diff options
| author | Bret Barkelew <brbarkel@microsoft.com> | 2020-11-09 14:45:19 +0800 |
|---|---|---|
| committer | mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> | 2020-11-17 01:03:43 +0000 |
| commit | e176bafc9d80c17c5480e3d749a6ff1fdb7e7fab (patch) | |
| tree | 9b524131ca8a03393187b7c72250706c8db7ee28 | |
| parent | b6490426e3208de7d6cbd756276a02e4329cd85a (diff) | |
| download | edk2-e176bafc9d80c17c5480e3d749a6ff1fdb7e7fab.zip edk2-e176bafc9d80c17c5480e3d749a6ff1fdb7e7fab.tar.gz edk2-e176bafc9d80c17c5480e3d749a6ff1fdb7e7fab.tar.bz2 | |
MdeModulePkg: Allow VariablePolicy state to delete protected variables
https://bugzilla.tianocore.org/show_bug.cgi?id=2522
TcgMorLockSmm provides special protections for
the TCG MOR variables. This will check
IsVariablePolicyEnabled() before enforcing
them to allow variable deletion when policy
engine is disabled.
Only allows deletion, not modification.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Bret Barkelew <brbarkel@microsoft.com>
Signed-off-by: Bret Barkelew <brbarkel@microsoft.com>
Reviewed-by: Dandan Bi <dandan.bi@intel.com>
Acked-by: Jian J Wang <jian.j.wang@intel.com>
| -rw-r--r-- | MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c | 10 | ||||
| -rw-r--r-- | MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf | 2 |
2 files changed, 12 insertions, 0 deletions
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c index 6d80eb6..085f820 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c @@ -5,6 +5,7 @@ This module adds Variable Hook and check MemoryOverwriteRequestControlLock.
Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) Microsoft Corporation.
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
@@ -17,6 +18,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include <Library/BaseMemoryLib.h>
#include "Variable.h"
+#include <Protocol/VariablePolicy.h>
+
+#include <Library/VariablePolicyLib.h>
+
typedef struct {
CHAR16 *VariableName;
EFI_GUID *VendorGuid;
@@ -341,6 +346,11 @@ SetVariableCheckHandlerMor ( return EFI_SUCCESS;
}
+ // Permit deletion when policy is disabled.
+ if (!IsVariablePolicyEnabled() && ((Attributes == 0) || (DataSize == 0))) {
+ return EFI_SUCCESS;
+ }
+
//
// MorLock variable
//
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf index 6e17f6c..d8f480b 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf @@ -20,6 +20,7 @@ #
# Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.<BR>
# Copyright (c) 2018, Linaro, Ltd. All rights reserved.<BR>
+# Copyright (c) Microsoft Corporation.
# SPDX-License-Identifier: BSD-2-Clause-Patent
#
##
@@ -74,6 +75,7 @@ StandaloneMmDriverEntryPoint
SynchronizationLib
VarCheckLib
+ VariablePolicyLib
[Protocols]
gEfiSmmFirmwareVolumeBlockProtocolGuid ## CONSUMES
|