]>
Commit | Line | Data |
---|---|---|
0c18794e | 1 | /** @file\r |
2 | Implement all four UEFI Runtime Variable services for the nonvolatile\r | |
3 | and volatile storage space and install variable architecture protocol\r | |
4 | based on SMM variable module.\r | |
5 | \r | |
dc204d5a JY |
6 | Caution: This module requires additional review when modified.\r |
7 | This driver will have external input - variable data.\r | |
8 | This external input must be validated carefully to avoid security issue like\r | |
9 | buffer overflow, integer overflow.\r | |
10 | \r | |
11 | RuntimeServiceGetVariable() and RuntimeServiceSetVariable() are external API\r | |
12 | to receive data buffer. The size should be checked carefully.\r | |
13 | \r | |
14 | InitCommunicateBuffer() is really function to check the variable data size.\r | |
15 | \r | |
aab9212f | 16 | Copyright (c) 2010 - 2013, Intel Corporation. All rights reserved.<BR>\r |
0c18794e | 17 | This program and the accompanying materials \r |
18 | are licensed and made available under the terms and conditions of the BSD License \r | |
19 | which accompanies this distribution. The full text of the license may be found at \r | |
20 | http://opensource.org/licenses/bsd-license.php\r | |
21 | \r | |
22 | THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, \r | |
23 | WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r | |
24 | \r | |
25 | **/\r | |
26 | \r | |
27 | #include <PiDxe.h>\r | |
28 | #include <Protocol/VariableWrite.h>\r | |
29 | #include <Protocol/Variable.h>\r | |
30 | #include <Protocol/SmmCommunication.h>\r | |
31 | #include <Protocol/SmmVariable.h>\r | |
32 | \r | |
33 | #include <Library/UefiBootServicesTableLib.h>\r | |
34 | #include <Library/UefiRuntimeServicesTableLib.h>\r | |
35 | #include <Library/MemoryAllocationLib.h>\r | |
36 | #include <Library/UefiDriverEntryPoint.h>\r | |
37 | #include <Library/UefiRuntimeLib.h>\r | |
38 | #include <Library/BaseMemoryLib.h>\r | |
39 | #include <Library/DebugLib.h>\r | |
40 | #include <Library/PcdLib.h>\r | |
41 | #include <Library/UefiLib.h>\r | |
42 | #include <Library/BaseLib.h>\r | |
43 | \r | |
44 | #include <Guid/EventGroup.h>\r | |
45 | #include <Guid/AuthenticatedVariableFormat.h>\r | |
46 | #include <Guid/SmmVariableCommon.h>\r | |
47 | \r | |
48 | EFI_HANDLE mHandle = NULL; \r | |
49 | EFI_SMM_VARIABLE_PROTOCOL *mSmmVariable = NULL;\r | |
50 | EFI_EVENT mVirtualAddressChangeEvent = NULL;\r | |
51 | EFI_SMM_COMMUNICATION_PROTOCOL *mSmmCommunication = NULL;\r | |
52 | UINT8 *mVariableBuffer = NULL;\r | |
53 | UINT8 *mVariableBufferPhysical = NULL;\r | |
54 | UINTN mVariableBufferSize;\r | |
6ed1ec59 | 55 | EFI_LOCK mVariableServicesLock;\r |
0c18794e | 56 | \r |
6ed1ec59 SZ |
57 | /**\r |
58 | Acquires lock only at boot time. Simply returns at runtime.\r | |
59 | \r | |
60 | This is a temperary function that will be removed when\r | |
61 | EfiAcquireLock() in UefiLib can handle the call in UEFI\r | |
62 | Runtimer driver in RT phase.\r | |
63 | It calls EfiAcquireLock() at boot time, and simply returns\r | |
64 | at runtime.\r | |
65 | \r | |
66 | @param Lock A pointer to the lock to acquire.\r | |
67 | \r | |
68 | **/\r | |
69 | VOID\r | |
70 | AcquireLockOnlyAtBootTime (\r | |
71 | IN EFI_LOCK *Lock\r | |
72 | )\r | |
73 | {\r | |
74 | if (!EfiAtRuntime ()) {\r | |
75 | EfiAcquireLock (Lock);\r | |
76 | }\r | |
77 | }\r | |
78 | \r | |
79 | /**\r | |
80 | Releases lock only at boot time. Simply returns at runtime.\r | |
81 | \r | |
82 | This is a temperary function which will be removed when\r | |
83 | EfiReleaseLock() in UefiLib can handle the call in UEFI\r | |
84 | Runtimer driver in RT phase.\r | |
85 | It calls EfiReleaseLock() at boot time and simply returns\r | |
86 | at runtime.\r | |
87 | \r | |
88 | @param Lock A pointer to the lock to release.\r | |
89 | \r | |
90 | **/\r | |
91 | VOID\r | |
92 | ReleaseLockOnlyAtBootTime (\r | |
93 | IN EFI_LOCK *Lock\r | |
94 | )\r | |
95 | {\r | |
96 | if (!EfiAtRuntime ()) {\r | |
97 | EfiReleaseLock (Lock);\r | |
