MdeModulePkg VariableSmm: Do not need check CommBufferSize buffer
1 /** @file
2 The sample implementation for the SMM variable protocol. This driver
3 implements an SMI handler that communicates with the DXE runtime driver
4 to provide variable services.
5
6 Caution: This module requires additional review when modified.
7 This driver receives external input - variable data and the communication buffer - in SMM mode.
8 This external input must be validated carefully to avoid security issues such as
9 buffer overflow and integer overflow.
10
11 SmmVariableHandler() will receive untrusted input and do basic validation.
12
13 Each sub function VariableServiceGetVariable(), VariableServiceGetNextVariableName(),
14 VariableServiceSetVariable(), VariableServiceQueryVariableInfo(), ReclaimForOS(),
15 SmmVariableGetStatistics() should also do validation based on its own knowledge.
16
17 Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.<BR>
18 This program and the accompanying materials
19 are licensed and made available under the terms and conditions of the BSD License
20 which accompanies this distribution. The full text of the license may be found at
21 http://opensource.org/licenses/bsd-license.php
22
23 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
24 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
25
26 **/
27
28 #include <Protocol/SmmVariable.h>
29 #include <Protocol/SmmFirmwareVolumeBlock.h>
30 #include <Protocol/SmmFaultTolerantWrite.h>
31 #include <Protocol/SmmEndOfDxe.h>
32 #include <Protocol/SmmVarCheck.h>
33
34 #include <Library/SmmServicesTableLib.h>
35 #include <Library/SmmMemLib.h>
36
37 #include <Guid/SmmVariableCommon.h>
38 #include "Variable.h"
39
//
// State defined elsewhere in the variable driver and consumed here.
//
extern VARIABLE_INFO_ENTRY       *gVariableInfo;   // list walked by SmmVariableGetStatistics()
extern BOOLEAN                   mEndOfDxe;        // set TRUE by SmmEndOfDxeCallback() and the READY_TO_BOOT request
extern VAR_CHECK_REQUEST_SOURCE  mRequestSource;   // toggled around the call in SmmVariableSetVariable()

//
// State owned by this file.
//
EFI_HANDLE  mSmmVariableHandle = NULL;             // handle that receives gSmmVariableWriteGuid
EFI_HANDLE  mVariableHandle    = NULL;             // handle that receives gEfiSmmVariableProtocolGuid via boot services
BOOLEAN     mAtRuntime         = FALSE;            // set TRUE by the EXIT_BOOT_SERVICE request
UINT8       *mVariableBufferPayload = NULL;        // SMM pool buffer that request payloads are copied into
UINTN       mVariableBufferPayloadSize;            // size of mVariableBufferPayload; upper bound for a request payload
48
/**
  SecureBoot hook for SetVariable.

  This implementation is a no-op: it returns without reading either
  argument.

  @param[in] VariableName  Name of the variable (unused here).
  @param[in] VendorGuid    Variable vendor GUID (unused here).

**/
VOID
EFIAPI
SecureBootHook (
  IN CHAR16    *VariableName,
  IN EFI_GUID  *VendorGuid
  )
{
  //
  // Nothing to do in this driver.
  //
}
65
/**
  SetVariable entry published through EFI_SMM_VARIABLE_PROTOCOL.

  The request is forwarded unchanged to VariableServiceSetVariable().
  For the duration of that call the module-global mRequestSource is set to
  VarCheckFromTrusted, and it is set to VarCheckFromUntrusted again before
  returning. Requests that arrive through SmmVariableHandler() do not pass
  through this wrapper; they call VariableServiceSetVariable() directly.

  @param VariableName  Name of the variable to set.
  @param VendorGuid    Variable vendor GUID.
  @param Attributes    Attribute value passed through to the variable service.
  @param DataSize      Size value passed through to the variable service.
  @param Data          Data pointer passed through to the variable service.

  @return EFI_INVALID_PARAMETER  Invalid parameter.
  @return EFI_SUCCESS            Set successfully.
  @return EFI_OUT_OF_RESOURCES   Resource not enough to set variable.
  @return EFI_NOT_FOUND          Not found.
  @return EFI_WRITE_PROTECTED    Variable is read-only.

**/
EFI_STATUS
EFIAPI
SmmVariableSetVariable (
  IN CHAR16    *VariableName,
  IN EFI_GUID  *VendorGuid,
  IN UINT32    Attributes,
  IN UINTN     DataSize,
  IN VOID      *Data
  )
{
  EFI_STATUS  SetStatus;

  //
  // Callers of the SMM protocol are treated as trusted, so the request is
  // marked as such while the variable service processes it.
  //
  mRequestSource = VarCheckFromTrusted;
  SetStatus      = VariableServiceSetVariable (VariableName, VendorGuid, Attributes, DataSize, Data);

  //
  // Always fall back to the untrusted marking, whatever the call returned.
  //
  mRequestSource = VarCheckFromUntrusted;

  return SetStatus;
}
110
//
// EFI_SMM_VARIABLE_PROTOCOL instance installed by VariableServiceInitialize().
// SetVariable goes through the SmmVariableSetVariable() wrapper; the other
// three members point straight at the variable service routines.
//
EFI_SMM_VARIABLE_PROTOCOL  gSmmVariable = {
  VariableServiceGetVariable,
  VariableServiceGetNextVariableName,
  SmmVariableSetVariable,
  VariableServiceQueryVariableInfo
};

//
// EDKII_SMM_VAR_CHECK_PROTOCOL instance installed by VariableServiceInitialize().
//
EDKII_SMM_VAR_CHECK_PROTOCOL  mSmmVarCheck = {
  VarCheckRegisterSetVariableCheckHandler,
  VarCheckVariablePropertySet,
  VarCheckVariablePropertyGet
};
121
/**
  Report whether the driver has been told that boot services have ended.

  The answer is the current value of mAtRuntime, which SmmVariableHandler()
  sets to TRUE when it receives SMM_VARIABLE_FUNCTION_EXIT_BOOT_SERVICE.

  @retval TRUE   The EXIT_BOOT_SERVICE request has been received.
  @retval FALSE  It has not been received yet.
**/
BOOLEAN
AtRuntime (
  VOID
  )
{
  BOOLEAN  RuntimeReached;

  RuntimeReached = mAtRuntime;
  return RuntimeReached;
}
134
/**
  Lock initialization entry point of this SMM driver.

  In this file the function performs no initialization: Lock is not
  dereferenced, Priority is not examined, and the pointer that was passed in
  is handed back unchanged.

  @param Lock      A pointer to the lock data structure.
  @param Priority  EFI TPL associated with the lock (unused here).

  @return The Lock pointer that was passed in.

**/
EFI_LOCK *
InitializeLock (
  IN OUT EFI_LOCK  *Lock,
  IN     EFI_TPL   Priority
  )
{
  //
  // No lock state is set up in this driver; return the caller's pointer.
  //
  return Lock;
}
159
/**
  Lock acquisition entry point of this SMM driver.

  The body is empty in this file: no lock is taken and Lock is not touched.

  @param Lock  A pointer to the lock to acquire (unused here).

**/
VOID
AcquireLockOnlyAtBootTime (
  IN EFI_LOCK  *Lock
  )
{
  //
  // Intentionally empty.
  //
}
179
180
/**
  Lock release entry point of this SMM driver.

  The body is empty in this file: no lock is released and Lock is not touched.

  @param Lock  A pointer to the lock to release (unused here).

**/
VOID
ReleaseLockOnlyAtBootTime (
  IN EFI_LOCK  *Lock
  )
{
  //
  // Intentionally empty.
  //
}
200
/**
  Retrieve the SMM Fault Tolerant Write protocol interface.

  The lookup is done with gSmst->SmmLocateProtocol() and its status is
  returned unchanged.

  @param[out] FtwProtocol  The interface of SMM Ftw protocol

  @retval EFI_SUCCESS            The SMM FTW protocol instance was found and returned in FtwProtocol.
  @retval EFI_NOT_FOUND          The SMM FTW protocol instance was not found.
  @retval EFI_INVALID_PARAMETER  FtwProtocol is NULL.

**/
EFI_STATUS
GetFtwProtocol (
  OUT VOID  **FtwProtocol
  )
{
  //
  // Ask the SMM services table for the SMM FTW protocol instance.
  //
  return gSmst->SmmLocateProtocol (
                  &gEfiSmmFaultTolerantWriteProtocolGuid,
                  NULL,
                  FtwProtocol
                  );
}
228
229
/**
  Retrieve the SMM FVB protocol interface installed on a handle.

  The lookup is done with gSmst->SmmHandleProtocol() and its status is
  returned unchanged.

  @param[in]  FvBlockHandle  The handle of SMM FVB protocol that provides services for
                             reading, writing, and erasing the target block.
  @param[out] FvBlock        The interface of SMM FVB protocol

  @retval EFI_SUCCESS            The interface information for the specified protocol was returned.
  @retval EFI_UNSUPPORTED        The device does not support the SMM FVB protocol.
  @retval EFI_INVALID_PARAMETER  FvBlockHandle is not a valid EFI_HANDLE or FvBlock is NULL.

**/
EFI_STATUS
GetFvbByHandle (
  IN  EFI_HANDLE                          FvBlockHandle,
  OUT EFI_FIRMWARE_VOLUME_BLOCK_PROTOCOL  **FvBlock
  )
{
  EFI_STATUS  LookupStatus;

  //
  // Query the handle for the SMM FVB protocol interface.
  //
  LookupStatus = gSmst->SmmHandleProtocol (
                          FvBlockHandle,
                          &gEfiSmmFirmwareVolumeBlockProtocolGuid,
                          (VOID **) FvBlock
                          );

  return LookupStatus;
}
257
258
/**
  Return the handles that support the SMM FVB protocol in a pool buffer.

  SmmLocateHandle() is called twice: first with a zero-sized buffer to learn
  the required size, then with a buffer of that size obtained from
  AllocatePool(). On success the caller owns *Buffer; on failure *Buffer is
  NULL and *NumberHandles is 0.

  @param[out] NumberHandles  The number of handles returned in Buffer.
  @param[out] Buffer         A pointer to the buffer to return the requested
                             array of handles that support SMM FVB protocol.

  @retval EFI_SUCCESS            The array of handles was returned in Buffer, and the number of
                                 handles in Buffer was returned in NumberHandles.
  @retval EFI_NOT_FOUND          No SMM FVB handle was found.
  @retval EFI_OUT_OF_RESOURCES   There is not enough pool memory to store the matching results.
  @retval EFI_INVALID_PARAMETER  NumberHandles is NULL or Buffer is NULL.

**/
EFI_STATUS
GetFvbCountAndBuffer (
  OUT UINTN       *NumberHandles,
  OUT EFI_HANDLE  **Buffer
  )
{
  EFI_STATUS  LocateStatus;
  UINTN       HandleBytes;

  if ((NumberHandles == NULL) || (Buffer == NULL)) {
    return EFI_INVALID_PARAMETER;
  }

  //
  // Start from a defined "nothing found" state.
  //
  HandleBytes    = 0;
  *NumberHandles = 0;
  *Buffer        = NULL;

  //
  // Size probe: with a zero-length buffer the call reports the bytes needed.
  // EFI_BUFFER_TOO_SMALL is the expected answer; any other error is reported
  // to the caller as "not found".
  //
  LocateStatus = gSmst->SmmLocateHandle (
                          ByProtocol,
                          &gEfiSmmFirmwareVolumeBlockProtocolGuid,
                          NULL,
                          &HandleBytes,
                          *Buffer
                          );
  if (EFI_ERROR (LocateStatus) && (LocateStatus != EFI_BUFFER_TOO_SMALL)) {
    return EFI_NOT_FOUND;
  }

  *Buffer = AllocatePool (HandleBytes);
  if (*Buffer == NULL) {
    return EFI_OUT_OF_RESOURCES;
  }

  //
  // Second pass fills the freshly allocated buffer.
  //
  LocateStatus = gSmst->SmmLocateHandle (
                          ByProtocol,
                          &gEfiSmmFirmwareVolumeBlockProtocolGuid,
                          NULL,
                          &HandleBytes,
                          *Buffer
                          );
  if (EFI_ERROR (LocateStatus)) {
    //
    // Do not hand a half-filled buffer back to the caller.
    //
    FreePool (*Buffer);
    *Buffer        = NULL;
    *NumberHandles = 0;
    return LocateStatus;
  }

  *NumberHandles = HandleBytes / sizeof (EFI_HANDLE);
  return LocateStatus;
}
323
324
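/**
  Get the variable statistics information from the list pointed to by gVariableInfo.

  Caution: This function may be invoked at SMM runtime.
  InfoEntry and InfoSize are external input. SmmVariableHandler() passes an
  InfoEntry that points into the communication buffer, so every read of
  InfoEntry and of the name that follows it must stay inside the *InfoSize
  bytes the caller supplied.

  @param[in, out] InfoEntry  A pointer to the buffer of variable information entry.
                             On input, point to the variable information returned last time. If
                             InfoEntry->VendorGuid is zero, return the first information.
                             On output, point to the next variable information.
  @param[in, out] InfoSize   On input, the size of the variable information buffer.
                             On output, the returned variable information size
                             (0 when the entry after the last one is requested).

  @retval EFI_SUCCESS            The variable information is found and returned successfully.
  @retval EFI_UNSUPPORTED        No variable information exists in variable driver. The
                                 PcdVariableCollectStatistics should be set TRUE to support it.
  @retval EFI_BUFFER_TOO_SMALL   The buffer is too small to hold the next variable information.
  @retval EFI_INVALID_PARAMETER  InfoEntry or InfoSize is NULL.

**/
EFI_STATUS
SmmVariableGetStatistics (
  IN OUT VARIABLE_INFO_ENTRY  *InfoEntry,
  IN OUT UINTN                *InfoSize
  )
{
  VARIABLE_INFO_ENTRY  *VariableInfo;
  UINTN                NameLength;
  UINTN                StatisticsInfoSize;
  UINTN                CallerBufferSize;
  CHAR16               *InfoName;
  EFI_GUID             VendorGuid;

  if ((InfoEntry == NULL) || (InfoSize == NULL)) {
    return EFI_INVALID_PARAMETER;
  }

  VariableInfo = gVariableInfo;
  if (VariableInfo == NULL) {
    return EFI_UNSUPPORTED;
  }

  //
  // Work from one snapshot of the caller's size so that every bound below is
  // derived from the same value.
  //
  CallerBufferSize = *InfoSize;

  //
  // The buffer must be able to hold the first entry. This also guarantees
  // CallerBufferSize >= sizeof (VARIABLE_INFO_ENTRY), which the GUID read and
  // the name comparison below rely on.
  //
  StatisticsInfoSize = sizeof (VARIABLE_INFO_ENTRY) + StrSize (VariableInfo->Name);
  if (CallerBufferSize < StatisticsInfoSize) {
    *InfoSize = StatisticsInfoSize;
    return EFI_BUFFER_TOO_SMALL;
  }

  //
  // The variable name travels directly behind the fixed-size entry.
  //
  InfoName = (CHAR16 *)(InfoEntry + 1);

  //
  // Take a private copy of the GUID so the comparisons below do not depend on
  // the caller-writable buffer.
  //
  CopyGuid (&VendorGuid, &InfoEntry->VendorGuid);

  if (IsZeroGuid (&VendorGuid)) {
    //
    // Return the first variable info
    //
    // NOTE(review): the structure copy carries the entry's Next field (and
    // Name, if it is a pointer member) exactly as the driver stores them.
    // If those are SMRAM addresses they become visible to the non-SMM
    // caller - confirm whether they should be cleared before returning.
    //
    CopyMem (InfoEntry, VariableInfo, sizeof (VARIABLE_INFO_ENTRY));
    CopyMem (InfoName, VariableInfo->Name, StrSize (VariableInfo->Name));
    *InfoSize = StatisticsInfoSize;
    return EFI_SUCCESS;
  }

  //
  // Get the next variable info
  //
  while (VariableInfo != NULL) {
    if (CompareGuid (&VariableInfo->VendorGuid, &VendorGuid)) {
      NameLength = StrSize (VariableInfo->Name);
      //
      // InfoName is external input and may not be Null-terminated inside the
      // buffer, so it is never measured with StrSize(). Instead, compare
      // exactly NameLength bytes (terminator included) and only when that
      // many bytes are available behind the entry. An equal comparison that
      // includes the terminator means both strings are identical.
      //
      if (NameLength <= CallerBufferSize - sizeof (VARIABLE_INFO_ENTRY)) {
        if (CompareMem (VariableInfo->Name, InfoName, NameLength) == 0) {
          //
          // Find the match one
          //
          VariableInfo = VariableInfo->Next;
          break;
        }
      }
    }
    VariableInfo = VariableInfo->Next;
  }

  if (VariableInfo == NULL) {
    //
    // Either the previous entry was the last one or it was not found.
    //
    *InfoSize = 0;
    return EFI_SUCCESS;
  }

  //
  // Output the new variable info
  //
  StatisticsInfoSize = sizeof (VARIABLE_INFO_ENTRY) + StrSize (VariableInfo->Name);
  if (CallerBufferSize < StatisticsInfoSize) {
    *InfoSize = StatisticsInfoSize;
    return EFI_BUFFER_TOO_SMALL;
  }

  CopyMem (InfoEntry, VariableInfo, sizeof (VARIABLE_INFO_ENTRY));
  CopyMem (InfoName, VariableInfo->Name, StrSize (VariableInfo->Name));
  *InfoSize = StatisticsInfoSize;

  return EFI_SUCCESS;
}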
424
425
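/**
  Communication service SMI Handler entry.

  This SMI handler provides services for the variable wrapper driver.

  Caution: This function may receive untrusted input.
  The variable data and the communication buffer are external input, so this
  function does basic validation:
    - the buffer size is read once into a local and every later bound uses
      that local;
    - the payload may not exceed mVariableBufferPayloadSize;
    - the whole buffer must pass SmmIsBufferOutsideSmmValid();
    - GetVariable, GetNextVariableName, SetVariable and
      VarCheckVariablePropertyGet copy the payload into
      mVariableBufferPayload first and validate the copy, so the sizes that
      were checked are the sizes that are used.
  QueryVariableInfo, GetPayloadSize, GetStatistics, LockVariable and
  VarCheckVariablePropertySet work on the communication buffer in place.
  Each sub function VariableServiceGetVariable(), VariableServiceGetNextVariableName(),
  VariableServiceSetVariable(), VariableServiceQueryVariableInfo(), ReclaimForOS(),
  SmmVariableGetStatistics() should also do validation based on its own knowledge.

  The result of the requested operation is reported in the ReturnStatus field
  of the communication header. Requests that are rejected before dispatch, or
  whose payload is too short for the selected function, return without
  writing ReturnStatus.

  @param[in]     DispatchHandle   The unique handle assigned to this handler by SmiHandlerRegister().
  @param[in]     RegisterContext  Points to an optional handler context which was specified when the
                                  handler was registered.
  @param[in, out] CommBuffer      A pointer to a collection of data in memory that will
                                  be conveyed from a non-SMM environment into an SMM environment.
  @param[in, out] CommBufferSize  The size of the CommBuffer. Updated only by the
                                  GetStatistics function.

  @retval EFI_SUCCESS  Always returned by this implementation.
**/
EFI_STATUS
EFIAPI
SmmVariableHandler (
  IN     EFI_HANDLE  DispatchHandle,
  IN     CONST VOID  *RegisterContext,
  IN OUT VOID        *CommBuffer,
  IN OUT UINTN       *CommBufferSize
  )
{
  EFI_STATUS                                            Status;
  SMM_VARIABLE_COMMUNICATE_HEADER                       *SmmVariableFunctionHeader;
  SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE              *SmmVariableHeader;
  SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME       *GetNextVariableName;
  SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO          *QueryVariableInfo;
  SMM_VARIABLE_COMMUNICATE_GET_PAYLOAD_SIZE             *GetPayloadSize;
  VARIABLE_INFO_ENTRY                                   *VariableInfo;
  SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE                *VariableToLock;
  SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY  *CommVariableProperty;
  UINTN                                                 InfoSize;
  UINTN                                                 NameBufferSize;
  UINTN                                                 CommBufferPayloadSize;
  UINTN                                                 TempCommBufferSize;

  //
  // If input is invalid, stop processing this SMI
  //
  if (CommBuffer == NULL || CommBufferSize == NULL) {
    return EFI_SUCCESS;
  }

  //
  // Read the size once; all bounds below are derived from this local copy.
  //
  TempCommBufferSize = *CommBufferSize;

  if (TempCommBufferSize < SMM_VARIABLE_COMMUNICATE_HEADER_SIZE) {
    DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer size invalid!\n"));
    return EFI_SUCCESS;
  }

  //
  // The payload is later copied into mVariableBufferPayload, so it must fit.
  //
  CommBufferPayloadSize = TempCommBufferSize - SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;
  if (CommBufferPayloadSize > mVariableBufferPayloadSize) {
    DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer payload size invalid!\n"));
    return EFI_SUCCESS;
  }

  //
  // Reject a buffer that overlaps SMRAM or wraps the address space before
  // anything in it is read or written.
  //
  if (!SmmIsBufferOutsideSmmValid ((UINTN)CommBuffer, TempCommBufferSize)) {
    DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer in SMRAM or overflow!\n"));
    return EFI_SUCCESS;
  }

  SmmVariableFunctionHeader = (SMM_VARIABLE_COMMUNICATE_HEADER *)CommBuffer;
  switch (SmmVariableFunctionHeader->Function) {
    case SMM_VARIABLE_FUNCTION_GET_VARIABLE:
      if (CommBufferPayloadSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) {
        DEBUG ((EFI_D_ERROR, "GetVariable: SMM communication buffer size invalid!\n"));
        return EFI_SUCCESS;
      }
      //
      // Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.
      // All field checks below are made on this copy.
      //
      CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize);
      SmmVariableHeader = (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *) mVariableBufferPayload;
      if (((UINTN)(~0) - SmmVariableHeader->DataSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) ||
          ((UINTN)(~0) - SmmVariableHeader->NameSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + SmmVariableHeader->DataSize)) {
        //
        // Prevent InfoSize overflow happen
        //
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }
      InfoSize = OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)
                 + SmmVariableHeader->DataSize + SmmVariableHeader->NameSize;

      //
      // SMRAM range check already covered before
      //
      if (InfoSize > CommBufferPayloadSize) {
        DEBUG ((EFI_D_ERROR, "GetVariable: Data size exceed communication buffer size limit!\n"));
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }

      if (SmmVariableHeader->NameSize < sizeof (CHAR16) || SmmVariableHeader->Name[SmmVariableHeader->NameSize/sizeof (CHAR16) - 1] != L'\0') {
        //
        // Make sure VariableName is A Null-terminated string.
        //
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }

      Status = VariableServiceGetVariable (
                 SmmVariableHeader->Name,
                 &SmmVariableHeader->Guid,
                 &SmmVariableHeader->Attributes,
                 &SmmVariableHeader->DataSize,
                 (UINT8 *)SmmVariableHeader->Name + SmmVariableHeader->NameSize
                 );
      //
      // Hand the (possibly updated) payload back to the caller.
      //
      CopyMem (SmmVariableFunctionHeader->Data, mVariableBufferPayload, CommBufferPayloadSize);
      break;

    case SMM_VARIABLE_FUNCTION_GET_NEXT_VARIABLE_NAME:
      if (CommBufferPayloadSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name)) {
        DEBUG ((EFI_D_ERROR, "GetNextVariableName: SMM communication buffer size invalid!\n"));
        return EFI_SUCCESS;
      }
      //
      // Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.
      // All field checks below are made on this copy.
      //
      CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize);
      GetNextVariableName = (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *) mVariableBufferPayload;
      if ((UINTN)(~0) - GetNextVariableName->NameSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name)) {
        //
        // Prevent InfoSize overflow happen
        //
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }
      InfoSize = OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name) + GetNextVariableName->NameSize;

      //
      // SMRAM range check already covered before
      //
      if (InfoSize > CommBufferPayloadSize) {
        DEBUG ((EFI_D_ERROR, "GetNextVariableName: Data size exceed communication buffer size limit!\n"));
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }

      //
      // The termination check uses the space available behind the header in
      // the payload, not the NameSize field.
      //
      NameBufferSize = CommBufferPayloadSize - OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name);
      if (NameBufferSize < sizeof (CHAR16) || GetNextVariableName->Name[NameBufferSize/sizeof (CHAR16) - 1] != L'\0') {
        //
        // Make sure input VariableName is A Null-terminated string.
        //
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }

      Status = VariableServiceGetNextVariableName (
                 &GetNextVariableName->NameSize,
                 GetNextVariableName->Name,
                 &GetNextVariableName->Guid
                 );
      //
      // Hand the (possibly updated) payload back to the caller.
      //
      CopyMem (SmmVariableFunctionHeader->Data, mVariableBufferPayload, CommBufferPayloadSize);
      break;

    case SMM_VARIABLE_FUNCTION_SET_VARIABLE:
      if (CommBufferPayloadSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) {
        DEBUG ((EFI_D_ERROR, "SetVariable: SMM communication buffer size invalid!\n"));
        return EFI_SUCCESS;
      }
      //
      // Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.
      // All field checks below are made on this copy.
      //
      CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize);
      SmmVariableHeader = (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *) mVariableBufferPayload;
      if (((UINTN)(~0) - SmmVariableHeader->DataSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) ||
          ((UINTN)(~0) - SmmVariableHeader->NameSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + SmmVariableHeader->DataSize)) {
        //
        // Prevent InfoSize overflow happen
        //
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }
      InfoSize = OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)
                 + SmmVariableHeader->DataSize + SmmVariableHeader->NameSize;

      //
      // SMRAM range check already covered before
      // Data buffer should not contain SMM range
      //
      if (InfoSize > CommBufferPayloadSize) {
        DEBUG ((EFI_D_ERROR, "SetVariable: Data size exceed communication buffer size limit!\n"));
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }

      if (SmmVariableHeader->NameSize < sizeof (CHAR16) || SmmVariableHeader->Name[SmmVariableHeader->NameSize/sizeof (CHAR16) - 1] != L'\0') {
        //
        // Make sure VariableName is A Null-terminated string.
        //
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }

      //
      // Called directly, not through SmmVariableSetVariable(), so
      // mRequestSource is not switched to the trusted marking here.
      //
      Status = VariableServiceSetVariable (
                 SmmVariableHeader->Name,
                 &SmmVariableHeader->Guid,
                 SmmVariableHeader->Attributes,
                 SmmVariableHeader->DataSize,
                 (UINT8 *)SmmVariableHeader->Name + SmmVariableHeader->NameSize
                 );
      break;

    case SMM_VARIABLE_FUNCTION_QUERY_VARIABLE_INFO:
      if (CommBufferPayloadSize < sizeof (SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO)) {
        DEBUG ((EFI_D_ERROR, "QueryVariableInfo: SMM communication buffer size invalid!\n"));
        return EFI_SUCCESS;
      }
      //
      // Fixed-size request; processed in place in the communication buffer.
      //
      QueryVariableInfo = (SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO *) SmmVariableFunctionHeader->Data;

      Status = VariableServiceQueryVariableInfo (
                 QueryVariableInfo->Attributes,
                 &QueryVariableInfo->MaximumVariableStorageSize,
                 &QueryVariableInfo->RemainingVariableStorageSize,
                 &QueryVariableInfo->MaximumVariableSize
                 );
      break;

    case SMM_VARIABLE_FUNCTION_GET_PAYLOAD_SIZE:
      if (CommBufferPayloadSize < sizeof (SMM_VARIABLE_COMMUNICATE_GET_PAYLOAD_SIZE)) {
        DEBUG ((EFI_D_ERROR, "GetPayloadSize: SMM communication buffer size invalid!\n"));
        return EFI_SUCCESS;
      }
      GetPayloadSize = (SMM_VARIABLE_COMMUNICATE_GET_PAYLOAD_SIZE *) SmmVariableFunctionHeader->Data;
      GetPayloadSize->VariablePayloadSize = mVariableBufferPayloadSize;
      Status = EFI_SUCCESS;
      break;

    case SMM_VARIABLE_FUNCTION_READY_TO_BOOT:
      if (AtRuntime()) {
        Status = EFI_UNSUPPORTED;
        break;
      }
      //
      // If the End-Of-DXE notification has not been seen yet, perform the
      // same one-time work that SmmEndOfDxeCallback() does.
      //
      if (!mEndOfDxe) {
        mEndOfDxe = TRUE;
        VarCheckLibInitializeAtEndOfDxe (NULL);
        //
        // The initialization for variable quota.
        //
        InitializeVariableQuota ();
      }
      ReclaimForOS ();
      Status = EFI_SUCCESS;
      break;

    case SMM_VARIABLE_FUNCTION_EXIT_BOOT_SERVICE:
      mAtRuntime = TRUE;
      Status = EFI_SUCCESS;
      break;

    case SMM_VARIABLE_FUNCTION_GET_STATISTICS:
      VariableInfo = (VARIABLE_INFO_ENTRY *) SmmVariableFunctionHeader->Data;
      InfoSize = TempCommBufferSize - SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;

      //
      // Do not need to check SmmVariableFunctionHeader->Data in SMRAM here.
      // It is covered by previous CommBuffer check
      //

      //
      // Do not need to check CommBufferSize buffer as it should point to SMRAM
      // that was used by SMM core to cache CommSize from SmmCommunication protocol.
      //

      //
      // VariableInfo points into the communication buffer, so
      // SmmVariableGetStatistics() has to bound every access by InfoSize.
      //
      Status = SmmVariableGetStatistics (VariableInfo, &InfoSize);
      *CommBufferSize = InfoSize + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;
      break;

    case SMM_VARIABLE_FUNCTION_LOCK_VARIABLE:
      if (mEndOfDxe) {
        Status = EFI_ACCESS_DENIED;
      } else {
        //
        // Guid and Name are read from the communication buffer in place, so
        // the payload must reach at least the first CHAR16 of Name; otherwise
        // the reads would leave the range validated above.
        //
        if (CommBufferPayloadSize < OFFSET_OF (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE, Name) + sizeof (CHAR16)) {
          DEBUG ((EFI_D_ERROR, "LockVariable: SMM communication buffer size invalid!\n"));
          return EFI_SUCCESS;
        }
        //
        // NOTE(review): unlike the name-carrying functions above, this path
        // neither copies the payload into mVariableBufferPayload nor checks
        // that Name is Null-terminated inside the payload. It is reachable
        // only while mEndOfDxe is FALSE - confirm that callers in that phase
        // are meant to be trusted.
        //
        VariableToLock = (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE *) SmmVariableFunctionHeader->Data;
        Status = VariableLockRequestToLock (
                   NULL,
                   VariableToLock->Name,
                   &VariableToLock->Guid
                   );
      }
      break;

    case SMM_VARIABLE_FUNCTION_VAR_CHECK_VARIABLE_PROPERTY_SET:
      if (mEndOfDxe) {
        Status = EFI_ACCESS_DENIED;
      } else {
        //
        // The header fields and Name are read from the communication buffer
        // in place, so the payload must reach at least the first CHAR16 of
        // Name; otherwise the reads would leave the range validated above.
        //
        if (CommBufferPayloadSize < OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name) + sizeof (CHAR16)) {
          DEBUG ((EFI_D_ERROR, "VarCheckVariablePropertySet: SMM communication buffer size invalid!\n"));
          return EFI_SUCCESS;
        }
        //
        // NOTE(review): no copy into mVariableBufferPayload and no
        // Null-termination check on Name here, in contrast to the
        // PROPERTY_GET case below. Reachable only while mEndOfDxe is FALSE -
        // confirm that callers in that phase are meant to be trusted.
        //
        CommVariableProperty = (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY *) SmmVariableFunctionHeader->Data;
        Status = VarCheckVariablePropertySet (
                   CommVariableProperty->Name,
                   &CommVariableProperty->Guid,
                   &CommVariableProperty->VariableProperty
                   );
      }
      break;

    case SMM_VARIABLE_FUNCTION_VAR_CHECK_VARIABLE_PROPERTY_GET:
      if (CommBufferPayloadSize < OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name)) {
        DEBUG ((EFI_D_ERROR, "VarCheckVariablePropertyGet: SMM communication buffer size invalid!\n"));
        return EFI_SUCCESS;
      }
      //
      // Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.
      // All field checks below are made on this copy.
      //
      CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize);
      CommVariableProperty = (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY *) mVariableBufferPayload;
      if ((UINTN) (~0) - CommVariableProperty->NameSize < OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name)) {
        //
        // Prevent InfoSize overflow happen
        //
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }
      InfoSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name) + CommVariableProperty->NameSize;

      //
      // SMRAM range check already covered before
      //
      if (InfoSize > CommBufferPayloadSize) {
        DEBUG ((EFI_D_ERROR, "VarCheckVariablePropertyGet: Data size exceed communication buffer size limit!\n"));
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }

      if (CommVariableProperty->NameSize < sizeof (CHAR16) || CommVariableProperty->Name[CommVariableProperty->NameSize/sizeof (CHAR16) - 1] != L'\0') {
        //
        // Make sure VariableName is A Null-terminated string.
        //
        Status = EFI_ACCESS_DENIED;
        goto EXIT;
      }

      Status = VarCheckVariablePropertyGet (
                 CommVariableProperty->Name,
                 &CommVariableProperty->Guid,
                 &CommVariableProperty->VariableProperty
                 );
      //
      // Hand the (possibly updated) payload back to the caller.
      //
      CopyMem (SmmVariableFunctionHeader->Data, mVariableBufferPayload, CommBufferPayloadSize);
      break;

    default:
      Status = EFI_UNSUPPORTED;
  }

EXIT:

  //
  // The operation result travels back in the communication header; the SMI
  // itself is always reported as handled.
  //
  SmmVariableFunctionHeader->ReturnStatus = Status;

  return EFI_SUCCESS;
}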
785
/**
  SMM END_OF_DXE protocol notification event handler.

  Sets mEndOfDxe, which SmmVariableHandler() consults before accepting the
  LockVariable and VarCheckVariablePropertySet requests, then runs the
  End-Of-DXE initialization of the variable check library and of the variable
  quota. ReclaimForOS() is called only when
  PcdReclaimVariableSpaceAtEndOfDxe is TRUE.

  @param Protocol   Points to the protocol's unique identifier
  @param Interface  Points to the interface instance
  @param Handle     The handle on which the interface was installed

  @retval EFI_SUCCESS  SmmEndOfDxeCallback runs successfully

**/
EFI_STATUS
EFIAPI
SmmEndOfDxeCallback (
  IN CONST EFI_GUID  *Protocol,
  IN VOID            *Interface,
  IN EFI_HANDLE      Handle
  )
{
  DEBUG ((EFI_D_INFO, "[Variable]SMM_END_OF_DXE is signaled\n"));

  //
  // From here on the pre-End-Of-DXE requests are refused by the SMI handler.
  //
  mEndOfDxe = TRUE;
  VarCheckLibInitializeAtEndOfDxe (NULL);

  //
  // The initialization for variable quota.
  //
  InitializeVariableQuota ();

  //
  // Reclaim is optional at this point and controlled by a PCD.
  //
  if (!PcdGetBool (PcdReclaimVariableSpaceAtEndOfDxe)) {
    return EFI_SUCCESS;
  }

  ReclaimForOS ();
  return EFI_SUCCESS;
}
817
/**
  SMM Fault Tolerant Write protocol notification event handler.

  Non-volatile variable writes may need the FTW protocol for reclaim.
  Once both the SMM FTW protocol and the FVB protocol covering the variable
  store are available, this handler records the FVB instance, initializes the
  variable write service and installs gSmmVariableWriteGuid to tell the
  variable wrapper driver that writes are ready. It returns immediately when
  an FVB instance has already been recorded. None of the three parameters is
  used; VariableServiceInitialize() also calls this function directly with
  NULL arguments.

  @param Protocol   Points to the protocol's unique identifier
  @param Interface  Points to the interface instance
  @param Handle     The handle on which the interface was installed

  @retval EFI_SUCCESS    SmmEventCallback runs successfully
  @retval EFI_NOT_FOUND  The Fvb protocol for variable is not found.
  @retval other          Status returned by GetFtwProtocol() when the SMM FTW
                         protocol cannot be located.

**/
EFI_STATUS
EFIAPI
SmmFtwNotificationEvent (
  IN CONST EFI_GUID  *Protocol,
  IN VOID            *Interface,
  IN EFI_HANDLE      Handle
  )
{
  EFI_STATUS                              Status;
  EFI_SMM_FIRMWARE_VOLUME_BLOCK_PROTOCOL  *VariableFvb;
  EFI_SMM_FAULT_TOLERANT_WRITE_PROTOCOL   *Ftw;
  EFI_PHYSICAL_ADDRESS                    VariableStoreBase;
  UINTN                                   MaxFtwBlockSize;

  //
  // Already set up by an earlier invocation.
  //
  if (mVariableModuleGlobal->FvbInstance != NULL) {
    return EFI_SUCCESS;
  }

  //
  // Ensure SMM FTW protocol is installed.
  //
  Status = GetFtwProtocol ((VOID **)&Ftw);
  if (EFI_ERROR (Status)) {
    return Status;
  }

  //
  // Sanity check only: the variable store is expected to fit in one FTW block.
  // A failure to query the block size is not treated as an error.
  //
  Status = Ftw->GetMaxBlockSize (Ftw, &MaxFtwBlockSize);
  if (!EFI_ERROR (Status)) {
    ASSERT (PcdGet32 (PcdFlashNvStorageVariableSize) <= MaxFtwBlockSize);
  }

  //
  // Find the proper FVB protocol for variable.
  // The 64-bit base PCD is used when it is non-zero, else the 32-bit one.
  //
  VariableStoreBase = (EFI_PHYSICAL_ADDRESS) PcdGet64 (PcdFlashNvStorageVariableBase64);
  if (VariableStoreBase == 0) {
    VariableStoreBase = (EFI_PHYSICAL_ADDRESS) PcdGet32 (PcdFlashNvStorageVariableBase);
  }

  Status = GetFvbInfoByAddress (VariableStoreBase, NULL, &VariableFvb);
  if (EFI_ERROR (Status)) {
    return EFI_NOT_FOUND;
  }

  mVariableModuleGlobal->FvbInstance = VariableFvb;

  //
  // A failure here is logged but does not stop the notification below.
  //
  Status = VariableWriteServiceInitialize ();
  if (EFI_ERROR (Status)) {
    DEBUG ((DEBUG_ERROR, "Variable write service initialization failed. Status = %r\n", Status));
  }

  //
  // Notify the variable wrapper driver the variable write service is ready
  //
  Status = gBS->InstallProtocolInterface (
                  &mSmmVariableHandle,
                  &gSmmVariableWriteGuid,
                  EFI_NATIVE_INTERFACE,
                  NULL
                  );
  ASSERT_EFI_ERROR (Status);

  return EFI_SUCCESS;
}
895
896
/**
  Variable Driver main entry point.

  In order, the function:
    - runs VariableCommonInitialize();
    - installs EFI_SMM_VARIABLE_PROTOCOL and EDKII_SMM_VAR_CHECK_PROTOCOL on a
      new SMM handle;
    - sizes and allocates mVariableBufferPayload, the buffer that
      SmmVariableHandler() copies request payloads into;
    - registers SmmVariableHandler() as the SMI handler for
      gEfiSmmVariableProtocolGuid;
    - installs gEfiSmmVariableProtocolGuid through boot services to tell the
      variable wrapper driver that the service is ready;
    - registers notifications for the SMM End-Of-DXE and SMM FTW protocols,
      then calls SmmFtwNotificationEvent() once directly.

  NOTE(review): every step is checked with ASSERT_EFI_ERROR only. If asserts
  are compiled out, a failed SmmAllocatePool() would leave
  mVariableBufferPayload NULL while the SMI handler is still registered -
  confirm how the platform handles that case.

  @param[in] ImageHandle  The firmware allocated handle for the EFI image.
  @param[in] SystemTable  A pointer to the EFI System Table.

  @retval EFI_SUCCESS  Variable service successfully initialized.

**/
EFI_STATUS
EFIAPI
VariableServiceInitialize (
  IN EFI_HANDLE        ImageHandle,
  IN EFI_SYSTEM_TABLE  *SystemTable
  )
{
  EFI_STATUS  Status;
  EFI_HANDLE  SmmHandle;
  VOID        *FtwNotifyRegistration;
  VOID        *EndOfDxeNotifyRegistration;

  //
  // Variable initialize.
  //
  Status = VariableCommonInitialize ();
  ASSERT_EFI_ERROR (Status);

  //
  // Install the Smm Variable Protocol on a new handle, then add the
  // variable check protocol to the same handle.
  //
  SmmHandle = NULL;
  Status    = gSmst->SmmInstallProtocolInterface (
                       &SmmHandle,
                       &gEfiSmmVariableProtocolGuid,
                       EFI_NATIVE_INTERFACE,
                       &gSmmVariable
                       );
  ASSERT_EFI_ERROR (Status);

  Status = gSmst->SmmInstallProtocolInterface (
                    &SmmHandle,
                    &gEdkiiSmmVarCheckProtocolGuid,
                    EFI_NATIVE_INTERFACE,
                    &mSmmVarCheck
                    );
  ASSERT_EFI_ERROR (Status);

  //
  // Payload buffer size: the maximum non-volatile variable size, plus the
  // VAR_CHECK property header up to Name, minus the variable header size.
  // SmmVariableHandler() rejects any request whose payload is larger.
  //
  mVariableBufferPayloadSize = GetNonVolatileMaxVariableSize () +
                               OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name) - GetVariableHeaderSize ();

  Status = gSmst->SmmAllocatePool (
                    EfiRuntimeServicesData,
                    mVariableBufferPayloadSize,
                    (VOID **)&mVariableBufferPayload
                    );
  ASSERT_EFI_ERROR (Status);

  //
  // Register SMM variable SMI handler
  //
  SmmHandle = NULL;
  Status    = gSmst->SmiHandlerRegister (SmmVariableHandler, &gEfiSmmVariableProtocolGuid, &SmmHandle);
  ASSERT_EFI_ERROR (Status);

  //
  // Notify the variable wrapper driver the variable service is ready
  //
  Status = SystemTable->BootServices->InstallProtocolInterface (
                                        &mVariableHandle,
                                        &gEfiSmmVariableProtocolGuid,
                                        EFI_NATIVE_INTERFACE,
                                        &gSmmVariable
                                        );
  ASSERT_EFI_ERROR (Status);

  //
  // Register EFI_SMM_END_OF_DXE_PROTOCOL_GUID notify function.
  //
  Status = gSmst->SmmRegisterProtocolNotify (
                    &gEfiSmmEndOfDxeProtocolGuid,
                    SmmEndOfDxeCallback,
                    &EndOfDxeNotifyRegistration
                    );
  ASSERT_EFI_ERROR (Status);

  //
  // Register FtwNotificationEvent () notify function.
  //
  Status = gSmst->SmmRegisterProtocolNotify (
                    &gEfiSmmFaultTolerantWriteProtocolGuid,
                    SmmFtwNotificationEvent,
                    &FtwNotifyRegistration
                    );
  ASSERT_EFI_ERROR (Status);

  //
  // Run the FTW handler once now; its parameters are unused, and its result
  // is not checked here.
  //
  SmmFtwNotificationEvent (NULL, NULL, NULL);

  return EFI_SUCCESS;
}
999
1000