MdeModulePkg: Change TCG MOR variables to use VariablePolicy

https://bugzilla.tianocore.org/show_bug.cgi?id=2522

These were previously using VarLock, which is
being deprecated.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Bret Barkelew <brbarkel@microsoft.com>
Signed-off-by: Bret Barkelew <brbarkel@microsoft.com>
Reviewed-by: Dandan Bi <dandan.bi@intel.com>
Acked-by: Jian J Wang <jian.j.wang@intel.com>
This commit is contained in:
Bret Barkelew
2020-11-09 14:45:21 +08:00
committed by mergify[bot]
parent 28f4616fde
commit 98ee0c68a2
4 changed files with 82 additions and 25 deletions

View File

@@ -5,6 +5,7 @@
MOR lock control unsupported.
Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
Copyright (c) Microsoft Corporation.
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
@@ -17,7 +18,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Library/BaseMemoryLib.h>
#include "Variable.h"
extern EDKII_VARIABLE_LOCK_PROTOCOL mVariableLock;
#include <Protocol/VariablePolicy.h>
#include <Library/VariablePolicyHelperLib.h>
/**
This service is an MOR/MorLock checker handler for the SetVariable().
@@ -77,11 +79,6 @@ MorLockInit (
NULL // Data
);
//
// Need set this variable to be read-only to prevent other module set it.
//
VariableLockRequestToLock (&mVariableLock, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, &gEfiMemoryOverwriteRequestControlLockGuid);
//
// The MOR variable can effectively improve platform security only when the
// MorLock variable protects the MOR variable. In turn MorLock cannot be made
@@ -99,11 +96,6 @@ MorLockInit (
0, // DataSize
NULL // Data
);
VariableLockRequestToLock (
&mVariableLock,
MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,
&gEfiMemoryOverwriteControlDataGuid
);
return EFI_SUCCESS;
}
@@ -118,7 +110,39 @@ MorLockInitAtEndOfDxe (
VOID
)
{
//
// Do nothing.
//
EFI_STATUS Status;
EDKII_VARIABLE_POLICY_PROTOCOL *VariablePolicy;
// First, we obviously need to locate the VariablePolicy protocol.
Status = gBS->LocateProtocol( &gEdkiiVariablePolicyProtocolGuid, NULL, (VOID**)&VariablePolicy );
if (EFI_ERROR( Status )) {
DEBUG(( DEBUG_ERROR, "%a - Could not locate VariablePolicy protocol! %r\n", __FUNCTION__, Status ));
return;
}
// If we're successful, go ahead and set the policies to protect the target variables.
Status = RegisterBasicVariablePolicy( VariablePolicy,
&gEfiMemoryOverwriteRequestControlLockGuid,
MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME,
VARIABLE_POLICY_NO_MIN_SIZE,
VARIABLE_POLICY_NO_MAX_SIZE,
VARIABLE_POLICY_NO_MUST_ATTR,
VARIABLE_POLICY_NO_CANT_ATTR,
VARIABLE_POLICY_TYPE_LOCK_NOW );
if (EFI_ERROR( Status )) {
DEBUG(( DEBUG_ERROR, "%a - Could not lock variable %s! %r\n", __FUNCTION__, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, Status ));
}
Status = RegisterBasicVariablePolicy( VariablePolicy,
&gEfiMemoryOverwriteControlDataGuid,
MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,
VARIABLE_POLICY_NO_MIN_SIZE,
VARIABLE_POLICY_NO_MAX_SIZE,
VARIABLE_POLICY_NO_MUST_ATTR,
VARIABLE_POLICY_NO_CANT_ATTR,
VARIABLE_POLICY_TYPE_LOCK_NOW );
if (EFI_ERROR( Status )) {
DEBUG(( DEBUG_ERROR, "%a - Could not lock variable %s! %r\n", __FUNCTION__, MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, Status ));
}
return;
}