98 | }\r | |
99 | }\r | |
0c18794e | 100 | \r |
101 | /**\r | |
102 | Initialize the communicate buffer using DataSize and Function.\r | |
103 | \r | |
104 | The communicate size is: SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE +\r | |
105 | DataSize.\r | |
106 | \r | |
dc204d5a JY |
107 | Caution: This function may receive untrusted input.\r |
108 | The data size external input, so this function will validate it carefully to avoid buffer overflow.\r | |
109 | \r | |
0c18794e | 110 | @param[out] DataPtr Points to the data in the communicate buffer.\r |
111 | @param[in] DataSize The data size to send to SMM.\r | |
112 | @param[in] Function The function number to initialize the communicate header.\r | |
113 | \r | |
114 | @retval EFI_INVALID_PARAMETER The data size is too big.\r | |
115 | @retval EFI_SUCCESS Find the specified variable.\r | |
116 | \r | |
117 | **/\r | |
118 | EFI_STATUS\r | |
119 | InitCommunicateBuffer (\r | |
120 | OUT VOID **DataPtr OPTIONAL,\r | |
121 | IN UINTN DataSize,\r | |
122 | IN UINTN Function\r | |
123 | )\r | |
124 | {\r | |
125 | EFI_SMM_COMMUNICATE_HEADER *SmmCommunicateHeader; \r | |
126 | SMM_VARIABLE_COMMUNICATE_HEADER *SmmVariableFunctionHeader; \r | |
127 | \r | |
128 | \r | |
129 | if (DataSize + SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE > mVariableBufferSize) {\r | |
130 | return EFI_INVALID_PARAMETER;\r | |
131 | }\r | |
132 | \r | |
133 | SmmCommunicateHeader = (EFI_SMM_COMMUNICATE_HEADER *) mVariableBuffer;\r | |
134 | CopyGuid (&SmmCommunicateHeader->HeaderGuid, &gEfiSmmVariableProtocolGuid);\r | |
135 | SmmCommunicateHeader->MessageLength = DataSize + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;\r | |
136 | \r | |
137 | SmmVariableFunctionHeader = (SMM_VARIABLE_COMMUNICATE_HEADER *) SmmCommunicateHeader->Data;\r | |
138 | SmmVariableFunctionHeader->Function = Function;\r | |
139 | if (DataPtr != NULL) {\r | |
140 | *DataPtr = SmmVariableFunctionHeader->Data;\r | |
141 | }\r | |
142 | \r | |
143 | return EFI_SUCCESS;\r | |
144 | }\r | |
145 | \r | |
146 | \r | |
147 | /**\r | |
148 | Send the data in communicate buffer to SMM.\r | |
149 | \r | |
150 | @param[in] DataSize This size of the function header and the data.\r | |
151 | \r | |
152 | @retval EFI_SUCCESS Success is returned from the functin in SMM.\r | |
153 | @retval Others Failure is returned from the function in SMM. \r | |
154 | \r | |
155 | **/\r | |
156 | EFI_STATUS\r | |
157 | SendCommunicateBuffer (\r | |
158 | IN UINTN DataSize\r | |
159 | )\r | |
160 | {\r | |
161 | EFI_STATUS Status;\r | |
162 | UINTN CommSize;\r | |
163 | EFI_SMM_COMMUNICATE_HEADER *SmmCommunicateHeader; \r | |
164 | SMM_VARIABLE_COMMUNICATE_HEADER *SmmVariableFunctionHeader;\r | |
165 | \r | |
166 | CommSize = DataSize + SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;\r | |
167 | Status = mSmmCommunication->Communicate (mSmmCommunication, mVariableBufferPhysical, &CommSize);\r | |
168 | ASSERT_EFI_ERROR (Status);\r | |
169 | \r | |
170 | SmmCommunicateHeader = (EFI_SMM_COMMUNICATE_HEADER *) mVariableBuffer;\r | |
171 | SmmVariableFunctionHeader = (SMM_VARIABLE_COMMUNICATE_HEADER *)SmmCommunicateHeader->Data;\r | |
172 | return SmmVariableFunctionHeader->ReturnStatus;\r | |
173 | }\r | |
174 | \r | |
175 | \r | |
176 | /**\r | |
177 | This code finds variable in storage blocks (Volatile or Non-Volatile).\r | |
178 | \r | |
dc204d5a JY |
179 | Caution: This function may receive untrusted input.\r |
180 | The data size is external input, so this function will validate it carefully to avoid buffer overflow.\r | |
181 | \r | |
0c18794e | 182 | @param[in] VariableName Name of Variable to be found.\r |
183 | @param[in] VendorGuid Variable vendor GUID.\r | |
184 | @param[out] Attributes Attribute value of the variable found.\r | |
185 | @param[in, out] DataSize Size of Data found. If size is less than the\r | |
186 | data, this value contains the required size.\r | |
187 | @param[out] Data Data pointer.\r | |
188 | \r | |
