]> git.proxmox.com Git - mirror_edk2.git/blob - SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.c
projects / mirror_edk2.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
SecurityPkg: Cleanup gEfiSmmAccess2ProtocolGuid reference.
[mirror_edk2.git] / SecurityPkg / VariableAuthenticated / RuntimeDxe / VariableSmm.c
1 /** @file
2 The sample implementation for SMM variable protocol. And this driver
3 implements an SMI handler to communicate with the DXE runtime driver
4 to provide variable services.
5
6 Caution: This module requires additional review when modified.
7 This driver will have external input - variable data and communicate buffer in SMM mode.
8 This external input must be validated carefully to avoid security issue like
9 buffer overflow, integer overflow.
10
11 SmmVariableHandler() will receive untrusted input and do basic validation.
12
13 Each sub function VariableServiceGetVariable(), VariableServiceGetNextVariableName(),
14 VariableServiceSetVariable(), VariableServiceQueryVariableInfo(), ReclaimForOS(),
15 SmmVariableGetStatistics() should also do validation based on its own knowledge.
16
17 Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.<BR>
18 This program and the accompanying materials
19 are licensed and made available under the terms and conditions of the BSD License
20 which accompanies this distribution. The full text of the license may be found at
21 http://opensource.org/licenses/bsd-license.php
22
23 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
24 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
25
26 **/
27
28 #include <Protocol/SmmVariable.h>
29 #include <Protocol/SmmFirmwareVolumeBlock.h>
30 #include <Protocol/SmmFaultTolerantWrite.h>
31 #include <Protocol/SmmEndOfDxe.h>
32 #include <Protocol/SmmVarCheck.h>
33
34 #include <Library/SmmServicesTableLib.h>
35 #include <Library/SmmMemLib.h>
36
37 #include <Guid/AuthenticatedVariableFormat.h>
38 #include <Guid/SmmVariableCommon.h>
39 #include "Variable.h"
40
41 extern VARIABLE_INFO_ENTRY *gVariableInfo;
42 EFI_HANDLE mSmmVariableHandle = NULL;
43 EFI_HANDLE mVariableHandle = NULL;
44 BOOLEAN mAtRuntime = FALSE;
45 EFI_GUID mZeroGuid = {0, 0, 0, {0, 0, 0, 0, 0, 0, 0, 0}};
46 UINT8 *mVariableBufferPayload = NULL;
47 UINTN mVariableBufferPayloadSize;
48 extern BOOLEAN mEndOfDxe;
49 extern BOOLEAN mEnableLocking;
50
51 /**
52 SecureBoot Hook for SetVariable.
53
54 @param[in] VariableName Name of Variable to be found.
55 @param[in] VendorGuid Variable vendor GUID.
56
57 **/
58 VOID
59 EFIAPI
60 SecureBootHook (
61 IN CHAR16 *VariableName,
62 IN EFI_GUID *VendorGuid
63 )
64 {
65 return ;
66 }
67
68 /**
69
70 This code sets variable in storage blocks (Volatile or Non-Volatile).
71
72 @param VariableName Name of Variable to be found.
73 @param VendorGuid Variable vendor GUID.
74 @param Attributes Attribute value of the variable found
75 @param DataSize Size of Data found. If size is less than the
76 data, this value contains the required size.
77 @param Data Data pointer.
78
79 @return EFI_INVALID_PARAMETER Invalid parameter.
80 @return EFI_SUCCESS Set successfully.
81 @return EFI_OUT_OF_RESOURCES Resource not enough to set variable.
82 @return EFI_NOT_FOUND Not found.
83 @return EFI_WRITE_PROTECTED Variable is read-only.
84
85 **/
86 EFI_STATUS
87 EFIAPI
88 SmmVariableSetVariable (
89 IN CHAR16 *VariableName,
90 IN EFI_GUID *VendorGuid,
91 IN UINT32 Attributes,
92 IN UINTN DataSize,
93 IN VOID *Data
94 )
95 {
96 EFI_STATUS Status;
97
98 //
99 // Disable write protection when the calling SetVariable() through EFI_SMM_VARIABLE_PROTOCOL.
100 //
101 mEnableLocking = FALSE;
102 Status = VariableServiceSetVariable (
103 VariableName,
104 VendorGuid,
105 Attributes,
106 DataSize,
107 Data
108 );
109 mEnableLocking = TRUE;
110 return Status;
111 }
112
113 EFI_SMM_VARIABLE_PROTOCOL gSmmVariable = {
114 VariableServiceGetVariable,
115 VariableServiceGetNextVariableName,
116 SmmVariableSetVariable,
117 VariableServiceQueryVariableInfo
118 };
119
120 EDKII_SMM_VAR_CHECK_PROTOCOL mSmmVarCheck = { VarCheckRegisterSetVariableCheckHandler,
121 VarCheckVariablePropertySet,
122 VarCheckVariablePropertyGet };
123
124 /**
125 Return TRUE if ExitBootServices () has been called.
126
127 @retval TRUE If ExitBootServices () has been called.
