN  mEnableLocking;
51\r
c1d93242
JY
/**
  SecureBoot hook for SetVariable.

  The implementation in this file does nothing with its arguments and
  returns immediately.

  @param[in] VariableName   Name of the variable being set (unused here).
  @param[in] VendorGuid     Vendor GUID of the variable (unused here).

**/
VOID
EFIAPI
SecureBootHook (
  IN CHAR16                                 *VariableName,
  IN EFI_GUID                               *VendorGuid
  )
{
  //
  // No work to do in this build of the hook.
  //
  return;
}
68\r
6ab9f441
RN
/**
  SetVariable entry published in gSmmVariable (EFI_SMM_VARIABLE_PROTOCOL).

  Forwards the request to VariableServiceSetVariable() with mEnableLocking
  cleared for the duration of the call, then sets mEnableLocking back to TRUE.
  The original comment describes this as disabling write protection for
  callers that come in through EFI_SMM_VARIABLE_PROTOCOL.

  @param VariableName   Name of the variable to set.
  @param VendorGuid     Vendor GUID of the variable.
  @param Attributes     Attributes to store with the variable.
  @param DataSize       Size in bytes of the buffer pointed to by Data.
  @param Data           Pointer to the variable contents.

  @return The status returned by VariableServiceSetVariable(). The original
          header lists EFI_SUCCESS, EFI_INVALID_PARAMETER, EFI_OUT_OF_RESOURCES,
          EFI_NOT_FOUND and EFI_WRITE_PROTECTED.

**/
EFI_STATUS
EFIAPI
SmmVariableSetVariable (
  IN CHAR16                  *VariableName,
  IN EFI_GUID                *VendorGuid,
  IN UINT32                  Attributes,
  IN UINTN                   DataSize,
  IN VOID                    *Data
  )
{
  EFI_STATUS  Result;

  //
  // Locking is off only while this one request is serviced.
  // mEnableLocking is unconditionally TRUE again afterwards, whatever the result.
  //
  mEnableLocking = FALSE;
  Result = VariableServiceSetVariable (VariableName, VendorGuid, Attributes, DataSize, Data);
  mEnableLocking = TRUE;

  return Result;
}
5e5bb2a9 113\r
//
// EFI_SMM_VARIABLE_PROTOCOL instance installed by VariableServiceInitialize().
// Its SetVariable slot is SmmVariableSetVariable(), which runs with
// mEnableLocking cleared.
//
EFI_SMM_VARIABLE_PROTOCOL  gSmmVariable = {
  VariableServiceGetVariable,
  VariableServiceGetNextVariableName,
  SmmVariableSetVariable,
  VariableServiceQueryVariableInfo
};

//
// EDKII_SMM_VAR_CHECK_PROTOCOL instance installed by VariableServiceInitialize().
//
EDKII_SMM_VAR_CHECK_PROTOCOL  mSmmVarCheck = {
  VarCheckRegisterSetVariableCheckHandler,
  VarCheckVariablePropertySet,
  VarCheckVariablePropertyGet
};
124\r
/**
  Report whether the runtime phase has been entered.

  The value comes from mAtRuntime, which the SMI handler sets when it
  receives SMM_VARIABLE_FUNCTION_EXIT_BOOT_SERVICE.

  @retval TRUE    mAtRuntime is set (ExitBootServices () has been signalled).
  @retval FALSE   mAtRuntime is not set.
**/
BOOLEAN
AtRuntime (
  VOID
  )
{
  BOOLEAN  RuntimeReached;

  RuntimeReached = mAtRuntime;
  return RuntimeReached;
}
137\r
/**
  Lock-initialization entry point for the SMM build of the variable driver.

  This implementation does not touch the lock structure and does not use
  Priority; it hands the caller's pointer straight back. It performs no
  ASSERT() on either argument.

  @param  Lock       A pointer to the lock data structure.
  @param  Priority   EFI TPL associated with the lock (unused here).

  @return The Lock pointer that was passed in, unchanged.

**/
EFI_LOCK *
InitializeLock (
  IN OUT EFI_LOCK                         *Lock,
  IN EFI_TPL                              Priority
  )
{
  EFI_LOCK  *SameLock;

  SameLock = Lock;
  return SameLock;
}
162\r
/**
  Lock-acquire entry point for the SMM build of the variable driver.

  The body is empty: this implementation never calls EfiAcquireLock() and
  ignores Lock, both at boot time and at runtime.

  @param  Lock   A pointer to the lock to acquire (unused here).

**/
VOID
AcquireLockOnlyAtBootTime (
  IN EFI_LOCK                             *Lock
  )
{
  //
  // Nothing to do.
  //
}
182\r
183\r
/**
  Lock-release entry point for the SMM build of the variable driver.

  The body is empty: this implementation never calls EfiReleaseLock() and
  ignores Lock, both at boot time and at runtime.

  @param  Lock   A pointer to the lock to release (unused here).

**/
VOID
ReleaseLockOnlyAtBootTime (
  IN EFI_LOCK                             *Lock
  )
{
  //
  // Nothing to do.
  //
}
203\r
/**
  Retrieve the SMM Fault Tolerant Write protocol interface.

  Thin wrapper around gSmst->SmmLocateProtocol() for
  gEfiSmmFaultTolerantWriteProtocolGuid.

  @param[out] FtwProtocol       Receives the SMM FTW protocol interface.

  @retval EFI_SUCCESS           The SMM FTW protocol instance was found and returned in FtwProtocol.
  @retval EFI_NOT_FOUND         The SMM FTW protocol instance was not found.
  @retval EFI_INVALID_PARAMETER FtwProtocol is NULL.

**/
EFI_STATUS
GetFtwProtocol (
  OUT VOID                                **FtwProtocol
  )
{
  //
  // No registration key is supplied, so the lookup is by GUID only.
  //
  return gSmst->SmmLocateProtocol (
                  &gEfiSmmFaultTolerantWriteProtocolGuid,
                  NULL,
                  FtwProtocol
                  );
}
231\r
232\r
/**
  Retrieve the SMM FVB protocol interface installed on a handle.

  Thin wrapper around gSmst->SmmHandleProtocol() for
  gEfiSmmFirmwareVolumeBlockProtocolGuid.

  @param[in]  FvBlockHandle     The handle of the SMM FVB protocol that provides services for
                                reading, writing, and erasing the target block.
  @param[out] FvBlock           Receives the SMM FVB protocol interface.

  @retval EFI_SUCCESS           The interface information for the specified protocol was returned.
  @retval EFI_UNSUPPORTED       The device does not support the SMM FVB protocol.
  @retval EFI_INVALID_PARAMETER FvBlockHandle is not a valid EFI_HANDLE or FvBlock is NULL.

**/
EFI_STATUS
GetFvbByHandle (
  IN  EFI_HANDLE                          FvBlockHandle,
  OUT EFI_FIRMWARE_VOLUME_BLOCK_PROTOCOL  **FvBlock
  )
{
  EFI_STATUS  Status;

  Status = gSmst->SmmHandleProtocol (
                    FvBlockHandle,
                    &gEfiSmmFirmwareVolumeBlockProtocolGuid,
                    (VOID **) FvBlock
                    );
  return Status;
}
260\r
261\r
/**
  Return, in a pool-allocated buffer, the handles that support the SMM FVB protocol.

  The function asks SmmLocateHandle() for the required size with a zero-length
  buffer, allocates that many bytes with AllocatePool(), and calls
  SmmLocateHandle() again to fill the buffer. On success the caller owns
  *Buffer and is responsible for freeing it.

  @param[out]  NumberHandles    The number of handles returned in Buffer.
  @param[out]  Buffer           Receives the pointer to the allocated array of handles.

  @retval EFI_SUCCESS           The array of handles was returned in Buffer, and the number of
                                handles in Buffer was returned in NumberHandles.
  @retval EFI_NOT_FOUND         The size query failed with anything other than EFI_BUFFER_TOO_SMALL.
  @retval EFI_OUT_OF_RESOURCES  There is not enough pool memory to store the matching results.
  @retval EFI_INVALID_PARAMETER NumberHandles is NULL or Buffer is NULL.
  @retval Others                The second SmmLocateHandle() call failed; *Buffer is freed and
                                set to NULL and *NumberHandles is 0.

**/
EFI_STATUS
GetFvbCountAndBuffer (
  OUT UINTN                               *NumberHandles,
  OUT EFI_HANDLE                          **Buffer
  )
{
  EFI_STATUS  Status;
  UINTN       HandleBytes;

  if ((NumberHandles == NULL) || (Buffer == NULL)) {
    return EFI_INVALID_PARAMETER;
  }

  //
  // Outputs start in the "nothing found" state.
  //
  *NumberHandles = 0;
  *Buffer        = NULL;
  HandleBytes    = 0;

  //
  // Size query: a zero-length buffer makes the call report the bytes needed.
  //
  Status = gSmst->SmmLocateHandle (
                    ByProtocol,
                    &gEfiSmmFirmwareVolumeBlockProtocolGuid,
                    NULL,
                    &HandleBytes,
                    *Buffer
                    );
  if (EFI_ERROR (Status) && (Status != EFI_BUFFER_TOO_SMALL)) {
    return EFI_NOT_FOUND;
  }

  *Buffer = AllocatePool (HandleBytes);
  if (*Buffer == NULL) {
    return EFI_OUT_OF_RESOURCES;
  }

  //
  // Second pass fills the freshly allocated array.
  //
  Status = gSmst->SmmLocateHandle (
                    ByProtocol,
                    &gEfiSmmFirmwareVolumeBlockProtocolGuid,
                    NULL,
                    &HandleBytes,
                    *Buffer
                    );
  if (EFI_ERROR (Status)) {
    //
    // Do not hand a half-filled buffer back to the caller.
    //
    *NumberHandles = 0;
    FreePool (*Buffer);
    *Buffer = NULL;
    return Status;
  }

  *NumberHandles = HandleBytes / sizeof (EFI_HANDLE);
  return Status;
}
326\r
327\r
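/**
  Get one entry of the variable statistics list headed by gVariableInfo.

  Caution: This function may be invoked at SMM runtime.
  InfoEntry and InfoSize are external input. The name that follows InfoEntry is
  supplied by the caller and is never assumed to be NUL-terminated: it is only
  compared within the first *InfoSize bytes of the caller's buffer.

  @param[in, out]  InfoEntry    A pointer to the buffer of variable information entry.
                                On input, it holds the variable information returned last time,
                                followed by that variable's name. If InfoEntry->VendorGuid is
                                zero, the first entry of the list is returned.
                                On output, it holds the next variable information followed by
                                its name.
  @param[in, out]  InfoSize     On input, the size of the variable information buffer.
                                On output, the returned variable information size, the required
                                size when EFI_BUFFER_TOO_SMALL is returned, or 0 when the end of
                                the list has been reached (or the input entry was not found).

  @retval EFI_SUCCESS           The variable information is found and returned successfully,
                                or the list is exhausted and *InfoSize is 0.
  @retval EFI_UNSUPPORTED       No variable information exists in the variable driver. The
                                PcdVariableCollectStatistics should be set TRUE to support it.
  @retval EFI_BUFFER_TOO_SMALL  The buffer is too small to hold the next variable information.
  @retval EFI_INVALID_PARAMETER InfoEntry or InfoSize is NULL.

**/
EFI_STATUS
SmmVariableGetStatistics (
  IN OUT VARIABLE_INFO_ENTRY                           *InfoEntry,
  IN OUT UINTN                                         *InfoSize
  )
{
  VARIABLE_INFO_ENTRY                                  *VariableInfo;
  UINTN                                                NameSize;
  UINTN                                                StatisticsInfoSize;
  UINTN                                                InfoNameMaxSize;
  CHAR16                                               *InfoName;
  EFI_GUID                                             VendorGuid;

  if ((InfoEntry == NULL) || (InfoSize == NULL)) {
    return EFI_INVALID_PARAMETER;
  }

  VariableInfo = gVariableInfo;
  if (VariableInfo == NULL) {
    return EFI_UNSUPPORTED;
  }

  //
  // The buffer must at least hold the first list entry. This also guarantees
  // *InfoSize >= sizeof (VARIABLE_INFO_ENTRY), so the subtraction below cannot wrap.
  //
  StatisticsInfoSize = sizeof (VARIABLE_INFO_ENTRY) + StrSize (VariableInfo->Name);
  if (*InfoSize < StatisticsInfoSize) {
    *InfoSize = StatisticsInfoSize;
    return EFI_BUFFER_TOO_SMALL;
  }
  InfoName        = (CHAR16 *)(InfoEntry + 1);
  InfoNameMaxSize = *InfoSize - sizeof (VARIABLE_INFO_ENTRY);

  //
  // Work on a private copy of the GUID so that later comparisons do not
  // re-read the caller's buffer.
  //
  CopyGuid (&VendorGuid, &InfoEntry->VendorGuid);

  if (CompareGuid (&VendorGuid, &mZeroGuid)) {
    //
    // Return the first variable info
    //
    // NOTE(review): the whole VARIABLE_INFO_ENTRY is copied out, including its
    // Next and Name pointer fields. If those point into SMRAM their addresses
    // become visible to the caller; confirm whether they should be cleared.
    //
    CopyMem (InfoEntry, VariableInfo, sizeof (VARIABLE_INFO_ENTRY));
    CopyMem (InfoName, VariableInfo->Name, StrSize (VariableInfo->Name));
    *InfoSize = StatisticsInfoSize;
    return EFI_SUCCESS;
  }

  //
  // Get the next variable info
  //
  while (VariableInfo != NULL) {
    if (CompareGuid (&VariableInfo->VendorGuid, &VendorGuid)) {
      NameSize = StrSize (VariableInfo->Name);
      //
      // Compare at most the bytes the caller's buffer is known to contain.
      // StrSize() is deliberately not called on InfoName: it is caller-controlled
      // and, without a terminator, the scan would run past the end of the buffer.
      // NameSize covers the terminating NUL, so an equal comparison still means
      // the caller's name has the same length and content.
      //
      if ((NameSize <= InfoNameMaxSize) &&
          (CompareMem (VariableInfo->Name, InfoName, NameSize) == 0)) {
        //
        // Found the matching entry; the one after it is what the caller wants.
        //
        VariableInfo = VariableInfo->Next;
        break;
      }
    }
    VariableInfo = VariableInfo->Next;
  }

  if (VariableInfo == NULL) {
    //
    // End of list, or the caller's entry was not found.
    //
    *InfoSize = 0;
    return EFI_SUCCESS;
  }

  //
  // Output the new variable info
  //
  StatisticsInfoSize = sizeof (VARIABLE_INFO_ENTRY) + StrSize (VariableInfo->Name);
  if (*InfoSize < StatisticsInfoSize) {
    *InfoSize = StatisticsInfoSize;
    return EFI_BUFFER_TOO_SMALL;
  }

  CopyMem (InfoEntry, VariableInfo, sizeof (VARIABLE_INFO_ENTRY));
  CopyMem (InfoName, VariableInfo->Name, StrSize (VariableInfo->Name));
  *InfoSize = StatisticsInfoSize;

  return EFI_SUCCESS;
}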
427\r
428\r
/**
  Communication service SMI Handler entry.

  This SMI handler provides services for the variable wrapper driver.

  Caution: This function may receive untrusted input.
  The variable data and the communication buffer are external input, so this
  function does basic validation: it checks the buffer size against the header
  size and against mVariableBufferPayloadSize, checks with
  SmmIsBufferOutsideSmmValid() that the buffer lies outside SMRAM, and, for the
  GET_VARIABLE, GET_NEXT_VARIABLE_NAME, SET_VARIABLE and
  VAR_CHECK_VARIABLE_PROPERTY_GET functions, copies the payload into
  mVariableBufferPayload before checking and using its fields.
  Each sub function VariableServiceGetVariable(), VariableServiceGetNextVariableName(),
  VariableServiceSetVariable(), VariableServiceQueryVariableInfo(), ReclaimForOS(),
  SmmVariableGetStatistics() should also do validation based on its own knowledge.

  The result of the requested function is reported in the ReturnStatus field of
  the communication header when processing reaches the EXIT label. The paths
  that return early after a failed size or range check do not write ReturnStatus.

  @param[in]     DispatchHandle  The unique handle assigned to this handler by SmiHandlerRegister().
  @param[in]     RegisterContext Points to an optional handler context which was specified when the
                                 handler was registered.
  @param[in, out] CommBuffer     A pointer to a collection of data in memory that will
                                 be conveyed from a non-SMM environment into an SMM environment.
  @param[in, out] CommBufferSize The size of the CommBuffer.

  @retval EFI_SUCCESS            Returned on every path in this implementation.

**/
EFI_STATUS
EFIAPI
SmmVariableHandler (
  IN     EFI_HANDLE                                DispatchHandle,
  IN     CONST VOID                                *RegisterContext,
  IN OUT VOID                                      *CommBuffer,
  IN OUT UINTN                                     *CommBufferSize
  )
{
  EFI_STATUS                                       Status;
  SMM_VARIABLE_COMMUNICATE_HEADER                  *SmmVariableFunctionHeader;
  SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE         *SmmVariableHeader;
  SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME  *GetNextVariableName;
  SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO     *QueryVariableInfo;
  VARIABLE_INFO_ENTRY                              *VariableInfo;
  SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE           *VariableToLock;
  SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY *CommVariableProperty;
  UINTN                                            InfoSize;
  UINTN                                            NameBufferSize;
  UINTN                                            CommBufferPayloadSize;
  UINTN                                            TempCommBufferSize;

  //
  // If input is invalid, stop processing this SMI
  //
  if (CommBuffer == NULL || CommBufferSize == NULL) {
    return EFI_SUCCESS;
  }

  //
  // Read the size once. Every later check uses this snapshot rather than
  // re-reading *CommBufferSize.
  //
  TempCommBufferSize = *CommBufferSize;

  if (TempCommBufferSize < SMM_VARIABLE_COMMUNICATE_HEADER_SIZE) {
    DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer size invalid!\n"));
    return EFI_SUCCESS;
  }
  CommBufferPayloadSize = TempCommBufferSize - SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;
  //
  // The payload must fit in the pre-allocated buffer, because several cases
  // below copy CommBufferPayloadSize bytes into mVariableBufferPayload.
  //
  if (CommBufferPayloadSize > mVariableBufferPayloadSize) {
    DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer payload size invalid!\n"));
    return EFI_SUCCESS;
  }

  //
  // Reject a communication buffer that is not entirely outside SMRAM.
  //
  if (!SmmIsBufferOutsideSmmValid ((UINTN)CommBuffer, TempCommBufferSize)) {
    DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer in SMRAM or overflow!\n"));
    return EFI_SUCCESS;
  }

  SmmVariableFunctionHeader = (SMM_VARIABLE_COMMUNICATE_HEADER *)CommBuffer;

  //
  // Function is read directly from the communication buffer.
  //
  switch (SmmVariableFunctionHeader->Function) {
    case SMM_VARIABLE_FUNCTION_GET_VARIABLE:
      if (CommBufferPayloadSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) {
        DEBUG ((EFI_D_ERROR, "GetVariable: SMM communication buffer size invalid!\n"));
        return EFI_SUCCESS;
      }
      //
      // Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.
      // All checks below run on this copy, not on the caller's buffer.
      //
      CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize);
      SmmVariableHeader = (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *) mVariableBufferPayload;
      if (((UINTN)(~0) - SmmVariableHeader->DataSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) ||
         ((UINTN)(~0) - SmmVariableHeader->NameSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + SmmVariableHeader->DataSize)) {
        //
        // Prevent InfoSize overflow
        //
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }
      InfoSize = OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)
                 + SmmVariableHeader->DataSize + SmmVariableHeader->NameSize;

      //
      // SMRAM range check already covered before.
      // The declared name and data must fit inside the payload that was copied.
      //
      if (InfoSize > CommBufferPayloadSize) {
        DEBUG ((EFI_D_ERROR, "GetVariable: Data size exceed communication buffer size limit!\n"));
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }

      if (SmmVariableHeader->NameSize < sizeof (CHAR16) || SmmVariableHeader->Name[SmmVariableHeader->NameSize/sizeof (CHAR16) - 1] != L'\0') {
        //
        // Make sure VariableName is a Null-terminated string.
        //
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }

      Status = VariableServiceGetVariable (
                 SmmVariableHeader->Name,
                 &SmmVariableHeader->Guid,
                 &SmmVariableHeader->Attributes,
                 &SmmVariableHeader->DataSize,
                 (UINT8 *)SmmVariableHeader->Name + SmmVariableHeader->NameSize
                 );
      //
      // Copy the (possibly updated) payload back to the caller's buffer.
      //
      CopyMem (SmmVariableFunctionHeader->Data, mVariableBufferPayload, CommBufferPayloadSize);
      break;

    case SMM_VARIABLE_FUNCTION_GET_NEXT_VARIABLE_NAME:
      if (CommBufferPayloadSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name)) {
        DEBUG ((EFI_D_ERROR, "GetNextVariableName: SMM communication buffer size invalid!\n"));
        return EFI_SUCCESS;
      }
      //
      // Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.
      //
      CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize);
      GetNextVariableName = (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *) mVariableBufferPayload;
      if ((UINTN)(~0) - GetNextVariableName->NameSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name)) {
        //
        // Prevent InfoSize overflow
        //
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }
      InfoSize = OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name) + GetNextVariableName->NameSize;

      //
      // SMRAM range check already covered before
      //
      if (InfoSize > CommBufferPayloadSize) {
        DEBUG ((EFI_D_ERROR, "GetNextVariableName: Data size exceed communication buffer size limit!\n"));
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }

      //
      // The terminator check uses the last CHAR16 of the whole name area in the
      // payload, not the position given by the caller's NameSize.
      //
      NameBufferSize = CommBufferPayloadSize - OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name);
      if (NameBufferSize < sizeof (CHAR16) || GetNextVariableName->Name[NameBufferSize/sizeof (CHAR16) - 1] != L'\0') {
        //
        // Make sure input VariableName is a Null-terminated string.
        //
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }

      Status = VariableServiceGetNextVariableName (
                 &GetNextVariableName->NameSize,
                 GetNextVariableName->Name,
                 &GetNextVariableName->Guid
                 );
      CopyMem (SmmVariableFunctionHeader->Data, mVariableBufferPayload, CommBufferPayloadSize);
      break;

    case SMM_VARIABLE_FUNCTION_SET_VARIABLE:
      if (CommBufferPayloadSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) {
        DEBUG ((EFI_D_ERROR, "SetVariable: SMM communication buffer size invalid!\n"));
        return EFI_SUCCESS;
      }
      //
      // Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.
      //
      CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize);
      SmmVariableHeader = (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *) mVariableBufferPayload;
      if (((UINTN)(~0) - SmmVariableHeader->DataSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) ||
         ((UINTN)(~0) - SmmVariableHeader->NameSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + SmmVariableHeader->DataSize)) {
        //
        // Prevent InfoSize overflow
        //
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }
      InfoSize = OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)
                 + SmmVariableHeader->DataSize + SmmVariableHeader->NameSize;

      //
      // SMRAM range check already covered before
      // Data buffer should not contain SMM range
      //
      if (InfoSize > CommBufferPayloadSize) {
        DEBUG ((EFI_D_ERROR, "SetVariable: Data size exceed communication buffer size limit!\n"));
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }

      if (SmmVariableHeader->NameSize < sizeof (CHAR16) || SmmVariableHeader->Name[SmmVariableHeader->NameSize/sizeof (CHAR16) - 1] != L'\0') {
        //
        // Make sure VariableName is a Null-terminated string.
        //
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }

      //
      // Name and data are taken from the SMRAM copy; nothing is copied back.
      //
      Status = VariableServiceSetVariable (
                 SmmVariableHeader->Name,
                 &SmmVariableHeader->Guid,
                 SmmVariableHeader->Attributes,
                 SmmVariableHeader->DataSize,
                 (UINT8 *)SmmVariableHeader->Name + SmmVariableHeader->NameSize
                 );
      break;

    case SMM_VARIABLE_FUNCTION_QUERY_VARIABLE_INFO:
      if (CommBufferPayloadSize < sizeof (SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO)) {
        DEBUG ((EFI_D_ERROR, "QueryVariableInfo: SMM communication buffer size invalid!\n"));
        return EFI_SUCCESS;
      }
      //
      // This case works on the caller's buffer in place: Attributes is read from
      // it and the three output pointers refer to it.
      //
      QueryVariableInfo = (SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO *) SmmVariableFunctionHeader->Data;

      Status = VariableServiceQueryVariableInfo (
                 QueryVariableInfo->Attributes,
                 &QueryVariableInfo->MaximumVariableStorageSize,
                 &QueryVariableInfo->RemainingVariableStorageSize,
                 &QueryVariableInfo->MaximumVariableSize
                 );
      break;

    case SMM_VARIABLE_FUNCTION_READY_TO_BOOT:
      //
      // From here on the LOCK_VARIABLE and VAR_CHECK_VARIABLE_PROPERTY_SET
      // functions below answer EFI_ACCESS_DENIED.
      //
      mEndOfDxe = TRUE;
      //
      // The initialization for variable quota.
      //
      InitializeVariableQuota ();
      if (AtRuntime()) {
        Status = EFI_UNSUPPORTED;
        break;
      }
      ReclaimForOS ();
      Status = EFI_SUCCESS;
      break;

    case SMM_VARIABLE_FUNCTION_EXIT_BOOT_SERVICE:
      mAtRuntime = TRUE;
      Status = EFI_SUCCESS;
      break;

    case SMM_VARIABLE_FUNCTION_GET_STATISTICS:
      //
      // VariableInfo points into the caller's buffer (no SMRAM copy is made);
      // InfoSize is taken from the size snapshot.
      //
      VariableInfo = (VARIABLE_INFO_ENTRY *) SmmVariableFunctionHeader->Data;
      InfoSize = TempCommBufferSize - SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;

      //
      // Do not need to check SmmVariableFunctionHeader->Data in SMRAM here.
      // It is covered by previous CommBuffer check
      //

      //
      // This case writes through CommBufferSize, so the location it points to
      // is checked as well before the write below.
      //
      if (!SmmIsBufferOutsideSmmValid ((EFI_PHYSICAL_ADDRESS)(UINTN)CommBufferSize, sizeof(UINTN))) {
        DEBUG ((EFI_D_ERROR, "GetStatistics: SMM communication buffer in SMRAM!\n"));
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }

      Status = SmmVariableGetStatistics (VariableInfo, &InfoSize);
      *CommBufferSize = InfoSize + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;
      break;

    case SMM_VARIABLE_FUNCTION_LOCK_VARIABLE:
      if (mEndOfDxe) {
        Status = EFI_ACCESS_DENIED;
      } else {
        //
        // NOTE(review): unlike the GET/SET cases, this path has no payload-size
        // check, makes no copy into mVariableBufferPayload, and does not verify
        // that Name is NUL-terminated inside the buffer. The mEndOfDxe gate is
        // the only guard; confirm that every caller able to reach this path
        // before EndOfDxe is trusted.
        //
        VariableToLock = (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE *) SmmVariableFunctionHeader->Data;
        Status = VariableLockRequestToLock (
                   NULL,
                   VariableToLock->Name,
                   &VariableToLock->Guid
                   );
      }
      break;
    case SMM_VARIABLE_FUNCTION_VAR_CHECK_VARIABLE_PROPERTY_SET:
      if (mEndOfDxe) {
        Status = EFI_ACCESS_DENIED;
      } else {
        //
        // NOTE(review): same situation as LOCK_VARIABLE above: the payload is
        // used in place with no size, copy or NUL-termination check, and only
        // the mEndOfDxe gate restricts access. The PROPERTY_GET case below
        // performs all of those checks.
        //
        CommVariableProperty = (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY *) SmmVariableFunctionHeader->Data;
        Status = VarCheckVariablePropertySet (
                   CommVariableProperty->Name,
                   &CommVariableProperty->Guid,
                   &CommVariableProperty->VariableProperty
                   );
      }
      break;
    case SMM_VARIABLE_FUNCTION_VAR_CHECK_VARIABLE_PROPERTY_GET:
      if (CommBufferPayloadSize < OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name)) {
        DEBUG ((EFI_D_ERROR, "VarCheckVariablePropertyGet: SMM communication buffer size invalid!\n"));
        return EFI_SUCCESS;
      }
      //
      // Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.
      //
      CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize);
      CommVariableProperty = (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY *) mVariableBufferPayload;
      if ((UINTN) (~0) - CommVariableProperty->NameSize < OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name)) {
        //
        // Prevent InfoSize overflow
        //
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }
      InfoSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name) + CommVariableProperty->NameSize;

      //
      // SMRAM range check already covered before
      //
      if (InfoSize > CommBufferPayloadSize) {
        DEBUG ((EFI_D_ERROR, "VarCheckVariablePropertyGet: Data size exceed communication buffer size limit!\n"));
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }

      if (CommVariableProperty->NameSize < sizeof (CHAR16) || CommVariableProperty->Name[CommVariableProperty->NameSize/sizeof (CHAR16) - 1] != L'\0') {
        //
        // Make sure VariableName is a Null-terminated string.
        //
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }

      Status = VarCheckVariablePropertyGet (
                 CommVariableProperty->Name,
                 &CommVariableProperty->Guid,
                 &CommVariableProperty->VariableProperty
                 );
      CopyMem (SmmVariableFunctionHeader->Data, mVariableBufferPayload, CommBufferPayloadSize);
      break;

    default:
      Status = EFI_UNSUPPORTED;
  }

EXIT:

  //
  // The function result travels back in the communication header; the SMI
  // handler itself always reports EFI_SUCCESS.
  //
  SmmVariableFunctionHeader->ReturnStatus = Status;
  return EFI_SUCCESS;
}
776\r
6ab9f441
RN
/**
  SMM END_OF_DXE protocol notification event handler.

  Sets mEndOfDxe, initializes the variable quota, and reclaims variable space
  when PcdReclaimVariableSpaceAtEndOfDxe is TRUE. Once mEndOfDxe is set, the
  SMI handler in this file answers the LOCK_VARIABLE and
  VAR_CHECK_VARIABLE_PROPERTY_SET functions with EFI_ACCESS_DENIED.

  @param  Protocol   Points to the protocol's unique identifier
  @param  Interface  Points to the interface instance
  @param  Handle     The handle on which the interface was installed

  @retval EFI_SUCCESS   SmmEndOfDxeCallback runs successfully

**/
EFI_STATUS
EFIAPI
SmmEndOfDxeCallback (
  IN CONST EFI_GUID                       *Protocol,
  IN VOID                                 *Interface,
  IN EFI_HANDLE                           Handle
  )
{
  BOOLEAN  ReclaimNow;

  DEBUG ((EFI_D_INFO, "[Variable]END_OF_DXE is signaled\n"));

  //
  // Record the phase change before doing any other work.
  //
  mEndOfDxe = TRUE;

  //
  // The initialization for variable quota.
  //
  InitializeVariableQuota ();

  ReclaimNow = PcdGetBool (PcdReclaimVariableSpaceAtEndOfDxe);
  if (ReclaimNow) {
    ReclaimForOS ();
  }

  return EFI_SUCCESS;
}
0c18794e 806\r
807/**\r
808 SMM Fault Tolerant Write protocol notification event handler.\r
809\r
810 Non-Volatile variable write may needs FTW protocol to reclaim when \r
811 writting variable.\r
812 \r
813 @param Protocol Points to the protocol's unique identifier\r
814 @param Interface Points to the interface instance\r
815 @param Handle The handle on which the interface was installed\r
816\r
817 @retval EFI_SUCCESS SmmEventCallback runs successfully\r
818 @retval EFI_NOT_FOUND The Fvb protocol for variable is not found.\r
819 \r
820 **/\r
821EFI_STATUS\r
822EFIAPI\r
823SmmFtwNotificationEvent (\r
824 IN CONST EFI_GUID *Protocol,\r
825 IN VOID *Interface,\r
826 IN EFI_HANDLE Handle\r
827 )\r
828{\r
829 EFI_STATUS Status;\r
830 EFI_SMM_FIRMWARE_VOLUME_BLOCK_PROTOCOL *FvbProtocol;\r
831 EFI_SMM_FAULT_TOLERANT_WRITE_PROTOCOL *FtwProtocol;\r
832 EFI_PHYSICAL_ADDRESS NvStorageVariableBase;\r
41982ebb 833 UINTN FtwMaxBlockSize;\r
0c18794e 834 \r
835 if (mVariableModuleGlobal->FvbInstance != NULL) {\r
836 return EFI_SUCCESS;\r
837 }\r
838\r
839 //\r
840 // Ensure SMM FTW protocol is installed.\r
841 //\r
842 Status = GetFtwProtocol ((VOID **)&FtwProtocol);\r
843 if (EFI_ERROR (Status)) {\r
844 return Status;\r
845 }\r
846\r
41982ebb
SZ
847 Status = FtwProtocol->GetMaxBlockSize (FtwProtocol, &FtwMaxBlockSize);\r
848 if (!EFI_ERROR (Status)) {\r
849 ASSERT (PcdGet32 (PcdFlashNvStorageVariableSize) <= FtwMaxBlockSize);\r
850 }\r
851\r
0c18794e 852 //\r
853 // Find the proper FVB protocol for variable.\r
854 //\r
855 NvStorageVariableBase = (EFI_PHYSICAL_ADDRESS) PcdGet64 (PcdFlashNvStorageVariableBase64);\r
856 if (NvStorageVariableBase == 0) {\r
857 NvStorageVariableBase = (EFI_PHYSICAL_ADDRESS) PcdGet32 (PcdFlashNvStorageVariableBase);\r
858 }\r
859 Status = GetFvbInfoByAddress (NvStorageVariableBase, NULL, &FvbProtocol);\r
860 if (EFI_ERROR (Status)) {\r
861 return EFI_NOT_FOUND;\r
862 }\r
863\r
864 mVariableModuleGlobal->FvbInstance = FvbProtocol;\r
865 \r
866 Status = VariableWriteServiceInitialize ();\r
25da08c8
DG
867 if (EFI_ERROR (Status)) {\r
868 DEBUG ((DEBUG_ERROR, "Variable write service initialization failed. Status = %r\n", Status));\r
869 }\r
0c18794e 870 \r
871 //\r
872 // Notify the variable wrapper driver the variable write service is ready\r
873 //\r
874 Status = gBS->InstallProtocolInterface (\r
875 &mSmmVariableHandle,\r
876 &gSmmVariableWriteGuid,\r
877 EFI_NATIVE_INTERFACE,\r
878 NULL\r
879 );\r
880 ASSERT_EFI_ERROR (Status);\r
881 \r
882 return EFI_SUCCESS;\r
883}\r
884\r
885\r
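/**
  Variable Driver main entry point.

  Initializes the common variable code, installs EFI_SMM_VARIABLE_PROTOCOL and
  EDKII_SMM_VAR_CHECK_PROTOCOL in the SMM protocol database, allocates the
  buffer into which the SMI handler copies communication payloads, registers
  SmmVariableHandler() as the SMI handler, announces the service to the
  variable wrapper driver, and registers notifications for the SMM End-of-DXE
  and SMM Fault Tolerant Write protocols.

  If the payload buffer cannot be allocated, mVariableBufferPayloadSize is set
  to 0. SmmVariableHandler() rejects any payload larger than that size, so it
  never copies caller data through a NULL mVariableBufferPayload, including in
  builds where ASSERT() is compiled out.

  @param[in] ImageHandle    The firmware allocated handle for the EFI image.
  @param[in] SystemTable    A pointer to the EFI System Table.

  @retval EFI_SUCCESS       Variable service successfully initialized.

**/
EFI_STATUS
EFIAPI
VariableServiceInitialize (
  IN EFI_HANDLE                           ImageHandle,
  IN EFI_SYSTEM_TABLE                     *SystemTable
  )
{
  EFI_STATUS                              Status;
  EFI_HANDLE                              VariableHandle;
  VOID                                    *SmmFtwRegistration;
  VOID                                    *SmmEndOfDxeRegistration;

  //
  // Variable initialize.
  //
  Status = VariableCommonInitialize ();
  ASSERT_EFI_ERROR (Status);

  //
  // Install the Smm Variable Protocol on a new handle.
  //
  VariableHandle = NULL;
  Status = gSmst->SmmInstallProtocolInterface (
                    &VariableHandle,
                    &gEfiSmmVariableProtocolGuid,
                    EFI_NATIVE_INTERFACE,
                    &gSmmVariable
                    );
  ASSERT_EFI_ERROR (Status);

  //
  // The VarCheck protocol goes on the same handle.
  //
  Status = gSmst->SmmInstallProtocolInterface (
                    &VariableHandle,
                    &gEdkiiSmmVarCheckProtocolGuid,
                    EFI_NATIVE_INTERFACE,
                    &mSmmVarCheck
                    );
  ASSERT_EFI_ERROR (Status);

  //
  // Upper bound on the communication payload accepted by SmmVariableHandler(),
  // and the size of the buffer the payload is copied into.
  //
  mVariableBufferPayloadSize = MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize)) +
                               OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name) - sizeof (VARIABLE_HEADER);

  Status = gSmst->SmmAllocatePool (
                    EfiRuntimeServicesData,
                    mVariableBufferPayloadSize,
                    (VOID **)&mVariableBufferPayload
                    );
  ASSERT_EFI_ERROR (Status);
  if (EFI_ERROR (Status)) {
    //
    // Fail closed when ASSERT() does not stop execution: with a zero size limit
    // the SMI handler refuses every request that would copy into this buffer.
    //
    mVariableBufferPayload     = NULL;
    mVariableBufferPayloadSize = 0;
  }

  ///
  /// Register SMM variable SMI handler
  ///
  VariableHandle = NULL;
  Status = gSmst->SmiHandlerRegister (SmmVariableHandler, &gEfiSmmVariableProtocolGuid, &VariableHandle);
  ASSERT_EFI_ERROR (Status);

  //
  // Notify the variable wrapper driver the variable service is ready
  //
  Status = SystemTable->BootServices->InstallProtocolInterface (
                                        &mVariableHandle,
                                        &gEfiSmmVariableProtocolGuid,
                                        EFI_NATIVE_INTERFACE,
                                        &gSmmVariable
                                        );
  ASSERT_EFI_ERROR (Status);

  //
  // Register EFI_SMM_END_OF_DXE_PROTOCOL_GUID notify function.
  //
  Status = gSmst->SmmRegisterProtocolNotify (
                    &gEfiSmmEndOfDxeProtocolGuid,
                    SmmEndOfDxeCallback,
                    &SmmEndOfDxeRegistration
                    );
  ASSERT_EFI_ERROR (Status);

  //
  // Register FtwNotificationEvent () notify function.
  //
  Status = gSmst->SmmRegisterProtocolNotify (
                    &gEfiSmmFaultTolerantWriteProtocolGuid,
                    SmmFtwNotificationEvent,
                    &SmmFtwRegistration
                    );
  ASSERT_EFI_ERROR (Status);

  //
  // Run the FTW handler once directly in case the protocol is already present.
  //
  SmmFtwNotificationEvent (NULL, NULL, NULL);

  return EFI_SUCCESS;
}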
988\r
989\r