From 704b71d7e11f115a3b5b03471d6420a7a70f1585 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek
Date: Tue, 10 Oct 2017 13:44:16 +0200
Subject: MdeModulePkg/Variable/RuntimeDxe: delete & lock MOR in the absence of SMM

VariableRuntimeDxe deletes and locks the MorLock variable in MorLockInit(), with the argument that any protection provided by MorLock can be circumvented if MorLock can be overwritten by unprivileged code (i.e., outside of SMM). Extend the argument and the logic to the MOR variable, which is supposed to be protected by MorLock. Pass Attributes=0 when deleting MorLock and MOR both. This change was suggested by Star; it is inspired by earlier VariableSmm commit fda8f631edbb ("MdeModulePkg/Variable/RuntimeDxe: delete and lock OS-created MOR variable", 2017-10-03).

Cc: Eric Dong
Cc: Jiewen Yao
Cc: Star Zeng
Suggested-by: Star Zeng
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek
Reviewed-by: Star Zeng
---
.../Universal/Variable/RuntimeDxe/TcgMorLockDxe.c | 30 +++++++++++++++++++---
1 file changed, 27 insertions(+), 3 deletions(-)
(limited to 'MdeModulePkg')
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c
index 7142e2d..fb4e13a 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c
@@ -78,15 +78,39 @@ MorLockInit ( VariableServiceSetVariable ( MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, &gEfiMemoryOverwriteRequestControlLockGuid, - EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, - 0, - NULL + 0, // Attributes + 0, // DataSize + NULL // Data ); // // Need set this variable to be read-only to prevent other module set it. // VariableLockRequestToLock (&mVariableLock, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, &gEfiMemoryOverwriteRequestControlLockGuid); + + // + // The MOR variable can effectively improve platform security only when the + // MorLock variable protects the MOR variable. In turn MorLock cannot be made + // secure without SMM support in the platform firmware (see above). + // + // Thus, delete the MOR variable, should it exist for any reason (some OSes + // are known to create MOR unintentionally, in an attempt to set it), then + // also lock the MOR variable, in order to prevent other modules from + // creating it. + // + VariableServiceSetVariable ( + MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, + &gEfiMemoryOverwriteControlDataGuid, + 0, // Attributes + 0, // DataSize + NULL // Data + ); + VariableLockRequestToLock ( + &mVariableLock, + MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, + &gEfiMemoryOverwriteControlDataGuid + ); + return EFI_SUCCESS; } -- cgit v1.1
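Review bot: The result of the new `VariableLockRequestToLock` call for MOR is discarded and `MorLockInit` still returns `EFI_SUCCESS`, so a lock request that fails for any reason would leave MOR creatable by other modules with nothing recorded. Ignoring the status of the preceding delete is reasonable, since the variable normally does not exist, but the lock is the step the added comment relies on to "prevent other modules from creating it". Consider capturing it and at least asserting or logging, e.g. `Status = VariableLockRequestToLock (&mVariableLock, MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, &gEfiMemoryOverwriteControlDataGuid);` followed by `ASSERT_EFI_ERROR (Status);`. The existing MorLock lock call in the context lines follows the same unchecked pattern and could be handled the same way. The start of the function, where a `Status` local would be declared, is outside the hunk.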