189 | @retval EFI_INVALID_PARAMETER Invalid parameter.\r | |
190 | @retval EFI_SUCCESS Find the specified variable.\r | |
191 | @retval EFI_NOT_FOUND Not found.\r | |
192 | @retval EFI_BUFFER_TO_SMALL DataSize is too small for the result.\r | |
193 | \r | |
194 | **/\r | |
195 | EFI_STATUS\r | |
196 | EFIAPI\r | |
197 | RuntimeServiceGetVariable (\r | |
198 | IN CHAR16 *VariableName,\r | |
199 | IN EFI_GUID *VendorGuid,\r | |
200 | OUT UINT32 *Attributes OPTIONAL,\r | |
201 | IN OUT UINTN *DataSize,\r | |
202 | OUT VOID *Data\r | |
203 | )\r | |
204 | {\r | |
205 | EFI_STATUS Status;\r | |
206 | UINTN PayloadSize;\r | |
207 | SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *SmmVariableHeader;\r | |
3a146f2a | 208 | UINTN SmmCommBufPayloadSize;\r |
209 | UINTN TempDataSize;\r | |
0c18794e | 210 | \r |
211 | if (VariableName == NULL || VendorGuid == NULL || DataSize == NULL) {\r | |
212 | return EFI_INVALID_PARAMETER;\r | |
213 | }\r | |
214 | \r | |
215 | if ((*DataSize != 0) && (Data == NULL)) {\r | |
216 | return EFI_INVALID_PARAMETER;\r | |
217 | }\r | |
6ed1ec59 | 218 | \r |
3a146f2a | 219 | //\r |
220 | // SMM Communication Buffer max payload size\r | |
221 | //\r | |
222 | SmmCommBufPayloadSize = mVariableBufferSize - (SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE);\r | |
223 | TempDataSize = *DataSize;\r | |
224 | \r | |
225 | //\r | |
226 | // If VariableName exceeds SMM payload limit. Return failure\r | |
227 | //\r | |
228 | if (StrSize (VariableName) > SmmCommBufPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) {\r | |
3588bb35 SZ |
229 | return EFI_INVALID_PARAMETER;\r |
230 | }\r | |
231 | \r | |
6ed1ec59 SZ |
232 | AcquireLockOnlyAtBootTime(&mVariableServicesLock);\r |
233 | \r | |
0c18794e | 234 | //\r |
235 | // Init the communicate buffer. The buffer data size is:\r | |
6ed1ec59 | 236 | // SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE + PayloadSize.\r |
0c18794e | 237 | //\r |
3a146f2a | 238 | if (TempDataSize > SmmCommBufPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) - StrSize (VariableName)) {\r |
239 | //\r | |
240 | // If output data buffer exceed SMM payload limit. Trim output buffer to SMM payload size\r | |
241 | //\r | |
242 | TempDataSize = SmmCommBufPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) - StrSize (VariableName);\r | |
243 | }\r | |
244 | PayloadSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + StrSize (VariableName) + TempDataSize;\r | |
245 | \r | |
0c18794e | 246 | Status = InitCommunicateBuffer ((VOID **)&SmmVariableHeader, PayloadSize, SMM_VARIABLE_FUNCTION_GET_VARIABLE);\r |
247 | if (EFI_ERROR (Status)) {\r | |
6ed1ec59 | 248 | goto Done;\r |
0c18794e | 249 | }\r |
250 | ASSERT (SmmVariableHeader != NULL);\r | |
251 | \r | |
252 | CopyGuid (&SmmVariableHeader->Guid, VendorGuid);\r | |
3a146f2a | 253 | SmmVariableHeader->DataSize = TempDataSize;\r |
0c18794e | 254 | SmmVariableHeader->NameSize = StrSize (VariableName);\r |
255 | if (Attributes == NULL) {\r | |
256 | SmmVariableHeader->Attributes = 0;\r | |
257 | } else {\r | |
258 | SmmVariableHeader->Attributes = *Attributes;\r | |
259 | }\r | |
260 | CopyMem (SmmVariableHeader->Name, VariableName, SmmVariableHeader->NameSize);\r | |
261 | \r | |
262 | //\r | |
263 | // Send data to SMM.\r | |
264 | //\r | |
265 | Status = SendCommunicateBuffer (PayloadSize);\r | |
266 | \r | |
267 | //\r | |
268 | // Get data from SMM.\r | |
269 | //\r | |
3a146f2a | 270 | if (Status == EFI_SUCCESS || Status == EFI_BUFFER_TOO_SMALL) {\r |
271 | //\r | |
272 | // SMM CommBuffer DataSize can be a trimed value\r | |
273 | // Only update DataSize when needed\r | |
274 | //\r | |
275 | *DataSize = SmmVariableHeader->DataSize;\r | |
276 | }\r | |
0c18794e | 277 | if (Attributes != NULL) {\r |
278 | *Attributes = SmmVariableHeader->Attributes;\r | |
279 | }\r | |
280 | \r | |
281 | if (EFI_ERROR (Status)) {\r | |
6ed1ec59 | 282 | goto Done;\r |
0c18794e | 283 | }\r |
284 | \r | |
285 | CopyMem (Data, (UINT8 *)SmmVariableHeader->Name + SmmVariableHeader->NameSize, SmmVariableHeader->DataSize);\r | |
