From 98ee0c68a2cc86811fc6e4eff6dc068bb5e65504 Mon Sep 17 00:00:00 2001 From: Bret Barkelew Date: Mon, 9 Nov 2020 14:45:21 +0800 Subject: [PATCH] MdeModulePkg: Change TCG MOR variables to use VariablePolicy https://bugzilla.tianocore.org/show_bug.cgi?id=2522 These were previously using VarLock, which is being deprecated. Cc: Jian J Wang Cc: Hao A Wu Cc: Liming Gao Cc: Bret Barkelew Signed-off-by: Bret Barkelew Reviewed-by: Dandan Bi Acked-by: Jian J Wang --- .../Variable/RuntimeDxe/TcgMorLockDxe.c | 52 ++++++++++++++----- .../Variable/RuntimeDxe/TcgMorLockSmm.c | 52 +++++++++++++++---- .../RuntimeDxe/VariableRuntimeDxe.inf | 2 + .../RuntimeDxe/VariableStandaloneMm.inf | 1 + 4 files changed, 82 insertions(+), 25 deletions(-) diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c index e7accf4ed8..b85f08c48c 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c @@ -5,6 +5,7 @@ MOR lock control unsupported. Copyright (c) 2016, Intel Corporation. All rights reserved.
+Copyright (c) Microsoft Corporation. SPDX-License-Identifier: BSD-2-Clause-Patent **/ @@ -17,7 +18,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include #include "Variable.h" -extern EDKII_VARIABLE_LOCK_PROTOCOL mVariableLock; +#include +#include /** This service is an MOR/MorLock checker handler for the SetVariable(). @@ -77,11 +79,6 @@ MorLockInit ( NULL // Data ); - // - // Need set this variable to be read-only to prevent other module set it. - // - VariableLockRequestToLock (&mVariableLock, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, &gEfiMemoryOverwriteRequestControlLockGuid); - // // The MOR variable can effectively improve platform security only when the // MorLock variable protects the MOR variable. In turn MorLock cannot be made @@ -99,11 +96,6 @@ MorLockInit ( 0, // DataSize NULL // Data ); - VariableLockRequestToLock ( - &mVariableLock, - MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, - &gEfiMemoryOverwriteControlDataGuid - ); return EFI_SUCCESS; } @@ -118,7 +110,39 @@ MorLockInitAtEndOfDxe ( VOID ) { - // - // Do nothing. - // + EFI_STATUS Status; + EDKII_VARIABLE_POLICY_PROTOCOL *VariablePolicy; + + // First, we obviously need to locate the VariablePolicy protocol. + Status = gBS->LocateProtocol( &gEdkiiVariablePolicyProtocolGuid, NULL, (VOID**)&VariablePolicy ); + if (EFI_ERROR( Status )) { + DEBUG(( DEBUG_ERROR, "%a - Could not locate VariablePolicy protocol! %r\n", __FUNCTION__, Status )); + return; + } + + // If we're successful, go ahead and set the policies to protect the target variables. + Status = RegisterBasicVariablePolicy( VariablePolicy, + &gEfiMemoryOverwriteRequestControlLockGuid, + MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, + VARIABLE_POLICY_NO_MIN_SIZE, + VARIABLE_POLICY_NO_MAX_SIZE, + VARIABLE_POLICY_NO_MUST_ATTR, + VARIABLE_POLICY_NO_CANT_ATTR, + VARIABLE_POLICY_TYPE_LOCK_NOW ); + if (EFI_ERROR( Status )) { + DEBUG(( DEBUG_ERROR, "%a - Could not lock variable %s! %r\n", __FUNCTION__, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, Status )); + } + Status = RegisterBasicVariablePolicy( VariablePolicy, + &gEfiMemoryOverwriteControlDataGuid, + MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, + VARIABLE_POLICY_NO_MIN_SIZE, + VARIABLE_POLICY_NO_MAX_SIZE, + VARIABLE_POLICY_NO_MUST_ATTR, + VARIABLE_POLICY_NO_CANT_ATTR, + VARIABLE_POLICY_TYPE_LOCK_NOW ); + if (EFI_ERROR( Status )) { + DEBUG(( DEBUG_ERROR, "%a - Could