1 /** @file
2 The sample implementation for SMM variable protocol. And this driver
3 implements an SMI handler to communicate with the DXE runtime driver
4 to provide variable services.
5
6 Caution: This module requires additional review when modified.
7 This driver will have external input - variable data and communicate buffer in SMM mode.
8 This external input must be validated carefully to avoid security issue like
9 buffer overflow, integer overflow.
10
11 SmmVariableHandler() will receive untrusted input and do basic validation.
12
13 Each sub function VariableServiceGetVariable(), VariableServiceGetNextVariableName(),
14 VariableServiceSetVariable(), VariableServiceQueryVariableInfo(), ReclaimForOS(),
15 SmmVariableGetStatistics() should also do validation based on its own knowledge.
16
17 Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.<BR>
18 Copyright (c) 2018, Linaro, Ltd. All rights reserved.<BR>
19 This program and the accompanying materials
20 are licensed and made available under the terms and conditions of the BSD License
21 which accompanies this distribution. The full text of the license may be found at
22 http://opensource.org/licenses/bsd-license.php
23
24 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
25 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
26
27 **/
28
29 #include <Protocol/SmmVariable.h>
30 #include <Protocol/SmmFirmwareVolumeBlock.h>
31 #include <Protocol/SmmFaultTolerantWrite.h>
32 #include <Protocol/MmEndOfDxe.h>
33 #include <Protocol/SmmVarCheck.h>
34
35 #include <Library/MmServicesTableLib.h>
36
37 #include <Guid/SmmVariableCommon.h>
38 #include "Variable.h"
39
//
// Runtime flag. Set to TRUE by SmmVariableHandler() when it receives
// SMM_VARIABLE_FUNCTION_EXIT_BOOT_SERVICE and reported through AtRuntime().
//
BOOLEAN  mAtRuntime = FALSE;

//
// Pre-allocated SMM variable buffer payload and its size in bytes. Both are
// set up in MmVariableServiceInitialize(). SmmVariableHandler() copies the
// caller's communicate-buffer payload into this buffer before validating it,
// and rejects any payload larger than mVariableBufferPayloadSize.
//
UINT8  *mVariableBufferPayload = NULL;
UINTN  mVariableBufferPayloadSize;
43
/**
  SecureBoot Hook for SetVariable.

  In this file the hook is an empty stub: both parameters are ignored and
  nothing is done.

  @param[in] VariableName   Name of Variable to be found.
  @param[in] VendorGuid     Variable vendor GUID.

**/
VOID
EFIAPI
SecureBootHook (
  IN CHAR16    *VariableName,
  IN EFI_GUID  *VendorGuid
  )
{
  //
  // Intentionally empty.
  //
}
60
/**
  SetVariable() entry exposed through EFI_SMM_VARIABLE_PROTOCOL.

  Forwards the request to VariableServiceSetVariable() with mRequestSource
  switched to VarCheckFromTrusted for the duration of the call, then switches
  it back to VarCheckFromUntrusted.

  @param VariableName   Name of the variable, passed through unchanged.
  @param VendorGuid     Variable vendor GUID, passed through unchanged.
  @param Attributes     Attribute value, passed through unchanged.
  @param DataSize       Size of Data, passed through unchanged.
  @param Data           Data pointer, passed through unchanged.

  @return EFI_INVALID_PARAMETER   Invalid parameter.
  @return EFI_SUCCESS             Set successfully.
  @return EFI_OUT_OF_RESOURCES    Resource not enough to set variable.
  @return EFI_NOT_FOUND           Not found.
  @return EFI_WRITE_PROTECTED     Variable is read-only.

**/
EFI_STATUS
EFIAPI
SmmVariableSetVariable (
  IN CHAR16    *VariableName,
  IN EFI_GUID  *VendorGuid,
  IN UINT32    Attributes,
  IN UINTN     DataSize,
  IN VOID      *Data
  )
{
  EFI_STATUS  SetStatus;

  //
  // Callers of EFI_SMM_VARIABLE_PROTOCOL are treated as trusted: write
  // protection is disabled only while this one request is being served.
  //
  mRequestSource = VarCheckFromTrusted;
  SetStatus      = VariableServiceSetVariable (VariableName, VendorGuid, Attributes, DataSize, Data);

  //
  // Always fall back to the untrusted setting, whatever the call returned,
  // so that later requests do not inherit the trusted source.
  //
  mRequestSource = VarCheckFromUntrusted;

  return SetStatus;
}
105
//
// EFI_SMM_VARIABLE_PROTOCOL instance. SetVariable goes through
// SmmVariableSetVariable(); the other three members are the common variable
// services.
//
EFI_SMM_VARIABLE_PROTOCOL  gSmmVariable = {
  VariableServiceGetVariable,
  VariableServiceGetNextVariableName,
  SmmVariableSetVariable,
  VariableServiceQueryVariableInfo
};

//
// EDKII_SMM_VAR_CHECK_PROTOCOL instance.
//
EDKII_SMM_VAR_CHECK_PROTOCOL  mSmmVarCheck = {
  VarCheckRegisterSetVariableCheckHandler,
  VarCheckVariablePropertySet,
  VarCheckVariablePropertyGet
};
116
/**
  Return TRUE if ExitBootServices () has been called.

  The value reported is the module flag mAtRuntime, which SmmVariableHandler()
  sets when it handles SMM_VARIABLE_FUNCTION_EXIT_BOOT_SERVICE.

  @retval TRUE If ExitBootServices () has been called.
**/
BOOLEAN
AtRuntime (
  VOID
  )
{
  return mAtRuntime;
}
129
/**
  Lock initialization placeholder.

  In this file the function performs no initialization: Priority is ignored
  and Lock is returned untouched.

  @param  Lock       A pointer to the lock data structure.
  @param  Priority   EFI TPL associated with the lock (unused here).

  @return The Lock pointer that was passed in.

**/
EFI_LOCK *
InitializeLock (
  IN OUT EFI_LOCK  *Lock,
  IN     EFI_TPL   Priority
  )
{
  //
  // Nothing to set up; hand the pointer straight back.
  //
  return Lock;
}
154
/**
  Lock acquisition placeholder.

  In this file the function body is empty: no lock is taken, at boot time or
  at runtime.

  @param  Lock   A pointer to the lock to acquire (unused here).

**/
VOID
AcquireLockOnlyAtBootTime (
  IN EFI_LOCK  *Lock
  )
{
  //
  // Intentionally empty.
  //
}
174
175
/**
  Lock release placeholder.

  In this file the function body is empty: no lock is released, at boot time
  or at runtime.

  @param  Lock   A pointer to the lock to release (unused here).

**/
VOID
ReleaseLockOnlyAtBootTime (
  IN EFI_LOCK  *Lock
  )
{
  //
  // Intentionally empty.
  //
}
195
/**
  Retrieve the SMM Fault Tolerant Write protocol interface.

  @param[out] FtwProtocol       The interface of SMM Ftw protocol

  @retval EFI_SUCCESS           The SMM FTW protocol instance was found and returned in FtwProtocol.
  @retval EFI_NOT_FOUND         The SMM FTW protocol instance was not found.
  @retval EFI_INVALID_PARAMETER FtwProtocol is NULL.

**/
EFI_STATUS
GetFtwProtocol (
  OUT VOID  **FtwProtocol
  )
{
  //
  // Locate the SMM Fault Tolerant Write protocol and return the lookup
  // status as is.
  //
  return gMmst->MmLocateProtocol (
                  &gEfiSmmFaultTolerantWriteProtocolGuid,
                  NULL,
                  FtwProtocol
                  );
}
223
224
/**
  Retrieve the SMM FVB protocol interface by HANDLE.

  @param[in]  FvBlockHandle     The handle of SMM FVB protocol that provides services for
                                reading, writing, and erasing the target block.
  @param[out] FvBlock           The interface of SMM FVB protocol

  @retval EFI_SUCCESS           The interface information for the specified protocol was returned.
  @retval EFI_UNSUPPORTED       The device does not support the SMM FVB protocol.
  @retval EFI_INVALID_PARAMETER FvBlockHandle is not a valid EFI_HANDLE or FvBlock is NULL.

**/
EFI_STATUS
GetFvbByHandle (
  IN  EFI_HANDLE                          FvBlockHandle,
  OUT EFI_FIRMWARE_VOLUME_BLOCK_PROTOCOL  **FvBlock
  )
{
  EFI_STATUS  Status;

  //
  // Ask the MM services table for the SMM FVB interface on this handle.
  //
  Status = gMmst->MmHandleProtocol (
                    FvBlockHandle,
                    &gEfiSmmFirmwareVolumeBlockProtocolGuid,
                    (VOID **) FvBlock
                    );

  return Status;
}
252
253
/**
  Function returns an array of handles that support the SMM FVB protocol
  in a buffer allocated from pool.

  The handle array is allocated with AllocatePool(). On any failure the
  outputs are left as zero handles and a NULL buffer.

  @param[out]  NumberHandles    The number of handles returned in Buffer.
  @param[out]  Buffer           A pointer to the buffer to return the requested
                                array of handles that support SMM FVB protocol.

  @retval EFI_SUCCESS           The array of handles was returned in Buffer, and the number of
                                handles in Buffer was returned in NumberHandles.
  @retval EFI_NOT_FOUND         No SMM FVB handle was found.
  @retval EFI_OUT_OF_RESOURCES  There is not enough pool memory to store the matching results.
  @retval EFI_INVALID_PARAMETER NumberHandles is NULL or Buffer is NULL.

**/
EFI_STATUS
GetFvbCountAndBuffer (
  OUT UINTN       *NumberHandles,
  OUT EFI_HANDLE  **Buffer
  )
{
  EFI_STATUS  Status;
  UINTN       HandleBytes;
  EFI_HANDLE  *Handles;

  if ((NumberHandles == NULL) || (Buffer == NULL)) {
    return EFI_INVALID_PARAMETER;
  }

  //
  // Start from the "nothing found" state so every early return is consistent.
  //
  *NumberHandles = 0;
  *Buffer        = NULL;

  //
  // First pass: zero-sized query, used only to learn the required size.
  // EFI_BUFFER_TOO_SMALL is the expected answer; other errors mean no handle.
  //
  HandleBytes = 0;
  Status      = gMmst->MmLocateHandle (
                         ByProtocol,
                         &gEfiSmmFirmwareVolumeBlockProtocolGuid,
                         NULL,
                         &HandleBytes,
                         NULL
                         );
  if (EFI_ERROR (Status) && (Status != EFI_BUFFER_TOO_SMALL)) {
    return EFI_NOT_FOUND;
  }

  Handles = AllocatePool (HandleBytes);
  if (Handles == NULL) {
    return EFI_OUT_OF_RESOURCES;
  }

  //
  // Second pass: fetch the handles into the freshly allocated array.
  //
  Status = gMmst->MmLocateHandle (
                    ByProtocol,
                    &gEfiSmmFirmwareVolumeBlockProtocolGuid,
                    NULL,
                    &HandleBytes,
                    Handles
                    );
  if (EFI_ERROR (Status)) {
    //
    // Outputs are still 0 / NULL; just drop the allocation.
    //
    FreePool (Handles);
    return Status;
  }

  *Buffer        = Handles;
  *NumberHandles = HandleBytes / sizeof (EFI_HANDLE);

  return Status;
}
318
319
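/**
  Get the variable statistics information from the information buffer pointed by gVariableInfo.

  Caution: This function may be invoked at SMM runtime.
  InfoEntry and InfoSize are external input. Care must be taken to make sure there is no
  security issue at runtime.

  @param[in, out]  InfoEntry    A pointer to the buffer of variable information entry.
                                On input, point to the variable information returned last time. if
                                InfoEntry->VendorGuid is zero, return the first information.
                                On output, point to the next variable information.
  @param[in, out]  InfoSize     On input, the size of the variable information buffer.
                                On output, the returned variable information size.

  @retval EFI_SUCCESS           The variable information is found and returned successfully.
                                *InfoSize is set to 0 when there is no further entry.
  @retval EFI_UNSUPPORTED       No variable information exists in variable driver. The
                                PcdVariableCollectStatistics should be set TRUE to support it.
  @retval EFI_BUFFER_TOO_SMALL  The buffer is too small to hold the next variable information.
                                *InfoSize is set to the required size.
  @retval EFI_INVALID_PARAMETER InfoEntry or InfoSize is NULL.

**/
EFI_STATUS
SmmVariableGetStatistics (
  IN OUT VARIABLE_INFO_ENTRY  *InfoEntry,
  IN OUT UINTN                *InfoSize
  )
{
  VARIABLE_INFO_ENTRY  *VariableInfo;
  UINTN                NameSize;
  UINTN                StatisticsInfoSize;
  CHAR16               *InfoName;
  UINTN                InfoNameMaxSize;
  EFI_GUID             VendorGuid;

  //
  // InfoSize is dereferenced below, so reject a NULL pointer for it as well
  // as for InfoEntry.
  //
  if ((InfoEntry == NULL) || (InfoSize == NULL)) {
    return EFI_INVALID_PARAMETER;
  }

  VariableInfo = gVariableInfo;
  if (VariableInfo == NULL) {
    return EFI_UNSUPPORTED;
  }

  //
  // The caller's buffer must hold at least the fixed-size entry before any
  // field of InfoEntry is read.
  //
  StatisticsInfoSize = sizeof (VARIABLE_INFO_ENTRY);
  if (*InfoSize < StatisticsInfoSize) {
    *InfoSize = StatisticsInfoSize;
    return EFI_BUFFER_TOO_SMALL;
  }

  //
  // The name travels right after the fixed-size entry; InfoNameMaxSize is the
  // number of bytes the caller's buffer leaves for it.
  //
  InfoName        = (CHAR16 *)(InfoEntry + 1);
  InfoNameMaxSize = (*InfoSize - sizeof (VARIABLE_INFO_ENTRY));

  //
  // Take a local copy of the GUID so that every later comparison uses the
  // same value even if the caller's buffer changes in the meantime.
  //
  CopyGuid (&VendorGuid, &InfoEntry->VendorGuid);

  if (IsZeroGuid (&VendorGuid)) {
    //
    // Return the first variable info
    //
    NameSize           = StrSize (VariableInfo->Name);
    StatisticsInfoSize = sizeof (VARIABLE_INFO_ENTRY) + NameSize;
    if (*InfoSize < StatisticsInfoSize) {
      *InfoSize = StatisticsInfoSize;
      return EFI_BUFFER_TOO_SMALL;
    }

    //
    // NOTE(review): the whole structure is copied out, including its Name and
    // Next pointer fields. If gVariableInfo entries live in SMRAM this tells
    // the caller their addresses - consider clearing those fields in the
    // output copy after confirming no consumer relies on them.
    //
    CopyMem (InfoEntry, VariableInfo, sizeof (VARIABLE_INFO_ENTRY));
    CopyMem (InfoName, VariableInfo->Name, NameSize);
    *InfoSize = StatisticsInfoSize;
    return EFI_SUCCESS;
  }

  //
  // Get the next variable info: walk the list until the entry named by the
  // caller is found, then step to its successor.
  //
  while (VariableInfo != NULL) {
    if (CompareGuid (&VariableInfo->VendorGuid, &VendorGuid)) {
      NameSize = StrSize (VariableInfo->Name);
      //
      // Compare names only when the stored name fits into the space the
      // caller supplied, so the comparison never reads past the caller's
      // buffer.
      //
      if (NameSize <= InfoNameMaxSize) {
        if (CompareMem (VariableInfo->Name, InfoName, NameSize) == 0) {
          //
          // Find the match one
          //
          VariableInfo = VariableInfo->Next;
          break;
        }
      }
    }

    VariableInfo = VariableInfo->Next;
  }

  if (VariableInfo == NULL) {
    //
    // No match, or the match was the last entry: report an empty result.
    //
    *InfoSize = 0;
    return EFI_SUCCESS;
  }

  //
  // Output the new variable info
  //
  NameSize           = StrSize (VariableInfo->Name);
  StatisticsInfoSize = sizeof (VARIABLE_INFO_ENTRY) + NameSize;
  if (*InfoSize < StatisticsInfoSize) {
    *InfoSize = StatisticsInfoSize;
    return EFI_BUFFER_TOO_SMALL;
  }

  //
  // Same pointer-field caveat as for the first-entry copy above.
  //
  CopyMem (InfoEntry, VariableInfo, sizeof (VARIABLE_INFO_ENTRY));
  CopyMem (InfoName, VariableInfo->Name, NameSize);
  *InfoSize = StatisticsInfoSize;

  return EFI_SUCCESS;
}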
428
429
/**
  Communication service SMI Handler entry.

  This SMI handler provides services for the variable wrapper driver.

  Caution: This function may receive untrusted input.
  The variable data and communicate buffer are external input, so this function will do basic validation.
  Each sub function VariableServiceGetVariable(), VariableServiceGetNextVariableName(),
  VariableServiceSetVariable(), VariableServiceQueryVariableInfo(), ReclaimForOS(),
  SmmVariableGetStatistics() should also do validation based on its own knowledge.

  Every return statement in this function returns EFI_SUCCESS. The result of the
  requested operation is written to the ReturnStatus field of the communicate
  header; the early returns taken for a malformed buffer leave that field untouched.

  @param[in]     DispatchHandle  The unique handle assigned to this handler by SmiHandlerRegister().
  @param[in]     RegisterContext Points to an optional handler context which was specified when the
                                 handler was registered.
  @param[in, out] CommBuffer     A pointer to a collection of data in memory that will
                                 be conveyed from a non-SMM environment into an SMM environment.
  @param[in, out] CommBufferSize The size of the CommBuffer.

  @retval EFI_SUCCESS                         The interrupt was handled and quiesced. No other handlers
                                              should still be called.
  @retval EFI_WARN_INTERRUPT_SOURCE_QUIESCED  The interrupt has been quiesced but other handlers should
                                              still be called.
  @retval EFI_WARN_INTERRUPT_SOURCE_PENDING   The interrupt is still pending and other handlers should still
                                              be called.
  @retval EFI_INTERRUPT_PENDING               The interrupt could not be quiesced.
**/
EFI_STATUS
EFIAPI
SmmVariableHandler (
  IN     EFI_HANDLE                                DispatchHandle,
  IN     CONST VOID                                *RegisterContext,
  IN OUT VOID                                      *CommBuffer,
  IN OUT UINTN                                     *CommBufferSize
  )
{
  EFI_STATUS                                       Status;
  SMM_VARIABLE_COMMUNICATE_HEADER                  *SmmVariableFunctionHeader;
  SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE         *SmmVariableHeader;
  SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME  *GetNextVariableName;
  SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO     *QueryVariableInfo;
  SMM_VARIABLE_COMMUNICATE_GET_PAYLOAD_SIZE        *GetPayloadSize;
  VARIABLE_INFO_ENTRY                              *VariableInfo;
  SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE           *VariableToLock;
  SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY *CommVariableProperty;
  UINTN                                            InfoSize;
  UINTN                                            NameBufferSize;
  UINTN                                            CommBufferPayloadSize;
  UINTN                                            TempCommBufferSize;

  //
  // If input is invalid, stop processing this SMI
  //
  if (CommBuffer == NULL || CommBufferSize == NULL) {
    return EFI_SUCCESS;
  }

  //
  // Read the size once into a local; all later checks use this snapshot.
  //
  TempCommBufferSize = *CommBufferSize;

  //
  // The buffer must at least hold the communicate header, otherwise the
  // subtraction below would underflow.
  //
  if (TempCommBufferSize < SMM_VARIABLE_COMMUNICATE_HEADER_SIZE) {
    DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer size invalid!\n"));
    return EFI_SUCCESS;
  }
  CommBufferPayloadSize = TempCommBufferSize - SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;
  //
  // The payload is later copied into mVariableBufferPayload, so it must not
  // be larger than that buffer.
  //
  if (CommBufferPayloadSize > mVariableBufferPayloadSize) {
    DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer payload size invalid!\n"));
    return EFI_SUCCESS;
  }

  //
  // Reject a communicate buffer that overlaps SMRAM or whose range overflows,
  // since this handler both reads from and writes to it.
  //
  if (!VariableSmmIsBufferOutsideSmmValid ((UINTN)CommBuffer, TempCommBufferSize)) {
    DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer in SMRAM or overflow!\n"));
    return EFI_SUCCESS;
  }

  //
  // The Function code is read directly from the communicate buffer.
  //
  SmmVariableFunctionHeader = (SMM_VARIABLE_COMMUNICATE_HEADER *)CommBuffer;
  switch (SmmVariableFunctionHeader->Function) {
    case SMM_VARIABLE_FUNCTION_GET_VARIABLE:
      if (CommBufferPayloadSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) {
        DEBUG ((EFI_D_ERROR, "GetVariable: SMM communication buffer size invalid!\n"));
        return EFI_SUCCESS;
      }
      //
      // Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.
      // All checks below are made on this copy, so the caller cannot change
      // a field between the check and its use.
      //
      CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize);
      SmmVariableHeader = (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *) mVariableBufferPayload;
      if (((UINTN)(~0) - SmmVariableHeader->DataSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) ||
         ((UINTN)(~0) - SmmVariableHeader->NameSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + SmmVariableHeader->DataSize)) {
        //
        // Prevent InfoSize overflow happen
        //
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }
      InfoSize = OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)
                 + SmmVariableHeader->DataSize + SmmVariableHeader->NameSize;

      //
      // SMRAM range check already covered before
      // The header, name and data described by the request must all lie
      // inside the payload that was actually copied.
      //
      if (InfoSize > CommBufferPayloadSize) {
        DEBUG ((EFI_D_ERROR, "GetVariable: Data size exceed communication buffer size limit!\n"));
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }

      //
      // The VariableSpeculationBarrier() call here is to ensure the previous
      // range/content checks for the CommBuffer have been completed before the
      // subsequent consumption of the CommBuffer content.
      //
      VariableSpeculationBarrier ();
      if (SmmVariableHeader->NameSize < sizeof (CHAR16) || SmmVariableHeader->Name[SmmVariableHeader->NameSize/sizeof (CHAR16) - 1] != L'\0') {
        //
        // Make sure VariableName is A Null-terminated string.
        //
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }

      //
      // The data area handed to the service starts right after the name,
      // inside the SMM payload copy.
      //
      Status = VariableServiceGetVariable (
                 SmmVariableHeader->Name,
                 &SmmVariableHeader->Guid,
                 &SmmVariableHeader->Attributes,
                 &SmmVariableHeader->DataSize,
                 (UINT8 *)SmmVariableHeader->Name + SmmVariableHeader->NameSize
                 );
      //
      // Publish the result by copying the whole payload back to the caller.
      //
      CopyMem (SmmVariableFunctionHeader->Data, mVariableBufferPayload, CommBufferPayloadSize);
      break;

    case SMM_VARIABLE_FUNCTION_GET_NEXT_VARIABLE_NAME:
      if (CommBufferPayloadSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name)) {
        DEBUG ((EFI_D_ERROR, "GetNextVariableName: SMM communication buffer size invalid!\n"));
        return EFI_SUCCESS;
      }
      //
      // Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.
      //
      CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize);
      GetNextVariableName = (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *) mVariableBufferPayload;
      if ((UINTN)(~0) - GetNextVariableName->NameSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name)) {
        //
        // Prevent InfoSize overflow happen
        //
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }
      InfoSize = OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name) + GetNextVariableName->NameSize;

      //
      // SMRAM range check already covered before
      //
      if (InfoSize > CommBufferPayloadSize) {
        DEBUG ((EFI_D_ERROR, "GetNextVariableName: Data size exceed communication buffer size limit!\n"));
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }

      //
      // The terminator is checked at the last CHAR16 of the copied payload
      // (an index derived from the payload size), not at NameSize.
      //
      NameBufferSize = CommBufferPayloadSize - OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name);
      if (NameBufferSize < sizeof (CHAR16) || GetNextVariableName->Name[NameBufferSize/sizeof (CHAR16) - 1] != L'\0') {
        //
        // Make sure input VariableName is A Null-terminated string.
        //
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }

      Status = VariableServiceGetNextVariableName (
                 &GetNextVariableName->NameSize,
                 GetNextVariableName->Name,
                 &GetNextVariableName->Guid
                 );
      CopyMem (SmmVariableFunctionHeader->Data, mVariableBufferPayload, CommBufferPayloadSize);
      break;

    case SMM_VARIABLE_FUNCTION_SET_VARIABLE:
      if (CommBufferPayloadSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) {
        DEBUG ((EFI_D_ERROR, "SetVariable: SMM communication buffer size invalid!\n"));
        return EFI_SUCCESS;
      }
      //
      // Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.
      //
      CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize);
      SmmVariableHeader = (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *) mVariableBufferPayload;
      if (((UINTN)(~0) - SmmVariableHeader->DataSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) ||
         ((UINTN)(~0) - SmmVariableHeader->NameSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + SmmVariableHeader->DataSize)) {
        //
        // Prevent InfoSize overflow happen
        //
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }
      InfoSize = OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)
                 + SmmVariableHeader->DataSize + SmmVariableHeader->NameSize;

      //
      // SMRAM range check already covered before
      // Data buffer should not contain SMM range
      //
      if (InfoSize > CommBufferPayloadSize) {
        DEBUG ((EFI_D_ERROR, "SetVariable: Data size exceed communication buffer size limit!\n"));
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }

      //
      // The VariableSpeculationBarrier() call here is to ensure the previous
      // range/content checks for the CommBuffer have been completed before the
      // subsequent consumption of the CommBuffer content.
      //
      VariableSpeculationBarrier ();
      if (SmmVariableHeader->NameSize < sizeof (CHAR16) || SmmVariableHeader->Name[SmmVariableHeader->NameSize/sizeof (CHAR16) - 1] != L'\0') {
        //
        // Make sure VariableName is A Null-terminated string.
        //
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }

      //
      // Unlike SmmVariableSetVariable(), this path calls the service without
      // switching mRequestSource to VarCheckFromTrusted. Nothing is copied
      // back to the caller; only ReturnStatus reports the outcome.
      //
      Status = VariableServiceSetVariable (
                 SmmVariableHeader->Name,
                 &SmmVariableHeader->Guid,
                 SmmVariableHeader->Attributes,
                 SmmVariableHeader->DataSize,
                 (UINT8 *)SmmVariableHeader->Name + SmmVariableHeader->NameSize
                 );
      break;

    case SMM_VARIABLE_FUNCTION_QUERY_VARIABLE_INFO:
      if (CommBufferPayloadSize < sizeof (SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO)) {
        DEBUG ((EFI_D_ERROR, "QueryVariableInfo: SMM communication buffer size invalid!\n"));
        return EFI_SUCCESS;
      }
      //
      // This request is served in place on the communicate buffer: Attributes
      // is passed by value and the three results are written straight into it.
      //
      QueryVariableInfo = (SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO *) SmmVariableFunctionHeader->Data;

      Status = VariableServiceQueryVariableInfo (
                 QueryVariableInfo->Attributes,
                 &QueryVariableInfo->MaximumVariableStorageSize,
                 &QueryVariableInfo->RemainingVariableStorageSize,
                 &QueryVariableInfo->MaximumVariableSize
                 );
      break;

    case SMM_VARIABLE_FUNCTION_GET_PAYLOAD_SIZE:
      if (CommBufferPayloadSize < sizeof (SMM_VARIABLE_COMMUNICATE_GET_PAYLOAD_SIZE)) {
        DEBUG ((EFI_D_ERROR, "GetPayloadSize: SMM communication buffer size invalid!\n"));
        return EFI_SUCCESS;
      }
      //
      // Report the size of the SMM payload buffer to the caller.
      //
      GetPayloadSize = (SMM_VARIABLE_COMMUNICATE_GET_PAYLOAD_SIZE *) SmmVariableFunctionHeader->Data;
      GetPayloadSize->VariablePayloadSize = mVariableBufferPayloadSize;
      Status = EFI_SUCCESS;
      break;

    case SMM_VARIABLE_FUNCTION_READY_TO_BOOT:
      if (AtRuntime()) {
        Status = EFI_UNSUPPORTED;
        break;
      }
      //
      // Same sequence as SmmEndOfDxeCallback(), run only if End of DXE has
      // not been processed yet.
      //
      if (!mEndOfDxe) {
        MorLockInitAtEndOfDxe ();
        mEndOfDxe = TRUE;
        VarCheckLibInitializeAtEndOfDxe (NULL);
        //
        // The initialization for variable quota.
        //
        InitializeVariableQuota ();
      }
      ReclaimForOS ();
      Status = EFI_SUCCESS;
      break;

    case SMM_VARIABLE_FUNCTION_EXIT_BOOT_SERVICE:
      //
      // One-way switch: nothing in this file sets mAtRuntime back to FALSE.
      //
      mAtRuntime = TRUE;
      Status = EFI_SUCCESS;
      break;

    case SMM_VARIABLE_FUNCTION_GET_STATISTICS:
      //
      // Served in place on the communicate buffer. There is no minimum-size
      // check in this case; SmmVariableGetStatistics() compares InfoSize with
      // sizeof (VARIABLE_INFO_ENTRY) before it reads the entry.
      //
      VariableInfo = (VARIABLE_INFO_ENTRY *) SmmVariableFunctionHeader->Data;
      InfoSize = TempCommBufferSize - SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;

      //
      // Do not need to check SmmVariableFunctionHeader->Data in SMRAM here.
      // It is covered by previous CommBuffer check
      //

      //
      // Do not need to check CommBufferSize buffer as it should point to SMRAM
      // that was used by SMM core to cache CommSize from SmmCommunication protocol.
      //

      Status = SmmVariableGetStatistics (VariableInfo, &InfoSize);
      *CommBufferSize = InfoSize + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;
      break;

    case SMM_VARIABLE_FUNCTION_LOCK_VARIABLE:
      //
      // Lock requests are refused once mEndOfDxe is TRUE.
      // NOTE(review): before that point Name and Guid are used directly from
      // the communicate buffer, with no payload-size check, no copy into the
      // SMM payload buffer and no NUL-termination check in this function -
      // confirm that every caller able to reach this case before End of DXE
      // is trusted on the target platform.
      //
      if (mEndOfDxe) {
        Status = EFI_ACCESS_DENIED;
      } else {
        VariableToLock = (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE *) SmmVariableFunctionHeader->Data;
        Status = VariableLockRequestToLock (
                   NULL,
                   VariableToLock->Name,
                   &VariableToLock->Guid
                   );
      }
      break;
    case SMM_VARIABLE_FUNCTION_VAR_CHECK_VARIABLE_PROPERTY_SET:
      //
      // Property changes are refused once mEndOfDxe is TRUE.
      // NOTE(review): as in the LOCK_VARIABLE case, the request is consumed
      // in place from the communicate buffer without size or terminator
      // checks in this function - confirm pre-End-of-DXE callers are trusted.
      //
      if (mEndOfDxe) {
        Status = EFI_ACCESS_DENIED;
      } else {
        CommVariableProperty = (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY *) SmmVariableFunctionHeader->Data;
        Status = VarCheckVariablePropertySet (
                   CommVariableProperty->Name,
                   &CommVariableProperty->Guid,
                   &CommVariableProperty->VariableProperty
                   );
      }
      break;
    case SMM_VARIABLE_FUNCTION_VAR_CHECK_VARIABLE_PROPERTY_GET:
      if (CommBufferPayloadSize < OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name)) {
        DEBUG ((EFI_D_ERROR, "VarCheckVariablePropertyGet: SMM communication buffer size invalid!\n"));
        return EFI_SUCCESS;
      }
      //
      // Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.
      //
      CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize);
      CommVariableProperty = (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY *) mVariableBufferPayload;
      if ((UINTN) (~0) - CommVariableProperty->NameSize < OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name)) {
        //
        // Prevent InfoSize overflow happen
        //
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }
      InfoSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name) + CommVariableProperty->NameSize;

      //
      // SMRAM range check already covered before
      //
      if (InfoSize > CommBufferPayloadSize) {
        DEBUG ((EFI_D_ERROR, "VarCheckVariablePropertyGet: Data size exceed communication buffer size limit!\n"));
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }

      //
      // The VariableSpeculationBarrier() call here is to ensure the previous
      // range/content checks for the CommBuffer have been completed before the
      // subsequent consumption of the CommBuffer content.
      //
      VariableSpeculationBarrier ();
      if (CommVariableProperty->NameSize < sizeof (CHAR16) || CommVariableProperty->Name[CommVariableProperty->NameSize/sizeof (CHAR16) - 1] != L'\0') {
        //
        // Make sure VariableName is A Null-terminated string.
        //
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }

      Status = VarCheckVariablePropertyGet (
                 CommVariableProperty->Name,
                 &CommVariableProperty->Guid,
                 &CommVariableProperty->VariableProperty
                 );
      CopyMem (SmmVariableFunctionHeader->Data, mVariableBufferPayload, CommBufferPayloadSize);
      break;

    default:
      //
      // Unknown function code.
      //
      Status = EFI_UNSUPPORTED;
  }

EXIT:

  //
  // Report the operation result through the communicate header. Validation
  // failures that jump here skip the copy-back, so the caller's payload is
  // left as it was.
  //
  SmmVariableFunctionHeader->ReturnStatus = Status;

  return EFI_SUCCESS;
}
808
/**
  SMM END_OF_DXE protocol notification event handler.

  Sets mEndOfDxe, after which SmmVariableHandler() refuses the LOCK_VARIABLE
  and VAR_CHECK_VARIABLE_PROPERTY_SET requests.

  @param  Protocol   Points to the protocol's unique identifier
  @param  Interface  Points to the interface instance
  @param  Handle     The handle on which the interface was installed

  @retval EFI_SUCCESS   SmmEndOfDxeCallback runs successfully

**/
EFI_STATUS
EFIAPI
SmmEndOfDxeCallback (
  IN CONST EFI_GUID  *Protocol,
  IN VOID            *Interface,
  IN EFI_HANDLE      Handle
  )
{
  DEBUG ((EFI_D_INFO, "[Variable]SMM_END_OF_DXE is signaled\n"));

  //
  // End-of-DXE sequence; the order of these calls is kept as is.
  //
  MorLockInitAtEndOfDxe ();
  mEndOfDxe = TRUE;
  VarCheckLibInitializeAtEndOfDxe (NULL);

  //
  // The initialization for variable quota.
  //
  InitializeVariableQuota ();

  //
  // Reclaiming here is optional and controlled by a PCD.
  //
  if (!PcdGetBool (PcdReclaimVariableSpaceAtEndOfDxe)) {
    return EFI_SUCCESS;
  }

  ReclaimForOS ();

  return EFI_SUCCESS;
}
841
/**
  Initializes variable write service for SMM.

  A failure of VariableWriteServiceInitialize() is only logged; the wrapper
  driver is notified in either case.

**/
VOID
VariableWriteServiceInitializeSmm (
  VOID
  )
{
  EFI_STATUS  InitStatus;

  InitStatus = VariableWriteServiceInitialize ();
  if (EFI_ERROR (InitStatus)) {
    DEBUG ((DEBUG_ERROR, "Variable write service initialization failed. Status = %r\n", InitStatus));
  }

  //
  // Notify the variable wrapper driver the variable write service is ready
  //
  VariableNotifySmmWriteReady ();
}
863
/**
  SMM Fault Tolerant Write protocol notification event handler.

  Non-Volatile variable write may need FTW protocol to reclaim when
  writing variable.

  The three parameters are not used by this function; MmVariableServiceInitialize()
  also calls it directly with NULL for each of them.

  @param  Protocol   Points to the protocol's unique identifier
  @param  Interface  Points to the interface instance
  @param  Handle     The handle on which the interface was installed

  @retval EFI_SUCCESS     SmmEventCallback runs successfully
  @retval EFI_NOT_FOUND   The Fvb protocol for variable is not found.

**/
EFI_STATUS
EFIAPI
SmmFtwNotificationEvent (
  IN CONST EFI_GUID  *Protocol,
  IN VOID            *Interface,
  IN EFI_HANDLE      Handle
  )
{
  EFI_STATUS                              Status;
  EFI_SMM_FAULT_TOLERANT_WRITE_PROTOCOL   *Ftw;
  EFI_SMM_FIRMWARE_VOLUME_BLOCK_PROTOCOL  *Fvb;
  EFI_PHYSICAL_ADDRESS                    NvBase;
  UINTN                                   MaxBlockSize;

  //
  // Already set up by an earlier invocation: nothing left to do.
  //
  if (mVariableModuleGlobal->FvbInstance != NULL) {
    return EFI_SUCCESS;
  }

  //
  // Ensure SMM FTW protocol is installed.
  //
  Status = GetFtwProtocol ((VOID **)&Ftw);
  if (EFI_ERROR (Status)) {
    return Status;
  }

  //
  // Sanity check only: the variable storage is expected to fit into one FTW
  // block. A failing GetMaxBlockSize() is ignored.
  //
  Status = Ftw->GetMaxBlockSize (Ftw, &MaxBlockSize);
  if (!EFI_ERROR (Status)) {
    ASSERT (PcdGet32 (PcdFlashNvStorageVariableSize) <= MaxBlockSize);
  }

  //
  // Let NonVolatileVariableBase point to flash variable store base directly after FTW ready.
  // The store starts HeaderLength bytes after the NV storage base.
  //
  NvBase = NV_STORAGE_VARIABLE_BASE;
  mVariableModuleGlobal->VariableGlobal.NonVolatileVariableBase = NvBase + mNvFvHeaderCache->HeaderLength;

  //
  // Find the proper FVB protocol for variable.
  //
  Status = GetFvbInfoByAddress (NvBase, NULL, &Fvb);
  if (EFI_ERROR (Status)) {
    return EFI_NOT_FOUND;
  }

  mVariableModuleGlobal->FvbInstance = Fvb;

  //
  // Initializes variable write service after FTW was ready.
  //
  VariableWriteServiceInitializeSmm ();

  return EFI_SUCCESS;
}
935
936
/**
  Variable Driver main entry point.

  Runs the common variable initialization, installs the SMM variable protocol
  and the SMM VarCheck protocol on one new handle, allocates the SMM variable
  buffer payload, registers SmmVariableHandler() as the variable SMI handler,
  and registers the End-of-DXE and FTW protocol notifications.

  @retval EFI_SUCCESS   Variable service successfully initialized.

**/
EFI_STATUS
EFIAPI
MmVariableServiceInitialize (
  VOID
  )
{
  EFI_STATUS  Status;
  EFI_HANDLE  VariableHandle;
  VOID        *FtwNotifyRegistration;
  VOID        *EndOfDxeNotifyRegistration;

  //
  // Variable initialize.
  //
  Status = VariableCommonInitialize ();
  ASSERT_EFI_ERROR (Status);

  //
  // Install the Smm Variable Protocol on a new handle, then add the VarCheck
  // protocol to that same handle.
  //
  VariableHandle = NULL;
  Status         = gMmst->MmInstallProtocolInterface (
                            &VariableHandle,
                            &gEfiSmmVariableProtocolGuid,
                            EFI_NATIVE_INTERFACE,
                            &gSmmVariable
                            );
  ASSERT_EFI_ERROR (Status);

  Status = gMmst->MmInstallProtocolInterface (
                    &VariableHandle,
                    &gEdkiiSmmVarCheckProtocolGuid,
                    EFI_NATIVE_INTERFACE,
                    &mSmmVarCheck
                    );
  ASSERT_EFI_ERROR (Status);

  //
  // Size and allocate the buffer that SmmVariableHandler() copies each
  // request payload into.
  //
  mVariableBufferPayloadSize = GetMaxVariableSize () +
                               OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name) - GetVariableHeaderSize ();

  Status = gMmst->MmAllocatePool (
                    EfiRuntimeServicesData,
                    mVariableBufferPayloadSize,
                    (VOID **)&mVariableBufferPayload
                    );
  //
  // NOTE(review): the allocation result is checked by ASSERT only. In a build
  // where asserts are disabled, a failed allocation would leave
  // mVariableBufferPayload NULL while the SMI handler below is still
  // registered and copies into it - confirm the build configuration or
  // consider a hard failure path.
  //
  ASSERT_EFI_ERROR (Status);

  ///
  /// Register SMM variable SMI handler
  ///
  VariableHandle = NULL;
  Status         = gMmst->MmiHandlerRegister (SmmVariableHandler, &gEfiSmmVariableProtocolGuid, &VariableHandle);
  ASSERT_EFI_ERROR (Status);

  //
  // Notify the variable wrapper driver the variable service is ready
  //
  VariableNotifySmmReady ();

  //
  // Register EFI_SMM_END_OF_DXE_PROTOCOL_GUID notify function.
  //
  Status = gMmst->MmRegisterProtocolNotify (
                    &gEfiMmEndOfDxeProtocolGuid,
                    SmmEndOfDxeCallback,
                    &EndOfDxeNotifyRegistration
                    );
  ASSERT_EFI_ERROR (Status);

  //
  // Register FtwNotificationEvent () notify function.
  //
  Status = gMmst->MmRegisterProtocolNotify (
                    &gEfiSmmFaultTolerantWriteProtocolGuid,
                    SmmFtwNotificationEvent,
                    &FtwNotifyRegistration
                    );
  ASSERT_EFI_ERROR (Status);

  //
  // Run the FTW handler once by hand in case the protocol is already
  // installed; its return value is not examined.
  //
  SmmFtwNotificationEvent (NULL, NULL, NULL);

  return EFI_SUCCESS;
}
1029
1030