286 | \r | |
6ed1ec59 SZ |
287 | Done:\r |
288 | ReleaseLockOnlyAtBootTime (&mVariableServicesLock);\r | |
0c18794e | 289 | return Status;\r |
290 | }\r | |
291 | \r | |
292 | \r | |
293 | /**\r | |
294 | This code Finds the Next available variable.\r | |
295 | \r | |
296 | @param[in, out] VariableNameSize Size of the variable name.\r | |
297 | @param[in, out] VariableName Pointer to variable name.\r | |
298 | @param[in, out] VendorGuid Variable Vendor Guid.\r | |
299 | \r | |
300 | @retval EFI_INVALID_PARAMETER Invalid parameter.\r | |
301 | @retval EFI_SUCCESS Find the specified variable.\r | |
302 | @retval EFI_NOT_FOUND Not found.\r | |
303 | @retval EFI_BUFFER_TO_SMALL DataSize is too small for the result.\r | |
304 | \r | |
305 | **/\r | |
306 | EFI_STATUS\r | |
307 | EFIAPI\r | |
308 | RuntimeServiceGetNextVariableName (\r | |
309 | IN OUT UINTN *VariableNameSize,\r | |
310 | IN OUT CHAR16 *VariableName,\r | |
311 | IN OUT EFI_GUID *VendorGuid\r | |
312 | )\r | |
313 | {\r | |
314 | EFI_STATUS Status;\r | |
315 | UINTN PayloadSize;\r | |
316 | SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *SmmGetNextVariableName;\r | |
0c55190f | 317 | UINTN SmmCommBufPayloadSize;\r |
0c18794e | 318 | \r |
319 | if (VariableNameSize == NULL || VariableName == NULL || VendorGuid == NULL) {\r | |
320 | return EFI_INVALID_PARAMETER;\r | |
321 | }\r | |
6ed1ec59 | 322 | \r |
0c55190f | 323 | //\r |
324 | // SMM Communication Buffer max payload size\r | |
325 | //\r | |
326 | SmmCommBufPayloadSize = mVariableBufferSize - (SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE);\r | |
327 | \r | |
328 | //\r | |
329 | // If input string exceeds SMM payload limit. Return failure\r | |
330 | //\r | |
331 | if (StrSize (VariableName) > SmmCommBufPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name)) {\r | |
3588bb35 SZ |
332 | return EFI_INVALID_PARAMETER;\r |
333 | }\r | |
334 | \r | |
6ed1ec59 SZ |
335 | AcquireLockOnlyAtBootTime(&mVariableServicesLock);\r |
336 | \r | |
0c18794e | 337 | //\r |
338 | // Init the communicate buffer. The buffer data size is:\r | |
339 | // SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE + PayloadSize.\r | |
340 | //\r | |
0c55190f | 341 | if (*VariableNameSize > SmmCommBufPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name)) {\r |
342 | //\r | |
343 | // If output buffer exceed SMM payload limit. Trim output buffer to SMM payload size\r | |
344 | //\r | |
345 | *VariableNameSize = SmmCommBufPayloadSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name);\r | |
346 | }\r | |
347 | //\r | |
348 | // Payload should be Guid + NameSize + MAX of Input & Output buffer\r | |
349 | //\r | |
350 | PayloadSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name) + MAX (*VariableNameSize, StrSize (VariableName));\r | |
351 | \r | |
0c18794e | 352 | Status = InitCommunicateBuffer ((VOID **)&SmmGetNextVariableName, PayloadSize, SMM_VARIABLE_FUNCTION_GET_NEXT_VARIABLE_NAME);\r |
353 | if (EFI_ERROR (Status)) {\r | |
6ed1ec59 | 354 | goto Done;\r |
0c18794e | 355 | }\r |
356 | ASSERT (SmmGetNextVariableName != NULL);\r | |
357 | \r | |
0c55190f | 358 | //\r |
359 | // SMM comm buffer->NameSize is buffer size for return string\r | |
360 | //\r | |
0c18794e | 361 | SmmGetNextVariableName->NameSize = *VariableNameSize;\r |
0c55190f | 362 | \r |
0c18794e | 363 | CopyGuid (&SmmGetNextVariableName->Guid, VendorGuid);\r |
0c55190f | 364 | //\r |
365 | // Copy whole string\r | |
366 | //\r | |
367 | CopyMem (SmmGetNextVariableName->Name, VariableName, StrSize (VariableName));\r | |
0c18794e | 368 | \r |
369 | //\r | |
370 | // Send data to SMM\r | |
371 | //\r | |
372 | Status = SendCommunicateBuffer (PayloadSize);\r | |
373 | \r | |
374 | //\r | |
375 | // Get data from SMM.\r | |
376 | //\r | |
377 | *VariableNameSize = SmmGetNextVariableName->NameSize; \r | |
378 | if (EFI_ERROR (Status)) {\r | |
6ed1ec59 | 379 | goto Done;\r |
0c18794e | 380 | }\r |
381 | \r | |
382 | CopyGuid (VendorGuid, &SmmGetNextVariableName->Guid);\r | |
