Add Secure MOR implementation.

Add a new module MemoryOverwriteRequestControlLock to register VarCheck handler to enforce MorLock Policy. Only SMM version is added because MOR is only supported in SMM variable case. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: "Yao, Jiewen" <Jiewen.Yao@intel.com> Reviewed-by: "Chao Zhang" <chao.b.zhang@intel.com> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@18092 6f19259b-4bc3-4df7-8a09-765794883524
2015-07-28 07:20:58 +00:00
parent 5c61c5cfc8
commit 70c7664cd3
9 changed files with 605 additions and 0 deletions
--- a/SecurityPkg/Tcg/MemoryOverwriteRequestControlLock/TcgMorLock.h
+++ b/SecurityPkg/Tcg/MemoryOverwriteRequestControlLock/TcgMorLock.h
@ -0,0 +1,137 @@
+/** @file
+   TCG MOR (Memory Overwrite Request) Lock Control Driver header file.
+   
+Copyright (c) 2015, Intel Corporation. All rights reserved.<BR>
+This program and the accompanying materials 
+are licensed and made available under the terms and conditions of the BSD License 
+which accompanies this distribution.  The full text of the license may be found at 
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, 
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#ifndef _EFI_TCG_MOR_LOCK_H_
+#define _EFI_TCG_MOR_LOCK_H_
+
+/**
+  This service is a wrapper for the UEFI Runtime Service GetVariable().
+
+  @param  VariableName the name of the vendor's variable, it's a Null-Terminated Unicode String
+  @param  VendorGuid   Unify identifier for vendor.
+  @param  Attributes   Point to memory location to return the attributes of variable. If the point
+                       is NULL, the parameter would be ignored.
+  @param  DataSize     As input, point to the maximum size of return Data-Buffer.
+                       As output, point to the actual size of the returned Data-Buffer.
+  @param  Data         Point to return Data-Buffer.
+
+  @retval  EFI_SUCCESS            The function completed successfully.
+  @retval  EFI_NOT_FOUND          The variable was not found.
+  @retval  EFI_BUFFER_TOO_SMALL   The DataSize is too small for the result. DataSize has
+                                  been updated with the size needed to complete the request.
+  @retval  EFI_INVALID_PARAMETER  VariableName is NULL.
+  @retval  EFI_INVALID_PARAMETER  VendorGuid is NULL.
+  @retval  EFI_INVALID_PARAMETER  DataSize is NULL.
+  @retval  EFI_INVALID_PARAMETER  The DataSize is not too small and Data is NULL.
+  @retval  EFI_DEVICE_ERROR       The variable could not be retrieved due to a hardware error.
+  @retval  EFI_SECURITY_VIOLATION The variable could not be retrieved due to an authentication failure.
+**/
+EFI_STATUS
+EFIAPI
+InternalGetVariable (
+  IN      CHAR16                   *VariableName,
+  IN      EFI_GUID                 *VendorGuid,
+  OUT     UINT32                   *Attributes OPTIONAL,
+  IN OUT  UINTN                    *DataSize,
+  OUT     VOID                     *Data
+  );
+
+/**
+  This service is a wrapper for the UEFI Runtime Service SetVariable()
+
+  @param  VariableName the name of the vendor's variable, as a
+                       Null-Terminated Unicode String
+  @param  VendorGuid   Unify identifier for vendor.
+  @param  Attributes   Point to memory location to return the attributes of variable. If the point
+                       is NULL, the parameter would be ignored.
+  @param  DataSize     The size in bytes of Data-Buffer.
+  @param  Data         Point to the content of the variable.
+
+  @retval  EFI_SUCCESS            The firmware has successfully stored the variable and its data as
+                                  defined by the Attributes.
+  @retval  EFI_INVALID_PARAMETER  An invalid combination of attribute bits was supplied, or the
+                                  DataSize exceeds the maximum allowed.
+  @retval  EFI_INVALID_PARAMETER  VariableName is an empty Unicode string.
+  @retval  EFI_OUT_OF_RESOURCES   Not enough storage is available to hold the variable and its data.
+  @retval  EFI_DEVICE_ERROR       The variable could not be saved due to a hardware failure.
+  @retval  EFI_WRITE_PROTECTED    The variable in question is read-only.
+  @retval  EFI_WRITE_PROTECTED    The variable in question cannot be deleted.
+  @retval  EFI_SECURITY_VIOLATION The variable could not be written due to EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS
+                                  set but the AuthInfo does NOT pass the validation check carried
+                                  out by the firmware.
+  @retval  EFI_NOT_FOUND          The variable trying to be updated or deleted was not found.
+
+**/
+EFI_STATUS
+EFIAPI
+InternalSetVariable (
+  IN CHAR16                       *VariableName,
+  IN EFI_GUID                     *VendorGuid,
+  IN UINT32                       Attributes,
+  IN UINTN                        DataSize,
+  IN VOID                         *Data
+  );
+
+/**
+  This service is a checker handler for the UEFI Runtime Service SetVariable()
+
+  @param  VariableName the name of the vendor's variable, as a
+                       Null-Terminated Unicode String
+  @param  VendorGuid   Unify identifier for vendor.
+  @param  Attributes   Point to memory location to return the attributes of variable. If the point
+                       is NULL, the parameter would be ignored.
+  @param  DataSize     The size in bytes of Data-Buffer.
+  @param  Data         Point to the content of the variable.
+
+  @retval  EFI_SUCCESS            The firmware has successfully stored the variable and its data as
+                                  defined by the Attributes.
+  @retval  EFI_INVALID_PARAMETER  An invalid combination of attribute bits was supplied, or the
+                                  DataSize exceeds the maximum allowed.
+  @retval  EFI_INVALID_PARAMETER  VariableName is an empty Unicode string.
+  @retval  EFI_OUT_OF_RESOURCES   Not enough storage is available to hold the variable and its data.
+  @retval  EFI_DEVICE_ERROR       The variable could not be saved due to a hardware failure.
+  @retval  EFI_WRITE_PROTECTED    The variable in question is read-only.
+  @retval  EFI_WRITE_PROTECTED    The variable in question cannot be deleted.
+  @retval  EFI_SECURITY_VIOLATION The variable could not be written due to EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS
+                                  set but the AuthInfo does NOT pass the validation check carried
+                                  out by the firmware.
+  @retval  EFI_NOT_FOUND          The variable trying to be updated or deleted was not found.
+
+**/
+EFI_STATUS
+EFIAPI
+SetVariableCheckHandlerMor (
+  IN CHAR16     *VariableName,
+  IN EFI_GUID   *VendorGuid,
+  IN UINT32     Attributes,
+  IN UINTN      DataSize,
+  IN VOID       *Data
+  );
+
+/**
+  Entry Point for MOR Lock Control driver.
+
+  @param[in] ImageHandle  Image handle of this driver.
+  @param[in] SystemTable  A Pointer to the EFI System Table.
+
+  @retval EFI_SUCEESS     
+  @return Others          Some error occurs.
+**/
+EFI_STATUS
+EFIAPI
+MorLockDriverInit (
+  VOID
+  );
+
+#endif