Date   

[PATCH v7 13/14] MdeModulePkg: Drop VarLock from RuntimeDxe variable driver

Bret Barkelew
 

https://bugzilla.tianocore.org/show_bug.cgi?id=3D2522

Now that everything should be moved to
VariablePolicy, drop support for the
deprecated VarLock SMI interface and
associated functions from variable RuntimeDxe.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Bret Barkelew <brbarkel@microsoft.com>
Signed-off-by: Bret Barkelew <brbarkel@microsoft.com>
---
MdeModulePkg/Universal/Variable/RuntimeDxe/VarCheck.c | 49=
+-------------
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableLockRequstToLock.c | 71=
++++++++++++++++++++
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf | 1=
+
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf | 1=
+
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf | 1=
+
5 files changed, 75 insertions(+), 48 deletions(-)

diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VarCheck.c b/MdeMod=
ulePkg/Universal/Variable/RuntimeDxe/VarCheck.c
index f15219df5eb8..486d85b022e1 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VarCheck.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VarCheck.c
@@ -3,60 +3,13 @@
and variable lock protocol based on VarCheckLib.=0D
=0D
Copyright (c) 2015, Intel Corporation. All rights reserved.<BR>=0D
+Copyright (c) Microsoft Corporation.=0D
SPDX-License-Identifier: BSD-2-Clause-Patent=0D
=0D
**/=0D
=0D
#include "Variable.h"=0D
=0D
-/**=0D
- Mark a variable that will become read-only after leaving the DXE phase o=
f execution.=0D
- Write request coming from SMM environment through EFI_SMM_VARIABLE_PROTO=
COL is allowed.=0D
-=0D
- @param[in] This The VARIABLE_LOCK_PROTOCOL instance.=0D
- @param[in] VariableName A pointer to the variable name that will be mad=
e read-only subsequently.=0D
- @param[in] VendorGuid A pointer to the vendor GUID that will be made =
read-only subsequently.=0D
-=0D
- @retval EFI_SUCCESS The variable specified by the VariableName=
and the VendorGuid was marked=0D
- as pending to be read-only.=0D
- @retval EFI_INVALID_PARAMETER VariableName or VendorGuid is NULL.=0D
- Or VariableName is an empty string.=0D
- @retval EFI_ACCESS_DENIED EFI_END_OF_DXE_EVENT_GROUP_GUID or EFI_EVE=
NT_GROUP_READY_TO_BOOT has=0D
- already been signaled.=0D
- @retval EFI_OUT_OF_RESOURCES There is not enough resource to hold the l=
ock request.=0D
-**/=0D
-EFI_STATUS=0D
-EFIAPI=0D
-VariableLockRequestToLock (=0D
- IN CONST EDKII_VARIABLE_LOCK_PROTOCOL *This,=0D
- IN CHAR16 *VariableName,=0D
- IN EFI_GUID *VendorGuid=0D
- )=0D
-{=0D
- EFI_STATUS Status;=0D
- VAR_CHECK_VARIABLE_PROPERTY Property;=0D
-=0D
- AcquireLockOnlyAtBootTime (&mVariableModuleGlobal->VariableGlobal.Variab=
leServicesLock);=0D
-=0D
- Status =3D VarCheckLibVariablePropertyGet (VariableName, VendorGuid, &Pr=
operty);=0D
- if (!EFI_ERROR (Status)) {=0D
- Property.Property |=3D VAR_CHECK_VARIABLE_PROPERTY_READ_ONLY;=0D
- } else {=0D
- Property.Revision =3D VAR_CHECK_VARIABLE_PROPERTY_REVISION;=0D
- Property.Property =3D VAR_CHECK_VARIABLE_PROPERTY_READ_ONLY;=0D
- Property.Attributes =3D 0;=0D
- Property.MinSize =3D 1;=0D
- Property.MaxSize =3D MAX_UINTN;=0D
- }=0D
- Status =3D VarCheckLibVariablePropertySet (VariableName, VendorGuid, &Pr=
operty);=0D
-=0D
- DEBUG ((EFI_D_INFO, "[Variable] Lock: %g:%s %r\n", VendorGuid, VariableN=
ame, Status));=0D
-=0D
- ReleaseLockOnlyAtBootTime (&mVariableModuleGlobal->VariableGlobal.Variab=
leServicesLock);=0D
-=0D
- return Status;=0D
-}=0D
-=0D
/**=0D
Register SetVariable check handler.=0D
=0D
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableLockRequstT=
oLock.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableLockRequstToLo=
ck.c
new file mode 100644
index 000000000000..1f7f0b7ef06c
--- /dev/null
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableLockRequstToLock.c
@@ -0,0 +1,71 @@
+/** @file -- VariableLockRequstToLock.c=0D
+Temporary location of the RequestToLock shim code while=0D
+projects are moved to VariablePolicy. Should be removed when deprecated.=0D
+=0D
+Copyright (c) Microsoft Corporation.=0D
+SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+=0D
+**/=0D
+=0D
+#include <Uefi.h>=0D
+=0D
+#include <Library/DebugLib.h>=0D
+#include <Library/MemoryAllocationLib.h>=0D
+=0D
+#include <Protocol/VariableLock.h>=0D
+=0D
+#include <Protocol/VariablePolicy.h>=0D
+#include <Library/VariablePolicyLib.h>=0D
+#include <Library/VariablePolicyHelperLib.h>=0D
+=0D
+=0D
+/**=0D
+ DEPRECATED. THIS IS ONLY HERE AS A CONVENIENCE WHILE PORTING.=0D
+ Mark a variable that will become read-only after leaving the DXE phase o=
f execution.=0D
+ Write request coming from SMM environment through EFI_SMM_VARIABLE_PROTO=
COL is allowed.=0D
+=0D
+ @param[in] This The VARIABLE_LOCK_PROTOCOL instance.=0D
+ @param[in] VariableName A pointer to the variable name that will be mad=
e read-only subsequently.=0D
+ @param[in] VendorGuid A pointer to the vendor GUID that will be made =
read-only subsequently.=0D
+=0D
+ @retval EFI_SUCCESS The variable specified by the VariableName=
and the VendorGuid was marked=0D
+ as pending to be read-only.=0D
+ @retval EFI_INVALID_PARAMETER VariableName or VendorGuid is NULL.=0D
+ Or VariableName is an empty string.=0D
+ @retval EFI_ACCESS_DENIED EFI_END_OF_DXE_EVENT_GROUP_GUID or EFI_EVE=
NT_GROUP_READY_TO_BOOT has=0D
+ already been signaled.=0D
+ @retval EFI_OUT_OF_RESOURCES There is not enough resource to hold the l=
ock request.=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+VariableLockRequestToLock (=0D
+ IN CONST EDKII_VARIABLE_LOCK_PROTOCOL *This,=0D
+ IN CHAR16 *VariableName,=0D
+ IN EFI_GUID *VendorGuid=0D
+ )=0D
+{=0D
+ EFI_STATUS Status;=0D
+ VARIABLE_POLICY_ENTRY *NewPolicy;=0D
+=0D
+ NewPolicy =3D NULL;=0D
+ Status =3D CreateBasicVariablePolicy( VendorGuid,=0D
+ VariableName,=0D
+ VARIABLE_POLICY_NO_MIN_SIZE,=0D
+ VARIABLE_POLICY_NO_MAX_SIZE,=0D
+ VARIABLE_POLICY_NO_MUST_ATTR,=0D
+ VARIABLE_POLICY_NO_CANT_ATTR,=0D
+ VARIABLE_POLICY_TYPE_LOCK_NOW,=0D
+ &NewPolicy );=0D
+ if (!EFI_ERROR( Status )) {=0D
+ Status =3D RegisterVariablePolicy( NewPolicy );=0D
+ }=0D
+ if (EFI_ERROR( Status )) {=0D
+ DEBUG(( DEBUG_ERROR, "%a - Failed to lock variable %s! %r\n", __FUNCTI=
ON__, VariableName, Status ));=0D
+ ASSERT_EFI_ERROR( Status );=0D
+ }=0D
+ if (NewPolicy !=3D NULL) {=0D
+ FreePool( NewPolicy );=0D
+ }=0D
+=0D
+ return Status;=0D
+}=0D
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.=
inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
index 8debc560e6dc..3005e9617423 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
@@ -49,6 +49,7 @@ [Sources]
VarCheck.c=0D
VariableExLib.c=0D
SpeculationBarrierDxe.c=0D
+ VariableLockRequstToLock.c=0D
=0D
[Packages]=0D
MdePkg/MdePkg.dec=0D
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf b/M=
deModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf
index bbc8d2080193..26fbad97339f 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf
@@ -58,6 +58,7 @@ [Sources]
VariableExLib.c=0D
TcgMorLockSmm.c=0D
SpeculationBarrierSmm.c=0D
+ VariableLockRequstToLock.c=0D
=0D
[Packages]=0D
MdePkg/MdePkg.dec=0D
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneM=
m.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
index 62f2f9252f43..7c6fdf4d65fd 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
@@ -58,6 +58,7 @@ [Sources]
VariableExLib.c=0D
TcgMorLockSmm.c=0D
SpeculationBarrierSmm.c=0D
+ VariableLockRequstToLock.c=0D
=0D
[Packages]=0D
MdePkg/MdePkg.dec=0D
--=20
2.28.0.windows.1


[PATCH v7 12/14] MdeModulePkg: Change TCG MOR variables to use VariablePolicy

Bret Barkelew
 

https://bugzilla.tianocore.org/show_bug.cgi?id=3D2522

These were previously using VarLock, which is
being deprecated.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Bret Barkelew <brbarkel@microsoft.com>
Signed-off-by: Bret Barkelew <brbarkel@microsoft.com>
---
MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c | 52 +=
+++++++++++++------
MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c | 52 +=
++++++++++++++-----
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf | 2 +
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf | 1 +
4 files changed, 82 insertions(+), 25 deletions(-)

diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c b/M=
deModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c
index e7accf4ed806..b85f08c48c11 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c
@@ -5,6 +5,7 @@
MOR lock control unsupported.=0D
=0D
Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>=0D
+Copyright (c) Microsoft Corporation.=0D
SPDX-License-Identifier: BSD-2-Clause-Patent=0D
=0D
**/=0D
@@ -17,7 +18,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Library/BaseMemoryLib.h>=0D
#include "Variable.h"=0D
=0D
-extern EDKII_VARIABLE_LOCK_PROTOCOL mVariableLock;=0D
+#include <Protocol/VariablePolicy.h>=0D
+#include <Library/VariablePolicyHelperLib.h>=0D
=0D
/**=0D
This service is an MOR/MorLock checker handler for the SetVariable().=0D
@@ -77,11 +79,6 @@ MorLockInit (
NULL // Data=0D
);=0D
=0D
- //=0D
- // Need set this variable to be read-only to prevent other module set it=
.=0D
- //=0D
- VariableLockRequestToLock (&mVariableLock, MEMORY_OVERWRITE_REQUEST_CONT=
ROL_LOCK_NAME, &gEfiMemoryOverwriteRequestControlLockGuid);=0D
-=0D
//=0D
// The MOR variable can effectively improve platform security only when =
the=0D
// MorLock variable protects the MOR variable. In turn MorLock cannot be=
made=0D
@@ -99,11 +96,6 @@ MorLockInit (
0, // DataSize=0D
NULL // Data=0D
);=0D
- VariableLockRequestToLock (=0D
- &mVariableLock,=0D
- MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,=0D
- &gEfiMemoryOverwriteControlDataGuid=0D
- );=0D
=0D
return EFI_SUCCESS;=0D
}=0D
@@ -118,7 +110,39 @@ MorLockInitAtEndOfDxe (
VOID=0D
)=0D
{=0D
- //=0D
- // Do nothing.=0D
- //=0D
+ EFI_STATUS Status;=0D
+ EDKII_VARIABLE_POLICY_PROTOCOL *VariablePolicy;=0D
+=0D
+ // First, we obviously need to locate the VariablePolicy protocol.=0D
+ Status =3D gBS->LocateProtocol( &gEdkiiVariablePolicyProtocolGuid, NULL,=
(VOID**)&VariablePolicy );=0D
+ if (EFI_ERROR( Status )) {=0D
+ DEBUG(( DEBUG_ERROR, "%a - Could not locate VariablePolicy protocol! %=
r\n", __FUNCTION__, Status ));=0D
+ return;=0D
+ }=0D
+=0D
+ // If we're successful, go ahead and set the policies to protect the tar=
get variables.=0D
+ Status =3D RegisterBasicVariablePolicy( VariablePolicy,=0D
+ &gEfiMemoryOverwriteRequestControl=
LockGuid,=0D
+ MEMORY_OVERWRITE_REQUEST_CONTROL_L=
OCK_NAME,=0D
+ VARIABLE_POLICY_NO_MIN_SIZE,=0D
+ VARIABLE_POLICY_NO_MAX_SIZE,=0D
+ VARIABLE_POLICY_NO_MUST_ATTR,=0D
+ VARIABLE_POLICY_NO_CANT_ATTR,=0D
+ VARIABLE_POLICY_TYPE_LOCK_NOW );=0D
+ if (EFI_ERROR( Status )) {=0D
+ DEBUG(( DEBUG_ERROR, "%a - Could not lock variable %s! %r\n", __FUNCTI=
ON__, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, Status ));=0D
+ }=0D
+ Status =3D RegisterBasicVariablePolicy( VariablePolicy,=0D
+ &gEfiMemoryOverwriteControlDataGui=
d,=0D
+ MEMORY_OVERWRITE_REQUEST_VARIABLE_=
NAME,=0D
+ VARIABLE_POLICY_NO_MIN_SIZE,=0D
+ VARIABLE_POLICY_NO_MAX_SIZE,=0D
+ VARIABLE_POLICY_NO_MUST_ATTR,=0D
+ VARIABLE_POLICY_NO_CANT_ATTR,=0D
+ VARIABLE_POLICY_TYPE_LOCK_NOW );=0D
+ if (EFI_ERROR( Status )) {=0D
+ DEBUG(( DEBUG_ERROR, "%a - Could not lock variable %s! %r\n", __FUNCTI=
ON__, MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, Status ));=0D
+ }=0D
+=0D
+ return;=0D
}=0D
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c b/M=
deModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c
index 085f82035f4b..ee37942a6b0c 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c
@@ -19,7 +19,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include "Variable.h"=0D
=0D
#include <Protocol/VariablePolicy.h>=0D
-=0D
+#include <Library/VariablePolicyHelperLib.h>=0D
#include <Library/VariablePolicyLib.h>=0D
=0D
typedef struct {=0D
@@ -422,6 +422,8 @@ MorLockInitAtEndOfDxe (
{=0D
UINTN MorSize;=0D
EFI_STATUS MorStatus;=0D
+ EFI_STATUS Status;=0D
+ VARIABLE_POLICY_ENTRY *NewPolicy;=0D
=0D
if (!mMorLockInitializationRequired) {=0D
//=0D
@@ -494,11 +496,25 @@ MorLockInitAtEndOfDxe (
// The MOR variable is absent; the platform firmware does not support it=
.=0D
// Lock the variable so that no other module may create it.=0D
//=0D
- VariableLockRequestToLock (=0D
- NULL, // This=0D
- MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,=0D
- &gEfiMemoryOverwriteControlDataGuid=0D
- );=0D
+ NewPolicy =3D NULL;=0D
+ Status =3D CreateBasicVariablePolicy( &gEfiMemoryOverwriteControlDataGui=
d,=0D
+ MEMORY_OVERWRITE_REQUEST_VARIABLE_NA=
ME,=0D
+ VARIABLE_POLICY_NO_MIN_SIZE,=0D
+ VARIABLE_POLICY_NO_MAX_SIZE,=0D
+ VARIABLE_POLICY_NO_MUST_ATTR,=0D
+ VARIABLE_POLICY_NO_CANT_ATTR,=0D
+ VARIABLE_POLICY_TYPE_LOCK_NOW,=0D
+ &NewPolicy );=0D
+ if (!EFI_ERROR( Status )) {=0D
+ Status =3D RegisterVariablePolicy( NewPolicy );=0D
+ }=0D
+ if (EFI_ERROR( Status )) {=0D
+ DEBUG(( DEBUG_ERROR, "%a - Failed to lock variable %s! %r\n", __FUNCTI=
ON__, MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, Status ));=0D
+ ASSERT_EFI_ERROR( Status );=0D
+ }=0D
+ if (NewPolicy !=3D NULL) {=0D
+ FreePool( NewPolicy );=0D
+ }=0D
=0D
//=0D
// Delete the MOR Control Lock variable too (should it exists for some=0D
@@ -514,9 +530,23 @@ MorLockInitAtEndOfDxe (
);=0D
mMorLockPassThru =3D FALSE;=0D
=0D
- VariableLockRequestToLock (=0D
- NULL, // This=0D
- MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME,=0D
- &gEfiMemoryOverwriteRequestControlLockGuid=0D
- );=0D
+ NewPolicy =3D NULL;=0D
+ Status =3D CreateBasicVariablePolicy( &gEfiMemoryOverwriteRequestControl=
LockGuid,=0D
+ MEMORY_OVERWRITE_REQUEST_CONTROL_LOC=
K_NAME,=0D
+ VARIABLE_POLICY_NO_MIN_SIZE,=0D
+ VARIABLE_POLICY_NO_MAX_SIZE,=0D
+ VARIABLE_POLICY_NO_MUST_ATTR,=0D
+ VARIABLE_POLICY_NO_CANT_ATTR,=0D
+ VARIABLE_POLICY_TYPE_LOCK_NOW,=0D
+ &NewPolicy );=0D
+ if (!EFI_ERROR( Status )) {=0D
+ Status =3D RegisterVariablePolicy( NewPolicy );=0D
+ }=0D
+ if (EFI_ERROR( Status )) {=0D
+ DEBUG(( DEBUG_ERROR, "%a - Failed to lock variable %s! %r\n", __FUNCTI=
ON__, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, Status ));=0D
+ ASSERT_EFI_ERROR( Status );=0D
+ }=0D
+ if (NewPolicy !=3D NULL) {=0D
+ FreePool( NewPolicy );=0D
+ }=0D
}=0D
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.=
inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
index 48ac167906f7..8debc560e6dc 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
@@ -71,6 +71,7 @@ [LibraryClasses]
AuthVariableLib=0D
VarCheckLib=0D
VariablePolicyLib=0D
+ VariablePolicyHelperLib=0D
=0D
[Protocols]=0D
gEfiFirmwareVolumeBlockProtocolGuid ## CONSUMES=0D
@@ -80,6 +81,7 @@ [Protocols]
gEfiVariableWriteArchProtocolGuid ## PRODUCES=0D
gEfiVariableArchProtocolGuid ## PRODUCES=0D
gEdkiiVariableLockProtocolGuid ## PRODUCES=0D
+ gEdkiiVariablePolicyProtocolGuid ## CONSUMES=0D
gEdkiiVarCheckProtocolGuid ## PRODUCES=0D
=0D
[Guids]=0D
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneM=
m.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
index d8f480be27cc..62f2f9252f43 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
@@ -76,6 +76,7 @@ [LibraryClasses]
SynchronizationLib=0D
VarCheckLib=0D
VariablePolicyLib=0D
+ VariablePolicyHelperLib=0D
=0D
[Protocols]=0D
gEfiSmmFirmwareVolumeBlockProtocolGuid ## CONSUMES=0D
--=20
2.28.0.windows.1


[PATCH v7 11/14] SecurityPkg: Allow VariablePolicy state to delete authenticated variables

Bret Barkelew
 

https://bugzilla.tianocore.org/show_bug.cgi?id=3D2522

Causes AuthService to check
IsVariablePolicyEnabled() before enforcing
write protections to allow variable deletion
when policy engine is disabled.

Only allows deletion, not modification.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Bret Barkelew <brbarkel@microsoft.com>
Signed-off-by: Bret Barkelew <brbarkel@microsoft.com>
---
SecurityPkg/Library/AuthVariableLib/AuthService.c | 22 +++++++++++++=
+++----
SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf | 2 ++
2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPk=
g/Library/AuthVariableLib/AuthService.c
index 2f60331f2c04..aca9a5620c28 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@@ -19,12 +19,16 @@
to verify the signature.=0D
=0D
Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>=0D
+Copyright (c) Microsoft Corporation.=0D
SPDX-License-Identifier: BSD-2-Clause-Patent=0D
=0D
**/=0D
=0D
#include "AuthServiceInternal.h"=0D
=0D
+#include <Protocol/VariablePolicy.h>=0D
+#include <Library/VariablePolicyLib.h>=0D
+=0D
//=0D
// Public Exponent of RSA Key.=0D
//=0D
@@ -217,9 +221,12 @@ NeedPhysicallyPresent(
IN EFI_GUID *VendorGuid=0D
)=0D
{=0D
- if ((CompareGuid (VendorGuid, &gEfiSecureBootEnableDisableGuid) && (StrC=
mp (VariableName, EFI_SECURE_BOOT_ENABLE_NAME) =3D=3D 0))=0D
- || (CompareGuid (VendorGuid, &gEfiCustomModeEnableGuid) && (StrCmp (Va=
riableName, EFI_CUSTOM_MODE_NAME) =3D=3D 0))) {=0D
- return TRUE;=0D
+ // If the VariablePolicy engine is disabled, allow deletion of any authe=
nticated variables.=0D
+ if (IsVariablePolicyEnabled()) {=0D
+ if ((CompareGuid (VendorGuid, &gEfiSecureBootEnableDisableGuid) && (St=
rCmp (VariableName, EFI_SECURE_BOOT_ENABLE_NAME) =3D=3D 0))=0D
+ || (CompareGuid (VendorGuid, &gEfiCustomModeEnableGuid) && (StrCmp (=
VariableName, EFI_CUSTOM_MODE_NAME) =3D=3D 0))) {=0D
+ return TRUE;=0D
+ }=0D
}=0D
=0D
return FALSE;=0D
@@ -842,7 +849,8 @@ ProcessVariable (
&OrgVariableInfo=0D
);=0D
=0D
- if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable (OrgVariableInfo.Attri=
butes, Data, DataSize, Attributes) && UserPhysicalPresent()) {=0D
+ // If the VariablePolicy engine is disabled, allow deletion of any authe=
nticated variables.=0D
+ if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable (OrgVariableInfo.Attri=
butes, Data, DataSize, Attributes) && (UserPhysicalPresent() || !IsVariable=
PolicyEnabled())) {=0D
//=0D
// Allow the delete operation of common authenticated variable(AT or A=
W) at user physical presence.=0D
//=0D
@@ -1960,6 +1968,12 @@ VerifyTimeBasedPayload (
=0D
CopyMem (Buffer, PayloadPtr, PayloadSize);=0D
=0D
+ // If the VariablePolicy engine is disabled, allow deletion of any authe=
nticated variables.=0D
+ if (PayloadSize =3D=3D 0 && (Attributes & EFI_VARIABLE_APPEND_WRITE) =3D=
=3D 0 && !IsVariablePolicyEnabled()) {=0D
+ VerifyStatus =3D TRUE;=0D
+ goto Exit;=0D
+ }=0D
+=0D
if (AuthVarType =3D=3D AuthVarTypePk) {=0D
//=0D
// Verify that the signature has been made with the current Platform K=
ey (no chaining for PK).=0D
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf b/Secu=
rityPkg/Library/AuthVariableLib/AuthVariableLib.inf
index 8d4ce14df494..8eadeebcebd7 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf
@@ -3,6 +3,7 @@
#=0D
# Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>=
=0D
# Copyright (c) 2018, ARM Limited. All rights reserved.<BR>=0D
+# Copyright (c) Microsoft Corporation.=0D
#=0D
# SPDX-License-Identifier: BSD-2-Clause-Patent=0D
#=0D
@@ -41,6 +42,7 @@ [LibraryClasses]
MemoryAllocationLib=0D
BaseCryptLib=0D
PlatformSecureLib=0D
+ VariablePolicyLib=0D
=0D
[Guids]=0D
## CONSUMES ## Variable:L"SetupMode"=0D
--=20
2.28.0.windows.1


[PATCH v7 10/14] MdeModulePkg: Allow VariablePolicy state to delete protected variables

Bret Barkelew
 

https://bugzilla.tianocore.org/show_bug.cgi?id=3D2522

TcgMorLockSmm provides special protections for
the TCG MOR variables. This will check
IsVariablePolicyEnabled() before enforcing
them to allow variable deletion when policy
engine is disabled.

Only allows deletion, not modification.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Bret Barkelew <brbarkel@microsoft.com>
Signed-off-by: Bret Barkelew <brbarkel@microsoft.com>
---
MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c | 10 +=
+++++++++
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf | 2 ++
2 files changed, 12 insertions(+)

diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c b/M=
deModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c
index 6d80eb64341a..085f82035f4b 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c
@@ -5,6 +5,7 @@
This module adds Variable Hook and check MemoryOverwriteRequestControlLo=
ck.=0D
=0D
Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>=0D
+Copyright (c) Microsoft Corporation.=0D
SPDX-License-Identifier: BSD-2-Clause-Patent=0D
=0D
**/=0D
@@ -17,6 +18,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Library/BaseMemoryLib.h>=0D
#include "Variable.h"=0D
=0D
+#include <Protocol/VariablePolicy.h>=0D
+=0D
+#include <Library/VariablePolicyLib.h>=0D
+=0D
typedef struct {=0D
CHAR16 *VariableName;=0D
EFI_GUID *VendorGuid;=0D
@@ -341,6 +346,11 @@ SetVariableCheckHandlerMor (
return EFI_SUCCESS;=0D
}=0D
=0D
+ // Permit deletion when policy is disabled.=0D
+ if (!IsVariablePolicyEnabled() && ((Attributes =3D=3D 0) || (DataSize =
=3D=3D 0))) {=0D
+ return EFI_SUCCESS;=0D
+ }=0D
+=0D
//=0D
// MorLock variable=0D
//=0D
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneM=
m.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
index 6e17f6cdf588..d8f480be27cc 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
@@ -20,6 +20,7 @@
#=0D
# Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.<BR>=0D
# Copyright (c) 2018, Linaro, Ltd. All rights reserved.<BR>=0D
+# Copyright (c) Microsoft Corporation.=0D
# SPDX-License-Identifier: BSD-2-Clause-Patent=0D
#=0D
##=0D
@@ -74,6 +75,7 @@ [LibraryClasses]
StandaloneMmDriverEntryPoint=0D
SynchronizationLib=0D
VarCheckLib=0D
+ VariablePolicyLib=0D
=0D
[Protocols]=0D
gEfiSmmFirmwareVolumeBlockProtocolGuid ## CONSUMES=0D
--=20
2.28.0.windows.1


[PATCH v7 09/14] MdeModulePkg: Connect VariablePolicy business logic to VariableServices

Bret Barkelew
 

https://bugzilla.tianocore.org/show_bug.cgi?id=3D2522

VariablePolicy is an updated interface to
replace VarLock and VarCheckProtocol.

Add connective code to publish the VariablePolicy protocol
and wire it to either the SMM communication interface
or directly into the VariablePolicyLib business logic.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Bret Barkelew <brbarkel@microsoft.com>
Signed-off-by: Bret Barkelew <brbarkel@microsoft.com>
---
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c | 53=
++
MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c | 642=
++++++++++++++++++++
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c | 14=
+
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf | 2=
+
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf | 3=
+
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf | 11=
+
6 files changed, 725 insertions(+)

diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c b/Mde=
ModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
index 7d2b6c8e1fad..d404d4763e54 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
@@ -5,18 +5,34 @@
Copyright (C) 2013, Red Hat, Inc.=0D
Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR>=0D
(C) Copyright 2015 Hewlett Packard Enterprise Development LP<BR>=0D
+Copyright (c) Microsoft Corporation.=0D
SPDX-License-Identifier: BSD-2-Clause-Patent=0D
=0D
**/=0D
=0D
#include "Variable.h"=0D
=0D
+#include <Protocol/VariablePolicy.h>=0D
+#include <Library/VariablePolicyLib.h>=0D
+=0D
+EFI_STATUS=0D
+EFIAPI=0D
+ProtocolIsVariablePolicyEnabled (=0D
+ OUT BOOLEAN *State=0D
+ );=0D
+=0D
EFI_HANDLE mHandle =3D NULL;=0D
EFI_EVENT mVirtualAddressChangeEvent =3D NULL;=0D
VOID *mFtwRegistration =3D NULL;=0D
VOID ***mVarCheckAddressPointer =3D NULL;=0D
UINTN mVarCheckAddressPointerCount =3D 0;=0D
EDKII_VARIABLE_LOCK_PROTOCOL mVariableLock =3D { Varia=
bleLockRequestToLock };=0D
+EDKII_VARIABLE_POLICY_PROTOCOL mVariablePolicyProtocol =3D { EDKII=
_VARIABLE_POLICY_PROTOCOL_REVISION,=0D
+ Disabl=
eVariablePolicy,=0D
+ Protoc=
olIsVariablePolicyEnabled,=0D
+ Regist=
erVariablePolicy,=0D
+ DumpVa=
riablePolicy,=0D
+ LockVa=
riablePolicy };=0D
EDKII_VAR_CHECK_PROTOCOL mVarCheck =3D { VarCh=
eckRegisterSetVariableCheckHandler,=0D
VarChe=
ckVariablePropertySet,=0D
VarChe=
ckVariablePropertyGet };=0D
@@ -303,6 +319,8 @@ OnReadyToBoot (
}=0D
}=0D
=0D
+ ASSERT_EFI_ERROR (LockVariablePolicy ());=0D
+=0D
gBS->CloseEvent (Event);=0D
}=0D
=0D
@@ -466,6 +484,28 @@ FtwNotificationEvent (
}=0D
=0D
=0D
+/**=0D
+ This API function returns whether or not the policy engine is=0D
+ currently being enforced.=0D
+=0D
+ @param[out] State Pointer to a return value for whether the poli=
cy enforcement=0D
+ is currently enabled.=0D
+=0D
+ @retval EFI_SUCCESS=0D
+ @retval Others An error has prevented this command from compl=
eting.=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+ProtocolIsVariablePolicyEnabled (=0D
+ OUT BOOLEAN *State=0D
+ )=0D
+{=0D
+ *State =3D IsVariablePolicyEnabled ();=0D
+ return EFI_SUCCESS;=0D
+}=0D
+=0D
+=0D
/**=0D
Variable Driver main entry point. The Variable driver places the 4 EFI=0D
runtime services in the EFI System Table and installs arch protocols=0D
@@ -576,6 +616,19 @@ VariableServiceInitialize (
);=0D
ASSERT_EFI_ERROR (Status);=0D
=0D
+ // Register and initialize the VariablePolicy engine.=0D
+ Status =3D InitVariablePolicyLib (VariableServiceGetVariable);=0D
+ ASSERT_EFI_ERROR (Status);=0D
+ Status =3D VarCheckRegisterSetVariableCheckHandler (ValidateSetVariable)=
;=0D
+ ASSERT_EFI_ERROR (Status);=0D
+ Status =3D gBS->InstallMultipleProtocolInterfaces (=0D
+ &mHandle,=0D
+ &gEdkiiVariablePolicyProtocolGuid,=0D
+ &mVariablePolicyProtocol,=0D
+ NULL=0D
+ );=0D
+ ASSERT_EFI_ERROR (Status);=0D
+=0D
return EFI_SUCCESS;=0D
}=0D
=0D
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDx=
e.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c
new file mode 100644
index 000000000000..0e72b9ea1cf2
--- /dev/null
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c
@@ -0,0 +1,642 @@
+/** @file -- VariablePolicySmmDxe.c=0D
+This protocol allows communication with Variable Policy Engine.=0D
+=0D
+Copyright (c) Microsoft Corporation.=0D
+SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+=0D
+**/=0D
+=0D
+#include <Library/BaseLib.h>=0D
+#include <Library/UefiLib.h>=0D
+#include <Library/DebugLib.h>=0D
+#include <Library/SafeIntLib.h>=0D
+#include <Library/UefiBootServicesTableLib.h>=0D
+#include <Library/BaseMemoryLib.h>=0D
+#include <Library/MemoryAllocationLib.h>=0D
+=0D
+#include <Protocol/VariablePolicy.h>=0D
+#include <Protocol/MmCommunication2.h>=0D
+=0D
+#include <Guid/VarCheckPolicyMmi.h>=0D
+=0D
+#include "Variable.h"=0D
+=0D
+EDKII_VARIABLE_POLICY_PROTOCOL mVariablePolicyProtocol;=0D
+EFI_MM_COMMUNICATION2_PROTOCOL *mMmCommunication;=0D
+=0D
+VOID *mMmCommunicationBuffer;=0D
+UINTN mMmCommunicationBufferSize;=0D
+EFI_LOCK mMmCommunicationLock;=0D
+=0D
+/**=0D
+ Internal helper function to consolidate communication method.=0D
+=0D
+ @param[in,out] CommBuffer=0D
+ @param[in,out] CommSize Size of the CommBuffer.=0D
+=0D
+ @retval EFI_STATUS Result from communication method.=0D
+=0D
+**/=0D
+STATIC=0D
+EFI_STATUS=0D
+InternalMmCommunicate (=0D
+ IN OUT VOID *CommBuffer,=0D
+ IN OUT UINTN *CommSize=0D
+ )=0D
+{=0D
+ EFI_STATUS Status;=0D
+ if (CommBuffer =3D=3D NULL || CommSize =3D=3D NULL) {=0D
+ return EFI_INVALID_PARAMETER;=0D
+ }=0D
+ Status =3D mMmCommunication->Communicate (mMmCommunication, CommBuffer, =
CommBuffer, CommSize);=0D
+ return Status;=0D
+}=0D
+=0D
+=0D
+/**=0D
+ This API function disables the variable policy enforcement. If it's=0D
+ already been called once, will return EFI_ALREADY_STARTED.=0D
+=0D
+ @retval EFI_SUCCESS=0D
+ @retval EFI_ALREADY_STARTED Has already been called once this boot=
.=0D
+ @retval EFI_WRITE_PROTECTED Interface has been locked until reboot=
.=0D
+ @retval EFI_WRITE_PROTECTED Interface option is disabled by platfo=
rm PCD.=0D
+=0D
+**/=0D
+STATIC=0D
+EFI_STATUS=0D
+EFIAPI=0D
+ProtocolDisableVariablePolicy (=0D
+ VOID=0D
+ )=0D
+{=0D
+ EFI_STATUS Status;=0D
+ EFI_MM_COMMUNICATE_HEADER *CommHeader;=0D
+ VAR_CHECK_POLICY_COMM_HEADER *PolicyHeader;=0D
+ UINTN BufferSize;=0D
+=0D
+ // Check the PCD for convenience.=0D
+ // This would also be rejected by the lib, but why go to MM if we don't =
have to?=0D
+ if (!PcdGetBool (PcdAllowVariablePolicyEnforcementDisable)) {=0D
+ return EFI_WRITE_PROTECTED;=0D
+ }=0D
+=0D
+ AcquireLockOnlyAtBootTime (&mMmCommunicationLock);=0D
+=0D
+ // Set up the MM communication.=0D
+ BufferSize =3D mMmCommunicationBufferSize;=0D
+ CommHeader =3D mMmCommunicationBuffer;=0D
+ PolicyHeader =3D (VAR_CHECK_POLICY_COMM_HEADER*)&CommHeader->Data;=0D
+ CopyGuid( &CommHeader->HeaderGuid, &gVarCheckPolicyLibMmiHandlerGuid );=
=0D
+ CommHeader->MessageLength =3D BufferSize;=0D
+ PolicyHeader->Signature =3D VAR_CHECK_POLICY_COMM_SIG;=0D
+ PolicyHeader->Revision =3D VAR_CHECK_POLICY_COMM_REVISION;=0D
+ PolicyHeader->Command =3D VAR_CHECK_POLICY_COMMAND_DISABLE;=0D
+=0D
+ Status =3D InternalMmCommunicate (CommHeader, &BufferSize);=0D
+ DEBUG(( DEBUG_VERBOSE, "%a - MmCommunication returned %r.\n", __FUNCTION=
__, Status ));=0D
+=0D
+ ReleaseLockOnlyAtBootTime (&mMmCommunicationLock);=0D
+=0D
+ return (EFI_ERROR( Status )) ? Status : PolicyHeader->Result;=0D
+}=0D
+=0D
+=0D
+/**=0D
+ This API function returns whether or not the policy engine is=0D
+ currently being enforced.=0D
+=0D
+ @param[out] State Pointer to a return value for whether the poli=
cy enforcement=0D
+ is currently enabled.=0D
+=0D
+ @retval EFI_SUCCESS=0D
+ @retval Others An error has prevented this command from compl=
eting.=0D
+=0D
+**/=0D
+STATIC=0D
+EFI_STATUS=0D
+EFIAPI=0D
+ProtocolIsVariablePolicyEnabled (=0D
+ OUT BOOLEAN *State=0D
+ )=0D
+{=0D
+ EFI_STATUS Status;=0D
+ EFI_MM_COMMUNICATE_HEADER *CommHeader;=0D
+ VAR_CHECK_POLICY_COMM_HEADER *PolicyHeader;=0D
+ VAR_CHECK_POLICY_COMM_IS_ENABLED_PARAMS *CommandParams;=0D
+ UINTN BufferSize;=0D
+=0D
+ if (State =3D=3D NULL) {=0D
+ return EFI_INVALID_PARAMETER;=0D
+ }=0D
+=0D
+ AcquireLockOnlyAtBootTime (&mMmCommunicationLock);=0D
+=0D
+ // Set up the MM communication.=0D
+ BufferSize =3D mMmCommunicationBufferSize;=0D
+ CommHeader =3D mMmCommunicationBuffer;=0D
+ PolicyHeader =3D (VAR_CHECK_POLICY_COMM_HEADER*)&CommHeader->Data;=0D
+ CommandParams =3D (VAR_CHECK_POLICY_COMM_IS_ENABLED_PARAMS*)(PolicyHeade=
r + 1);=0D
+ CopyGuid( &CommHeader->HeaderGuid, &gVarCheckPolicyLibMmiHandlerGuid );=
=0D
+ CommHeader->MessageLength =3D BufferSize;=0D
+ PolicyHeader->Signature =3D VAR_CHECK_POLICY_COMM_SIG;=0D
+ PolicyHeader->Revision =3D VAR_CHECK_POLICY_COMM_REVISION;=0D
+ PolicyHeader->Command =3D VAR_CHECK_POLICY_COMMAND_IS_ENABLED;=0D
+=0D
+ Status =3D InternalMmCommunicate (CommHeader, &BufferSize);=0D
+ DEBUG(( DEBUG_VERBOSE, "%a - MmCommunication returned %r.\n", __FUNCTION=
__, Status ));=0D
+=0D
+ if (!EFI_ERROR( Status )) {=0D
+ Status =3D PolicyHeader->Result;=0D
+ *State =3D CommandParams->State;=0D
+ }=0D
+=0D
+ ReleaseLockOnlyAtBootTime (&mMmCommunicationLock);=0D
+=0D
+ return Status;=0D
+}=0D
+=0D
+=0D
+/**=0D
+ This API function validates and registers a new policy with=0D
+ the policy enforcement engine.=0D
+=0D
+ @param[in] NewPolicy Pointer to the incoming policy structure.=0D
+=0D
+ @retval EFI_SUCCESS=0D
+ @retval EFI_INVALID_PARAMETER NewPolicy is NULL or is internally i=
nconsistent.=0D
+ @retval EFI_ALREADY_STARTED An identical matching policy already=
exists.=0D
+ @retval EFI_WRITE_PROTECTED The interface has been locked until =
the next reboot.=0D
+ @retval EFI_UNSUPPORTED Policy enforcement has been disabled=
. No reason to add more policies.=0D
+ @retval EFI_ABORTED A calculation error has prevented th=
is function from completing.=0D
+ @retval EFI_OUT_OF_RESOURCES Cannot grow the table to hold any mo=
re policies.=0D
+=0D
+**/=0D
+STATIC=0D
+EFI_STATUS=0D
+EFIAPI=0D
+ProtocolRegisterVariablePolicy (=0D
+ IN CONST VARIABLE_POLICY_ENTRY *NewPolicy=0D
+ )=0D
+{=0D
+ EFI_STATUS Status;=0D
+ EFI_MM_COMMUNICATE_HEADER *CommHeader;=0D
+ VAR_CHECK_POLICY_COMM_HEADER *PolicyHeader;=0D
+ VOID *PolicyBuffer;=0D
+ UINTN BufferSize;=0D
+ UINTN RequiredSize;=0D
+=0D
+ if (NewPolicy =3D=3D NULL) {=0D
+ return EFI_INVALID_PARAMETER;=0D
+ }=0D
+=0D
+ // First, make sure that the required size does not exceed the capabilit=
ies=0D
+ // of the MmCommunication buffer.=0D
+ RequiredSize =3D OFFSET_OF(EFI_MM_COMMUNICATE_HEADER, Data) + sizeof(VAR=
_CHECK_POLICY_COMM_HEADER);=0D
+ Status =3D SafeUintnAdd( RequiredSize, NewPolicy->Size, &RequiredSize );=
=0D
+ if (EFI_ERROR( Status ) || RequiredSize > mMmCommunicationBufferSize) {=
=0D
+ DEBUG(( DEBUG_ERROR, "%a - Policy too large for buffer! %r, %d > %d \n=
", __FUNCTION__,=0D
+ Status, RequiredSize, mMmCommunicationBufferSize ));=0D
+ return EFI_OUT_OF_RESOURCES;=0D
+ }=0D
+=0D
+ AcquireLockOnlyAtBootTime (&mMmCommunicationLock);=0D
+=0D
+ // Set up the MM communication.=0D
+ BufferSize =3D mMmCommunicationBufferSize;=0D
+ CommHeader =3D mMmCommunicationBuffer;=0D
+ PolicyHeader =3D (VAR_CHECK_POLICY_COMM_HEADER*)&CommHeader->Data;=0D
+ PolicyBuffer =3D (VOID*)(PolicyHeader + 1);=0D
+ CopyGuid( &CommHeader->HeaderGuid, &gVarCheckPolicyLibMmiHandlerGuid );=
=0D
+ CommHeader->MessageLength =3D BufferSize;=0D
+ PolicyHeader->Signature =3D VAR_CHECK_POLICY_COMM_SIG;=0D
+ PolicyHeader->Revision =3D VAR_CHECK_POLICY_COMM_REVISION;=0D
+ PolicyHeader->Command =3D VAR_CHECK_POLICY_COMMAND_REGISTER;=0D
+=0D
+ // Copy the policy into place. This copy is safe because we've already t=
ested above.=0D
+ CopyMem( PolicyBuffer, NewPolicy, NewPolicy->Size );=0D
+=0D
+ Status =3D InternalMmCommunicate (CommHeader, &BufferSize);=0D
+ DEBUG(( DEBUG_VERBOSE, "%a - MmCommunication returned %r.\n", __FUNCTION=
__, Status ));=0D
+=0D
+ ReleaseLockOnlyAtBootTime (&mMmCommunicationLock);=0D
+=0D
+ return (EFI_ERROR( Status )) ? Status : PolicyHeader->Result;=0D
+}=0D
+=0D
+=0D
+/**=0D
+ This helper function takes care of the overhead of formatting, sending, =
and interpreting=0D
+ the results for a single DumpVariablePolicy request.=0D
+=0D
+ @param[in] PageRequested The page of the paginated results from M=
M. 0 for metadata.=0D
+ @param[out] TotalSize The total size of the entire buffer. Ret=
urned as part of metadata.=0D
+ @param[out] PageSize The size of the current page being retur=
ned. Not valid as part of metadata.=0D
+ @param[out] HasMore A flag indicating whether there are more=
pages after this one.=0D
+ @param[out] Buffer The start of the current page from MM.=0D
+=0D
+ @retval EFI_SUCCESS Output params have been updated (eit=
her metadata or dump page).=0D
+ @retval EFI_INVALID_PARAMETER One of the output params is NULL.=0D
+ @retval Others Response from MM handler.=0D
+=0D
+**/=0D
+STATIC=0D
+EFI_STATUS=0D
+DumpVariablePolicyHelper (=0D
+ IN UINT32 PageRequested,=0D
+ OUT UINT32 *TotalSize,=0D
+ OUT UINT32 *PageSize,=0D
+ OUT BOOLEAN *HasMore,=0D
+ OUT UINT8 **Buffer=0D
+ )=0D
+{=0D
+ EFI_STATUS Status;=0D
+ EFI_MM_COMMUNICATE_HEADER *CommHeader;=0D
+ VAR_CHECK_POLICY_COMM_HEADER *PolicyHeader;=0D
+ VAR_CHECK_POLICY_COMM_DUMP_PARAMS *CommandParams;=0D
+ UINTN BufferSize;=0D
+=0D
+ if (TotalSize =3D=3D NULL || PageSize =3D=3D NULL || HasMore =3D=3D NULL=
|| Buffer =3D=3D NULL) {=0D
+ return EFI_INVALID_PARAMETER;=0D
+ }=0D
+=0D
+ // Set up the MM communication.=0D
+ BufferSize =3D mMmCommunicationBufferSize;=0D
+ CommHeader =3D mMmCommunicationBuffer;=0D
+ PolicyHeader =3D (VAR_CHECK_POLICY_COMM_HEADER*)&CommHeader->Data;=0D
+ CommandParams =3D (VAR_CHECK_POLICY_COMM_DUMP_PARAMS*)(PolicyHeader + 1)=
;=0D
+ CopyGuid( &CommHeader->HeaderGuid, &gVarCheckPolicyLibMmiHandlerGuid );=
=0D
+ CommHeader->MessageLength =3D BufferSize;=0D
+ PolicyHeader->Signature =3D VAR_CHECK_POLICY_COMM_SIG;=0D
+ PolicyHeader->Revision =3D VAR_CHECK_POLICY_COMM_REVISION;=0D
+ PolicyHeader->Command =3D VAR_CHECK_POLICY_COMMAND_DUMP;=0D
+=0D
+ CommandParams->PageRequested =3D PageRequested;=0D
+=0D
+ Status =3D InternalMmCommunicate (CommHeader, &BufferSize);=0D
+ DEBUG(( DEBUG_VERBOSE, "%a - MmCommunication returned %r.\n", __FUNCTION=
__, Status ));=0D
+=0D
+ if (!EFI_ERROR( Status )) {=0D
+ Status =3D PolicyHeader->Result;=0D
+ *TotalSize =3D CommandParams->TotalSize;=0D
+ *PageSize =3D CommandParams->PageSize;=0D
+ *HasMore =3D CommandParams->HasMore;=0D
+ *Buffer =3D (UINT8*)(CommandParams + 1);=0D
+ }=0D
+=0D
+ return Status;=0D
+}=0D
+=0D
+=0D
+/**=0D
+ This API function will dump the entire contents of the variable policy t=
able.=0D
+=0D
+ Similar to GetVariable, the first call can be made with a 0 size and it =
will return=0D
+ the size of the buffer required to hold the entire table.=0D
+=0D
+ @param[out] Policy Pointer to the policy buffer. Can be NULL if Siz=
e is 0.=0D
+ @param[in,out] Size On input, the size of the output buffer. On outp=
ut, the size=0D
+ of the data returned.=0D
+=0D
+ @retval EFI_SUCCESS Policy data is in the output buffer =
and Size has been updated.=0D
+ @retval EFI_INVALID_PARAMETER Size is NULL, or Size is non-zero an=
d Policy is NULL.=0D
+ @retval EFI_BUFFER_TOO_SMALL Size is insufficient to hold policy.=
Size updated with required size.=0D
+=0D
+**/=0D
+STATIC=0D
+EFI_STATUS=0D
+EFIAPI=0D
+ProtocolDumpVariablePolicy (=0D
+ OUT UINT8 *Policy OPTIONAL,=0D
+ IN OUT UINT32 *Size=0D
+ )=0D
+{=0D
+ EFI_STATUS Status;=0D
+ UINT8 *Source;=0D
+ UINT8 *Destination;=0D
+ UINT32 PolicySize;=0D
+ UINT32 PageSize;=0D
+ BOOLEAN HasMore;=0D
+ UINT32 PageIndex;=0D
+=0D
+ if (Size =3D=3D NULL || (*Size > 0 && Policy =3D=3D NULL)) {=0D
+ return EFI_INVALID_PARAMETER;=0D
+ }=0D
+=0D
+ AcquireLockOnlyAtBootTime (&mMmCommunicationLock);=0D
+=0D
+ // Repeat this whole process until we either have a failure case or get =
the entire buffer.=0D
+ do {=0D
+ // First, we must check the zero page to determine the buffer size and=
=0D
+ // reset the internal state.=0D
+ PolicySize =3D 0;=0D
+ PageSize =3D 0;=0D
+ HasMore =3D FALSE;=0D
+ Status =3D DumpVariablePolicyHelper (0, &PolicySize, &PageSize, &HasMo=
re, &Source);=0D
+ if (EFI_ERROR (Status)) {=0D
+ break;=0D
+ }=0D
+=0D
+ // If we're good, we can at least check the required size now.=0D
+ if (*Size < PolicySize) {=0D
+ *Size =3D PolicySize;=0D
+ Status =3D EFI_BUFFER_TOO_SMALL;=0D
+ break;=0D
+ }=0D
+=0D
+ // On further thought, let's update the size either way.=0D
+ *Size =3D PolicySize;=0D
+ // And get ready to ROCK.=0D
+ Destination =3D Policy;=0D
+=0D
+ // Keep looping and copying until we're either done or freak out.=0D
+ for (PageIndex =3D 1; !EFI_ERROR (Status) && HasMore && PageIndex < MA=
X_UINT32; PageIndex++) {=0D
+ Status =3D DumpVariablePolicyHelper (PageIndex, &PolicySize, &PageSi=
ze, &HasMore, &Source);=0D
+ if (!EFI_ERROR (Status)) {=0D
+ CopyMem (Destination, Source, PageSize);=0D
+ Destination +=3D PageSize;=0D
+ }=0D
+ }=0D
+=0D
+ // Next, we check to see whether=0D
+ } while (Status =3D=3D EFI_TIMEOUT);=0D
+=0D
+ ReleaseLockOnlyAtBootTime (&mMmCommunicationLock);=0D
+=0D
+ // There's currently no use for this, but it shouldn't be hard to implem=
ent.=0D
+ return Status;=0D
+}=0D
+=0D
+=0D
+/**=0D
+ This API function locks the interface so that no more policy updates=0D
+ can be performed or changes made to the enforcement until the next boot.=
=0D
+=0D
+ @retval EFI_SUCCESS=0D
+ @retval Others An error has prevented this command from compl=
eting.=0D
+=0D
+**/=0D
+STATIC=0D
+EFI_STATUS=0D
+EFIAPI=0D
+ProtocolLockVariablePolicy (=0D
+ VOID=0D
+ )=0D
+{=0D
+ EFI_STATUS Status;=0D
+ EFI_MM_COMMUNICATE_HEADER *CommHeader;=0D
+ VAR_CHECK_POLICY_COMM_HEADER *PolicyHeader;=0D
+ UINTN BufferSize;=0D
+=0D
+ AcquireLockOnlyAtBootTime (&mMmCommunicationLock);=0D
+=0D
+ // Set up the MM communication.=0D
+ BufferSize =3D mMmCommunicationBufferSize;=0D
+ CommHeader =3D mMmCommunicationBuffer;=0D
+ PolicyHeader =3D (VAR_CHECK_POLICY_COMM_HEADER*)&CommHeader->Data;=0D
+ CopyGuid( &CommHeader->HeaderGuid, &gVarCheckPolicyLibMmiHandlerGuid );=
=0D
+ CommHeader->MessageLength =3D BufferSize;=0D
+ PolicyHeader->Signature =3D VAR_CHECK_POLICY_COMM_SIG;=0D
+ PolicyHeader->Revision =3D VAR_CHECK_POLICY_COMM_REVISION;=0D
+ PolicyHeader->Command =3D VAR_CHECK_POLICY_COMMAND_LOCK;=0D
+=0D
+ Status =3D InternalMmCommunicate (CommHeader, &BufferSize);=0D
+ DEBUG(( DEBUG_VERBOSE, "%a - MmCommunication returned %r.\n", __FUNCTION=
__, Status ));=0D
+=0D
+ ReleaseLockOnlyAtBootTime (&mMmCommunicationLock);=0D
+=0D
+ return (EFI_ERROR( Status )) ? Status : PolicyHeader->Result;=0D
+}=0D
+=0D
+=0D
+/**=0D
+ This helper function locates the shared comm buffer and assigns it to in=
put pointers.=0D
+=0D
+ @param[in,out] BufferSize On input, the minimum buffer size requir=
ed INCLUDING the MM communicate header.=0D
+ On output, the size of the matching buff=
er found.=0D
+ @param[out] LocatedBuffer A pointer to the matching buffer.=0D
+=0D
+ @retval EFI_SUCCESS=0D
+ @retval EFI_INVALID_PARAMETER One of the output pointers was NULL.=
=0D
+ @retval EFI_OUT_OF_RESOURCES Not enough memory to allocate a comm=
buffer.=0D
+=0D
+**/=0D
+STATIC=0D
+EFI_STATUS=0D
+InitMmCommonCommBuffer (=0D
+ IN OUT UINTN *BufferSize,=0D
+ OUT VOID **LocatedBuffer=0D
+ )=0D
+{=0D
+ EFI_STATUS Status;=0D
+=0D
+ Status =3D EFI_SUCCESS;=0D
+=0D
+ // Make sure that we're working with good pointers.=0D
+ if (BufferSize =3D=3D NULL || LocatedBuffer =3D=3D NULL) {=0D
+ return EFI_INVALID_PARAMETER;=0D
+ }=0D
+=0D
+ // Allocate the runtime memory for the comm buffer.=0D
+ *LocatedBuffer =3D AllocateRuntimePool (*BufferSize);=0D
+ if (*LocatedBuffer =3D=3D NULL) {=0D
+ Status =3D EFI_OUT_OF_RESOURCES;=0D
+ *BufferSize =3D 0;=0D
+ }=0D
+=0D
+ EfiInitializeLock (&mMmCommunicationLock, TPL_NOTIFY);=0D
+=0D
+ return Status;=0D
+}=0D
+=0D
+=0D
+/**=0D
+ This helper is responsible for telemetry and any other actions that=0D
+ need to be taken if the VariablePolicy fails to lock.=0D
+=0D
+ NOTE: It's possible that parts of this handling will need to become=0D
+ part of a platform policy.=0D
+=0D
+ @param[in] FailureStatus The failure that was reported by LockVariabl=
ePolicy=0D
+=0D
+**/=0D
+STATIC=0D
+VOID=0D
+VariablePolicyHandleFailureToLock (=0D
+ IN EFI_STATUS FailureStatus=0D
+ )=0D
+{=0D
+ // For now, there's no agreed-upon policy for this.=0D
+ return;=0D
+}=0D
+=0D
+=0D
+/**=0D
+ EndOfDxe Callback=0D
+ Lock the VariablePolicy interface if it hasn't already been locked.=0D
+=0D
+ @param[in] Event Event whose notification function is being invoked=
=0D
+ @param[in] Context Pointer to the notification function's context=0D
+=0D
+**/=0D
+STATIC=0D
+VOID=0D
+EFIAPI=0D
+LockPolicyInterfaceAtEndOfDxe (=0D
+ IN EFI_EVENT Event,=0D
+ IN VOID *Context=0D
+ )=0D
+{=0D
+ EFI_STATUS Status;=0D
+=0D
+ Status =3D ProtocolLockVariablePolicy();=0D
+=0D
+ if (EFI_ERROR( Status )) {=0D
+ VariablePolicyHandleFailureToLock( Status );=0D
+ }=0D
+ else {=0D
+ gBS->CloseEvent( Event );=0D
+ }=0D
+=0D
+}=0D
+=0D
+=0D
+/**=0D
+ Convert internal pointer addresses to virtual addresses.=0D
+=0D
+ @param[in] Event Event whose notification function is being invoked=
.=0D
+ @param[in] Context The pointer to the notification function's context=
, which=0D
+ is implementation-dependent.=0D
+**/=0D
+STATIC=0D
+VOID=0D
+EFIAPI=0D
+VariablePolicyVirtualAddressCallback (=0D
+ IN EFI_EVENT Event,=0D
+ IN VOID *Context=0D
+ )=0D
+{=0D
+ EfiConvertPointer (0, (VOID **)&mMmCommunication);=0D
+ EfiConvertPointer (0, (VOID **)&mMmCommunicationBuffer);=0D
+}=0D
+=0D
+=0D
+/**=0D
+ The driver's entry point.=0D
+=0D
+ @param[in] ImageHandle The firmware allocated handle for the EFI image.=
=0D
+ @param[in] SystemTable A pointer to the EFI System Table.=0D
+=0D
+ @retval EFI_SUCCESS The entry point executed successfully.=0D
+ @retval other Some error occured when executing this entry poi=
nt.=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+VariablePolicySmmDxeMain (=0D
+ IN EFI_HANDLE ImageHandle,=0D
+ IN EFI_SYSTEM_TABLE *SystemTable=0D
+ )=0D
+{=0D
+ EFI_STATUS Status;=0D
+ BOOLEAN ProtocolInstalled;=0D
+ BOOLEAN CallbackRegistered;=0D
+ BOOLEAN VirtualAddressChangeRegistered;=0D
+ EFI_EVENT EndOfDxeEvent;=0D
+ EFI_EVENT VirtualAddressChangeEvent;=0D
+=0D
+ Status =3D EFI_SUCCESS;=0D
+ ProtocolInstalled =3D FALSE;=0D
+ CallbackRegistered =3D FALSE;=0D
+ VirtualAddressChangeRegistered =3D FALSE;=0D
+=0D
+ // Update the minimum buffer size.=0D
+ mMmCommunicationBufferSize =3D VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE;=0D
+ // Locate the shared comm buffer to use for sending MM commands.=0D
+ Status =3D InitMmCommonCommBuffer( &mMmCommunicationBufferSize, &mMmComm=
unicationBuffer );=0D
+ if (EFI_ERROR( Status )) {=0D
+ DEBUG((DEBUG_ERROR, "%a - Failed to locate a viable MM comm buffer! %r=
\n", __FUNCTION__, Status));=0D
+ ASSERT_EFI_ERROR( Status );=0D
+ return Status;=0D
+ }=0D
+=0D
+ // Locate the MmCommunication protocol.=0D
+ Status =3D gBS->LocateProtocol( &gEfiMmCommunication2ProtocolGuid, NULL,=
(VOID**)&mMmCommunication );=0D
+ if (EFI_ERROR( Status )) {=0D
+ DEBUG((DEBUG_ERROR, "%a - Failed to locate MmCommunication protocol! %=
r\n", __FUNCTION__, Status));=0D
+ ASSERT_EFI_ERROR( Status );=0D
+ return Status;=0D
+ }=0D
+=0D
+ // Configure the VariablePolicy protocol structure.=0D
+ mVariablePolicyProtocol.Revision =3D EDKII_VARIABLE_POLIC=
Y_PROTOCOL_REVISION;=0D
+ mVariablePolicyProtocol.DisableVariablePolicy =3D ProtocolDisableVaria=
blePolicy;=0D
+ mVariablePolicyProtocol.IsVariablePolicyEnabled =3D ProtocolIsVariablePo=
licyEnabled;=0D
+ mVariablePolicyProtocol.RegisterVariablePolicy =3D ProtocolRegisterVari=
ablePolicy;=0D
+ mVariablePolicyProtocol.DumpVariablePolicy =3D ProtocolDumpVariable=
Policy;=0D
+ mVariablePolicyProtocol.LockVariablePolicy =3D ProtocolLockVariable=
Policy;=0D
+=0D
+ // Register all the protocols and return the status.=0D
+ Status =3D gBS->InstallMultipleProtocolInterfaces( &ImageHandle,=0D
+ &gEdkiiVariablePolicyPr=
otocolGuid, &mVariablePolicyProtocol,=0D
+ NULL );=0D
+ if (EFI_ERROR( Status )) {=0D
+ DEBUG(( DEBUG_ERROR, "%a - Failed to install protocol! %r\n", __FUNCTI=
ON__, Status ));=0D
+ goto Exit;=0D
+ }=0D
+ else {=0D
+ ProtocolInstalled =3D TRUE;=0D
+ }=0D
+=0D
+ //=0D
+ // Register a callback for EndOfDxe so that the interface is at least lo=
cked before=0D
+ // dispatching any bootloaders or UEFI apps.=0D
+ Status =3D gBS->CreateEventEx( EVT_NOTIFY_SIGNAL,=0D
+ TPL_CALLBACK,=0D
+ LockPolicyInterfaceAtEndOfDxe,=0D
+ NULL,=0D
+ &gEfiEndOfDxeEventGroupGuid,=0D
+ &EndOfDxeEvent );=0D
+ if (EFI_ERROR( Status )) {=0D
+ DEBUG(( DEBUG_ERROR, "%a - Failed to create EndOfDxe event! %r\n", __F=
UNCTION__, Status ));=0D
+ goto Exit;=0D
+ }=0D
+ else {=0D
+ CallbackRegistered =3D TRUE;=0D
+ }=0D
+=0D
+ //=0D
+ // Register a VirtualAddressChange callback for the MmComm protocol and =
Comm buffer.=0D
+ Status =3D gBS->CreateEventEx (EVT_NOTIFY_SIGNAL,=0D
+ TPL_NOTIFY,=0D
+ VariablePolicyVirtualAddressCallback,=0D
+ NULL,=0D
+ &gEfiEventVirtualAddressChangeGuid,=0D
+ &VirtualAddressChangeEvent);=0D
+ if (EFI_ERROR( Status )) {=0D
+ DEBUG(( DEBUG_ERROR, "%a - Failed to create VirtualAddressChange event=
! %r\n", __FUNCTION__, Status ));=0D
+ goto Exit;=0D
+ }=0D
+ else {=0D
+ VirtualAddressChangeRegistered =3D TRUE;=0D
+ }=0D
+=0D
+=0D
+Exit:=0D
+ //=0D
+ // If we're about to return a failed status (and unload this driver), we=
must first undo anything that=0D
+ // has been successfully done.=0D
+ if (EFI_ERROR( Status )) {=0D
+ if (ProtocolInstalled) {=0D
+ gBS->UninstallProtocolInterface( &ImageHandle, &gEdkiiVariablePolicy=
ProtocolGuid, &mVariablePolicyProtocol );=0D
+ }=0D
+ if (CallbackRegistered) {=0D
+ gBS->CloseEvent( EndOfDxeEvent );=0D
+ }=0D
+ if (VirtualAddressChangeRegistered) {=0D
+ gBS->CloseEvent( VirtualAddressChangeEvent );=0D
+ }=0D
+ }=0D
+=0D
+ return Status;=0D
+}=0D
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeD=
xe.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c
index 663a1aaa128f..c47e614d81f4 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c
@@ -65,6 +65,17 @@ EFI_LOCK mVariableServicesLock;
EDKII_VARIABLE_LOCK_PROTOCOL mVariableLock;=0D
EDKII_VAR_CHECK_PROTOCOL mVarCheck;=0D
=0D
+/**=0D
+ The logic to initialize the VariablePolicy engine is in its own file.=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+VariablePolicySmmDxeMain (=0D
+ IN EFI_HANDLE ImageHandle,=0D
+ IN EFI_SYSTEM_TABLE *SystemTable=0D
+ );=0D
+=0D
/**=0D
Some Secure Boot Policy Variable may update following other variable cha=
nges(SecureBoot follows PK change, etc).=0D
Record their initial State when variable write service is ready.=0D
@@ -1796,6 +1807,9 @@ VariableSmmRuntimeInitialize (
&mVirtualAddressChangeEvent=0D
);=0D
=0D
+ // Initialize the VariablePolicy protocol and engine.=0D
+ VariablePolicySmmDxeMain (ImageHandle, SystemTable);=0D
+=0D
return EFI_SUCCESS;=0D
}=0D
=0D
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.=
inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
index ceea5d1ff9ac..48ac167906f7 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
@@ -10,6 +10,7 @@
# buffer overflow or integer overflow.=0D
#=0D
# Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR>=0D
+# Copyright (c) Microsoft Corporation.=0D
# SPDX-License-Identifier: BSD-2-Clause-Patent=0D
#=0D
##=0D
@@ -69,6 +70,7 @@ [LibraryClasses]
TpmMeasurementLib=0D
AuthVariableLib=0D
VarCheckLib=0D
+ VariablePolicyLib=0D
=0D
[Protocols]=0D
gEfiFirmwareVolumeBlockProtocolGuid ## CONSUMES=0D
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf b/M=
deModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf
index bc3033588d40..bbc8d2080193 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf
@@ -19,6 +19,7 @@
# the authentication service provided in this driver will be broken, and =
the behavior is undefined.=0D
#=0D
# Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.<BR>=0D
+# Copyright (c) Microsoft Corporation.=0D
# SPDX-License-Identifier: BSD-2-Clause-Patent=0D
#=0D
##=0D
@@ -78,6 +79,8 @@ [LibraryClasses]
AuthVariableLib=0D
VarCheckLib=0D
UefiBootServicesTableLib=0D
+ VariablePolicyLib=0D
+ VariablePolicyHelperLib=0D
=0D
[Protocols]=0D
gEfiSmmFirmwareVolumeBlockProtocolGuid ## CONSUMES=0D
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeD=
xe.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.i=
nf
index 01564e4c5068..b6dbc839e023 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
@@ -14,6 +14,7 @@
# the authentication service provided in this driver will be broken, and =
the behavior is undefined.=0D
#=0D
# Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.<BR>=0D
+# Copyright (c) Microsoft Corporation.<BR>=0D
# SPDX-License-Identifier: BSD-2-Clause-Patent=0D
#=0D
##=0D
@@ -42,6 +43,7 @@ [Sources]
VariableParsing.c=0D
VariableParsing.h=0D
Variable.h=0D
+ VariablePolicySmmDxe.c=0D
=0D
[Packages]=0D
MdePkg/MdePkg.dec=0D
@@ -56,6 +58,8 @@ [LibraryClasses]
DxeServicesTableLib=0D
UefiDriverEntryPoint=0D
TpmMeasurementLib=0D
+ SafeIntLib=0D
+ PcdLib=0D
=0D
[Protocols]=0D
gEfiVariableWriteArchProtocolGuid ## PRODUCES=0D
@@ -67,11 +71,15 @@ [Protocols]
gEfiSmmVariableProtocolGuid=0D
gEdkiiVariableLockProtocolGuid ## PRODUCES=0D
gEdkiiVarCheckProtocolGuid ## PRODUCES=0D
+ gEdkiiVariablePolicyProtocolGuid ## PRODUCES=0D
=0D
[FeaturePcd]=0D
gEfiMdeModulePkgTokenSpaceGuid.PcdEnableVariableRuntimeCache #=
# CONSUMES=0D
gEfiMdeModulePkgTokenSpaceGuid.PcdVariableCollectStatistics #=
# CONSUMES=0D
=0D
+[Pcd]=0D
+ gEfiMdeModulePkgTokenSpaceGuid.PcdAllowVariablePolicyEnforcementDisable =
## CONSUMES=0D
+=0D
[Guids]=0D
## PRODUCES ## GUID # Signature of Variable store header=0D
## CONSUMES ## GUID # Signature of Variable store header=0D
@@ -99,6 +107,9 @@ [Guids]
## SOMETIMES_CONSUMES ## Variable:L"dbt"=0D
gEfiImageSecurityDatabaseGuid=0D
=0D
+ gVarCheckPolicyLibMmiHandlerGuid=0D
+ gEfiEndOfDxeEventGroupGuid=0D
+=0D
[Depex]=0D
gEfiMmCommunication2ProtocolGuid=0D
=0D
--=20
2.28.0.windows.1