383 | CopyMem (VariableName, SmmGetNextVariableName->Name, SmmGetNextVariableName->NameSize); \r | |
384 | \r | |
6ed1ec59 SZ |
385 | Done:\r |
386 | ReleaseLockOnlyAtBootTime (&mVariableServicesLock);\r | |
0c18794e | 387 | return Status;\r |
388 | }\r | |
389 | \r | |
390 | /**\r | |
391 | This code sets variable in storage blocks (Volatile or Non-Volatile).\r | |
392 | \r | |
dc204d5a JY |
393 | Caution: This function may receive untrusted input.\r |
394 | The data size and data are external input, so this function will validate it carefully to avoid buffer overflow.\r | |
395 | \r | |
0c18794e | 396 | @param[in] VariableName Name of Variable to be found.\r |
397 | @param[in] VendorGuid Variable vendor GUID.\r | |
398 | @param[in] Attributes Attribute value of the variable found\r | |
399 | @param[in] DataSize Size of Data found. If size is less than the\r | |
400 | data, this value contains the required size.\r | |
401 | @param[in] Data Data pointer.\r | |
402 | \r | |
403 | @retval EFI_INVALID_PARAMETER Invalid parameter.\r | |
404 | @retval EFI_SUCCESS Set successfully.\r | |
405 | @retval EFI_OUT_OF_RESOURCES Resource not enough to set variable.\r | |
406 | @retval EFI_NOT_FOUND Not found.\r | |
407 | @retval EFI_WRITE_PROTECTED Variable is read-only.\r | |
408 | \r | |
409 | **/\r | |
410 | EFI_STATUS\r | |
411 | EFIAPI\r | |
412 | RuntimeServiceSetVariable (\r | |
413 | IN CHAR16 *VariableName,\r | |
414 | IN EFI_GUID *VendorGuid,\r | |
415 | IN UINT32 Attributes,\r | |
416 | IN UINTN DataSize,\r | |
417 | IN VOID *Data\r | |
418 | )\r | |
419 | {\r | |
420 | EFI_STATUS Status;\r | |
421 | UINTN PayloadSize; \r | |
422 | SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *SmmVariableHeader;\r | |
423 | \r | |
424 | //\r | |
425 | // Check input parameters.\r | |
426 | //\r | |
427 | if (VariableName == NULL || VariableName[0] == 0 || VendorGuid == NULL) {\r | |
428 | return EFI_INVALID_PARAMETER;\r | |
429 | } \r | |
430 | \r | |
431 | if (DataSize != 0 && Data == NULL) {\r | |
432 | return EFI_INVALID_PARAMETER;\r | |
433 | }\r | |
6ed1ec59 | 434 | \r |
3588bb35 SZ |
435 | if (DataSize >= mVariableBufferSize) {\r |
436 | //\r | |
437 | // DataSize may be near MAX_ADDRESS incorrectly, this can cause the computed PayLoadSize to\r | |
438 | // overflow to a small value and pass the check in InitCommunicateBuffer().\r | |
439 | // To protect against this vulnerability, return EFI_INVALID_PARAMETER if DataSize is >= mVariableBufferSize.\r | |
440 | // And there will be further check to ensure the total size is also not > mVariableBufferSize.\r | |
441 | //\r | |
442 | return EFI_INVALID_PARAMETER;\r | |
443 | }\r | |
444 | \r | |
56251c66 | 445 | if ((UINTN)(~0) - StrSize (VariableName) < OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + DataSize) {\r |
446 | //\r | |
447 | // Prevent PayloadSize overflow\r | |
448 | //\r | |
449 | return EFI_INVALID_PARAMETER;\r | |
450 | }\r | |
451 | \r | |
6ed1ec59 | 452 | AcquireLockOnlyAtBootTime(&mVariableServicesLock);\r |
56251c66 | 453 | \r |
0c18794e | 454 | //\r |
455 | // Init the communicate buffer. The buffer data size is:\r | |
456 | // SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE + PayloadSize.\r | |
457 | //\r | |
458 | PayloadSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + StrSize (VariableName) + DataSize;\r | |
459 | Status = InitCommunicateBuffer ((VOID **)&SmmVariableHeader, PayloadSize, SMM_VARIABLE_FUNCTION_SET_VARIABLE);\r | |
460 | if (EFI_ERROR (Status)) {\r | |
6ed1ec59 | 461 | goto Done;\r |
0c18794e | 462 | }\r |
463 | ASSERT (SmmVariableHeader != NULL);\r | |
464 | \r | |
465 | CopyGuid ((EFI_GUID *) &SmmVariableHeader->Guid, VendorGuid);\r | |
466 | SmmVariableHeader->DataSize = DataSize;\r | |
467 | SmmVariableHeader->NameSize = StrSize (VariableName);\r | |
468 | SmmVariableHeader->Attributes = Attributes;\r | |
469 | CopyMem (SmmVariableHeader->Name, VariableName, SmmVariableHeader->NameSize);\r | |
470 | CopyMem ((UINT8 *) SmmVariableHeader->Name + SmmVariableHeader->NameSize, Data, DataSize);\r | |