128 **/
129 BOOLEAN
130 AtRuntime (
131 VOID
132 )
133 {
134 return mAtRuntime;
135 }
136
137 /**
138 Initializes a basic mutual exclusion lock.
139
140 This function initializes a basic mutual exclusion lock to the released state
141 and returns the lock. Each lock provides mutual exclusion access at its task
142 priority level. Since there is no preemption or multiprocessor support in EFI,
143 acquiring the lock only consists of raising to the locks TPL.
144 If Lock is NULL, then ASSERT().
145 If Priority is not a valid TPL value, then ASSERT().
146
147 @param Lock A pointer to the lock data structure to initialize.
148 @param Priority EFI TPL is associated with the lock.
149
150 @return The lock.
151
152 **/
153 EFI_LOCK *
154 InitializeLock (
155 IN OUT EFI_LOCK *Lock,
156 IN EFI_TPL Priority
157 )
158 {
159 return Lock;
160 }
161
162 /**
163 Acquires lock only at boot time. Simply returns at runtime.
164
165 This is a temperary function that will be removed when
166 EfiAcquireLock() in UefiLib can handle the call in UEFI
167 Runtimer driver in RT phase.
168 It calls EfiAcquireLock() at boot time, and simply returns
169 at runtime.
170
171 @param Lock A pointer to the lock to acquire.
172
173 **/
174 VOID
175 AcquireLockOnlyAtBootTime (
176 IN EFI_LOCK *Lock
177 )
178 {
179
180 }
181
182
183 /**
184 Releases lock only at boot time. Simply returns at runtime.
185
186 This is a temperary function which will be removed when
187 EfiReleaseLock() in UefiLib can handle the call in UEFI
188 Runtimer driver in RT phase.
189 It calls EfiReleaseLock() at boot time and simply returns
190 at runtime.
191
192 @param Lock A pointer to the lock to release.
193
194 **/
195 VOID
196 ReleaseLockOnlyAtBootTime (
197 IN EFI_LOCK *Lock
198 )
199 {
200
201 }
202
203 /**
204 Retrive the SMM Fault Tolerent Write protocol interface.
205
206 @param[out] FtwProtocol The interface of SMM Ftw protocol
207
208 @retval EFI_SUCCESS The SMM FTW protocol instance was found and returned in FtwProtocol.
209 @retval EFI_NOT_FOUND The SMM FTW protocol instance was not found.
210 @retval EFI_INVALID_PARAMETER SarProtocol is NULL.
211
212 **/
213 EFI_STATUS
214 GetFtwProtocol (
215 OUT VOID **FtwProtocol
216 )
217 {
218 EFI_STATUS Status;
219
220 //
221 // Locate Smm Fault Tolerent Write protocol
222 //
223 Status = gSmst->SmmLocateProtocol (
224 &gEfiSmmFaultTolerantWriteProtocolGuid,
225 NULL,
226 FtwProtocol
227 );
228 return Status;
229 }
230
231
232 /**
233 Retrive the SMM FVB protocol interface by HANDLE.
234
235 @param[in] FvBlockHandle The handle of SMM FVB protocol that provides services for
236 reading, writing, and erasing the target block.
237 @param[out] FvBlock The interface of SMM FVB protocol
238
239 @retval EFI_SUCCESS The interface information for the specified protocol was returned.
240 @retval EFI_UNSUPPORTED The device does not support the SMM FVB protocol.
241 @retval EFI_INVALID_PARAMETER FvBlockHandle is not a valid EFI_HANDLE or FvBlock is NULL.
242
243 **/
244 EFI_STATUS
245 GetFvbByHandle (
246 IN EFI_HANDLE FvBlockHandle,
247 OUT EFI_FIRMWARE_VOLUME_BLOCK_PROTOCOL **FvBlock
248 )
249 {
250 //
251 // To get the SMM FVB protocol interface on the handle
252 //
253 return gSmst->SmmHandleProtocol (
254 FvBlockHandle,
255 &gEfiSmmFirmwareVolumeBlockProtocolGuid,
256 (VOID **) FvBlock
257 );
258 }
259
260
261 /**
262 Function returns an array of handles that support the SMM FVB protocol
263 in a buffer allocated from pool.
264
265 @param[out] NumberHandles The number of handles returned in Buffer.
266 @param[out] Buffer A pointer to the buffer to return the requested
267 array of handles that support SMM FVB protocol.
268
269 @retval EFI_SUCCESS The array of handles was returned in Buffer, and the number of
270 handles in Buffer was returned in NumberHandles.