[PATCH v7 08/14] UefiPayloadPkg: Add VariablePolicy engine to UefiPayloadPkg platform

Bret Barkelew
 

https://bugzilla.tianocore.org/show_bug.cgi?id=3D2522

Cc: Maurice Ma <maurice.ma@intel.com>
Cc: Guo Dong <guo.dong@intel.com>
Cc: Benjamin You <benjamin.you@intel.com>
Cc: Bret Barkelew <brbarkel@microsoft.com>
Signed-off-by: Bret Barkelew <brbarkel@microsoft.com>
Reviewed-by: Maurice Ma <maurice.ma@intel.com>
---
UefiPayloadPkg/UefiPayloadPkgIa32.dsc | 4 ++++
UefiPayloadPkg/UefiPayloadPkgIa32X64.dsc | 4 ++++
2 files changed, 8 insertions(+)

diff --git a/UefiPayloadPkg/UefiPayloadPkgIa32.dsc b/UefiPayloadPkg/UefiPay=
loadPkgIa32.dsc
index 460da1c504dc..6301e83ab30a 100644
--- a/UefiPayloadPkg/UefiPayloadPkgIa32.dsc
+++ b/UefiPayloadPkg/UefiPayloadPkgIa32.dsc
@@ -4,6 +4,7 @@
# Provides drivers and definitions to create uefi payload for bootloaders.=
=0D
#=0D
# Copyright (c) 2014 - 2020, Intel Corporation. All rights reserved.<BR>=0D
+# Copyright (c) Microsoft Corporation.=0D
# SPDX-License-Identifier: BSD-2-Clause-Patent=0D
#=0D
##=0D
@@ -208,6 +209,8 @@ [LibraryClasses]
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib=
Null.inf=0D
TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurem=
entLibNull.inf=0D
VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf=0D
+ VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyL=
ib.inf=0D
+ VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/Var=
iablePolicyHelperLib.inf=0D
=0D
[LibraryClasses.IA32.SEC]=0D
DebugLib|MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf=0D
@@ -257,6 +260,7 @@ [LibraryClasses.common.DXE_RUNTIME_DRIVER]
HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf=0D
MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAll=
ocationLib.inf=0D
ReportStatusCodeLib|MdeModulePkg/Library/RuntimeDxeReportStatusCodeLib/R=
untimeDxeReportStatusCodeLib.inf=0D
+ VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyL=
ibRuntimeDxe.inf=0D
=0D
[LibraryClasses.common.UEFI_DRIVER,LibraryClasses.common.UEFI_APPLICATION]=
=0D
PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf=0D
diff --git a/UefiPayloadPkg/UefiPayloadPkgIa32X64.dsc b/UefiPayloadPkg/Uefi=
PayloadPkgIa32X64.dsc
index 942bc9076634..8cddb94911f7 100644
--- a/UefiPayloadPkg/UefiPayloadPkgIa32X64.dsc
+++ b/UefiPayloadPkg/UefiPayloadPkgIa32X64.dsc
@@ -4,6 +4,7 @@
# Provides drivers and definitions to create uefi payload for bootloaders.=
=0D
#=0D
# Copyright (c) 2014 - 2020, Intel Corporation. All rights reserved.<BR>=0D
+# Copyright (c) Microsoft Corporation.=0D
# SPDX-License-Identifier: BSD-2-Clause-Patent=0D
#=0D
##=0D
@@ -209,6 +210,8 @@ [LibraryClasses]
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib=
Null.inf=0D
TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurem=
entLibNull.inf=0D
VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf=0D
+ VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyL=
ib.inf=0D
+ VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/Var=
iablePolicyHelperLib.inf=0D
=0D
[LibraryClasses.IA32.SEC]=0D
DebugLib|MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf=0D
@@ -258,6 +261,7 @@ [LibraryClasses.common.DXE_RUNTIME_DRIVER]
HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf=0D
MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAll=
ocationLib.inf=0D
ReportStatusCodeLib|MdeModulePkg/Library/RuntimeDxeReportStatusCodeLib/R=
untimeDxeReportStatusCodeLib.inf=0D
+ VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyL=
ibRuntimeDxe.inf=0D
=0D
[LibraryClasses.common.UEFI_DRIVER,LibraryClasses.common.UEFI_APPLICATION]=
=0D
PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf=0D
--=20
2.28.0.windows.1


[PATCH v7 07/14] ArmVirtPkg: Add VariablePolicy engine to ArmVirtPkg platform

Bret Barkelew
 

https://bugzilla.tianocore.org/show_bug.cgi?id=3D2522

Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Bret Barkelew <brbarkel@microsoft.com>
Signed-off-by: Bret Barkelew <brbarkel@microsoft.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
---
ArmVirtPkg/ArmVirt.dsc.inc | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
index cf44fc73890b..0af6d839cf11 100644
--- a/ArmVirtPkg/ArmVirt.dsc.inc
+++ b/ArmVirtPkg/ArmVirt.dsc.inc
@@ -2,6 +2,7 @@
# Copyright (c) 2011-2015, ARM Limited. All rights reserved.=0D
# Copyright (c) 2014, Linaro Limited. All rights reserved.=0D
# Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.=0D
+# Copyright (c) Microsoft Corporation.=0D
#=0D
# SPDX-License-Identifier: BSD-2-Clause-Patent=0D
#=0D
@@ -173,6 +174,8 @@ [LibraryClasses.common]
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib=
Null.inf=0D
!endif=0D
VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf=0D
+ VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyL=
ib.inf=0D
+ VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/Var=
iablePolicyHelperLib.inf=0D
UefiBootManagerLib|MdeModulePkg/Library/UefiBootManagerLib/UefiBootManag=
erLib.inf=0D
=0D
ReportStatusCodeLib|MdePkg/Library/BaseReportStatusCodeLibNull/BaseRepor=
tStatusCodeLibNull.inf=0D
@@ -246,6 +249,7 @@ [LibraryClasses.common.DXE_RUNTIME_DRIVER]
!if $(TARGET) !=3D RELEASE=0D
DebugLib|MdePkg/Library/DxeRuntimeDebugLibSerialPort/DxeRuntimeDebugLibS=
erialPort.inf=0D
!endif=0D
+ VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyL=
ibRuntimeDxe.inf=0D
=0D
!if $(SECURE_BOOT_ENABLE) =3D=3D TRUE=0D
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf=0D
--=20
2.28.0.windows.1


[PATCH v7 06/14] EmulatorPkg: Add VariablePolicy engine to EmulatorPkg platform

Bret Barkelew
 

https://bugzilla.tianocore.org/show_bug.cgi?id=3D2522

Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Andrew Fish <afish@apple.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Bret Barkelew <brbarkel@microsoft.com>
Signed-off-by: Bret Barkelew <brbarkel@microsoft.com>
---
EmulatorPkg/EmulatorPkg.dsc | 3 +++
1 file changed, 3 insertions(+)

diff --git a/EmulatorPkg/EmulatorPkg.dsc b/EmulatorPkg/EmulatorPkg.dsc
index 86a62717353b..3bb6e0373ca8 100644
--- a/EmulatorPkg/EmulatorPkg.dsc
+++ b/EmulatorPkg/EmulatorPkg.dsc
@@ -6,6 +6,7 @@
#=0D
# Copyright (c) 2006 - 2020, Intel Corporation. All rights reserved.<BR>=0D
# Portions copyright (c) 2010 - 2011, Apple Inc. All rights reserved.<BR>=
=0D
+# Copyright (c) Microsoft Corporation.=0D
#=0D
# SPDX-License-Identifier: BSD-2-Clause-Patent=0D
#=0D
@@ -108,6 +109,8 @@ [LibraryClasses]
TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurem=
entLibNull.inf=0D
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib=
Null.inf=0D
VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf=0D
+ VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyL=
ibRuntimeDxe.inf=0D
+ VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/Var=
iablePolicyHelperLib.inf=0D
SortLib|MdeModulePkg/Library/BaseSortLib/BaseSortLib.inf=0D
ShellLib|ShellPkg/Library/UefiShellLib/UefiShellLib.inf=0D
FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf=0D
--=20
2.28.0.windows.1


[PATCH v7 05/14] OvmfPkg: Add VariablePolicy engine to OvmfPkg platform

Bret Barkelew
 

https://bugzilla.tianocore.org/show_bug.cgi?id=3D2522

Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Bret Barkelew <brbarkel@microsoft.com>
Signed-off-by: Bret Barkelew <brbarkel@microsoft.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
---
OvmfPkg/OvmfPkgIa32.dsc | 5 +++++
OvmfPkg/OvmfPkgIa32X64.dsc | 5 +++++
OvmfPkg/OvmfPkgX64.dsc | 5 +++++
OvmfPkg/OvmfXen.dsc | 4 ++++
4 files changed, 19 insertions(+)

diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 133a9a93c071..f9867167b070 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -3,6 +3,7 @@
#=0D
# Copyright (c) 2006 - 2020, Intel Corporation. All rights reserved.<BR>=
=0D
# (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>=0D
+# Copyright (c) Microsoft Corporation.=0D
#=0D
# SPDX-License-Identifier: BSD-2-Clause-Patent=0D
#=0D
@@ -197,6 +198,8 @@ [LibraryClasses]
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib=
Null.inf=0D
!endif=0D
VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf=0D
+ VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyL=
ib.inf=0D
+ VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/Var=
iablePolicyHelperLib.inf=0D
=0D
=0D
#=0D
@@ -336,6 +339,7 @@ [LibraryClasses.common.DXE_RUNTIME_DRIVER]
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf=0D
PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf=0D
QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf=
=0D
+ VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyL=
ibRuntimeDxe.inf=0D
=0D
[LibraryClasses.common.UEFI_DRIVER]=0D
PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf=0D
@@ -963,6 +967,7 @@ [Components]
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf {=0D
<LibraryClasses>=0D
NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf=0D
+ NULL|MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf=0D
}=0D
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf=0D
=0D
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 338c38db29b5..440b60c758d3 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -3,6 +3,7 @@
#=0D
# Copyright (c) 2006 - 2020, Intel Corporation. All rights reserved.<BR>=
=0D
# (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>=0D
+# Copyright (c) Microsoft Corporation.=0D
#=0D
# SPDX-License-Identifier: BSD-2-Clause-Patent=0D
#=0D
@@ -201,6 +202,8 @@ [LibraryClasses]
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib=
Null.inf=0D
!endif=0D
VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf=0D
+ VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyL=
ib.inf=0D
+ VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/Var=
iablePolicyHelperLib.inf=0D
=0D
=0D
#=0D
@@ -340,6 +343,7 @@ [LibraryClasses.common.DXE_RUNTIME_DRIVER]
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf=0D
PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf=0D
QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf=
=0D
+ VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyL=
ibRuntimeDxe.inf=0D
=0D
[LibraryClasses.common.UEFI_DRIVER]=0D
PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf=0D
@@ -978,6 +982,7 @@ [Components.X64]
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf {=0D
<LibraryClasses>=0D
NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf=0D
+ NULL|MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf=0D
}=0D
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf=0D
=0D
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index b80710fbdca4..3098f5b48f65 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -3,6 +3,7 @@
#=0D
# Copyright (c) 2006 - 2020, Intel Corporation. All rights reserved.<BR>=
=0D
# (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>=0D
+# Copyright (c) Microsoft Corporation.=0D
#=0D
# SPDX-License-Identifier: BSD-2-Clause-Patent=0D
#=0D
@@ -201,6 +202,8 @@ [LibraryClasses]
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib=
Null.inf=0D
!endif=0D
VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf=0D
+ VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyL=
ib.inf=0D
+ VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/Var=
iablePolicyHelperLib.inf=0D
=0D
=0D
#=0D
@@ -340,6 +343,7 @@ [LibraryClasses.common.DXE_RUNTIME_DRIVER]
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf=0D
PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf=0D
QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf=
=0D
+ VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyL=
ibRuntimeDxe.inf=0D
=0D
[LibraryClasses.common.UEFI_DRIVER]=0D
PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf=0D
@@ -974,6 +978,7 @@ [Components]
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf {=0D
<LibraryClasses>=0D
NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf=0D
+ NULL|MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf=0D
}=0D
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf=0D
=0D
diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc
index 37b63a874067..1b1857fb74fd 100644
--- a/OvmfPkg/OvmfXen.dsc
+++ b/OvmfPkg/OvmfXen.dsc
@@ -4,6 +4,7 @@
# Copyright (c) 2006 - 2020, Intel Corporation. All rights reserved.<BR>=
=0D
# (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>=0D
# Copyright (c) 2019, Citrix Systems, Inc.=0D
+# Copyright (c) Microsoft Corporation.=0D
#=0D
# SPDX-License-Identifier: BSD-2-Clause-Patent=0D
#=0D
@@ -182,6 +183,8 @@ [LibraryClasses]
=0D
AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib=
Null.inf=0D
VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf=0D
+ VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyL=
ib.inf=0D
+ VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/Var=
iablePolicyHelperLib.inf=0D
=0D
=0D
#=0D
@@ -290,6 +293,7 @@ [LibraryClasses.common.DXE_RUNTIME_DRIVER]
BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf=0D
PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf=0D
QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf=
=0D
+ VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyL=
ibRuntimeDxe.inf=0D
=0D
[LibraryClasses.common.UEFI_DRIVER]=0D
PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf=0D
--=20
2.28.0.windows.1


[PATCH v7 04/14] MdeModulePkg: Define the VarCheckPolicyLib and SMM interface

Bret Barkelew
 

https://bugzilla.tianocore.org/show_bug.cgi?id=3D2522

VariablePolicy is an updated interface to
replace VarLock and VarCheckProtocol.

This is an instance of a VarCheckLib that is backed by the
VariablePolicyLib business logic. It also publishes the SMM
calling interface for messages from the DXE protocol.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Bret Barkelew <brbarkel@microsoft.com>
Signed-off-by: Bret Barkelew <brbarkel@microsoft.com>
---
MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c | 345 +++++++=
+++++++++++++
MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h | 54 +++
MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf | 42 +++
MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.uni | 12 +
MdeModulePkg/MdeModulePkg.dec | 4 +
MdeModulePkg/MdeModulePkg.dsc | 2 +
6 files changed, 459 insertions(+)

diff --git a/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c b/M=
deModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c
new file mode 100644
index 000000000000..5a0a1599ab41
--- /dev/null
+++ b/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c
@@ -0,0 +1,345 @@
+/** @file -- VarCheckPolicyLib.c=0D
+This is a NULL library instance that leverages the VarCheck interface=0D
+and the business logic behind the VariablePolicy code to make its decision=
s.=0D
+=0D
+Copyright (c) Microsoft Corporation.=0D
+SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+=0D
+**/=0D
+=0D
+#include <Library/VarCheckLib.h>=0D
+#include <Library/BaseLib.h>=0D
+#include <Library/DebugLib.h>=0D
+#include <Library/SafeIntLib.h>=0D
+#include <Library/MmServicesTableLib.h>=0D
+#include <Library/SmmMemLib.h>=0D
+#include <Library/BaseMemoryLib.h>=0D
+#include <Library/MemoryAllocationLib.h>=0D
+=0D
+#include <Protocol/MmCommunication.h>=0D
+=0D
+#include <Protocol/VariablePolicy.h>=0D
+#include <Library/VariablePolicyLib.h>=0D
+=0D
+#include <Guid/VarCheckPolicyMmi.h>=0D
+=0D
+//=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0D
+// As a VarCheck library, we're linked into the VariableServices=0D
+// and may not be able to call them indirectly. To get around this,=0D
+// use the internal GetVariable function to query the variable store.=0D
+//=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0D
+EFI_STATUS=0D
+EFIAPI=0D
+VariableServiceGetVariable (=0D
+ IN CHAR16 *VariableName,=0D
+ IN EFI_GUID *VendorGuid,=0D
+ OUT UINT32 *Attributes OPTIONAL,=0D
+ IN OUT UINTN *DataSize,=0D
+ OUT VOID *Data=0D
+ );=0D
+=0D
+=0D
+UINT8 mSecurityEvalBuffer[VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE];=0D
+=0D
+=0D
+/**=0D
+ MM Communication Handler to recieve commands from the DXE protocol for=0D
+ Variable Policies. This communication channel is used to register new po=
licies=0D
+ and poll and toggle the enforcement of variable policies.=0D
+=0D
+ @param[in] DispatchHandle All parameters standard to MM commun=
ications convention.=0D
+ @param[in] RegisterContext All parameters standard to MM commun=
ications convention.=0D
+ @param[in,out] CommBuffer All parameters standard to MM commun=
ications convention.=0D
+ @param[in,out] CommBufferSize All parameters standard to MM commun=
ications convention.=0D
+=0D
+ @retval EFI_SUCCESS=0D
+ @retval EFI_INVALID_PARAMETER CommBuffer or CommBufferSize is null=
pointer.=0D
+ @retval EFI_INVALID_PARAMETER CommBuffer size is wrong.=0D
+ @retval EFI_INVALID_PARAMETER Revision or signature don't match.=0D
+=0D
+**/=0D
+STATIC=0D
+EFI_STATUS=0D
+EFIAPI=0D
+VarCheckPolicyLibMmiHandler (=0D
+ IN EFI_HANDLE DispatchHandle,=0D
+ IN CONST VOID *RegisterContext,=0D
+ IN OUT VOID *CommBuffer,=0D
+ IN OUT UINTN *CommBufferSize=0D
+ )=0D
+{=0D
+ UINTN InternalCommBufferSize;=0D
+ VOID *InternalCommBuffer;=0D
+ EFI_STATUS Status;=0D
+ EFI_STATUS SubCommandStatus;=0D
+ VAR_CHECK_POLICY_COMM_HEADER *PolicyCommmHeader;=0D
+ VAR_CHECK_POLICY_COMM_HEADER *InternalPolicyCommmHeader;=0D
+ VAR_CHECK_POLICY_COMM_IS_ENABLED_PARAMS *IsEnabledParams;=0D
+ VAR_CHECK_POLICY_COMM_DUMP_PARAMS *DumpParamsIn;=0D
+ VAR_CHECK_POLICY_COMM_DUMP_PARAMS *DumpParamsOut;=0D
+ UINT8 *DumpInputBuffer;=0D
+ UINT8 *DumpOutputBuffer;=0D
+ UINTN DumpTotalPages;=0D
+ VARIABLE_POLICY_ENTRY *PolicyEntry;=0D
+ UINTN ExpectedSize;=0D
+ UINT32 TempSize;=0D
+ // Pagination Cache Variables=0D
+ static UINT8 *PaginationCache =3D NULL;=0D
+ static UINTN PaginationCacheSize =3D 0;=0D
+ static UINT32 CurrentPaginationCommand =3D 0=
;=0D
+=0D
+ Status =3D EFI_SUCCESS;=0D
+=0D
+ //=0D
+ // Validate some input parameters.=0D
+ //=0D
+ // If either of the pointers are NULL, we can't proceed.=0D
+ if (CommBuffer =3D=3D NULL || CommBufferSize =3D=3D NULL) {=0D
+ DEBUG(( DEBUG_INFO, "%a - Invalid comm buffer pointers!\n", __FUNCTION=
__ ));=0D
+ return EFI_INVALID_PARAMETER;=0D
+ }=0D
+ // Make sure that the buffer does not overlap SMM.=0D
+ // This should be covered by the SmiManage infrastructure, but just to b=
e safe...=0D
+ InternalCommBufferSize =3D *CommBufferSize;=0D
+ if (InternalCommBufferSize > VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE || !Sm=
mIsBufferOutsideSmmValid((UINTN)CommBuffer, (UINT64)InternalCommBufferSize)=
) {=0D
+ DEBUG ((DEBUG_ERROR, "%a - Invalid CommBuffer supplied! 0x%016lX[0x%01=
6lX]\n", __FUNCTION__, CommBuffer, InternalCommBufferSize));=0D
+ return EFI_INVALID_PARAMETER;=0D
+ }=0D
+ // If the size does not meet a minimum threshold, we cannot proceed.=0D
+ ExpectedSize =3D sizeof(VAR_CHECK_POLICY_COMM_HEADER);=0D
+ if (InternalCommBufferSize < ExpectedSize) {=0D
+ DEBUG(( DEBUG_INFO, "%a - Bad comm buffer size! %d < %d\n", __FUNCTION=
__, InternalCommBufferSize, ExpectedSize ));=0D
+ return EFI_INVALID_PARAMETER;=0D
+ }=0D
+=0D
+ //=0D
+ // Before proceeding any further, copy the buffer internally so that we =
can compare=0D
+ // without worrying about TOCTOU.=0D
+ //=0D
+ InternalCommBuffer =3D &mSecurityEvalBuffer[0];=0D
+ CopyMem(InternalCommBuffer, CommBuffer, InternalCommBufferSize);=0D
+ PolicyCommmHeader =3D CommBuffer;=0D
+ InternalPolicyCommmHeader =3D InternalCommBuffer;=0D
+ // Check the revision and the signature of the comm header.=0D
+ if (InternalPolicyCommmHeader->Signature !=3D VAR_CHECK_POLICY_COMM_SIG =
||=0D
+ InternalPolicyCommmHeader->Revision !=3D VAR_CHECK_POLICY_COMM_REVIS=
ION) {=0D
+ DEBUG(( DEBUG_INFO, "%a - Signature or revision are incorrect!\n", __F=
UNCTION__ ));=0D
+ // We have verified the buffer is not null and have enough size to hol=
d Result field.=0D
+ PolicyCommmHeader->Result =3D EFI_INVALID_PARAMETER;=0D
+ return EFI_SUCCESS;=0D
+ }=0D
+=0D
+ // If we're in the middle of a paginated dump and any other command is s=
ent,=0D
+ // pagination cache must be cleared.=0D
+ if (PaginationCache !=3D NULL && InternalPolicyCommmHeader->Command !=3D=
CurrentPaginationCommand) {=0D
+ FreePool (PaginationCache);=0D
+ PaginationCache =3D NULL;=0D
+ PaginationCacheSize =3D 0;=0D
+ CurrentPaginationCommand =3D 0;=0D
+ }=0D
+=0D
+ //=0D
+ // Now we can process the command as it was sent.=0D
+ //=0D
+ PolicyCommmHeader->Result =3D EFI_ABORTED; // Set a default return fo=
r incomplete commands.=0D
+ switch(InternalPolicyCommmHeader->Command) {=0D
+ case VAR_CHECK_POLICY_COMMAND_DISABLE:=0D
+ PolicyCommmHeader->Result =3D DisableVariablePolicy();=0D
+ break;=0D
+=0D
+ case VAR_CHECK_POLICY_COMMAND_IS_ENABLED:=0D
+ // Make sure that we're dealing with a reasonable size.=0D
+ // This add should be safe because these are fixed sizes so far.=0D
+ ExpectedSize +=3D sizeof(VAR_CHECK_POLICY_COMM_IS_ENABLED_PARAMS);=0D
+ if (InternalCommBufferSize < ExpectedSize) {=0D
+ DEBUG(( DEBUG_INFO, "%a - Bad comm buffer size! %d < %d\n", __FUNC=
TION__, InternalCommBufferSize, ExpectedSize ));=0D
+ PolicyCommmHeader->Result =3D EFI_INVALID_PARAMETER;=0D
+ break;=0D
+ }=0D
+=0D
+ // Now that we know we've got a valid size, we can fill in the rest =
of the data.=0D
+ IsEnabledParams =3D (VAR_CHECK_POLICY_COMM_IS_ENABLED_PARAMS*)((UINT=
8*)CommBuffer + sizeof(VAR_CHECK_POLICY_COMM_HEADER));=0D
+ IsEnabledParams->State =3D IsVariablePolicyEnabled();=0D
+ PolicyCommmHeader->Result =3D EFI_SUCCESS;=0D
+ break;=0D
+=0D
+ case VAR_CHECK_POLICY_COMMAND_REGISTER:=0D
+ // Make sure that we're dealing with a reasonable size.=0D
+ // This add should be safe because these are fixed sizes so far.=0D
+ ExpectedSize +=3D sizeof(VARIABLE_POLICY_ENTRY);=0D
+ if (InternalCommBufferSize < ExpectedSize) {=0D
+ DEBUG(( DEBUG_INFO, "%a - Bad comm buffer size! %d < %d\n", __FUNC=
TION__, InternalCommBufferSize, ExpectedSize ));=0D
+ PolicyCommmHeader->Result =3D EFI_INVALID_PARAMETER;=0D
+ break;=0D
+ }=0D
+=0D
+ // At the very least, we can assume that we're working with a valid =
policy entry.=0D
+ // Time to compare its internal size.=0D
+ PolicyEntry =3D (VARIABLE_POLICY_ENTRY*)((UINT8*)InternalCommBuffer =
+ sizeof(VAR_CHECK_POLICY_COMM_HEADER));=0D
+ if (PolicyEntry->Version !=3D VARIABLE_POLICY_ENTRY_REVISION ||=0D
+ PolicyEntry->Size < sizeof(VARIABLE_POLICY_ENTRY) ||=0D
+ EFI_ERROR(SafeUintnAdd(sizeof(VAR_CHECK_POLICY_COMM_HEADER), Pol=
icyEntry->Size, &ExpectedSize)) ||=0D
+ InternalCommBufferSize < ExpectedSize) {=0D
+ DEBUG(( DEBUG_INFO, "%a - Bad policy entry contents!\n", __FUNCTIO=
N__ ));=0D
+ PolicyCommmHeader->Result =3D EFI_INVALID_PARAMETER;=0D
+ break;=0D
+ }=0D
+=0D
+ PolicyCommmHeader->Result =3D RegisterVariablePolicy( PolicyEntry );=
=0D
+ break;=0D
+=0D
+ case VAR_CHECK_POLICY_COMMAND_DUMP:=0D
+ // Make sure that we're dealing with a reasonable size.=0D
+ // This add should be safe because these are fixed sizes so far.=0D
+ ExpectedSize +=3D sizeof(VAR_CHECK_POLICY_COMM_DUMP_PARAMS) + VAR_CH=
ECK_POLICY_MM_DUMP_BUFFER_SIZE;=0D
+ if (InternalCommBufferSize < ExpectedSize) {=0D
+ DEBUG(( DEBUG_INFO, "%a - Bad comm buffer size! %d < %d\n", __FUNC=
TION__, InternalCommBufferSize, ExpectedSize ));=0D
+ PolicyCommmHeader->Result =3D EFI_INVALID_PARAMETER;=0D
+ break;=0D
+ }=0D
+=0D
+ // Now that we know we've got a valid size, we can fill in the rest =
of the data.=0D
+ DumpParamsIn =3D (VAR_CHECK_POLICY_COMM_DUMP_PARAMS*)(InternalPolicy=
CommmHeader + 1);=0D
+ DumpParamsOut =3D (VAR_CHECK_POLICY_COMM_DUMP_PARAMS*)(PolicyCommmHe=
ader + 1);=0D
+=0D
+ // If we're requesting the first page, initialize the cache and get =
the sizes.=0D
+ if (DumpParamsIn->PageRequested =3D=3D 0) {=0D
+ if (PaginationCache !=3D NULL) {=0D
+ FreePool (PaginationCache);=0D
+ PaginationCache =3D NULL;=0D
+ }=0D
+=0D
+ // Determine what the required size is going to be.=0D
+ DumpParamsOut->TotalSize =3D 0;=0D
+ DumpParamsOut->PageSize =3D 0;=0D
+ DumpParamsOut->HasMore =3D FALSE;=0D
+ SubCommandStatus =3D DumpVariablePolicy (NULL, &TempSize);=0D
+ if (SubCommandStatus =3D=3D EFI_BUFFER_TOO_SMALL && TempSize > 0) =
{=0D
+ CurrentPaginationCommand =3D VAR_CHECK_POLICY_COMMAND_DUMP;=0D
+ PaginationCacheSize =3D TempSize;=0D
+ DumpParamsOut->TotalSize =3D TempSize;=0D
+ PaginationCache =3D AllocatePool (PaginationCacheSize);=0D
+ if (PaginationCache =3D=3D NULL) {=0D
+ SubCommandStatus =3D EFI_OUT_OF_RESOURCES;=0D
+ }=0D
+ }=0D
+=0D
+ // If we've allocated our pagination cache, we're good to cache.=0D
+ if (PaginationCache !=3D NULL) {=0D
+ SubCommandStatus =3D DumpVariablePolicy (PaginationCache, &TempS=
ize);=0D
+ }=0D
+=0D
+ // Populate the remaining fields and we can boogie.=0D
+ if (!EFI_ERROR (SubCommandStatus) && PaginationCache !=3D NULL) {=
=0D
+ DumpParamsOut->HasMore =3D TRUE;=0D
+ }=0D
+ } else if (PaginationCache !=3D NULL) {=0D
+ DumpParamsOut->TotalSize =3D (UINT32)PaginationCacheSize;=0D
+ DumpOutputBuffer =3D (UINT8*)(DumpParamsOut + 1);=0D
+=0D
+ // Make sure that we don't over-index the cache.=0D
+ DumpTotalPages =3D PaginationCacheSize / VAR_CHECK_POLICY_MM_DUMP_=
BUFFER_SIZE;=0D
+ if (PaginationCacheSize % VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE) {=
=0D
+ DumpTotalPages++;=0D
+ }=0D
+ if (DumpParamsIn->PageRequested > DumpTotalPages) {=0D
+ SubCommandStatus =3D EFI_INVALID_PARAMETER;=0D
+ } else {=0D
+ // Figure out how far into the page cache we need to go for our =
next page.=0D
+ // We know the blind subtraction won't be bad because we already=
checked for page 0.=0D
+ DumpInputBuffer =3D &PaginationCache[VAR_CHECK_POLICY_MM_DUMP_BU=
FFER_SIZE * (DumpParamsIn->PageRequested - 1)];=0D
+ TempSize =3D VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE;=0D
+ // If we're getting the last page, adjust the PageSize.=0D
+ if (DumpParamsIn->PageRequested =3D=3D DumpTotalPages) {=0D
+ TempSize =3D PaginationCacheSize % VAR_CHECK_POLICY_MM_DUMP_BU=
FFER_SIZE;=0D
+ }=0D
+ CopyMem (DumpOutputBuffer, DumpInputBuffer, TempSize);=0D
+ DumpParamsOut->PageSize =3D TempSize;=0D
+ // If we just got the last page, settle up the cache.=0D
+ if (DumpParamsIn->PageRequested =3D=3D DumpTotalPages) {=0D
+ DumpParamsOut->HasMore =3D FALSE;=0D
+ FreePool (PaginationCache);=0D
+ PaginationCache =3D NULL;=0D
+ PaginationCacheSize =3D 0;=0D
+ CurrentPaginationCommand =3D 0;=0D
+ // Otherwise, we could do more here.=0D
+ } else {=0D
+ DumpParamsOut->HasMore =3D TRUE;=0D
+ }=0D
+=0D
+ // If we made it this far, we're basically good.=0D
+ SubCommandStatus =3D EFI_SUCCESS;=0D
+ }=0D
+ // If we've requested any other page than 0 and the cache is empty, =
we must have timed out.=0D
+ } else {=0D
+ DumpParamsOut->TotalSize =3D 0;=0D
+ DumpParamsOut->PageSize =3D 0;=0D
+ DumpParamsOut->HasMore =3D FALSE;=0D
+ SubCommandStatus =3D EFI_TIMEOUT;=0D
+ }=0D
+=0D
+ // There's currently no use for this, but it shouldn't be hard to im=
plement.=0D
+ PolicyCommmHeader->Result =3D SubCommandStatus;=0D
+ break;=0D
+=0D
+ case VAR_CHECK_POLICY_COMMAND_LOCK:=0D
+ PolicyCommmHeader->Result =3D LockVariablePolicy();=0D
+ break;=0D
+=0D
+ default:=0D
+ // Mark unknown requested command as EFI_UNSUPPORTED.=0D
+ DEBUG(( DEBUG_INFO, "%a - Invalid command requested! %d\n", __FUNCTI=
ON__, PolicyCommmHeader->Command ));=0D
+ PolicyCommmHeader->Result =3D EFI_UNSUPPORTED;=0D
+ break;=0D
+ }=0D
+=0D
+ DEBUG(( DEBUG_VERBOSE, "%a - Command %d returning %r.\n", __FUNCTION__,=
=0D
+ PolicyCommmHeader->Command, PolicyCommmHeader->Result ));=0D
+=0D
+ return Status;=0D
+}=0D
+=0D
+=0D
+/**=0D
+ Constructor function of VarCheckPolicyLib to register VarCheck handler a=
nd=0D
+ SW MMI handlers.=0D
+=0D
+ @param[in] ImageHandle The firmware allocated handle for the EFI imag=
e.=0D
+ @param[in] SystemTable A pointer to the EFI System Table.=0D
+=0D
+ @retval EFI_SUCCESS The constructor executed correctly.=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+VarCheckPolicyLibConstructor (=0D
+ IN EFI_HANDLE ImageHandle,=0D
+ IN EFI_SYSTEM_TABLE *SystemTable=0D
+ )=0D
+{=0D
+ EFI_STATUS Status;=0D
+ EFI_HANDLE DiscardedHandle;=0D
+=0D
+ // Initialize the business logic with the internal GetVariable handler.=
=0D
+ Status =3D InitVariablePolicyLib( VariableServiceGetVariable );=0D
+=0D
+ // Only proceed with init if the business logic could be initialized.=0D
+ if (!EFI_ERROR( Status )) {=0D
+ // Register the VarCheck handler for SetVariable filtering.=0D
+ // Forward the check to the business logic of the library.=0D
+ VarCheckLibRegisterSetVariableCheckHandler( ValidateSetVariable );=0D
+=0D
+ // Register the MMI handlers for receiving policy commands.=0D
+ DiscardedHandle =3D NULL;=0D
+ Status =3D gMmst->MmiHandlerRegister( VarCheckPolicyLibMmiHandler,=0D
+ &gVarCheckPolicyLibMmiHandlerGuid,=
=0D
+ &DiscardedHandle );=0D
+ }=0D
+ // Otherwise, there's not much we can do.=0D
+ else {=0D
+ DEBUG(( DEBUG_ERROR, "%a - Cannot Initialize VariablePolicyLib! %r\n",=
__FUNCTION__, Status ));=0D
+ ASSERT_EFI_ERROR( Status );=0D
+ }=0D
+=0D
+ return Status;=0D
+}=0D
diff --git a/MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h b/MdeModulePkg/I=
nclude/Guid/VarCheckPolicyMmi.h
new file mode 100644
index 000000000000..77bcc62f3ccf
--- /dev/null
+++ b/MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h
@@ -0,0 +1,54 @@
+/** @file -- VarCheckPolicyMmiCommon.h=0D
+This header contains communication definitions that are shared between DXE=
=0D
+and the MM component of VarCheckPolicy.=0D
+=0D
+Copyright (c) Microsoft Corporation.=0D
+SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+**/=0D
+=0D
+#ifndef _VAR_CHECK_POLICY_MMI_COMMON_H_=0D
+#define _VAR_CHECK_POLICY_MMI_COMMON_H_=0D
+=0D
+#define VAR_CHECK_POLICY_COMM_SIG SIGNATURE_32('V', 'C', 'P', 'C')=
=0D
+#define VAR_CHECK_POLICY_COMM_REVISION 1=0D
+=0D
+#pragma pack(push, 1)=0D
+=0D
+typedef struct _VAR_CHECK_POLICY_COMM_HEADER {=0D
+ UINT32 Signature;=0D
+ UINT32 Revision;=0D
+ UINT32 Command;=0D
+ EFI_STATUS Result;=0D
+} VAR_CHECK_POLICY_COMM_HEADER;=0D
+=0D
+typedef struct _VAR_CHECK_POLICY_COMM_IS_ENABLED_PARAMS {=0D
+ BOOLEAN State;=0D
+} VAR_CHECK_POLICY_COMM_IS_ENABLED_PARAMS;=0D
+=0D
+typedef struct _VAR_CHECK_POLICY_COMM_DUMP_PARAMS {=0D
+ UINT32 PageRequested;=0D
+ UINT32 TotalSize;=0D
+ UINT32 PageSize;=0D
+ BOOLEAN HasMore;=0D
+} VAR_CHECK_POLICY_COMM_DUMP_PARAMS;=0D
+=0D
+#pragma pack(pop)=0D
+=0D
+// Make sure that we will hold at least the headers.=0D
+#define VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE MAX((OFFSET_OF(EFI_MM_COMM=
UNICATE_HEADER, Data) + sizeof (VAR_CHECK_POLICY_COMM_HEADER) + EFI_PAGES_T=
O_SIZE(1)), EFI_PAGES_TO_SIZE(4))=0D
+#define VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE (VAR_CHECK_POLICY_MM_COMM_=
BUFFER_SIZE - \=0D
+ (OFFSET_OF(EFI_MM_COMM=
UNICATE_HEADER, Data) + \=0D
+ sizeof(VAR_CHECK_POL=
ICY_COMM_HEADER) + \=0D
+ sizeof(VAR_CHECK_POL=
ICY_COMM_DUMP_PARAMS)))=0D
+STATIC_ASSERT (=0D
+ VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE < VAR_CHECK_POLICY_MM_COMM_BUFFER_S=
IZE,=0D
+ "an integer underflow may have occurred calculating VAR_CHECK_POLICY_MM_=
DUMP_BUFFER_SIZE"=0D
+ );=0D
+=0D
+#define VAR_CHECK_POLICY_COMMAND_DISABLE 0x0001=0D
+#define VAR_CHECK_POLICY_COMMAND_IS_ENABLED 0x0002=0D
+#define VAR_CHECK_POLICY_COMMAND_REGISTER 0x0003=0D
+#define VAR_CHECK_POLICY_COMMAND_DUMP 0x0004=0D
+#define VAR_CHECK_POLICY_COMMAND_LOCK 0x0005=0D
+=0D
+#endif // _VAR_CHECK_POLICY_MMI_COMMON_H_=0D
diff --git a/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf b=
/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf
new file mode 100644
index 000000000000..077bcc8990ca
--- /dev/null
+++ b/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf
@@ -0,0 +1,42 @@
+## @file VarCheckPolicyLib.inf=0D
+# This is an instance of a VarCheck lib that leverages the business logic =
behind=0D
+# the VariablePolicy code to make its decisions.=0D
+#=0D
+# Copyright (c) Microsoft Corporation.=0D
+# SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+##=0D
+=0D
+[Defines]=0D
+ INF_VERSION =3D 0x00010005=0D
+ BASE_NAME =3D VarCheckPolicyLib=0D
+ FILE_GUID =3D 9C28A48F-C884-4B1F-8B95-DEF125448023=
=0D
+ MODULE_TYPE =3D DXE_RUNTIME_DRIVER=0D
+ VERSION_STRING =3D 1.0=0D
+ LIBRARY_CLASS =3D NULL|DXE_RUNTIME_DRIVER DXE_SMM_DRIVE=
R=0D
+ CONSTRUCTOR =3D VarCheckPolicyLibConstructor=0D
+=0D
+=0D
+[Sources]=0D
+ VarCheckPolicyLib.c=0D
+=0D
+=0D
+[Packages]=0D
+ MdePkg/MdePkg.dec=0D
+ MdeModulePkg/MdeModulePkg.dec=0D
+=0D
+=0D
+[LibraryClasses]=0D
+ BaseLib=0D
+ DebugLib=0D
+ BaseMemoryLib=0D
+ DxeServicesLib=0D
+ MemoryAllocationLib=0D
+ VarCheckLib=0D
+ VariablePolicyLib=0D
+ VariablePolicyHelperLib=0D
+ SafeIntLib=0D
+ MmServicesTableLib=0D
+=0D
+=0D
+[Guids]=0D
+ gVarCheckPolicyLibMmiHandlerGuid ## CONSUME ## Used to register f=
or MM Communication events.=0D
diff --git a/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.uni b=
/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.uni
new file mode 100644
index 000000000000..eedeeed15d31
--- /dev/null
+++ b/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.uni
@@ -0,0 +1,12 @@
+// /** @file=0D
+// VarCheckPolicyLib.uni=0D
+//=0D
+// Copyright (c) Microsoft Corporation.=0D
+// SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+//=0D
+// **/=0D
+=0D
+=0D
+#string STR_MODULE_ABSTRACT #language en-US "NULL library impl=
ementation that conforms to the VarCheck interface to allow VariablePolicy =
engine to enforce policies"=0D
+=0D
+#string STR_MODULE_DESCRIPTION #language en-US "NULL library impl=
ementation that conforms to the VarCheck interface to allow VariablePolicy =
engine to enforce policies"=0D
diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
index 51f7f9d7246a..00075528198d 100644
--- a/MdeModulePkg/MdeModulePkg.dec
+++ b/MdeModulePkg/MdeModulePkg.dec
@@ -385,6 +385,10 @@ [Guids]
## Include/Guid/EndofS3Resume.h=0D
gEdkiiEndOfS3ResumeGuid =3D { 0x96f5296d, 0x05f7, 0x4f3c, {0x84, 0x67, 0=
xe4, 0x56, 0x89, 0x0e, 0x0c, 0xb5 } }=0D
=0D
+ ## Used (similar to Variable Services) to communicate policies to the en=
forcement engine.=0D
+ # {DA1B0D11-D1A7-46C4-9DC9-F3714875C6EB}=0D
+ gVarCheckPolicyLibMmiHandlerGuid =3D { 0xda1b0d11, 0xd1a7, 0x46c4, { 0x9=
d, 0xc9, 0xf3, 0x71, 0x48, 0x75, 0xc6, 0xeb }}=0D
+=0D
## Include/Guid/S3SmmInitDone.h=0D
gEdkiiS3SmmInitDoneGuid =3D { 0x8f9d4825, 0x797d, 0x48fc, { 0x84, 0x71, =
0x84, 0x50, 0x25, 0x79, 0x2e, 0xf6 } }=0D
=0D
diff --git a/MdeModulePkg/MdeModulePkg.dsc b/MdeModulePkg/MdeModulePkg.dsc
index 37795b9e4f58..f0a75a3b337b 100644
--- a/MdeModulePkg/MdeModulePkg.dsc
+++ b/MdeModulePkg/MdeModulePkg.dsc
@@ -313,6 +313,7 @@ [Components]
MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf=0D
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf=0D
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf=0D
+ MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf=0D
MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf=0D
MdeModulePkg/Library/VarCheckHiiLib/VarCheckHiiLib.inf=0D
MdeModulePkg/Library/VarCheckPcdLib/VarCheckPcdLib.inf=0D
@@ -458,6 +459,7 @@ [Components.IA32, Components.X64]
MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf=0D
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf {=0D
<LibraryClasses>=0D
+ NULL|MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf=0D
NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf=0D
NULL|MdeModulePkg/Library/VarCheckHiiLib/VarCheckHiiLib.inf=0D
NULL|MdeModulePkg/Library/VarCheckPcdLib/VarCheckPcdLib.inf=0D
--=20
2.28.0.windows.1


[PATCH v7 03/14] MdeModulePkg: Define the VariablePolicyHelperLib

Bret Barkelew
 

https://bugzilla.tianocore.org/show_bug.cgi?id=3D2522

VariablePolicy is an updated interface to
replace VarLock and VarCheckProtocol.

