MdeModulePkg Variable: Abstract GetHobVariableStore function
index dfdc1febc86869d2bfdce2dd96ea1a5251e64c52..fb4e13ab25a78c809f9f85c470cb7b4e4308c736 100644 (file)
@@ -78,14 +78,53 @@ MorLockInit (
   VariableServiceSetVariable (\r
     MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME,\r
     &gEfiMemoryOverwriteRequestControlLockGuid,\r
-    EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,\r
-    0,\r
-    NULL\r
+    0,                                          // Attributes\r
+    0,                                          // DataSize\r
+    NULL                                        // Data\r
     );\r
 \r
   //\r
   // Need set this variable to be read-only to prevent other module set it.\r
   //\r
   VariableLockRequestToLock (&mVariableLock, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, &gEfiMemoryOverwriteRequestControlLockGuid);\r
+\r
+  //\r
+  // The MOR variable can effectively improve platform security only when the\r
+  // MorLock variable protects the MOR variable. In turn MorLock cannot be made\r
+  // secure without SMM support in the platform firmware (see above).\r
+  //\r
+  // Thus, delete the MOR variable, should it exist for any reason (some OSes\r
+  // are known to create MOR unintentionally, in an attempt to set it), then\r
+  // also lock the MOR variable, in order to prevent other modules from\r
+  // creating it.\r
+  //\r
+  VariableServiceSetVariable (\r
+    MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,\r
+    &gEfiMemoryOverwriteControlDataGuid,\r
+    0,                                      // Attributes\r
+    0,                                      // DataSize\r
+    NULL                                    // Data\r
+    );\r
+  VariableLockRequestToLock (\r
+    &mVariableLock,\r
+    MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,\r
+    &gEfiMemoryOverwriteControlDataGuid\r
+    );\r
+\r
   return EFI_SUCCESS;\r
 }\r
+\r
+/**\r
+  Delayed initialization for MOR Control Lock at EndOfDxe.\r
+\r
+  This function performs any operations queued by MorLockInit().\r
+**/\r
+VOID\r
+MorLockInitAtEndOfDxe (\r
+  VOID\r
+  )\r
+{\r
+  //\r
+  // Do nothing.\r
+  //\r
+}\r
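Review bot: The status returned by the new `VariableLockRequestToLock` call for MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME is discarded, so a failed lock request leaves the MOR variable creatable by other modules, which is exactly what the comment above that call says the lock is meant to prevent. Capturing it into an `EFI_STATUS Status` and following with `ASSERT_EFI_ERROR (Status);` (or a `DEBUG ((DEBUG_ERROR, ...))` line) would make the failure visible in debug builds instead of silent; the preceding deletion is reasonable to leave unchecked, since a not-found status is presumably the common case when no OS created the variable. The earlier lock request for the MorLock variable at the top of the hunk has the same gap, which this commit does not address. Separately, the docstring of MorLockInitAtEndOfDxe says it "performs any operations queued by MorLockInit()" while the body is an explicit no-op; adding `In this implementation nothing is queued, so this is intentionally a no-op.` would save readers from searching for missing code. MorLockInit begins outside the hunk.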