271 @retval EFI_NOT_FOUND No SMM FVB handle was found.
272 @retval EFI_OUT_OF_RESOURCES There is not enough pool memory to store the matching results.
273 @retval EFI_INVALID_PARAMETER NumberHandles is NULL or Buffer is NULL.
274
275 **/
276 EFI_STATUS
277 GetFvbCountAndBuffer (
278 OUT UINTN *NumberHandles,
279 OUT EFI_HANDLE **Buffer
280 )
281 {
282 EFI_STATUS Status;
283 UINTN BufferSize;
284
285 if ((NumberHandles == NULL) || (Buffer == NULL)) {
286 return EFI_INVALID_PARAMETER;
287 }
288
289 BufferSize = 0;
290 *NumberHandles = 0;
291 *Buffer = NULL;
292 Status = gSmst->SmmLocateHandle (
293 ByProtocol,
294 &gEfiSmmFirmwareVolumeBlockProtocolGuid,
295 NULL,
296 &BufferSize,
297 *Buffer
298 );
299 if (EFI_ERROR(Status) && Status != EFI_BUFFER_TOO_SMALL) {
300 return EFI_NOT_FOUND;
301 }
302
303 *Buffer = AllocatePool (BufferSize);
304 if (*Buffer == NULL) {
305 return EFI_OUT_OF_RESOURCES;
306 }
307
308 Status = gSmst->SmmLocateHandle (
309 ByProtocol,
310 &gEfiSmmFirmwareVolumeBlockProtocolGuid,
311 NULL,
312 &BufferSize,
313 *Buffer
314 );
315
316 *NumberHandles = BufferSize / sizeof(EFI_HANDLE);
317 if (EFI_ERROR(Status)) {
318 *NumberHandles = 0;
319 FreePool (*Buffer);
320 *Buffer = NULL;
321 }
322
323 return Status;
324 }
325
326
327 /**
328 Get the variable statistics information from the information buffer pointed by gVariableInfo.
329
330 Caution: This function may be invoked at SMM runtime.
331 InfoEntry and InfoSize are external input. Care must be taken to make sure not security issue at runtime.
332
333 @param[in, out] InfoEntry A pointer to the buffer of variable information entry.
334 On input, point to the variable information returned last time. if
335 InfoEntry->VendorGuid is zero, return the first information.
336 On output, point to the next variable information.
337 @param[in, out] InfoSize On input, the size of the variable information buffer.
338 On output, the returned variable information size.
339
340 @retval EFI_SUCCESS The variable information is found and returned successfully.
341 @retval EFI_UNSUPPORTED No variable inoformation exists in variable driver. The
342 PcdVariableCollectStatistics should be set TRUE to support it.
343 @retval EFI_BUFFER_TOO_SMALL The buffer is too small to hold the next variable information.
344 @retval EFI_INVALID_PARAMETER Input parameter is invalid.
345
346 **/
347 EFI_STATUS
348 SmmVariableGetStatistics (
349 IN OUT VARIABLE_INFO_ENTRY *InfoEntry,
350 IN OUT UINTN *InfoSize
351 )
352 {
353 VARIABLE_INFO_ENTRY *VariableInfo;
354 UINTN NameLength;
355 UINTN StatisticsInfoSize;
356 CHAR16 *InfoName;
357 EFI_GUID VendorGuid;
358
359 if (InfoEntry == NULL) {
360 return EFI_INVALID_PARAMETER;
361 }
362
363 VariableInfo = gVariableInfo;
364 if (VariableInfo == NULL) {
365 return EFI_UNSUPPORTED;
366 }
367
368 StatisticsInfoSize = sizeof (VARIABLE_INFO_ENTRY) + StrSize (VariableInfo->Name);
369 if (*InfoSize < StatisticsInfoSize) {
370 *InfoSize = StatisticsInfoSize;
371 return EFI_BUFFER_TOO_SMALL;
372 }
373 InfoName = (CHAR16 *)(InfoEntry + 1);
374
375 CopyGuid (&VendorGuid, &InfoEntry->VendorGuid);
376
377 if (CompareGuid (&VendorGuid, &mZeroGuid)) {
378 //
379 // Return the first variable info
380 //
381 CopyMem (InfoEntry, VariableInfo, sizeof (VARIABLE_INFO_ENTRY));
382 CopyMem (InfoName, VariableInfo->Name, StrSize (VariableInfo->Name));
383 *InfoSize = StatisticsInfoSize;
384 return EFI_SUCCESS;
385 }
386
387 //
388 // Get the next variable info
389 //
390 while (VariableInfo != NULL) {
391 if (CompareGuid (&VariableInfo->VendorGuid, &VendorGuid)) {
392 NameLength = StrSize (VariableInfo->Name);
393 if (NameLength == StrSize (InfoName)) {
394 if (CompareMem (VariableInfo->Name, InfoName, NameLength) == 0) {
395 //
396 // Find the match one
397 //
398 VariableInfo = VariableInfo->Next;
399 break;
400 }
401 }
402 }
403 VariableInfo = VariableInfo->Next;
404 };
405
406 if (VariableInfo == NULL) {
407 *InfoSize = 0;
408 return EFI_SUCCESS;
409 }
410
411 //
412 // Output the new variable info
413 //
414 StatisticsInfoSize = sizeof (VARIABLE_INFO_ENTRY) + StrSize (VariableInfo->Name);
415 if (*InfoSize < StatisticsInfoSize) {
416 *InfoSize = StatisticsInfoSize;
417 return EFI_BUFFER_TOO_SMALL;
418 }
419
420 CopyMem (InfoEntry, VariableInfo, sizeof (VARIABLE_INFO_ENTRY));
421 CopyMem (InfoName, VariableInfo->Name, StrSize (VariableInfo->Name));
422 *InfoSize = StatisticsInfoSize;
423
424 return EFI_SUCCESS;