Add the VariablePolicyHelperLib library, containing
several functions to help with the repetitive process
of creating a correctly structured and packed
VariablePolicy entry.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Bret Barkelew <brbarkel@microsoft.com>
Signed-off-by: Bret Barkelew <brbarkel@microsoft.com>
---
MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.c |=
396 ++++++++++++++++++++
MdeModulePkg/Include/Library/VariablePolicyHelperLib.h |=
164 ++++++++
MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf |=
35 ++
MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.uni |=
12 +
MdeModulePkg/MdeModulePkg.dec |=
5 +
MdeModulePkg/MdeModulePkg.dsc |=
2 +
6 files changed, 614 insertions(+)

diff --git a/MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHel=
perLib.c b/MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelpe=
rLib.c
new file mode 100644
index 000000000000..0c9299c8b0e1
--- /dev/null
+++ b/MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.c
@@ -0,0 +1,396 @@
+/** @file -- VariablePolicyHelperLib.c=0D
+This library contains helper functions for marshalling and registering=0D
+new policies with the VariablePolicy infrastructure.=0D
+=0D
+This library is currently written against VariablePolicy revision 0x000100=
00.=0D
+=0D
+Copyright (c) Microsoft Corporation.=0D
+SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+=0D
+**/=0D
+=0D
+#include <Uefi.h>=0D
+=0D
+#include <Library/BaseLib.h>=0D
+#include <Library/DebugLib.h>=0D
+#include <Library/BaseMemoryLib.h>=0D
+#include <Library/MemoryAllocationLib.h>=0D
+=0D
+#include <Protocol/VariablePolicy.h>=0D
+=0D
+/**=0D
+ This internal helper function populates the header structure,=0D
+ all common fields, and takes care of fix-ups.=0D
+=0D
+ NOTE: Only use this internally. Assumes correctly-sized buffers.=0D
+=0D
+ @param[out] EntPtr Pointer to the buffer to be populated.=0D
+ @param[in] Namespace Pointer to an EFI_GUID for the target variable n=
amespace that this policy will protect.=0D
+ @param[in] MinSize MinSize for the VariablePolicy.=0D
+ @param[in] MaxSize MaxSize for the VariablePolicy.=0D
+ @param[in] AttributesMustHave AttributesMustHave for the VariablePol=
icy.=0D
+ @param[in] AttributesCantHave AttributesCantHave for the VariablePol=
icy.=0D
+ @param[in] LockPolicyType LockPolicyType for the VariablePolicy.=
=0D
+=0D
+**/=0D
+STATIC=0D
+VOID=0D
+PopulateCommonData (=0D
+ OUT VARIABLE_POLICY_ENTRY *EntPtr,=0D
+ IN CONST EFI_GUID *Namespace,=0D
+ IN UINT32 MinSize,=0D
+ IN UINT32 MaxSize,=0D
+ IN UINT32 AttributesMustHave,=0D
+ IN UINT32 AttributesCantHave,=0D
+ IN UINT8 LockPolicyType=0D
+ )=0D
+{=0D
+ EntPtr->Version =3D VARIABLE_POLICY_ENTRY_REVISION;=0D
+ CopyGuid( &EntPtr->Namespace, Namespace );=0D
+ EntPtr->MinSize =3D MinSize;=0D
+ EntPtr->MaxSize =3D MaxSize;=0D
+ EntPtr->AttributesMustHave =3D AttributesMustHave;=0D
+ EntPtr->AttributesCantHave =3D AttributesCantHave;=0D
+ EntPtr->LockPolicyType =3D LockPolicyType;=0D
+=0D
+ // NOTE: As a heler, fix up MaxSize for compatibility with the old model=
.=0D
+ if (EntPtr->MaxSize =3D=3D 0) {=0D
+ EntPtr->MaxSize =3D VARIABLE_POLICY_NO_MAX_SIZE;=0D
+ }=0D
+=0D
+ return;=0D
+}=0D
+=0D
+=0D
+/**=0D
+ This helper function will allocate and populate a new VariablePolicy=0D
+ structure for a policy that does not contain any sub-structures (such as=
=0D
+ VARIABLE_LOCK_ON_VAR_STATE_POLICY).=0D
+=0D
+ NOTE: Caller will need to free structure once finished.=0D
+=0D
+ @param[in] Namespace Pointer to an EFI_GUID for the target variable n=
amespace that this policy will protect.=0D
+ @param[in] Name [Optional] If provided, a pointer to the CHAR16 =
array for the target variable name.=0D
+ Otherwise, will create a policy that targets an =
entire namespace.=0D
+ @param[in] MinSize MinSize for the VariablePolicy.=0D
+ @param[in] MaxSize MaxSize for the VariablePolicy.=0D
+ @param[in] AttributesMustHave AttributesMustHave for the VariablePol=
icy.=0D
+ @param[in] AttributesCantHave AttributesCantHave for the VariablePol=
icy.=0D
+ @param[in] LockPolicyType LockPolicyType for the VariablePolicy.=
=0D
+ @param[out] NewEntry If successful, will be set to a pointer to the a=
llocated buffer containing the=0D
+ new policy.=0D
+=0D
+ @retval EFI_SUCCESS Operation completed successfully and=
structure is populated.=0D
+ @retval EFI_INVALID_PARAMETER Namespace is NULL.=0D
+ @retval EFI_INVALID_PARAMETER LockPolicyType is invalid for a basi=
c structure.=0D
+ @retval EFI_BUFFER_TOO_SMALL Finished structure would not fit in =
UINT16 size.=0D
+ @retval EFI_OUT_OF_RESOURCES Could not allocate sufficient space =
for structure.=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+CreateBasicVariablePolicy (=0D
+ IN CONST EFI_GUID *Namespace,=0D
+ IN CONST CHAR16 *Name OPTIONAL,=0D
+ IN UINT32 MinSize,=0D
+ IN UINT32 MaxSize,=0D
+ IN UINT32 AttributesMustHave,=0D
+ IN UINT32 AttributesCantHave,=0D
+ IN UINT8 LockPolicyType,=0D
+ OUT VARIABLE_POLICY_ENTRY **NewEntry=0D
+ )=0D
+{=0D
+ UINTN TotalSize;=0D
+ UINTN NameSize;=0D
+ VARIABLE_POLICY_ENTRY *EntPtr;=0D
+ CHAR16 *CopyName;=0D
+=0D
+ // Check some initial invalid parameters for this function.=0D
+ if (Namespace =3D=3D NULL || NewEntry =3D=3D NULL) {=0D
+ return EFI_INVALID_PARAMETER;=0D
+ }=0D
+ if (LockPolicyType !=3D VARIABLE_POLICY_TYPE_NO_LOCK &&=0D
+ LockPolicyType !=3D VARIABLE_POLICY_TYPE_LOCK_NOW &&=0D
+ LockPolicyType !=3D VARIABLE_POLICY_TYPE_LOCK_ON_CREATE) {=0D
+ return EFI_INVALID_PARAMETER;=0D
+ }=0D
+=0D
+ // Now we've gotta determine the total size of the buffer required for=0D
+ // the VariablePolicy structure.=0D
+ TotalSize =3D sizeof( VARIABLE_POLICY_ENTRY );=0D
+ if (Name !=3D NULL) {=0D
+ NameSize =3D StrnSizeS( Name, MAX_UINT16 );=0D
+ TotalSize +=3D NameSize;=0D
+ }=0D
+ // Make sure the size fits within a VARIABLE_POLICY_ENTRY.Size.=0D
+ ASSERT( TotalSize <=3D MAX_UINT16 );=0D
+ if (TotalSize > MAX_UINT16) {=0D
+ return EFI_BUFFER_TOO_SMALL;=0D
+ }=0D
+=0D
+ // Allocate a buffer to hold all the data. We're on the home stretch.=0D
+ *NewEntry =3D AllocatePool( TotalSize );=0D
+ if (*NewEntry =3D=3D NULL) {=0D
+ return EFI_OUT_OF_RESOURCES;=0D
+ }=0D
+=0D
+ // If we're still here, we're basically done.=0D
+ // Copy the data and GET... OUT....=0D
+ EntPtr =3D *NewEntry;=0D
+ PopulateCommonData ( EntPtr,=0D
+ Namespace,=0D
+ MinSize,=0D
+ MaxSize,=0D
+ AttributesMustHave,=0D
+ AttributesCantHave,=0D
+ LockPolicyType );=0D
+ EntPtr->Size =3D (UINT16)TotalSize; // This is safe =
because we've already checked.=0D
+ EntPtr->OffsetToName =3D sizeof(VARIABLE_POLICY_ENTRY);=0D
+ if (Name !=3D NULL) {=0D
+ CopyName =3D (CHAR16*)((UINT8*)EntPtr + EntPtr->OffsetToName);=0D
+ CopyMem( CopyName, Name, NameSize );=0D
+ }=0D
+=0D
+ return EFI_SUCCESS;=0D
+}=0D
+=0D
+=0D
+/**=0D
+ This helper function will allocate and populate a new VariablePolicy=0D
+ structure for a policy with a lock type of VARIABLE_POLICY_TYPE_LOCK_ON_=
VAR_STATE.=0D
+=0D
+ NOTE: Caller will need to free structure once finished.=0D
+=0D
+ @param[in] Namespace Pointer to an EFI_GUID for the target variable n=
amespace that this policy will protect.=0D
+ @param[in] Name [Optional] If provided, a pointer to the CHAR16 =
array for the target variable name.=0D
+ Otherwise, will create a policy that targets an =
entire namespace.=0D
+ @param[in] MinSize MinSize for the VariablePolicy.=0D
+ @param[in] MaxSize MaxSize for the VariablePolicy.=0D
+ @param[in] AttributesMustHave AttributesMustHave for the VariablePol=
icy.=0D
+ @param[in] AttributesCantHave AttributesCantHave for the VariablePol=
icy.=0D
+ @param[in] VarStateNamespace Pointer to the EFI_GUID for the VARIAB=
LE_LOCK_ON_VAR_STATE_POLICY.Namespace.=0D
+ @param[in] VarStateValue Value for the VARIABLE_LOCK_ON_VAR_STA=
TE_POLICY.Value.=0D
+ @param[in] VarStateName Pointer to the CHAR16 array for the VA=
RIABLE_LOCK_ON_VAR_STATE_POLICY.Name.=0D
+ @param[out] NewEntry If successful, will be set to a pointer to the a=
llocated buffer containing the=0D
+ new policy.=0D
+=0D
+ @retval EFI_SUCCESS Operation completed successfully and=
structure is populated.=0D
+ @retval EFI_INVALID_PARAMETER Namespace, VarStateNamespace, VarSta=
teName is NULL.=0D
+ @retval EFI_BUFFER_TOO_SMALL Finished structure would not fit in =
UINT16 size.=0D
+ @retval EFI_OUT_OF_RESOURCES Could not allocate sufficient space =
for structure.=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+CreateVarStateVariablePolicy (=0D
+ IN CONST EFI_GUID *Namespace,=0D
+ IN CONST CHAR16 *Name OPTIONAL,=0D
+ IN UINT32 MinSize,=0D
+ IN UINT32 MaxSize,=0D
+ IN UINT32 AttributesMustHave,=0D
+ IN UINT32 AttributesCantHave,=0D
+ IN CONST EFI_GUID *VarStateNamespace,=0D
+ IN UINT8 VarStateValue,=0D
+ IN CONST CHAR16 *VarStateName,=0D
+ OUT VARIABLE_POLICY_ENTRY **NewEntry=0D
+ )=0D
+{=0D
+ UINTN TotalSize;=0D
+ UINTN NameSize;=0D
+ UINTN VarStateNameSize;=0D
+ VARIABLE_POLICY_ENTRY *EntPtr;=0D
+ CHAR16 *CopyName;=0D
+ VARIABLE_LOCK_ON_VAR_STATE_POLICY *CopyPolicy;=0D
+=0D
+ // Check some initial invalid parameters for this function.=0D
+ if (Namespace =3D=3D NULL || VarStateNamespace =3D=3D NULL ||=0D
+ VarStateName =3D=3D NULL || NewEntry =3D=3D NULL) {=0D
+ return EFI_INVALID_PARAMETER;=0D
+ }=0D
+=0D
+ // Now we've gotta determine the total size of the buffer required for=0D
+ // the VariablePolicy structure.=0D
+ VarStateNameSize =3D StrnSizeS( VarStateName, MAX_UINT16 );=0D
+ TotalSize =3D sizeof( VARIABLE_POLICY_ENTRY ) +=0D
+ sizeof(VARIABLE_LOCK_ON_VAR_STATE_POLICY) +=0D
+ VarStateNameSize;=0D
+ if (Name !=3D NULL) {=0D
+ NameSize =3D StrnSizeS( Name, MAX_UINT16 );=0D
+ TotalSize +=3D NameSize;=0D
+ }=0D
+ // Make sure the size fits within a VARIABLE_POLICY_ENTRY.Size.=0D
+ ASSERT( TotalSize <=3D MAX_UINT16 );=0D
+ if (TotalSize > MAX_UINT16) {=0D
+ return EFI_BUFFER_TOO_SMALL;=0D
+ }=0D
+=0D
+ // Allocate a buffer to hold all the data. We're on the home stretch.=0D
+ *NewEntry =3D AllocatePool( TotalSize );=0D
+ if (*NewEntry =3D=3D NULL) {=0D
+ return EFI_OUT_OF_RESOURCES;=0D
+ }=0D
+=0D
+ // If we're still here, we're basically done.=0D
+ // Copy the data and GET... OUT....=0D
+ EntPtr =3D *NewEntry;=0D
+ PopulateCommonData ( EntPtr,=0D
+ Namespace,=0D
+ MinSize,=0D
+ MaxSize,=0D
+ AttributesMustHave,=0D
+ AttributesCantHave,=0D
+ VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE );=0D
+ EntPtr->Size =3D (UINT16)TotalSize; // This is safe =
because we've already checked.=0D
+ EntPtr->OffsetToName =3D sizeof(VARIABLE_POLICY_ENTRY) +=0D
+ sizeof(VARIABLE_LOCK_ON_VAR_STATE_POLICY) =
+=0D
+ (UINT16)VarStateNameSize;=0D
+=0D
+ CopyPolicy =3D (VARIABLE_LOCK_ON_VAR_STATE_POLICY*)((UINT8*)EntPtr + siz=
eof(VARIABLE_POLICY_ENTRY));=0D
+ CopyName =3D (CHAR16*)((UINT8*)CopyPolicy + sizeof(VARIABLE_LOCK_ON_VAR_=
STATE_POLICY));=0D
+ CopyGuid( &CopyPolicy->Namespace, VarStateNamespace );=0D
+ CopyPolicy->Value =3D VarStateValue;=0D
+ CopyMem( CopyName, VarStateName, VarStateNameSize );=0D
+=0D
+ if (Name !=3D NULL) {=0D
+ CopyName =3D (CHAR16*)((UINT8*)EntPtr + EntPtr->OffsetToName);=0D
+ CopyMem( CopyName, Name, NameSize );=0D
+ }=0D
+=0D
+ return EFI_SUCCESS;=0D
+}=0D
+=0D
+=0D
+/**=0D
+ This helper function does everything that CreateBasicVariablePolicy() do=
es, but also=0D
+ uses the passed in protocol to register the policy with the infrastructu=
re.=0D
+ Does not return a buffer, does not require the caller to free anything.=
=0D
+=0D
+ @param[in] VariablePolicy Pointer to a valid instance of the VariableP=
olicy protocol.=0D
+ @param[in] Namespace Pointer to an EFI_GUID for the target variable n=
amespace that this policy will protect.=0D
+ @param[in] Name [Optional] If provided, a pointer to the CHAR16 =
array for the target variable name.=0D
+ Otherwise, will create a policy that targets an =
entire namespace.=0D
+ @param[in] MinSize MinSize for the VariablePolicy.=0D
+ @param[in] MaxSize MaxSize for the VariablePolicy.=0D
+ @param[in] AttributesMustHave AttributesMustHave for the VariablePol=
icy.=0D
+ @param[in] AttributesCantHave AttributesCantHave for the VariablePol=
icy.=0D
+ @param[in] LockPolicyType LockPolicyType for the VariablePolicy.=
=0D
+=0D
+ @retval EFI_INVALID_PARAMETER VariablePolicy pointer is NULL.=0D
+ @retval EFI_STATUS Status returned by CreateBasicVariable=
Policy() or RegisterVariablePolicy().=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+RegisterBasicVariablePolicy (=0D
+ IN EDKII_VARIABLE_POLICY_PROTOCOL *VariablePolicy,=0D
+ IN CONST EFI_GUID *Namespace,=0D
+ IN CONST CHAR16 *Name OPTIONAL,=0D
+ IN UINT32 MinSize,=0D
+ IN UINT32 MaxSize,=0D
+ IN UINT32 AttributesMustHave,=0D
+ IN UINT32 AttributesCantHave,=0D
+ IN UINT8 LockPolicyType=0D
+ )=0D
+{=0D
+ VARIABLE_POLICY_ENTRY *NewEntry;=0D
+ EFI_STATUS Status;=0D
+=0D
+ // Check the simple things.=0D
+ if (VariablePolicy =3D=3D NULL) {=0D
+ return EFI_INVALID_PARAMETER;=0D
+ }=0D
+=0D
+ // Create the new entry and make sure that everything worked.=0D
+ NewEntry =3D NULL;=0D
+ Status =3D CreateBasicVariablePolicy( Namespace,=0D
+ Name,=0D
+ MinSize,=0D
+ MaxSize,=0D
+ AttributesMustHave,=0D
+ AttributesCantHave,=0D
+ LockPolicyType,=0D
+ &NewEntry );=0D
+=0D
+ // If that was successful, attempt to register the new policy.=0D
+ if (!EFI_ERROR( Status )) {=0D
+ Status =3D VariablePolicy->RegisterVariablePolicy( NewEntry );=0D
+ }=0D
+=0D
+ // If we allocated the buffer, free the buffer.=0D
+ if (NewEntry !=3D NULL) {=0D
+ FreePool( NewEntry );=0D
+ }=0D
+=0D
+ return Status;=0D
+}=0D
+=0D
+=0D
+/**=0D
+ This helper function does everything that CreateBasicVariablePolicy() do=
es, but also=0D
+ uses the passed in protocol to register the policy with the infrastructu=
re.=0D
+ Does not return a buffer, does not require the caller to free anything.=
=0D
+=0D
+ @param[in] VariablePolicy Pointer to a valid instance of the VariableP=
olicy protocol.=0D
+ @param[in] Namespace Pointer to an EFI_GUID for the target variable n=
amespace that this policy will protect.=0D
+ @param[in] Name [Optional] If provided, a pointer to the CHAR16 =
array for the target variable name.=0D
+ Otherwise, will create a policy that targets an =
entire namespace.=0D
+ @param[in] MinSize MinSize for the VariablePolicy.=0D
+ @param[in] MaxSize MaxSize for the VariablePolicy.=0D
+ @param[in] AttributesMustHave AttributesMustHave for the VariablePol=
icy.=0D
+ @param[in] AttributesCantHave AttributesCantHave for the VariablePol=
icy.=0D
+ @param[in] VarStateNamespace Pointer to the EFI_GUID for the VARIAB=
LE_LOCK_ON_VAR_STATE_POLICY.Namespace.=0D
+ @param[in] VarStateName Pointer to the CHAR16 array for the VA=
RIABLE_LOCK_ON_VAR_STATE_POLICY.Name.=0D
+ @param[in] VarStateValue Value for the VARIABLE_LOCK_ON_VAR_STA=
TE_POLICY.Value.=0D
+=0D
+ @retval EFI_INVALID_PARAMETER VariablePolicy pointer is NULL.=0D
+ @retval EFI_STATUS Status returned by CreateBasicVariablePolicy()=
or RegisterVariablePolicy().=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+RegisterVarStateVariablePolicy (=0D
+ IN EDKII_VARIABLE_POLICY_PROTOCOL *VariablePolicy,=0D
+ IN CONST EFI_GUID *Namespace,=0D
+ IN CONST CHAR16 *Name OPTIONAL,=0D
+ IN UINT32 MinSize,=0D
+ IN UINT32 MaxSize,=0D
+ IN UINT32 AttributesMustHave,=0D
+ IN UINT32 AttributesCantHave,=0D
+ IN CONST EFI_GUID *VarStateNamespace,=0D
+ IN CONST CHAR16 *VarStateName,=0D
+ IN UINT8 VarStateValue=0D
+ )=0D
+{=0D
+ VARIABLE_POLICY_ENTRY *NewEntry;=0D
+ EFI_STATUS Status;=0D
+=0D
+ // Check the simple things.=0D
+ if (VariablePolicy =3D=3D NULL) {=0D
+ return EFI_INVALID_PARAMETER;=0D
+ }=0D
+=0D
+ // Create the new entry and make sure that everything worked.=0D
+ NewEntry =3D NULL;=0D
+ Status =3D CreateVarStateVariablePolicy( Namespace,=0D
+ Name,=0D
+ MinSize,=0D
+ MaxSize,=0D
+ AttributesMustHave,=0D
+ AttributesCantHave,=0D
+ VarStateNamespace,=0D
+ VarStateValue,=0D
+ VarStateName,=0D
+ &NewEntry );=0D
+=0D
+ // If that was successful, attempt to register the new policy.=0D
+ if (!EFI_ERROR( Status )) {=0D
+ Status =3D VariablePolicy->RegisterVariablePolicy( NewEntry );=0D
+ }=0D
+=0D
+ // If we allocated the buffer, free the buffer.=0D
+ if (NewEntry !=3D NULL) {=0D
+ FreePool( NewEntry );=0D
+ }=0D
+=0D
+ return Status;=0D
+}=0D
diff --git a/MdeModulePkg/Include/Library/VariablePolicyHelperLib.h b/MdeMo=
dulePkg/Include/Library/VariablePolicyHelperLib.h
new file mode 100644
index 000000000000..3b75e9786094
--- /dev/null
+++ b/MdeModulePkg/Include/Library/VariablePolicyHelperLib.h
@@ -0,0 +1,164 @@
+/** @file -- VariablePolicyHelperLib.h=0D
+This library contains helper functions for marshalling and registering=0D
+new policies with the VariablePolicy infrastructure.=0D
+=0D
+Copyright (c) Microsoft Corporation.=0D
+SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+=0D
+**/=0D
+=0D
+#ifndef _EDKII_VARIABLE_POLICY_HELPER_LIB_H_=0D
+#define _EDKII_VARIABLE_POLICY_HELPER_LIB_H_=0D
+=0D
+#include <Protocol/VariablePolicy.h>=0D
+=0D
+/**=0D
+ This helper function will allocate and populate a new VariablePolicy=0D
+ structure for a policy that does not contain any sub-structures (such as=
=0D
+ VARIABLE_LOCK_ON_VAR_STATE_POLICY).=0D
+=0D
+ NOTE: Caller will need to free structure once finished.=0D
+=0D
+ @param[in] Namespace Pointer to an EFI_GUID for the target variable n=
amespace that this policy will protect.=0D
+ @param[in] Name [Optional] If provided, a pointer to the CHAR16 =
array for the target variable name.=0D
+ Otherwise, will create a policy that targets an =
entire namespace.=0D
+ @param[in] MinSize MinSize for the VariablePolicy.=0D
+ @param[in] MaxSize MaxSize for the VariablePolicy.=0D
+ @param[in] AttributesMustHave AttributesMustHave for the VariablePol=
icy.=0D
+ @param[in] AttributesCantHave AttributesCantHave for the VariablePol=
icy.=0D
+ @param[in] LockPolicyType LockPolicyType for the VariablePolicy.=
=0D
+ @param[out] NewEntry If successful, will be set to a pointer to the a=
llocated buffer containing the=0D
+ new policy.=0D
+=0D
+ @retval EFI_SUCCESS Operation completed successfully and=
structure is populated.=0D
+ @retval EFI_INVALID_PARAMETER Namespace is NULL.=0D
+ @retval EFI_INVALID_PARAMETER LockPolicyType is invalid for a basi=
c structure.=0D
+ @retval EFI_BUFFER_TOO_SMALL Finished structure would not fit in =
UINT16 size.=0D
+ @retval EFI_OUT_OF_RESOURCES Could not allocate sufficient space =
for structure.=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+CreateBasicVariablePolicy (=0D
+ IN CONST EFI_GUID *Namespace,=0D
+ IN CONST CHAR16 *Name OPTIONAL,=0D
+ IN UINT32 MinSize,=0D
+ IN UINT32 MaxSize,=0D
+ IN UINT32 AttributesMustHave,=0D
+ IN UINT32 AttributesCantHave,=0D
+ IN UINT8 LockPolicyType,=0D
+ OUT VARIABLE_POLICY_ENTRY **NewEntry=0D
+ );=0D
+=0D
+=0D
+/**=0D
+ This helper function will allocate and populate a new VariablePolicy=0D
+ structure for a policy with a lock type of VARIABLE_POLICY_TYPE_LOCK_ON_=
VAR_STATE.=0D
+=0D
+ NOTE: Caller will need to free structure once finished.=0D
+=0D
+ @param[in] Namespace Pointer to an EFI_GUID for the target variable n=
amespace that this policy will protect.=0D
+ @param[in] Name [Optional] If provided, a pointer to the CHAR16 =
array for the target variable name.=0D
+ Otherwise, will create a policy that targets an =
entire namespace.=0D
+ @param[in] MinSize MinSize for the VariablePolicy.=0D
+ @param[in] MaxSize MaxSize for the VariablePolicy.=0D
+ @param[in] AttributesMustHave AttributesMustHave for the VariablePol=
icy.=0D
+ @param[in] AttributesCantHave AttributesCantHave for the VariablePol=
icy.=0D
+ @param[in] VarStateNamespace Pointer to the EFI_GUID for the VARIAB=
LE_LOCK_ON_VAR_STATE_POLICY.Namespace.=0D
+ @param[in] VarStateValue Value for the VARIABLE_LOCK_ON_VAR_STA=
TE_POLICY.Value.=0D
+ @param[in] VarStateName Pointer to the CHAR16 array for the VA=
RIABLE_LOCK_ON_VAR_STATE_POLICY.Name.=0D
+ @param[out] NewEntry If successful, will be set to a pointer to the a=
llocated buffer containing the=0D
+ new policy.=0D
+=0D
+ @retval EFI_SUCCESS Operation completed successfully and=
structure is populated.=0D
+ @retval EFI_INVALID_PARAMETER Namespace, VarStateNamespace, VarSta=
teName is NULL.=0D
+ @retval EFI_BUFFER_TOO_SMALL Finished structure would not fit in =
UINT16 size.=0D
+ @retval EFI_OUT_OF_RESOURCES Could not allocate sufficient space =
for structure.=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+CreateVarStateVariablePolicy (=0D
+ IN CONST EFI_GUID *Namespace,=0D
+ IN CONST CHAR16 *Name OPTIONAL,=0D
+ IN UINT32 MinSize,=0D
+ IN UINT32 MaxSize,=0D
+ IN UINT32 AttributesMustHave,=0D
+ IN UINT32 AttributesCantHave,=0D
+ IN CONST EFI_GUID *VarStateNamespace,=0D
+ IN UINT8 VarStateValue,=0D
+ IN CONST CHAR16 *VarStateName,=0D
+ OUT VARIABLE_POLICY_ENTRY **NewEntry=0D
+ );=0D
+=0D
+=0D
+/**=0D
+ This helper function does everything that CreateBasicVariablePolicy() do=
es, but also=0D
+ uses the passed in protocol to register the policy with the infrastructu=
re.=0D
+ Does not return a buffer, does not require the caller to free anything.=
=0D
+=0D
+ @param[in] VariablePolicy Pointer to a valid instance of the VariableP=
olicy protocol.=0D
+ @param[in] Namespace Pointer to an EFI_GUID for the target variable n=
amespace that this policy will protect.=0D
+ @param[in] Name [Optional] If provided, a pointer to the CHAR16 =
array for the target variable name.=0D
+ Otherwise, will create a policy that targets an =
entire namespace.=0D
+ @param[in] MinSize MinSize for the VariablePolicy.=0D
+ @param[in] MaxSize MaxSize for the VariablePolicy.=0D
+ @param[in] AttributesMustHave AttributesMustHave for the VariablePol=
icy.=0D
+ @param[in] AttributesCantHave AttributesCantHave for the VariablePol=
icy.=0D
+ @param[in] LockPolicyType LockPolicyType for the VariablePolicy.=
=0D
+=0D
+ @retval EFI_INVALID_PARAMETER VariablePolicy pointer is NULL.=0D
+ @retval EFI_STATUS Status returned by CreateBasicVariable=
Policy() or RegisterVariablePolicy().=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+RegisterBasicVariablePolicy (=0D
+ IN EDKII_VARIABLE_POLICY_PROTOCOL *VariablePolicy,=0D
+ IN CONST EFI_GUID *Namespace,=0D
+ IN CONST CHAR16 *Name OPTIONAL,=0D
+ IN UINT32 MinSize,=0D
+ IN UINT32 MaxSize,=0D
+ IN UINT32 AttributesMustHave,=0D
+ IN UINT32 AttributesCantHave,=0D
+ IN UINT8 LockPolicyType=0D
+ );=0D
+=0D
+=0D
+/**=0D
+ This helper function does everything that CreateBasicVariablePolicy() do=
es, but also=0D
+ uses the passed in protocol to register the policy with the infrastructu=
re.=0D
+ Does not return a buffer, does not require the caller to free anything.=
=0D
+=0D
+ @param[in] VariablePolicy Pointer to a valid instance of the VariableP=
olicy protocol.=0D
+ @param[in] Namespace Pointer to an EFI_GUID for the target variable n=
amespace that this policy will protect.=0D
+ @param[in] Name [Optional] If provided, a pointer to the CHAR16 =
array for the target variable name.=0D
+ Otherwise, will create a policy that targets an =
entire namespace.=0D
+ @param[in] MinSize MinSize for the VariablePolicy.=0D
+ @param[in] MaxSize MaxSize for the VariablePolicy.=0D
+ @param[in] AttributesMustHave AttributesMustHave for the VariablePol=
icy.=0D
+ @param[in] AttributesCantHave AttributesCantHave for the VariablePol=
icy.=0D
+ @param[in] VarStateNamespace Pointer to the EFI_GUID for the VARIAB=
LE_LOCK_ON_VAR_STATE_POLICY.Namespace.=0D
+ @param[in] VarStateName Pointer to the CHAR16 array for the VA=
RIABLE_LOCK_ON_VAR_STATE_POLICY.Name.=0D
+ @param[in] VarStateValue Value for the VARIABLE_LOCK_ON_VAR_STA=
TE_POLICY.Value.=0D
+=0D
+ @retval EFI_INVALID_PARAMETER VariablePolicy pointer is NULL.=0D
+ @retval EFI_STATUS Status returned by CreateBasicVariablePolicy()=
or RegisterVariablePolicy().=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+RegisterVarStateVariablePolicy (=0D
+ IN EDKII_VARIABLE_POLICY_PROTOCOL *VariablePolicy,=0D
+ IN CONST EFI_GUID *Namespace,=0D
+ IN CONST CHAR16 *Name OPTIONAL,=0D
+ IN UINT32 MinSize,=0D
+ IN UINT32 MaxSize,=0D
+ IN UINT32 AttributesMustHave,=0D
+ IN UINT32 AttributesCantHave,=0D
+ IN CONST EFI_GUID *VarStateNamespace,=0D
+ IN CONST CHAR16 *VarStateName,=0D
+ IN UINT8 VarStateValue=0D
+ );=0D
+=0D
+#endif // _EDKII_VARIABLE_POLICY_HELPER_LIB_H_=0D
diff --git a/MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHel=
perLib.inf b/MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHel=
perLib.inf
new file mode 100644
index 000000000000..506abf580e94
--- /dev/null
+++ b/MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.=
inf
@@ -0,0 +1,35 @@
+## @file VariablePolicyHelperLib.inf=0D
+# This library contains helper functions for marshalling and registering=0D
+# new policies with the VariablePolicy infrastructure.=0D
+#=0D
+# This library is currently written against VariablePolicy revision 0x0001=
0000.=0D
+#=0D
+# Copyright (c) Microsoft Corporation.=0D
+# SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+##=0D
+=0D
+=0D
+[Defines]=0D
+ INF_VERSION =3D 0x00010017=0D
+ BASE_NAME =3D VariablePolicyHelperLib=0D
+ # MODULE_UNI_FILE =3D VariablePolicyHelperLib.uni=0D
+ FILE_GUID =3D B3C2206B-FDD1-4AED-8352-FC5EC34C5630=0D
+ VERSION_STRING =3D 1.0=0D
+ MODULE_TYPE =3D BASE=0D
+ LIBRARY_CLASS =3D VariablePolicyHelperLib=0D
+=0D
+=0D
+[Sources]=0D
+ VariablePolicyHelperLib.c=0D
+=0D
+=0D
+[Packages]=0D
+ MdePkg/MdePkg.dec=0D
+ MdeModulePkg/MdeModulePkg.dec=0D
+=0D
+=0D
+[LibraryClasses]=0D
+ BaseLib=0D
+ DebugLib=0D
+ MemoryAllocationLib=0D
+ BaseMemoryLib=0D
diff --git a/MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHel=
perLib.uni b/MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHel=
perLib.uni
new file mode 100644
index 000000000000..39cbf11a4ce9
--- /dev/null
+++ b/MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.=
uni
@@ -0,0 +1,12 @@
+// /** @file=0D
+// VariablePolicyHelperLib.uni=0D
+//=0D
+// Copyright (c) Microsoft Corporation.=0D
+// SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+//=0D
+// **/=0D
+=0D
+=0D
+#string STR_MODULE_ABSTRACT #language en-US "Library containin=
g helper functions for marshalling and registering new policies with the Va=
riablePolicy infrastructure"=0D
+=0D
+#string STR_MODULE_DESCRIPTION #language en-US "Library containin=
g helper functions for marshalling and registering new policies with the Va=
riablePolicy infrastructure"=0D
diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
index 51c7057bfd1b..51f7f9d7246a 100644
--- a/MdeModulePkg/MdeModulePkg.dec
+++ b/MdeModulePkg/MdeModulePkg.dec
@@ -149,6 +149,11 @@ [LibraryClasses]
#=0D
DisplayUpdateProgressLib|Include/Library/DisplayUpdateProgressLib.h=0D
=0D
+ ## @libraryclass This library contains helper functions for marshallin=
g and=0D
+ # registering new policies with the VariablePolicy infrastructure.=0D
+ #=0D
+ VariablePolicyHelperLib|Include/Library/VariablePolicyHelperLib.h=0D
+=0D
[Guids]=0D
## MdeModule package token space guid=0D
# Include/Guid/MdeModulePkgTokenSpace.h=0D
diff --git a/MdeModulePkg/MdeModulePkg.dsc b/MdeModulePkg/MdeModulePkg.dsc
index 14b6ed536962..37795b9e4f58 100644
--- a/MdeModulePkg/MdeModulePkg.dsc
+++ b/MdeModulePkg/MdeModulePkg.dsc
@@ -99,6 +99,7 @@ [LibraryClasses]
BmpSupportLib|MdeModulePkg/Library/BaseBmpSupportLib/BaseBmpSupportLib.i=
nf=0D
SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf=0D
DisplayUpdateProgressLib|MdeModulePkg/Library/DisplayUpdateProgressLibGr=
aphics/DisplayUpdateProgressLibGraphics.inf=0D
+ VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/Var=
iablePolicyHelperLib.inf=0D
=0D
[LibraryClasses.EBC.PEIM]=0D
IoLib|MdePkg/Library/PeiIoLibCpuIo/PeiIoLibCpuIo.inf=0D
@@ -225,6 +226,7 @@ [Components]
MdeModulePkg/Library/UefiHiiServicesLib/UefiHiiServicesLib.inf=0D
MdeModulePkg/Library/BaseHobLibNull/BaseHobLibNull.inf=0D
MdeModulePkg/Library/BaseMemoryAllocationLibNull/BaseMemoryAllocationLib=
Null.inf=0D
+ MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf=
=0D
=0D
MdeModulePkg/Bus/Pci/PciHostBridgeDxe/PciHostBridgeDxe.inf=0D
MdeModulePkg/Bus/Pci/PciSioSerialDxe/PciSioSerialDxe.inf=0D
--=20
2.28.0.windows.1


[PATCH v7 02/14] MdeModulePkg: Define the VariablePolicyLib

Bret Barkelew
 

https://bugzilla.tianocore.org/show_bug.cgi?id=3D2522

VariablePolicy is an updated interface to
replace VarLock and VarCheckProtocol.

Add the VariablePolicyLib library that implements
the portable business logic for the VariablePolicy
engine.

Also add host-based CI test cases for the lib.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Bret Barkelew <brbarkel@microsoft.com>
Signed-off-by: Bret Barkelew <brbarkel@microsoft.com>
---
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitNull.c =
| 46 +
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitRuntimeDxe.c=
| 85 +
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c =
| 830 +++++++
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePoli=
cyUnitTest.c | 2452 ++++++++++++++++++++
MdeModulePkg/Include/Library/VariablePolicyLib.h =
| 207 ++
MdeModulePkg/Library/VariablePolicyLib/ReadMe.md =
| 410 ++++
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf =
| 49 +
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.uni =
| 12 +
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf =
| 51 +
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePoli=
cyUnitTest.inf | 45 +
MdeModulePkg/MdeModulePkg.ci.yaml =
| 4 +-
MdeModulePkg/MdeModulePkg.dec =
| 3 +
MdeModulePkg/MdeModulePkg.dsc =
| 5 +
MdeModulePkg/Test/MdeModulePkgHostTest.dsc =
| 11 +
14 files changed, 4209 insertions(+), 1 deletion(-)

