SecurityPkg: PlatformPKProtectionLib: Added PK protection interface

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3911

This patch provides an abstracted interface for platform to implement PK
variable related protection interface, which is designed to be used when
PK variable is about to be changed by UEFI firmware.

This change also provided a variable policy based library implementation
to accomodate platforms that supports variable policy for variable
protections.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>
Signed-off-by: Kun Qin <kun.qin@microsoft.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Acked-by: Michael Kubacki <michael.kubacki@microsoft.com>

diff --git a/SecurityPkg/Include/Library/PlatformPKProtectionLib.h b/SecurityPkg/Include/Library/PlatformPKProtectionLib.h
new file mode 100644 (file)
index 0000000..3586a47
--- /dev/null
+++ b/SecurityPkg/Include/Library/PlatformPKProtectionLib.h
@@ -0,0 +1,31 @@
+/** @file\r
+  Provides an abstracted interface for configuring PK related variable protection.\r
+\r
+  Copyright (c) Microsoft Corporation.\r
+  SPDX-License-Identifier: BSD-2-Clause-Patent\r
+\r
+**/\r
+\r
+#ifndef PLATFORM_PK_PROTECTION_LIB_H_\r
+#define PLATFORM_PK_PROTECTION_LIB_H_\r
+\r
+/**\r
+  Disable any applicable protection against variable 'PK'. The implementation\r
+  of this interface is platform specific, depending on the protection techniques\r
+  used per platform.\r
+\r
+  Note: It is the platform's responsibility to conduct cautious operation after\r
+        disabling this protection.\r
+\r
+  @retval     EFI_SUCCESS             State has been successfully updated.\r
+  @retval     Others                  Error returned from implementation specific\r
+                                      underying APIs.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+DisablePKProtection (\r
+  VOID\r
+  );\r
+\r
+#endif\r

diff --git a/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c b/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c
new file mode 100644 (file)
index 0000000..a264924
--- /dev/null
+++ b/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c
@@ -0,0 +1,51 @@
+/** @file\r
+  Provides an abstracted interface for configuring PK related variable protection.\r
+\r
+  Copyright (c) Microsoft Corporation.\r
+  SPDX-License-Identifier: BSD-2-Clause-Patent\r
+\r
+**/\r
+#include <Uefi.h>\r
+#include <Protocol/VariablePolicy.h>\r
+\r
+#include <Library/DebugLib.h>\r
+#include <Library/UefiBootServicesTableLib.h>\r
+\r
+/**\r
+  Disable any applicable protection against variable 'PK'. The implementation\r
+  of this interface is platform specific, depending on the protection techniques\r
+  used per platform.\r
+\r
+  Note: It is the platform's responsibility to conduct cautious operation after\r
+        disabling this protection.\r
+\r
+  @retval     EFI_SUCCESS             State has been successfully updated.\r
+  @retval     Others                  Error returned from implementation specific\r
+                                      underying APIs.\r
+\r
+**/\r
+EFI_STATUS\r
+EFIAPI\r
+DisablePKProtection (\r
+  VOID\r
+  )\r
+{\r
+  EFI_STATUS                      Status;\r
+  EDKII_VARIABLE_POLICY_PROTOCOL  *VariablePolicy;\r
+\r
+  DEBUG ((DEBUG_INFO, "%a() Entry...\n", __FUNCTION__));\r
+\r
+  // IMPORTANT NOTE: This operation is sticky and leaves variable protections disabled.\r
+  //                  The system *MUST* be reset after performing this operation.\r
+  Status = gBS->LocateProtocol (&gEdkiiVariablePolicyProtocolGuid, NULL, (VOID **)&VariablePolicy);\r
+  if (!EFI_ERROR (Status)) {\r
+    Status = VariablePolicy->DisableVariablePolicy ();\r
+    // EFI_ALREADY_STARTED means that everything is currently disabled.\r
+    // This should be considered SUCCESS.\r
+    if (Status == EFI_ALREADY_STARTED) {\r
+      Status = EFI_SUCCESS;\r
+    }\r
+  }\r
+\r
+  return Status;\r
+}\r

diff --git a/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf b/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf
new file mode 100644 (file)
index 0000000..df42ce0
--- /dev/null
+++ b/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf
@@ -0,0 +1,36 @@
+## @file\r
+#  Provides an abstracted interface for configuring PK related variable protection.\r
+#\r
+#  Copyright (c) Microsoft Corporation.\r
+#  SPDX-License-Identifier: BSD-2-Clause-Patent\r
+#\r
+##\r
+\r
+[Defines]\r
+  INF_VERSION                    = 0x00010005\r
+  BASE_NAME                      = PlatformPKProtectionLibVarPolicy\r
+  FILE_GUID                      = AE0C5992-526C-4518-93BA-3C2611B801E0\r
+  MODULE_TYPE                    = DXE_DRIVER\r
+  VERSION_STRING                 = 1.0\r
+  LIBRARY_CLASS                  = PlatformPKProtectionLib|DXE_DRIVER DXE_RUNTIME_DRIVER UEFI_APPLICATION\r
+\r
+#\r
+# The following information is for reference only and not required by the build tools.\r
+#\r
+#  VALID_ARCHITECTURES           = IA32 X64 AARCH64\r
+#\r
+\r
+[Sources]\r
+  PlatformPKProtectionLibVarPolicy.c\r
+\r
+[Packages]\r
+  MdePkg/MdePkg.dec\r
+  MdeModulePkg/MdeModulePkg.dec\r
+  SecurityPkg/SecurityPkg.dec\r
+\r
+[LibraryClasses]\r
+  DebugLib\r
+  UefiBootServicesTableLib\r
+\r
+[Protocols]\r
+  gEdkiiVariablePolicyProtocolGuid\r

diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
index 0ee75efc1a97142009b83a0f2c120c3614d598c2..7ecf9565d98ca668658eb5f3c9c3d31b0e7b6098 100644 (file)
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@@ -99,6 +99,11 @@
   ## @libraryclass  Provides support to enroll Secure Boot keys.\r
   #\r
   SecureBootVariableProvisionLib|Include/Library/SecureBootVariableProvisionLib.h\r
+\r
+  ## @libraryclass  Provides support to manage variable 'PK' related protections.\r
+  #\r
+  PlatformPKProtectionLib|Include/Library/PlatformPKProtectionLib.h\r
+\r
 [Guids]\r
   ## Security package token space guid.\r
   # Include/Guid/SecurityPkgTokenSpace.h\r

diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index d883747474e41908eec9a8322d96b25eac3775cb..f48187650f2f6c3ae4f8d0b760e29acd1c3ee8d7 100644 (file)
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -71,6 +71,7 @@
   TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLogRecordLib.inf\r
   MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf\r
   SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf\r
+  PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf\r
   SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf\r
   TdxLib|MdePkg/Library/TdxLib/TdxLib.inf\r
 \r
@@ -261,6 +262,7 @@
   #\r
   SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf\r
   SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf\r
+  SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf\r
 \r
   #\r
   # Other\r