425 }
426
427
428 /**
429 Communication service SMI Handler entry.
430
431 This SMI handler provides services for the variable wrapper driver.
432
433 Caution: This function may receive untrusted input.
434 This variable data and communicate buffer are external input, so this function will do basic validation.
435 Each sub function VariableServiceGetVariable(), VariableServiceGetNextVariableName(),
436 VariableServiceSetVariable(), VariableServiceQueryVariableInfo(), ReclaimForOS(),
437 SmmVariableGetStatistics() should also do validation based on its own knowledge.
438
439 @param[in] DispatchHandle The unique handle assigned to this handler by SmiHandlerRegister().
440 @param[in] RegisterContext Points to an optional handler context which was specified when the
441 handler was registered.
442 @param[in, out] CommBuffer A pointer to a collection of data in memory that will
443 be conveyed from a non-SMM environment into an SMM environment.
444 @param[in, out] CommBufferSize The size of the CommBuffer.
445
446 @retval EFI_SUCCESS The interrupt was handled and quiesced. No other handlers
447 should still be called.
448 @retval EFI_WARN_INTERRUPT_SOURCE_QUIESCED The interrupt has been quiesced but other handlers should
449 still be called.
450 @retval EFI_WARN_INTERRUPT_SOURCE_PENDING The interrupt is still pending and other handlers should still
451 be called.
452 @retval EFI_INTERRUPT_PENDING The interrupt could not be quiesced.
453
454 **/
455 EFI_STATUS
456 EFIAPI
457 SmmVariableHandler (
458 IN EFI_HANDLE DispatchHandle,
459 IN CONST VOID *RegisterContext,
460 IN OUT VOID *CommBuffer,
461 IN OUT UINTN *CommBufferSize
462 )
463 {
464 EFI_STATUS Status;
465 SMM_VARIABLE_COMMUNICATE_HEADER *SmmVariableFunctionHeader;
466 SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *SmmVariableHeader;
467 SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *GetNextVariableName;
468 SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO *QueryVariableInfo;
469 VARIABLE_INFO_ENTRY *VariableInfo;
470 SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE *VariableToLock;
471 SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY *CommVariableProperty;
472 UINTN InfoSize;
473 UINTN NameBufferSize;
474 UINTN CommBufferPayloadSize;
475 UINTN TempCommBufferSize;
476
477 //
478 // If input is invalid, stop processing this SMI
479 //
480 if (CommBuffer == NULL || CommBufferSize == NULL) {
481 return EFI_SUCCESS;
482 }
483
484 TempCommBufferSize = *CommBufferSize;
485
486 if (TempCommBufferSize < SMM_VARIABLE_COMMUNICATE_HEADER_SIZE) {
487 DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer size invalid!\n"));
488 return EFI_SUCCESS;
489 }
490 CommBufferPayloadSize = TempCommBufferSize - SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;
491 if (CommBufferPayloadSize > mVariableBufferPayloadSize) {
492 DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer payload size invalid!\n"));
493 return EFI_SUCCESS;
494 }
495
496 if (!SmmIsBufferOutsideSmmValid ((UINTN)CommBuffer, TempCommBufferSize)) {
497 DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer in SMRAM or overflow!\n"));
498 return EFI_SUCCESS;
499 }
500
501 SmmVariableFunctionHeader = (SMM_VARIABLE_COMMUNICATE_HEADER *)CommBuffer;
502
503 switch (SmmVariableFunctionHeader->Function) {
504 case SMM_VARIABLE_FUNCTION_GET_VARIABLE:
505 if (CommBufferPayloadSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) {
506 DEBUG ((EFI_D_ERROR, "GetVariable: SMM communication buffer size invalid!\n"));
507 return EFI_SUCCESS;
508 }
509 //
510 // Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.