diff --git a/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInit=
Null.c b/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitNull=
.c
new file mode 100644
index 000000000000..ad2ee0b2fb8f
--- /dev/null
+++ b/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitNull.c
@@ -0,0 +1,46 @@
+/** @file -- VariablePolicyExtraInitNull.c=0D
+This file contains extra init and deinit routines that don't do anything=0D
+extra.=0D
+=0D
+Copyright (c) Microsoft Corporation.=0D
+SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+=0D
+**/=0D
+=0D
+#include <Library/UefiRuntimeServicesTableLib.h>=0D
+=0D
+=0D
+/**=0D
+ An extra init hook that enables the RuntimeDxe library instance to=0D
+ register VirtualAddress change callbacks. Among other things.=0D
+=0D
+ @retval EFI_SUCCESS Everything is good. Continue with init.=0D
+ @retval Others Uh... don't continue.=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+VariablePolicyExtraInit (=0D
+ VOID=0D
+ )=0D
+{=0D
+ // NULL implementation.=0D
+ return EFI_SUCCESS;=0D
+}=0D
+=0D
+=0D
+/**=0D
+ An extra deinit hook that enables the RuntimeDxe library instance to=0D
+ register VirtualAddress change callbacks. Among other things.=0D
+=0D
+ @retval EFI_SUCCESS Everything is good. Continue with deinit.=0D
+ @retval Others Uh... don't continue.=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+VariablePolicyExtraDeinit (=0D
+ VOID=0D
+ )=0D
+{=0D
+ // NULL implementation.=0D
+ return EFI_SUCCESS;=0D
+}=0D
diff --git a/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInit=
RuntimeDxe.c b/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraIn=
itRuntimeDxe.c
new file mode 100644
index 000000000000..3ca87048b14b
--- /dev/null
+++ b/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitRuntime=
Dxe.c
@@ -0,0 +1,85 @@
+/** @file -- VariablePolicyExtraInitRuntimeDxe.c=0D
+This file contains extra init and deinit routines that register and unregi=
ster=0D
+VariableAddressChange callbacks.=0D
+=0D
+Copyright (c) Microsoft Corporation.=0D
+SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+=0D
+**/=0D
+=0D
+#include <Library/UefiBootServicesTableLib.h>=0D
+#include <Library/UefiRuntimeServicesTableLib.h>=0D
+=0D
+extern EFI_GET_VARIABLE mGetVariableHelper;=0D
+extern UINT8 *mPolicyTable;=0D
+STATIC BOOLEAN mIsVirtualAddrConverted;=0D
+STATIC EFI_EVENT mVariablePolicyLibVirtualAddressChangeEvent =3D=
NULL;=0D
+=0D
+/**=0D
+ For the RuntimeDxe version of this lib, convert internal pointer address=
es to virtual addresses.=0D
+=0D
+ @param[in] Event Event whose notification function is being invoked=
.=0D
+ @param[in] Context The pointer to the notification function's context=
, which=0D
+ is implementation-dependent.=0D
+**/=0D
+STATIC=0D
+VOID=0D
+EFIAPI=0D
+VariablePolicyLibVirtualAddressCallback (=0D
+ IN EFI_EVENT Event,=0D
+ IN VOID *Context=0D
+ )=0D
+{=0D
+ gRT->ConvertPointer (0, (VOID **)&mPolicyTable);=0D
+ gRT->ConvertPointer (0, (VOID **)&mGetVariableHelper);=0D
+ mIsVirtualAddrConverted =3D TRUE;=0D
+}=0D
+=0D
+=0D
+/**=0D
+ An extra init hook that enables the RuntimeDxe library instance to=0D
+ register VirtualAddress change callbacks. Among other things.=0D
+=0D
+ @retval EFI_SUCCESS Everything is good. Continue with init.=0D
+ @retval Others Uh... don't continue.=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+VariablePolicyExtraInit (=0D
+ VOID=0D
+ )=0D
+{=0D
+ return gBS->CreateEventEx (EVT_NOTIFY_SIGNAL,=0D
+ TPL_NOTIFY,=0D
+ VariablePolicyLibVirtualAddressCallback,=0D
+ NULL,=0D
+ &gEfiEventVirtualAddressChangeGuid,=0D
+ &mVariablePolicyLibVirtualAddressChangeEvent=
);=0D
+}=0D
+=0D
+=0D
+/**=0D
+ An extra deinit hook that enables the RuntimeDxe library instance to=0D
+ register VirtualAddress change callbacks. Among other things.=0D
+=0D
+ @retval EFI_SUCCESS Everything is good. Continue with deinit.=0D
+ @retval Others Uh... don't continue.=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+VariablePolicyExtraDeinit (=0D
+ VOID=0D
+ )=0D
+{=0D
+ EFI_STATUS Status;=0D
+=0D
+ Status =3D EFI_SUCCESS;=0D
+ if (mIsVirtualAddrConverted) {=0D
+ Status =3D gBS->CloseEvent (mVariablePolicyLibVirtualAddressChangeEven=
t);=0D
+ }=0D
+ else {=0D
+ Status =3D EFI_SUCCESS;=0D
+ }=0D
+=0D
+ return Status;=0D
+}=0D
diff --git a/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c b/M=
deModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c
new file mode 100644
index 000000000000..5029ddb96adb
--- /dev/null
+++ b/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c
@@ -0,0 +1,830 @@
+/** @file -- VariablePolicyLib.c=0D
+Business logic for Variable Policy enforcement.=0D
+=0D
+Copyright (c) Microsoft Corporation.=0D
+SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+=0D
+**/=0D
+=0D
+#include <Uefi.h>=0D
+=0D
+#include <Library/SafeIntLib.h>=0D
+#include <Library/MemoryAllocationLib.h>=0D
+#include <Library/BaseMemoryLib.h>=0D
+#include <Library/DebugLib.h>=0D
+#include <Library/PcdLib.h>=0D
+=0D
+#include <Protocol/VariablePolicy.h>=0D
+#include <Library/VariablePolicyLib.h>=0D
+=0D
+=0D
+// IMPORTANT NOTE: This library is currently rife with multiple return sta=
tements=0D
+// for error handling. A refactor should remove these at s=
ome point.=0D
+=0D
+//=0D
+// This library was designed with advanced unit-test features.=0D
+// This define handles the configuration.=0D
+#ifdef INTERNAL_UNIT_TEST=0D
+#undef STATIC=0D
+#define STATIC // Nothing...=0D
+#endif=0D
+=0D
+// An abstracted GetVariable interface that enables configuration regardle=
ss of the environment.=0D
+EFI_GET_VARIABLE mGetVariableHelper =3D NULL;=0D
+=0D
+// Master switch to lock this entire interface. Does not stop enforcement,=
=0D
+// just prevents the configuration from being changed for the rest of the =
boot.=0D
+STATIC BOOLEAN mInterfaceLocked =3D FALSE;=0D
+=0D
+// Master switch to disable the entire interface for a single boot.=0D
+// This will disable all policy enforcement for the duration of the boot.=
=0D
+STATIC BOOLEAN mProtectionDisabled =3D FALSE;=0D
+=0D
+// Table to hold all the current policies.=0D
+UINT8 *mPolicyTable =3D NULL;=0D
+STATIC UINT32 mCurrentTableSize =3D 0;=0D
+STATIC UINT32 mCurrentTableUsage =3D 0;=0D
+STATIC UINT32 mCurrentTableCount =3D 0;=0D
+=0D
+#define POLICY_TABLE_STEP_SIZE 0x1000=0D
+=0D
+// NOTE: DO NOT USE THESE MACROS on any structure that has not been valida=
ted.=0D
+// Current table data has already been sanitized.=0D
+#define GET_NEXT_POLICY(CurPolicy) (VARIABLE_POLICY_ENTRY*)((UINT8*)Cur=
Policy + CurPolicy->Size)=0D
+#define GET_POLICY_NAME(CurPolicy) (CHAR16*)((UINTN)CurPolicy + CurPoli=
cy->OffsetToName)=0D
+=0D
+#define MATCH_PRIORITY_EXACT 0=0D
+#define MATCH_PRIORITY_MAX MATCH_PRIORITY_EXACT=0D
+#define MATCH_PRIORITY_MIN MAX_UINT8=0D
+=0D
+=0D
+/**=0D
+ An extra init hook that enables the RuntimeDxe library instance to=0D
+ register VirtualAddress change callbacks. Among other things.=0D
+=0D
+ @retval EFI_SUCCESS Everything is good. Continue with init.=0D
+ @retval Others Uh... don't continue.=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+VariablePolicyExtraInit (=0D
+ VOID=0D
+ );=0D
+=0D
+/**=0D
+ An extra deinit hook that enables the RuntimeDxe library instance to=0D
+ register VirtualAddress change callbacks. Among other things.=0D
+=0D
+ @retval EFI_SUCCESS Everything is good. Continue with deinit.=0D
+ @retval Others Uh... don't continue.=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+VariablePolicyExtraDeinit (=0D
+ VOID=0D
+ );=0D
+=0D
+=0D
+/**=0D
+ This helper function determines whether the structure of an incoming pol=
icy=0D
+ is valid and internally consistent.=0D
+=0D
+ @param[in] NewPolicy Pointer to the incoming policy structure.=0D
+=0D
+ @retval TRUE=0D
+ @retval FALSE Pointer is NULL, size is wrong, strings are empty, o=
r=0D
+ substructures overlap.=0D
+=0D
+**/=0D
+STATIC=0D
+BOOLEAN=0D
+IsValidVariablePolicyStructure (=0D
+ IN CONST VARIABLE_POLICY_ENTRY *NewPolicy=0D
+ )=0D
+{=0D
+ EFI_STATUS Status;=0D
+ UINTN EntryEnd;=0D
+ CHAR16 *CheckChar;=0D
+ UINTN WildcardCount;=0D
+=0D
+ // Sanitize some quick values.=0D
+ if (NewPolicy =3D=3D NULL || NewPolicy->Size =3D=3D 0 ||=0D
+ // Structure size should be at least as long as the minumum structur=
e and a NULL string.=0D
+ NewPolicy->Size < sizeof(VARIABLE_POLICY_ENTRY) ||=0D
+ // Check for the known revision.=0D
+ NewPolicy->Version !=3D VARIABLE_POLICY_ENTRY_REVISION) {=0D
+ return FALSE;=0D
+ }=0D
+=0D
+ // Calculate the theoretical end of the structure and make sure=0D
+ // that the structure can fit in memory.=0D
+ Status =3D SafeUintnAdd( (UINTN)NewPolicy, NewPolicy->Size, &EntryEnd );=
=0D
+ if (EFI_ERROR( Status )) {=0D
+ return FALSE;=0D
+ }=0D
+=0D
+ // Check for a valid Max Size.=0D
+ if (NewPolicy->MaxSize =3D=3D 0) {=0D
+ return FALSE;=0D
+ }=0D
+=0D
+ // Check for the valid list of lock policies.=0D
+ if (NewPolicy->LockPolicyType !=3D VARIABLE_POLICY_TYPE_NO_LOCK &&=0D
+ NewPolicy->LockPolicyType !=3D VARIABLE_POLICY_TYPE_LOCK_NOW &&=0D
+ NewPolicy->LockPolicyType !=3D VARIABLE_POLICY_TYPE_LOCK_ON_CREATE &=
&=0D
+ NewPolicy->LockPolicyType !=3D VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STAT=
E)=0D
+ {=0D
+ return FALSE;=0D
+ }=0D
+=0D
+ // If the policy type is VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE, make su=
re that the matching state variable Name=0D
+ // terminates before the OffsetToName for the matching policy variable N=
ame.=0D
+ if (NewPolicy->LockPolicyType =3D=3D VARIABLE_POLICY_TYPE_LOCK_ON_VAR_ST=
ATE) {=0D
+ // Adjust CheckChar to the offset of the LockPolicy->Name.=0D
+ Status =3D SafeUintnAdd( (UINTN)NewPolicy + sizeof(VARIABLE_POLICY_ENT=
RY),=0D
+ sizeof(VARIABLE_LOCK_ON_VAR_STATE_POLICY),=0D
+ (UINTN*)&CheckChar );=0D
+ if (EFI_ERROR( Status ) || EntryEnd <=3D (UINTN)CheckChar) {=0D
+ return FALSE;=0D
+ }=0D
+ while (*CheckChar !=3D CHAR_NULL) {=0D
+ if (EntryEnd <=3D (UINTN)CheckChar) {=0D
+ return FALSE;=0D
+ }=0D
+ CheckChar++;=0D
+ }=0D
+ // At this point we should have either exeeded the structure or be poi=
nting at the last char in LockPolicy->Name.=0D
+ // We should check to make sure that the policy Name comes immediately=
after this charcter.=0D
+ if ((UINTN)++CheckChar !=3D (UINTN)NewPolicy + NewPolicy->OffsetToName=
) {=0D
+ return FALSE;=0D
+ }=0D
+ // If the policy type is any other value, make sure that the LockPolicy =
structure has a zero length.=0D
+ } else {=0D
+ if (NewPolicy->OffsetToName !=3D sizeof(VARIABLE_POLICY_ENTRY)) {=0D
+ return FALSE;=0D
+ }=0D
+ }=0D
+=0D
+ // Check to make sure that the name has a terminating character=0D
+ // before the end of the structure.=0D
+ // We've already checked that the name is within the bounds of the struc=
ture.=0D
+ if (NewPolicy->Size !=3D NewPolicy->OffsetToName) {=0D
+ CheckChar =3D (CHAR16*)((UINTN)NewPolicy + NewPolicy->OffsetToName);=0D
+ WildcardCount =3D 0;=0D
+ while (*CheckChar !=3D CHAR_NULL) {=0D
+ // Make sure there aren't excessive wildcards.=0D
+ if (*CheckChar =3D=3D '#') {=0D
+ WildcardCount++;=0D
+ if (WildcardCount > MATCH_PRIORITY_MIN) {=0D
+ return FALSE;=0D
+ }=0D
+ }=0D
+ // Make sure you're still within the bounds of the policy structure.=
=0D
+ if (EntryEnd <=3D (UINTN)CheckChar) {=0D
+ return FALSE;=0D
+ }=0D
+ CheckChar++;=0D
+ }=0D
+=0D
+ // Finally, we should be pointed at the very last character in Name, s=
o we should be right=0D
+ // up against the end of the structure.=0D
+ if ((UINTN)++CheckChar !=3D EntryEnd) {=0D
+ return FALSE;=0D
+ }=0D
+ }=0D
+=0D
+ return TRUE;=0D
+}=0D
+=0D
+=0D
+/**=0D
+ This helper function evaluates a policy and determines whether it matche=
s the target=0D
+ variable. If matched, will also return a value corresponding to the prio=
rity of the match.=0D
+=0D
+ The rules for "best match" are listed in the Variable Policy Spec.=0D
+ Perfect name matches will return 0.=0D
+ Single wildcard characters will return the number of wildcard characters=
.=0D
+ Full namespaces will return MAX_UINT8.=0D
+=0D
+ @param[in] EvalEntry Pointer to the policy entry being evaluate=
d.=0D
+ @param[in] VariableName Same as EFI_SET_VARIABLE.=0D
+ @param[in] VendorGuid Same as EFI_SET_VARIABLE.=0D
+ @param[out] MatchPriority [Optional] On finding a match, this value =
contains the priority of the match.=0D
+ Lower number =3D=3D higher priority. Only =
valid if a match found.=0D
+=0D
+ @retval TRUE Current entry matches the target variable.=0D
+ @retval FALSE Current entry does not match at all.=0D
+=0D
+**/=0D
+STATIC=0D
+BOOLEAN=0D
+EvaluatePolicyMatch (=0D
+ IN CONST VARIABLE_POLICY_ENTRY *EvalEntry,=0D
+ IN CONST CHAR16 *VariableName,=0D
+ IN CONST EFI_GUID *VendorGuid,=0D
+ OUT UINT8 *MatchPriority OPTIONAL=0D
+ )=0D
+{=0D
+ BOOLEAN Result;=0D
+ CHAR16 *PolicyName;=0D
+ UINT8 CalculatedPriority;=0D
+ UINTN Index;=0D
+=0D
+ Result =3D FALSE;=0D
+ CalculatedPriority =3D MATCH_PRIORITY_EXACT;=0D
+=0D
+ // Step 1: If the GUID doesn't match, we're done. No need to evaluate an=
ything else.=0D
+ if (!CompareGuid( &EvalEntry->Namespace, VendorGuid )) {=0D
+ goto Exit;=0D
+ }=0D
+=0D
+ // If the GUID matches, check to see whether there is a Name associated=
=0D
+ // with the policy. If not, this policy matches the entire namespace.=0D
+ // Missing Name is indicated by size being equal to name.=0D
+ if (EvalEntry->Size =3D=3D EvalEntry->OffsetToName) {=0D
+ CalculatedPriority =3D MATCH_PRIORITY_MIN;=0D
+ Result =3D TRUE;=0D
+ goto Exit;=0D
+ }=0D
+=0D
+ // Now that we know the name exists, get it.=0D
+ PolicyName =3D GET_POLICY_NAME( EvalEntry );=0D
+=0D
+ // Evaluate the name against the policy name and check for a match.=0D
+ // Account for any wildcards.=0D
+ Index =3D 0;=0D
+ Result =3D TRUE;=0D
+ // Keep going until the end of both strings.=0D
+ while (PolicyName[Index] !=3D CHAR_NULL || VariableName[Index] !=3D CHAR=
_NULL) {=0D
+ // If we don't have a match...=0D
+ if (PolicyName[Index] !=3D VariableName[Index] || PolicyName[Index] =
=3D=3D '#') {=0D
+ // If this is a numerical wildcard, we can consider=0D
+ // it a match if we alter the priority.=0D
+ if (PolicyName[Index] =3D=3D L'#' &&=0D
+ ((L'0' <=3D VariableName[Index] && VariableName[Index] <=3D L'=
9') ||=0D
+ (L'A' <=3D VariableName[Index] && VariableName[Index] <=3D L'=
F') ||=0D
+ (L'a' <=3D VariableName[Index] && VariableName[Index] <=3D L'=
f'))) {=0D
+ if (CalculatedPriority < MATCH_PRIORITY_MIN) {=0D
+ CalculatedPriority++;=0D
+ }=0D
+ // Otherwise, not a match.=0D
+ } else {=0D
+ Result =3D FALSE;=0D
+ goto Exit;=0D
+ }=0D
+ }=0D
+ Index++;=0D
+ }=0D
+=0D
+Exit:=0D
+ if (Result && MatchPriority !=3D NULL) {=0D
+ *MatchPriority =3D CalculatedPriority;=0D
+ }=0D
+ return Result;=0D
+}=0D
+=0D
+=0D
+/**=0D
+ This helper function walks the current policy table and returns a pointe=
r=0D
+ to the best match, if any are found. Leverages EvaluatePolicyMatch() to=
=0D
+ determine "best".=0D
+=0D
+ @param[in] VariableName Same as EFI_SET_VARIABLE.=0D
+ @param[in] VendorGuid Same as EFI_SET_VARIABLE.=0D
+ @param[out] ReturnPriority [Optional] If pointer is provided, return=
the=0D
+ priority of the match. Same as EvaluatePo=
licyMatch().=0D
+ Only valid if a match is returned.=0D
+=0D
+ @retval VARIABLE_POLICY_ENTRY* Best match that was found.=0D
+ @retval NULL No match was found.=0D
+=0D
+**/=0D
+STATIC=0D
+VARIABLE_POLICY_ENTRY*=0D
+GetBestPolicyMatch (=0D
+ IN CONST CHAR16 *VariableName,=0D
+ IN CONST EFI_GUID *VendorGuid,=0D
+ OUT UINT8 *ReturnPriority OPTIONAL=0D
+ )=0D
+{=0D
+ VARIABLE_POLICY_ENTRY *BestResult;=0D
+ VARIABLE_POLICY_ENTRY *CurrentEntry;=0D
+ UINT8 MatchPriority;=0D
+ UINT8 CurrentPriority;=0D
+ UINTN Index;=0D
+=0D
+ BestResult =3D NULL;=0D
+ MatchPriority =3D MATCH_PRIORITY_EXACT;=0D
+=0D
+ // Walk all entries in the table, looking for matches.=0D
+ CurrentEntry =3D (VARIABLE_POLICY_ENTRY*)mPolicyTable;=0D
+ for (Index =3D 0; Index < mCurrentTableCount; Index++) {=0D
+ // Check for a match.=0D
+ if (EvaluatePolicyMatch( CurrentEntry, VariableName, VendorGuid, &Curr=
entPriority )) {=0D
+ // If match is better, take it.=0D
+ if (BestResult =3D=3D NULL || CurrentPriority < MatchPriority) {=0D
+ BestResult =3D CurrentEntry;=0D
+ MatchPriority =3D CurrentPriority;=0D
+ }=0D
+=0D
+ // If you've hit the highest-priority match, can exit now.=0D
+ if (MatchPriority =3D=3D 0) {=0D
+ break;=0D
+ }=0D
+ }=0D
+=0D
+ // If we're still in the loop, move to the next entry.=0D
+ CurrentEntry =3D GET_NEXT_POLICY( CurrentEntry );=0D
+ }=0D
+=0D
+ // If a return priority was requested, return it.=0D
+ if (ReturnPriority !=3D NULL) {=0D
+ *ReturnPriority =3D MatchPriority;=0D
+ }=0D
+=0D
+ return BestResult;=0D
+}=0D
+=0D
+=0D
+/**=0D
+ This API function validates and registers a new policy with=0D
+ the policy enforcement engine.=0D
+=0D
+ @param[in] NewPolicy Pointer to the incoming policy structure.=0D
+=0D
+ @retval EFI_SUCCESS=0D
+ @retval EFI_INVALID_PARAMETER NewPolicy is NULL or is internally i=
nconsistent.=0D
+ @retval EFI_ALREADY_STARTED An identical matching policy already=
exists.=0D
+ @retval EFI_WRITE_PROTECTED The interface has been locked until =
the next reboot.=0D
+ @retval EFI_UNSUPPORTED Policy enforcement has been disabled=
. No reason to add more policies.=0D
+ @retval EFI_ABORTED A calculation error has prevented th=
is function from completing.=0D
+ @retval EFI_OUT_OF_RESOURCES Cannot grow the table to hold any mo=
re policies.=0D
+ @retval EFI_NOT_READY Library has not yet been initialized=
.=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+RegisterVariablePolicy (=0D
+ IN CONST VARIABLE_POLICY_ENTRY *NewPolicy=0D
+ )=0D
+{=0D
+ EFI_STATUS Status;=0D
+ VARIABLE_POLICY_ENTRY *MatchPolicy;=0D
+ UINT8 MatchPriority;=0D
+ UINT32 NewSize;=0D
+ UINT8 *NewTable;=0D
+=0D
+ if (!IsVariablePolicyLibInitialized()) {=0D
+ return EFI_NOT_READY;=0D
+ }=0D
+ if (mInterfaceLocked) {=0D
+ return EFI_WRITE_PROTECTED;=0D
+ }=0D
+=0D
+ if (!IsValidVariablePolicyStructure( NewPolicy )) {=0D
+ return EFI_INVALID_PARAMETER;=0D
+ }=0D
+=0D
+ // Check to see whether an exact matching policy already exists.=0D
+ MatchPolicy =3D GetBestPolicyMatch( GET_POLICY_NAME( NewPolicy ),=0D
+ &NewPolicy->Namespace,=0D
+ &MatchPriority );=0D
+ if (MatchPolicy !=3D NULL && MatchPriority =3D=3D MATCH_PRIORITY_EXACT) =
{=0D
+ return EFI_ALREADY_STARTED;=0D
+ }=0D
+=0D
+ // If none exists, create it.=0D
+ // If we need more space, allocate that now.=0D
+ Status =3D SafeUint32Add( mCurrentTableUsage, NewPolicy->Size, &NewSize =
);=0D
+ if (EFI_ERROR( Status )) {=0D
+ return EFI_ABORTED;=0D
+ }=0D
+ if (NewSize > mCurrentTableSize) {=0D
+ // Use NewSize to calculate the new table size in units of POLICY_TABL=
E_STEP_SIZE.=0D
+ NewSize =3D (NewSize % POLICY_TABLE_STEP_SIZE) > 0 ?=0D
+ (NewSize / POLICY_TABLE_STEP_SIZE) + 1 :=0D
+ (NewSize / POLICY_TABLE_STEP_SIZE);=0D
+ // Calculate the new table size in absolute bytes.=0D
+ Status =3D SafeUint32Mult( NewSize, POLICY_TABLE_STEP_SIZE, &NewSize )=
;=0D
+ if (EFI_ERROR( Status )) {=0D
+ return EFI_ABORTED;=0D
+ }=0D
+=0D
+ // Reallocate and copy the table.=0D
+ NewTable =3D AllocatePool( NewSize );=0D
+ if (NewTable =3D=3D NULL) {=0D
+ return EFI_OUT_OF_RESOURCES;=0D
+ }=0D
+ CopyMem( NewTable, mPolicyTable, mCurrentTableUsage );=0D
+ mCurrentTableSize =3D NewSize;=0D
+ if (mPolicyTable !=3D NULL) {=0D
+ FreePool( mPolicyTable );=0D
+ }=0D
+ mPolicyTable =3D NewTable;=0D
+ }=0D
+ // Copy the policy into the table.=0D
+ CopyMem( mPolicyTable + mCurrentTableUsage, NewPolicy, NewPolicy->Size )=
;=0D
+ mCurrentTableUsage +=3D NewPolicy->Size;=0D
+ mCurrentTableCount +=3D 1;=0D
+=0D
+ // We're done here.=0D
+=0D
+ return EFI_SUCCESS;=0D
+}=0D
+=0D
+=0D
+/**=0D
+ This API function checks to see whether the parameters to SetVariable wo=
uld=0D
+ be allowed according to the current variable policies.=0D
+=0D
+ @param[in] VariableName Same as EFI_SET_VARIABLE.=0D
+ @param[in] VendorGuid Same as EFI_SET_VARIABLE.=0D
+ @param[in] Attributes Same as EFI_SET_VARIABLE.=0D
+ @param[in] DataSize Same as EFI_SET_VARIABLE.=0D
+ @param[in] Data Same as EFI_SET_VARIABLE.=0D
+=0D
+ @retval EFI_SUCCESS A matching policy allows this update=
.=0D
+ @retval EFI_SUCCESS There are currently no policies that=
restrict this update.=0D
+ @retval EFI_SUCCESS The protections have been disable un=
til the next reboot.=0D
+ @retval EFI_WRITE_PROTECTED Variable is currently locked.=0D
+ @retval EFI_INVALID_PARAMETER Attributes or size are invalid.=0D
+ @retval EFI_ABORTED A lock policy exists, but an error p=
revented evaluation.=0D
+ @retval EFI_NOT_READY Library has not been initialized.=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+ValidateSetVariable (=0D
+ IN CHAR16 *VariableName,=0D
+ IN EFI_GUID *VendorGuid,=0D
+ IN UINT32 Attributes,=0D
+ IN UINTN DataSize,=0D
+ IN VOID *Data=0D
+ )=0D
+{=0D
+ BOOLEAN IsDel;=0D
+ VARIABLE_POLICY_ENTRY *ActivePolicy;=0D
+ EFI_STATUS Status;=0D
+ EFI_STATUS ReturnStatus;=0D
+ VARIABLE_LOCK_ON_VAR_STATE_POLICY *StateVarPolicy;=0D
+ CHAR16 *StateVarName;=0D
+ UINTN StateVarSize;=0D
+ UINT8 StateVar;=0D
+=0D
+ ReturnStatus =3D EFI_SUCCESS;=0D
+=0D
+ if (!IsVariablePolicyLibInitialized()) {=0D
+ ReturnStatus =3D EFI_NOT_READY;=0D
+ goto Exit;=0D
+ }=0D
+=0D
+ // Bail if the protections are currently disabled.=0D
+ if (mProtectionDisabled) {=0D
+ ReturnStatus =3D EFI_SUCCESS;=0D
+ goto Exit;=0D
+ }=0D
+=0D
+ // Determine whether this is a delete operation.=0D
+ // If so, it will affect which tests are applied.=0D
+ if ((DataSize =3D=3D 0) && ((Attributes & EFI_VARIABLE_APPEND_WRITE) =3D=
=3D 0)) {=0D
+ IsDel =3D TRUE;=0D
+ } else {=0D
+ IsDel =3D FALSE;=0D
+ }=0D
+=0D
+ // Find an active policy if one exists.=0D
+ ActivePolicy =3D GetBestPolicyMatch( VariableName, VendorGuid, NULL );=0D
+=0D
+ // If we have an active policy, check it against the incoming data.=0D
+ if (ActivePolicy !=3D NULL) {=0D
+ //=0D
+ // Only enforce size and attribute constraints when updating data, not=
deleting.=0D
+ if (!IsDel) {=0D
+ // Check for size constraints.=0D
+ if ((ActivePolicy->MinSize > 0 && DataSize < ActivePolicy->MinSize) =
||=0D
+ (ActivePolicy->MaxSize > 0 && DataSize > ActivePolicy->MaxSize))=
{=0D
+ ReturnStatus =3D EFI_INVALID_PARAMETER;=0D
+ DEBUG(( DEBUG_VERBOSE, "%a - Bad Size. 0x%X <> 0x%X-0x%X\n", __FUN=
CTION__,=0D
+ DataSize, ActivePolicy->MinSize, ActivePolicy->MaxSize ));=
=0D
+ goto Exit;=0D
+ }=0D
+=0D
+ // Check for attribute constraints.=0D
+ if ((ActivePolicy->AttributesMustHave & Attributes) !=3D ActivePolic=
y->AttributesMustHave ||=0D
+ (ActivePolicy->AttributesCantHave & Attributes) !=3D 0) {=0D
+ ReturnStatus =3D EFI_INVALID_PARAMETER;=0D
+ DEBUG(( DEBUG_VERBOSE, "%a - Bad Attributes. 0x%X <> 0x%X:0x%X\n",=
__FUNCTION__,=0D
+ Attributes, ActivePolicy->AttributesMustHave, ActivePolicy=
->AttributesCantHave ));=0D
+ goto Exit;=0D
+ }=0D
+ }=0D
+=0D
+ //=0D
+ // Lock policy check.=0D
+ //=0D
+ // Check for immediate lock.=0D
+ if (ActivePolicy->LockPolicyType =3D=3D VARIABLE_POLICY_TYPE_LOCK_NOW)=
{=0D
+ ReturnStatus =3D EFI_WRITE_PROTECTED;=0D
+ goto Exit;=0D
+ // Check for lock on create.=0D
+ } else if (ActivePolicy->LockPolicyType =3D=3D VARIABLE_POLICY_TYPE_LO=
CK_ON_CREATE) {=0D
+ StateVarSize =3D 0;=0D
+ Status =3D mGetVariableHelper( VariableName,=0D
+ VendorGuid,=0D
+ NULL,=0D
+ &StateVarSize,=0D
+ NULL );=0D
+ if (Status =3D=3D EFI_BUFFER_TOO_SMALL) {=0D
+ ReturnStatus =3D EFI_WRITE_PROTECTED;=0D
+ goto Exit;=0D
+ }=0D
+ // Check for lock on state variable.=0D
+ } else if (ActivePolicy->LockPolicyType =3D=3D VARIABLE_POLICY_TYPE_LO=
CK_ON_VAR_STATE) {=0D
+ StateVarPolicy =3D (VARIABLE_LOCK_ON_VAR_STATE_POLICY*)((UINT8*)Acti=
vePolicy + sizeof(VARIABLE_POLICY_ENTRY));=0D
+ StateVarName =3D (CHAR16*)((UINT8*)StateVarPolicy + sizeof(VARIABLE_=
LOCK_ON_VAR_STATE_POLICY));=0D
+ StateVarSize =3D sizeof(StateVar);=0D
+ Status =3D mGetVariableHelper( StateVarName,=0D
+ &StateVarPolicy->Namespace,=0D
+ NULL,=0D
+ &StateVarSize,=0D
+ &StateVar );=0D
+=0D
+ // If the variable was found, check the state. If matched, this vari=
able is locked.=0D
+ if (!EFI_ERROR( Status )) {=0D
+ if (StateVar =3D=3D StateVarPolicy->Value) {=0D
+ ReturnStatus =3D EFI_WRITE_PROTECTED;=0D
+ goto Exit;=0D
+ }=0D
+ // EFI_NOT_FOUND and EFI_BUFFER_TOO_SMALL indicate that the state do=
esn't match.=0D
+ } else if (Status !=3D EFI_NOT_FOUND && Status !=3D EFI_BUFFER_TOO_S=
MALL) {=0D
+ // We don't know what happened, but it isn't good.=0D
+ ReturnStatus =3D EFI_ABORTED;=0D
+ goto Exit;=0D
+ }=0D
+ }=0D
+ }=0D
+=0D
+Exit:=0D
+ DEBUG(( DEBUG_VERBOSE, "%a - Variable (%g:%s) returning %r.\n", __FUNCTI=
ON__, VendorGuid, VariableName, ReturnStatus ));=0D
+ return ReturnStatus;=0D
+}=0D
+=0D
+=0D
+/**=0D
+ This API function disables the variable policy enforcement. If it's=0D
+ already been called once, will return EFI_ALREADY_STARTED.=0D
+=0D
+ @retval EFI_SUCCESS=0D
+ @retval EFI_ALREADY_STARTED Has already been called once this boot=
.=0D
+ @retval EFI_WRITE_PROTECTED Interface has been locked until reboot=
.=0D
+ @retval EFI_WRITE_PROTECTED Interface option is disabled by platfo=
rm PCD.=0D
+ @retval EFI_NOT_READY Library has not yet been initialized.=
=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+DisableVariablePolicy (=0D
+ VOID=0D
+ )=0D
+{=0D
+ if (!IsVariablePolicyLibInitialized()) {=0D
+ return EFI_NOT_READY;=0D
+ }=0D
+ if (mProtectionDisabled) {=0D
+ return EFI_ALREADY_STARTED;=0D
+ }=0D
+ if (mInterfaceLocked) {=0D
+ return EFI_WRITE_PROTECTED;=0D
+ }=0D
+ if (!PcdGetBool (PcdAllowVariablePolicyEnforcementDisable)) {=0D
+ return EFI_WRITE_PROTECTED;=0D
+ }=0D
+ mProtectionDisabled =3D TRUE;=0D
+ return EFI_SUCCESS;=0D
+}=0D
+=0D
+=0D
+/**=0D
+ This API function will dump the entire contents of the variable policy t=
able.=0D
+=0D
+ Similar to GetVariable, the first call can be made with a 0 size and it =
will return=0D
+ the size of the buffer required to hold the entire table.=0D
+=0D
+ @param[out] Policy Pointer to the policy buffer. Can be NULL if Siz=
e is 0.=0D
+ @param[in,out] Size On input, the size of the output buffer. On outp=
ut, the size=0D
+ of the data returned.=0D
+=0D
+ @retval EFI_SUCCESS Policy data is in the output buffer =
and Size has been updated.=0D
+ @retval EFI_INVALID_PARAMETER Size is NULL, or Size is non-zero an=
d Policy is NULL.=0D
+ @retval EFI_BUFFER_TOO_SMALL Size is insufficient to hold policy.=
Size updated with required size.=0D
+ @retval EFI_NOT_READY Library has not yet been initialized=
.=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+DumpVariablePolicy (=0D
+ OUT UINT8 *Policy,=0D
+ IN OUT UINT32 *Size=0D
+ )=0D
+{=0D
+ if (!IsVariablePolicyLibInitialized()) {=0D
+ return EFI_NOT_READY;=0D
+ }=0D
+=0D
+ // Check the parameters.=0D
+ if (Size =3D=3D NULL || (*Size > 0 && Policy =3D=3D NULL)) {=0D
+ return EFI_INVALID_PARAMETER;=0D
+ }=0D
+=0D
+ // Make sure the size is sufficient to hold the policy table.=0D
+ if (*Size < mCurrentTableUsage) {=0D
+ *Size =3D mCurrentTableUsage;=0D
+ return EFI_BUFFER_TOO_SMALL;=0D
+ }=0D
+=0D
+ // If we're still here, copy the table and bounce.=0D
+ CopyMem( Policy, mPolicyTable, mCurrentTableUsage );=0D
+ *Size =3D mCurrentTableUsage;=0D
+=0D
+ return EFI_SUCCESS;=0D
+}=0D
+=0D
+=0D
+/**=0D
+ This API function returns whether or not the policy engine is=0D
+ currently being enforced.=0D
+=0D
+ @retval TRUE=0D
+ @retval FALSE=0D
+ @retval FALSE Library has not yet been initialized.=0D
+=0D
+**/=0D
+BOOLEAN=0D
+EFIAPI=0D
+IsVariablePolicyEnabled (=0D
+ VOID=0D
+ )=0D
+{=0D
+ if (!IsVariablePolicyLibInitialized()) {=0D
+ return FALSE;=0D
+ }=0D
+ return !mProtectionDisabled;=0D
+}=0D
+=0D
+=0D
+/**=0D
+ This API function locks the interface so that no more policy updates=0D
+ can be performed or changes made to the enforcement until the next boot.=
=0D
+=0D
+ @retval EFI_SUCCESS=0D
+ @retval EFI_NOT_READY Library has not yet been initialized.=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+LockVariablePolicy (=0D
+ VOID=0D
+ )=0D
+{=0D
+ if (!IsVariablePolicyLibInitialized()) {=0D
+ return EFI_NOT_READY;=0D
+ }=0D
+ if (mInterfaceLocked) {=0D
+ return EFI_WRITE_PROTECTED;=0D
+ }=0D
+ mInterfaceLocked =3D TRUE;=0D
+ return EFI_SUCCESS;=0D
+}=0D
+=0D
+=0D
+/**=0D
+ This API function returns whether or not the policy interface is locked=
=0D
+ for the remainder of the boot.=0D
+=0D
+ @retval TRUE=0D
+ @retval FALSE=0D
+ @retval FALSE Library has not yet been initialized.=0D
+=0D
+**/=0D
+BOOLEAN=0D
+EFIAPI=0D
+IsVariablePolicyInterfaceLocked (=0D
+ VOID=0D
+ )=0D
+{=0D
+ if (!IsVariablePolicyLibInitialized()) {=0D
+ return FALSE;=0D
+ }=0D
+ return mInterfaceLocked;=0D
+}=0D
+=0D
+=0D
+/**=0D
+ This helper function initializes the library and sets=0D
+ up any required internal structures or handlers.=0D
+=0D
+ Also registers the internal pointer for the GetVariable helper.=0D
+=0D
+ @param[in] GetVariableHelper A function pointer matching the EFI_GET_VA=
RIABLE prototype that will be used to=0D
+ check policy criteria that involve the existence of othe=
r variables.=0D
+=0D
+ @retval EFI_SUCCESS=0D
+ @retval EFI_ALREADY_STARTED The initialize function has been calle=
d more than once without a call to=0D
+ deinitialize.=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+InitVariablePolicyLib (=0D
+ IN EFI_GET_VARIABLE GetVariableHelper=0D
+ )=0D
+{=0D
+ EFI_STATUS Status;=0D
+=0D
+ Status =3D EFI_SUCCESS;=0D
+=0D
+ if (mGetVariableHelper !=3D NULL) {=0D
+ return EFI_ALREADY_STARTED;=0D
+ }=0D
+=0D
+ if (!EFI_ERROR( Status )) {=0D
+ Status =3D VariablePolicyExtraInit();=0D
+ }=0D
+=0D
+ if (!EFI_ERROR( Status )) {=0D
+ // Save an internal pointer to the GetVariableHelper.=0D
+ mGetVariableHelper =3D GetVariableHelper;=0D
+=0D
+ // Initialize the global state.=0D
+ mInterfaceLocked =3D FALSE;=0D
+ mProtectionDisabled =3D FALSE;=0D
+ mPolicyTable =3D NULL;=0D
+ mCurrentTableSize =3D 0;=0D
+ mCurrentTableUsage =3D 0;=0D
+ mCurrentTableCount =3D 0;=0D
+ }=0D
+=0D
+ return Status;=0D
+}=0D
+=0D
+=0D
+/**=0D
+ This helper function returns whether or not the library is currently ini=
tialized.=0D
+=0D
+ @retval TRUE=0D
+ @retval FALSE=0D
+=0D
+**/=0D
+BOOLEAN=0D
+EFIAPI=0D
+IsVariablePolicyLibInitialized (=0D
+ VOID=0D
+ )=0D
+{=0D
+ return (mGetVariableHelper !=3D NULL);=0D
+}=0D
+=0D
+=0D
+/**=0D
+ This helper function tears down the library.=0D
+=0D
+ Should generally only be used for test harnesses.=0D
+=0D
+ @retval EFI_SUCCESS=0D
+ @retval EFI_NOT_READY Deinitialize was called without first call=
ing initialize.=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+DeinitVariablePolicyLib (=0D
+ VOID=0D
+ )=0D
+{=0D
+ EFI_STATUS Status;=0D
+=0D
+ Status =3D EFI_SUCCESS;=0D
+=0D
+ if (mGetVariableHelper =3D=3D NULL) {=0D
+ return EFI_NOT_READY;=0D
+ }=0D
+=0D
+ if (!EFI_ERROR( Status )) {=0D
+ Status =3D VariablePolicyExtraDeinit();=0D
+ }=0D
+=0D
+ if (!EFI_ERROR( Status )) {=0D
+ mGetVariableHelper =3D NULL;=0D
+ mInterfaceLocked =3D FALSE;=0D
+ mProtectionDisabled =3D FALSE;=0D
+ mCurrentTableSize =3D 0;=0D
+ mCurrentTableUsage =3D 0;=0D
+ mCurrentTableCount =3D 0;=0D
+=0D
+ if (mPolicyTable !=3D NULL) {=0D
+ FreePool( mPolicyTable );=0D
+ mPolicyTable =3D NULL;=0D
+ }=0D
+ }=0D
+=0D
+ return Status;=0D
+}=0D
diff --git a/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/=
VariablePolicyUnitTest.c b/MdeModulePkg/Library/VariablePolicyLib/VariableP=
olicyUnitTest/VariablePolicyUnitTest.c
new file mode 100644
index 000000000000..40e946a73814
--- /dev/null
+++ b/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/Variabl=
ePolicyUnitTest.c
@@ -0,0 +1,2452 @@
+/** @file -- VariablePolicyUnitTest.c=0D
+UnitTest for...=0D
+Business logic for Variable Policy enforcement.=0D
+=0D
+Copyright (c) Microsoft Corporation.=0D
+SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+=0D
+**/=0D
+=0D
+#include <stdio.h>=0D
+#include <string.h>=0D
+#include <stdarg.h>=0D
+#include <stddef.h>=0D
+#include <setjmp.h>=0D
+#include <cmocka.h>=0D
+=0D
+#include <Uefi.h>=0D
+#include <Library/PrintLib.h>=0D
+#include <Library/DebugLib.h>=0D
+#include <Library/UnitTestLib.h>=0D
+#include <Library/BaseMemoryLib.h>=0D
+#include <Library/MemoryAllocationLib.h>=0D
+#include <Library/BaseLib.h>=0D
+=0D
+#include <Guid/VariableFormat.h>=0D
+=0D
+#include <Protocol/VariablePolicy.h>=0D
+#include <Library/VariablePolicyLib.h>=0D
+=0D
+#ifndef INTERNAL_UNIT_TEST=0D
+#error Make sure to build thie with INTERNAL_UNIT_TEST enabled! Otherwise,=
some important tests may be skipped!=0D
+#endif=0D
+=0D
+=0D
+#define UNIT_TEST_NAME "UEFI Variable Policy UnitTest"=0D
+#define UNIT_TEST_VERSION "0.5"=0D
+=0D
+///=3D=3D=3D TEST DATA =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0D
+=0D
+#pragma pack(push, 1)=0D
+#define SIMPLE_VARIABLE_POLICY_ENTRY_VAR_NAME_LENGTH 1001 // 1000 char=
acters + terminator.=0D
+#define SIMPLE_VARIABLE_POLICY_ENTRY_VAR_NAME_SIZE (SIMPLE_VARIABLE_POL=
ICY_ENTRY_VAR_NAME_LENGTH * sizeof(CHAR16))=0D
+typedef struct _SIMPLE_VARIABLE_POLICY_ENTRY {=0D
+ VARIABLE_POLICY_ENTRY Header;=0D
+ CHAR16 Name[SIMPLE_VARIABLE_POLICY_ENTRY_VAR_NAME_LEN=
GTH];=0D
+} SIMPLE_VARIABLE_POLICY_ENTRY;=0D
+#define EXPANDED_VARIABLE_POLICY_ENTRY_VAR_NAME_LENGTH 1001 // 1000 ch=
aracters + terminator.=0D
+#define EXPANDED_VARIABLE_POLICY_ENTRY_VAR_NAME_SIZE (EXPANDED_VARIABLE=
_POLICY_ENTRY_VAR_NAME_LENGTH * sizeof(CHAR16))=0D
+typedef struct _EXPANDED_VARIABLE_POLICY_ENTRY {=0D
+ VARIABLE_POLICY_ENTRY Header;=0D
+ VARIABLE_LOCK_ON_VAR_STATE_POLICY StatePolicy;=0D
+ CHAR16 StateName[EXPANDED_VARIABLE_POLICY_E=
NTRY_VAR_NAME_LENGTH];=0D
+ CHAR16 Name[EXPANDED_VARIABLE_POLICY_ENTRY_=
VAR_NAME_LENGTH];=0D
+} EXPANDED_VARIABLE_POLICY_ENTRY;=0D
+#pragma pack(pop)=0D
+=0D
+// {F955BA2D-4A2C-480C-BFD1-3CC522610592}=0D
+#define TEST_GUID_1 { 0xf955ba2d, 0x4a2c, 0x480c, { 0xbf, 0xd1, 0x3c, 0xc5=
, 0x22, 0x61, 0x5, 0x92 } }=0D
+EFI_GUID mTestGuid1 =3D TEST_GUID_1;=0D
+// {2DEA799E-5E73-43B9-870E-C945CE82AF3A}=0D
+#define TEST_GUID_2 { 0x2dea799e, 0x5e73, 0x43b9, { 0x87, 0xe, 0xc9, 0x45,=
0xce, 0x82, 0xaf, 0x3a } }=0D
+EFI_GUID mTestGuid2 =3D TEST_GUID_2;=0D
+// {698A2BFD-A616-482D-B88C-7100BD6682A9}=0D
+#define TEST_GUID_3 { 0x698a2bfd, 0xa616, 0x482d, { 0xb8, 0x8c, 0x71, 0x0,=
0xbd, 0x66, 0x82, 0xa9 } }=0D
+EFI_GUID mTestGuid3 =3D TEST_GUID_3;=0D
+=0D
+#define TEST_VAR_1_NAME L"TestVar1"=0D
+#define TEST_VAR_2_NAME L"TestVar2"=0D
+#define TEST_VAR_3_NAME L"TestVar3"=0D
+=0D
+#define TEST_POLICY_ATTRIBUTES_NULL 0=0D
+#define TEST_POLICY_MIN_SIZE_NULL 0=0D
+#define TEST_POLICY_MAX_SIZE_NULL MAX_UINT32=0D
+=0D
+#define TEST_POLICY_MIN_SIZE_10 10=0D
+#define TEST_POLICY_MAX_SIZE_200 200=0D
+=0D
+#define TEST_300_HASHES_STRING L"####################################=
##############"\=0D
+ "###################################=
###############"\=0D
+ "###################################=
###############"\=0D
+ "###################################=
###############"\=0D
+ "###################################=
###############"\=0D
+ "###################################=
###############"=0D
+=0D
+=0D
+///=3D=3D=3D HELPER FUNCTIONS =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0D
+=0D
+/**=0D
+ Helper function to initialize a VARIABLE_POLICY_ENTRY structure with a N=
ame and StateName.=0D
+=0D
+ Takes care of all the messy packing.=0D
+=0D
+ @param[in,out] Entry=0D
+ @param[in] Name [Optional]=0D
+ @param[in] StateName [Optional]=0D
+=0D
+ @retval TRUE=0D
+ @retval FALSE=0D
+=0D
+**/=0D
+STATIC=0D
+BOOLEAN=0D
+InitExpVarPolicyStrings (=0D
+ EXPANDED_VARIABLE_POLICY_ENTRY *Entry,=0D
+ CHAR16 *Name, OPTIONAL=0D
+ CHAR16 *StateName OPTIONAL=0D
+ )=0D
+{=0D
+ UINTN NameSize;=0D
+ UINTN StateNameSize;=0D
+=0D
+ NameSize =3D Name =3D=3D NULL ? 0 : StrSize( Name );=0D
+ StateNameSize =3D StateName =3D=3D NULL ? 0 : StrSize( StateName );=0D
+=0D
+ if (NameSize > EXPANDED_VARIABLE_POLICY_ENTRY_VAR_NAME_SIZE || NameSize =
MAX_UINT16 ||=0D
+ StateNameSize > EXPANDED_VARIABLE_POLICY_ENTRY_VAR_NAME_SIZE || Stat=
eNameSize > MAX_UINT16) {=0D
+ return FALSE;=0D
+ }=0D
+=0D
+ Entry->Header.OffsetToName =3D sizeof(VARIABLE_POLICY_ENTRY);=0D
+ if (StateName !=3D NULL) {=0D
+ Entry->Header.OffsetToName +=3D (UINT16)sizeof(VARIABLE_LOCK_ON_VAR_ST=
ATE_POLICY) + (UINT16)StateNameSize;=0D
+ }=0D
+ Entry->Header.Size =3D Entry->Header.OffsetToName + (UINT16)NameSize;=0D
+=0D
+ CopyMem( (UINT8*)Entry + Entry->Header.OffsetToName, Name, NameSize );=0D
+ if (StateName !=3D NULL) {=0D
+ CopyMem( (UINT8*)Entry + sizeof(VARIABLE_POLICY_ENTRY) + sizeof(VARIAB=
LE_LOCK_ON_VAR_STATE_POLICY), StateName, StateNameSize );=0D
+ }=0D
+=0D
+ return TRUE;=0D
+}=0D
+=0D
+/**=0D
+ Mocked version of GetVariable, for testing.=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+StubGetVariableNull (=0D
+ IN CHAR16 *VariableName,=0D
+ IN EFI_GUID *VendorGuid,=0D
+ OUT UINT32 *Attributes, OPTIONAL=0D
+ IN OUT UINTN *DataSize,=0D
+ OUT VOID *Data OPTIONAL=0D
+ )=0D
+{=0D
+ UINT32 MockedAttr;=0D
+ UINTN MockedDataSize;=0D
+ VOID *MockedData;=0D
+ EFI_STATUS MockedReturn;=0D
+=0D
+ check_expected_ptr( VariableName );=0D
+ check_expected_ptr( VendorGuid );=0D
+ check_expected_ptr( DataSize );=0D
+=0D
+ MockedAttr =3D (UINT32)mock();=0D
+ MockedDataSize =3D (UINTN)mock();=0D
+ MockedData =3D (VOID*)mock();=0D
+ MockedReturn =3D (EFI_STATUS)mock();=0D
+=0D
+ if (Attributes !=3D NULL) {=0D
+ *Attributes =3D MockedAttr;=0D
+ }=0D
+ if (Data !=3D NULL && !EFI_ERROR(MockedReturn)) {=0D
+ CopyMem( Data, MockedData, MockedDataSize );=0D
+ }=0D
+=0D
+ *DataSize =3D MockedDataSize;=0D
+=0D
+ return MockedReturn;=0D
+}=0D
+=0D
+//=0D
+// Anything you think might be helpful that isn't a test itself.=0D
+//=0D
+=0D
+/**=0D
+ This is a common setup function that will ensure the library is always i=
nitialized=0D
+ with the stubbed GetVariable.=0D
+=0D
+ Not used by all test cases, but by most.=0D
+**/=0D
+STATIC=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+LibInitMocked (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ return EFI_ERROR(InitVariablePolicyLib( StubGetVariableNull )) ? UNIT_TE=
ST_ERROR_PREREQUISITE_NOT_MET : UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Common cleanup function to make sure that the library is always de-initi=
alized prior=0D
+ to the next test case.=0D
+*/=0D
+STATIC=0D
+VOID=0D
+EFIAPI=0D
+LibCleanup (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ DeinitVariablePolicyLib();=0D
+}=0D
+=0D
+=0D
+///=3D=3D=3D TEST CASES =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0D
+=0D
+///=3D=3D=3D=3D=3D ARCHITECTURAL SUITE =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+ShouldBeAbleToInitAndDeinitTheLibrary (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ EFI_STATUS Status;=0D
+ Status =3D InitVariablePolicyLib( StubGetVariableNull );=0D
+ UT_ASSERT_NOT_EFI_ERROR( Status );=0D
+=0D
+ UT_ASSERT_TRUE( IsVariablePolicyLibInitialized() );=0D
+=0D
+ Status =3D DeinitVariablePolicyLib();=0D
+ UT_ASSERT_NOT_EFI_ERROR( Status );=0D
+=0D
+ UT_ASSERT_FALSE( IsVariablePolicyLibInitialized() );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+ShouldNotBeAbleToInitializeTheLibraryTwice (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ EFI_STATUS Status;=0D
+ Status =3D InitVariablePolicyLib( StubGetVariableNull );=0D
+ UT_ASSERT_NOT_EFI_ERROR( Status );=0D
+ Status =3D InitVariablePolicyLib( StubGetVariableNull );=0D
+ UT_ASSERT_TRUE( EFI_ERROR( Status ) );=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+ShouldFailDeinitWithoutInit (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ EFI_STATUS Status;=0D
+ Status =3D DeinitVariablePolicyLib();=0D
+ UT_ASSERT_TRUE( EFI_ERROR( Status ) );=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+ApiCommandsShouldNotRespondIfLibIsUninitialized (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ SIMPLE_VARIABLE_POLICY_ENTRY TestPolicy =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ sizeof(VARIABLE_POLICY_ENTRY) + sizeof(TEST_VAR_1_NAME),=0D
+ sizeof(VARIABLE_POLICY_ENTRY),=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_NULL,=0D
+ TEST_POLICY_MAX_SIZE_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ VARIABLE_POLICY_TYPE_NO_LOCK=0D
+ },=0D
+ TEST_VAR_1_NAME=0D
+ };=0D
+ UINT8 DummyData[8];=0D
+ UINT32 DummyDataSize =3D sizeof(DummyData);=0D
+=0D
+ // This test should not start with an initialized library.=0D
+=0D
+ // Verify that all API commands fail.=0D
+ UT_ASSERT_TRUE( EFI_ERROR( LockVariablePolicy() ) );=0D
+ UT_ASSERT_TRUE( EFI_ERROR( DisableVariablePolicy() ) );=0D
+ UT_ASSERT_TRUE( EFI_ERROR( RegisterVariablePolicy( &TestPolicy.Header ) =
) );=0D
+ UT_ASSERT_TRUE( EFI_ERROR( DumpVariablePolicy( DummyData, &DummyDataSize=
) ) );=0D
+ UT_ASSERT_FALSE( IsVariablePolicyInterfaceLocked() );=0D
+ UT_ASSERT_FALSE( IsVariablePolicyEnabled() );=0D
+ UT_ASSERT_TRUE( EFI_ERROR( ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_NV_BS,=
=0D
+ sizeof(DummyData),=0D
+ DummyData ) ) );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+=0D
+///=3D=3D=3D=3D=3D INTERNAL FUNCTION SUITE =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0D
+=0D
+#ifdef INTERNAL_UNIT_TEST=0D
+=0D
+BOOLEAN=0D
+EvaluatePolicyMatch (=0D
+ IN CONST VARIABLE_POLICY_ENTRY *EvalEntry,=0D
+ IN CONST CHAR16 *VariableName,=0D
+ IN CONST EFI_GUID *VendorGuid,=0D
+ OUT UINT8 *MatchPriority OPTIONAL=0D
+ );=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+PoliciesShouldMatchByNameAndGuid (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ SIMPLE_VARIABLE_POLICY_ENTRY MatchCheckPolicy =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ sizeof(VARIABLE_POLICY_ENTRY) + sizeof(TEST_VAR_1_NAME),=0D
+ sizeof(VARIABLE_POLICY_ENTRY),=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_NULL,=0D
+ TEST_POLICY_MAX_SIZE_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ VARIABLE_POLICY_TYPE_NO_LOCK=0D
+ },=0D
+ TEST_VAR_1_NAME=0D
+ };=0D
+ CHAR16 *CheckVar1Name =3D TEST_VAR_1_NAME;=0D
+ CHAR16 *CheckVar2Name =3D TEST_VAR_2_NAME;=0D
+=0D
+ // Make sure that a different name does not match.=0D
+ UT_ASSERT_FALSE( EvaluatePolicyMatch( &MatchCheckPolicy.Header, CheckVar=
2Name, &mTestGuid1, NULL ) );=0D
+=0D
+ // Make sure that a different GUID does not match.=0D
+ UT_ASSERT_FALSE( EvaluatePolicyMatch( &MatchCheckPolicy.Header, CheckVar=
1Name, &mTestGuid2, NULL ) );=0D
+=0D
+ // Make sure that the same name and GUID match.=0D
+ UT_ASSERT_TRUE( EvaluatePolicyMatch( &MatchCheckPolicy.Header, CheckVar1=
Name, &mTestGuid1, NULL ) );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+WildcardPoliciesShouldMatchDigits (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ SIMPLE_VARIABLE_POLICY_ENTRY MatchCheckPolicy =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ sizeof(VARIABLE_POLICY_ENTRY) + sizeof(L"Wildcard#VarName##"),=0D
+ sizeof(VARIABLE_POLICY_ENTRY),=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_NULL,=0D
+ TEST_POLICY_MAX_SIZE_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ VARIABLE_POLICY_TYPE_NO_LOCK=0D
+ },=0D
+ L"Wildcard#VarName##"=0D
+ };=0D
+ CHAR16 *CheckVar1Name =3D L"Wildcard1VarName12";=0D
+ CHAR16 *CheckVar2Name =3D L"Wildcard2VarName34";=0D
+ CHAR16 *CheckVarBName =3D L"WildcardBVarName56";=0D
+ CHAR16 *CheckVarFName =3D L"WildcardFVarName0A";=0D
+ CHAR16 *CheckVarZName =3D L"WildcardZVarName56";=0D
+ CHAR16 *CheckVarLName =3D L"WildcardLVarName56";=0D
+ CHAR16 *CheckVarHName =3D L"Wildcard#VarName56";=0D
+=0D
+ // Make sure that all hexidecimal sets of wildcard numbers match.=0D
+ UT_ASSERT_TRUE( EvaluatePolicyMatch( &MatchCheckPolicy.Header, CheckVar1=
Name, &mTestGuid1, NULL ) );=0D
+ UT_ASSERT_TRUE( EvaluatePolicyMatch( &MatchCheckPolicy.Header, CheckVar2=
Name, &mTestGuid1, NULL ) );=0D
+ UT_ASSERT_TRUE( EvaluatePolicyMatch( &MatchCheckPolicy.Header, CheckVarB=
Name, &mTestGuid1, NULL ) );=0D
+ UT_ASSERT_TRUE( EvaluatePolicyMatch( &MatchCheckPolicy.Header, CheckVarF=
Name, &mTestGuid1, NULL ) );=0D
+=0D
+ // Make sure that the non-number charaters don't match.=0D
+ UT_ASSERT_FALSE( EvaluatePolicyMatch( &MatchCheckPolicy.Header, CheckVar=
ZName, &mTestGuid1, NULL ) );=0D
+ UT_ASSERT_FALSE( EvaluatePolicyMatch( &MatchCheckPolicy.Header, CheckVar=
LName, &mTestGuid1, NULL ) );=0D
+=0D
+ // Make sure that '#' signs don't match.=0D
+ UT_ASSERT_FALSE( EvaluatePolicyMatch( &MatchCheckPolicy.Header, CheckVar=
HName, &mTestGuid1, NULL ) );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+WildcardPoliciesShouldMatchDigitsAdvanced (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ SIMPLE_VARIABLE_POLICY_ENTRY MatchCheckPolicy =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ sizeof(VARIABLE_POLICY_ENTRY) + sizeof(TEST_300_HASHES_STRING),=0D
+ sizeof(VARIABLE_POLICY_ENTRY),=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_NULL,=0D
+ TEST_POLICY_MAX_SIZE_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ VARIABLE_POLICY_TYPE_NO_LOCK=0D
+ },=0D
+ TEST_300_HASHES_STRING=0D
+ };=0D
+ CHAR16 *CheckShorterString =3D L"01234567890123456789012345678901=
234567890123456789";=0D
+ CHAR16 *CheckValidString =3D L"0123456789012345678901234567890123=
4567890123456789"\=0D
+ "01234567890123456789012345678901234=
567890123456789"\=0D
+ "01234567890123456789012345678901234=
567890123456789"\=0D
+ "01234567890123456789012345678901234=
567890123456789"\=0D
+ "01234567890123456789012345678901234=
567890123456789"\=0D
+ "01234567890123456789012345678901234=
567890123456789";=0D
+ CHAR16 *CheckValidHexString =3D L"0123456789012345678901234567890=
12345678901234F6789"\=0D
+ "01234567890123456789012345678901234=
567890123456789"\=0D
+ "012345678901ABC56789012345678901234=
567890123456789"\=0D
+ "01234567890123456789012345678901234=
567890123456789"\=0D
+ "01234567890123456789012345678901234=
5678DEADBEEF789"\=0D
+ "01234ABCDEF123456789012345678901234=
567890123456789";=0D
+ CHAR16 *CheckLongerString =3D L"012345678901234567890123456789012=
34567890123456789"\=0D
+ "01234567890123456789012345678901234=
567890123456789"\=0D
+ "01234567890123456789012345678901234=
567890123456789"\=0D
+ "01234567890123456789012345678901234=
567890123456789"\=0D
+ "01234567890123456789012345678901234=
567890123456789"\=0D
+ "01234567890123456789012345678901234=
567890123456789"\=0D
+ "01234567890123456789012345678901234=
567890123456789";=0D
+ UINT8 MatchPriority;=0D
+=0D
+ // Make sure that the shorter and the longer do not match.=0D
+ UT_ASSERT_FALSE( EvaluatePolicyMatch( &MatchCheckPolicy.Header, CheckSho=
rterString, &mTestGuid1, NULL ) );=0D
+ UT_ASSERT_FALSE( EvaluatePolicyMatch( &MatchCheckPolicy.Header, CheckLon=
gerString, &mTestGuid1, NULL ) );=0D
+=0D
+ // Make sure that the valid one matches and has the expected priority.=0D
+ UT_ASSERT_TRUE( EvaluatePolicyMatch( &MatchCheckPolicy.Header, CheckVali=
dString, &mTestGuid1, &MatchPriority ) );=0D
+ UT_ASSERT_TRUE( EvaluatePolicyMatch( &MatchCheckPolicy.Header, CheckVali=
dHexString, &mTestGuid1, &MatchPriority ) );=0D
+ UT_ASSERT_EQUAL( MatchPriority, MAX_UINT8 );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+WildcardPoliciesShouldMatchNamespaces (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ VARIABLE_POLICY_ENTRY MatchCheckPolicy =3D {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ sizeof(VARIABLE_POLICY_ENTRY),=0D
+ sizeof(VARIABLE_POLICY_ENTRY),=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_NULL,=0D
+ TEST_POLICY_MAX_SIZE_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ VARIABLE_POLICY_TYPE_NO_LOCK=0D
+ };=0D
+ CHAR16 *CheckVar1Name =3D L"Wildcard1VarName12";=0D
+ CHAR16 *CheckVar2Name =3D L"Wildcard2VarName34";=0D
+ CHAR16 *CheckVarBName =3D L"WildcardBVarName56";=0D
+ CHAR16 *CheckVarHName =3D L"Wildcard#VarName56";=0D
+=0D
+ // Make sure that all names in the same namespace match.=0D
+ UT_ASSERT_TRUE( EvaluatePolicyMatch( &MatchCheckPolicy, CheckVar1Name, &=
mTestGuid1, NULL ) );=0D
+ UT_ASSERT_TRUE( EvaluatePolicyMatch( &MatchCheckPolicy, CheckVar2Name, &=
mTestGuid1, NULL ) );=0D
+ UT_ASSERT_TRUE( EvaluatePolicyMatch( &MatchCheckPolicy, CheckVarBName, &=
