[PATCH v7 12/14] MdeModulePkg: Change TCG MOR variables to use VariablePolicy


Bret Barkelew
 

https://bugzilla.tianocore.org/show_bug.cgi?id=3D2522

These were previously using VarLock, which is
being deprecated.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Bret Barkelew <brbarkel@microsoft.com>
Signed-off-by: Bret Barkelew <brbarkel@microsoft.com>
---
MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c | 52 +=
+++++++++++++------
MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c | 52 +=
++++++++++++++-----
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf | 2 +
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf | 1 +
4 files changed, 82 insertions(+), 25 deletions(-)

diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c b/M=
deModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c
index e7accf4ed806..b85f08c48c11 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c
@@ -5,6 +5,7 @@
MOR lock control unsupported.=0D
=0D
Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>=0D
+Copyright (c) Microsoft Corporation.=0D
SPDX-License-Identifier: BSD-2-Clause-Patent=0D
=0D
**/=0D
@@ -17,7 +18,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Library/BaseMemoryLib.h>=0D
#include "Variable.h"=0D
=0D
-extern EDKII_VARIABLE_LOCK_PROTOCOL mVariableLock;=0D
+#include <Protocol/VariablePolicy.h>=0D
+#include <Library/VariablePolicyHelperLib.h>=0D
=0D
/**=0D
This service is an MOR/MorLock checker handler for the SetVariable().=0D
@@ -77,11 +79,6 @@ MorLockInit (
NULL // Data=0D
);=0D
=0D
- //=0D
- // Need set this variable to be read-only to prevent other module set it=
.=0D
- //=0D
- VariableLockRequestToLock (&mVariableLock, MEMORY_OVERWRITE_REQUEST_CONT=
ROL_LOCK_NAME, &gEfiMemoryOverwriteRequestControlLockGuid);=0D
-=0D
//=0D
// The MOR variable can effectively improve platform security only when =
the=0D
// MorLock variable protects the MOR variable. In turn MorLock cannot be=
made=0D
@@ -99,11 +96,6 @@ MorLockInit (
0, // DataSize=0D
NULL // Data=0D
);=0D
- VariableLockRequestToLock (=0D
- &mVariableLock,=0D
- MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,=0D
- &gEfiMemoryOverwriteControlDataGuid=0D
- );=0D
=0D
return EFI_SUCCESS;=0D
}=0D
@@ -118,7 +110,39 @@ MorLockInitAtEndOfDxe (
VOID=0D
)=0D
{=0D
- //=0D
- // Do nothing.=0D
- //=0D
+ EFI_STATUS Status;=0D
+ EDKII_VARIABLE_POLICY_PROTOCOL *VariablePolicy;=0D
+=0D
+ // First, we obviously need to locate the VariablePolicy protocol.=0D
+ Status =3D gBS->LocateProtocol( &gEdkiiVariablePolicyProtocolGuid, NULL,=
(VOID**)&VariablePolicy );=0D
+ if (EFI_ERROR( Status )) {=0D
+ DEBUG(( DEBUG_ERROR, "%a - Could not locate VariablePolicy protocol! %=
r\n", __FUNCTION__, Status ));=0D
+ return;=0D
+ }=0D
+=0D
+ // If we're successful, go ahead and set the policies to protect the tar=
get variables.=0D
+ Status =3D RegisterBasicVariablePolicy( VariablePolicy,=0D
+ &gEfiMemoryOverwriteRequestControl=
LockGuid,=0D
+ MEMORY_OVERWRITE_REQUEST_CONTROL_L=
OCK_NAME,=0D
+ VARIABLE_POLICY_NO_MIN_SIZE,=0D
+ VARIABLE_POLICY_NO_MAX_SIZE,=0D
+ VARIABLE_POLICY_NO_MUST_ATTR,=0D
+ VARIABLE_POLICY_NO_CANT_ATTR,=0D
+ VARIABLE_POLICY_TYPE_LOCK_NOW );=0D
+ if (EFI_ERROR( Status )) {=0D
+ DEBUG(( DEBUG_ERROR, "%a - Could not lock variable %s! %r\n", __FUNCTI=
ON__, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, Status ));=0D
+ }=0D
+ Status =3D RegisterBasicVariablePolicy( VariablePolicy,=0D
+ &gEfiMemoryOverwriteControlDataGui=
d,=0D
+ MEMORY_OVERWRITE_REQUEST_VARIABLE_=
NAME,=0D
+ VARIABLE_POLICY_NO_MIN_SIZE,=0D
+ VARIABLE_POLICY_NO_MAX_SIZE,=0D
+ VARIABLE_POLICY_NO_MUST_ATTR,=0D
+ VARIABLE_POLICY_NO_CANT_ATTR,=0D
+ VARIABLE_POLICY_TYPE_LOCK_NOW );=0D
+ if (EFI_ERROR( Status )) {=0D
+ DEBUG(( DEBUG_ERROR, "%a - Could not lock variable %s! %r\n", __FUNCTI=
ON__, MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, Status ));=0D
+ }=0D
+=0D
+ return;=0D
}=0D
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c b/M=
deModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c
index 085f82035f4b..ee37942a6b0c 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c
@@ -19,7 +19,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include "Variable.h"=0D
=0D
#include <Protocol/VariablePolicy.h>=0D
-=0D
+#include <Library/VariablePolicyHelperLib.h>=0D
#include <Library/VariablePolicyLib.h>=0D
=0D
typedef struct {=0D
@@ -422,6 +422,8 @@ MorLockInitAtEndOfDxe (
{=0D
UINTN MorSize;=0D
EFI_STATUS MorStatus;=0D
+ EFI_STATUS Status;=0D
+ VARIABLE_POLICY_ENTRY *NewPolicy;=0D
=0D
if (!mMorLockInitializationRequired) {=0D
//=0D
@@ -494,11 +496,25 @@ MorLockInitAtEndOfDxe (
// The MOR variable is absent; the platform firmware does not support it=
.=0D
// Lock the variable so that no other module may create it.=0D
//=0D
- VariableLockRequestToLock (=0D
- NULL, // This=0D
- MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,=0D
- &gEfiMemoryOverwriteControlDataGuid=0D
- );=0D
+ NewPolicy =3D NULL;=0D
+ Status =3D CreateBasicVariablePolicy( &gEfiMemoryOverwriteControlDataGui=
d,=0D
+ MEMORY_OVERWRITE_REQUEST_VARIABLE_NA=
ME,=0D
+ VARIABLE_POLICY_NO_MIN_SIZE,=0D
+ VARIABLE_POLICY_NO_MAX_SIZE,=0D
+ VARIABLE_POLICY_NO_MUST_ATTR,=0D
+ VARIABLE_POLICY_NO_CANT_ATTR,=0D
+ VARIABLE_POLICY_TYPE_LOCK_NOW,=0D
+ &NewPolicy );=0D
+ if (!EFI_ERROR( Status )) {=0D
+ Status =3D RegisterVariablePolicy( NewPolicy );=0D
+ }=0D
+ if (EFI_ERROR( Status )) {=0D
+ DEBUG(( DEBUG_ERROR, "%a - Failed to lock variable %s! %r\n", __FUNCTI=
ON__, MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, Status ));=0D
+ ASSERT_EFI_ERROR( Status );=0D
+ }=0D
+ if (NewPolicy !=3D NULL) {=0D
+ FreePool( NewPolicy );=0D
+ }=0D
=0D
//=0D
// Delete the MOR Control Lock variable too (should it exists for some=0D
@@ -514,9 +530,23 @@ MorLockInitAtEndOfDxe (
);=0D
mMorLockPassThru =3D FALSE;=0D
=0D
- VariableLockRequestToLock (=0D
- NULL, // This=0D
- MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME,=0D
- &gEfiMemoryOverwriteRequestControlLockGuid=0D
- );=0D
+ NewPolicy =3D NULL;=0D
+ Status =3D CreateBasicVariablePolicy( &gEfiMemoryOverwriteRequestControl=
LockGuid,=0D
+ MEMORY_OVERWRITE_REQUEST_CONTROL_LOC=
K_NAME,=0D
+ VARIABLE_POLICY_NO_MIN_SIZE,=0D
+ VARIABLE_POLICY_NO_MAX_SIZE,=0D
+ VARIABLE_POLICY_NO_MUST_ATTR,=0D
+ VARIABLE_POLICY_NO_CANT_ATTR,=0D
+ VARIABLE_POLICY_TYPE_LOCK_NOW,=0D
+ &NewPolicy );=0D
+ if (!EFI_ERROR( Status )) {=0D
+ Status =3D RegisterVariablePolicy( NewPolicy );=0D
+ }=0D
+ if (EFI_ERROR( Status )) {=0D
+ DEBUG(( DEBUG_ERROR, "%a - Failed to lock variable %s! %r\n", __FUNCTI=
ON__, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, Status ));=0D
+ ASSERT_EFI_ERROR( Status );=0D
+ }=0D
+ if (NewPolicy !=3D NULL) {=0D
+ FreePool( NewPolicy );=0D
+ }=0D
}=0D
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.=
inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
index 48ac167906f7..8debc560e6dc 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
@@ -71,6 +71,7 @@ [LibraryClasses]
AuthVariableLib=0D
VarCheckLib=0D
VariablePolicyLib=0D
+ VariablePolicyHelperLib=0D
=0D
[Protocols]=0D
gEfiFirmwareVolumeBlockProtocolGuid ## CONSUMES=0D
@@ -80,6 +81,7 @@ [Protocols]
gEfiVariableWriteArchProtocolGuid ## PRODUCES=0D
gEfiVariableArchProtocolGuid ## PRODUCES=0D
gEdkiiVariableLockProtocolGuid ## PRODUCES=0D
+ gEdkiiVariablePolicyProtocolGuid ## CONSUMES=0D
gEdkiiVarCheckProtocolGuid ## PRODUCES=0D
=0D
[Guids]=0D
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneM=
m.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
index d8f480be27cc..62f2f9252f43 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
@@ -76,6 +76,7 @@ [LibraryClasses]
SynchronizationLib=0D
VarCheckLib=0D
VariablePolicyLib=0D
+ VariablePolicyHelperLib=0D
=0D
[Protocols]=0D
gEfiSmmFirmwareVolumeBlockProtocolGuid ## CONSUMES=0D
--=20
2.28.0.windows.1

Join devel@edk2.groups.io to automatically receive all group messages.