511 //
512 CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize);
513 SmmVariableHeader = (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *) mVariableBufferPayload;
514 if (((UINTN)(~0) - SmmVariableHeader->DataSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) ||
515 ((UINTN)(~0) - SmmVariableHeader->NameSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + SmmVariableHeader->DataSize)) {
516 //
517 // Prevent InfoSize overflow happen
518 //
519 Status = EFI_ACCESS_DENIED;
520 goto EXIT;
521 }
522 InfoSize = OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)
523 + SmmVariableHeader->DataSize + SmmVariableHeader->NameSize;
524
525 //
526 // SMRAM range check already covered before
527 //
528 if (InfoSize > CommBufferPayloadSize) {
529 DEBUG ((EFI_D_ERROR, "GetVariable: Data size exceed communication buffer size limit!\n"));
530 Status = EFI_ACCESS_DENIED;
531 goto EXIT;
532 }
533
534 if (SmmVariableHeader->NameSize < sizeof (CHAR16) || SmmVariableHeader->Name[SmmVariableHeader->NameSize/sizeof (CHAR16) - 1] != L'\0') {
535 //
536 // Make sure VariableName is A Null-terminated string.
537 //
538 Status = EFI_ACCESS_DENIED;
539 goto EXIT;
540 }
541
542 Status = VariableServiceGetVariable (
543 SmmVariableHeader->Name,
544 &SmmVariableHeader->Guid,
545 &SmmVariableHeader->Attributes,
546 &SmmVariableHeader->DataSize,
547 (UINT8 *)SmmVariableHeader->Name + SmmVariableHeader->NameSize
548 );
549 CopyMem (SmmVariableFunctionHeader->Data, mVariableBufferPayload, CommBufferPayloadSize);
550 break;
551
552 case SMM_VARIABLE_FUNCTION_GET_NEXT_VARIABLE_NAME:
553 if (CommBufferPayloadSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name)) {
554 DEBUG ((EFI_D_ERROR, "GetNextVariableName: SMM communication buffer size invalid!\n"));
555 return EFI_SUCCESS;
556 }
557 //
558 // Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.
559 //
560 CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize);
561 GetNextVariableName = (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *) mVariableBufferPayload;
562 if ((UINTN)(~0) - GetNextVariableName->NameSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name)) {
563 //
564 // Prevent InfoSize overflow happen
565 //
566 Status = EFI_ACCESS_DENIED;
567 goto EXIT;
568 }
569 InfoSize = OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name) + GetNextVariableName->NameSize;
570
571 //
572 // SMRAM range check already covered before
573 //
574 if (InfoSize > CommBufferPayloadSize) {
575 DEBUG ((EFI_D_ERROR, "GetNextVariableName: Data size exceed communication buffer size limit!\n"));
576 Status = EFI_ACCESS_DENIED;
577 goto EXIT;
578 }
579
580 NameBufferSize = CommBufferPayloadSize - OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name);
581 if (NameBufferSize < sizeof (CHAR16) || GetNextVariableName->Name[NameBufferSize/sizeof (CHAR16) - 1] != L'\0') {
582 //
583 // Make sure input VariableName is A Null-terminated string.
584 //
585 Status = EFI_ACCESS_DENIED;
586 goto EXIT;
587 }
588
589 Status = VariableServiceGetNextVariableName (
590 &GetNextVariableName->NameSize,
591 GetNextVariableName->Name,
592 &GetNextVariableName->Guid
593 );
594 CopyMem (SmmVariableFunctionHeader->Data, mVariableBufferPayload, CommBufferPayloadSize);
595 break;
596
597 case SMM_VARIABLE_FUNCTION_SET_VARIABLE:
598 if (CommBufferPayloadSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) {
599 DEBUG ((EFI_D_ERROR, "SetVariable: SMM communication buffer size invalid!\n"));
600 return EFI_SUCCESS;
601 }
602 //
603 // Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.
604 //
605 CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize);
606 SmmVariableHeader = (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *) mVariableBufferPayload;
607 if (((UINTN)(~0) - SmmVariableHeader->DataSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) ||
608 ((UINTN)(~0) - SmmVariableHeader->NameSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + SmmVariableHeader->DataSize)) {
609 //
610 // Prevent InfoSize overflow happen
611 //
612 Status = EFI_ACCESS_DENIED;
613 goto EXIT;
614 }
615 InfoSize = OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)
616 + SmmVariableHeader->DataSize + SmmVariableHeader->NameSize;
617
618 //
619 // SMRAM range check already covered before
620 // Data buffer should not contain SMM range
621 //
622 if (InfoSize > CommBufferPayloadSize) {
623 DEBUG ((EFI_D_ERROR, "SetVariable: Data size exceed communication buffer size limit!\n"));
624 Status = EFI_ACCESS_DENIED;
625 goto EXIT;
626 }
627
628 if (SmmVariableHeader->NameSize < sizeof (CHAR16) || SmmVariableHeader->Name[SmmVariableHeader->NameSize/sizeof (CHAR16) - 1] != L'\0') {
629 //
630 // Make sure VariableName is A Null-terminated string.
