MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c

   1 /** @file
   2   TCG MOR (Memory Overwrite Request) Lock Control support (DXE version).
   3
   4   This module clears MemoryOverwriteRequestControlLock variable to indicate
   5   MOR lock control unsupported.
   6
   7 Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
   8 This program and the accompanying materials
   9 are licensed and made available under the terms and conditions of the BSD License
  10 which accompanies this distribution.  The full text of the license may be found at
  11 http://opensource.org/licenses/bsd-license.php
  12
  13 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
  14 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
  15
  16 **/
  17
  18 #include <PiDxe.h>
  19 #include <Guid/MemoryOverwriteControl.h>
  20 #include <IndustryStandard/MemoryOverwriteRequestControlLock.h>
  21 #include <Library/DebugLib.h>
  22 #include <Library/BaseLib.h>
  23 #include <Library/BaseMemoryLib.h>
  24 #include "Variable.h"
  25
  26 extern EDKII_VARIABLE_LOCK_PROTOCOL     mVariableLock;
  27
  28 /**
  29   This service is an MOR/MorLock checker handler for the SetVariable().
  30
  31   @param[in]  VariableName the name of the vendor's variable, as a
  32                            Null-Terminated Unicode String
  33   @param[in]  VendorGuid   Unify identifier for vendor.
  34   @param[in]  Attributes   Attributes bitmask to set for the variable.
  35   @param[in]  DataSize     The size in bytes of Data-Buffer.
  36   @param[in]  Data         Point to the content of the variable.
  37
  38   @retval  EFI_SUCCESS            The MOR/MorLock check pass, and Variable
  39                                   driver can store the variable data.
  40   @retval  EFI_INVALID_PARAMETER  The MOR/MorLock data or data size or
  41                                   attributes is not allowed for MOR variable.
  42   @retval  EFI_ACCESS_DENIED      The MOR/MorLock is locked.
  43   @retval  EFI_ALREADY_STARTED    The MorLock variable is handled inside this
  44                                   function. Variable driver can just return
  45                                   EFI_SUCCESS.
  46 **/
  47 EFI_STATUS
  48 SetVariableCheckHandlerMor (
  49   IN CHAR16     *VariableName,
  50   IN EFI_GUID   *VendorGuid,
  51   IN UINT32     Attributes,
  52   IN UINTN      DataSize,
  53   IN VOID       *Data
  54   )
  55 {
  56   //
  57   // Just let it pass. No need provide protection for DXE version.
  58   //
  59   return EFI_SUCCESS;
  60 }
  61
  62 /**
  63   Initialization for MOR Control Lock.
  64
  65   @retval EFI_SUCCESS     MorLock initialization success.
  66   @return Others          Some error occurs.
  67 **/
  68 EFI_STATUS
  69 MorLockInit (
  70   VOID
  71   )
  72 {
  73   //
  74   // Always clear variable to report unsupported to OS.
  75   // The reason is that the DXE version is not proper to provide *protection*.
  76   // BIOS should use SMM version variable driver to provide such capability.
  77   //
  78   VariableServiceSetVariable (
  79     MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME,
  80     &gEfiMemoryOverwriteRequestControlLockGuid,
  81     0,                                          // Attributes
  82     0,                                          // DataSize
  83     NULL                                        // Data
  84     );
  85
  86   //
  87   // Need set this variable to be read-only to prevent other module set it.
  88   //
  89   VariableLockRequestToLock (&mVariableLock, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, &gEfiMemoryOverwriteRequestControlLockGuid);
  90
  91   //
  92   // The MOR variable can effectively improve platform security only when the
  93   // MorLock variable protects the MOR variable. In turn MorLock cannot be made
  94   // secure without SMM support in the platform firmware (see above).
  95   //
  96   // Thus, delete the MOR variable, should it exist for any reason (some OSes
  97   // are known to create MOR unintentionally, in an attempt to set it), then
  98   // also lock the MOR variable, in order to prevent other modules from
  99   // creating it.
 100   //
 101   VariableServiceSetVariable (
 102     MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,
 103     &gEfiMemoryOverwriteControlDataGuid,
 104     0,                                      // Attributes
 105     0,                                      // DataSize
 106     NULL                                    // Data
 107     );
 108   VariableLockRequestToLock (
 109     &mVariableLock,
 110     MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,
 111     &gEfiMemoryOverwriteControlDataGuid
 112     );
 113
 114   return EFI_SUCCESS;
 115 }
 116
 117 /**
 118   Delayed initialization for MOR Control Lock at EndOfDxe.
 119
 120   This function performs any operations queued by MorLockInit().
 121 **/
 122 VOID
 123 MorLockInitAtEndOfDxe (
 124   VOID
 125   )
 126 {
 127   //
 128   // Do nothing.
 129   //
 130 }