not lock variable %s! %r\n", __FUNCTION__, MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, Status )); + } + + return; } diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c index 085f82035f..ee37942a6b 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c @@ -19,7 +19,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include "Variable.h" #include - +#include #include typedef struct { @@ -422,6 +422,8 @@ MorLockInitAtEndOfDxe ( { UINTN MorSize; EFI_STATUS MorStatus; + EFI_STATUS Status; + VARIABLE_POLICY_ENTRY *NewPolicy; if (!mMorLockInitializationRequired) { // @@ -494,11 +496,25 @@ MorLockInitAtEndOfDxe ( // The MOR variable is absent; the platform firmware does not support it. // Lock the variable so that no other module may create it. // - VariableLockRequestToLock ( - NULL, // This - MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, - &gEfiMemoryOverwriteControlDataGuid - ); + NewPolicy = NULL; + Status = CreateBasicVariablePolicy( &gEfiMemoryOverwriteControlDataGuid, + MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, + VARIABLE_POLICY_NO_MIN_SIZE, + VARIABLE_POLICY_NO_MAX_SIZE, + VARIABLE_POLICY_NO_MUST_ATTR, + VARIABLE_POLICY_NO_CANT_ATTR, + VARIABLE_POLICY_TYPE_LOCK_NOW, + &NewPolicy ); + if (!EFI_ERROR( Status )) { + Status = RegisterVariablePolicy( NewPolicy ); + } + if (EFI_ERROR( Status )) { + DEBUG(( DEBUG_ERROR, "%a - Failed to lock variable %s! %r\n", __FUNCTION__, MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, Status )); + ASSERT_EFI_ERROR( Status ); + } + if (NewPolicy != NULL) { + FreePool( NewPolicy ); + } // // Delete the MOR Control Lock variable too (should it exists for some @@ -514,9 +530,23 @@ MorLockInitAtEndOfDxe ( ); mMorLockPassThru = FALSE; - VariableLockRequestToLock ( - NULL, // This - MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, - &gEfiMemoryOverwriteRequestControlLockGuid - ); + NewPolicy = NULL; + Status = CreateBasicVariablePolicy( &gEfiMemoryOverwriteRequestControlLockGuid, + MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, + VARIABLE_POLICY_NO_MIN_SIZE, + VARIABLE_POLICY_NO_MAX_SIZE, + VARIABLE_POLICY_NO_MUST_ATTR, + VARIABLE_POLICY_NO_CANT_ATTR, + VARIABLE_POLICY_TYPE_LOCK_NOW, + &NewPolicy ); + if (!EFI_ERROR( Status )) { + Status = RegisterVariablePolicy( NewPolicy ); + } + if (EFI_ERROR( Status )) { + DEBUG(( DEBUG_ERROR, "%a - Failed to lock variable %s! %r\n", __FUNCTION__, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, Status )); + ASSERT_EFI_ERROR( Status ); + } + if (NewPolicy != NULL) { + FreePool( NewPolicy ); + } } diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf index 48ac167906..8debc560e6 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf @@ -71,6 +71,7 @@ AuthVariableLib VarCheckLib VariablePolicyLib + VariablePolicyHelperLib [Protocols] gEfiFirmwareVolumeBlockProtocolGuid ## CONSUMES @@ -80,6 +81,7 @@ gEfiVariableWriteArchProtocolGuid ## PRODUCES gEfiVariableArchProtocolGuid ## PRODUCES gEdkiiVariableLockProtocolGuid ## PRODUCES + gEdkiiVariablePolicyProtocolGuid ## CONSUMES gEdkiiVarCheckProtocolGuid ## PRODUCES [Guids] diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf index d8f480be27..62f2f9252f 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf @@ -76,6 +76,7 @@ SynchronizationLib VarCheckLib VariablePolicyLib + VariablePolicyHelperLib [Protocols] gEfiSmmFirmwareVolumeBlockProtocolGuid ## CONSUMES -- 2.39.2