631 //
632 Status = EFI_ACCESS_DENIED;
633 goto EXIT;
634 }
635
636 Status = VariableServiceSetVariable (
637 SmmVariableHeader->Name,
638 &SmmVariableHeader->Guid,
639 SmmVariableHeader->Attributes,
640 SmmVariableHeader->DataSize,
641 (UINT8 *)SmmVariableHeader->Name + SmmVariableHeader->NameSize
642 );
643 break;
644
645 case SMM_VARIABLE_FUNCTION_QUERY_VARIABLE_INFO:
646 if (CommBufferPayloadSize < sizeof (SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO)) {
647 DEBUG ((EFI_D_ERROR, "QueryVariableInfo: SMM communication buffer size invalid!\n"));
648 return EFI_SUCCESS;
649 }
650 QueryVariableInfo = (SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO *) SmmVariableFunctionHeader->Data;
651
652 Status = VariableServiceQueryVariableInfo (
653 QueryVariableInfo->Attributes,
654 &QueryVariableInfo->MaximumVariableStorageSize,
655 &QueryVariableInfo->RemainingVariableStorageSize,
656 &QueryVariableInfo->MaximumVariableSize
657 );
658 break;
659
660 case SMM_VARIABLE_FUNCTION_READY_TO_BOOT:
661 mEndOfDxe = TRUE;
662 //
663 // The initialization for variable quota.
664 //
665 InitializeVariableQuota ();
666 if (AtRuntime()) {
667 Status = EFI_UNSUPPORTED;
668 break;
669 }
670 ReclaimForOS ();
671 Status = EFI_SUCCESS;
672 break;
673
674 case SMM_VARIABLE_FUNCTION_EXIT_BOOT_SERVICE:
675 mAtRuntime = TRUE;
676 Status = EFI_SUCCESS;
677 break;
678
679 case SMM_VARIABLE_FUNCTION_GET_STATISTICS:
680 VariableInfo = (VARIABLE_INFO_ENTRY *) SmmVariableFunctionHeader->Data;
681 InfoSize = TempCommBufferSize - SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;
682
683 //
684 // Do not need to check SmmVariableFunctionHeader->Data in SMRAM here.
685 // It is covered by previous CommBuffer check
686 //
687
688 if (!SmmIsBufferOutsideSmmValid ((EFI_PHYSICAL_ADDRESS)(UINTN)CommBufferSize, sizeof(UINTN))) {
689 DEBUG ((EFI_D_ERROR, "GetStatistics: SMM communication buffer in SMRAM!\n"));
690 Status = EFI_ACCESS_DENIED;
691 goto EXIT;
692 }
693
694 Status = SmmVariableGetStatistics (VariableInfo, &InfoSize);
695 *CommBufferSize = InfoSize + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;
696 break;
697
698 case SMM_VARIABLE_FUNCTION_LOCK_VARIABLE:
699 if (mEndOfDxe) {
700 Status = EFI_ACCESS_DENIED;
701 } else {
702 VariableToLock = (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE *) SmmVariableFunctionHeader->Data;
703 Status = VariableLockRequestToLock (
704 NULL,
705 VariableToLock->Name,
706 &VariableToLock->Guid
707 );
708 }
709 break;
710 case SMM_VARIABLE_FUNCTION_VAR_CHECK_VARIABLE_PROPERTY_SET:
711 if (mEndOfDxe) {
712 Status = EFI_ACCESS_DENIED;
713 } else {
714 CommVariableProperty = (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY *) SmmVariableFunctionHeader->Data;
715 Status = VarCheckVariablePropertySet (
716 CommVariableProperty->Name,
717 &CommVariableProperty->Guid,
718 &CommVariableProperty->VariableProperty
719 );
720 }
721 break;
722 case SMM_VARIABLE_FUNCTION_VAR_CHECK_VARIABLE_PROPERTY_GET:
723 if (CommBufferPayloadSize < OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name)) {
724 DEBUG ((EFI_D_ERROR, "VarCheckVariablePropertyGet: SMM communication buffer size invalid!\n"));
725 return EFI_SUCCESS;
726 }
727 //
728 // Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.
