SecurityPkg: AuthVariableLib: Cache UserPhysicalPresent in AuthVariableLib

AuthVariableLib is updated to cache the UserPhysicalPresent state to global variable. This avoids calling PlatformSecureLib during runtime and makes PhysicalPresent state consistent during one boot.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>

diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c
index 6e1e284801124cb71c1982aea8ee27becd7d3968..1d49b6a16e49b2b93814fef3fea179c2444c2629 100644 (file)
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@@ -931,7 +931,7 @@ ProcessVarWithPk (
   // Init state of Del. State may change due to secure check\r
   //\r
   Del = FALSE;\r
-  if ((InCustomMode() && UserPhysicalPresent()) || (mPlatformMode == SETUP_MODE && !IsPk)) {\r
+  if ((InCustomMode() && mUserPhysicalPresent) || (mPlatformMode == SETUP_MODE && !IsPk)) {\r
     Payload = (UINT8 *) Data + AUTHINFO2_SIZE (Data);\r
     PayloadSize = DataSize - AUTHINFO2_SIZE (Data);\r
     if (PayloadSize == 0) {\r
@@ -1049,7 +1049,7 @@ ProcessVarWithKek (
   }\r
 \r
   Status = EFI_SUCCESS;\r
-  if (mPlatformMode == USER_MODE && !(InCustomMode() && UserPhysicalPresent())) {\r
+  if (mPlatformMode == USER_MODE && !(InCustomMode() && mUserPhysicalPresent)) {\r
     //\r
     // Time-based, verify against X509 Cert KEK.\r
     //\r
@@ -1204,7 +1204,7 @@ ProcessVariable (
              &OrgVariableInfo\r
              );\r
 \r
-  if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable (OrgVariableInfo.Attributes, Data, DataSize, Attributes) && UserPhysicalPresent()) {\r
+  if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable (OrgVariableInfo.Attributes, Data, DataSize, Attributes) && mUserPhysicalPresent) {\r
     //\r
     // Allow the delete operation of common authenticated variable at user physical presence.\r
     //\r
@@ -1222,7 +1222,7 @@ ProcessVariable (
     return Status;\r
   }\r
 \r
-  if (NeedPhysicallyPresent (VariableName, VendorGuid) && !UserPhysicalPresent()) {\r
+  if (NeedPhysicallyPresent (VariableName, VendorGuid) && !mUserPhysicalPresent) {\r
     //\r
     // This variable is protected, only physical present user could modify its value.\r
     //\r

diff --git a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
index e7c4bf043d94d90924310fe3414ac4bb82664222..ac7ea89a803866cb53cb620fe2772d100bfd31f2 100644 (file)
--- a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
+++ b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
@@ -128,6 +128,7 @@ extern UINT8    *mCertDbStore;
 extern UINT32   mMaxCertDbSize;\r
 extern UINT32   mPlatformMode;\r
 extern UINT8    mVendorKeyState;\r
+extern BOOLEAN  mUserPhysicalPresent;\r
 \r
 extern VOID     *mHashCtx;\r
 \r

diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
index c4fbb649f1fd0335e44df1ceb049cb0d385d5871..dd35a444092e6e293dc29c4e538f41e2f7c08a1a 100644 (file)
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
@@ -35,6 +35,7 @@ UINT8    *mCertDbStore;
 UINT32   mMaxCertDbSize;\r
 UINT32   mPlatformMode;\r
 UINT8    mVendorKeyState;\r
+BOOLEAN  mUserPhysicalPresent;\r
 \r
 EFI_GUID mSignatureSupport[] = {EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID};\r
 \r
@@ -435,6 +436,12 @@ AuthVariableLibInitialize (
   AuthVarLibContextOut->AddressPointer = mAuthVarAddressPointer;\r
   AuthVarLibContextOut->AddressPointerCount = sizeof (mAuthVarAddressPointer) / sizeof (mAuthVarAddressPointer[0]);\r
 \r
+  //\r
+  // Cache UserPhysicalPresent State. \r
+  // Platform should report PhysicalPresent before this point\r
+  //\r
+  mUserPhysicalPresent = UserPhysicalPresent();\r
+\r
   return Status;\r
 }\r
 \r