From d6bee54c45b32546f19209f571d2ce59ed42bc23 Mon Sep 17 00:00:00 2001 From: Kun Qin Date: Mon, 11 Apr 2022 15:07:34 -0700 Subject: [PATCH] SecurityPkg: PlatformPKProtectionLib: Added PK protection interface REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3911 This patch provides an abstracted interface for platform to implement PK variable related protection interface, which is designed to be used when PK variable is about to be changed by UEFI firmware. This change also provided a variable policy based library implementation to accomodate platforms that supports variable policy for variable protections. Cc: Jiewen Yao Cc: Jian J Wang Cc: Min Xu Signed-off-by: Kun Qin Reviewed-by: Jiewen Yao Acked-by: Michael Kubacki --- .../Include/Library/PlatformPKProtectionLib.h | 31 +++++++++++ .../PlatformPKProtectionLibVarPolicy.c | 51 +++++++++++++++++++ .../PlatformPKProtectionLibVarPolicy.inf | 36 +++++++++++++ SecurityPkg/SecurityPkg.dec | 5 ++ SecurityPkg/SecurityPkg.dsc | 2 + 5 files changed, 125 insertions(+) create mode 100644 SecurityPkg/Include/Library/PlatformPKProtectionLib.h create mode 100644 SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c create mode 100644 SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf diff --git a/SecurityPkg/Include/Library/PlatformPKProtectionLib.h b/SecurityPkg/Include/Library/PlatformPKProtectionLib.h new file mode 100644 index 0000000000..3586a47b77 --- /dev/null +++ b/SecurityPkg/Include/Library/PlatformPKProtectionLib.h @@ -0,0 +1,31 @@ +/** @file + Provides an abstracted interface for configuring PK related variable protection. + + Copyright (c) Microsoft Corporation. + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef PLATFORM_PK_PROTECTION_LIB_H_ +#define PLATFORM_PK_PROTECTION_LIB_H_ + +/** + Disable any applicable protection against variable 'PK'. The implementation + of this interface is platform specific, depending on the protection techniques + used per platform. + + Note: It is the platform's responsibility to conduct cautious operation after + disabling this protection. + + @retval EFI_SUCCESS State has been successfully updated. + @retval Others Error returned from implementation specific + underying APIs. + +**/ +EFI_STATUS +EFIAPI +DisablePKProtection ( + VOID + ); + +#endif diff --git a/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c b/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c new file mode 100644 index 0000000000..a264924224 --- /dev/null +++ b/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c @@ -0,0 +1,51 @@ +/** @file + Provides an abstracted interface for configuring PK related variable protection. + + Copyright (c) Microsoft Corporation. + SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ +#include +#include + +#include +#include + +/** + Disable any applicable protection against variable 'PK'. The implementation + of this interface is platform specific, depending on the protection techniques + used per platform. + + Note: It is the platform's responsibility to conduct cautious operation after + disabling this protection. + + @retval EFI_SUCCESS State has been successfully updated. + @retval Others Error returned from implementation specific + underying APIs. + +**/ +EFI_STATUS +EFIAPI +DisablePKProtection ( + VOID + ) +{ + EFI_STATUS Status; + EDKII_VARIABLE_POLICY_PROTOCOL *VariablePolicy; + + DEBUG ((DEBUG_INFO, "%a() Entry...\n", __FUNCTION__)); + + // IMPORTANT NOTE: This operation is sticky and leaves variable protections disabled. + // The system *MUST* be reset after performing this operation. + Status = gBS->LocateProtocol (&gEdkiiVariablePolicyProtocolGuid, NULL, (VOID **)&VariablePolicy); + if (!EFI_ERROR (Status)) { + Status = VariablePolicy->DisableVariablePolicy (); + // EFI_ALREADY_STARTED means that everything is currently disabled. + // This should be considered SUCCESS. + if (Status == EFI_ALREADY_STARTED) { + Status = EFI_SUCCESS; + } + } + + return Status; +} diff --git a/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf b/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf new file mode 100644 index 0000000000..df42ce06c0 --- /dev/null +++ b/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf @@ -0,0 +1,36 @@ +## @file +# Provides an abstracted interface for configuring PK related variable protection. +# +# Copyright (c) Microsoft Corporation. +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x00010005 + BASE_NAME = PlatformPKProtectionLibVarPolicy + FILE_GUID = AE0C5992-526C-4518-93BA-3C2611B801E0 + MODULE_TYPE = DXE_DRIVER + VERSION_STRING = 1.0 + LIBRARY_CLASS = PlatformPKProtectionLib|DXE_DRIVER DXE_RUNTIME_DRIVER UEFI_APPLICATION + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 AARCH64 +# + +[Sources] + PlatformPKProtectionLibVarPolicy.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + SecurityPkg/SecurityPkg.dec + +[LibraryClasses] + DebugLib + UefiBootServicesTableLib + +[Protocols] + gEdkiiVariablePolicyProtocolGuid diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index 0ee75efc1a..7ecf9565d9 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -99,6 +99,11 @@ ## @libraryclass Provides support to enroll Secure Boot keys. # SecureBootVariableProvisionLib|Include/Library/SecureBootVariableProvisionLib.h + + ## @libraryclass Provides support to manage variable 'PK' related protections. + # + PlatformPKProtectionLib|Include/Library/PlatformPKProtectionLib.h + [Guids] ## Security package token space guid. # Include/Guid/SecurityPkgTokenSpace.h diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index d883747474..f48187650f 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc @@ -71,6 +71,7 @@ TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLogRecordLib.inf MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf + PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf TdxLib|MdePkg/Library/TdxLib/TdxLib.inf @@ -261,6 +262,7 @@ # SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf + SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf # # Other