VariableServiceSetVariable (\r
MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME,\r
&gEfiMemoryOverwriteRequestControlLockGuid,\r
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,\r
- 0,\r
- NULL\r
+ 0, // Attributes\r
+ 0, // DataSize\r
+ NULL // Data\r
);\r
\r
//\r
// Need set this variable to be read-only to prevent other module set it.\r
//\r
VariableLockRequestToLock (&mVariableLock, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, &gEfiMemoryOverwriteRequestControlLockGuid);\r
+\r
+ //\r
+ // The MOR variable can effectively improve platform security only when the\r
+ // MorLock variable protects the MOR variable. In turn MorLock cannot be made\r
+ // secure without SMM support in the platform firmware (see above).\r
+ //\r
+ // Thus, delete the MOR variable, should it exist for any reason (some OSes\r
+ // are known to create MOR unintentionally, in an attempt to set it), then\r
+ // also lock the MOR variable, in order to prevent other modules from\r
+ // creating it.\r
+ //\r
+ VariableServiceSetVariable (\r
+ MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,\r
+ &gEfiMemoryOverwriteControlDataGuid,\r
+ 0, // Attributes\r
+ 0, // DataSize\r
+ NULL // Data\r
+ );\r
+ VariableLockRequestToLock (\r
+ &mVariableLock,\r
+ MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,\r
+ &gEfiMemoryOverwriteControlDataGuid\r
+ );\r
+\r
return EFI_SUCCESS;\r
}\r
\r
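Review bot: The two added calls that delete and then lock the MOR variable discard their return status, and the function still returns EFI_SUCCESS unconditionally, so a failed lock request would leave MOR creatable by other modules with nothing in the log. That is exactly the state the new comment says must be prevented. I would capture the status of the added `VariableLockRequestToLock (...)` call and at least report it, e.g. `if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "%a: failed to lock MOR: %r\n", __FUNCTION__, Status)); }`. For the delete, EFI_NOT_FOUND is presumably the normal result when MOR was never created, so only other error codes need reporting. The enclosing function starts outside the hunk, so whether a `Status` local already exists is not visible here.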