471 | \r | |
472 | //\r | |
473 | // Send data to SMM.\r | |
474 | //\r | |
475 | Status = SendCommunicateBuffer (PayloadSize);\r | |
6ed1ec59 SZ |
476 | \r |
477 | Done:\r | |
478 | ReleaseLockOnlyAtBootTime (&mVariableServicesLock);\r | |
0c18794e | 479 | return Status;\r |
480 | }\r | |
481 | \r | |
482 | \r | |
483 | /**\r | |
484 | This code returns information about the EFI variables.\r | |
485 | \r | |
486 | @param[in] Attributes Attributes bitmask to specify the type of variables\r | |
487 | on which to return information.\r | |
488 | @param[out] MaximumVariableStorageSize Pointer to the maximum size of the storage space available\r | |
489 | for the EFI variables associated with the attributes specified.\r | |
490 | @param[out] RemainingVariableStorageSize Pointer to the remaining size of the storage space available\r | |
491 | for EFI variables associated with the attributes specified.\r | |
492 | @param[out] MaximumVariableSize Pointer to the maximum size of an individual EFI variables\r | |
493 | associated with the attributes specified.\r | |
494 | \r | |
495 | @retval EFI_INVALID_PARAMETER An invalid combination of attribute bits was supplied.\r | |
496 | @retval EFI_SUCCESS Query successfully.\r | |
497 | @retval EFI_UNSUPPORTED The attribute is not supported on this platform.\r | |
498 | \r | |
499 | **/\r | |
500 | EFI_STATUS\r | |
501 | EFIAPI\r | |
502 | RuntimeServiceQueryVariableInfo (\r | |
503 | IN UINT32 Attributes,\r | |
504 | OUT UINT64 *MaximumVariableStorageSize,\r | |
505 | OUT UINT64 *RemainingVariableStorageSize,\r | |
506 | OUT UINT64 *MaximumVariableSize\r | |
507 | )\r | |
508 | {\r | |
509 | EFI_STATUS Status;\r | |
510 | UINTN PayloadSize;\r | |
511 | SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO *SmmQueryVariableInfo;\r | |
512 | \r | |
513 | if(MaximumVariableStorageSize == NULL || RemainingVariableStorageSize == NULL || MaximumVariableSize == NULL || Attributes == 0) {\r | |
514 | return EFI_INVALID_PARAMETER;\r | |
515 | }\r | |
6ed1ec59 SZ |
516 | \r |
517 | AcquireLockOnlyAtBootTime(&mVariableServicesLock);\r | |
518 | \r | |
0c18794e | 519 | //\r |
520 | // Init the communicate buffer. The buffer data size is:\r | |
521 | // SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE + PayloadSize;\r | |
522 | //\r | |
523 | PayloadSize = sizeof (SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO);\r | |
524 | Status = InitCommunicateBuffer ((VOID **)&SmmQueryVariableInfo, PayloadSize, SMM_VARIABLE_FUNCTION_QUERY_VARIABLE_INFO);\r | |
525 | if (EFI_ERROR (Status)) {\r | |
6ed1ec59 | 526 | goto Done;\r |
0c18794e | 527 | }\r |
528 | ASSERT (SmmQueryVariableInfo != NULL);\r | |
529 | \r | |
530 | SmmQueryVariableInfo->Attributes = Attributes;\r | |
531 | \r | |
532 | //\r | |
533 | // Send data to SMM.\r | |
534 | //\r | |
535 | Status = SendCommunicateBuffer (PayloadSize);\r | |
536 | if (EFI_ERROR (Status)) {\r | |
6ed1ec59 | 537 | goto Done;\r |
0c18794e | 538 | }\r |
539 | \r | |
540 | //\r | |
541 | // Get data from SMM.\r | |
542 | //\r | |
543 | *MaximumVariableSize = SmmQueryVariableInfo->MaximumVariableSize;\r | |
544 | *MaximumVariableStorageSize = SmmQueryVariableInfo->MaximumVariableStorageSize;\r | |
545 | *RemainingVariableStorageSize = SmmQueryVariableInfo->RemainingVariableStorageSize; \r | |
6ed1ec59 SZ |
546 | \r |
547 | Done:\r | |
548 | ReleaseLockOnlyAtBootTime (&mVariableServicesLock);\r | |
aab9212f | 549 | return Status;\r |
0c18794e | 550 | }\r |
551 | \r | |
552 | \r | |
553 | /**\r | |
554 | Exit Boot Services Event notification handler.\r | |
555 | \r | |
556 | Notify SMM variable driver about the event.\r | |
557 | \r | |
558 | @param[in] Event Event whose notification function is being invoked.\r | |
559 | @param[in] Context Pointer to the notification function's context.\r | |
560 | \r | |
561 | **/\r | |
562 | VOID\r | |
563 | EFIAPI\r | |
564 | OnExitBootServices (\r | |
565 | IN EFI_EVENT Event,\r | |
566 | IN VOID *Context\r | |
567 | )\r | |