mTestGuid1, NULL ) );=0D
+ UT_ASSERT_TRUE( EvaluatePolicyMatch( &MatchCheckPolicy, CheckVarHName, &=
mTestGuid1, NULL ) );=0D
+=0D
+ // Make sure that different namespace doesn't match.=0D
+ UT_ASSERT_FALSE( EvaluatePolicyMatch( &MatchCheckPolicy, CheckVar1Name, =
&mTestGuid2, NULL ) );=0D
+=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+MatchPrioritiesShouldFollowRules (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ SIMPLE_VARIABLE_POLICY_ENTRY MatchCheckPolicy =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ sizeof(VARIABLE_POLICY_ENTRY) + sizeof(L"Wildcard1VarName12"),=0D
+ sizeof(VARIABLE_POLICY_ENTRY),=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_NULL,=0D
+ TEST_POLICY_MAX_SIZE_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ VARIABLE_POLICY_TYPE_NO_LOCK=0D
+ },=0D
+ L"Wildcard1VarName12"=0D
+ };=0D
+ CHAR16 CheckVar1Name[] =3D L"Wildcard1VarName12";=0D
+ CHAR16 MatchVar1Name[] =3D L"Wildcard1VarName12";=0D
+ CHAR16 MatchVar2Name[] =3D L"Wildcard#VarName12";=0D
+ CHAR16 MatchVar3Name[] =3D L"Wildcard#VarName#2";=0D
+ CHAR16 MatchVar4Name[] =3D L"Wildcard#VarName##";=0D
+ UINT8 MatchPriority;=0D
+=0D
+ // Check with a perfect match.=0D
+ CopyMem( &MatchCheckPolicy.Name, MatchVar1Name, sizeof(MatchVar1Name) );=
=0D
+ UT_ASSERT_TRUE( EvaluatePolicyMatch( &MatchCheckPolicy.Header, CheckVar1=
Name, &mTestGuid1, &MatchPriority ) );=0D
+ UT_ASSERT_EQUAL( MatchPriority, 0 );=0D
+=0D
+ // Check with progressively lower priority matches.=0D
+ CopyMem( &MatchCheckPolicy.Name, MatchVar2Name, sizeof(MatchVar2Name) );=
=0D
+ UT_ASSERT_TRUE( EvaluatePolicyMatch( &MatchCheckPolicy.Header, CheckVar1=
Name, &mTestGuid1, &MatchPriority ) );=0D
+ UT_ASSERT_EQUAL( MatchPriority, 1 );=0D
+ CopyMem( &MatchCheckPolicy.Name, MatchVar3Name, sizeof(MatchVar3Name) );=
=0D
+ UT_ASSERT_TRUE( EvaluatePolicyMatch( &MatchCheckPolicy.Header, CheckVar1=
Name, &mTestGuid1, &MatchPriority ) );=0D
+ UT_ASSERT_EQUAL( MatchPriority, 2 );=0D
+ CopyMem( &MatchCheckPolicy.Name, MatchVar4Name, sizeof(MatchVar4Name) );=
=0D
+ UT_ASSERT_TRUE( EvaluatePolicyMatch( &MatchCheckPolicy.Header, CheckVar1=
Name, &mTestGuid1, &MatchPriority ) );=0D
+ UT_ASSERT_EQUAL( MatchPriority, 3 );=0D
+=0D
+ // Check against the entire namespace.=0D
+ MatchCheckPolicy.Header.Size =3D sizeof(VARIABLE_POLICY_ENTRY);=0D
+ UT_ASSERT_TRUE( EvaluatePolicyMatch( &MatchCheckPolicy.Header, CheckVar1=
Name, &mTestGuid1, &MatchPriority ) );=0D
+ UT_ASSERT_EQUAL( MatchPriority, MAX_UINT8 );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+#endif // INTERNAL_UNIT_TEST=0D
+=0D
+=0D
+///=3D=3D=3D POLICY MANIPULATION SUITE =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+RegisterShouldAllowNamespaceWildcards (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ SIMPLE_VARIABLE_POLICY_ENTRY ValidationPolicy =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ sizeof(VARIABLE_POLICY_ENTRY),=0D
+ sizeof(VARIABLE_POLICY_ENTRY),=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_NULL,=0D
+ TEST_POLICY_MAX_SIZE_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ VARIABLE_POLICY_TYPE_NO_LOCK=0D
+ },=0D
+ L""=0D
+ };=0D
+=0D
+ UT_ASSERT_NOT_EFI_ERROR( RegisterVariablePolicy( &ValidationPolicy.Heade=
r ) );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+RegisterShouldAllowStateVarsForNamespaces (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ EXPANDED_VARIABLE_POLICY_ENTRY ValidationPolicy =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ 0, // Will be populated by init helper.=0D
+ 0, // Will be populated by init helper.=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_NULL,=0D
+ TEST_POLICY_MAX_SIZE_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE=0D
+ },=0D
+ {=0D
+ TEST_GUID_2,=0D
+ 1, // Value=0D
+ 0 // Padding=0D
+ },=0D
+ L"",=0D
+ L""=0D
+ };=0D
+ UT_ASSERT_TRUE( InitExpVarPolicyStrings( &ValidationPolicy, NULL, TEST_V=
AR_2_NAME ) );=0D
+=0D
+ UT_ASSERT_NOT_EFI_ERROR( RegisterVariablePolicy( &ValidationPolicy.Heade=
r ) );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+RegisterShouldRejectNullPointers (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ UT_ASSERT_EQUAL( RegisterVariablePolicy( NULL ), EFI_INVALID_PARAMETER )=
;=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+RegisterShouldRejectBadRevisions (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ SIMPLE_VARIABLE_POLICY_ENTRY ValidationPolicy =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ sizeof(VARIABLE_POLICY_ENTRY) + sizeof(TEST_VAR_1_NAME),=0D
+ sizeof(VARIABLE_POLICY_ENTRY),=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_NULL,=0D
+ TEST_POLICY_MAX_SIZE_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ VARIABLE_POLICY_TYPE_NO_LOCK=0D
+ },=0D
+ TEST_VAR_1_NAME=0D
+ };=0D
+=0D
+ ValidationPolicy.Header.Version =3D MAX_UINT32;=0D
+ UT_ASSERT_EQUAL( RegisterVariablePolicy( &ValidationPolicy.Header ), EFI=
_INVALID_PARAMETER );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+RegisterShouldRejectBadSizes (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ SIMPLE_VARIABLE_POLICY_ENTRY ValidationPolicy =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ sizeof(VARIABLE_POLICY_ENTRY) + sizeof(TEST_VAR_1_NAME),=0D
+ sizeof(VARIABLE_POLICY_ENTRY),=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_NULL,=0D
+ TEST_POLICY_MAX_SIZE_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ VARIABLE_POLICY_TYPE_NO_LOCK=0D
+ },=0D
+ TEST_VAR_1_NAME=0D
+ };=0D
+=0D
+ ValidationPolicy.Header.Size =3D sizeof(VARIABLE_POLICY_ENTRY) - 2;=0D
+ UT_ASSERT_EQUAL( RegisterVariablePolicy( &ValidationPolicy.Header ), EFI=
_INVALID_PARAMETER );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+RegisterShouldRejectBadOffsets (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ EXPANDED_VARIABLE_POLICY_ENTRY ValidationPolicy =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ 0, // Will be populated by init helper.=0D
+ 0, // Will be populated by init helper.=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_NULL,=0D
+ TEST_POLICY_MAX_SIZE_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE=0D
+ },=0D
+ {=0D
+ TEST_GUID_2,=0D
+ 1, // Value=0D
+ 0 // Padding=0D
+ },=0D
+ L"",=0D
+ L""=0D
+ };=0D
+ UT_ASSERT_TRUE( InitExpVarPolicyStrings( &ValidationPolicy, TEST_VAR_1_N=
AME, TEST_VAR_2_NAME ) );=0D
+=0D
+ // Check for an offset outside the size bounds.=0D
+ ValidationPolicy.Header.OffsetToName =3D ValidationPolicy.Header.Size + =
1;=0D
+ UT_ASSERT_EQUAL( RegisterVariablePolicy( &ValidationPolicy.Header ), EFI=
_INVALID_PARAMETER );=0D
+=0D
+ // Check for an offset inside the policy header.=0D
+ ValidationPolicy.Header.OffsetToName =3D sizeof(VARIABLE_POLICY_ENTRY) -=
2;=0D
+ UT_ASSERT_EQUAL( RegisterVariablePolicy( &ValidationPolicy.Header ), EFI=
_INVALID_PARAMETER );=0D
+=0D
+ // Check for an offset inside the state policy header.=0D
+ ValidationPolicy.Header.OffsetToName =3D sizeof(VARIABLE_POLICY_ENTRY) +=
2;=0D
+ UT_ASSERT_EQUAL( RegisterVariablePolicy( &ValidationPolicy.Header ), EFI=
_INVALID_PARAMETER );=0D
+=0D
+ // Check for a ridiculous offset.=0D
+ ValidationPolicy.Header.OffsetToName =3D MAX_UINT16;=0D
+ UT_ASSERT_EQUAL( RegisterVariablePolicy( &ValidationPolicy.Header ), EFI=
_INVALID_PARAMETER );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+RegisterShouldRejectMissingStateStrings (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ EXPANDED_VARIABLE_POLICY_ENTRY ValidationPolicy =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ 0, // Will be populated by init helper.=0D
+ 0, // Will be populated by init helper.=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_NULL,=0D
+ TEST_POLICY_MAX_SIZE_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE=0D
+ },=0D
+ {=0D
+ TEST_GUID_2,=0D
+ 1, // Value=0D
+ 0 // Padding=0D
+ },=0D
+ L"",=0D
+ L""=0D
+ };=0D
+ UT_ASSERT_TRUE( InitExpVarPolicyStrings( &ValidationPolicy, TEST_VAR_1_N=
AME, TEST_VAR_2_NAME ) );=0D
+=0D
+ // Remove the state string and copy the Name into it's place.=0D
+ // Also adjust the offset.=0D
+ ValidationPolicy.Header.Size =3D sizeof(VARIABLE_POLICY_ENTRY) =
+ sizeof(VARIABLE_LOCK_ON_VAR_STATE_POLICY) + sizeof(TEST_VAR_1_NAME);=0D
+ ValidationPolicy.Header.OffsetToName =3D sizeof(VARIABLE_POLICY_ENTRY) =
+ sizeof(VARIABLE_LOCK_ON_VAR_STATE_POLICY);=0D
+ CopyMem( (UINT8*)&ValidationPolicy + ValidationPolicy.Header.OffsetToNam=
e, TEST_VAR_1_NAME, sizeof(TEST_VAR_1_NAME) );=0D
+=0D
+ // Make sure that this structure fails.=0D
+ UT_ASSERT_EQUAL( RegisterVariablePolicy( &ValidationPolicy.Header ), EFI=
_INVALID_PARAMETER );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+RegisterShouldRejectStringsMissingNull (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ EXPANDED_VARIABLE_POLICY_ENTRY ValidationPolicy =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ 0, // Will be populated by init helper.=0D
+ 0, // Will be populated by init helper.=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_NULL,=0D
+ TEST_POLICY_MAX_SIZE_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE=0D
+ },=0D
+ {=0D
+ TEST_GUID_2,=0D
+ 1, // Value=0D
+ 0 // Padding=0D
+ },=0D
+ L"",=0D
+ L""=0D
+ };=0D
+ UT_ASSERT_TRUE( InitExpVarPolicyStrings( &ValidationPolicy, TEST_VAR_1_N=
AME, TEST_VAR_2_NAME ) );=0D
+=0D
+ // Removing the NULL from the Name should fail.=0D
+ ValidationPolicy.Header.Size =3D ValidationPolicy.Header.Size - sizeof(C=
HAR16);=0D
+ UT_ASSERT_EQUAL( RegisterVariablePolicy( &ValidationPolicy.Header ), EFI=
_INVALID_PARAMETER );=0D
+=0D
+ // Removing the NULL from the State Name is a little trickier.=0D
+ // Copy the Name up one byte.=0D
+ ValidationPolicy.Header.OffsetToName =3D ValidationPolicy.Header.OffsetT=
oName - sizeof(CHAR16);=0D
+ CopyMem( (UINT8*)&ValidationPolicy + ValidationPolicy.Header.OffsetToNam=
e, TEST_VAR_1_NAME, sizeof(TEST_VAR_1_NAME) );=0D
+ UT_ASSERT_EQUAL( RegisterVariablePolicy( &ValidationPolicy.Header ), EFI=
_INVALID_PARAMETER );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+RegisterShouldRejectMalformedStrings (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ EXPANDED_VARIABLE_POLICY_ENTRY ValidationPolicy =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ 0, // Will be populated by init helper.=0D
+ 0, // Will be populated by init helper.=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_NULL,=0D
+ TEST_POLICY_MAX_SIZE_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE=0D
+ },=0D
+ {=0D
+ TEST_GUID_2,=0D
+ 1, // Value=0D
+ 0 // Padding=0D
+ },=0D
+ L"",=0D
+ L""=0D
+ };=0D
+ UT_ASSERT_TRUE( InitExpVarPolicyStrings( &ValidationPolicy, TEST_VAR_1_N=
AME, TEST_VAR_2_NAME ) );=0D
+=0D
+ // Bisecting the NULL from the Name should fail.=0D
+ ValidationPolicy.Header.Size =3D ValidationPolicy.Header.Size - 1;=0D
+ UT_ASSERT_EQUAL( RegisterVariablePolicy( &ValidationPolicy.Header ), EFI=
_INVALID_PARAMETER );=0D
+=0D
+ // Bisecting the NULL from the State Name is a little trickier.=0D
+ // Copy the Name up one byte.=0D
+ ValidationPolicy.Header.OffsetToName =3D ValidationPolicy.Header.OffsetT=
oName - 1;=0D
+ CopyMem( (UINT8*)&ValidationPolicy + ValidationPolicy.Header.OffsetToNam=
e, TEST_VAR_1_NAME, sizeof(TEST_VAR_1_NAME) );=0D
+ UT_ASSERT_EQUAL( RegisterVariablePolicy( &ValidationPolicy.Header ), EFI=
_INVALID_PARAMETER );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+RegisterShouldRejectUnpackedPolicies (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ EXPANDED_VARIABLE_POLICY_ENTRY ValidationPolicy =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ 0, // Will be populated by init helper.=0D
+ 0, // Will be populated by init helper.=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_NULL,=0D
+ TEST_POLICY_MAX_SIZE_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE=0D
+ },=0D
+ {=0D
+ TEST_GUID_2,=0D
+ 1, // Value=0D
+ 0 // Padding=0D
+ },=0D
+ L"",=0D
+ L""=0D
+ };=0D
+ UT_ASSERT_TRUE( InitExpVarPolicyStrings( &ValidationPolicy, TEST_VAR_1_N=
AME, TEST_VAR_2_NAME ) );=0D
+=0D
+ // Increase the size and move the Name out a bit.=0D
+ ValidationPolicy.Header.Size =3D ValidationPolicy.Header.Size + sizeof(C=
HAR16);=0D
+ ValidationPolicy.Header.OffsetToName =3D ValidationPolicy.Header.OffsetT=
oName + sizeof(CHAR16);=0D
+ CopyMem( (UINT8*)&ValidationPolicy + ValidationPolicy.Header.OffsetToNam=
e, TEST_VAR_1_NAME, sizeof(TEST_VAR_1_NAME) );=0D
+ UT_ASSERT_EQUAL( RegisterVariablePolicy( &ValidationPolicy.Header ), EFI=
_INVALID_PARAMETER );=0D
+=0D
+ // Reintialize without the state policy and try the same test.=0D
+ ValidationPolicy.Header.LockPolicyType =3D VARIABLE_POLICY_TYPE_NO_LOCK;=
=0D
+ UT_ASSERT_TRUE( InitExpVarPolicyStrings( &ValidationPolicy, TEST_VAR_1_N=
AME, NULL ) );=0D
+ ValidationPolicy.Header.Size =3D ValidationPolicy.Header.Size + sizeof(C=
HAR16);=0D
+ ValidationPolicy.Header.OffsetToName =3D ValidationPolicy.Header.OffsetT=
oName + sizeof(CHAR16);=0D
+ CopyMem( (UINT8*)&ValidationPolicy + ValidationPolicy.Header.OffsetToNam=
e, TEST_VAR_1_NAME, sizeof(TEST_VAR_1_NAME) );=0D
+ UT_ASSERT_EQUAL( RegisterVariablePolicy( &ValidationPolicy.Header ), EFI=
_INVALID_PARAMETER );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+RegisterShouldRejectInvalidNameCharacters (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ // EXPANDED_VARIABLE_POLICY_ENTRY ValidationPolicy =3D {=0D
+ // {=0D
+ // VARIABLE_POLICY_ENTRY_REVISION,=0D
+ // 0, // Will be populated by init helper.=0D
+ // 0, // Will be populated by init helper.=0D
+ // TEST_GUID_1,=0D
+ // TEST_POLICY_MIN_SIZE_NULL,=0D
+ // TEST_POLICY_MAX_SIZE_NULL,=0D
+ // TEST_POLICY_ATTRIBUTES_NULL,=0D
+ // TEST_POLICY_ATTRIBUTES_NULL,=0D
+ // VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE=0D
+ // },=0D
+ // {=0D
+ // TEST_GUID_2,=0D
+ // 1, // Value=0D
+ // 0 // Padding=0D
+ // },=0D
+ // L"",=0D
+ // L""=0D
+ // };=0D
+=0D
+ // Currently, there are no known invalid characters.=0D
+ // '#' in LockPolicy->Name are taken as literal.=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+RegisterShouldRejectBadPolicyConstraints (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ SIMPLE_VARIABLE_POLICY_ENTRY ValidationPolicy =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ sizeof(VARIABLE_POLICY_ENTRY) + sizeof(TEST_VAR_1_NAME),=0D
+ sizeof(VARIABLE_POLICY_ENTRY),=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_NULL,=0D
+ TEST_POLICY_MAX_SIZE_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ VARIABLE_POLICY_TYPE_NO_LOCK=0D
+ },=0D
+ TEST_VAR_1_NAME=0D
+ };=0D
+=0D
+ // Make sure that invalid MAXes are rejected.=0D
+ ValidationPolicy.Header.MaxSize =3D 0;=0D
+ UT_ASSERT_EQUAL( RegisterVariablePolicy( &ValidationPolicy.Header ), EFI=
_INVALID_PARAMETER );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+RegisterShouldRejectUnknownLockPolicies (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ SIMPLE_VARIABLE_POLICY_ENTRY ValidationPolicy =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ sizeof(VARIABLE_POLICY_ENTRY) + sizeof(TEST_VAR_1_NAME),=0D
+ sizeof(VARIABLE_POLICY_ENTRY),=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_NULL,=0D
+ TEST_POLICY_MAX_SIZE_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ VARIABLE_POLICY_TYPE_NO_LOCK=0D
+ },=0D
+ TEST_VAR_1_NAME=0D
+ };=0D
+=0D
+ ValidationPolicy.Header.LockPolicyType =3D VARIABLE_POLICY_TYPE_LOCK_ON_=
VAR_STATE + 1;=0D
+ UT_ASSERT_EQUAL( RegisterVariablePolicy( &ValidationPolicy.Header ), EFI=
_INVALID_PARAMETER );=0D
+ ValidationPolicy.Header.LockPolicyType =3D VARIABLE_POLICY_TYPE_LOCK_ON_=
VAR_STATE + 1;=0D
+ UT_ASSERT_EQUAL( RegisterVariablePolicy( &ValidationPolicy.Header ), EFI=
_INVALID_PARAMETER );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+RegisterShouldRejectPolicesWithTooManyWildcards (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ SIMPLE_VARIABLE_POLICY_ENTRY ValidationPolicy =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ sizeof(VARIABLE_POLICY_ENTRY) + sizeof(TEST_300_HASHES_STRING),=0D
+ sizeof(VARIABLE_POLICY_ENTRY),=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_NULL,=0D
+ TEST_POLICY_MAX_SIZE_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ VARIABLE_POLICY_TYPE_NO_LOCK=0D
+ },=0D
+ TEST_300_HASHES_STRING=0D
+ };=0D
+=0D
+ // 300 Hashes is currently larger than the possible maximum match priori=
ty.=0D
+ UT_ASSERT_EQUAL( RegisterVariablePolicy( &ValidationPolicy.Header ), EFI=
_INVALID_PARAMETER );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+RegisterShouldRejectDuplicatePolicies (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ SIMPLE_VARIABLE_POLICY_ENTRY ValidationPolicy =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ sizeof(VARIABLE_POLICY_ENTRY) + sizeof(TEST_VAR_1_NAME),=0D
+ sizeof(VARIABLE_POLICY_ENTRY),=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_NULL,=0D
+ TEST_POLICY_MAX_SIZE_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ VARIABLE_POLICY_TYPE_NO_LOCK=0D
+ },=0D
+ TEST_VAR_1_NAME=0D
+ };=0D
+=0D
+ UT_ASSERT_NOT_EFI_ERROR( RegisterVariablePolicy( &ValidationPolicy.Heade=
r ) );=0D
+ UT_ASSERT_STATUS_EQUAL( RegisterVariablePolicy( &ValidationPolicy.Header=
), EFI_ALREADY_STARTED );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+MinAndMaxSizePoliciesShouldBeHonored (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ SIMPLE_VARIABLE_POLICY_ENTRY ValidationPolicy =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ sizeof(VARIABLE_POLICY_ENTRY) + sizeof(TEST_VAR_1_NAME),=0D
+ sizeof(VARIABLE_POLICY_ENTRY),=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_10,=0D
+ TEST_POLICY_MAX_SIZE_200,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ VARIABLE_POLICY_TYPE_NO_LOCK=0D
+ },=0D
+ TEST_VAR_1_NAME=0D
+ };=0D
+ EFI_STATUS PolicyCheck;=0D
+ UINT8 DummyData[TEST_POLICY_MAX_SIZE_200+1];=0D
+=0D
+=0D
+ // Without a policy, there should be no constraints on variable creation=
.=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_NV_BS,=0D
+ TEST_POLICY_MAX_SIZE_200+1,=0D
+ DummyData );=0D
+ UT_ASSERT_NOT_EFI_ERROR( PolicyCheck );=0D
+=0D
+ // Set a policy to test against.=0D
+ UT_ASSERT_NOT_EFI_ERROR( RegisterVariablePolicy( &ValidationPolicy.Heade=
r ) );=0D
+=0D
+ // With a policy, make sure that sizes outsize the target range fail.=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_NV_BS,=0D
+ TEST_POLICY_MAX_SIZE_200+1,=0D
+ DummyData );=0D
+ UT_ASSERT_TRUE( EFI_ERROR( PolicyCheck ) );=0D
+=0D
+ // With a policy, make sure that sizes outsize the target range fail.=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_NV_BS,=0D
+ TEST_POLICY_MIN_SIZE_10-1,=0D
+ DummyData );=0D
+ UT_ASSERT_TRUE( EFI_ERROR( PolicyCheck ) );=0D
+=0D
+ // With a policy, make sure a valid variable is still valid.=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_NV_BS,=0D
+ TEST_POLICY_MIN_SIZE_10+1,=0D
+ DummyData );=0D
+ UT_ASSERT_NOT_EFI_ERROR( PolicyCheck );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+AttributeMustPoliciesShouldBeHonored (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ SIMPLE_VARIABLE_POLICY_ENTRY ValidationPolicy =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ sizeof(VARIABLE_POLICY_ENTRY) + sizeof(TEST_VAR_1_NAME),=0D
+ sizeof(VARIABLE_POLICY_ENTRY),=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_NULL,=0D
+ TEST_POLICY_MAX_SIZE_NULL,=0D
+ VARIABLE_ATTRIBUTE_NV_BS_RT,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ VARIABLE_POLICY_TYPE_NO_LOCK=0D
+ },=0D
+ TEST_VAR_1_NAME=0D
+ };=0D
+ EFI_STATUS PolicyCheck;=0D
+ UINT8 DummyData[12];=0D
+=0D
+=0D
+ // Without a policy, there should be no constraints on variable creation=
.=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ sizeof(DummyData),=0D
+ DummyData );=0D
+ UT_ASSERT_NOT_EFI_ERROR( PolicyCheck );=0D
+=0D
+ // Set a policy to test against.=0D
+ UT_ASSERT_NOT_EFI_ERROR( RegisterVariablePolicy( &ValidationPolicy.Heade=
r ) );=0D
+=0D
+ // With a policy, make sure that no attributes fail.=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ sizeof(DummyData),=0D
+ DummyData );=0D
+ UT_ASSERT_TRUE( EFI_ERROR( PolicyCheck ) );=0D
+=0D
+ // With a policy, make sure that some -- but not all -- attributes fail.=
=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ sizeof(DummyData),=0D
+ DummyData );=0D
+ UT_ASSERT_TRUE( EFI_ERROR( PolicyCheck ) );=0D
+=0D
+ // With a policy, make sure that all attributes pass.=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_NV_BS_RT,=0D
+ sizeof(DummyData),=0D
+ DummyData );=0D
+ UT_ASSERT_NOT_EFI_ERROR( PolicyCheck );=0D
+=0D
+ // With a policy, make sure that all attributes -- plus some -- pass.=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_NV_BS_RT_AT,=0D
+ sizeof(DummyData),=0D
+ DummyData );=0D
+ UT_ASSERT_NOT_EFI_ERROR( PolicyCheck );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+AttributeCantPoliciesShouldBeHonored (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ SIMPLE_VARIABLE_POLICY_ENTRY ValidationPolicy =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ sizeof(VARIABLE_POLICY_ENTRY) + sizeof(TEST_VAR_1_NAME),=0D
+ sizeof(VARIABLE_POLICY_ENTRY),=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_NULL,=0D
+ TEST_POLICY_MAX_SIZE_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS,=0D
+ VARIABLE_POLICY_TYPE_NO_LOCK=0D
+ },=0D
+ TEST_VAR_1_NAME=0D
+ };=0D
+ EFI_STATUS PolicyCheck;=0D
+ UINT8 DummyData[12];=0D
+=0D
+=0D
+ // Without a policy, there should be no constraints on variable creation=
.=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ sizeof(DummyData),=0D
+ DummyData );=0D
+ UT_ASSERT_NOT_EFI_ERROR( PolicyCheck );=0D
+=0D
+ // Set a policy to test against.=0D
+ UT_ASSERT_NOT_EFI_ERROR( RegisterVariablePolicy( &ValidationPolicy.Heade=
r ) );=0D
+=0D
+ // With a policy, make sure that forbidden attributes fail.=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ EFI_VARIABLE_TIME_BASED_AUTHENTICATED_=
WRITE_ACCESS,=0D
+ sizeof(DummyData),=0D
+ DummyData );=0D
+ UT_ASSERT_TRUE( EFI_ERROR( PolicyCheck ) );=0D
+=0D
+ // With a policy, make sure that a mixture of attributes -- including th=
e forbidden -- fail.=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ sizeof(DummyData),=0D
+ DummyData );=0D
+ UT_ASSERT_TRUE( EFI_ERROR( PolicyCheck ) );=0D
+=0D
+ // With a policy, make sure that attributes without the forbidden pass.=
=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_NV_BS_RT,=0D
+ sizeof(DummyData),=0D
+ DummyData );=0D
+ UT_ASSERT_NOT_EFI_ERROR( PolicyCheck );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+VariablesShouldBeDeletableRegardlessOfSize (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ SIMPLE_VARIABLE_POLICY_ENTRY ValidationPolicy =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ sizeof(VARIABLE_POLICY_ENTRY) + sizeof(TEST_VAR_1_NAME),=0D
+ sizeof(VARIABLE_POLICY_ENTRY),=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_10,=0D
+ TEST_POLICY_MAX_SIZE_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS,=0D
+ VARIABLE_POLICY_TYPE_NO_LOCK=0D
+ },=0D
+ TEST_VAR_1_NAME=0D
+ };=0D
+ EFI_STATUS PolicyCheck;=0D
+ UINT8 DummyData[TEST_POLICY_MAX_SIZE_200+1];=0D
+=0D
+ // Create a policy enforcing a minimum variable size.=0D
+ UT_ASSERT_NOT_EFI_ERROR( RegisterVariablePolicy( &ValidationPolicy.Heade=
r ) );=0D
+=0D
+ // Make sure that a normal set would fail.=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_NV_BS,=0D
+ TEST_POLICY_MIN_SIZE_10-1,=0D
+ DummyData );=0D
+ UT_ASSERT_STATUS_EQUAL( PolicyCheck, EFI_INVALID_PARAMETER );=0D
+=0D
+ // Now make sure that a delete would succeed.=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_NV_BS,=0D
+ 0,=0D
+ NULL );=0D
+ UT_ASSERT_NOT_EFI_ERROR( PolicyCheck );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+LockNowPoliciesShouldBeHonored (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ SIMPLE_VARIABLE_POLICY_ENTRY ValidationPolicy =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ sizeof(VARIABLE_POLICY_ENTRY) + sizeof(TEST_VAR_1_NAME),=0D
+ sizeof(VARIABLE_POLICY_ENTRY),=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_NULL,=0D
+ TEST_POLICY_MAX_SIZE_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ VARIABLE_POLICY_TYPE_LOCK_NOW=0D
+ },=0D
+ TEST_VAR_1_NAME=0D
+ };=0D
+ EFI_STATUS PolicyCheck;=0D
+ UINT8 DummyData[12];=0D
+=0D
+=0D
+ // Without a policy, there should be no constraints on variable creation=
.=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ sizeof(DummyData),=0D
+ DummyData );=0D
+ UT_ASSERT_NOT_EFI_ERROR( PolicyCheck );=0D
+=0D
+ // Set a policy to test against.=0D
+ UT_ASSERT_NOT_EFI_ERROR( RegisterVariablePolicy( &ValidationPolicy.Heade=
r ) );=0D
+=0D
+ // With a policy, make sure that writes immediately fail.=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ sizeof(DummyData),=0D
+ DummyData );=0D
+ UT_ASSERT_TRUE( EFI_ERROR( PolicyCheck ) );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+LockOnCreatePoliciesShouldBeHonored (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ SIMPLE_VARIABLE_POLICY_ENTRY ValidationPolicy =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ sizeof(VARIABLE_POLICY_ENTRY) + sizeof(TEST_VAR_1_NAME),=0D
+ sizeof(VARIABLE_POLICY_ENTRY),=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_NULL,=0D
+ TEST_POLICY_MAX_SIZE_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ VARIABLE_POLICY_TYPE_LOCK_ON_CREATE=0D
+ },=0D
+ TEST_VAR_1_NAME=0D
+ };=0D
+ EFI_STATUS PolicyCheck;=0D
+ UINT8 DummyData[12];=0D
+ UINTN ExpectedDataSize;=0D
+=0D
+=0D
+ // Without a policy, there should be no constraints on variable creation=
.=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ sizeof(DummyData),=0D
+ DummyData );=0D
+ UT_ASSERT_NOT_EFI_ERROR( PolicyCheck );=0D
+=0D
+ // Set a policy to test against.=0D
+ UT_ASSERT_NOT_EFI_ERROR( RegisterVariablePolicy( &ValidationPolicy.Heade=
r ) );=0D
+=0D
+ // Set consistent expectations on what the calls are looking for.=0D
+ expect_memory_count( StubGetVariableNull, VariableName, TEST_VAR_1_NAME,=
sizeof(TEST_VAR_1_NAME), 2 );=0D
+ expect_memory_count( StubGetVariableNull, VendorGuid, &mTestGuid1, sizeo=
f(mTestGuid1), 2 );=0D
+ ExpectedDataSize =3D 0;=0D
+ expect_memory_count( StubGetVariableNull, DataSize, &ExpectedDataSize, s=
izeof(ExpectedDataSize), 2 );=0D
+=0D
+ // With a policy, make sure that writes still work, since the variable d=
oesn't exist.=0D
+ will_return( StubGetVariableNull, TEST_POLICY_ATTRIBUTES_NULL ); // A=
ttributes=0D
+ will_return( StubGetVariableNull, 0 ); // S=
ize=0D
+ will_return( StubGetVariableNull, NULL ); // D=
ataPtr=0D
+ will_return( StubGetVariableNull, EFI_NOT_FOUND ); // S=
tatus=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ sizeof(DummyData),=0D
+ DummyData );=0D
+ UT_ASSERT_NOT_EFI_ERROR( PolicyCheck );=0D
+=0D
+ // With a policy, make sure that a call with an "existing" variable fail=
s.=0D
+ will_return( StubGetVariableNull, TEST_POLICY_ATTRIBUTES_NULL ); // A=
ttributes=0D
+ will_return( StubGetVariableNull, 10 ); // S=
ize=0D
+ will_return( StubGetVariableNull, NULL ); // D=
ataPtr=0D
+ will_return( StubGetVariableNull, EFI_BUFFER_TOO_SMALL ); // S=
tatus=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ sizeof(DummyData),=0D
+ DummyData );=0D
+ UT_ASSERT_TRUE( EFI_ERROR( PolicyCheck ) );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+LockOnStatePoliciesShouldBeHonored (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ EXPANDED_VARIABLE_POLICY_ENTRY ValidationPolicy =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ 0, // Will be populated by init helper.=0D
+ 0, // Will be populated by init helper.=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_NULL,=0D
+ TEST_POLICY_MAX_SIZE_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE=0D
+ },=0D
+ {=0D
+ TEST_GUID_2,=0D
+ 20, // Value=0D
+ 0 // Padding=0D
+ },=0D
+ L"",=0D
+ L""=0D
+ };=0D
+ EFI_STATUS PolicyCheck;=0D
+ UINT8 DummyData[12];=0D
+ UINT8 ValidationStateVar;=0D
+ UINTN ExpectedDataSize;=0D
+ UT_ASSERT_TRUE( InitExpVarPolicyStrings( &ValidationPolicy, TEST_VAR_1_N=
AME, TEST_VAR_2_NAME ) );=0D
+=0D
+=0D
+ // Without a policy, there should be no constraints on variable creation=
.=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ sizeof(DummyData),=0D
+ DummyData );=0D
+ UT_ASSERT_NOT_EFI_ERROR( PolicyCheck );=0D
+=0D
+ // Set a policy to test against.=0D
+ UT_ASSERT_NOT_EFI_ERROR( RegisterVariablePolicy( &ValidationPolicy.Heade=
r ) );=0D
+=0D
+ // Set consistent expectations on what the calls are looking for.=0D
+ expect_memory_count( StubGetVariableNull, VariableName, TEST_VAR_2_NAME,=
sizeof(TEST_VAR_2_NAME), 5 );=0D
+ expect_memory_count( StubGetVariableNull, VendorGuid, &mTestGuid2, sizeo=
f(mTestGuid2), 5 );=0D
+ ExpectedDataSize =3D 1;=0D
+ expect_memory_count( StubGetVariableNull, DataSize, &ExpectedDataSize, s=
izeof(ExpectedDataSize), 5 );=0D
+=0D
+ // With a policy, make sure that writes still work, since the variable d=
oesn't exist.=0D
+ will_return( StubGetVariableNull, TEST_POLICY_ATTRIBUTES_NULL ); // A=
ttributes=0D
+ will_return( StubGetVariableNull, 0 ); // S=
ize=0D
+ will_return( StubGetVariableNull, NULL ); // D=
ataPtr=0D
+ will_return( StubGetVariableNull, EFI_NOT_FOUND ); // S=
tatus=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ sizeof(DummyData),=0D
+ DummyData );=0D
+ UT_ASSERT_NOT_EFI_ERROR( PolicyCheck );=0D
+=0D
+ // With a policy, make sure that a state variable that's too large doesn=
't lock the variable.=0D
+ will_return( StubGetVariableNull, TEST_POLICY_ATTRIBUTES_NULL ); // A=
ttributes=0D
+ will_return( StubGetVariableNull, 10 ); // S=
ize=0D
+ will_return( StubGetVariableNull, NULL ); // D=
ataPtr=0D
+ will_return( StubGetVariableNull, EFI_BUFFER_TOO_SMALL ); // S=
tatus=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ sizeof(DummyData),=0D
+ DummyData );=0D
+ UT_ASSERT_NOT_EFI_ERROR( PolicyCheck );=0D
+=0D
+ // With a policy, check a state variable with the wrong value.=0D
+ ValidationStateVar =3D 0;=0D
+ will_return( StubGetVariableNull, TEST_POLICY_ATTRIBUTES_NULL ); // A=
ttributes=0D
+ will_return( StubGetVariableNull, sizeof(ValidationStateVar) ); // S=
ize=0D
+ will_return( StubGetVariableNull, &ValidationStateVar ); // D=
ataPtr=0D
+ will_return( StubGetVariableNull, EFI_SUCCESS ); // S=
tatus=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ sizeof(DummyData),=0D
+ DummyData );=0D
+ UT_ASSERT_NOT_EFI_ERROR( PolicyCheck );=0D
+=0D
+ // With a policy, check a state variable with another wrong value.=0D
+ ValidationStateVar =3D 10;=0D
+ will_return( StubGetVariableNull, TEST_POLICY_ATTRIBUTES_NULL ); // A=
ttributes=0D
+ will_return( StubGetVariableNull, sizeof(ValidationStateVar) ); // S=
ize=0D
+ will_return( StubGetVariableNull, &ValidationStateVar ); // D=
ataPtr=0D
+ will_return( StubGetVariableNull, EFI_SUCCESS ); // S=
tatus=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ sizeof(DummyData),=0D
+ DummyData );=0D
+ UT_ASSERT_NOT_EFI_ERROR( PolicyCheck );=0D
+=0D
+ // With a policy, make sure that a call with a correct state variable fa=
ils.=0D
+ ValidationStateVar =3D 20;=0D
+ will_return( StubGetVariableNull, TEST_POLICY_ATTRIBUTES_NULL ); // A=
ttributes=0D
+ will_return( StubGetVariableNull, sizeof(ValidationStateVar) ); // S=
ize=0D
+ will_return( StubGetVariableNull, &ValidationStateVar ); // D=
ataPtr=0D
+ will_return( StubGetVariableNull, EFI_SUCCESS ); // S=
tatus=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ sizeof(DummyData),=0D
+ DummyData );=0D
+ UT_ASSERT_TRUE( EFI_ERROR( PolicyCheck ) );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+LockOnStatePoliciesShouldApplyToNamespaces (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ EXPANDED_VARIABLE_POLICY_ENTRY ValidationPolicy =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ 0, // Will be populated by init helper.=0D
+ 0, // Will be populated by init helper.=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_NULL,=0D
+ TEST_POLICY_MAX_SIZE_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE=0D
+ },=0D
+ {=0D
+ TEST_GUID_2,=0D
+ 20, // Value=0D
+ 0 // Padding=0D
+ },=0D
+ L"",=0D
+ L""=0D
+ };=0D
+ EFI_STATUS PolicyCheck;=0D
+ UINT8 DummyData[12];=0D
+ UINT8 ValidationStateVar;=0D
+ UINTN ExpectedDataSize;=0D
+ UT_ASSERT_TRUE( InitExpVarPolicyStrings( &ValidationPolicy, NULL, TEST_V=
AR_2_NAME ) );=0D
+=0D
+=0D
+ // Without a policy, there should be no constraints on variable creation=
.=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ sizeof(DummyData),=0D
+ DummyData );=0D
+ UT_ASSERT_NOT_EFI_ERROR( PolicyCheck );=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_3_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ sizeof(DummyData),=0D
+ DummyData );=0D
+ UT_ASSERT_NOT_EFI_ERROR( PolicyCheck );=0D
+=0D
+ // Set a policy to test against.=0D
+ UT_ASSERT_NOT_EFI_ERROR( RegisterVariablePolicy( &ValidationPolicy.Heade=
r ) );=0D
+=0D
+ // Set consistent expectations on what the calls are looking for.=0D
+ expect_memory_count( StubGetVariableNull, VariableName, TEST_VAR_2_NAME,=
sizeof(TEST_VAR_2_NAME), 4 );=0D
+ expect_memory_count( StubGetVariableNull, VendorGuid, &mTestGuid2, sizeo=
f(mTestGuid2), 4 );=0D
+ ExpectedDataSize =3D 1;=0D
+ expect_memory_count( StubGetVariableNull, DataSize, &ExpectedDataSize, s=
izeof(ExpectedDataSize), 4 );=0D
+=0D
+ // With a policy, make sure that writes still work, since the variable d=
oesn't exist.=0D
+ will_return( StubGetVariableNull, TEST_POLICY_ATTRIBUTES_NULL ); // A=
ttributes=0D
+ will_return( StubGetVariableNull, 0 ); // S=
ize=0D
+ will_return( StubGetVariableNull, NULL ); // D=
ataPtr=0D
+ will_return( StubGetVariableNull, EFI_NOT_FOUND ); // S=
tatus=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ sizeof(DummyData),=0D
+ DummyData );=0D
+ UT_ASSERT_NOT_EFI_ERROR( PolicyCheck );=0D
+ will_return( StubGetVariableNull, TEST_POLICY_ATTRIBUTES_NULL ); // A=
ttributes=0D
+ will_return( StubGetVariableNull, 0 ); // S=
ize=0D
+ will_return( StubGetVariableNull, NULL ); // D=
ataPtr=0D
+ will_return( StubGetVariableNull, EFI_NOT_FOUND ); // S=
tatus=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_3_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ sizeof(DummyData),=0D
+ DummyData );=0D
+ UT_ASSERT_NOT_EFI_ERROR( PolicyCheck );=0D
+=0D
+ // With a policy, make sure that a call with a correct state variable fa=
ils.=0D
+ ValidationStateVar =3D 20;=0D
+ will_return( StubGetVariableNull, TEST_POLICY_ATTRIBUTES_NULL ); // A=
ttributes=0D
+ will_return( StubGetVariableNull, sizeof(ValidationStateVar) ); // S=
ize=0D
+ will_return( StubGetVariableNull, &ValidationStateVar ); // D=
ataPtr=0D
+ will_return( StubGetVariableNull, EFI_SUCCESS ); // S=
tatus=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ sizeof(DummyData),=0D
+ DummyData );=0D
+ UT_ASSERT_TRUE( EFI_ERROR( PolicyCheck ) );=0D
+ will_return( StubGetVariableNull, TEST_POLICY_ATTRIBUTES_NULL ); // A=
ttributes=0D
+ will_return( StubGetVariableNull, sizeof(ValidationStateVar) ); // S=
ize=0D
+ will_return( StubGetVariableNull, &ValidationStateVar ); // D=
ataPtr=0D
+ will_return( StubGetVariableNull, EFI_SUCCESS ); // S=
tatus=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_3_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ sizeof(DummyData),=0D
+ DummyData );=0D
+ UT_ASSERT_TRUE( EFI_ERROR( PolicyCheck ) );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+LockOnStateShouldHandleErrorsGracefully (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ EXPANDED_VARIABLE_POLICY_ENTRY ValidationPolicy =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ 0, // Will be populated by init helper.=0D
+ 0, // Will be populated by init helper.=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_NULL,=0D
+ TEST_POLICY_MAX_SIZE_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE=0D
+ },=0D
+ {=0D
+ TEST_GUID_2,=0D
+ 20, // Value=0D
+ 0 // Padding=0D
+ },=0D
+ L"",=0D
+ L""=0D
+ };=0D
+ EFI_STATUS PolicyCheck;=0D
+ UINT8 DummyData[12];=0D
+ UT_ASSERT_TRUE( InitExpVarPolicyStrings( &ValidationPolicy, TEST_VAR_1_N=
AME, TEST_VAR_2_NAME ) );=0D
+=0D
+=0D
+ // Without a policy, there should be no constraints on variable creation=
.=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ sizeof(DummyData),=0D
+ DummyData );=0D
+ UT_ASSERT_NOT_EFI_ERROR( PolicyCheck );=0D
+=0D
+ // Set a policy to test against.=0D
+ UT_ASSERT_NOT_EFI_ERROR( RegisterVariablePolicy( &ValidationPolicy.Heade=
r ) );=0D
+=0D
+ // Configure the stub to not care about parameters. We're testing errors=
.=0D
+ expect_any_always( StubGetVariableNull, VariableName );=0D
+ expect_any_always( StubGetVariableNull, VendorGuid );=0D
+ expect_any_always( StubGetVariableNull, DataSize );=0D
+=0D
+ // With a policy, make sure that writes still work, since the variable d=
oesn't exist.=0D
+ will_return( StubGetVariableNull, TEST_POLICY_ATTRIBUTES_NULL ); // A=
ttributes=0D
+ will_return( StubGetVariableNull, 0 ); // S=
ize=0D
+ will_return( StubGetVariableNull, NULL ); // D=
ataPtr=0D
+ will_return( StubGetVariableNull, EFI_NOT_FOUND ); // S=
tatus=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ sizeof(DummyData),=0D
+ DummyData );=0D
+ UT_ASSERT_NOT_EFI_ERROR( PolicyCheck );=0D
+=0D
+ // Verify that state variables that are the wrong size won't lock the va=
riable.=0D
+ will_return( StubGetVariableNull, TEST_POLICY_ATTRIBUTES_NULL ); // A=
ttributes=0D
+ will_return( StubGetVariableNull, 0 ); // S=
ize=0D
+ will_return( StubGetVariableNull, NULL ); // D=
ataPtr=0D
+ will_return( StubGetVariableNull, EFI_BUFFER_TOO_SMALL ); // S=
tatus=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ sizeof(DummyData),=0D
+ DummyData );=0D
+ UT_ASSERT_NOT_EFI_ERROR( PolicyCheck );=0D
+=0D
+ // Verify that unexpected errors default to locked.=0D
+ will_return( StubGetVariableNull, TEST_POLICY_ATTRIBUTES_NULL ); // A=
ttributes=0D
+ will_return( StubGetVariableNull, 0 ); // S=
ize=0D
+ will_return( StubGetVariableNull, NULL ); // D=
ataPtr=0D
+ will_return( StubGetVariableNull, EFI_UNSUPPORTED ); // S=
tatus=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ sizeof(DummyData),=0D
+ DummyData );=0D
+ UT_ASSERT_TRUE( EFI_ERROR( PolicyCheck ) );=0D
+=0D
+ will_return( StubGetVariableNull, TEST_POLICY_ATTRIBUTES_NULL ); // A=
ttributes=0D
+ will_return( StubGetVariableNull, 0 ); // S=
ize=0D
+ will_return( StubGetVariableNull, NULL ); // D=
ataPtr=0D
+ will_return( StubGetVariableNull, EFI_NOT_READY ); // S=
tatus=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ sizeof(DummyData),=0D
+ DummyData );=0D
+ UT_ASSERT_TRUE( EFI_ERROR( PolicyCheck ) );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+BestMatchPriorityShouldBeObeyed (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ SIMPLE_VARIABLE_POLICY_ENTRY ValidationPolicy =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ sizeof(VARIABLE_POLICY_ENTRY) + sizeof(L"Wild12Card34Placeholder"),=
=0D
+ sizeof(VARIABLE_POLICY_ENTRY),=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_NULL,=0D
+ TEST_POLICY_MAX_SIZE_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ VARIABLE_POLICY_TYPE_NO_LOCK=0D
+ },=0D
+ L"Wild12Card34Placeholder"=0D
+ };=0D
+ EFI_STATUS PolicyCheck;=0D
+ UINT8 DummyData[70];=0D
+ CHAR16 *PolicyName =3D (CHAR16*)((UINT8*)&ValidationPolicy + sizeof=
(VARIABLE_POLICY_ENTRY));=0D
+ UINTN PolicyNameSize =3D sizeof(L"Wild12Card34Placeholder");=0D
+ CHAR16 *FourWildcards =3D L"Wild##Card##Placeholder";=0D
+ CHAR16 *ThreeWildcards =3D L"Wild##Card#4Placeholder";=0D
+ CHAR16 *TwoWildcards =3D L"Wild##Card34Placeholder";=0D
+ CHAR16 *OneWildcard =3D L"Wild#2Card34Placeholder";=0D
+ CHAR16 *NoWildcards =3D L"Wild12Card34Placeholder";=0D
+=0D
+ // Create all of the policies from least restrictive to most restrictive=
.=0D
+ // NoWildcards should be the most restrictive.=0D
+ ValidationPolicy.Header.MaxSize =3D 60;=0D
+ ValidationPolicy.Header.Size =3D ValidationPolicy.Header.OffsetToName;=0D
+ UT_ASSERT_NOT_EFI_ERROR( RegisterVariablePolicy( &ValidationPolicy.Heade=
r ) );=0D
+ ValidationPolicy.Header.Size +=3D (UINT16)PolicyNameSize;=0D
+ ValidationPolicy.Header.MaxSize =3D 50;=0D
+ CopyMem( PolicyName, FourWildcards, PolicyNameSize );=0D
+ UT_ASSERT_NOT_EFI_ERROR( RegisterVariablePolicy( &ValidationPolicy.Heade=
r ) );=0D
+ ValidationPolicy.Header.MaxSize =3D 40;=0D
+ CopyMem( PolicyName, ThreeWildcards, PolicyNameSize );=0D
+ UT_ASSERT_NOT_EFI_ERROR( RegisterVariablePolicy( &ValidationPolicy.Heade=
r ) );=0D
+ ValidationPolicy.Header.MaxSize =3D 30;=0D
+ CopyMem( PolicyName, TwoWildcards, PolicyNameSize );=0D
+ UT_ASSERT_NOT_EFI_ERROR( RegisterVariablePolicy( &ValidationPolicy.Heade=
r ) );=0D
+ ValidationPolicy.Header.MaxSize =3D 20;=0D
+ CopyMem( PolicyName, OneWildcard, PolicyNameSize );=0D
+ UT_ASSERT_NOT_EFI_ERROR( RegisterVariablePolicy( &ValidationPolicy.Heade=
r ) );=0D
+ ValidationPolicy.Header.MaxSize =3D 10;=0D
+ CopyMem( PolicyName, NoWildcards, PolicyNameSize );=0D
+ UT_ASSERT_NOT_EFI_ERROR( RegisterVariablePolicy( &ValidationPolicy.Heade=
r ) );=0D
+=0D
+ // Verify that variables only matching the namespace have the most flexi=
ble policy.=0D
+ PolicyCheck =3D ValidateSetVariable( L"ArbitraryName",=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ 65,=0D
+ DummyData );=0D
+ UT_ASSERT_TRUE( EFI_ERROR( PolicyCheck ) );=0D
+ PolicyCheck =3D ValidateSetVariable( L"ArbitraryName",=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ 55,=0D
+ DummyData );=0D
+ UT_ASSERT_NOT_EFI_ERROR( PolicyCheck );=0D
+=0D
+ // Verify that variables matching increasing characters get increasing p=
olicy restrictions.=0D
+ PolicyCheck =3D ValidateSetVariable( L"Wild77Card77Placeholder",=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ 55,=0D
+ DummyData );=0D
+ UT_ASSERT_TRUE( EFI_ERROR( PolicyCheck ) );=0D
+ PolicyCheck =3D ValidateSetVariable( L"Wild77Card77Placeholder",=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ 45,=0D
+ DummyData );=0D
+ UT_ASSERT_NOT_EFI_ERROR( PolicyCheck );=0D
+=0D
+ PolicyCheck =3D ValidateSetVariable( L"Wild77Card74Placeholder",=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ 45,=0D
+ DummyData );=0D
+ UT_ASSERT_TRUE( EFI_ERROR( PolicyCheck ) );=0D
+ PolicyCheck =3D ValidateSetVariable( L"Wild77Card74Placeholder",=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ 35,=0D
+ DummyData );=0D
+ UT_ASSERT_NOT_EFI_ERROR( PolicyCheck );=0D
+=0D
+ PolicyCheck =3D ValidateSetVariable( L"Wild77Card34Placeholder",=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ 35,=0D
+ DummyData );=0D
+ UT_ASSERT_TRUE( EFI_ERROR( PolicyCheck ) );=0D
+ PolicyCheck =3D ValidateSetVariable( L"Wild77Card34Placeholder",=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ 25,=0D
+ DummyData );=0D
+ UT_ASSERT_NOT_EFI_ERROR( PolicyCheck );=0D
+=0D
+ PolicyCheck =3D ValidateSetVariable( L"Wild72Card34Placeholder",=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ 25,=0D
+ DummyData );=0D
+ UT_ASSERT_TRUE( EFI_ERROR( PolicyCheck ) );=0D
+ PolicyCheck =3D ValidateSetVariable( L"Wild72Card34Placeholder",=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ 15,=0D
+ DummyData );=0D
+ UT_ASSERT_NOT_EFI_ERROR( PolicyCheck );=0D
+=0D
+ PolicyCheck =3D ValidateSetVariable( L"Wild12Card34Placeholder",=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ 15,=0D
+ DummyData );=0D
+ UT_ASSERT_TRUE( EFI_ERROR( PolicyCheck ) );=0D
+ PolicyCheck =3D ValidateSetVariable( L"Wild12Card34Placeholder",=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_BS_RT_AT,=0D
+ 5,=0D
+ DummyData );=0D
+ UT_ASSERT_NOT_EFI_ERROR( PolicyCheck );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+=0D
+///=3D=3D=3D POLICY UTILITY SUITE =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+ShouldBeAbleToLockInterface (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ SIMPLE_VARIABLE_POLICY_ENTRY TestPolicy =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ sizeof(VARIABLE_POLICY_ENTRY) + sizeof(TEST_VAR_1_NAME),=0D
+ sizeof(VARIABLE_POLICY_ENTRY),=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_NULL,=0D
+ TEST_POLICY_MAX_SIZE_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ VARIABLE_POLICY_TYPE_NO_LOCK=0D
+ },=0D
+ TEST_VAR_1_NAME=0D
+ };=0D
+=0D
+ // Make sure it's not already locked.=0D
+ UT_ASSERT_FALSE( IsVariablePolicyInterfaceLocked() );=0D
+ // Lock it.=0D
+ UT_ASSERT_NOT_EFI_ERROR( LockVariablePolicy() );=0D
+ // Verify that it's locked.=0D
+ UT_ASSERT_TRUE( IsVariablePolicyInterfaceLocked() );=0D
+=0D
+ // Verify that all state-changing commands fail.=0D
+ UT_ASSERT_TRUE( EFI_ERROR( LockVariablePolicy() ) );=0D
+ UT_ASSERT_TRUE( EFI_ERROR( DisableVariablePolicy() ) );=0D
+ UT_ASSERT_TRUE( EFI_ERROR( RegisterVariablePolicy( &TestPolicy.Header ) =
) );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+ShouldBeAbleToDisablePolicyEnforcement (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ SIMPLE_VARIABLE_POLICY_ENTRY TestPolicy =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ sizeof(VARIABLE_POLICY_ENTRY) + sizeof(TEST_VAR_1_NAME),=0D
+ sizeof(VARIABLE_POLICY_ENTRY),=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_10,=0D
+ TEST_POLICY_MAX_SIZE_200,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ VARIABLE_POLICY_TYPE_NO_LOCK=0D
+ },=0D
+ TEST_VAR_1_NAME=0D
+ };=0D
+ EFI_STATUS PolicyCheck;=0D
+ UINT8 DummyData[TEST_POLICY_MIN_SIZE_10-1];=0D
+=0D
+ // Make sure that the policy enforcement is currently enabled.=0D
+ UT_ASSERT_TRUE( IsVariablePolicyEnabled() );=0D
+ // Add a policy before it's disabled.=0D
+ UT_ASSERT_NOT_EFI_ERROR( RegisterVariablePolicy( &TestPolicy.Header ) );=
=0D
+ // Disable the policy enforcement.=0D
+ UT_ASSERT_NOT_EFI_ERROR( DisableVariablePolicy() );=0D
+ // Make sure that the policy enforcement is currently disabled.=0D
+ UT_ASSERT_FALSE( IsVariablePolicyEnabled() );=0D
+=0D
+ // Check to make sure that a policy violation still passes.=0D
+ PolicyCheck =3D ValidateSetVariable( TEST_VAR_1_NAME,=0D
+ &mTestGuid1,=0D
+ VARIABLE_ATTRIBUTE_NV_BS,=0D
+ sizeof(DummyData),=0D
+ DummyData );=0D
+ UT_ASSERT_NOT_EFI_ERROR( PolicyCheck );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+ShouldNotBeAbleToDisablePoliciesTwice (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ // Make sure that the policy enforcement is currently enabled.=0D
+ UT_ASSERT_TRUE( IsVariablePolicyEnabled() );=0D
+ // Disable the policy enforcement.=0D
+ UT_ASSERT_NOT_EFI_ERROR( DisableVariablePolicy() );=0D
+ // Make sure that the policy enforcement is currently disabled.=0D
+ UT_ASSERT_FALSE( IsVariablePolicyEnabled() );=0D
+ // Try to disable again and verify failure.=0D
+ UT_ASSERT_TRUE( EFI_ERROR( DisableVariablePolicy() ) );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+ShouldBeAbleToAddNewPoliciesAfterDisabled (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ SIMPLE_VARIABLE_POLICY_ENTRY TestPolicy =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ sizeof(VARIABLE_POLICY_ENTRY) + sizeof(TEST_VAR_1_NAME),=0D
+ sizeof(VARIABLE_POLICY_ENTRY),=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_10,=0D
+ TEST_POLICY_MAX_SIZE_200,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ VARIABLE_POLICY_TYPE_NO_LOCK=0D
+ },=0D
+ TEST_VAR_1_NAME=0D
+ };=0D
+ EFI_STATUS PolicyCheck;=0D
+=0D
+ // Make sure that the policy enforcement is currently enabled.=0D
+ UT_ASSERT_TRUE( IsVariablePolicyEnabled() );=0D
+ // Disable the policy enforcement.=0D
+ UT_ASSERT_NOT_EFI_ERROR( DisableVariablePolicy() );=0D
+=0D
+ // Make sure that new policy creation still works, it just won't be enfo=
rced.=0D
+ PolicyCheck =3D RegisterVariablePolicy( &TestPolicy.Header );=0D
+ UT_ASSERT_NOT_EFI_ERROR( PolicyCheck );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+ShouldBeAbleToLockAfterDisabled (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ // Make sure that the policy enforcement is currently enabled.=0D
+ UT_ASSERT_TRUE( IsVariablePolicyEnabled() );=0D
+ // Disable the policy enforcement.=0D
+ UT_ASSERT_NOT_EFI_ERROR( DisableVariablePolicy() );=0D
+=0D
+ // Make sure that we can lock in this state.=0D
+ UT_ASSERT_FALSE( IsVariablePolicyInterfaceLocked() );=0D
