--- /dev/null
+/** @file\r
+ Provides an abstracted interface for configuring PK related variable protection.\r
+\r
+ Copyright (c) Microsoft Corporation.\r
+ SPDX-License-Identifier: BSD-2-Clause-Patent\r
+\r
+**/\r
+\r
+#ifndef PLATFORM_PK_PROTECTION_LIB_H_\r
+#define PLATFORM_PK_PROTECTION_LIB_H_\r
+\r
+/**\r
+ Disable any applicable protection against variable 'PK'. The implementation\r
+ of this interface is platform specific, depending on the protection techniques\r
+ used per platform.\r
+\r
+ Note: It is the platform's responsibility to conduct cautious operation after\r
+ disabling this protection.\r
+\r
+ @retval EFI_SUCCESS State has been successfully updated.\r
+ @retval Others Error returned from implementation specific\r
+ underying APIs.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+DisablePKProtection (\r
+ VOID\r
+ );\r
+\r
+#endif\r
--- /dev/null
+/** @file\r
+ Provides an abstracted interface for configuring PK related variable protection.\r
+\r
+ Copyright (c) Microsoft Corporation.\r
+ SPDX-License-Identifier: BSD-2-Clause-Patent\r
+\r
+**/\r
+#include <Uefi.h>\r
+#include <Protocol/VariablePolicy.h>\r
+\r
+#include <Library/DebugLib.h>\r
+#include <Library/UefiBootServicesTableLib.h>\r
+\r
+/**\r
+ Disable any applicable protection against variable 'PK'. The implementation\r
+ of this interface is platform specific, depending on the protection techniques\r
+ used per platform.\r
+\r
+ Note: It is the platform's responsibility to conduct cautious operation after\r
+ disabling this protection.\r
+\r
+ @retval EFI_SUCCESS State has been successfully updated.\r
+ @retval Others Error returned from implementation specific\r
+ underying APIs.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+DisablePKProtection (\r
+ VOID\r
+ )\r
+{\r
+ EFI_STATUS Status;\r
+ EDKII_VARIABLE_POLICY_PROTOCOL *VariablePolicy;\r
+\r
+ DEBUG ((DEBUG_INFO, "%a() Entry...\n", __FUNCTION__));\r
+\r
+ // IMPORTANT NOTE: This operation is sticky and leaves variable protections disabled.\r
+ // The system *MUST* be reset after performing this operation.\r
+ Status = gBS->LocateProtocol (&gEdkiiVariablePolicyProtocolGuid, NULL, (VOID **)&VariablePolicy);\r
+ if (!EFI_ERROR (Status)) {\r
+ Status = VariablePolicy->DisableVariablePolicy ();\r
+ // EFI_ALREADY_STARTED means that everything is currently disabled.\r
+ // This should be considered SUCCESS.\r
+ if (Status == EFI_ALREADY_STARTED) {\r
+ Status = EFI_SUCCESS;\r
+ }\r
+ }\r
+\r
+ return Status;\r
+}\r
--- /dev/null
+## @file\r
+# Provides an abstracted interface for configuring PK related variable protection.\r
+#\r
+# Copyright (c) Microsoft Corporation.\r
+# SPDX-License-Identifier: BSD-2-Clause-Patent\r
+#\r
+##\r
+\r
+[Defines]\r
+ INF_VERSION = 0x00010005\r
+ BASE_NAME = PlatformPKProtectionLibVarPolicy\r
+ FILE_GUID = AE0C5992-526C-4518-93BA-3C2611B801E0\r
+ MODULE_TYPE = DXE_DRIVER\r
+ VERSION_STRING = 1.0\r
+ LIBRARY_CLASS = PlatformPKProtectionLib|DXE_DRIVER DXE_RUNTIME_DRIVER UEFI_APPLICATION\r
+\r
+#\r
+# The following information is for reference only and not required by the build tools.\r
+#\r
+# VALID_ARCHITECTURES = IA32 X64 AARCH64\r
+#\r
+\r
+[Sources]\r
+ PlatformPKProtectionLibVarPolicy.c\r
+\r
+[Packages]\r
+ MdePkg/MdePkg.dec\r
+ MdeModulePkg/MdeModulePkg.dec\r
+ SecurityPkg/SecurityPkg.dec\r
+\r
+[LibraryClasses]\r
+ DebugLib\r
+ UefiBootServicesTableLib\r
+\r
+[Protocols]\r
+ gEdkiiVariablePolicyProtocolGuid\r
## @libraryclass Provides support to enroll Secure Boot keys.\r
#\r
SecureBootVariableProvisionLib|Include/Library/SecureBootVariableProvisionLib.h\r
+\r
+ ## @libraryclass Provides support to manage variable 'PK' related protections.\r
+ #\r
+ PlatformPKProtectionLib|Include/Library/PlatformPKProtectionLib.h\r
+\r
[Guids]\r
## Security package token space guid.\r
# Include/Guid/SecurityPkgTokenSpace.h\r
TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLogRecordLib.inf\r
MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf\r
SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf\r
+ PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf\r
SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf\r
TdxLib|MdePkg/Library/TdxLib/TdxLib.inf\r
\r
#\r
SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf\r
SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf\r
+ SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf\r
\r
#\r
# Other\r