568 | {\r | |
569 | //\r | |
570 | // Init the communicate buffer. The buffer data size is:\r | |
571 | // SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE.\r | |
572 | //\r | |
573 | InitCommunicateBuffer (NULL, 0, SMM_VARIABLE_FUNCTION_EXIT_BOOT_SERVICE); \r | |
574 | \r | |
575 | //\r | |
576 | // Send data to SMM.\r | |
577 | //\r | |
578 | SendCommunicateBuffer (0);\r | |
579 | }\r | |
580 | \r | |
581 | \r | |
582 | /**\r | |
583 | On Ready To Boot Services Event notification handler.\r | |
584 | \r | |
585 | Notify SMM variable driver about the event.\r | |
586 | \r | |
587 | @param[in] Event Event whose notification function is being invoked\r | |
588 | @param[in] Context Pointer to the notification function's context\r | |
589 | \r | |
590 | **/\r | |
591 | VOID\r | |
592 | EFIAPI\r | |
593 | OnReadyToBoot (\r | |
594 | IN EFI_EVENT Event,\r | |
595 | IN VOID *Context\r | |
596 | )\r | |
597 | {\r | |
598 | //\r | |
599 | // Init the communicate buffer. The buffer data size is:\r | |
600 | // SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE.\r | |
601 | //\r | |
602 | InitCommunicateBuffer (NULL, 0, SMM_VARIABLE_FUNCTION_READY_TO_BOOT);\r | |
603 | \r | |
604 | //\r | |
605 | // Send data to SMM.\r | |
606 | //\r | |
607 | SendCommunicateBuffer (0);\r | |
608 | }\r | |
609 | \r | |
610 | \r | |
611 | /**\r | |
612 | Notification function of EVT_SIGNAL_VIRTUAL_ADDRESS_CHANGE.\r | |
613 | \r | |
614 | This is a notification function registered on EVT_SIGNAL_VIRTUAL_ADDRESS_CHANGE event.\r | |
615 | It convers pointer to new virtual address.\r | |
616 | \r | |
617 | @param[in] Event Event whose notification function is being invoked.\r | |
618 | @param[in] Context Pointer to the notification function's context.\r | |
619 | \r | |
620 | **/\r | |
621 | VOID\r | |
622 | EFIAPI\r | |
623 | VariableAddressChangeEvent (\r | |
624 | IN EFI_EVENT Event,\r | |
625 | IN VOID *Context\r | |
626 | )\r | |
627 | {\r | |
628 | EfiConvertPointer (0x0, (VOID **) &mVariableBuffer);\r | |
629 | EfiConvertPointer (0x0, (VOID **) &mSmmCommunication);\r | |
630 | }\r | |
631 | \r | |
632 | \r | |
633 | /**\r | |
634 | Initialize variable service and install Variable Architectural protocol.\r | |
635 | \r | |
636 | @param[in] Event Event whose notification function is being invoked.\r | |
637 | @param[in] Context Pointer to the notification function's context.\r | |
638 | \r | |
639 | **/\r | |
640 | VOID\r | |
641 | EFIAPI\r | |
642 | SmmVariableReady (\r | |
643 | IN EFI_EVENT Event,\r | |
644 | IN VOID *Context\r | |
645 | )\r | |
646 | {\r | |
647 | EFI_STATUS Status;\r | |
648 | \r | |
649 | Status = gBS->LocateProtocol (&gEfiSmmVariableProtocolGuid, NULL, (VOID **)&mSmmVariable);\r | |
650 | if (EFI_ERROR (Status)) {\r | |
651 | return;\r | |
652 | }\r | |
653 | \r | |
654 | Status = gBS->LocateProtocol (&gEfiSmmCommunicationProtocolGuid, NULL, (VOID **) &mSmmCommunication);\r | |
655 | ASSERT_EFI_ERROR (Status);\r | |
656 | \r | |
657 | //\r | |
658 | // Allocate memory for variable store.\r | |
659 | //\r | |
660 | mVariableBufferSize = SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;\r | |
661 | mVariableBufferSize += MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize));\r | |
662 | mVariableBuffer = AllocateRuntimePool (mVariableBufferSize);\r | |
663 | ASSERT (mVariableBuffer != NULL);\r | |
664 | \r | |
665 | //\r | |
666 | // Save the buffer physical address used for SMM conmunication.\r | |
667 | //\r | |
668 | mVariableBufferPhysical = mVariableBuffer;\r | |
669 | \r | |
670 | gRT->GetVariable = RuntimeServiceGetVariable;\r | |
671 | gRT->GetNextVariableName = RuntimeServiceGetNextVariableName;\r | |
672 | gRT->SetVariable = RuntimeServiceSetVariable;\r | |
673 | gRT->QueryVariableInfo = RuntimeServiceQueryVariableInfo;\r | |
674 | \r | |
675 | //\r | |
676 | // Install the Variable Architectural Protocol on a new handle.\r | |
677 | //\r | |
678 | Status = gBS->InstallProtocolInterface (\r | |
679 | &mHandle,\r | |
680 | &gEfiVariableArchProtocolGuid, \r | |