+ UT_ASSERT_NOT_EFI_ERROR( LockVariablePolicy() );=0D
+ UT_ASSERT_TRUE( IsVariablePolicyInterfaceLocked() );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+ShouldBeAbleToDumpThePolicyTable (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ SIMPLE_VARIABLE_POLICY_ENTRY TestPolicy =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ sizeof(VARIABLE_POLICY_ENTRY) + sizeof(TEST_VAR_1_NAME),=0D
+ sizeof(VARIABLE_POLICY_ENTRY),=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_10,=0D
+ TEST_POLICY_MAX_SIZE_200,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ VARIABLE_POLICY_TYPE_NO_LOCK=0D
+ },=0D
+ TEST_VAR_1_NAME=0D
+ };=0D
+ EFI_STATUS PolicyCheck;=0D
+ UINT32 DumpSize;=0D
+ UINT32 BufferSize;=0D
+ VOID *DumpBuffer;=0D
+=0D
+ // For good measure, test some parameter validation.=0D
+ UT_ASSERT_STATUS_EQUAL( DumpVariablePolicy( NULL, NULL ), EFI_INVALID_PA=
RAMETER );=0D
+ DumpSize =3D 10;=0D
+ UT_ASSERT_STATUS_EQUAL( DumpVariablePolicy( NULL, &DumpSize ), EFI_INVAL=
ID_PARAMETER );=0D
+=0D
+ // Now for the actual test case.=0D
+=0D
+ // Allocate a buffer to hold the output.=0D
+ BufferSize =3D sizeof(VARIABLE_POLICY_ENTRY) + sizeof(TEST_VAR_1_NAME);=
=0D
+ DumpBuffer =3D AllocatePool( BufferSize );=0D
+ UT_ASSERT_NOT_EQUAL( DumpBuffer, NULL );=0D
+=0D
+ // Verify that the current table size is 0.=0D
+ DumpSize =3D BufferSize;=0D
+ UT_ASSERT_NOT_EFI_ERROR( DumpVariablePolicy( DumpBuffer, &DumpSize ) );=
=0D
+ UT_ASSERT_EQUAL( DumpSize, 0 );=0D
+=0D
+ // Now, set a new policy.=0D
+ UT_ASSERT_NOT_EFI_ERROR( RegisterVariablePolicy( &TestPolicy.Header ) );=
=0D
+=0D
+ // Make sure that the new return is non-zero and fails as expected.=0D
+ DumpSize =3D 0;=0D
+ PolicyCheck =3D DumpVariablePolicy( NULL, &DumpSize );=0D
+ UT_ASSERT_STATUS_EQUAL( PolicyCheck, EFI_BUFFER_TOO_SMALL );=0D
+ UT_ASSERT_EQUAL( DumpSize, BufferSize );=0D
+=0D
+ // Now verify that we can fetch the dump.=0D
+ DumpSize =3D BufferSize;=0D
+ UT_ASSERT_NOT_EFI_ERROR( DumpVariablePolicy( DumpBuffer, &DumpSize ) );=
=0D
+ UT_ASSERT_EQUAL( DumpSize, BufferSize );=0D
+ UT_ASSERT_MEM_EQUAL( &TestPolicy, DumpBuffer, BufferSize );=0D
+=0D
+ // Always put away your toys.=0D
+ FreePool( DumpBuffer );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+/**=0D
+ Test Case=0D
+*/=0D
+UNIT_TEST_STATUS=0D
+EFIAPI=0D
+ShouldBeAbleToDumpThePolicyTableAfterDisabled (=0D
+ IN UNIT_TEST_CONTEXT Context=0D
+ )=0D
+{=0D
+ SIMPLE_VARIABLE_POLICY_ENTRY TestPolicy =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ sizeof(VARIABLE_POLICY_ENTRY) + sizeof(TEST_VAR_1_NAME),=0D
+ sizeof(VARIABLE_POLICY_ENTRY),=0D
+ TEST_GUID_1,=0D
+ TEST_POLICY_MIN_SIZE_10,=0D
+ TEST_POLICY_MAX_SIZE_200,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ VARIABLE_POLICY_TYPE_NO_LOCK=0D
+ },=0D
+ TEST_VAR_1_NAME=0D
+ };=0D
+ SIMPLE_VARIABLE_POLICY_ENTRY TestPolicy2 =3D {=0D
+ {=0D
+ VARIABLE_POLICY_ENTRY_REVISION,=0D
+ sizeof(VARIABLE_POLICY_ENTRY) + sizeof(TEST_VAR_2_NAME),=0D
+ sizeof(VARIABLE_POLICY_ENTRY),=0D
+ TEST_GUID_2,=0D
+ TEST_POLICY_MIN_SIZE_10,=0D
+ TEST_POLICY_MAX_SIZE_200,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ TEST_POLICY_ATTRIBUTES_NULL,=0D
+ VARIABLE_POLICY_TYPE_NO_LOCK=0D
+ },=0D
+ TEST_VAR_2_NAME=0D
+ };=0D
+ EFI_STATUS PolicyCheck;=0D
+ UINT32 DumpSize;=0D
+ VOID *DumpBuffer;=0D
+=0D
+ DumpBuffer =3D NULL;=0D
+ DumpSize =3D 0;=0D
+=0D
+ // Register a new policy.=0D
+ UT_ASSERT_NOT_EFI_ERROR( RegisterVariablePolicy( &TestPolicy.Header ) );=
=0D
+ // Make sure that we can dump the policy.=0D
+ PolicyCheck =3D DumpVariablePolicy( DumpBuffer, &DumpSize );=0D
+ UT_ASSERT_STATUS_EQUAL( PolicyCheck, EFI_BUFFER_TOO_SMALL );=0D
+ DumpBuffer =3D AllocatePool( DumpSize );=0D
+ UT_ASSERT_NOT_EFI_ERROR( DumpVariablePolicy( DumpBuffer, &DumpSize ) );=
=0D
+ UT_ASSERT_MEM_EQUAL( DumpBuffer, &TestPolicy, DumpSize );=0D
+=0D
+ // Clean up from this step.=0D
+ FreePool( DumpBuffer );=0D
+ DumpBuffer =3D NULL;=0D
+ DumpSize =3D 0;=0D
+=0D
+ // Now disable the engine.=0D
+ DisableVariablePolicy();=0D
+=0D
+ // Now register a new policy and make sure that both can be dumped.=0D
+ UT_ASSERT_NOT_EFI_ERROR( RegisterVariablePolicy( &TestPolicy2.Header ) )=
;=0D
+ // Make sure that we can dump the policy.=0D
+ PolicyCheck =3D DumpVariablePolicy( DumpBuffer, &DumpSize );=0D
+ UT_ASSERT_STATUS_EQUAL( PolicyCheck, EFI_BUFFER_TOO_SMALL );=0D
+ DumpBuffer =3D AllocatePool( DumpSize );=0D
+ UT_ASSERT_NOT_EFI_ERROR( DumpVariablePolicy( DumpBuffer, &DumpSize ) );=
=0D
+=0D
+ // Finally, make sure that both policies are in the dump.=0D
+ UT_ASSERT_MEM_EQUAL( DumpBuffer, &TestPolicy, TestPolicy.Header.Size );=
=0D
+ UT_ASSERT_MEM_EQUAL( (UINT8*)DumpBuffer + TestPolicy.Header.Size,=0D
+ &TestPolicy2,=0D
+ TestPolicy2.Header.Size );=0D
+=0D
+ // Always put away your toys.=0D
+ FreePool( DumpBuffer );=0D
+=0D
+ return UNIT_TEST_PASSED;=0D
+}=0D
+=0D
+=0D
+///=3D=3D=3D TEST ENGINE =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0D
+=0D
+/**=0D
+ SampleUnitTestApp=0D
+=0D
+ @param[in] ImageHandle The firmware allocated handle for the EFI image.=
=0D
+ @param[in] SystemTable A pointer to the EFI System Table.=0D
+=0D
+ @retval EFI_SUCCESS The entry point executed successfully.=0D
+ @retval other Some error occured when executing this entry poi=
nt.=0D
+=0D
+**/=0D
+int=0D
+main (=0D
+ )=0D
+{=0D
+ EFI_STATUS Status;=0D
+ UNIT_TEST_FRAMEWORK_HANDLE Framework =3D NULL;=0D
+ UNIT_TEST_SUITE_HANDLE ArchTests;=0D
+ UNIT_TEST_SUITE_HANDLE PolicyTests;=0D
+ UNIT_TEST_SUITE_HANDLE UtilityTests;=0D
+#ifdef INTERNAL_UNIT_TEST=0D
+ UNIT_TEST_SUITE_HANDLE InternalTests;=0D
+#endif // INTERNAL_UNIT_TEST=0D
+=0D
+ DEBUG(( DEBUG_INFO, "%a v%a\n", UNIT_TEST_NAME, UNIT_TEST_VERSION ));=0D
+=0D
+ //=0D
+ // Start setting up the test framework for running the tests.=0D
+ //=0D
+ Status =3D InitUnitTestFramework( &Framework, UNIT_TEST_NAME, gEfiCaller=
BaseName, UNIT_TEST_VERSION );=0D
+ if (EFI_ERROR( Status ))=0D
+ {=0D
+ DEBUG((DEBUG_ERROR, "Failed in InitUnitTestFramework. Status =3D %r\n"=
, Status));=0D
+ goto EXIT;=0D
+ }=0D
+=0D
+=0D
+ //=0D
+ // Add all test suites and tests.=0D
+ //=0D
+ Status =3D CreateUnitTestSuite( &ArchTests, Framework, "Variable Policy =
Architectural Tests", "VarPolicy.Arch", NULL, NULL );=0D
+ if (EFI_ERROR( Status ))=0D
+ {=0D
+ DEBUG((DEBUG_ERROR, "Failed in CreateUnitTestSuite for ArchTests\n"));=
=0D
+ Status =3D EFI_OUT_OF_RESOURCES;=0D
+ goto EXIT;=0D
+ }=0D
+ AddTestCase( ArchTests,=0D
+ "Deinitialization should fail if not previously initialize=
d", "VarPolicy.Arch.OnlyDeinit",=0D
+ ShouldFailDeinitWithoutInit, NULL, NULL, NULL );=0D
+ AddTestCase( ArchTests,=0D
+ "Initialization followed by deinitialization should succee=
d", "VarPolicy.Arch.InitDeinit",=0D
+ ShouldBeAbleToInitAndDeinitTheLibrary, NULL, NULL, NULL );=
=0D
+ AddTestCase( ArchTests,=0D
+ "The initialization function fail if called twice without =
a deinit", "VarPolicy.Arch.InitTwice",=0D
+ ShouldNotBeAbleToInitializeTheLibraryTwice, NULL, LibClean=
up, NULL );=0D
+ AddTestCase( ArchTests,=0D
+ "API functions should be unavailable until library is init=
ialized", "VarPolicy.Arch.UninitApiOff",=0D
+ ApiCommandsShouldNotRespondIfLibIsUninitialized, NULL, Lib=
Cleanup, NULL );=0D
+=0D
+#ifdef INTERNAL_UNIT_TEST=0D
+ Status =3D CreateUnitTestSuite( &InternalTests, Framework, "Variable Pol=
icy Internal Tests", "VarPolicy.Internal", NULL, NULL );=0D
+ if (EFI_ERROR( Status ))=0D
+ {=0D
+ DEBUG((DEBUG_ERROR, "Failed in CreateUnitTestSuite for InternalTests\n=
"));=0D
+ Status =3D EFI_OUT_OF_RESOURCES;=0D
+ goto EXIT;=0D
+ }=0D
+ AddTestCase( InternalTests,=0D
+ "Policy matching should use name and GUID", "VarPolicy.Int=
ernal.NameGuid",=0D
+ PoliciesShouldMatchByNameAndGuid, LibInitMocked, LibCleanu=
p, NULL );=0D
+ AddTestCase( InternalTests,=0D
+ "# sign wildcards should match digits", "VarPolicy.Interna=
l.WildDigits",=0D
+ WildcardPoliciesShouldMatchDigits, LibInitMocked, LibClean=
up, NULL );=0D
+ AddTestCase( InternalTests,=0D
+ "Digit wildcards should check edge cases", "VarPolicy.Inte=
rnal.WildDigitsAdvanced",=0D
+ WildcardPoliciesShouldMatchDigitsAdvanced, LibInitMocked, =
LibCleanup, NULL );=0D
+ AddTestCase( InternalTests,=0D
+ "Empty names should match an entire namespace", "VarPolicy=
.Internal.WildNamespace",=0D
+ WildcardPoliciesShouldMatchNamespaces, LibInitMocked, LibC=
leanup, NULL );=0D
+ AddTestCase( InternalTests,=0D
+ "Match priority should weight correctly based on wildcards=
", "VarPolicy.Internal.Priorities",=0D
+ MatchPrioritiesShouldFollowRules, LibInitMocked, LibCleanu=
p, NULL );=0D
+#endif // INTERNAL_UNIT_TEST=0D
+=0D
+ Status =3D CreateUnitTestSuite( &PolicyTests, Framework, "Variable Polic=
y Manipulation Tests", "VarPolicy.Policy", NULL, NULL );=0D
+ if (EFI_ERROR( Status ))=0D
+ {=0D
+ DEBUG((DEBUG_ERROR, "Failed in CreateUnitTestSuite for PolicyTests\n")=
);=0D
+ Status =3D EFI_OUT_OF_RESOURCES;=0D
+ goto EXIT;=0D
+ }=0D
+ AddTestCase( PolicyTests,=0D
+ "RegisterShouldAllowNamespaceWildcards", "VarPolicy.Policy=
.AllowNamespace",=0D
+ RegisterShouldAllowNamespaceWildcards, LibInitMocked, LibC=
leanup, NULL );=0D
+ AddTestCase( PolicyTests,=0D
+ "RegisterShouldAllowStateVarsForNamespaces", "VarPolicy.Po=
licy.AllowStateNamespace",=0D
+ RegisterShouldAllowStateVarsForNamespaces, LibInitMocked, =
LibCleanup, NULL );=0D
+ AddTestCase( PolicyTests,=0D
+ "RegisterShouldRejectNullPointers", "VarPolicy.Policy.Null=
Pointers",=0D
+ RegisterShouldRejectNullPointers, LibInitMocked, LibCleanu=
p, NULL );=0D
+ AddTestCase( PolicyTests,=0D
+ "RegisterShouldRejectBadRevisions", "VarPolicy.Policy.BadR=
evisions",=0D
+ RegisterShouldRejectBadRevisions, LibInitMocked, LibCleanu=
p, NULL );=0D
+ AddTestCase( PolicyTests,=0D
+ "RegisterShouldRejectBadSizes", "VarPolicy.Policy.BadSizes=
",=0D
+ RegisterShouldRejectBadSizes, LibInitMocked, LibCleanup, N=
ULL );=0D
+ AddTestCase( PolicyTests,=0D
+ "RegisterShouldRejectBadOffsets", "VarPolicy.Policy.BadOff=
sets",=0D
+ RegisterShouldRejectBadOffsets, LibInitMocked, LibCleanup,=
NULL );=0D
+ AddTestCase( PolicyTests,=0D
+ "RegisterShouldRejectMissingStateStrings", "VarPolicy.Poli=
cy.MissingStateString",=0D
+ RegisterShouldRejectMissingStateStrings, LibInitMocked, Li=
bCleanup, NULL );=0D
+ AddTestCase( PolicyTests,=0D
+ "RegisterShouldRejectStringsMissingNull", "VarPolicy.Polic=
y.MissingNull",=0D
+ RegisterShouldRejectStringsMissingNull, LibInitMocked, Lib=
Cleanup, NULL );=0D
+ AddTestCase( PolicyTests,=0D
+ "RegisterShouldRejectMalformedStrings", "VarPolicy.Policy.=
MalformedStrings",=0D
+ RegisterShouldRejectMalformedStrings, LibInitMocked, LibCl=
eanup, NULL );=0D
+ AddTestCase( PolicyTests,=0D
+ "RegisterShouldRejectUnpackedPolicies", "VarPolicy.Policy.=
PolicyPacking",=0D
+ RegisterShouldRejectUnpackedPolicies, LibInitMocked, LibCl=
eanup, NULL );=0D
+ AddTestCase( PolicyTests,=0D
+ "RegisterShouldRejectInvalidNameCharacters", "VarPolicy.Po=
licy.InvalidCharacters",=0D
+ RegisterShouldRejectInvalidNameCharacters, LibInitMocked, =
LibCleanup, NULL );=0D
+ AddTestCase( PolicyTests,=0D
+ "RegisterShouldRejectBadPolicyConstraints", "VarPolicy.Pol=
icy.BadConstraints",=0D
+ RegisterShouldRejectBadPolicyConstraints, LibInitMocked, L=
ibCleanup, NULL );=0D
+ AddTestCase( PolicyTests,=0D
+ "RegisterShouldRejectUnknownLockPolicies", "VarPolicy.Poli=
cy.BadLocks",=0D
+ RegisterShouldRejectUnknownLockPolicies, LibInitMocked, Li=
bCleanup, NULL );=0D
+ AddTestCase( PolicyTests,=0D
+ "RegisterShouldRejectPolicesWithTooManyWildcards", "VarPol=
icy.Policy.TooManyWildcards",=0D
+ RegisterShouldRejectPolicesWithTooManyWildcards, LibInitMo=
cked, LibCleanup, NULL );=0D
+ AddTestCase( PolicyTests,=0D
+ "RegisterShouldRejectDuplicatePolicies", "VarPolicy.Policy=
.DuplicatePolicies",=0D
+ RegisterShouldRejectDuplicatePolicies, LibInitMocked, LibC=
leanup, NULL );=0D
+ AddTestCase( PolicyTests,=0D
+ "Variables that exceed min or max sizes should be rejected=
", "VarPolicy.Policy.MinMax",=0D
+ MinAndMaxSizePoliciesShouldBeHonored, LibInitMocked, LibCl=
eanup, NULL );=0D
+ AddTestCase( PolicyTests,=0D
+ "AttributeMustPoliciesShouldBeHonored", "VarPolicy.Policy.=
AttrMust",=0D
+ AttributeMustPoliciesShouldBeHonored, LibInitMocked, LibCl=
eanup, NULL );=0D
+ AddTestCase( PolicyTests,=0D
+ "AttributeCantPoliciesShouldBeHonored", "VarPolicy.Policy.=
AttrCant",=0D
+ AttributeCantPoliciesShouldBeHonored, LibInitMocked, LibCl=
eanup, NULL );=0D
+ AddTestCase( PolicyTests,=0D
+ "VariablesShouldBeDeletableRegardlessOfSize", "VarPolicy.P=
olicy.DeleteIgnoreSize",=0D
+ VariablesShouldBeDeletableRegardlessOfSize, LibInitMocked,=
LibCleanup, NULL );=0D
+ AddTestCase( PolicyTests,=0D
+ "LockNowPoliciesShouldBeHonored", "VarPolicy.Policy.VARIAB=
LE_POLICY_TYPE_LOCK_NOW",=0D
+ LockNowPoliciesShouldBeHonored, LibInitMocked, LibCleanup,=
NULL );=0D
+ AddTestCase( PolicyTests,=0D
+ "LockOnCreatePoliciesShouldBeHonored", "VarPolicy.Policy.V=
ARIABLE_POLICY_TYPE_LOCK_ON_CREATE",=0D
+ LockOnCreatePoliciesShouldBeHonored, LibInitMocked, LibCle=
anup, NULL );=0D
+ AddTestCase( PolicyTests,=0D
+ "LockOnStatePoliciesShouldBeHonored", "VarPolicy.Policy.Lo=
ckState",=0D
+ LockOnStatePoliciesShouldBeHonored, LibInitMocked, LibClea=
nup, NULL );=0D
+ AddTestCase( PolicyTests,=0D
+ "LockOnStatePoliciesShouldApplyToNamespaces", "VarPolicy.P=
olicy.NamespaceLockState",=0D
+ LockOnStatePoliciesShouldApplyToNamespaces, LibInitMocked,=
LibCleanup, NULL );=0D
+ AddTestCase( PolicyTests,=0D
+ "LockOnStateShouldHandleErrorsGracefully", "VarPolicy.Poli=
cy.LockStateErrors",=0D
+ LockOnStateShouldHandleErrorsGracefully, LibInitMocked, Li=
bCleanup, NULL );=0D
+ AddTestCase( PolicyTests,=0D
+ "BestMatchPriorityShouldBeObeyed", "VarPolicy.Policy.BestM=
atch",=0D
+ BestMatchPriorityShouldBeObeyed, LibInitMocked, LibCleanup=
, NULL );=0D
+=0D
+ Status =3D CreateUnitTestSuite( &UtilityTests, Framework, "Variable Poli=
cy Utility Tests", "VarPolicy.Utility", NULL, NULL );=0D
+ if (EFI_ERROR( Status ))=0D
+ {=0D
+ DEBUG((DEBUG_ERROR, "Failed in CreateUnitTestSuite for UtilityTests\n"=
));=0D
+ Status =3D EFI_OUT_OF_RESOURCES;=0D
+ goto EXIT;=0D
+ }=0D
+ AddTestCase( UtilityTests,=0D
+ "API commands that change state should not respond after i=
nterface is locked", "VarPolicy.Utility.InterfaceLock",=0D
+ ShouldBeAbleToLockInterface, LibInitMocked, LibCleanup, NU=
LL );=0D
+ AddTestCase( UtilityTests,=0D
+ "All policies should pass once enforcement is disabled", "=
VarPolicy.Utility.DisableEnforcement",=0D
+ ShouldBeAbleToDisablePolicyEnforcement, LibInitMocked, Lib=
Cleanup, NULL );=0D
+ AddTestCase( UtilityTests,=0D
+ "Disabling enforcement twice should produce an error", "Va=
rPolicy.Utility.DisableEnforcementTwice",=0D
+ ShouldNotBeAbleToDisablePoliciesTwice, LibInitMocked, LibC=
leanup, NULL );=0D
+ AddTestCase( UtilityTests,=0D
+ "ShouldBeAbleToAddNewPoliciesAfterDisabled", "VarPolicy.Ut=
ility.AddAfterDisable",=0D
+ ShouldBeAbleToAddNewPoliciesAfterDisabled, LibInitMocked, =
LibCleanup, NULL );=0D
+ AddTestCase( UtilityTests,=0D
+ "ShouldBeAbleToLockAfterDisabled", "VarPolicy.Utility.Lock=
AfterDisable",=0D
+ ShouldBeAbleToLockAfterDisabled, LibInitMocked, LibCleanup=
, NULL );=0D
+ AddTestCase( UtilityTests,=0D
+ "Should be able to dump the policy table", "VarPolicy.Util=
ity.DumpTable",=0D
+ ShouldBeAbleToDumpThePolicyTable, LibInitMocked, LibCleanu=
p, NULL );=0D
+ AddTestCase( UtilityTests,=0D
+ "ShouldBeAbleToDumpThePolicyTableAfterDisabled", "VarPolic=
y.Utility.DumpTableAfterDisable",=0D
+ ShouldBeAbleToDumpThePolicyTableAfterDisabled, LibInitMock=
ed, LibCleanup, NULL );=0D
+=0D
+=0D
+ //=0D
+ // Execute the tests.=0D
+ //=0D
+ Status =3D RunAllTestSuites( Framework );=0D
+=0D
+EXIT:=0D
+ if (Framework !=3D NULL)=0D
+ {=0D
+ FreeUnitTestFramework( Framework );=0D
+ }=0D
+=0D
+ return Status;=0D
+}=0D
diff --git a/MdeModulePkg/Include/Library/VariablePolicyLib.h b/MdeModulePk=
g/Include/Library/VariablePolicyLib.h
new file mode 100644
index 000000000000..efd1840112ec
--- /dev/null
+++ b/MdeModulePkg/Include/Library/VariablePolicyLib.h
@@ -0,0 +1,207 @@
+/** @file -- VariablePolicyLib.h=0D
+Business logic for Variable Policy enforcement.=0D
+=0D
+Copyright (c) Microsoft Corporation.=0D
+SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+=0D
+**/=0D
+=0D
+#ifndef _VARIABLE_POLICY_LIB_H_=0D
+#define _VARIABLE_POLICY_LIB_H_=0D
+=0D
+#include <Protocol/VariablePolicy.h>=0D
+=0D
+/**=0D
+ This API function validates and registers a new policy with=0D
+ the policy enforcement engine.=0D
+=0D
+ @param[in] NewPolicy Pointer to the incoming policy structure.=0D
+=0D
+ @retval EFI_SUCCESS=0D
+ @retval EFI_INVALID_PARAMETER NewPolicy is NULL or is internally i=
nconsistent.=0D
+ @retval EFI_ALREADY_STARTED An identical matching policy already=
exists.=0D
+ @retval EFI_WRITE_PROTECTED The interface has been locked until =
the next reboot.=0D
+ @retval EFI_UNSUPPORTED Policy enforcement has been disabled=
. No reason to add more policies.=0D
+ @retval EFI_ABORTED A calculation error has prevented th=
is function from completing.=0D
+ @retval EFI_OUT_OF_RESOURCES Cannot grow the table to hold any mo=
re policies.=0D
+ @retval EFI_NOT_READY Library has not yet been initialized=
.=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+RegisterVariablePolicy (=0D
+ IN CONST VARIABLE_POLICY_ENTRY *NewPolicy=0D
+ );=0D
+=0D
+=0D
+/**=0D
+ This API function checks to see whether the parameters to SetVariable wo=
uld=0D
+ be allowed according to the current variable policies.=0D
+=0D
+ @param[in] VariableName Same as EFI_SET_VARIABLE.=0D
+ @param[in] VendorGuid Same as EFI_SET_VARIABLE.=0D
+ @param[in] Attributes Same as EFI_SET_VARIABLE.=0D
+ @param[in] DataSize Same as EFI_SET_VARIABLE.=0D
+ @param[in] Data Same as EFI_SET_VARIABLE.=0D
+=0D
+ @retval EFI_SUCCESS A matching policy allows this update=
.=0D
+ @retval EFI_SUCCESS There are currently no policies that=
restrict this update.=0D
+ @retval EFI_SUCCESS The protections have been disable un=
til the next reboot.=0D
+ @retval EFI_WRITE_PROTECTED Variable is currently locked.=0D
+ @retval EFI_INVALID_PARAMETER Attributes or size are invalid.=0D
+ @retval EFI_ABORTED A lock policy exists, but an error p=
revented evaluation.=0D
+ @retval EFI_NOT_READY Library has not been initialized.=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+ValidateSetVariable (=0D
+ IN CHAR16 *VariableName,=0D
+ IN EFI_GUID *VendorGuid,=0D
+ IN UINT32 Attributes,=0D
+ IN UINTN DataSize,=0D
+ IN VOID *Data=0D
+ );=0D
+=0D
+=0D
+/**=0D
+ This API function disables the variable policy enforcement. If it's=0D
+ already been called once, will return EFI_ALREADY_STARTED.=0D
+=0D
+ @retval EFI_SUCCESS=0D
+ @retval EFI_ALREADY_STARTED Has already been called once this boot=
.=0D
+ @retval EFI_WRITE_PROTECTED Interface has been locked until reboot=
.=0D
+ @retval EFI_WRITE_PROTECTED Interface option is disabled by platfo=
rm PCD.=0D
+ @retval EFI_NOT_READY Library has not yet been initialized.=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+DisableVariablePolicy (=0D
+ VOID=0D
+ );=0D
+=0D
+=0D
+/**=0D
+ This API function will dump the entire contents of the variable policy t=
able.=0D
+=0D
+ Similar to GetVariable, the first call can be made with a 0 size and it =
will return=0D
+ the size of the buffer required to hold the entire table.=0D
+=0D
+ @param[out] Policy Pointer to the policy buffer. Can be NULL if Siz=
e is 0.=0D
+ @param[in,out] Size On input, the size of the output buffer. On outp=
ut, the size=0D
+ of the data returned.=0D
+=0D
+ @retval EFI_SUCCESS Policy data is in the output buffer =
and Size has been updated.=0D
+ @retval EFI_INVALID_PARAMETER Size is NULL, or Size is non-zero an=
d Policy is NULL.=0D
+ @retval EFI_BUFFER_TOO_SMALL Size is insufficient to hold policy.=
Size updated with required size.=0D
+ @retval EFI_NOT_READY Library has not yet been initialized=
.=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+DumpVariablePolicy (=0D
+ OUT UINT8 *Policy,=0D
+ IN OUT UINT32 *Size=0D
+ );=0D
+=0D
+=0D
+/**=0D
+ This API function returns whether or not the policy engine is=0D
+ currently being enforced.=0D
+=0D
+ @retval TRUE=0D
+ @retval FALSE=0D
+ @retval FALSE Library has not yet been initialized.=0D
+=0D
+**/=0D
+BOOLEAN=0D
+EFIAPI=0D
+IsVariablePolicyEnabled (=0D
+ VOID=0D
+ );=0D
+=0D
+=0D
+/**=0D
+ This API function locks the interface so that no more policy updates=0D
+ can be performed or changes made to the enforcement until the next boot.=
=0D
+=0D
+ @retval EFI_SUCCESS=0D
+ @retval EFI_NOT_READY Library has not yet been initialized.=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+LockVariablePolicy (=0D
+ VOID=0D
+ );=0D
+=0D
+=0D
+/**=0D
+ This API function returns whether or not the policy interface is locked=
=0D
+ for the remainder of the boot.=0D
+=0D
+ @retval TRUE=0D
+ @retval FALSE=0D
+ @retval FALSE Library has not yet been initialized.=0D
+=0D
+**/=0D
+BOOLEAN=0D
+EFIAPI=0D
+IsVariablePolicyInterfaceLocked (=0D
+ VOID=0D
+ );=0D
+=0D
+=0D
+/**=0D
+ This helper function initializes the library and sets=0D
+ up any required internal structures or handlers.=0D
+=0D
+ Also registers the internal pointer for the GetVariable helper.=0D
+=0D
+ @param[in] GetVariableHelper A function pointer matching the EFI_GET_VA=
RIABLE prototype that will be used to=0D
+ check policy criteria that involve the existence of othe=
r variables.=0D
+=0D
+ @retval EFI_SUCCESS=0D
+ @retval EFI_ALREADY_STARTED The initialize function has been calle=
d more than once without a call to=0D
+ deinitialize.=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+InitVariablePolicyLib (=0D
+ IN EFI_GET_VARIABLE GetVariableHelper=0D
+ );=0D
+=0D
+=0D
+/**=0D
+ This helper function returns whether or not the library is currently ini=
tialized.=0D
+=0D
+ @retval TRUE=0D
+ @retval FALSE=0D
+=0D
+**/=0D
+BOOLEAN=0D
+EFIAPI=0D
+IsVariablePolicyLibInitialized (=0D
+ VOID=0D
+ );=0D
+=0D
+=0D
+/**=0D
+ This helper function tears down the library.=0D
+=0D
+ Should generally only be used for test harnesses.=0D
+=0D
+ @retval EFI_SUCCESS=0D
+ @retval EFI_NOT_READY Deinitialize was called without first call=
ing initialize.=0D
+=0D
+**/=0D
+EFI_STATUS=0D
+EFIAPI=0D
+DeinitVariablePolicyLib (=0D
+ VOID=0D
+ );=0D
+=0D
+=0D
+#endif // _VARIABLE_POLICY_LIB_H_=0D
diff --git a/MdeModulePkg/Library/VariablePolicyLib/ReadMe.md b/MdeModulePk=
g/Library/VariablePolicyLib/ReadMe.md
new file mode 100644
index 000000000000..9e87b2e25f7d
--- /dev/null
+++ b/MdeModulePkg/Library/VariablePolicyLib/ReadMe.md
@@ -0,0 +1,410 @@
+---=0D
+title: UEFI Variable Policy Whitepaper=0D
+version: 1.0=0D
+copyright: Copyright (c) Microsoft Corporation.=0D
+---=0D
+=0D
+# UEFI Variable Policy=0D
+=0D
+## Summary=0D
+=0D
+UEFI Variable Policy spec aims to describe the DXE protocol interface=0D
+which allows enforcing certain rules on certain UEFI variables. The=0D
+protocol allows communication with the Variable Policy Engine which=0D
+performs the policy enforcement.=0D
+=0D
+The Variable Policy is comprised of a set of policy entries which=0D
+describe, per UEFI variable (identified by namespace GUID and variable=0D
+name) the following rules:=0D
+=0D
+- Required variable attributes=0D
+- Prohibited variable attributes=0D
+- Minimum variable size=0D
+- Maximum variable size=0D
+- Locking:=0D
+ - Locking "immediately"=0D
+ - Locking on creation=0D
+ - Locking based on a state of another variable=0D
+=0D
+The spec assumes that the Variable Policy Engine runs in a trusted=0D
+enclave, potentially off the main CPU that runs UEFI. For that reason,=0D
+it is assumed that the Variable Policy Engine has no concept of UEFI=0D
+events, and that the communication from the DXE driver to the trusted=0D
+enclave is proprietary.=0D
+=0D
+At power-on, the Variable Policy Engine is:=0D
+=0D
+- Enabled -- present policy entries are evaluated on variable access=0D
+ calls.=0D
+- Unlocked -- new policy entries can be registered.=0D
+=0D
+Policy is expected to be clear on power-on. Policy is volatile and not=0D
+preserved across system reset.=0D
+=0D
+## DXE Protocol=0D
+=0D
+```h=0D
+typedef struct {=0D
+ UINT64 Revision;=0D
+ DISABLE_VARIABLE_POLICY DisableVariablePolicy;=0D
+ IS_VARIABLE_POLICY_ENABLED IsVariablePolicyEnabled;=0D
+ REGISTER_VARIABLE_POLICY RegisterVariablePolicy;=0D
+ DUMP_VARIABLE_POLICY DumpVariablePolicy;=0D
+ LOCK_VARIABLE_POLICY LockVariablePolicy;=0D
+} _VARIABLE_POLICY_PROTOCOL;=0D
+=0D
+typedef _VARIABLE_POLICY_PROTOCOL VARIABLE_POLICY_PROTOCOL;=0D
+=0D
+extern EFI_GUID gVariablePolicyProtocolGuid;=0D
+```=0D
+=0D
+```text=0D
+## Include/Protocol/VariablePolicy.h=0D
+ gVariablePolicyProtocolGuid =3D { 0x81D1675C, 0x86F6, 0x48DF, { 0xBD, 0x=
95, 0x9A, 0x6E, 0x4F, 0x09, 0x25, 0xC3 } }=0D
+```=0D
+=0D
+### DisableVariablePolicy=0D
+=0D
+Function prototype:=0D
+=0D
+```c=0D
+EFI_STATUS=0D
+EFIAPI=0D
+DisableVariablePolicy (=0D
+ VOID=0D
+ );=0D
+```=0D
+=0D
+`DisableVariablePolicy` call disables the Variable Policy Engine, so=0D
+that the present policy entries are no longer taken into account on=0D
+variable access calls. This call effectively turns off the variable=0D
+policy verification for this boot. This also disables UEFI=0D
+Authenticated Variable protections including Secure Boot.=0D
+`DisableVariablePolicy` can only be called once during boot. If called=0D
+more than once, it will return `EFI_ALREADY_STARTED`. Note, this process=0D
+is irreversible until the next system reset -- there is no=0D
+"EnablePolicy" protocol function.=0D
+=0D
+_IMPORTANT NOTE:_ It is strongly recommended that VariablePolicy *NEVER*=0D
+be disabled in "normal, production boot conditions". It is expected to alw=
ays=0D
+be enforced. The most likely reasons to disable are for Manufacturing and=
=0D
+Refurbishing scenarios. If in doubt, leave the `gEfiMdeModulePkgTokenSpace=
Guid.PcdAllowVariablePolicyEnforcementDisable`=0D
+PCD set to `FALSE` and VariablePolicy will always be enabled.=0D
+=0D
+### IsVariablePolicyEnabled=0D
+=0D
+Function prototype:=0D
+=0D
+```c=0D
+EFI_STATUS=0D
+EFIAPI=0D
+IsVariablePolicyEnabled (=0D
+ OUT BOOLEAN *State=0D
+ );=0D
+```=0D
+=0D
+`IsVariablePolicyEnabled` accepts a pointer to a Boolean in which it=0D
+will store `TRUE` if Variable Policy Engine is enabled, or `FALSE` if=0D
+Variable Policy Engine is disabled. The function returns `EFI_SUCCESS`.=0D
+=0D
+### RegisterVariablePolicy=0D
+=0D
+Function prototype:=0D
+=0D
+```c=0D
+EFI_STATUS=0D
+EFIAPI=0D
+RegisterVariablePolicy (=0D
+ IN CONST VARIABLE_POLICY_ENTRY *PolicyEntry=0D
+ );=0D
+```=0D
+=0D
+`RegisterVariablePolicy` call accepts a pointer to a policy entry=0D
+structure and returns the status of policy registration. If the=0D
+Variable Policy Engine is not locked and the policy structures are=0D
+valid, the function will return `EFI_SUCCESS`. If the Variable Policy=0D
+Engine is locked, `RegisterVariablePolicy` call will return=0D
+`EFI_WRITE_PROTECTED` and will not register the policy entry. Bulk=0D
+registration is not supported at this time due to the requirements=0D
+around error handling on each policy registration.=0D
+=0D
+Upon successful registration of a policy entry, Variable Policy Engine=0D
+will then evaluate this entry on subsequent variable access calls (as=0D
+long as Variable Policy Engine hasn't been disabled).=0D
+=0D
+### DumpVariablePolicy=0D
+=0D
+Function prototype:=0D
+=0D
+```c=0D
+EFI_STATUS=0D
+EFIAPI=0D
+DumpVariablePolicy (=0D
+ OUT UINT8 *Policy,=0D
+ IN OUT UINT32 *Size=0D
+ );=0D
+```=0D
+=0D
+`DumpVariablePolicy` call accepts a pointer to a buffer and a pointer to=0D
+the size of the buffer as parameters and returns the status of placing=0D
+the policy into the buffer. On first call to `DumpVariablePolicy` one=0D
+should pass `NULL` as the buffer and a pointer to 0 as the `Size` variable=
=0D
+and `DumpVariablePolicy` will return `EFI_BUFFER_TOO_SMALL` and will=0D
+populate the `Size` parameter with the size of the needed buffer to=0D
+store the policy. This way, the caller can allocate the buffer of=0D
+correct size and call `DumpVariablePolicy` again. The function will=0D
+populate the buffer with policy and return `EFI_SUCCESS`.=0D
+=0D
+### LockVariablePolicy=0D
+=0D
+Function prototype:=0D
+=0D
+```c=0D
+EFI_STATUS=0D
+EFIAPI=0D
+LockVariablePolicy (=0D
+ VOID=0D
+ );=0D
+```=0D
+=0D
+`LockVariablePolicy` locks the Variable Policy Engine, i.e. prevents any=0D
+new policy entries from getting registered in this boot=0D
+(`RegisterVariablePolicy` calls will fail with `EFI_WRITE_PROTECTED`=0D
+status code returned).=0D
+=0D
+## Policy Structure=0D
+=0D
+The structure below is meant for the DXE protocol calling interface,=0D
+when communicating to the Variable Policy Engine, thus the pragma pack=0D
+directive. How these policies are stored in memory is up to the=0D
+implementation.=0D
+=0D
+```c=0D
+#pragma pack(1)=0D
+typedef struct {=0D
+ UINT32 Version;=0D
+ UINT16 Size;=0D
+ UINT16 OffsetToName;=0D
+ EFI_GUID Namespace;=0D
+ UINT32 MinSize;=0D
+ UINT32 MaxSize;=0D
+ UINT32 AttributesMustHave;=0D
+ UINT32 AttributesCantHave;=0D
+ UINT8 LockPolicyType;=0D
+ UINT8 Reserved[3];=0D
+ // UINT8 LockPolicy[]; // Variable Length Field=0D
+ // CHAR16 Name[]; // Variable Length Field=0D
+} VARIABLE_POLICY_ENTRY;=0D
+```=0D
+=0D
+The struct `VARIABLE_POLICY_ENTRY` above describes the layout for a policy=
=0D
+entry. The first element, `Size`, is the size of the policy entry, then=0D
+followed by `OffsetToName` -- the number of bytes from the beginning of=0D
+the struct to the name of the UEFI variable targeted by the policy=0D
+entry. The name can contain wildcards to match more than one variable,=0D
+more on this in the Wildcards section. The rest of the struct elements=0D
+are self-explanatory.=0D
+=0D
+```cpp=0D
+#define VARIABLE_POLICY_TYPE_NO_LOCK 0=0D
+#define VARIABLE_POLICY_TYPE_LOCK_NOW 1=0D
+#define VARIABLE_POLICY_TYPE_LOCK_ON_CREATE 2=0D
+#define VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE 3=0D
+```=0D
+=0D
+`LockPolicyType` can have the following values:=0D
+=0D
+- `VARIABLE_POLICY_TYPE_NO_LOCK` -- means that no variable locking is pe=
rformed. However,=0D
+ the attribute and size constraints are still enforced. LockPolicy=0D
+ field is size 0.=0D
+- `VARIABLE_POLICY_TYPE_LOCK_NOW` -- means that the variable starts bein=
g locked=0D
+ immediately after policy entry registration. If the variable doesn't=0D
+ exist at this point, being LockedNow means it cannot be created on=0D
+ this boot. LockPolicy field is size 0.=0D
+- `VARIABLE_POLICY_TYPE_LOCK_ON_CREATE` -- means that the variable start=
s being locked=0D
+ after it is created. This allows for variable creation and=0D
+ protection after LockVariablePolicy() function has been called. The=0D
+ LockPolicy field is size 0.=0D
+- `VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE` -- means that the Variable Po=
licy Engine will=0D
+ examine the state/contents of another variable to determine if the=0D
+ variable referenced in the policy entry is locked.=0D
+=0D
+```c=0D
+typedef struct {=0D
+ EFI_GUID Namespace;=0D
+ UINT8 Value;=0D
+ UINT8 Reserved;=0D
+ // CHAR16 Name[]; // Variable Length Field=0D
+} VARIABLE_LOCK_ON_VAR_STATE_POLICY;=0D
+```=0D
+=0D
+If `LockPolicyType` is `VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE`, then the =
final element in the=0D
+policy entry struct is of type `VARIABLE_LOCK_ON_VAR_STATE_POLICY`, which=
=0D
+lists the namespace GUID, name (no wildcards here), and value of the=0D
+variable which state determines the locking of the variable referenced=0D
+in the policy entry. The "locking" variable must be 1 byte in terms of=0D
+payload size. If the Referenced variable contents match the Value of the=0D
+`VARIABLE_LOCK_ON_VAR_STATE_POLICY` structure, the lock will be considered=
=0D
+active and the target variable will be locked. If the Reference variable=0D
+does not exist (ie. returns `EFI_NOT_FOUND`), this policy will be=0D
+considered inactive.=0D
+=0D
+## Variable Name Wildcards=0D
+=0D
+Two types of wildcards can be used in the UEFI variable name field in a=0D
+policy entry:=0D
+=0D
+1. If the Name is a zero-length array (easily checked by comparing=0D
+ fields `Size` and `OffsetToName` -- if they're the same, then the=0D
+ `Name` is zero-length), then all variables in the namespace specified=
=0D
+ by the provided GUID are targeted by the policy entry.=0D
+2. Character "#" in the `Name` corresponds to one numeric character=0D
+ (0-9, A-F, a-f). For example, string "Boot####" in the `Name`=0D
+ field of the policy entry will make it so that the policy entry will=0D
+ target variables named "Boot0001", "Boot0002", etc.=0D
+=0D
+Given the above two types of wildcards, one variable can be targeted by=0D
+more than one policy entry, thus there is a need to establish the=0D
+precedence rule: a more specific match is applied. When a variable=0D
+access operation is performed, Variable Policy Engine should first check=0D
+the variable being accessed against the policy entries without=0D
+wildcards, then with 1 wildcard, then with 2 wildcards, etc., followed=0D
+in the end by policy entries that match the whole namespace. One can=0D
+still imagine a situation where two policy entries with the same number=0D
+of wildcards match the same variable -- for example, policy entries with=0D
+Names "Boot00##" and "Boot##01" will both match variable "Boot0001".=0D
+Such situation can (and should) be avoided by designing mutually=0D
+exclusive Name strings with wildcards, however, if it occurs, then the=0D
+policy entry that was registered first will be used. After the most=0D
+specific match is selected, all other policies are ignored.=0D
+=0D
+## Available Testing=0D
+=0D
+This functionality is current supported by two kinds of tests: there is a =
host-based=0D
+unit test for the core business logic (this test accompanies the `Variable=
PolicyLib`=0D
+implementation that lives in `MdeModulePkg/Library`) and there is a functi=
onal test=0D
+for the protocol and its interfaces (this test lives in the `MdeModulePkg/=
Test/ShellTest`=0D
+directory).=0D
+=0D
+### Host-Based Unit Test=0D
+=0D
+This test:=0D
+=0D
+`MdeModulePkg\Library\VariablePolicyLib\VariablePolicyUnitTest\VariablePol=
icyUnitTest.inf`=0D
+=0D
+can be run as part of the Host-Based Unit Testing infrastructure provided =
by EDK2=0D
+PyTools (documented elsewhere). It will test all internal guarantees and i=
s=0D
+where you will find test cases for most of the policy matching and securit=
y of the=0D
+Variable Policy Engine.=0D
+=0D
+### Shell-Based Functional Test=0D
+=0D
+This test -- [Variable Policy Functional Unit Test](https://github.com/mic=
rosoft/mu_plus/tree/release/202005/UefiTestingPkg/FunctionalSystemTests/Var=
PolicyUnitTestApp) -- can be built as a=0D
+UEFI Shell application and run to validate that the Variable Policy Engine=
=0D
+is correctly installed and enforcing policies on the target system.=0D
+=0D
+NOTE: This test _must_ be run prior to calling `DisableVariablePolicy` for=
all=0D
+test cases to pass. For this reason, it is recommended to run this on a te=
st-built=0D
+FW for complete results, and then again on a production-built FW for relea=
se=0D
+results.=0D
+=0D
+## Use Cases=0D
+=0D
+The below examples are hypothetical scenarios based on real-world requirem=
ents=0D
+that demonstrate how Variable Policies could be constructed to solve vario=
us=0D
+problems.=0D
+=0D
+### UEFI Setup Variables (Example 1)=0D
+=0D
+Variables containing values of the setup options exposed via UEFI=0D
+menu (setup variables). These would be locked based on a state of=0D
+another variable, "ReadyToBoot", which would be set to 1 at the=0D
+ReadyToBoot event. Thus, the policy for the setup variables would be=0D
+of type `LockOnVarState`, with the "ReadyToBoot" listed as the name of=0D
+the variable, appropriate GUID listed as the namespace, and 1 as=0D
+value. Entry into the trusted UEFI menu app doesn't signal=0D
+ReadyToBoot, but booting to any device does, and the setup variables=0D
+are write-protected. The "ReadyToBoot" variable would need to be=0D
+locked-on-create. *(THIS IS ESSENTIALLY LOCK ON EVENT, BUT SINCE THE=0D
+POLICY ENGINE IS NOT IN THE UEFI ENVIRONMENT VARIABLES ARE USED)*=0D
+=0D
+For example, "AllowPXEBoot" variable locked by "ReadyToBoot" variable.=0D
+=0D
+(NOTE: In the below example, the emphasized fields ('Namespace', 'Value', =
and 'Name')=0D
+are members of the `VARIABLE_LOCK_ON_VAR_STATE_POLICY` structure.)=0D
+=0D
+Size | ...=0D
+---- | ---=0D
+OffsetToName | ...=0D
+NameSpace | ...=0D
+MinSize | ...=0D
+MaxSize | ...=0D
+AttributesMustHave | ...=0D
+AttributesCantHave | ...=0D
+LockPolicyType | `VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE`=0D
+_Namespace_ | ...=0D
+_Value_ | 1=0D
+_Name_ | "ReadyToBoot"=0D
+//Name | "AllowPXEBoot"=0D
+=0D
+### Manufacturing VPD (Example 2)=0D
+=0D
+Manufacturing Variable Provisioning Data (VPD) is stored in=0D
+variables and is created while in Manufacturing (MFG) Mode. In MFG=0D
+Mode Variable Policy Engine is disabled, thus these VPD variables=0D
+can be created. These variables are locked with lock policy type=0D
+`LockNow`, so that these variables can't be tampered with in Customer=0D
+Mode. To overwrite or clear VPD, the device would need to MFG mode,=0D
+which is standard practice for refurbishing/remanufacturing=0D
+scenarios.=0D
+=0D
+Example: "DisplayPanelCalibration" variable...=0D
+=0D
+Size | ...=0D
+---- | ---=0D
+OffsetToName | ...=0D
+NameSpace | ...=0D
+MinSize | ...=0D
+MaxSize | ...=0D
+AttributesMustHave | ...=0D
+AttributesCantHave | ...=0D
+LockPolicyType | `VARIABLE_POLICY_TYPE_LOCK_NOW`=0D
+// Name | "DisplayPanelCalibration"=0D
+=0D
+### 3rd Party Calibration Data (Example 3)=0D
+=0D
+Bluetooth pre-pairing variables are locked-on-create because these=0D
+get created by an OS application when Variable Policy is in effect.=0D
+=0D
+Example: "KeyboardBTPairing" variable=0D
+=0D
+Size | ...=0D
+---- | ---=0D
+OffsetToName | ...=0D
+NameSpace | ...=0D
+MinSize | ...=0D
+MaxSize | ...=0D
+AttributesMustHave | ...=0D
+AttributesCantHave | ...=0D
+LockPolicyType | `VARIABLE_POLICY_TYPE_LOCK_ON_CREATE`=0D
+// Name | "KeyboardBTPairing"=0D
+=0D
+### Software-based Variable Policy (Example 4)=0D
+=0D
+Example: "Boot####" variables (a name string with wildcards that=0D
+will match variables "Boot0000" to "BootFFFF") locked by "LockBootOrder"=0D
+variable.=0D
+=0D
+Size | ...=0D
+---- | ---=0D
+OffsetToName | ...=0D
+NameSpace | ...=0D
+MinSize | ...=0D
+MaxSize | ...=0D
+AttributesMustHave | ...=0D
+AttributesCantHave | ...=0D
+LockPolicyType | `VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE`=0D
+_Namespace_ | ...=0D
+_Value_ | 1=0D
+_Name_ | "LockBootOrder"=0D
+//Name | "Boot####"=0D
diff --git a/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf b=
/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
new file mode 100644
index 000000000000..f35826a4b9d7
--- /dev/null
+++ b/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
@@ -0,0 +1,49 @@
+## @file VariablePolicyLib.inf=0D
+# Business logic for Variable Policy enforcement.=0D
+#=0D
+##=0D
+# Copyright (c) Microsoft Corporation.=0D
+# SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+##=0D
+=0D
+=0D
+[Defines]=0D
+ INF_VERSION =3D 0x00010017=0D
+ BASE_NAME =3D VariablePolicyLib=0D
+ FILE_GUID =3D E9ECD342-159A-4F24-9FDF-65724027C594=0D
+ VERSION_STRING =3D 1.0=0D
+ MODULE_TYPE =3D DXE_DRIVER=0D
+ LIBRARY_CLASS =3D VariablePolicyLib|DXE_DRIVER DXE_SMM_DRIVER MM_S=
TANDALONE=0D
+=0D
+#=0D
+# The following information is for reference only and not required by the =
build tools.=0D
+#=0D
+# VALID_ARCHITECTURES =3D ANY=0D
+#=0D
+=0D
+=0D
+[Sources]=0D
+ VariablePolicyLib.c=0D
+ VariablePolicyExtraInitNull.c=0D
+=0D
+=0D
+[Packages]=0D
+ MdePkg/MdePkg.dec=0D
+ MdeModulePkg/MdeModulePkg.dec=0D
+=0D
+=0D
+[LibraryClasses]=0D
+ DebugLib=0D
+ BaseMemoryLib=0D
+ MemoryAllocationLib=0D
+ SafeIntLib=0D
+ PcdLib=0D
+=0D
+=0D
+[Pcd]=0D
+ gEfiMdeModulePkgTokenSpaceGuid.PcdAllowVariablePolicyEnforcementDisable =
## CONSUMES=0D
+=0D
+=0D
+[BuildOptions]=0D
+ MSFT:NOOPT_*_*_CC_FLAGS =3D -DINTERNAL_UNIT_TEST=0D
+ GCC:NOOPT_*_*_CC_FLAGS =3D -DINTERNAL_UNIT_TEST=0D
diff --git a/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.uni b=
/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.uni
new file mode 100644
index 000000000000..2227ec427828
--- /dev/null
+++ b/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.uni
@@ -0,0 +1,12 @@
+// /** @file=0D
+// VariablePolicyLib.uni=0D
+//=0D
+// Copyright (c) Microsoft Corporation.=0D
+// SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+//=0D
+// **/=0D
+=0D
+=0D
+#string STR_MODULE_ABSTRACT #language en-US "Library containin=
g the business logic for the VariablePolicy engine"=0D
+=0D
+#string STR_MODULE_DESCRIPTION #language en-US "Library containin=
g the business logic for the VariablePolicy engine"=0D
diff --git a/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntim=
eDxe.inf b/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeD=
xe.inf
new file mode 100644
index 000000000000..8b8365741864
--- /dev/null
+++ b/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf
@@ -0,0 +1,51 @@
+## @file VariablePolicyLibRuntimeDxe.inf=0D
+# Business logic for Variable Policy enforcement.=0D
+# This instance is specifically for RuntimeDxe and contains=0D
+# extra routines to register for VirtualAddressChangeEvents.=0D
+#=0D
+# Copyright (c) Microsoft Corporation.=0D
+# SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+##=0D
+=0D
+=0D
+[Defines]=0D
+ INF_VERSION =3D 0x00010017=0D
+ BASE_NAME =3D VariablePolicyLibRuntimeDxe=0D
+ FILE_GUID =3D 205F7F0E-8EAC-4914-8390-1B90DD7E2A27=0D
+ VERSION_STRING =3D 1.0=0D
+ MODULE_TYPE =3D DXE_RUNTIME_DRIVER=0D
+ LIBRARY_CLASS =3D VariablePolicyLib|DXE_RUNTIME_DRIVER=0D
+=0D
+#=0D
+# The following information is for reference only and not required by the =
build tools.=0D
+#=0D
+# VALID_ARCHITECTURES =3D ANY=0D
+#=0D
+=0D
+=0D
+[Sources]=0D
+ VariablePolicyLib.c=0D
+ VariablePolicyExtraInitRuntimeDxe.c=0D
+=0D
+=0D
+[Packages]=0D
+ MdePkg/MdePkg.dec=0D
+ MdeModulePkg/MdeModulePkg.dec=0D
+=0D
+=0D
+[LibraryClasses]=0D
+ DebugLib=0D
+ BaseMemoryLib=0D
+ MemoryAllocationLib=0D
+ SafeIntLib=0D
+ UefiBootServicesTableLib=0D
+ UefiRuntimeServicesTableLib=0D
+ PcdLib=0D
+=0D
+=0D
+[Pcd]=0D
+ gEfiMdeModulePkgTokenSpaceGuid.PcdAllowVariablePolicyEnforcementDisable =
## CONSUMES=0D
+=0D
+=0D
+[Guids]=0D
+ gEfiEventVirtualAddressChangeGuid=0D
diff --git a/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/=
VariablePolicyUnitTest.inf b/MdeModulePkg/Library/VariablePolicyLib/Variabl=
ePolicyUnitTest/VariablePolicyUnitTest.inf
new file mode 100644
index 000000000000..06489f21d604
--- /dev/null
+++ b/MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/Variabl=
ePolicyUnitTest.inf
@@ -0,0 +1,45 @@
+## @file VariablePolicyUnitTest.inf=0D
+# UnitTest for...=0D
+# Business logic for Variable Policy enforcement.=0D
+#=0D
+# Copyright (c) Microsoft Corporation.=0D
+# SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+##=0D
+=0D
+=0D
+[Defines]=0D
+ INF_VERSION =3D 0x00010006=0D
+ BASE_NAME =3D VariablePolicyUnitTest=0D
+ FILE_GUID =3D 1200A2E4-D756-418C-9768-528C2D181A98=
=0D
+ MODULE_TYPE =3D HOST_APPLICATION=0D
+ VERSION_STRING =3D 1.0=0D
+=0D
+#=0D
+# The following information is for reference only and not required by the =
build tools.=0D
+#=0D
+# VALID_ARCHITECTURES =3D IA32 X64 ARM AARCH64=0D
+#=0D
+=0D
+[Sources]=0D
+ VariablePolicyUnitTest.c=0D
+=0D
+=0D
+[Packages]=0D
+ MdePkg/MdePkg.dec=0D
+ MdeModulePkg/MdeModulePkg.dec=0D
+ UnitTestFrameworkPkg/UnitTestFrameworkPkg.dec=0D
+=0D
+=0D
+[LibraryClasses]=0D
+ BaseLib=0D
+ DebugLib=0D
+ UnitTestLib=0D
+ PrintLib=0D
+ VariablePolicyLib=0D
+ BaseMemoryLib=0D
+ MemoryAllocationLib=0D
+=0D
+=0D
+[BuildOptions]=0D
+ MSFT:NOOPT_*_*_CC_FLAGS =3D -DINTERNAL_UNIT_TEST=0D
+ GCC:NOOPT_*_*_CC_FLAGS =3D -DINTERNAL_UNIT_TEST=0D
diff --git a/MdeModulePkg/MdeModulePkg.ci.yaml b/MdeModulePkg/MdeModulePkg.=
ci.yaml
index 1a7e955185d8..20d53fc5a5fa 100644
--- a/MdeModulePkg/MdeModulePkg.ci.yaml
+++ b/MdeModulePkg/MdeModulePkg.ci.yaml
@@ -104,7 +104,9 @@
"FVMAIN",=0D
"VARCHECKPCD",=0D
"Getxx",=0D
- "lzturbo"=0D
+ "lzturbo",=0D
+ "musthave",=0D
+ "canthave"=0D
],=0D
"AdditionalIncludePaths": [] # Additional paths to spell check rel=
ative to package root (wildcards supported)=0D
}=0D
diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
index 82aecc40d9a9..51c7057bfd1b 100644
--- a/MdeModulePkg/MdeModulePkg.dec
+++ b/MdeModulePkg/MdeModulePkg.dec
@@ -31,6 +31,9 @@ [LibraryClasses]
## @libraryclass Defines a set of methods to reset whole system.=0D
ResetSystemLib|Include/Library/ResetSystemLib.h=0D
=0D
+ ## @libraryclass Business logic for storing and testing variable polic=
ies=0D
+ VariablePolicyLib|Include/Library/VariablePolicyLib.h=0D
+=0D
## @libraryclass Defines a set of helper functions for resetting the s=
ystem.=0D
ResetUtilityLib|Include/Library/ResetUtilityLib.h=0D
=0D
diff --git a/MdeModulePkg/MdeModulePkg.dsc b/MdeModulePkg/MdeModulePkg.dsc
index 25aea3e2a481..14b6ed536962 100644
--- a/MdeModulePkg/MdeModulePkg.dsc
+++ b/MdeModulePkg/MdeModulePkg.dsc
@@ -3,6 +3,7 @@
#=0D
# (C) Copyright 2014 Hewlett-Packard Development Company, L.P.<BR>=0D
# Copyright (c) 2007 - 2019, Intel Corporation. All rights reserved.<BR>=0D
+# Copyright (c) Microsoft Corporation.=0D
#=0D
# SPDX-License-Identifier: BSD-2-Clause-Patent=0D
#=0D
@@ -58,6 +59,7 @@ [LibraryClasses]
DxeServicesLib|MdePkg/Library/DxeServicesLib/DxeServicesLib.inf=0D
DxeServicesTableLib|MdePkg/Library/DxeServicesTableLib/DxeServicesTableL=
ib.inf=0D
UefiBootManagerLib|MdeModulePkg/Library/UefiBootManagerLib/UefiBootManag=
erLib.inf=0D
+ VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyL=
ib.inf=0D
#=0D
# Generic Modules=0D
#=0D
@@ -129,6 +131,7 @@ [LibraryClasses.common.DXE_RUNTIME_DRIVER]
DebugLib|MdePkg/Library/UefiDebugLibConOut/UefiDebugLibConOut.inf=0D
LockBoxLib|MdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxDxeLib.inf=0D
CapsuleLib|MdeModulePkg/Library/DxeCapsuleLibFmp/DxeRuntimeCapsuleLib.in=
f=0D
+ VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyL=
ibRuntimeDxe.inf=0D
=0D
[LibraryClasses.common.SMM_CORE]=0D
HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf=0D
@@ -306,6 +309,8 @@ [Components]
MdeModulePkg/Library/BootLogoLib/BootLogoLib.inf=0D
MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf=0D
MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf=0D
+ MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf=0D
+ MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf=0D
MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf=0D
MdeModulePkg/Library/VarCheckHiiLib/VarCheckHiiLib.inf=0D
MdeModulePkg/Library/VarCheckPcdLib/VarCheckPcdLib.inf=0D
diff --git a/MdeModulePkg/Test/MdeModulePkgHostTest.dsc b/MdeModulePkg/Test=
/MdeModulePkgHostTest.dsc
index 72a119db4568..095e613f1be1 100644
--- a/MdeModulePkg/Test/MdeModulePkgHostTest.dsc
+++ b/MdeModulePkg/Test/MdeModulePkgHostTest.dsc
@@ -19,12 +19,23 @@ [Defines]
=0D
!include UnitTestFrameworkPkg/UnitTestFrameworkPkgHost.dsc.inc=0D
=0D
+[LibraryClasses]=0D
+ SafeIntLib|MdePkg/Library/BaseSafeIntLib/BaseSafeIntLib.inf=0D
+=0D
[Components]=0D
MdeModulePkg/Library/DxeResetSystemLib/UnitTest/MockUefiRuntimeServicesT=
ableLib.inf=0D
=0D
#=0D
# Build MdeModulePkg HOST_APPLICATION Tests=0D
#=0D
+ MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePo=
licyUnitTest.inf {=0D
+ <LibraryClasses>=0D
+ VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePol=
icyLib.inf=0D
+=0D
+ <PcdsFixedAtBuild>=0D
+ gEfiMdeModulePkgTokenSpaceGuid.PcdAllowVariablePolicyEnforcementDisa=
ble|TRUE=0D
+ }=0D
+=0D
MdeModulePkg/Library/DxeResetSystemLib/UnitTest/DxeResetSystemLibUnitTes=
tHost.inf {=0D
<LibraryClasses>=0D
ResetSystemLib|MdeModulePkg/Library/DxeResetSystemLib/DxeResetSystem=
Lib.inf=0D
--=20
2.28.0.windows.1