729 //
730 CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize);
731 CommVariableProperty = (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY *) mVariableBufferPayload;
732 if ((UINTN) (~0) - CommVariableProperty->NameSize < OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name)) {
733 //
734 // Prevent InfoSize overflow happen
735 //
736 Status = EFI_ACCESS_DENIED;
737 goto EXIT;
738 }
739 InfoSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name) + CommVariableProperty->NameSize;
740
741 //
742 // SMRAM range check already covered before
743 //
744 if (InfoSize > CommBufferPayloadSize) {
745 DEBUG ((EFI_D_ERROR, "VarCheckVariablePropertyGet: Data size exceed communication buffer size limit!\n"));
746 Status = EFI_ACCESS_DENIED;
747 goto EXIT;
748 }
749
750 if (CommVariableProperty->NameSize < sizeof (CHAR16) || CommVariableProperty->Name[CommVariableProperty->NameSize/sizeof (CHAR16) - 1] != L'\0') {
751 //
752 // Make sure VariableName is A Null-terminated string.
753 //
754 Status = EFI_ACCESS_DENIED;
755 goto EXIT;
756 }
757
758 Status = VarCheckVariablePropertyGet (
759 CommVariableProperty->Name,
760 &CommVariableProperty->Guid,
761 &CommVariableProperty->VariableProperty
762 );
763 CopyMem (SmmVariableFunctionHeader->Data, mVariableBufferPayload, CommBufferPayloadSize);
764 break;
765
766 default:
767 Status = EFI_UNSUPPORTED;
768 }
769
770 EXIT:
771
772 SmmVariableFunctionHeader->ReturnStatus = Status;
773 return EFI_SUCCESS;
774 }
775
776 /**
777 SMM END_OF_DXE protocol notification event handler.
778
779 @param Protocol Points to the protocol's unique identifier
780 @param Interface Points to the interface instance
781 @param Handle The handle on which the interface was installed
782
783 @retval EFI_SUCCESS SmmEndOfDxeCallback runs successfully
784
785 **/
786 EFI_STATUS
787 EFIAPI
788 SmmEndOfDxeCallback (
789 IN CONST EFI_GUID *Protocol,
790 IN VOID *Interface,
791 IN EFI_HANDLE Handle
792 )
793 {
794 DEBUG ((EFI_D_INFO, "[Variable]END_OF_DXE is signaled\n"));
795 mEndOfDxe = TRUE;
796 //
797 // The initialization for variable quota.
798 //
799 InitializeVariableQuota ();
800 if (PcdGetBool (PcdReclaimVariableSpaceAtEndOfDxe)) {
801 ReclaimForOS ();
802 }
803 return EFI_SUCCESS;
804 }
805
806 /**
807 SMM Fault Tolerant Write protocol notification event handler.
808
809 Non-Volatile variable write may needs FTW protocol to reclaim when
810 writting variable.
811
812 @param Protocol Points to the protocol's unique identifier
813 @param Interface Points to the interface instance
814 @param Handle The handle on which the interface was installed
815
816 @retval EFI_SUCCESS SmmEventCallback runs successfully
817 @retval EFI_NOT_FOUND The Fvb protocol for variable is not found.
818
819 **/
820 EFI_STATUS
821 EFIAPI
822 SmmFtwNotificationEvent (
823 IN CONST EFI_GUID *Protocol,
824 IN VOID *Interface,
825 IN EFI_HANDLE Handle
826 )
827 {
828 EFI_STATUS Status;
829 EFI_SMM_FIRMWARE_VOLUME_BLOCK_PROTOCOL *FvbProtocol;
830 EFI_SMM_FAULT_TOLERANT_WRITE_PROTOCOL *FtwProtocol;
831 EFI_PHYSICAL_ADDRESS NvStorageVariableBase;
832 UINTN FtwMaxBlockSize;
833
834 if (mVariableModuleGlobal->FvbInstance != NULL) {
835 return EFI_SUCCESS;
836 }
837
838 //
839 // Ensure SMM FTW protocol is installed.
840 //
841 Status = GetFtwProtocol ((VOID **)&FtwProtocol);
842 if (EFI_ERROR (Status)) {
843 return Status;
844 }
845
846 Status = FtwProtocol->GetMaxBlockSize (FtwProtocol, &FtwMaxBlockSize);
847 if (!EFI_ERROR (Status)) {
848 ASSERT (PcdGet32 (PcdFlashNvStorageVariableSize) <= FtwMaxBlockSize);
849 }
850
851 //
852 // Find the proper FVB protocol for variable.
