MOR lock control unsupported.\r
\r
Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>\r
+Copyright (c) Microsoft Corporation.\r
SPDX-License-Identifier: BSD-2-Clause-Patent\r
\r
**/\r
#include <Library/BaseMemoryLib.h>\r
#include "Variable.h"\r
\r
-extern EDKII_VARIABLE_LOCK_PROTOCOL mVariableLock;\r
+#include <Protocol/VariablePolicy.h>\r
+#include <Library/VariablePolicyHelperLib.h>\r
\r
/**\r
This service is an MOR/MorLock checker handler for the SetVariable().\r
NULL // Data\r
);\r
\r
- //\r
- // Need set this variable to be read-only to prevent other module set it.\r
- //\r
- VariableLockRequestToLock (&mVariableLock, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, &gEfiMemoryOverwriteRequestControlLockGuid);\r
-\r
//\r
// The MOR variable can effectively improve platform security only when the\r
// MorLock variable protects the MOR variable. In turn MorLock cannot be made\r
0, // DataSize\r
NULL // Data\r
);\r
- VariableLockRequestToLock (\r
- &mVariableLock,\r
- MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,\r
- &gEfiMemoryOverwriteControlDataGuid\r
- );\r
\r
return EFI_SUCCESS;\r
}\r
VOID\r
)\r
{\r
- //\r
- // Do nothing.\r
- //\r
+ EFI_STATUS Status;\r
+ EDKII_VARIABLE_POLICY_PROTOCOL *VariablePolicy;\r
+\r
+ // First, we obviously need to locate the VariablePolicy protocol.\r
+ Status = gBS->LocateProtocol( &gEdkiiVariablePolicyProtocolGuid, NULL, (VOID**)&VariablePolicy );\r
+ if (EFI_ERROR( Status )) {\r
+ DEBUG(( DEBUG_ERROR, "%a - Could not locate VariablePolicy protocol! %r\n", __FUNCTION__, Status ));\r
+ return;\r
+ }\r
+\r
+ // If we're successful, go ahead and set the policies to protect the target variables.\r
+ Status = RegisterBasicVariablePolicy( VariablePolicy,\r
+ &gEfiMemoryOverwriteRequestControlLockGuid,\r
+ MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME,\r
+ VARIABLE_POLICY_NO_MIN_SIZE,\r
+ VARIABLE_POLICY_NO_MAX_SIZE,\r
+ VARIABLE_POLICY_NO_MUST_ATTR,\r
+ VARIABLE_POLICY_NO_CANT_ATTR,\r
+ VARIABLE_POLICY_TYPE_LOCK_NOW );\r
+ if (EFI_ERROR( Status )) {\r
+ DEBUG(( DEBUG_ERROR, "%a - Could not lock variable %s! %r\n", __FUNCTION__, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, Status ));\r
+ }\r
+ Status = RegisterBasicVariablePolicy( VariablePolicy,\r
+ &gEfiMemoryOverwriteControlDataGuid,\r
+ MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,\r
+ VARIABLE_POLICY_NO_MIN_SIZE,\r
+ VARIABLE_POLICY_NO_MAX_SIZE,\r
+ VARIABLE_POLICY_NO_MUST_ATTR,\r
+ VARIABLE_POLICY_NO_CANT_ATTR,\r
+ VARIABLE_POLICY_TYPE_LOCK_NOW );\r
+ if (EFI_ERROR( Status )) {\r
+ DEBUG(( DEBUG_ERROR, "%a - Could not lock variable %s! %r\n", __FUNCTION__, MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, Status ));\r
+ }\r
+\r
+ return;\r
}\r
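Review bot: Both failure paths in this function leave the MOR and MorLock variables unlocked with nothing but a DEBUG message: the early `return` after `LocateProtocol` skips both registrations, and a failed `RegisterBasicVariablePolicy` is only logged. DEBUG output is normally compiled out of release firmware, and as far as the visible hunks show, the `VariableLockRequestToLock` calls removed earlier in this file were the only other protection, so this function is now the single point of enforcement. The SMM counterpart in this change adds `ASSERT_EFI_ERROR( Status );` after its error log, and doing the same here would keep the two files consistent. Asserts are also usually disabled in release builds, so a lock failure that must not pass silently needs a path that survives there, such as a status code report. The function's signature and header comment sit outside the hunk.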
#include "Variable.h"\r
\r
#include <Protocol/VariablePolicy.h>\r
-\r
+#include <Library/VariablePolicyHelperLib.h>\r
#include <Library/VariablePolicyLib.h>\r
\r
typedef struct {\r
{\r
UINTN MorSize;\r
EFI_STATUS MorStatus;\r
+ EFI_STATUS Status;\r
+ VARIABLE_POLICY_ENTRY *NewPolicy;\r
\r
if (!mMorLockInitializationRequired) {\r
//\r
// The MOR variable is absent; the platform firmware does not support it.\r
// Lock the variable so that no other module may create it.\r
//\r
- VariableLockRequestToLock (\r
- NULL, // This\r
- MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,\r
- &gEfiMemoryOverwriteControlDataGuid\r
- );\r
+ NewPolicy = NULL;\r
+ Status = CreateBasicVariablePolicy( &gEfiMemoryOverwriteControlDataGuid,\r
+ MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,\r
+ VARIABLE_POLICY_NO_MIN_SIZE,\r
+ VARIABLE_POLICY_NO_MAX_SIZE,\r
+ VARIABLE_POLICY_NO_MUST_ATTR,\r
+ VARIABLE_POLICY_NO_CANT_ATTR,\r
+ VARIABLE_POLICY_TYPE_LOCK_NOW,\r
+ &NewPolicy );\r
+ if (!EFI_ERROR( Status )) {\r
+ Status = RegisterVariablePolicy( NewPolicy );\r
+ }\r
+ if (EFI_ERROR( Status )) {\r
+ DEBUG(( DEBUG_ERROR, "%a - Failed to lock variable %s! %r\n", __FUNCTION__, MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, Status ));\r
+ ASSERT_EFI_ERROR( Status );\r
+ }\r
+ if (NewPolicy != NULL) {\r
+ FreePool( NewPolicy );\r
+ }\r
\r
//\r
// Delete the MOR Control Lock variable too (should it exists for some\r
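Review bot: The create/register/log/free sequence added here is repeated line for line later in the same function for `MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME`, differing only in the GUID and the name, so a later fix to one copy (for example to the error handling) can easily miss the other. A file-local helper taking the namespace and name would hold the sequence once and return the status, leaving each call site as a call followed by `ASSERT_EFI_ERROR (Status);`. The helper name below is only a suggestion, and `__FUNCTION__` in the log would then print the helper's name rather than the caller's. The enclosing function begins before this hunk and continues past it.

```c
STATIC
EFI_STATUS
LockMorVariableByPolicy (
  IN CONST EFI_GUID  *Namespace,
  IN CONST CHAR16    *Name
  )
{
  EFI_STATUS             Status;
  VARIABLE_POLICY_ENTRY  *NewPolicy;

  NewPolicy = NULL;
  Status    = CreateBasicVariablePolicy (
                Namespace,
                Name,
                VARIABLE_POLICY_NO_MIN_SIZE,
                VARIABLE_POLICY_NO_MAX_SIZE,
                VARIABLE_POLICY_NO_MUST_ATTR,
                VARIABLE_POLICY_NO_CANT_ATTR,
                VARIABLE_POLICY_TYPE_LOCK_NOW,
                &NewPolicy
                );
  if (!EFI_ERROR (Status)) {
    Status = RegisterVariablePolicy (NewPolicy);
  }

  if (NewPolicy != NULL) {
    FreePool (NewPolicy);
  }

  if (EFI_ERROR (Status)) {
    DEBUG ((DEBUG_ERROR, "%a - Failed to lock variable %s! %r\n", __FUNCTION__, Name, Status));
  }

  return Status;
}

// … unchanged: surrounding MOR / MorLock handling …
Status = LockMorVariableByPolicy (&gEfiMemoryOverwriteControlDataGuid, MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME);
ASSERT_EFI_ERROR (Status);
```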
);\r
mMorLockPassThru = FALSE;\r
\r
- VariableLockRequestToLock (\r
- NULL, // This\r
- MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME,\r
- &gEfiMemoryOverwriteRequestControlLockGuid\r
- );\r
+ NewPolicy = NULL;\r
+ Status = CreateBasicVariablePolicy( &gEfiMemoryOverwriteRequestControlLockGuid,\r
+ MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME,\r
+ VARIABLE_POLICY_NO_MIN_SIZE,\r
+ VARIABLE_POLICY_NO_MAX_SIZE,\r
+ VARIABLE_POLICY_NO_MUST_ATTR,\r
+ VARIABLE_POLICY_NO_CANT_ATTR,\r
+ VARIABLE_POLICY_TYPE_LOCK_NOW,\r
+ &NewPolicy );\r
+ if (!EFI_ERROR( Status )) {\r
+ Status = RegisterVariablePolicy( NewPolicy );\r
+ }\r
+ if (EFI_ERROR( Status )) {\r
+ DEBUG(( DEBUG_ERROR, "%a - Failed to lock variable %s! %r\n", __FUNCTION__, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, Status ));\r
+ ASSERT_EFI_ERROR( Status );\r
+ }\r
+ if (NewPolicy != NULL) {\r
+ FreePool( NewPolicy );\r
+ }\r
}\r