[PATCH v7 01/14] MdeModulePkg: Define the VariablePolicy protocol interface

Bret Barkelew
 

https://bugzilla.tianocore.org/show_bug.cgi?id=3D2522

VariablePolicy is an updated interface to
replace VarLock and VarCheckProtocol.

Add the VariablePolicy protocol interface
header and add to the MdeModulePkg.dec file.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Bret Barkelew <brbarkel@microsoft.com>
Signed-off-by: Bret Barkelew <brbarkel@microsoft.com>
---
MdeModulePkg/Include/Protocol/VariablePolicy.h | 157 ++++++++++++++++++++
MdeModulePkg/MdeModulePkg.dec | 14 +-
MdeModulePkg/MdeModulePkg.uni | 7 +
3 files changed, 177 insertions(+), 1 deletion(-)

diff --git a/MdeModulePkg/Include/Protocol/VariablePolicy.h b/MdeModulePkg/=
Include/Protocol/VariablePolicy.h
new file mode 100644
index 000000000000..8226c187a77b
--- /dev/null
+++ b/MdeModulePkg/Include/Protocol/VariablePolicy.h
@@ -0,0 +1,157 @@
+/** @file -- VariablePolicy.h=0D
+=0D
+This protocol allows communication with Variable Policy Engine.=0D
+=0D
+Copyright (c) Microsoft Corporation.=0D
+SPDX-License-Identifier: BSD-2-Clause-Patent=0D
+**/=0D
+=0D
+#ifndef __EDKII_VARIABLE_POLICY_PROTOCOL__=0D
+#define __EDKII_VARIABLE_POLICY_PROTOCOL__=0D
+=0D
+#define EDKII_VARIABLE_POLICY_PROTOCOL_REVISION 0x0000000000010000=0D
+=0D
+#define EDKII_VARIABLE_POLICY_PROTOCOL_GUID \=0D
+ { \=0D
+ 0x81D1675C, 0x86F6, 0x48DF, { 0xBD, 0x95, 0x9A, 0x6E, 0x4F, 0x09, 0x25=
, 0xC3 } \=0D
+ }=0D
+=0D
+#define VARIABLE_POLICY_ENTRY_REVISION 0x00010000=0D
+=0D
+#pragma pack(push, 1)=0D
+typedef struct {=0D
+ UINT32 Version;=0D
+ UINT16 Size;=0D
+ UINT16 OffsetToName;=0D
+ EFI_GUID Namespace;=0D
+ UINT32 MinSize;=0D
+ UINT32 MaxSize;=0D
+ UINT32 AttributesMustHave;=0D
+ UINT32 AttributesCantHave;=0D
+ UINT8 LockPolicyType;=0D
+ UINT8 Padding[3];=0D
+ // UINT8 LockPolicy[]; // Variable Length Field=0D
+ // CHAR16 Name[] // Variable Length Field=0D
+} VARIABLE_POLICY_ENTRY;=0D
+=0D
+#define VARIABLE_POLICY_NO_MIN_SIZE 0=0D
+#define VARIABLE_POLICY_NO_MAX_SIZE MAX_UINT32=0D
+#define VARIABLE_POLICY_NO_MUST_ATTR 0=0D
+#define VARIABLE_POLICY_NO_CANT_ATTR 0=0D
+=0D
+#define VARIABLE_POLICY_TYPE_NO_LOCK 0=0D
+#define VARIABLE_POLICY_TYPE_LOCK_NOW 1=0D
+#define VARIABLE_POLICY_TYPE_LOCK_ON_CREATE 2=0D
+#define VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE 3=0D
+=0D
+typedef struct {=0D
+ EFI_GUID Namespace;=0D
+ UINT8 Value;=0D
+ UINT8 Padding;=0D
+ // CHAR16 Name[]; // Variable Length Field=0D
+} VARIABLE_LOCK_ON_VAR_STATE_POLICY;=0D
+#pragma pack(pop)=0D
+=0D
+/**=0D
+ This API function disables the variable policy enforcement. If it's=0D
+ already been called once, will return EFI_ALREADY_STARTED.=0D
+=0D
+ @retval EFI_SUCCESS=0D
+ @retval EFI_ALREADY_STARTED Has already been called once this boot=
.=0D
+ @retval EFI_WRITE_PROTECTED Interface has been locked until reboot=
.=0D
+ @retval EFI_WRITE_PROTECTED Interface option is disabled by platfo=
rm PCD.=0D
+=0D
+**/=0D
+typedef=0D
+EFI_STATUS=0D
+(EFIAPI *DISABLE_VARIABLE_POLICY)(=0D
+ VOID=0D
+ );=0D
+=0D
+/**=0D
+ This API function returns whether or not the policy engine is=0D
+ currently being enforced.=0D
+=0D
+ @param[out] State Pointer to a return value for whether the poli=
cy enforcement=0D
+ is currently enabled.=0D
+=0D
+ @retval EFI_SUCCESS=0D
+ @retval Others An error has prevented this command from compl=
eting.=0D
+=0D
+**/=0D
+typedef=0D
+EFI_STATUS=0D
+(EFIAPI *IS_VARIABLE_POLICY_ENABLED)(=0D
+ OUT BOOLEAN *State=0D
+ );=0D
+=0D
+/**=0D
+ This API function validates and registers a new policy with=0D
+ the policy enforcement engine.=0D
+=0D
+ @param[in] NewPolicy Pointer to the incoming policy structure.=0D
+=0D
+ @retval EFI_SUCCESS=0D
+ @retval EFI_INVALID_PARAMETER NewPolicy is NULL or is internally i=
nconsistent.=0D
+ @retval EFI_ALREADY_STARTED An identical matching policy already=
exists.=0D
+ @retval EFI_WRITE_PROTECTED The interface has been locked until =
the next reboot.=0D
+ @retval EFI_ABORTED A calculation error has prevented th=
is function from completing.=0D
+ @retval EFI_OUT_OF_RESOURCES Cannot grow the table to hold any mo=
re policies.=0D
+=0D
+**/=0D
+typedef=0D
+EFI_STATUS=0D
+(EFIAPI *REGISTER_VARIABLE_POLICY)(=0D
+ IN CONST VARIABLE_POLICY_ENTRY *PolicyEntry=0D
+ );=0D
+=0D
+/**=0D
+ This API function will dump the entire contents of the variable policy t=
able.=0D
+=0D
+ Similar to GetVariable, the first call can be made with a 0 size and it =
will return=0D
+ the size of the buffer required to hold the entire table.=0D
+=0D
+ @param[out] Policy Pointer to the policy buffer. Can be NULL if Siz=
e is 0.=0D
+ @param[in,out] Size On input, the size of the output buffer. On outp=
ut, the size=0D
+ of the data returned.=0D
+=0D
+ @retval EFI_SUCCESS Policy data is in the output buffer =
and Size has been updated.=0D
+ @retval EFI_INVALID_PARAMETER Size is NULL, or Size is non-zero an=
d Policy is NULL.=0D
+ @retval EFI_BUFFER_TOO_SMALL Size is insufficient to hold policy.=
Size updated with required size.=0D
+=0D
+**/=0D
+typedef=0D
+EFI_STATUS=0D
+(EFIAPI *DUMP_VARIABLE_POLICY)(=0D
+ IN OUT UINT8 *Policy,=0D
+ IN OUT UINT32 *Size=0D
+ );=0D
+=0D
+/**=0D
+ This API function locks the interface so that no more policy updates=0D
+ can be performed or changes made to the enforcement until the next boot.=
=0D
+=0D
+ @retval EFI_SUCCESS=0D
+ @retval Others An error has prevented this command from compl=
eting.=0D
+=0D
+**/=0D
+typedef=0D
+EFI_STATUS=0D
+(EFIAPI *LOCK_VARIABLE_POLICY)(=0D
+ VOID=0D
+ );=0D
+=0D
+typedef struct {=0D
+ UINT64 Revision;=0D
+ DISABLE_VARIABLE_POLICY DisableVariablePolicy;=0D
+ IS_VARIABLE_POLICY_ENABLED IsVariablePolicyEnabled;=0D
+ REGISTER_VARIABLE_POLICY RegisterVariablePolicy;=0D
+ DUMP_VARIABLE_POLICY DumpVariablePolicy;=0D
+ LOCK_VARIABLE_POLICY LockVariablePolicy;=0D
+} _EDKII_VARIABLE_POLICY_PROTOCOL;=0D
+=0D
+typedef _EDKII_VARIABLE_POLICY_PROTOCOL EDKII_VARIABLE_POLICY_PROTOCOL;=0D
+=0D
+extern EFI_GUID gEdkiiVariablePolicyProtocolGuid;=0D
+=0D
+#endif=0D
diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
index cb30a7975849..82aecc40d9a9 100644
--- a/MdeModulePkg/MdeModulePkg.dec
+++ b/MdeModulePkg/MdeModulePkg.dec
@@ -8,7 +8,7 @@
# Copyright (c) 2016, Linaro Ltd. All rights reserved.<BR>=0D
# (C) Copyright 2016 - 2019 Hewlett Packard Enterprise Development LP<BR>=
=0D
# Copyright (c) 2017, AMD Incorporated. All rights reserved.<BR>=0D
-# Copyright (c) 2016, Microsoft Corporation<BR>=0D
+# Copyright (c) Microsoft Corporation.<BR>=0D
# SPDX-License-Identifier: BSD-2-Clause-Patent=0D
#=0D
##=0D
@@ -627,6 +627,9 @@ [Protocols]
# 0x80000006 | Incorrect error code provided.=0D
#=0D
=0D
+ ## Include/Protocol/VariablePolicy.h=0D
+ gEdkiiVariablePolicyProtocolGuid =3D { 0x81D1675C, 0x86F6, 0x48DF, { 0xB=
D, 0x95, 0x9A, 0x6E, 0x4F, 0x09, 0x25, 0xC3 } }=0D
+=0D
[PcdsFeatureFlag]=0D
## Indicates if the platform can support update capsule across a system =
reset.<BR><BR>=0D
# TRUE - Supports update capsule across a system reset.<BR>=0D
@@ -1119,6 +1122,15 @@ [PcdsFixedAtBuild, PcdsPatchableInModule]
# @Prompt Variable storage size.=0D
gEfiMdeModulePkgTokenSpaceGuid.PcdVariableStoreSize|0x10000|UINT32|0x300=
00005=0D
=0D
+ ## Toggle for whether the VariablePolicy engine should allow disabling.=
=0D
+ # The engine is enabled at power-on, but the interface allows the platfo=
rm to=0D
+ # disable enforcement for servicing flexibility. If this PCD is disabled=
, it will block the ability to=0D
+ # disable the enforcement and VariablePolicy enforcement will always be =
ON.=0D
+ # TRUE - VariablePolicy can be disabled by request through the interfa=
ce (until interface is locked)=0D
+ # FALSE - VariablePolicy interface will not accept requests to disable=
and is ALWAYS ON=0D
+ # @Prompt Allow VariablePolicy enforcement to be disabled.=0D
+ gEfiMdeModulePkgTokenSpaceGuid.PcdAllowVariablePolicyEnforcementDisable|=
FALSE|BOOLEAN|0x30000020=0D
+=0D
## FFS filename to find the ACPI tables.=0D
# @Prompt FFS name of ACPI tables storage.=0D
gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiTableStorageFile|{ 0x25, 0x4e, 0x3=
7, 0x7e, 0x01, 0x8e, 0xee, 0x4f, 0x87, 0xf2, 0x39, 0xc, 0x23, 0xc6, 0x6, 0x=
cd }|VOID*|0x30000016=0D
diff --git a/MdeModulePkg/MdeModulePkg.uni b/MdeModulePkg/MdeModulePkg.uni
index b8c867379a86..40884c57a460 100644
--- a/MdeModulePkg/MdeModulePkg.uni
+++ b/MdeModulePkg/MdeModulePkg.uni
@@ -129,6 +129,13 @@
=0D
#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdVariableStoreSize_HELP #lan=
guage en-US "The size of volatile buffer. This buffer is used to store VOLA=
TILE attribute variables."=0D
=0D
+#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAllowVariablePolicyEnforceme=
ntDisable_PROMPT #language en-US "Allow VariablePolicy enforcement to be d=
isabled."=0D
+=0D
+#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAllowVariablePolicyEnforceme=
ntDisable_HELP #language en-US "If this PCD is disabled, it will block the=
ability to<BR>\n"=0D
+ =
"disable the enforcement and VariablePolicy=
enforcement will always be ON.<BR>\n"=0D
+ =
"TRUE - VariablePolicy can be disabled by r=
equest through the interface (until interface is locked)<BR>\n"=0D
+ =
"FALSE - VariablePolicy interface will not =
accept requests to disable and is ALWAYS ON<BR>\n"=0D
+=0D
#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiTableStorageFile_PROMPT =
#language en-US "FFS name of ACPI tables storage"=0D
=0D
#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiTableStorageFile_HELP #=
language en-US "FFS filename to find the ACPI tables."=0D
--=20
2.28.0.windows.1


[PATCH v7 00/14] Add the VariablePolicy feature

Bret Barkelew
 

The 14 patches in this series add the VariablePolicy feature to the core,
deprecate Edk2VarLock (while adding a compatibility layer to reduce code
churn), and integrate the VariablePolicy libraries and protocols into
Variable Services.

Since the integration requires multiple changes, including adding libraries,
a protocol, an SMI communication handler, and VariableServices integration,
the patches are broken up by individual library additions and then a final
integration. Security-sensitive changes like bypassing Authenticated
Variable enforcement are also broken out into individual patches so that
attention can be called directly to them.

Platform porting instructions are described in this wiki entry:
https://github.com/tianocore/tianocore.github.io/wiki/VariablePolicy-Protocol---Enhanced-Method-for-Managing-Variables#platform-porting

Discussion of the feature can be found in multiple places throughout
the last year on the RFC channel, staging branches, and in devel.

Most recently, this subject was discussed in this thread:
https://edk2.groups.io/g/devel/message/53712
(the code branches shared in that discussion are now out of date, but the
whitepapers and discussion are relevant).

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
Cc: Andrew Fish <afish@apple.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Bret Barkelew <brbarkel@microsoft.com>
Signed-off-by: Bret Barkelew <brbarkel@microsoft.com>

v7 changes:
* Address comments from Dandan about security of the MM handler
* Add readme
* Fix bug around hex characters in BOOT####, etc
* Add additional testing for hex characters
* Add additional testing for authenticated variables

v6 changes:
* Fix an issue with uninitialized Status in InitVariablePolicyLib() and DeinitVariablePolicyLib()
* Fix GCC building in shell-based functional test
* Rebase on latest origin/master

v5 changes:
* Fix the CONST mismatch in VariablePolicy.h and VariablePolicySmmDxe.c
* Fix EFIAPI mismatches in the functional unittest
* Rebase on latest origin/master

v4 changes:
* Remove Optional PcdAllowVariablePolicyEnforcementDisable PCD from platforms
* Rebase on master
* Migrate to new MmCommunicate2 protocol
* Fix an oversight in the default return value for InitMmCommonCommBuffer
* Fix in VariablePolicyLib to allow ExtraInitRuntimeDxe to consume variables

V3 changes:
* Address all non-unittest issues with ECC
* Make additional style changes
* Include section name in hunk headers in "ini-style" files
* Remove requirement for the EdkiiPiSmmCommunicationsRegionTable driver
(now allocates its own buffer)
* Change names from VARIABLE_POLICY_PROTOCOL and gVariablePolicyProtocolGuid
to EDKII_VARIABLE_POLICY_PROTOCOL and gEdkiiVariablePolicyProtocolGuid
* Fix GCC warning about initializing externs
* Add UNI strings for new PCD
* Add patches for ArmVirtPkg, OvmfXen, and UefiPayloadPkg
* Reorder patches according to Liming's feedback about adding to platforms
before changing variable driver

V2 changes:
* Fixed implementation for RuntimeDxe
* Add PCD to block DisableVariablePolicy
* Fix the DumpVariablePolicy pagination in SMM


Bret Barkelew (14):
MdeModulePkg: Define the VariablePolicy protocol interface
MdeModulePkg: Define the VariablePolicyLib
MdeModulePkg: Define the VariablePolicyHelperLib
MdeModulePkg: Define the VarCheckPolicyLib and SMM interface
OvmfPkg: Add VariablePolicy engine to OvmfPkg platform
EmulatorPkg: Add VariablePolicy engine to EmulatorPkg platform
ArmVirtPkg: Add VariablePolicy engine to ArmVirtPkg platform
UefiPayloadPkg: Add VariablePolicy engine to UefiPayloadPkg platform
MdeModulePkg: Connect VariablePolicy business logic to
VariableServices
MdeModulePkg: Allow VariablePolicy state to delete protected variables
SecurityPkg: Allow VariablePolicy state to delete authenticated
variables
MdeModulePkg: Change TCG MOR variables to use VariablePolicy
MdeModulePkg: Drop VarLock from RuntimeDxe variable driver
MdeModulePkg: Add a shell-based functional test for VariablePolicy

MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c | 345 +++
MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.c | 396 ++++
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitNull.c | 46 +
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitRuntimeDxe.c | 85 +
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c | 830 +++++++
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicyUnitTest.c | 2452 ++++++++++++++++++++
MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/VariablePolicyFuncTestApp.c | 2226 ++++++++++++++++++
MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c | 52 +-
MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c | 60 +-
MdeModulePkg/Universal/Variable/RuntimeDxe/VarCheck.c | 49 +-
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c | 53 +
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableLockRequstToLock.c | 71 +
MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c | 642 +++++
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c | 14 +
SecurityPkg/Library/AuthVariableLib/AuthService.c | 22 +-
ArmVirtPkg/ArmVirt.dsc.inc | 4 +
EmulatorPkg/EmulatorPkg.dsc | 3 +
MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h | 54 +
MdeModulePkg/Include/Library/VariablePolicyHelperLib.h | 164 ++
MdeModulePkg/Include/Library/VariablePolicyLib.h | 207 ++
MdeModulePkg/Include/Protocol/VariablePolicy.h | 157 ++
MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf | 42 +
MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.uni | 12 +
MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf | 35 +
MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.uni | 12 +
MdeModulePkg/Library/VariablePolicyLib/ReadMe.md | 410 ++++
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf | 49 +
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.uni | 12 +
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf | 51 +
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicyUnitTest.inf | 45 +
MdeModulePkg/MdeModulePkg.ci.yaml | 8 +-
MdeModulePkg/MdeModulePkg.dec | 26 +-
MdeModulePkg/MdeModulePkg.dsc | 9 +
MdeModulePkg/MdeModulePkg.uni | 7 +
MdeModulePkg/Test/MdeModulePkgHostTest.dsc | 11 +
MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/Readme.md | 55 +
MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/VariablePolicyFuncTestApp.inf | 47 +
MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/VariablePolicyTestAuthVar.h | 128 +
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf | 5 +
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf | 4 +
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf | 11 +
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf | 4 +
OvmfPkg/OvmfPkgIa32.dsc | 5 +
OvmfPkg/OvmfPkgIa32X64.dsc | 5 +
OvmfPkg/OvmfPkgX64.dsc | 5 +
OvmfPkg/OvmfXen.dsc | 4 +
SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf | 2 +
UefiPayloadPkg/UefiPayloadPkgIa32.dsc | 4 +
UefiPayloadPkg/UefiPayloadPkgIa32X64.dsc | 4 +
49 files changed, 8865 insertions(+), 79 deletions(-)
create mode 100644 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c
create mode 100644 MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.c
create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitNull.c
create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitRuntimeDxe.c
create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c
create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicyUnitTest.c
create mode 100644 MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/VariablePolicyFuncTestApp.c
create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableLockRequstToLock.c
create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c
create mode 100644 MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h
create mode 100644 MdeModulePkg/Include/Library/VariablePolicyHelperLib.h
create mode 100644 MdeModulePkg/Include/Library/VariablePolicyLib.h
create mode 100644 MdeModulePkg/Include/Protocol/VariablePolicy.h
create mode 100644 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf
create mode 100644 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.uni
create mode 100644 MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
create mode 100644 MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.uni
create mode 100644 MdeModulePkg/Library/VariablePolicyLib/ReadMe.md
create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.uni
create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf
create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicyUnitTest.inf
create mode 100644 MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/Readme.md
create mode 100644 MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/VariablePolicyFuncTestApp.inf
create mode 100644 MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/VariablePolicyTestAuthVar.h

--
2.28.0.windows.1


Re: [PATCH EDK2 v2 1/1] SecurityPkg/DxeImageVerificationLib:Enhanced verification of Offset

Yao, Jiewen
 

HI Wenyi
Thank you very much to take time to reproduce.

I am particular interested in below:
"As PE file is modified, function PeCoffLoaderGetImageInfo will return error, so I have to remove it so that for loop can be tested in DxeImageVerificationHandler."

By design, the PeCoffLib should catch illegal PE/COFF image and return error. (even it cannot catch all, it should catch most ones).
Other PE/COFF parser may rely on the checker in PeCoffLib and *no need* to duplicate all checkers.
As such, DxeImageVerificationLib (and other PeCoff consumer) just need checks what has passed the check in PeCoffLib.

I don’t think you should remove the checker. If people can remove the checker, I am sure the rest code will be vulnerable, according to the current design.
Could you please to create a case that bypass all checks in PeCoffLib, then run into DxeImageVerificationLib and cause the problem? That would be more valuable for us.

Thank you
Yao Jiewen

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of wenyi,xie
via groups.io
Sent: Friday, August 28, 2020 11:18 AM
To: Laszlo Ersek <lersek@redhat.com>; Wang, Jian J <jian.j.wang@intel.com>;
devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>
Cc: songdongkuang@huawei.com; Mathews, John <john.mathews@intel.com>
Subject: Re: [edk2-devel] [PATCH EDK2 v2 1/1]
SecurityPkg/DxeImageVerificationLib:Enhanced verification of Offset

Hi,Laszlo and everyone,

These days I tried to reproduce the issue,and made some progress. I think
there are two way to cause overflow from a mathematical point of view,
1.As Laszlo analysed before, if WinCertificate->dwLength is large enough, close
to MAX_UINT32, then (WinCertificate->dwLength + ALIGN_SIZE (WinCertificate-
dwLength)) will cause overflow.
2.(WinCertificate->dwLength + ALIGN_SIZE (WinCertificate->dwLength)) is good,
OffSet is good, but OffSet += (WinCertificate->dwLength + ALIGN_SIZE
(WinCertificate->dwLength)) cause overflow.

Here I choose the second way to reproduce the issue, I choose a PE file and sign
it with my own db certificate. Then I use binary edit tool to modify the PE file like
below,

1.change SecDataDir->Size from 0x5F8 to 0xFFFF1FFF
2.change WinCertificate->dwLength from 0x5F1 to 0xFFFF1FFE
SecDataDir->VirtualAddress in my PE is 0xe000 and no need to change.

As PE file is modified, function PeCoffLoaderGetImageInfo will return error, so I
have to remove it so that for loop can be tested in DxeImageVerificationHandler.
The log is as below,

SecDataDir->VirtualAddress=0xE000, SecDataDir->Size=0xFFFF1FFF.
(First Loop)
OffSet=0xE000.
WinCertificate->dwLength=0xFFFF1FFE, ALIGN_SIZE (WinCertificate-
dwLength)=0x2.
(Second Loop)
OffSet=0x0.
WinCertificate->dwLength=0x5A4D, ALIGN_SIZE (WinCertificate-
dwLength)=0x3.
(Third Loop)
OffSet=0x5A50.
WinCertificate->dwLength=0x9024, ALIGN_SIZE (WinCertificate-
dwLength)=0x4.
(Forth Loop)
OffSet=0xEA78.
WinCertificate->dwLength=0xAFAFAFAF, ALIGN_SIZE (WinCertificate-
dwLength)=0x1.
(Fifth Loop)
OffSet=0xAFB09A28.

As I modify SecDataDir->Size and WinCertificate->dwLength, so in first loop the
condition check whether the Security Data Directory has enough room left for
"WinCertificate->dwLength" is ok.

if ((SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) <= sizeof
(WIN_CERTIFICATE) ||
(SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) < WinCertificate-
dwLength) {
break;
}

In the beginning of second loop, WinCertificate->dwLength + ALIGN_SIZE
(WinCertificate->dwLength) is 0xFFFF2000, offset is 0xE000

OffSet += (WinCertificate->dwLength + ALIGN_SIZE (WinCertificate->dwLength))

Offset now is 0 and overflow happens. So even if my PE only have one signature,
the for loop is still going untill exception happens.


I can't reproduce the issue using the first way, because if WinCertificate-
dwLength is close to MAX_UINT32, it means SecDataDir->Size should also close
to MAX_UINT32, or the condition check
"(SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) < WinCertificate-
dwLength" will break. But if SecDataDir->Size is very large, SecDataDir-
VirtualAddress have to be smaller than 8 bytes,
because SecDataDir->VirtualAddress + SecDataDir->Size < MAX_UINT32.
SecDataDir->VirtualAddress is the beginning address of the signature, and before
SecDataDir->VirtualAddress is the content of origin PE file, I think it's impossible
that the size of PE file is only 8 bytes.

As I changed the one line code in DxeImageVerificationHandler to reproduce the
issue, I'm not sure whether it's ok.

Thanks
Wenyi

On 2020/8/19 17:26, Laszlo Ersek wrote:
On 08/18/20 17:18, Mathews, John wrote:
I dug up the original report details. This was noted as a concern during a
source code inspection. There was no demonstration of how it might be
triggered.

" There is an integer overflow vulnerability in the
DxeImageVerificationHandler function when
parsing the PE files attribute certificate table. In cases where WinCertificate-
dwLength is
sufficiently large, it's possible to overflow Offset back to 0 causing an endless
loop."

The recommendation was to add stricter checking of "Offset" and the
embedded length fields of certificate data
before using them.
Thanks for checking!

Laszlo




-----Original Message-----
From: Laszlo Ersek <lersek@redhat.com>
Sent: Tuesday, August 18, 2020 1:59 AM
To: Wang, Jian J <jian.j.wang@intel.com>; devel@edk2.groups.io; Yao,
Jiewen <jiewen.yao@intel.com>; xiewenyi2@huawei.com
Cc: huangming23@huawei.com; songdongkuang@huawei.com; Mathews,
John <john.mathews@intel.com>
Subject: Re: [edk2-devel] [PATCH EDK2 v2 1/1]
SecurityPkg/DxeImageVerificationLib:Enhanced verification of Offset

On 08/18/20 04:10, Wang, Jian J wrote:
Laszlo,

My apologies for the slow response. I'm not the original reporter but
just the BZ submitter. And I didn't do deep analysis to this issue.
The issues was reported from one internal team. Add John in loop to see if
he knows more about it or not.

My superficial understanding on such issue is that, if there's
"potential" issue in theory and hard to reproduce, it's still worthy
of using an alternative way to replace the original implementation
with no "potential" issue at all. Maybe we don't have to prove old way is
something wrong but must prove that the new way is really safe.

I agree, thanks.

It would be nice to hear more from the internal team about the originally
reported (even if hard-to-trigger) issue.

Thanks!
Laszlo


Regards,
Jian

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Laszlo
Ersek
Sent: Tuesday, August 18, 2020 12:53 AM
To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io;
xiewenyi2@huawei.com; Wang, Jian J <jian.j.wang@intel.com>
Cc: huangming23@huawei.com; songdongkuang@huawei.com
Subject: Re: [edk2-devel] [PATCH EDK2 v2 1/1]
SecurityPkg/DxeImageVerificationLib:Enhanced verification of Offset

Hi Jiewen,

On 08/14/20 10:53, Yao, Jiewen wrote:
To Jiewen,
Sorry, I don't have environment to reproduce the issue.
Please help me understand, if you don’t have environment to
reproduce the
issue, how do you guarantee that your patch does fix the problem and
we don’t have any other vulnerabilities?

The original bug report in
<https://bugzilla.tianocore.org/show_bug.cgi?id=2215#c0> is seriously
lacking. It does not go into detail about the alleged integer overflow.
It does not quote the code, does not explain the control flow, does
not identify the exact edk2 commit at which the vulnerability exists.

The bug report also does not offer a reproducer.

Additionally, the exact statement that the bug report does make,
namely

it's possible to overflow Offset back to 0 causing an endless loop

is wrong (as far as I can tell anyway). It is not "OffSet" that can
be overflowed to zero, but the *addend* that is added to OffSet can
be overflowed to zero. Therefore the infinite loop will arise because
OffSet remains stuck at its present value, and not because OffSet
will be re-set to zero.

For the reasons, we can only speculate as to what the actual problem
is, unless Jian decides to join the discussion and clarifies what he
had in mind originally.

My understanding (or even "reconstruction") of the vulnerability is
described above, and in the patches that I proposed.

We can write a patch based on code analysis. It's possible to
identify integer overflows based on code analysis, and it's possible
to verify the correctness of fixes by code review. Obviously testing
is always good, but many times, constructing reproducers for such
issues that were found by code review, is difficult and time
consuming. We can say that we don't fix vulnerabilities without
reproducers, or we can say that we make an effort to fix them even if
all we have is code analysis (and not a reproducer).

So the above paragraph concerns "correctness". Regarding
"completeness", I guarantee you that this patch does not fix *all*
problems related to PE parsing. (See the other BZ tickets.) It does
fix *one* issue with PE parsing. We can say that we try to fix such
issues gradually (give different CVE numbers to different issues, and
address them one at a time), or we can say that we rewrite PE parsing
from the ground up.
(BTW: I have seriously attempted that in the past, and I gave up,
because the PE format is FUBAR.)

In summary:

- the problem statement is unclear,

- it seems like there is indeed an integer overflow problem in the
SecDataDir parsing loop, but it's uncertain whether the bug reporter
had exactly that in mind

- PE parsing is guaranteed to have other vulnerabilities elsewhere in
edk2, but I'm currently unaware of other such issues in
DxeImageVerificationLib specifically

- even if there are other such problems (in DxeImageVerificationLib
or elswehere), fixing this bug that we know about is likely
worthwhile

- for many such bugs, constructing a reproducer is difficult and time
consuming; code analysis, and *regression-testing* are frequently the
only tools we have. That doesn't mean we should ignore this class of bugs.

(Fixing integer overflows retro-actively is more difficult than
writing overflow-free code in the first place, but that ship has
sailed; so we can only fight these bugs incrementally now, unless we
can rewrite PE parsing with a new data structure from the ground up.
Again I tried that and gave up, because the spec is not public, and
what I did manage to learn about PE, showed that it was insanely
over-engineered. I'm not saying that other binary / executable
formats are better, of course.)

Please check out my patches (inlined elsewhere in this thread), and
comment whether you'd like me to post them to the list as a
standalone series.

Jian: it wouldn't hurt if you commented as well.

Thanks
Laszlo

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of
wenyi,xie
via groups.io
Sent: Friday, August 14, 2020 3:54 PM
To: Laszlo Ersek <lersek@redhat.com>; devel@edk2.groups.io; Yao,
Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>
Cc: huangming23@huawei.com; songdongkuang@huawei.com
Subject: Re: [edk2-devel] [PATCH EDK2 v2 1/1]
SecurityPkg/DxeImageVerificationLib:Enhanced verification of Offset

To Laszlo,
Thank you for your detailed description, I agree with what you
analyzed and
I'm
OK with your patches, it's
correct and much simpler.

