MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c

   1 /** @file
   2   TCG MOR (Memory Overwrite Request) Lock Control support (DXE version).
   3
   4   This module clears MemoryOverwriteRequestControlLock variable to indicate
   5   MOR lock control unsupported.
   6
   7 Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
   8 SPDX-License-Identifier: BSD-2-Clause-Patent
   9
  10 **/
  11
  12 #include <PiDxe.h>
  13 #include <Guid/MemoryOverwriteControl.h>
  14 #include <IndustryStandard/MemoryOverwriteRequestControlLock.h>
  15 #include <Library/DebugLib.h>
  16 #include <Library/BaseLib.h>
  17 #include <Library/BaseMemoryLib.h>
  18 #include "Variable.h"
  19
  20 extern EDKII_VARIABLE_LOCK_PROTOCOL     mVariableLock;
  21
  22 /**
  23   This service is an MOR/MorLock checker handler for the SetVariable().
  24
  25   @param[in]  VariableName the name of the vendor's variable, as a
  26                            Null-Terminated Unicode String
  27   @param[in]  VendorGuid   Unify identifier for vendor.
  28   @param[in]  Attributes   Attributes bitmask to set for the variable.
  29   @param[in]  DataSize     The size in bytes of Data-Buffer.
  30   @param[in]  Data         Point to the content of the variable.
  31
  32   @retval  EFI_SUCCESS            The MOR/MorLock check pass, and Variable
  33                                   driver can store the variable data.
  34   @retval  EFI_INVALID_PARAMETER  The MOR/MorLock data or data size or
  35                                   attributes is not allowed for MOR variable.
  36   @retval  EFI_ACCESS_DENIED      The MOR/MorLock is locked.
  37   @retval  EFI_ALREADY_STARTED    The MorLock variable is handled inside this
  38                                   function. Variable driver can just return
  39                                   EFI_SUCCESS.
  40 **/
  41 EFI_STATUS
  42 SetVariableCheckHandlerMor (
  43   IN CHAR16     *VariableName,
  44   IN EFI_GUID   *VendorGuid,
  45   IN UINT32     Attributes,
  46   IN UINTN      DataSize,
  47   IN VOID       *Data
  48   )
  49 {
  50   //
  51   // Just let it pass. No need provide protection for DXE version.
  52   //
  53   return EFI_SUCCESS;
  54 }
  55
  56 /**
  57   Initialization for MOR Control Lock.
  58
  59   @retval EFI_SUCCESS     MorLock initialization success.
  60   @return Others          Some error occurs.
  61 **/
  62 EFI_STATUS
  63 MorLockInit (
  64   VOID
  65   )
  66 {
  67   //
  68   // Always clear variable to report unsupported to OS.
  69   // The reason is that the DXE version is not proper to provide *protection*.
  70   // BIOS should use SMM version variable driver to provide such capability.
  71   //
  72   VariableServiceSetVariable (
  73     MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME,
  74     &gEfiMemoryOverwriteRequestControlLockGuid,
  75     0,                                          // Attributes
  76     0,                                          // DataSize
  77     NULL                                        // Data
  78     );
  79
  80   //
  81   // Need set this variable to be read-only to prevent other module set it.
  82   //
  83   VariableLockRequestToLock (&mVariableLock, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, &gEfiMemoryOverwriteRequestControlLockGuid);
  84
  85   //
  86   // The MOR variable can effectively improve platform security only when the
  87   // MorLock variable protects the MOR variable. In turn MorLock cannot be made
  88   // secure without SMM support in the platform firmware (see above).
  89   //
  90   // Thus, delete the MOR variable, should it exist for any reason (some OSes
  91   // are known to create MOR unintentionally, in an attempt to set it), then
  92   // also lock the MOR variable, in order to prevent other modules from
  93   // creating it.
  94   //
  95   VariableServiceSetVariable (
  96     MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,
  97     &gEfiMemoryOverwriteControlDataGuid,
  98     0,                                      // Attributes
  99     0,                                      // DataSize
 100     NULL                                    // Data
 101     );
 102   VariableLockRequestToLock (
 103     &mVariableLock,
 104     MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,
 105     &gEfiMemoryOverwriteControlDataGuid
 106     );
 107
 108   return EFI_SUCCESS;
 109 }
 110
 111 /**
 112   Delayed initialization for MOR Control Lock at EndOfDxe.
 113
 114   This function performs any operations queued by MorLockInit().
 115 **/
 116 VOID
 117 MorLockInitAtEndOfDxe (
 118   VOID
 119   )
 120 {
 121   //
 122   // Do nothing.
 123   //
 124 }