[PATCH v7 11/14] SecurityPkg: Allow VariablePolicy state to delete authenticated variables


Bret Barkelew
 

https://bugzilla.tianocore.org/show_bug.cgi?id=2522

Causes AuthService to check
IsVariablePolicyEnabled() before enforcing
write protections to allow variable deletion
when policy engine is disabled.

Only allows deletion, not modification.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Bret Barkelew <brbarkel@microsoft.com>
Signed-off-by: Bret Barkelew <brbarkel@microsoft.com>
---
SecurityPkg/Library/AuthVariableLib/AuthService.c | 22 +++++++++++++=
+++----
SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf | 2 ++
2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPk=
g/Library/AuthVariableLib/AuthService.c
index 2f60331f2c04..aca9a5620c28 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@@ -19,12 +19,16 @@
to verify the signature.=0D
=0D
Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>=0D
+Copyright (c) Microsoft Corporation.=0D
SPDX-License-Identifier: BSD-2-Clause-Patent=0D
=0D
**/=0D
=0D
#include "AuthServiceInternal.h"=0D
=0D
+#include <Protocol/VariablePolicy.h>=0D
+#include <Library/VariablePolicyLib.h>=0D
+=0D
//=0D
// Public Exponent of RSA Key.=0D
//=0D
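Review bot: The added `#include <Protocol/VariablePolicy.h>` appears unused by this patch: the only new symbol the diff introduces is IsVariablePolicyEnabled(), which is declared in Library/VariablePolicyLib.h. If nothing else in AuthService.c needs the protocol definitions, drop the protocol include so the library's build dependency stays limited to the VariablePolicyLib library class added in AuthVariableLib.inf; if it is needed, a short comment saying why would help the next reader.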
@@ -217,9 +221,12 @@ NeedPhysicallyPresent(
IN EFI_GUID *VendorGuid=0D
)=0D
{=0D
- if ((CompareGuid (VendorGuid, &gEfiSecureBootEnableDisableGuid) && (StrC=
mp (VariableName, EFI_SECURE_BOOT_ENABLE_NAME) =3D=3D 0))=0D
- || (CompareGuid (VendorGuid, &gEfiCustomModeEnableGuid) && (StrCmp (Va=
riableName, EFI_CUSTOM_MODE_NAME) =3D=3D 0))) {=0D
- return TRUE;=0D
+ // If the VariablePolicy engine is disabled, allow deletion of any authe=
nticated variables.=0D
+ if (IsVariablePolicyEnabled()) {=0D
+ if ((CompareGuid (VendorGuid, &gEfiSecureBootEnableDisableGuid) && (St=
rCmp (VariableName, EFI_SECURE_BOOT_ENABLE_NAME) =3D=3D 0))=0D
+ || (CompareGuid (VendorGuid, &gEfiCustomModeEnableGuid) && (StrCmp (=
VariableName, EFI_CUSTOM_MODE_NAME) =3D=3D 0))) {=0D
+ return TRUE;=0D
+ }=0D
}=0D
=0D
return FALSE;=0D
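Review bot: The new guard in NeedPhysicallyPresent is not deletion-specific: when IsVariablePolicyEnabled() is FALSE the function now returns FALSE for the SecureBootEnable and CustomMode variables regardless of the requested operation, so if its callers (outside this hunk) use it to gate every write, a disabled policy engine also removes the physical-presence requirement for modifying those two variables, which contradicts the description's "Only allows deletion, not modification". Either confirm that every caller already restricts this path to deletes, or keep the policy check in the delete path of ProcessVariable only. The added comment `// If the VariablePolicy engine is disabled, allow deletion of any authenticated variables.` is misleading at this location; `// Physical presence is only required for these variables while the VariablePolicy engine is enabled.` describes what the code actually does. Minor style: the new call `IsVariablePolicyEnabled()` omits the space before the parenthesis that the surrounding `CompareGuid (` and `StrCmp (` calls use.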
@@ -842,7 +849,8 @@ ProcessVariable (
&OrgVariableInfo=0D
);=0D
=0D
- if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable (OrgVariableInfo.Attri=
butes, Data, DataSize, Attributes) && UserPhysicalPresent()) {=0D
+ // If the VariablePolicy engine is disabled, allow deletion of any authe=
nticated variables.=0D
+ if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable (OrgVariableInfo.Attri=
butes, Data, DataSize, Attributes) && (UserPhysicalPresent() || !IsVariable=
PolicyEnabled())) {=0D
//=0D
// Allow the delete operation of common authenticated variable(AT or A=
W) at user physical presence.=0D
//=0D
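Review bot: The unchanged comment directly below the modified condition, `// Allow the delete operation of common authenticated variable(AT or AW) at user physical presence.`, is now incomplete because the condition also accepts deletes when !IsVariablePolicyEnabled(). Suggest `// Allow the delete operation of common authenticated variable (AT or AW) at user physical presence, or when the VariablePolicy engine is disabled.` and dropping the duplicate comment added above the `if`. Note that "any authenticated variables" in the added comment overstates this branch, which IsDeleteAuthVariable limits to delete requests. ProcessVariable continues outside the hunk.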
@@ -1960,6 +1968,12 @@ VerifyTimeBasedPayload (
=0D
CopyMem (Buffer, PayloadPtr, PayloadSize);=0D
=0D
+ // If the VariablePolicy engine is disabled, allow deletion of any authe=
nticated variables.=0D
+ if (PayloadSize =3D=3D 0 && (Attributes & EFI_VARIABLE_APPEND_WRITE) =3D=
=3D 0 && !IsVariablePolicyEnabled()) {=0D
+ VerifyStatus =3D TRUE;=0D
+ goto Exit;=0D
+ }=0D
+=0D
if (AuthVarType =3D=3D AuthVarTypePk) {=0D
//=0D
// Verify that the signature has been made with the current Platform K=
ey (no chaining for PK).=0D
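Review bot: The early `VerifyStatus = TRUE; goto Exit;` accepts a zero-length, non-append payload with no signature check at all once the policy engine is disabled, including for AuthVarTypePk, and VerifyTimeBasedPayload's header comment (outside this hunk) should state that delete requests bypass verification when IsVariablePolicyEnabled() returns FALSE, since any caller relying on this function to have checked the signature would otherwise be misled. Any check located below this point in the function, which the hunk does not show, is skipped for such deletes as well; confirm that is intended. The condition `PayloadSize == 0 && (Attributes & EFI_VARIABLE_APPEND_WRITE) == 0` restates the delete notion that IsDeleteAuthVariable() expresses in ProcessVariable; if that helper can be used here it keeps the two definitions from drifting. VerifyTimeBasedPayload begins and ends outside the hunk.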
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf b/Secu=
rityPkg/Library/AuthVariableLib/AuthVariableLib.inf
index 8d4ce14df494..8eadeebcebd7 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
@@ -3,6 +3,7 @@
#=0D
# Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>=
=0D
# Copyright (c) 2018, ARM Limited. All rights reserved.<BR>=0D
+# Copyright (c) Microsoft Corporation.=0D
#=0D
# SPDX-License-Identifier: BSD-2-Clause-Patent=0D
#=0D
@@ -41,6 +42,7 @@ [LibraryClasses]
MemoryAllocationLib=0D
BaseCryptLib=0D
PlatformSecureLib=0D
+ VariablePolicyLib=0D
=0D
[Guids]=0D
## CONSUMES ## Variable:L"SetupMode"=0D
--=20
2.28.0.windows.1
