From: Bret Barkelew <brbar...@microsoft.com>

https://bugzilla.tianocore.org/show_bug.cgi?id=2522

These were previously using VarLock, which is
being deprecated.

Cc: Jian J Wang <jian.j.w...@intel.com>
Cc: Hao A Wu <hao.a...@intel.com>
Cc: Liming Gao <liming....@intel.com>
Cc: Bret Barkelew <brbar...@microsoft.com>
Signed-off-by: Michael Kubacki <michael.kuba...@microsoft.com>
---
 MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c          | 56 
+++++++++++++++-----
 MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c          | 56 
++++++++++++++++----
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf   |  2 +
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf |  1 +
 4 files changed, 90 insertions(+), 25 deletions(-)

diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c 
b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c
index e7accf4ed806..32328aebe0dd 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c
@@ -5,6 +5,7 @@
   MOR lock control unsupported.
 
 Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
+Copyright (c) Microsoft Corporation.<BR>
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -17,7 +18,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #include <Library/BaseMemoryLib.h>
 #include "Variable.h"
 
-extern EDKII_VARIABLE_LOCK_PROTOCOL     mVariableLock;
+#include <Protocol/VariablePolicy.h>
+#include <Library/VariablePolicyHelperLib.h>
 
 /**
   This service is an MOR/MorLock checker handler for the SetVariable().
@@ -77,11 +79,6 @@ MorLockInit (
     NULL                                        // Data
     );
 
-  //
-  // Need set this variable to be read-only to prevent other module set it.
-  //
-  VariableLockRequestToLock (&mVariableLock, 
MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, 
&gEfiMemoryOverwriteRequestControlLockGuid);
-
   //
   // The MOR variable can effectively improve platform security only when the
   // MorLock variable protects the MOR variable. In turn MorLock cannot be made
@@ -99,11 +96,6 @@ MorLockInit (
     0,                                      // DataSize
     NULL                                    // Data
     );
-  VariableLockRequestToLock (
-    &mVariableLock,
-    MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,
-    &gEfiMemoryOverwriteControlDataGuid
-    );
 
   return EFI_SUCCESS;
 }
@@ -118,7 +110,43 @@ MorLockInitAtEndOfDxe (
   VOID
   )
 {
-  //
-  // Do nothing.
-  //
+  EFI_STATUS                        Status;
+  EDKII_VARIABLE_POLICY_PROTOCOL    *VariablePolicy;
+
+  // First, we obviously need to locate the VariablePolicy protocol.
+  Status = gBS->LocateProtocol (&gEdkiiVariablePolicyProtocolGuid, NULL, (VOID 
**) &VariablePolicy);
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a - Could not locate VariablePolicy protocol! 
%r\n", __FUNCTION__, Status));
+    return;
+  }
+
+  // If we're successful, go ahead and set the policies to protect the target 
variables.
+  Status =  RegisterBasicVariablePolicy (
+              VariablePolicy,
+              &gEfiMemoryOverwriteRequestControlLockGuid,
+              MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME,
+              VARIABLE_POLICY_NO_MIN_SIZE,
+              VARIABLE_POLICY_NO_MAX_SIZE,
+              VARIABLE_POLICY_NO_MUST_ATTR,
+              VARIABLE_POLICY_NO_CANT_ATTR,
+              VARIABLE_POLICY_TYPE_LOCK_NOW
+              );
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a - Could not lock variable %s! %r\n", 
__FUNCTION__, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, Status));
+  }
+  Status =  RegisterBasicVariablePolicy (
+              VariablePolicy,
+              &gEfiMemoryOverwriteControlDataGuid,
+              MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,
+              VARIABLE_POLICY_NO_MIN_SIZE,
+              VARIABLE_POLICY_NO_MAX_SIZE,
+              VARIABLE_POLICY_NO_MUST_ATTR,
+              VARIABLE_POLICY_NO_CANT_ATTR,
+              VARIABLE_POLICY_TYPE_LOCK_NOW
+              );
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a - Could not lock variable %s! %r\n", 
__FUNCTION__, MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, Status));
+  }
+
+  return;
 }
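Review bot: When `LocateProtocol` fails, the new body of MorLockInitAtEndOfDxe returns after a `DEBUG` message only, so neither MOR variable is locked, and a build with debug output disabled gives no sign of it. The two `RegisterBasicVariablePolicy` error branches behave the same way. The SMM counterpart in this patch follows its message with `ASSERT_EFI_ERROR (Status);`, and adding that line to the three error branches here would make the failure loud in debug builds and keep the two files consistent. Because the function returns VOID and cannot report the failure, I would also add a comment above the first check such as `// Failure here leaves MOR and MorLock unprotected; nothing below can report it to a caller.`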
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c 
b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c
index 7a6c19b1fa96..2634d8179a75 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c
@@ -19,7 +19,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #include "Variable.h"
 
 #include <Protocol/VariablePolicy.h>
-
+#include <Library/VariablePolicyHelperLib.h>
 #include <Library/VariablePolicyLib.h>
 
 typedef struct {
@@ -422,6 +422,8 @@ MorLockInitAtEndOfDxe (
 {
   UINTN      MorSize;
   EFI_STATUS MorStatus;
+  EFI_STATUS              Status;
+  VARIABLE_POLICY_ENTRY   *NewPolicy;
 
   if (!mMorLockInitializationRequired) {
     //
@@ -494,11 +496,27 @@ MorLockInitAtEndOfDxe (
   // The MOR variable is absent; the platform firmware does not support it.
   // Lock the variable so that no other module may create it.
   //
-  VariableLockRequestToLock (
-    NULL,                                   // This
-    MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,
-    &gEfiMemoryOverwriteControlDataGuid
-    );
+  NewPolicy = NULL;
+  Status =  CreateBasicVariablePolicy (
+              &gEfiMemoryOverwriteControlDataGuid,
+              MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,
+              VARIABLE_POLICY_NO_MIN_SIZE,
+              VARIABLE_POLICY_NO_MAX_SIZE,
+              VARIABLE_POLICY_NO_MUST_ATTR,
+              VARIABLE_POLICY_NO_CANT_ATTR,
+              VARIABLE_POLICY_TYPE_LOCK_NOW,
+              &NewPolicy
+              );
+  if (!EFI_ERROR (Status)) {
+    Status = RegisterVariablePolicy (NewPolicy);
+  }
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a - Failed to lock variable %s! %r\n", 
__FUNCTION__, MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, Status));
+    ASSERT_EFI_ERROR (Status);
+  }
+  if (NewPolicy != NULL) {
+    FreePool (NewPolicy);
+  }
 
   //
   // Delete the MOR Control Lock variable too (should it exists for some
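Review bot: The create/register/free sequence added here is repeated line for line in the next hunk of this file for MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME. Both copies rely on `DEBUG` and `ASSERT_EFI_ERROR`, which are typically disabled in release builds, so a failed lock would leave the variable creatable by other modules with no trace. A small static helper that takes the GUID and the name and returns the status would keep the two sites identical and give one place to decide what a failed lock should do. The helper below is a sketch with a placeholder name. MorLockInitAtEndOfDxe begins before this hunk and continues after it.

```c
STATIC
EFI_STATUS
LockMorVariable (
  IN CONST EFI_GUID  *Namespace,
  IN CONST CHAR16    *Name
  )
{
  EFI_STATUS             Status;
  VARIABLE_POLICY_ENTRY  *NewPolicy;

  NewPolicy = NULL;
  Status    = CreateBasicVariablePolicy (
                Namespace,
                Name,
                VARIABLE_POLICY_NO_MIN_SIZE,
                VARIABLE_POLICY_NO_MAX_SIZE,
                VARIABLE_POLICY_NO_MUST_ATTR,
                VARIABLE_POLICY_NO_CANT_ATTR,
                VARIABLE_POLICY_TYPE_LOCK_NOW,
                &NewPolicy
                );
  if (!EFI_ERROR (Status)) {
    Status = RegisterVariablePolicy (NewPolicy);
  }
  if (NewPolicy != NULL) {
    FreePool (NewPolicy);
  }
  if (EFI_ERROR (Status)) {
    DEBUG ((DEBUG_ERROR, "%a - Failed to lock variable %s! %r\n", __FUNCTION__, Name, Status));
    ASSERT_EFI_ERROR (Status);
  }
  return Status;
}

// … unchanged: MorLockInitAtEndOfDxe up to the "MOR variable is absent" comment …
  Status = LockMorVariable (&gEfiMemoryOverwriteControlDataGuid, MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME);
// … unchanged: deletion of the MOR Control Lock variable …
  Status = LockMorVariable (&gEfiMemoryOverwriteRequestControlLockGuid, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME);
```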
@@ -514,9 +532,25 @@ MorLockInitAtEndOfDxe (
     );
   mMorLockPassThru = FALSE;
 
-  VariableLockRequestToLock (
-    NULL,                                       // This
-    MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME,
-    &gEfiMemoryOverwriteRequestControlLockGuid
-    );
+  NewPolicy = NULL;
+  Status =  CreateBasicVariablePolicy (
+              &gEfiMemoryOverwriteRequestControlLockGuid,
+              MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME,
+              VARIABLE_POLICY_NO_MIN_SIZE,
+              VARIABLE_POLICY_NO_MAX_SIZE,
+              VARIABLE_POLICY_NO_MUST_ATTR,
+              VARIABLE_POLICY_NO_CANT_ATTR,
+              VARIABLE_POLICY_TYPE_LOCK_NOW,
+              &NewPolicy
+              );
+  if (!EFI_ERROR (Status)) {
+    Status = RegisterVariablePolicy (NewPolicy);
+  }
+  if (EFI_ERROR (Status)) {
+    DEBUG ((DEBUG_ERROR, "%a - Failed to lock variable %s! %r\n", 
__FUNCTION__, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, Status));
+    ASSERT_EFI_ERROR (Status);
+  }
+  if (NewPolicy != NULL) {
+    FreePool (NewPolicy);
+  }
 }
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf 
b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
index 08153006aa48..af2c51327e21 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
@@ -71,6 +71,7 @@ [LibraryClasses]
   AuthVariableLib
   VarCheckLib
   VariablePolicyLib
+  VariablePolicyHelperLib
 
 [Protocols]
   gEfiFirmwareVolumeBlockProtocolGuid           ## CONSUMES
@@ -80,6 +81,7 @@ [Protocols]
   gEfiVariableWriteArchProtocolGuid             ## PRODUCES
   gEfiVariableArchProtocolGuid                  ## PRODUCES
   gEdkiiVariableLockProtocolGuid                ## PRODUCES
+  gEdkiiVariablePolicyProtocolGuid              ## CONSUMES
   gEdkiiVarCheckProtocolGuid                    ## PRODUCES
 
 [Guids]
diff --git 
a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf 
b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
index 2db05238e406..2e1387541a88 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
@@ -76,6 +76,7 @@ [LibraryClasses]
   SynchronizationLib
   VarCheckLib
   VariablePolicyLib
+  VariablePolicyHelperLib
 
 [Protocols]
   gEfiSmmFirmwareVolumeBlockProtocolGuid        ## CONSUMES
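Review bot: Only this INF and VariableRuntimeDxe.inf gain `VariablePolicyHelperLib` in the patch, but TcgMorLockSmm.c now calls `CreateBasicVariablePolicy` from that library. Any other module INF that builds TcgMorLockSmm.c would need the same `[LibraryClasses]` entry, unless an earlier patch in the series already adds it, which is not visible here. It is worth confirming that every consumer of the file links the helper library, so the MOR lock path is not left unbuilt or unresolved on one of the variable driver flavours.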
-- 
2.16.3.windows.1

