Re: [edk2-devel] [Patch v2 14/28] SecurityPkg: Add null encryption variable libs

Sun, 22 May 2022 07:20:58 -0700 

Judah,

My comments below

> -----Original Message-----
> From: Vang, Judah <judah.v...@intel.com>
> Sent: Saturday, April 30, 2022 2:04 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.w...@intel.com>; Yao, Jiewen <jiewen....@intel.com>;
> Mistry, Nishant C <nishant.c.mis...@intel.com>
> Subject: [Patch v2 14/28] SecurityPkg: Add null encryption variable libs
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
> 
> Provide null ecryption variable libraries.
> These will be used by default for platforms that don't
> support protected variable encryption.
> 
> Cc: Jian J Wang <jian.j.w...@intel.com>
> Cc: Jiewen Yao <jiewen....@intel.com>
> Cc: Nishant C Mistry <nishant.c.mis...@intel.com>
> Signed-off-by: Jian J Wang <jian.j.w...@intel.com>
> Signed-off-by: Nishant C Mistry <nishant.c.mis...@intel.com>
> Signed-off-by: Judah Vang <judah.v...@intel.com>
> ---
>  SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf |
> 38 +++++++
>  SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c          
> | 107
> ++++++++++++++++++++
>  SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.uni |
> 16 +++
>  3 files changed, 161 insertions(+)
> 
> diff --git
> a/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf
> b/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf
> new file mode 100644
> index 000000000000..ff5631b336eb
> --- /dev/null
> +++
> b/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf
> @@ -0,0 +1,38 @@
> +## @file
> +#  Provides NULL version of encryption variable services.
> +#
> +#  Copyright (c) 2015 - 2022, Intel Corporation. All rights reserved.<BR>
> +#
> +#  SPDX-License-Identifier: BSD-2-Clause-Patent
> +#
> +##
> +
> +[Defines]
> +  INF_VERSION                    = 0x00010005
> +  BASE_NAME                      = EncryptionVariableLibNull
> +  MODULE_UNI_FILE                = EncryptionVariableLib.uni
> +  FILE_GUID                      = 3972E6FE-74D5-45C3-A9FB-DB9E5E5C9C17
> +  MODULE_TYPE                    = BASE
> +  VERSION_STRING                 = 1.0
> +  LIBRARY_CLASS                  = EncryptionVariableLib
> +
> +#
> +# The following information is for reference only and not required by the 
> build
> tools.
> +#
> +#  VALID_ARCHITECTURES           = IA32 X64
> +#
> +
> +[Sources]
> +  EncryptionVariable.c
> +
> +[Packages]
> +  MdePkg/MdePkg.dec
> +  MdeModulePkg/MdeModulePkg.dec
> +  SecurityPkg/SecurityPkg.dec
> +
> +[LibraryClasses]
> +  BaseLib
> +  DebugLib
> +
> +[Guids]
[JianJW] 
No GUID consumed here. Suggest removing this section.

> +
> diff --git 
> a/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c
> b/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c
> new file mode 100644
> index 000000000000..58a4ae9f4282
> --- /dev/null
> +++ b/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c
> @@ -0,0 +1,107 @@
> +/** @file
> +  The common variable operation routines shared by DXE_RUNTIME variable
> +  module and DXE_SMM variable module.
> +
> +  Caution: This module requires additional review when modified.
> +  This driver will have external input - variable data. They may be input in 
> SMM
> mode.
> +  This external input must be validated carefully to avoid security issue 
> like
> +  buffer overflow, integer overflow.
> +
> +  VariableServiceGetNextVariableName () and
> VariableServiceQueryVariableInfo() are external API.
> +  They need check input parameter.
> +
> +  VariableServiceGetVariable() and VariableServiceSetVariable() are external 
> API
> +  to receive datasize and data buffer. The size should be checked carefully.
> +
> +  VariableServiceSetVariable() should also check authenticate data to avoid
> buffer overflow,
> +  integer overflow. It should also check attribute to avoid authentication 
> bypass.
> +
[JianJW] 
The file header comment seems irrelevant.

> +Copyright (c) 2019 - 2022, Intel Corporation. All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include <Uefi.h>
> +
> +#include <Library/EncryptionVariableLib.h>
> +#include <Library/DebugLib.h>
> +
> +/**
> +  Encrypt variable data.
> +
> +  Null version.
> +
> +  @param[in, out]   VarEncInfo   Pointer to structure containing detailed
> +                                 information about a variable.
> +
> +  @retval EFI_UNSUPPORTED         Unsupported to encrypt variable.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +EncryptVariable (
> +  IN OUT VARIABLE_ENCRYPTION_INFO  *VarEncInfo
> +  )
> +{
> +  return EFI_UNSUPPORTED;
> +}
> +
> +/**
> +  Decrypt variable data.
> +
> +  Null version.
> +
> +  @param[in, out]   VarEncInfo   Pointer to structure containing detailed
> +                                 information about a variable.
> +
> +  @retval EFI_UNSUPPORTED         Unsupported to encrypt variable.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +DecryptVariable (
> +  IN OUT VARIABLE_ENCRYPTION_INFO  *VarEncInfo
> +  )
> +{
> +  return EFI_UNSUPPORTED;
> +}
> +
> +/**
> +  Get cipher information.
> +
> +  Null version.
> +
> +  @param[in]   VarEncInfo   Pointer to structure containing detailed
> +                            information about a variable.
> +
> +  @retval EFI_UNSUPPORTED         Unsupported interface.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +GetCipherDataInfo (
> +  IN VARIABLE_ENCRYPTION_INFO  *VarEncInfo
> +  )
> +{
> +  return EFI_UNSUPPORTED;
> +}
> +
> +/**
> +  Set cipher information for a variable.
> +
> +  Null version.
> +
> +  @param[in]   VarEncInfo   Pointer to structure containing detailed
> +                            information about a variable.
> +
> +  @retval EFI_UNSUPPORTED         If this method is not supported.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +SetCipherDataInfo (
> +  IN VARIABLE_ENCRYPTION_INFO  *VarEncInfo
> +  )
> +{
> +  return EFI_UNSUPPORTED;
> +}
> diff --git
> a/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.uni
> b/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.uni
> new file mode 100644
> index 000000000000..856fa201b8df
> --- /dev/null
> +++
> b/SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.uni
> @@ -0,0 +1,16 @@
> +// /** @file
> +// Provides authenticated variable services.
> +//
> +// Provides authenticated variable services.
> +//
[JianJW] 
The file header is irrelevant.

Regards,
Jian

> +// Copyright (c) 2015 - 2022, Intel Corporation. All rights reserved.<BR>
> +//
> +// SPDX-License-Identifier: BSD-2-Clause-Patent
> +//
> +// **/
> +
> +
> +#string STR_MODULE_ABSTRACT             #language en-US "Provides
> authenticated variable services"
> +
> +#string STR_MODULE_DESCRIPTION          #language en-US "Provides
> authenticated variable services."
> +
> --
> 2.35.1.windows.2



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#89937): https://edk2.groups.io/g/devel/message/89937
Mute This Topic: https://groups.io/mt/90781898/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to