2 TCG MOR (Memory Overwrite Request) Lock Control support (DXE version).
4 This module clears MemoryOverwriteRequestControlLock variable to indicate
5 MOR lock control unsupported.
7 Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
8 Copyright (c) Microsoft Corporation.
9 SPDX-License-Identifier: BSD-2-Clause-Patent
14 #include <Guid/MemoryOverwriteControl.h>
15 #include <IndustryStandard/MemoryOverwriteRequestControlLock.h>
16 #include <Library/DebugLib.h>
17 #include <Library/BaseLib.h>
18 #include <Library/BaseMemoryLib.h>
21 #include <Protocol/VariablePolicy.h>
22 #include <Library/VariablePolicyHelperLib.h>
25 This service is an MOR/MorLock checker handler for the SetVariable().
27 @param[in] VariableName the name of the vendor's variable, as a
28 Null-Terminated Unicode String
29 @param[in] VendorGuid Unify identifier for vendor.
30 @param[in] Attributes Attributes bitmask to set for the variable.
31 @param[in] DataSize The size in bytes of Data-Buffer.
32 @param[in] Data Point to the content of the variable.
34 @retval EFI_SUCCESS The MOR/MorLock check pass, and Variable
35 driver can store the variable data.
36 @retval EFI_INVALID_PARAMETER The MOR/MorLock data or data size or
37 attributes is not allowed for MOR variable.
38 @retval EFI_ACCESS_DENIED The MOR/MorLock is locked.
39 @retval EFI_ALREADY_STARTED The MorLock variable is handled inside this
40 function. Variable driver can just return
44 SetVariableCheckHandlerMor (
45 IN CHAR16
*VariableName
,
46 IN EFI_GUID
*VendorGuid
,
53 // Just let it pass. No need provide protection for DXE version.
59 Initialization for MOR Control Lock.
61 @retval EFI_SUCCESS MorLock initialization success.
62 @return Others Some error occurs.
70 // Always clear variable to report unsupported to OS.
71 // The reason is that the DXE version is not proper to provide *protection*.
72 // BIOS should use SMM version variable driver to provide such capability.
74 VariableServiceSetVariable (
75 MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME
,
76 &gEfiMemoryOverwriteRequestControlLockGuid
,
83 // The MOR variable can effectively improve platform security only when the
84 // MorLock variable protects the MOR variable. In turn MorLock cannot be made
85 // secure without SMM support in the platform firmware (see above).
87 // Thus, delete the MOR variable, should it exist for any reason (some OSes
88 // are known to create MOR unintentionally, in an attempt to set it), then
89 // also lock the MOR variable, in order to prevent other modules from
92 VariableServiceSetVariable (
93 MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME
,
94 &gEfiMemoryOverwriteControlDataGuid
,
104 Delayed initialization for MOR Control Lock at EndOfDxe.
106 This function performs any operations queued by MorLockInit().
109 MorLockInitAtEndOfDxe (
114 EDKII_VARIABLE_POLICY_PROTOCOL
*VariablePolicy
;
116 // First, we obviously need to locate the VariablePolicy protocol.
117 Status
= gBS
->LocateProtocol (&gEdkiiVariablePolicyProtocolGuid
, NULL
, (VOID
**)&VariablePolicy
);
118 if (EFI_ERROR (Status
)) {
119 DEBUG ((DEBUG_ERROR
, "%a - Could not locate VariablePolicy protocol! %r\n", __FUNCTION__
, Status
));
123 // If we're successful, go ahead and set the policies to protect the target variables.
124 Status
= RegisterBasicVariablePolicy (
126 &gEfiMemoryOverwriteRequestControlLockGuid
,
127 MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME
,
128 VARIABLE_POLICY_NO_MIN_SIZE
,
129 VARIABLE_POLICY_NO_MAX_SIZE
,
130 VARIABLE_POLICY_NO_MUST_ATTR
,
131 VARIABLE_POLICY_NO_CANT_ATTR
,
132 VARIABLE_POLICY_TYPE_LOCK_NOW
134 if (EFI_ERROR (Status
)) {
135 DEBUG ((DEBUG_ERROR
, "%a - Could not lock variable %s! %r\n", __FUNCTION__
, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME
, Status
));
138 Status
= RegisterBasicVariablePolicy (
140 &gEfiMemoryOverwriteControlDataGuid
,
141 MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME
,
142 VARIABLE_POLICY_NO_MIN_SIZE
,
143 VARIABLE_POLICY_NO_MAX_SIZE
,
144 VARIABLE_POLICY_NO_MUST_ATTR
,
145 VARIABLE_POLICY_NO_CANT_ATTR
,
146 VARIABLE_POLICY_TYPE_LOCK_NOW
148 if (EFI_ERROR (Status
)) {
149 DEBUG ((DEBUG_ERROR
, "%a - Could not lock variable %s! %r\n", __FUNCTION__
, MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME
, Status
));