681 | EFI_NATIVE_INTERFACE,\r | |
682 | NULL\r | |
683 | );\r | |
684 | ASSERT_EFI_ERROR (Status);\r | |
685 | }\r | |
686 | \r | |
687 | \r | |
688 | /**\r | |
689 | SMM Non-Volatile variable write service is ready notify event handler.\r | |
690 | \r | |
691 | @param[in] Event Event whose notification function is being invoked.\r | |
692 | @param[in] Context Pointer to the notification function's context.\r | |
693 | \r | |
694 | **/\r | |
695 | VOID\r | |
696 | EFIAPI\r | |
697 | SmmVariableWriteReady (\r | |
698 | IN EFI_EVENT Event,\r | |
699 | IN VOID *Context\r | |
700 | )\r | |
701 | {\r | |
702 | EFI_STATUS Status;\r | |
703 | VOID *ProtocolOps;\r | |
704 | \r | |
705 | //\r | |
706 | // Check whether the protocol is installed or not.\r | |
707 | //\r | |
708 | Status = gBS->LocateProtocol (&gSmmVariableWriteGuid, NULL, (VOID **) &ProtocolOps);\r | |
709 | if (EFI_ERROR (Status)) {\r | |
710 | return;\r | |
711 | }\r | |
712 | \r | |
713 | Status = gBS->InstallProtocolInterface (\r | |
714 | &mHandle,\r | |
715 | &gEfiVariableWriteArchProtocolGuid, \r | |
716 | EFI_NATIVE_INTERFACE,\r | |
717 | NULL\r | |
718 | );\r | |
719 | ASSERT_EFI_ERROR (Status); \r | |
720 | }\r | |
721 | \r | |
722 | \r | |
723 | /**\r | |
724 | Variable Driver main entry point. The Variable driver places the 4 EFI\r | |
725 | runtime services in the EFI System Table and installs arch protocols \r | |
726 | for variable read and write services being available. It also registers\r | |
727 | a notification function for an EVT_SIGNAL_VIRTUAL_ADDRESS_CHANGE event.\r | |
728 | \r | |
729 | @param[in] ImageHandle The firmware allocated handle for the EFI image. \r | |
730 | @param[in] SystemTable A pointer to the EFI System Table.\r | |
731 | \r | |
732 | @retval EFI_SUCCESS Variable service successfully initialized.\r | |
733 | \r | |
734 | **/\r | |
735 | EFI_STATUS\r | |
736 | EFIAPI\r | |
737 | VariableSmmRuntimeInitialize (\r | |
738 | IN EFI_HANDLE ImageHandle,\r | |
739 | IN EFI_SYSTEM_TABLE *SystemTable\r | |
740 | )\r | |
741 | {\r | |
742 | VOID *SmmVariableRegistration;\r | |
743 | VOID *SmmVariableWriteRegistration;\r | |
744 | EFI_EVENT OnReadyToBootEvent;\r | |
745 | EFI_EVENT ExitBootServiceEvent;\r | |
6ed1ec59 SZ |
746 | \r |
747 | EfiInitializeLock (&mVariableServicesLock, TPL_NOTIFY);\r | |
748 | \r | |
0c18794e | 749 | //\r |
750 | // Smm variable service is ready\r | |
751 | //\r | |
752 | EfiCreateProtocolNotifyEvent (\r | |
753 | &gEfiSmmVariableProtocolGuid, \r | |
754 | TPL_CALLBACK, \r | |
755 | SmmVariableReady, \r | |
756 | NULL, \r | |
757 | &SmmVariableRegistration\r | |
758 | );\r | |
759 | \r | |
760 | //\r | |
761 | // Smm Non-Volatile variable write service is ready\r | |
762 | //\r | |
763 | EfiCreateProtocolNotifyEvent (\r | |
764 | &gSmmVariableWriteGuid, \r | |
765 | TPL_CALLBACK, \r | |
766 | SmmVariableWriteReady, \r | |
767 | NULL, \r | |
768 | &SmmVariableWriteRegistration\r | |
769 | );\r | |
770 | \r | |
771 | //\r | |
772 | // Register the event to reclaim variable for OS usage.\r | |
773 | //\r | |
774 | EfiCreateEventReadyToBootEx (\r | |
775 | TPL_NOTIFY, \r | |
776 | OnReadyToBoot, \r | |
777 | NULL, \r | |
778 | &OnReadyToBootEvent\r | |
779 | ); \r | |
780 | \r | |
781 | //\r | |
782 | // Register the event to inform SMM variable that it is at runtime.\r | |
783 | //\r | |
784 | gBS->CreateEventEx (\r | |
785 | EVT_NOTIFY_SIGNAL,\r | |
786 | TPL_NOTIFY,\r | |
787 | OnExitBootServices,\r | |
788 | NULL,\r | |
789 | &gEfiEventExitBootServicesGuid,\r | |
790 | &ExitBootServiceEvent\r | |
791 | ); \r | |
792 | \r | |
793 | //\r | |
794 | // Register the event to convert the pointer for runtime.\r | |
795 | //\r | |
796 | gBS->CreateEventEx (\r | |
797 | EVT_NOTIFY_SIGNAL,\r | |
798 | TPL_NOTIFY,\r | |
799 | VariableAddressChangeEvent,\r | |
800 | NULL,\r | |
801 | &gEfiEventVirtualAddressChangeGuid,\r | |
802 | &mVirtualAddressChangeEvent\r | |
803 | );\r | |
804 | \r | |
805 | return EFI_SUCCESS;\r | |
806 | }\r | |
807 | \r |