To Jiewen,
Sorry, I don't have environment to reproduce the issue.

Thanks
Wenyi

On 2020/8/14 2:50, Laszlo Ersek wrote:
On 08/13/20 13:55, Wenyi Xie wrote:
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2215

There is an integer overflow vulnerability in
DxeImageVerificationHandler function when parsing the PE files
attribute certificate table. In cases where
WinCertificate->dwLength is sufficiently large, it's possible to
overflow Offset back to 0 causing an endless loop.

Check offset inbetween VirtualAddress and VirtualAddress + Size.
Using SafeintLib to do offset addition with result check.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Wenyi Xie <xiewenyi2@huawei.com>
---

SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.inf
|
1 +

SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.h
|
1 +

SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.c
|
111 +++++++++++---------
3 files changed, 63 insertions(+), 50 deletions(-)

diff --git
a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.inf
b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.inf
index 1e1a639857e0..a7ac4830b3d4 100644
---
a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.inf
+++
b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.inf
@@ -53,6 +53,7 @@ [LibraryClasses]
SecurityManagementLib
PeCoffLib
TpmMeasurementLib
+ SafeIntLib

[Protocols]
gEfiFirmwareVolume2ProtocolGuid ## SOMETIMES_CONSUMES
diff --git
a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.h
b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.h
index 17955ff9774c..060273917d5d 100644
---
a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.h
+++
b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.h
@@ -23,6 +23,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Library/DevicePathLib.h> #include
<Library/SecurityManagementLib.h> #include <Library/PeCoffLib.h>
+#include <Library/SafeIntLib.h>
#include <Protocol/FirmwareVolume2.h> #include
<Protocol/DevicePath.h> #include <Protocol/BlockIo.h> diff --git
a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.c
b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.c
index 36b87e16d53d..dbc03e28c05b 100644
---
a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib
.c
+++
b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.c
@@ -1658,6 +1658,10 @@ DxeImageVerificationHandler (
EFI_STATUS HashStatus;
EFI_STATUS DbStatus;
BOOLEAN IsFound;
+ UINT32 AlignedLength;
+ UINT32 Result;
+ EFI_STATUS AddStatus;
+ BOOLEAN IsAuthDataAssigned;

SignatureList = NULL;
SignatureListSize = 0;
@@ -1667,6 +1671,7 @@ DxeImageVerificationHandler (
Action = EFI_IMAGE_EXECUTION_AUTH_UNTESTED;
IsVerified = FALSE;
IsFound = FALSE;
+ Result = 0;

//
// Check the image type and get policy setting.
@@ -1850,9 +1855,10 @@ DxeImageVerificationHandler (
// The first certificate starts at offset
(SecDataDir->VirtualAddress) from
the
start of the file.
//
for (OffSet = SecDataDir->VirtualAddress;
- OffSet < (SecDataDir->VirtualAddress + SecDataDir->Size);
- OffSet += (WinCertificate->dwLength + ALIGN_SIZE
(WinCertificate-
dwLength))) {
+ (OffSet >= SecDataDir->VirtualAddress) && (OffSet <
+ (SecDataDir-
VirtualAddress + SecDataDir->Size));) {
+ IsAuthDataAssigned = FALSE;
WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
+ AlignedLength = WinCertificate->dwLength + ALIGN_SIZE
(WinCertificate-
dwLength);

I disagree with this patch.

The primary reason for my disagreement is that the bug report
<https://bugzilla.tianocore.org/show_bug.cgi?id=2215#c0> is
inexact, and so this patch tries to fix the wrong thing.

With edk2 master at commit 65904cdbb33c, it is *not* possible to
overflow the OffSet variable to zero with "WinCertificate->dwLength"
*purely*, and cause an endless loop. Note that we have (at commit
65904cdbb33c):

for (OffSet = SecDataDir->VirtualAddress;
OffSet < (SecDataDir->VirtualAddress + SecDataDir->Size);
OffSet += (WinCertificate->dwLength + ALIGN_SIZE
(WinCertificate-
dwLength))) {
WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
if ((SecDataDir->VirtualAddress + SecDataDir->Size - OffSet)
<= sizeof
(WIN_CERTIFICATE) ||
(SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) <
WinCertificate-
dwLength) {
break;
}

The last sub-condition checks whether the Security Data Directory
has enough room left for "WinCertificate->dwLength". If not, then
we break out of the loop.

If we *do* have enough room, that is:

(SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) >=
WinCertificate-
dwLength

then we have (by adding OffSet to both sides):

SecDataDir->VirtualAddress + SecDataDir->Size >= OffSet +
WinCertificate- dwLength

The left hand side is a known-good UINT32, and so incrementing
OffSet (a
UINT32) *solely* by "WinCertificate->dwLength" (also a UINT32)
does not cause an overflow.

Instead, the problem is with the alignment. The "if" statement
checks whether we have enough room for "dwLength", but then
"OffSet" is advanced by "dwLength" *aligned up* to the next
multiple of 8. And that may indeed cause various overflows.

Now, the main problem with the present patch is that it does not
fix one of those overflows. Namely, consider that "dwLength" is
very close to
MAX_UINT32 (or even think it's exactly MAX_UINT32). Then aligning
it up to the next multiple of 8 will yield 0. In other words,
"AlignedLength"
will be zero.

And when that happens, there's going to be an infinite loop just
the
same: "OffSet" will not be zero, but it will be *stuck*. The
SafeUint32Add() call at the bottom will succeed, but it will not
change the value of "OffSet".

More at the bottom.


if ((SecDataDir->VirtualAddress + SecDataDir->Size - OffSet)
<= sizeof
(WIN_CERTIFICATE) ||
(SecDataDir->VirtualAddress + SecDataDir->Size - OffSet)
<
WinCertificate->dwLength) {
break;
@@ -1872,6 +1878,8 @@ DxeImageVerificationHandler (
}
AuthData = PkcsCertData->CertData;
AuthDataSize = PkcsCertData->Hdr.dwLength -
sizeof(PkcsCertData-
Hdr);
+ IsAuthDataAssigned = TRUE;
+ HashStatus = HashPeImageByType (AuthData, AuthDataSize);
} else if (WinCertificate->wCertificateType ==
WIN_CERT_TYPE_EFI_GUID)
{
//
// The certificate is formatted as
WIN_CERTIFICATE_UEFI_GUID which
is
described in UEFI Spec.
@@ -1880,72 +1888,75 @@ DxeImageVerificationHandler (
if (WinCertUefiGuid->Hdr.dwLength <=
OFFSET_OF(WIN_CERTIFICATE_UEFI_GUID, CertData)) {
break;
}
- if (!CompareGuid (&WinCertUefiGuid->CertType,
&gEfiCertPkcs7Guid))
{
- continue;
+ if (CompareGuid (&WinCertUefiGuid->CertType,
+ &gEfiCertPkcs7Guid))
{
+ AuthData = WinCertUefiGuid->CertData;
+ AuthDataSize = WinCertUefiGuid->Hdr.dwLength -
OFFSET_OF(WIN_CERTIFICATE_UEFI_GUID, CertData);
+ IsAuthDataAssigned = TRUE;
+ HashStatus = HashPeImageByType (AuthData, AuthDataSize);
}
- AuthData = WinCertUefiGuid->CertData;
- AuthDataSize = WinCertUefiGuid->Hdr.dwLength -
OFFSET_OF(WIN_CERTIFICATE_UEFI_GUID, CertData);
} else {
if (WinCertificate->dwLength < sizeof (WIN_CERTIFICATE)) {
break;
}
- continue;
}

- HashStatus = HashPeImageByType (AuthData, AuthDataSize);
- if (EFI_ERROR (HashStatus)) {
- continue;
- }
-
- //
- // Check the digital signature against the revoked certificate in
forbidden
database (dbx).
- //
- if (IsForbiddenByDbx (AuthData, AuthDataSize)) {
- Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED;
- IsVerified = FALSE;
- break;
- }
-
- //
- // Check the digital signature against the valid certificate in
allowed
database (db).
- //
- if (!IsVerified) {
- if (IsAllowedByDb (AuthData, AuthDataSize)) {
- IsVerified = TRUE;
+ if (IsAuthDataAssigned && !EFI_ERROR (HashStatus)) {
+ //
+ // Check the digital signature against the revoked
+ certificate in
forbidden
database (dbx).
+ //
+ if (IsForbiddenByDbx (AuthData, AuthDataSize)) {
+ Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED;
+ IsVerified = FALSE;
+ break;
}
- }

- //
- // Check the image's hash value.
- //
- DbStatus = IsSignatureFoundInDatabase (
- EFI_IMAGE_SECURITY_DATABASE1,
- mImageDigest,
- &mCertType,
- mImageDigestSize,
- &IsFound
- );
- if (EFI_ERROR (DbStatus) || IsFound) {
- Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND;
- DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is
signed
but %s
hash of image is found in DBX.\n", mHashTypeStr));
- IsVerified = FALSE;
- break;
- }
+ //
+ // Check the digital signature against the valid
+ certificate in allowed
database (db).
+ //
+ if (!IsVerified) {
+ if (IsAllowedByDb (AuthData, AuthDataSize)) {
+ IsVerified = TRUE;
+ }
+ }

- if (!IsVerified) {
+ //
+ // Check the image's hash value.
+ //
DbStatus = IsSignatureFoundInDatabase (
- EFI_IMAGE_SECURITY_DATABASE,
+ EFI_IMAGE_SECURITY_DATABASE1,
mImageDigest,
&mCertType,
mImageDigestSize,
&IsFound
);
- if (!EFI_ERROR (DbStatus) && IsFound) {
- IsVerified = TRUE;
- } else {
- DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is
signed
but
signature is not allowed by DB and %s hash of image is not found in
DB/DBX.\n",
mHashTypeStr));
+ if (EFI_ERROR (DbStatus) || IsFound) {
+ Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND;
+ DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is
+ signed
but %s hash of image is found in DBX.\n", mHashTypeStr));
+ IsVerified = FALSE;
+ break;
}
+
+ if (!IsVerified) {
+ DbStatus = IsSignatureFoundInDatabase (
+ EFI_IMAGE_SECURITY_DATABASE,
+ mImageDigest,
+ &mCertType,
+ mImageDigestSize,
+ &IsFound
+ );
+ if (!EFI_ERROR (DbStatus) && IsFound) {
+ IsVerified = TRUE;
+ } else {
+ DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is
+ signed
but
signature is not allowed by DB and %s hash of image is not found in
DB/DBX.\n",
mHashTypeStr));
+ }
+ }
+ }
+
+ AddStatus = SafeUint32Add (OffSet, AlignedLength, &Result);
+ if (EFI_ERROR (AddStatus)) {
+ break;
}
+ OffSet = Result;
}

if (OffSet != (SecDataDir->VirtualAddress + SecDataDir->Size))
{
There are other (smaller) reasons why I dislike this patch:

- The "IsAuthDataAssigned" variable is superfluous; we could use
the existent "AuthData" variable (with a NULL-check and a
NULL-assignment) similarly.

- The patch complicates / reorganizes the control flow needlessly.
This complication originates from placing the checked "OffSet"
increment at the bottom of the loop, which then requires the
removal of all the "continue" statements. But we don't need to
check-and-increment at the bottom. We can keep the increment
inside the "for" statement, only extend the *existent* room check
(which I've quoted) to take the alignment into account as well. If
there is enough room for the alignment in the security data
directory, then that guarantees there won't be a UINT32 overflow
either.

All in all, I'm proposing the following three patches instead. The
first two patches are preparation, the last patch is the fix.

Patch#1:

From 11af0a104d34d39bf1b1aab256428ae4edbddd77 Mon Sep 17
00:00:00
2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Thu, 13 Aug 2020 19:11:39 +0200
Subject: [PATCH 1/3] SecurityPkg/DxeImageVerificationLib: extract
SecDataDirEnd, SecDataDirLeft

The following two quantities:

SecDataDir->VirtualAddress + SecDataDir->Size
SecDataDir->VirtualAddress + SecDataDir->Size - OffSet

are used multiple times in DxeImageVerificationHandler().
Introduce helper variables for them: "SecDataDirEnd" and
"SecDataDirLeft", respectively.
This saves us multiple calculations and significantly simplifies the code.

Note that all three summands above have type UINT32, therefore
the new variables are also of type UINT32.

This patch does not change behavior.

(Note that the code already handles the case when the

SecDataDir->VirtualAddress + SecDataDir->Size

UINT32 addition overflows -- namely, in that case, the
certificate loop is never entered, and the corruption check right
after the loop fires.)

Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---

SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.c |
12
++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)

diff --git
a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.c
b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.c
index 36b87e16d53d..8761980c88aa 100644
---
a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib
.c
+++
b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.c
@@ -1652,6 +1652,8 @@ DxeImageVerificationHandler (
UINT8 *AuthData;
UINTN AuthDataSize;
EFI_IMAGE_DATA_DIRECTORY *SecDataDir;
+ UINT32 SecDataDirEnd;
+ UINT32 SecDataDirLeft;
UINT32 OffSet;
CHAR16 *NameStr;
RETURN_STATUS PeCoffStatus;
@@ -1849,12 +1851,14 @@ DxeImageVerificationHandler (
// "Attribute Certificate Table".
// The first certificate starts at offset
(SecDataDir->VirtualAddress) from
the
start of the file.
//
+ SecDataDirEnd = SecDataDir->VirtualAddress + SecDataDir->Size;
for (OffSet = SecDataDir->VirtualAddress;
- OffSet < (SecDataDir->VirtualAddress + SecDataDir->Size);
+ OffSet < SecDataDirEnd;
OffSet += (WinCertificate->dwLength + ALIGN_SIZE
(WinCertificate-
dwLength))) {
WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
- if ((SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) <=
sizeof
(WIN_CERTIFICATE) ||
- (SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) <
WinCertificate->dwLength) {
+ SecDataDirLeft = SecDataDirEnd - OffSet;
+ if (SecDataDirLeft <= sizeof (WIN_CERTIFICATE) ||
+ SecDataDirLeft < WinCertificate->dwLength) {
break;
}

@@ -1948,7 +1952,7 @@ DxeImageVerificationHandler (
}
}

- if (OffSet != (SecDataDir->VirtualAddress + SecDataDir->Size))
{
+ if (OffSet != SecDataDirEnd) {
//
// The Size in Certificate Table or the attribute
certificate table is
corrupted.
//
--
2.19.1.3.g30247aa5d201
Patch#2:

From 72012c065a53582f7df695e7b9730c45f49226c6 Mon Sep 17
00:00:00
2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Thu, 13 Aug 2020 19:19:06 +0200
Subject: [PATCH 2/3] SecurityPkg/DxeImageVerificationLib: assign
WinCertificate after size check

Currently the (SecDataDirLeft <= sizeof (WIN_CERTIFICATE)) check
only guards the de-referencing of the "WinCertificate" pointer.
It does not guard the calculation of hte pointer itself:

WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);

This is wrong; if we don't know for sure that we have enough room
for a WIN_CERTIFICATE, then even creating such a pointer, not
just de-referencing it, may invoke undefined behavior.

Move the pointer calculation after the size check.

Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---

SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.c |
8
+++++---
1 file changed, 5 insertions(+), 3 deletions(-)

diff --git
a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.c
b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.c
index 8761980c88aa..461ed7cfb5ac 100644
---
a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib
.c
+++
b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.c
@@ -1855,10 +1855,12 @@ DxeImageVerificationHandler (
for (OffSet = SecDataDir->VirtualAddress;
OffSet < SecDataDirEnd;
OffSet += (WinCertificate->dwLength + ALIGN_SIZE
(WinCertificate-
dwLength))) {
- WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
SecDataDirLeft = SecDataDirEnd - OffSet;
- if (SecDataDirLeft <= sizeof (WIN_CERTIFICATE) ||
- SecDataDirLeft < WinCertificate->dwLength) {
+ if (SecDataDirLeft <= sizeof (WIN_CERTIFICATE)) {
+ break;
+ }
+ WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
+ if (SecDataDirLeft < WinCertificate->dwLength) {
break;
}

--
2.19.1.3.g30247aa5d201
Patch#3:

From 0bbba15b84f8f9f2cdc770a89f418aaec6cfb31e Mon Sep 17
00:00:00
2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Thu, 13 Aug 2020 19:34:33 +0200
Subject: [PATCH 3/3] SecurityPkg/DxeImageVerificationLib: catch
alignment
overflow (CVE-2019-14562)

The DxeImageVerificationHandler() function currently checks
whether "SecDataDir" has enough room for
"WinCertificate->dwLength". However,
for
advancing "OffSet", "WinCertificate->dwLength" is aligned to the
next multiple of 8. If "WinCertificate->dwLength" is large
enough, the alignment will return 0, and "OffSet" will be stuck at the
same value.

Check whether "SecDataDir" has room left for both
"WinCertificate->dwLength" and the alignment.

Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---

SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.c |
4
+++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git
a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.c
b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.c
index 461ed7cfb5ac..e38eb981b7a0 100644
---
a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib
.c
+++
b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.c
@@ -1860,7 +1860,9 @@ DxeImageVerificationHandler (
break;
}
WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
- if (SecDataDirLeft < WinCertificate->dwLength) {
+ if (SecDataDirLeft < WinCertificate->dwLength ||
+ (SecDataDirLeft - WinCertificate->dwLength <
+ ALIGN_SIZE (WinCertificate->dwLength))) {
break;
}

--
2.19.1.3.g30247aa5d201
If Wenyi and the reviewers are OK with these patches, I can submit
them as a standalone patch series.

Note that I do not have any reproducer for the issue; the best
testing that I could offer would be some light-weight Secure Boot
regression tests.

Thanks
Laszlo


.



.


Re: [PATCH EDK2 v2 1/1] SecurityPkg/DxeImageVerificationLib:Enhanced verification of Offset

wenyi,xie
 

Hi,Laszlo and everyone,

These days I tried to reproduce the issue,and made some progress. I think there are two way to cause overflow from a mathematical point of view,
1.As Laszlo analysed before, if WinCertificate->dwLength is large enough, close to MAX_UINT32, then (WinCertificate->dwLength + ALIGN_SIZE (WinCertificate->dwLength)) will cause overflow.
2.(WinCertificate->dwLength + ALIGN_SIZE (WinCertificate->dwLength)) is good, OffSet is good, but OffSet += (WinCertificate->dwLength + ALIGN_SIZE (WinCertificate->dwLength)) cause overflow.

Here I choose the second way to reproduce the issue, I choose a PE file and sign it with my own db certificate. Then I use binary edit tool to modify the PE file like below,

1.change SecDataDir->Size from 0x5F8 to 0xFFFF1FFF
2.change WinCertificate->dwLength from 0x5F1 to 0xFFFF1FFE
SecDataDir->VirtualAddress in my PE is 0xe000 and no need to change.

As PE file is modified, function PeCoffLoaderGetImageInfo will return error, so I have to remove it so that for loop can be tested in DxeImageVerificationHandler.
The log is as below,

SecDataDir->VirtualAddress=0xE000, SecDataDir->Size=0xFFFF1FFF.
(First Loop)
OffSet=0xE000.
WinCertificate->dwLength=0xFFFF1FFE, ALIGN_SIZE (WinCertificate->dwLength)=0x2.
(Second Loop)
OffSet=0x0.
WinCertificate->dwLength=0x5A4D, ALIGN_SIZE (WinCertificate->dwLength)=0x3.
(Third Loop)
OffSet=0x5A50.
WinCertificate->dwLength=0x9024, ALIGN_SIZE (WinCertificate->dwLength)=0x4.
(Forth Loop)
OffSet=0xEA78.
WinCertificate->dwLength=0xAFAFAFAF, ALIGN_SIZE (WinCertificate->dwLength)=0x1.
(Fifth Loop)
OffSet=0xAFB09A28.

As I modify SecDataDir->Size and WinCertificate->dwLength, so in first loop the condition check whether the Security Data Directory has enough room left for "WinCertificate->dwLength" is ok.

if ((SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) <= sizeof (WIN_CERTIFICATE) ||
(SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) < WinCertificate->dwLength) {
break;
}

In the beginning of second loop, WinCertificate->dwLength + ALIGN_SIZE (WinCertificate->dwLength) is 0xFFFF2000, offset is 0xE000

OffSet += (WinCertificate->dwLength + ALIGN_SIZE (WinCertificate->dwLength))

Offset now is 0 and overflow happens. So even if my PE only have one signature, the for loop is still going untill exception happens.


I can't reproduce the issue using the first way, because if WinCertificate->dwLength is close to MAX_UINT32, it means SecDataDir->Size should also close to MAX_UINT32, or the condition check
"(SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) < WinCertificate->dwLength" will break. But if SecDataDir->Size is very large, SecDataDir->VirtualAddress have to be smaller than 8 bytes,
because SecDataDir->VirtualAddress + SecDataDir->Size < MAX_UINT32.
SecDataDir->VirtualAddress is the beginning address of the signature, and before SecDataDir->VirtualAddress is the content of origin PE file, I think it's impossible that the size of PE file is only 8 bytes.

As I changed the one line code in DxeImageVerificationHandler to reproduce the issue, I'm not sure whether it's ok.

Thanks
Wenyi

On 2020/8/19 17:26, Laszlo Ersek wrote:
On 08/18/20 17:18, Mathews, John wrote:
I dug up the original report details. This was noted as a concern during a source code inspection. There was no demonstration of how it might be triggered.

" There is an integer overflow vulnerability in the DxeImageVerificationHandler function when
parsing the PE files attribute certificate table. In cases where WinCertificate->dwLength is
sufficiently large, it's possible to overflow Offset back to 0 causing an endless loop."

The recommendation was to add stricter checking of "Offset" and the embedded length fields of certificate data
before using them.
Thanks for checking!

Laszlo




-----Original Message-----
From: Laszlo Ersek <lersek@redhat.com>
Sent: Tuesday, August 18, 2020 1:59 AM
To: Wang, Jian J <jian.j.wang@intel.com>; devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>; xiewenyi2@huawei.com
Cc: huangming23@huawei.com; songdongkuang@huawei.com; Mathews, John <john.mathews@intel.com>
Subject: Re: [edk2-devel] [PATCH EDK2 v2 1/1] SecurityPkg/DxeImageVerificationLib:Enhanced verification of Offset

On 08/18/20 04:10, Wang, Jian J wrote:
Laszlo,

My apologies for the slow response. I'm not the original reporter but
just the BZ submitter. And I didn't do deep analysis to this issue.
The issues was reported from one internal team. Add John in loop to see if he knows more about it or not.

My superficial understanding on such issue is that, if there's
"potential" issue in theory and hard to reproduce, it's still worthy
of using an alternative way to replace the original implementation
with no "potential" issue at all. Maybe we don't have to prove old way is something wrong but must prove that the new way is really safe.
I agree, thanks.

It would be nice to hear more from the internal team about the originally reported (even if hard-to-trigger) issue.

Thanks!
Laszlo


Regards,
Jian

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Laszlo
Ersek
Sent: Tuesday, August 18, 2020 12:53 AM
To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io;
xiewenyi2@huawei.com; Wang, Jian J <jian.j.wang@intel.com>
Cc: huangming23@huawei.com; songdongkuang@huawei.com
Subject: Re: [edk2-devel] [PATCH EDK2 v2 1/1]
SecurityPkg/DxeImageVerificationLib:Enhanced verification of Offset

Hi Jiewen,

On 08/14/20 10:53, Yao, Jiewen wrote:
To Jiewen,
Sorry, I don't have environment to reproduce the issue.
Please help me understand, if you don’t have environment to
reproduce the
issue, how do you guarantee that your patch does fix the problem and
we don’t have any other vulnerabilities?

The original bug report in
<https://bugzilla.tianocore.org/show_bug.cgi?id=2215#c0> is seriously
lacking. It does not go into detail about the alleged integer overflow.
It does not quote the code, does not explain the control flow, does
not identify the exact edk2 commit at which the vulnerability exists.

The bug report also does not offer a reproducer.

Additionally, the exact statement that the bug report does make,
namely

it's possible to overflow Offset back to 0 causing an endless loop

is wrong (as far as I can tell anyway). It is not "OffSet" that can
be overflowed to zero, but the *addend* that is added to OffSet can
be overflowed to zero. Therefore the infinite loop will arise because
OffSet remains stuck at its present value, and not because OffSet
will be re-set to zero.

For the reasons, we can only speculate as to what the actual problem
is, unless Jian decides to join the discussion and clarifies what he
had in mind originally.

My understanding (or even "reconstruction") of the vulnerability is
described above, and in the patches that I proposed.

We can write a patch based on code analysis. It's possible to
identify integer overflows based on code analysis, and it's possible
to verify the correctness of fixes by code review. Obviously testing
is always good, but many times, constructing reproducers for such
issues that were found by code review, is difficult and time
consuming. We can say that we don't fix vulnerabilities without
reproducers, or we can say that we make an effort to fix them even if
all we have is code analysis (and not a reproducer).

So the above paragraph concerns "correctness". Regarding
"completeness", I guarantee you that this patch does not fix *all*
problems related to PE parsing. (See the other BZ tickets.) It does
fix *one* issue with PE parsing. We can say that we try to fix such
issues gradually (give different CVE numbers to different issues, and
address them one at a time), or we can say that we rewrite PE parsing from the ground up.
(BTW: I have seriously attempted that in the past, and I gave up,
because the PE format is FUBAR.)

In summary:

- the problem statement is unclear,

- it seems like there is indeed an integer overflow problem in the
SecDataDir parsing loop, but it's uncertain whether the bug reporter
had exactly that in mind

- PE parsing is guaranteed to have other vulnerabilities elsewhere in
edk2, but I'm currently unaware of other such issues in
DxeImageVerificationLib specifically

- even if there are other such problems (in DxeImageVerificationLib
or elswehere), fixing this bug that we know about is likely
worthwhile

- for many such bugs, constructing a reproducer is difficult and time
consuming; code analysis, and *regression-testing* are frequently the
only tools we have. That doesn't mean we should ignore this class of bugs.

(Fixing integer overflows retro-actively is more difficult than
writing overflow-free code in the first place, but that ship has
sailed; so we can only fight these bugs incrementally now, unless we
can rewrite PE parsing with a new data structure from the ground up.
Again I tried that and gave up, because the spec is not public, and
what I did manage to learn about PE, showed that it was insanely
over-engineered. I'm not saying that other binary / executable
formats are better, of course.)

Please check out my patches (inlined elsewhere in this thread), and
comment whether you'd like me to post them to the list as a
standalone series.

Jian: it wouldn't hurt if you commented as well.

Thanks
Laszlo

-----Original Message-----
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of
wenyi,xie
via groups.io
Sent: Friday, August 14, 2020 3:54 PM
To: Laszlo Ersek <lersek@redhat.com>; devel@edk2.groups.io; Yao,
Jiewen <jiewen.yao@intel.com>; Wang, Jian J <jian.j.wang@intel.com>
Cc: huangming23@huawei.com; songdongkuang@huawei.com
Subject: Re: [edk2-devel] [PATCH EDK2 v2 1/1]
SecurityPkg/DxeImageVerificationLib:Enhanced verification of Offset

To Laszlo,
Thank you for your detailed description, I agree with what you
analyzed and
I'm
OK with your patches, it's
correct and much simpler.

To Jiewen,
Sorry, I don't have environment to reproduce the issue.

Thanks
Wenyi

On 2020/8/14 2:50, Laszlo Ersek wrote:
On 08/13/20 13:55, Wenyi Xie wrote:
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2215

There is an integer overflow vulnerability in
DxeImageVerificationHandler function when parsing the PE files
attribute certificate table. In cases where
WinCertificate->dwLength is sufficiently large, it's possible to overflow Offset back to 0 causing an endless loop.

Check offset inbetween VirtualAddress and VirtualAddress + Size.
Using SafeintLib to do offset addition with result check.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Wenyi Xie <xiewenyi2@huawei.com>
---

SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.inf
|
1 +

SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.h
|
1 +

SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.c
|
111 +++++++++++---------
3 files changed, 63 insertions(+), 50 deletions(-)

diff --git
a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.inf
b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.inf
index 1e1a639857e0..a7ac4830b3d4 100644
---
a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.inf
+++
b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.inf
@@ -53,6 +53,7 @@ [LibraryClasses]
SecurityManagementLib
PeCoffLib
TpmMeasurementLib
+ SafeIntLib

[Protocols]
gEfiFirmwareVolume2ProtocolGuid ## SOMETIMES_CONSUMES
diff --git
a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.h
b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.h
index 17955ff9774c..060273917d5d 100644
---
a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.h
+++
b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.h
@@ -23,6 +23,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Library/DevicePathLib.h> #include
<Library/SecurityManagementLib.h> #include <Library/PeCoffLib.h>
+#include <Library/SafeIntLib.h>
#include <Protocol/FirmwareVolume2.h> #include
<Protocol/DevicePath.h> #include <Protocol/BlockIo.h> diff --git
a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.c
b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.c
index 36b87e16d53d..dbc03e28c05b 100644
---
a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib
.c
+++
b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.c
@@ -1658,6 +1658,10 @@ DxeImageVerificationHandler (
EFI_STATUS HashStatus;
EFI_STATUS DbStatus;
BOOLEAN IsFound;
+ UINT32 AlignedLength;
+ UINT32 Result;
+ EFI_STATUS AddStatus;
+ BOOLEAN IsAuthDataAssigned;

SignatureList = NULL;
SignatureListSize = 0;
@@ -1667,6 +1671,7 @@ DxeImageVerificationHandler (
Action = EFI_IMAGE_EXECUTION_AUTH_UNTESTED;
IsVerified = FALSE;
IsFound = FALSE;
+ Result = 0;

//
// Check the image type and get policy setting.
@@ -1850,9 +1855,10 @@ DxeImageVerificationHandler (
// The first certificate starts at offset
(SecDataDir->VirtualAddress) from
the
start of the file.
//
for (OffSet = SecDataDir->VirtualAddress;
- OffSet < (SecDataDir->VirtualAddress + SecDataDir->Size);
- OffSet += (WinCertificate->dwLength + ALIGN_SIZE (WinCertificate-
dwLength))) {
+ (OffSet >= SecDataDir->VirtualAddress) && (OffSet <
+ (SecDataDir-
VirtualAddress + SecDataDir->Size));) {
+ IsAuthDataAssigned = FALSE;
WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
+ AlignedLength = WinCertificate->dwLength + ALIGN_SIZE
(WinCertificate-
dwLength);

I disagree with this patch.

The primary reason for my disagreement is that the bug report
<https://bugzilla.tianocore.org/show_bug.cgi?id=2215#c0> is
inexact, and so this patch tries to fix the wrong thing.

With edk2 master at commit 65904cdbb33c, it is *not* possible to
overflow the OffSet variable to zero with "WinCertificate->dwLength"
*purely*, and cause an endless loop. Note that we have (at commit
65904cdbb33c):

for (OffSet = SecDataDir->VirtualAddress;
OffSet < (SecDataDir->VirtualAddress + SecDataDir->Size);
OffSet += (WinCertificate->dwLength + ALIGN_SIZE
(WinCertificate-
dwLength))) {
WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
if ((SecDataDir->VirtualAddress + SecDataDir->Size - OffSet)
<= sizeof
(WIN_CERTIFICATE) ||
(SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) <
WinCertificate-
dwLength) {
break;
}

The last sub-condition checks whether the Security Data Directory
has enough room left for "WinCertificate->dwLength". If not, then
we break out of the loop.

If we *do* have enough room, that is:

(SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) >=
WinCertificate-
dwLength

then we have (by adding OffSet to both sides):

SecDataDir->VirtualAddress + SecDataDir->Size >= OffSet +
WinCertificate- dwLength

The left hand side is a known-good UINT32, and so incrementing
OffSet (a
UINT32) *solely* by "WinCertificate->dwLength" (also a UINT32)
does not cause an overflow.

Instead, the problem is with the alignment. The "if" statement
checks whether we have enough room for "dwLength", but then
"OffSet" is advanced by "dwLength" *aligned up* to the next
multiple of 8. And that may indeed cause various overflows.

Now, the main problem with the present patch is that it does not
fix one of those overflows. Namely, consider that "dwLength" is
very close to
MAX_UINT32 (or even think it's exactly MAX_UINT32). Then aligning
it up to the next multiple of 8 will yield 0. In other words, "AlignedLength"
will be zero.

And when that happens, there's going to be an infinite loop just
the
same: "OffSet" will not be zero, but it will be *stuck*. The
SafeUint32Add() call at the bottom will succeed, but it will not
change the value of "OffSet".

More at the bottom.


if ((SecDataDir->VirtualAddress + SecDataDir->Size - OffSet)
<= sizeof
(WIN_CERTIFICATE) ||
(SecDataDir->VirtualAddress + SecDataDir->Size - OffSet)
<
WinCertificate->dwLength) {
break;
@@ -1872,6 +1878,8 @@ DxeImageVerificationHandler (
}
AuthData = PkcsCertData->CertData;
AuthDataSize = PkcsCertData->Hdr.dwLength -
sizeof(PkcsCertData-
Hdr);
+ IsAuthDataAssigned = TRUE;
+ HashStatus = HashPeImageByType (AuthData, AuthDataSize);
} else if (WinCertificate->wCertificateType ==
WIN_CERT_TYPE_EFI_GUID)
{
//
// The certificate is formatted as
WIN_CERTIFICATE_UEFI_GUID which
is
described in UEFI Spec.
@@ -1880,72 +1888,75 @@ DxeImageVerificationHandler (
if (WinCertUefiGuid->Hdr.dwLength <=
OFFSET_OF(WIN_CERTIFICATE_UEFI_GUID, CertData)) {
break;
}
- if (!CompareGuid (&WinCertUefiGuid->CertType, &gEfiCertPkcs7Guid))
{
- continue;
+ if (CompareGuid (&WinCertUefiGuid->CertType,
+ &gEfiCertPkcs7Guid))
{
+ AuthData = WinCertUefiGuid->CertData;
+ AuthDataSize = WinCertUefiGuid->Hdr.dwLength -
OFFSET_OF(WIN_CERTIFICATE_UEFI_GUID, CertData);
+ IsAuthDataAssigned = TRUE;
+ HashStatus = HashPeImageByType (AuthData, AuthDataSize);
}
- AuthData = WinCertUefiGuid->CertData;
- AuthDataSize = WinCertUefiGuid->Hdr.dwLength -
OFFSET_OF(WIN_CERTIFICATE_UEFI_GUID, CertData);
} else {
if (WinCertificate->dwLength < sizeof (WIN_CERTIFICATE)) {
break;
}
- continue;
}

- HashStatus = HashPeImageByType (AuthData, AuthDataSize);
- if (EFI_ERROR (HashStatus)) {
- continue;
- }
-
- //
- // Check the digital signature against the revoked certificate in
forbidden
database (dbx).
- //
- if (IsForbiddenByDbx (AuthData, AuthDataSize)) {
- Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED;
- IsVerified = FALSE;
- break;
- }
-
- //
- // Check the digital signature against the valid certificate in allowed
database (db).
- //
- if (!IsVerified) {
- if (IsAllowedByDb (AuthData, AuthDataSize)) {
- IsVerified = TRUE;
+ if (IsAuthDataAssigned && !EFI_ERROR (HashStatus)) {
+ //
+ // Check the digital signature against the revoked
+ certificate in
forbidden
database (dbx).
+ //
+ if (IsForbiddenByDbx (AuthData, AuthDataSize)) {
+ Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FAILED;
+ IsVerified = FALSE;
+ break;
}
- }

- //
- // Check the image's hash value.
- //
- DbStatus = IsSignatureFoundInDatabase (
- EFI_IMAGE_SECURITY_DATABASE1,
- mImageDigest,
- &mCertType,
- mImageDigestSize,
- &IsFound
- );
- if (EFI_ERROR (DbStatus) || IsFound) {
- Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND;
- DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed
but %s
hash of image is found in DBX.\n", mHashTypeStr));
- IsVerified = FALSE;
- break;
- }
+ //
+ // Check the digital signature against the valid
+ certificate in allowed
database (db).
+ //
+ if (!IsVerified) {
+ if (IsAllowedByDb (AuthData, AuthDataSize)) {
+ IsVerified = TRUE;
+ }
+ }

- if (!IsVerified) {
+ //
+ // Check the image's hash value.
+ //
DbStatus = IsSignatureFoundInDatabase (
- EFI_IMAGE_SECURITY_DATABASE,
+ EFI_IMAGE_SECURITY_DATABASE1,
mImageDigest,
&mCertType,
mImageDigestSize,
&IsFound
);
- if (!EFI_ERROR (DbStatus) && IsFound) {
- IsVerified = TRUE;
- } else {
- DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is signed
but
signature is not allowed by DB and %s hash of image is not found in
DB/DBX.\n",
mHashTypeStr));
+ if (EFI_ERROR (DbStatus) || IsFound) {
+ Action = EFI_IMAGE_EXECUTION_AUTH_SIG_FOUND;
+ DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is
+ signed
but %s hash of image is found in DBX.\n", mHashTypeStr));
+ IsVerified = FALSE;
+ break;
}
+
+ if (!IsVerified) {
+ DbStatus = IsSignatureFoundInDatabase (
+ EFI_IMAGE_SECURITY_DATABASE,
+ mImageDigest,
+ &mCertType,
+ mImageDigestSize,
+ &IsFound
+ );
+ if (!EFI_ERROR (DbStatus) && IsFound) {
+ IsVerified = TRUE;
+ } else {
+ DEBUG ((DEBUG_INFO, "DxeImageVerificationLib: Image is
+ signed
but
signature is not allowed by DB and %s hash of image is not found in
DB/DBX.\n",
mHashTypeStr));
+ }
+ }
+ }
+
+ AddStatus = SafeUint32Add (OffSet, AlignedLength, &Result);
+ if (EFI_ERROR (AddStatus)) {
+ break;
}
+ OffSet = Result;
}

if (OffSet != (SecDataDir->VirtualAddress + SecDataDir->Size))
{
There are other (smaller) reasons why I dislike this patch:

- The "IsAuthDataAssigned" variable is superfluous; we could use
the existent "AuthData" variable (with a NULL-check and a
NULL-assignment) similarly.

- The patch complicates / reorganizes the control flow needlessly.
This complication originates from placing the checked "OffSet"
increment at the bottom of the loop, which then requires the
removal of all the "continue" statements. But we don't need to
check-and-increment at the bottom. We can keep the increment
inside the "for" statement, only extend the *existent* room check
(which I've quoted) to take the alignment into account as well. If
there is enough room for the alignment in the security data
directory, then that guarantees there won't be a UINT32 overflow either.

All in all, I'm proposing the following three patches instead. The
first two patches are preparation, the last patch is the fix.

Patch#1:

From 11af0a104d34d39bf1b1aab256428ae4edbddd77 Mon Sep 17
00:00:00
2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Thu, 13 Aug 2020 19:11:39 +0200
Subject: [PATCH 1/3] SecurityPkg/DxeImageVerificationLib: extract
SecDataDirEnd, SecDataDirLeft

The following two quantities:

SecDataDir->VirtualAddress + SecDataDir->Size
SecDataDir->VirtualAddress + SecDataDir->Size - OffSet

are used multiple times in DxeImageVerificationHandler().
Introduce helper variables for them: "SecDataDirEnd" and "SecDataDirLeft", respectively.
This saves us multiple calculations and significantly simplifies the code.

Note that all three summands above have type UINT32, therefore
the new variables are also of type UINT32.

This patch does not change behavior.

(Note that the code already handles the case when the

SecDataDir->VirtualAddress + SecDataDir->Size

UINT32 addition overflows -- namely, in that case, the
certificate loop is never entered, and the corruption check right
after the loop fires.)

Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---

SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.c |
12
++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)

diff --git
a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.c
b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.c
index 36b87e16d53d..8761980c88aa 100644
---
a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib
.c
+++
b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.c
@@ -1652,6 +1652,8 @@ DxeImageVerificationHandler (
UINT8 *AuthData;
UINTN AuthDataSize;
EFI_IMAGE_DATA_DIRECTORY *SecDataDir;
+ UINT32 SecDataDirEnd;
+ UINT32 SecDataDirLeft;
UINT32 OffSet;
CHAR16 *NameStr;
RETURN_STATUS PeCoffStatus;
@@ -1849,12 +1851,14 @@ DxeImageVerificationHandler (
// "Attribute Certificate Table".
// The first certificate starts at offset
(SecDataDir->VirtualAddress) from
the
start of the file.
//
+ SecDataDirEnd = SecDataDir->VirtualAddress + SecDataDir->Size;
for (OffSet = SecDataDir->VirtualAddress;
- OffSet < (SecDataDir->VirtualAddress + SecDataDir->Size);
+ OffSet < SecDataDirEnd;
OffSet += (WinCertificate->dwLength + ALIGN_SIZE
(WinCertificate-
dwLength))) {
WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
- if ((SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) <= sizeof
(WIN_CERTIFICATE) ||
- (SecDataDir->VirtualAddress + SecDataDir->Size - OffSet) <
WinCertificate->dwLength) {
+ SecDataDirLeft = SecDataDirEnd - OffSet;
+ if (SecDataDirLeft <= sizeof (WIN_CERTIFICATE) ||
+ SecDataDirLeft < WinCertificate->dwLength) {
break;
}

@@ -1948,7 +1952,7 @@ DxeImageVerificationHandler (
}
}

- if (OffSet != (SecDataDir->VirtualAddress + SecDataDir->Size))
{
+ if (OffSet != SecDataDirEnd) {
//
// The Size in Certificate Table or the attribute
certificate table is
corrupted.
//
--
2.19.1.3.g30247aa5d201
Patch#2:

From 72012c065a53582f7df695e7b9730c45f49226c6 Mon Sep 17 00:00:00
2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Thu, 13 Aug 2020 19:19:06 +0200
Subject: [PATCH 2/3] SecurityPkg/DxeImageVerificationLib: assign
WinCertificate after size check

Currently the (SecDataDirLeft <= sizeof (WIN_CERTIFICATE)) check
only guards the de-referencing of the "WinCertificate" pointer.
It does not guard the calculation of hte pointer itself:

WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);

This is wrong; if we don't know for sure that we have enough room
for a WIN_CERTIFICATE, then even creating such a pointer, not
just de-referencing it, may invoke undefined behavior.

Move the pointer calculation after the size check.

Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---

SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.c |
8
+++++---
1 file changed, 5 insertions(+), 3 deletions(-)

diff --git
a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.c
b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.c
index 8761980c88aa..461ed7cfb5ac 100644
---
a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib
.c
+++
b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.c
@@ -1855,10 +1855,12 @@ DxeImageVerificationHandler (
for (OffSet = SecDataDir->VirtualAddress;
OffSet < SecDataDirEnd;
OffSet += (WinCertificate->dwLength + ALIGN_SIZE
(WinCertificate-
dwLength))) {
- WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
SecDataDirLeft = SecDataDirEnd - OffSet;
- if (SecDataDirLeft <= sizeof (WIN_CERTIFICATE) ||
- SecDataDirLeft < WinCertificate->dwLength) {
+ if (SecDataDirLeft <= sizeof (WIN_CERTIFICATE)) {
+ break;
+ }
+ WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
+ if (SecDataDirLeft < WinCertificate->dwLength) {
break;
}

--
2.19.1.3.g30247aa5d201
Patch#3:

From 0bbba15b84f8f9f2cdc770a89f418aaec6cfb31e Mon Sep 17 00:00:00
2001
From: Laszlo Ersek <lersek@redhat.com>
Date: Thu, 13 Aug 2020 19:34:33 +0200
Subject: [PATCH 3/3] SecurityPkg/DxeImageVerificationLib: catch
alignment
overflow (CVE-2019-14562)

The DxeImageVerificationHandler() function currently checks
whether "SecDataDir" has enough room for
"WinCertificate->dwLength". However,
for
advancing "OffSet", "WinCertificate->dwLength" is aligned to the
next multiple of 8. If "WinCertificate->dwLength" is large
enough, the alignment will return 0, and "OffSet" will be stuck at the same value.

Check whether "SecDataDir" has room left for both
"WinCertificate->dwLength" and the alignment.

Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---

SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.c |
4
+++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git
a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.c
b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.c
index 461ed7cfb5ac..e38eb981b7a0 100644
---
a/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationLib
.c
+++
b/SecurityPkg/Library/DxeImageVerificationLib/DxeImageVerificationL
ib.c
@@ -1860,7 +1860,9 @@ DxeImageVerificationHandler (
break;
}
WinCertificate = (WIN_CERTIFICATE *) (mImageBase + OffSet);
- if (SecDataDirLeft < WinCertificate->dwLength) {
+ if (SecDataDirLeft < WinCertificate->dwLength ||
+ (SecDataDirLeft - WinCertificate->dwLength <
+ ALIGN_SIZE (WinCertificate->dwLength))) {
break;
}

--
2.19.1.3.g30247aa5d201
If Wenyi and the reviewers are OK with these patches, I can submit
them as a standalone patch series.

Note that I do not have any reproducer for the issue; the best
testing that I could offer would be some light-weight Secure Boot
regression tests.

Thanks
Laszlo


.



.


Re: [PATCH v1 1/1] MdePkg: Correcting EFI_ACPI_DMA_TRANSFER_TYPE_16_BIT definition

Andrew Fish
 

Liming,

Sounds like a good thing to get into the stable tag.

Thanks,

Andrew Fish

On Aug 27, 2020, at 5:57 PM, gaoliming <gaoliming@...> wrote:

Paul:
 This is a clear issue. Thanks for your reporting it. I would like to catch
the fix into this stable tag 202008. 
 Reviewed-by: Liming Gao <gaoliming@...>

Thanks
Liming
-----邮件原件-----
发件人: bounce+27952+64705+4905953+8761045@groups.io
<bounce+27952+64705+4905953+8761045@groups.io> 代表 Paul
发送时间: 2020年8月28日 4:41
收件人: devel@edk2.groups.io
抄送: Michael D Kinney <michael.d.kinney@...>; Liming Gao
<gaoliming@...>; Zhiguang Liu <zhiguang.liu@...>
主题: [edk2-devel] [PATCH v1 1/1] MdePkg: Correcting
EFI_ACPI_DMA_TRANSFER_TYPE_16_BIT definition

In Acpi10.h, EFI_ACPI_DMA_TRANSFER_TYPE_16_BIT is defined as 0x10,
but should be 0x02 per the ACPI Specification.

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2937

Cc: Michael D Kinney <michael.d.kinney@...>
Cc: Liming Gao <gaoliming@...>
Cc: Zhiguang Liu <zhiguang.liu@...>
Signed-off-by: Paul G <paul.grimes@...>
---
MdePkg/Include/IndustryStandard/Acpi10.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/MdePkg/Include/IndustryStandard/Acpi10.h
b/MdePkg/Include/IndustryStandard/Acpi10.h
index fa06eefbb6e6..adeb5ae8c219 100644
--- a/MdePkg/Include/IndustryStandard/Acpi10.h
+++ b/MdePkg/Include/IndustryStandard/Acpi10.h
@@ -358,7 +358,7 @@ typedef struct {
#define EFI_ACPI_DMA_TRANSFER_TYPE_MASK                 0x03


#define   EFI_ACPI_DMA_TRANSFER_TYPE_8_BIT              0x00


#define   EFI_ACPI_DMA_TRANSFER_TYPE_8_BIT_AND_16_BIT   0x01


-#define   EFI_ACPI_DMA_TRANSFER_TYPE_16_BIT             0x10


+#define   EFI_ACPI_DMA_TRANSFER_TYPE_16_BIT             0x02





//


// IO Information


--
2.21.0




Re: [PATCH v1 1/1] MdePkg: Correcting EFI_ACPI_DMA_TRANSFER_TYPE_16_BIT definition

Zhiguang Liu
 

Reviewed-by: Zhiguang Liu <zhiguang.liu@intel.com>

-----Original Message-----
From: Paul <Paul.Grimes@amd.com>
Sent: Friday, August 28, 2020 4:41 AM
To: devel@edk2.groups.io
Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Liming Gao
<gaoliming@byosoft.com.cn>; Liu, Zhiguang <zhiguang.liu@intel.com>
Subject: [PATCH v1 1/1] MdePkg: Correcting
EFI_ACPI_DMA_TRANSFER_TYPE_16_BIT definition

In Acpi10.h, EFI_ACPI_DMA_TRANSFER_TYPE_16_BIT is defined as 0x10,
but should be 0x02 per the ACPI Specification.

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2937

Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Signed-off-by: Paul G <paul.grimes@amd.com>
---
MdePkg/Include/IndustryStandard/Acpi10.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/MdePkg/Include/IndustryStandard/Acpi10.h
b/MdePkg/Include/IndustryStandard/Acpi10.h
index fa06eefbb6e6..adeb5ae8c219 100644
--- a/MdePkg/Include/IndustryStandard/Acpi10.h
+++ b/MdePkg/Include/IndustryStandard/Acpi10.h
@@ -358,7 +358,7 @@ typedef struct {
#define EFI_ACPI_DMA_TRANSFER_TYPE_MASK 0x03

#define EFI_ACPI_DMA_TRANSFER_TYPE_8_BIT 0x00

#define EFI_ACPI_DMA_TRANSFER_TYPE_8_BIT_AND_16_BIT 0x01

-#define EFI_ACPI_DMA_TRANSFER_TYPE_16_BIT 0x10

+#define EFI_ACPI_DMA_TRANSFER_TYPE_16_BIT 0x02



//

// IO Information

--
2.21.0


回复: [edk2-devel] [PATCH v1 1/1] MdePkg: Correcting EFI_ACPI_DMA_TRANSFER_TYPE_16_BIT definition

gaoliming
 

Paul:
This is a clear issue. Thanks for your reporting it. I would like to catch
the fix into this stable tag 202008.
Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>

Thanks
Liming

-----邮件原件-----
发件人: bounce+27952+64705+4905953+8761045@groups.io
<bounce+27952+64705+4905953+8761045@groups.io> 代表 Paul
发送时间: 2020年8月28日 4:41
收件人: devel@edk2.groups.io
抄送: Michael D Kinney <michael.d.kinney@intel.com>; Liming Gao
<gaoliming@byosoft.com.cn>; Zhiguang Liu <zhiguang.liu@intel.com>
主题: [edk2-devel] [PATCH v1 1/1] MdePkg: Correcting
EFI_ACPI_DMA_TRANSFER_TYPE_16_BIT definition

In Acpi10.h, EFI_ACPI_DMA_TRANSFER_TYPE_16_BIT is defined as 0x10,
but should be 0x02 per the ACPI Specification.

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2937

Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Zhiguang Liu <zhiguang.liu@intel.com>
Signed-off-by: Paul G <paul.grimes@amd.com>
---
MdePkg/Include/IndustryStandard/Acpi10.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/MdePkg/Include/IndustryStandard/Acpi10.h
b/MdePkg/Include/IndustryStandard/Acpi10.h
index fa06eefbb6e6..adeb5ae8c219 100644
--- a/MdePkg/Include/IndustryStandard/Acpi10.h
+++ b/MdePkg/Include/IndustryStandard/Acpi10.h
@@ -358,7 +358,7 @@ typedef struct {
#define EFI_ACPI_DMA_TRANSFER_TYPE_MASK 0x03


#define EFI_ACPI_DMA_TRANSFER_TYPE_8_BIT 0x00


#define EFI_ACPI_DMA_TRANSFER_TYPE_8_BIT_AND_16_BIT 0x01


-#define EFI_ACPI_DMA_TRANSFER_TYPE_16_BIT 0x10


+#define EFI_ACPI_DMA_TRANSFER_TYPE_16_BIT 0x02





//


// IO Information


--
2.21.0



[PATCH v1 0/1] Fix for define error in Acpi10.h

Paul
 

This change will update the EFI_ACPI_DMA_TRANSFER_TYPE_16_BIT to
the correct value, according to the ACPI Specification.

REF:https://github.com/paulce06/edk2/tree/implement_acpi10.h_fix

Paul (1):
MdePkg: Correcting EFI_ACPI_DMA_TRANSFER_TYPE_16_BIT definition

MdePkg/Include/IndustryStandard/Acpi10.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--
2.21.0

17641 - 17660 of 82317