853 //
854 NvStorageVariableBase = (EFI_PHYSICAL_ADDRESS) PcdGet64 (PcdFlashNvStorageVariableBase64);
855 if (NvStorageVariableBase == 0) {
856 NvStorageVariableBase = (EFI_PHYSICAL_ADDRESS) PcdGet32 (PcdFlashNvStorageVariableBase);
857 }
858 Status = GetFvbInfoByAddress (NvStorageVariableBase, NULL, &FvbProtocol);
859 if (EFI_ERROR (Status)) {
860 return EFI_NOT_FOUND;
861 }
862
863 mVariableModuleGlobal->FvbInstance = FvbProtocol;
864
865 Status = VariableWriteServiceInitialize ();
866 if (EFI_ERROR (Status)) {
867 DEBUG ((DEBUG_ERROR, "Variable write service initialization failed. Status = %r\n", Status));
868 }
869
870 //
871 // Notify the variable wrapper driver the variable write service is ready
872 //
873 Status = gBS->InstallProtocolInterface (
874 &mSmmVariableHandle,
875 &gSmmVariableWriteGuid,
876 EFI_NATIVE_INTERFACE,
877 NULL
878 );
879 ASSERT_EFI_ERROR (Status);
880
881 return EFI_SUCCESS;
882 }
883
884
885 /**
886 Variable Driver main entry point. The Variable driver places the 4 EFI
887 runtime services in the EFI System Table and installs arch protocols
888 for variable read and write services being available. It also registers
889 a notification function for an EVT_SIGNAL_VIRTUAL_ADDRESS_CHANGE event.
890
891 @param[in] ImageHandle The firmware allocated handle for the EFI image.
892 @param[in] SystemTable A pointer to the EFI System Table.
893
894 @retval EFI_SUCCESS Variable service successfully initialized.
895
896 **/
897 EFI_STATUS
898 EFIAPI
899 VariableServiceInitialize (
900 IN EFI_HANDLE ImageHandle,
901 IN EFI_SYSTEM_TABLE *SystemTable
902 )
903 {
904 EFI_STATUS Status;
905 EFI_HANDLE VariableHandle;
906 VOID *SmmFtwRegistration;
907 VOID *SmmEndOfDxeRegistration;
908
909 //
910 // Variable initialize.
911 //
912 Status = VariableCommonInitialize ();
913 ASSERT_EFI_ERROR (Status);
914
915 //
916 // Install the Smm Variable Protocol on a new handle.
917 //
918 VariableHandle = NULL;
919 Status = gSmst->SmmInstallProtocolInterface (
920 &VariableHandle,
921 &gEfiSmmVariableProtocolGuid,
922 EFI_NATIVE_INTERFACE,
923 &gSmmVariable
924 );
925 ASSERT_EFI_ERROR (Status);
926
927 Status = gSmst->SmmInstallProtocolInterface (
928 &VariableHandle,
929 &gEdkiiSmmVarCheckProtocolGuid,
930 EFI_NATIVE_INTERFACE,
931 &mSmmVarCheck
932 );
933 ASSERT_EFI_ERROR (Status);
934
935 mVariableBufferPayloadSize = MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize)) +
936 OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name) - sizeof (VARIABLE_HEADER);
937
938 Status = gSmst->SmmAllocatePool (
939 EfiRuntimeServicesData,
940 mVariableBufferPayloadSize,
941 (VOID **)&mVariableBufferPayload
942 );
943 ASSERT_EFI_ERROR (Status);
944
945 ///
946 /// Register SMM variable SMI handler
947 ///
948 VariableHandle = NULL;
949 Status = gSmst->SmiHandlerRegister (SmmVariableHandler, &gEfiSmmVariableProtocolGuid, &VariableHandle);
950 ASSERT_EFI_ERROR (Status);
951
952 //
953 // Notify the variable wrapper driver the variable service is ready
954 //
955 Status = SystemTable->BootServices->InstallProtocolInterface (
956 &mVariableHandle,
957 &gEfiSmmVariableProtocolGuid,
958 EFI_NATIVE_INTERFACE,
959 &gSmmVariable
960 );
961 ASSERT_EFI_ERROR (Status);
962
963 //
964 // Register EFI_SMM_END_OF_DXE_PROTOCOL_GUID notify function.
965 //
966 Status = gSmst->SmmRegisterProtocolNotify (
967 &gEfiSmmEndOfDxeProtocolGuid,
968 SmmEndOfDxeCallback,
969 &SmmEndOfDxeRegistration
970 );
971 ASSERT_EFI_ERROR (Status);
972
973 //
974 // Register FtwNotificationEvent () notify function.
975 //
976 Status = gSmst->SmmRegisterProtocolNotify (
977 &gEfiSmmFaultTolerantWriteProtocolGuid,
978 SmmFtwNotificationEvent,
979 &SmmFtwRegistration
980 );
981 ASSERT_EFI_ERROR (Status);
982
983 SmmFtwNotificationEvent (NULL, NULL, NULL);
984
985 return EFI_SUCCESS;
986 }
987
988
EFI Development Kit II mirror for PVE