[edk2-devel] [PATCH v1 02/11] SecurityPkg: PlatformPKProtectionLib: Added PK protection interface

Kun Qin Wed, 04 May 2022 11:04:57 -0700

From: Kun Qin <ku...@microsoft.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3911


This patch provides an abstracted interface for platform to implement PK
variable related protection interface, which is designed to be used when
PK variable is about to be changed by UEFI firmware.

This change also provided a variable policy based library implementation
to accomodate platforms that supports variable policy for variable
protections.

Cc: Jiewen Yao <jiewen....@intel.com>
Cc: Jian J Wang <jian.j.w...@intel.com>
Cc: Min Xu <min.m...@intel.com>

Signed-off-by: Kun Qin <kun....@microsoft.com>
---
 
SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c
   | 51 ++++++++++++++++++++
 SecurityPkg/Include/Library/PlatformPKProtectionLib.h                          
           | 31 ++++++++++++
 
SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf
 | 36 ++++++++++++++
 SecurityPkg/SecurityPkg.dec                                                    
           |  5 ++
 SecurityPkg/SecurityPkg.dsc                                                    
           |  2 +
 5 files changed, 125 insertions(+)

diff --git 
a/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c
 
b/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c
new file mode 100644
index 000000000000..a2649242246f
--- /dev/null
+++ 
b/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c
@@ -0,0 +1,51 @@
+/** @file
+  Provides an abstracted interface for configuring PK related variable 
protection.
+
+  Copyright (c) Microsoft Corporation.
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+#include <Uefi.h>
+#include <Protocol/VariablePolicy.h>
+
+#include <Library/DebugLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+
+/**
+  Disable any applicable protection against variable 'PK'. The implementation
+  of this interface is platform specific, depending on the protection 
techniques
+  used per platform.
+
+  Note: It is the platform's responsibility to conduct cautious operation after
+        disabling this protection.
+
+  @retval     EFI_SUCCESS             State has been successfully updated.
+  @retval     Others                  Error returned from implementation 
specific
+                                      underying APIs.
+
+**/
+EFI_STATUS
+EFIAPI
+DisablePKProtection (
+  VOID
+  )
+{
+  EFI_STATUS                      Status;
+  EDKII_VARIABLE_POLICY_PROTOCOL  *VariablePolicy;
+
+  DEBUG ((DEBUG_INFO, "%a() Entry...\n", __FUNCTION__));
+
+  // IMPORTANT NOTE: This operation is sticky and leaves variable protections 
disabled.
+  //                  The system *MUST* be reset after performing this 
operation.
+  Status = gBS->LocateProtocol (&gEdkiiVariablePolicyProtocolGuid, NULL, (VOID 
**)&VariablePolicy);
+  if (!EFI_ERROR (Status)) {
+    Status = VariablePolicy->DisableVariablePolicy ();
+    // EFI_ALREADY_STARTED means that everything is currently disabled.
+    // This should be considered SUCCESS.
+    if (Status == EFI_ALREADY_STARTED) {
+      Status = EFI_SUCCESS;
+    }
+  }
+
+  return Status;
+}
diff --git a/SecurityPkg/Include/Library/PlatformPKProtectionLib.h 
b/SecurityPkg/Include/Library/PlatformPKProtectionLib.h
new file mode 100644
index 000000000000..3586a47b77c2
--- /dev/null
+++ b/SecurityPkg/Include/Library/PlatformPKProtectionLib.h
@@ -0,0 +1,31 @@
+/** @file
+  Provides an abstracted interface for configuring PK related variable 
protection.
+
+  Copyright (c) Microsoft Corporation.
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef PLATFORM_PK_PROTECTION_LIB_H_
+#define PLATFORM_PK_PROTECTION_LIB_H_
+
+/**
+  Disable any applicable protection against variable 'PK'. The implementation
+  of this interface is platform specific, depending on the protection 
techniques
+  used per platform.
+
+  Note: It is the platform's responsibility to conduct cautious operation after
+        disabling this protection.
+
+  @retval     EFI_SUCCESS             State has been successfully updated.
+  @retval     Others                  Error returned from implementation 
specific
+                                      underying APIs.
+
+**/
+EFI_STATUS
+EFIAPI
+DisablePKProtection (
+  VOID
+  );
+
+#endif
diff --git 
a/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf
 
b/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf
new file mode 100644
index 000000000000..df42ce06c019
--- /dev/null
+++ 
b/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf
@@ -0,0 +1,36 @@
+## @file
+#  Provides an abstracted interface for configuring PK related variable 
protection.
+#
+#  Copyright (c) Microsoft Corporation.
+#  SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = PlatformPKProtectionLibVarPolicy
+  FILE_GUID                      = AE0C5992-526C-4518-93BA-3C2611B801E0
+  MODULE_TYPE                    = DXE_DRIVER
+  VERSION_STRING                 = 1.0
+  LIBRARY_CLASS                  = PlatformPKProtectionLib|DXE_DRIVER 
DXE_RUNTIME_DRIVER UEFI_APPLICATION
+
+#
+# The following information is for reference only and not required by the 
build tools.
+#
+#  VALID_ARCHITECTURES           = IA32 X64 AARCH64
+#
+
+[Sources]
+  PlatformPKProtectionLibVarPolicy.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  MdeModulePkg/MdeModulePkg.dec
+  SecurityPkg/SecurityPkg.dec
+
+[LibraryClasses]
+  DebugLib
+  UefiBootServicesTableLib
+
+[Protocols]
+  gEdkiiVariablePolicyProtocolGuid
diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
index 9f7a032d60d5..b8fb1964dcf3 100644
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@@ -99,6 +99,11 @@ [LibraryClasses]
   ## @libraryclass  Provides support to enroll Secure Boot keys.
   #
   
SecureBootVariableProvisionLib|Include/Library/SecureBootVariableProvisionLib.h
+
+  ## @libraryclass  Provides support to manage variable 'PK' related 
protections.
+  #
+  PlatformPKProtectionLib|Include/Library/PlatformPKProtectionLib.h
+
 [Guids]
   ## Security package token space guid.
   # Include/Guid/SecurityPkgTokenSpace.h
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index 73a93c2285b1..5029cd29aff4 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -71,6 +71,7 @@ [LibraryClasses]
   
TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLogRecordLib.inf
   
MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf
   
SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+  
PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf
   
SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
 
 [LibraryClasses.ARM, LibraryClasses.AARCH64]
@@ -253,6 +254,7 @@ [Components]
   #
   SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf
   SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf
+  
SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf
 
   #
   # Other
-- 
2.34.1.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#89509): https://edk2.groups.io/g/devel/message/89509
Mute This Topic: https://groups.io/mt/90893930/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

[edk2-devel] [PATCH v1 02/11] SecurityPkg: PlatformPKProtectionLib: Added PK protection interface

Reply via email to