sravan/system76-edk2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

MdeModulePkg/VariablePolicy: Add more granular variable policy querying

Browse Source 
Introduces two new APIs to EDKII_VARIABLE_POLICY_PROTOCOL:
  1. GetVariablePolicyInfo()
  2. GetLockOnVariableStateVariablePolicyInfo()

These allow a caller to retrieve policy information associated with
a UEFI variable given the variable name and vendor GUID.

GetVariablePolicyInfo() - Returns the variable policy applied to the
UEFI variable. If the variable policy is applied toward an individual
UEFI variable, that name can optionally be returned.

GetLockOnVariableStateVariablePolicyInfo() - Returns the Lock on
Variable State policy applied to the UEFI variable. If the Lock on
Variable State policy is applied to a specific variable name, that
name can optionally be returned.

These functions can be useful for a variety of purposes such as
auditing, testing, and functional flows.

Also fixed some variable name typos in code touched by the changes.

Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
Message-Id: <20231030203112.736-2-mikuback@linux.microsoft.com>
This commit is contained in:
Michael Kubacki
2023-10-30 16:31:09 -04:00
committed by mergify[bot]
parent 8e74629070
commit f3b2187d55
8 changed files with 1062 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h
View File

@ -32,23 +32,52 @@ typedef struct _VAR_CHECK_POLICY_COMM_DUMP_PARAMS {
BOOLEAN HasMore; BOOLEAN HasMore;
} VAR_CHECK_POLICY_COMM_DUMP_PARAMS; } VAR_CHECK_POLICY_COMM_DUMP_PARAMS;
typedef union {
VARIABLE_POLICY_ENTRY VariablePolicy;
VARIABLE_LOCK_ON_VAR_STATE_POLICY LockOnVarStatePolicy;
} VAR_CHECK_POLICY_OUTPUT_POLICY_ENTRY;
typedef struct _VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS {
EFI_GUID InputVendorGuid;
UINT32 InputVariableNameSize;
UINT32 OutputVariableNameSize;
VAR_CHECK_POLICY_OUTPUT_POLICY_ENTRY OutputPolicyEntry;
CHAR16 InputVariableName[1];
} VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS;
#pragma pack(pop) #pragma pack(pop)
#define VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS_END \
(OFFSET_OF(VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS, InputVariableName))
// Make sure that we will hold at least the headers. // Make sure that we will hold at least the headers.
#define VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE MAX((OFFSET_OF(EFI_MM_COMMUNICATE_HEADER, Data) + sizeof (VAR_CHECK_POLICY_COMM_HEADER) + EFI_PAGES_TO_SIZE(1)), EFI_PAGES_TO_SIZE(4)) #define VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE MAX((OFFSET_OF(EFI_MM_COMMUNICATE_HEADER, Data) + sizeof (VAR_CHECK_POLICY_COMM_HEADER) + EFI_PAGES_TO_SIZE(1)), EFI_PAGES_TO_SIZE(4))
#define VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE (VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE - \ #define VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE (VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE - \
(OFFSET_OF(EFI_MM_COMMUNICATE_HEADER, Data) + \ (OFFSET_OF(EFI_MM_COMMUNICATE_HEADER, Data) + \
sizeof(VAR_CHECK_POLICY_COMM_HEADER) + \ sizeof(VAR_CHECK_POLICY_COMM_HEADER) + \
sizeof(VAR_CHECK_POLICY_COMM_DUMP_PARAMS))) sizeof(VAR_CHECK_POLICY_COMM_DUMP_PARAMS)))
#define VAR_CHECK_POLICY_MM_GET_INFO_BUFFER_SIZE (VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE - \
(OFFSET_OF(EFI_MM_COMMUNICATE_HEADER, Data) + \
sizeof(VAR_CHECK_POLICY_COMM_HEADER) + \
OFFSET_OF(VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS, InputVariableName)))
STATIC_ASSERT ( STATIC_ASSERT (
VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE < VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE, VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE < VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE,
"an integer underflow may have occurred calculating VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE" "an integer underflow may have occurred calculating VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE"
); );
#define VAR_CHECK_POLICY_COMMAND_DISABLE 0x0001 STATIC_ASSERT (
#define VAR_CHECK_POLICY_COMMAND_IS_ENABLED 0x0002 VAR_CHECK_POLICY_MM_GET_INFO_BUFFER_SIZE < VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE,
#define VAR_CHECK_POLICY_COMMAND_REGISTER 0x0003 "an integer underflow may have occurred calculating VAR_CHECK_POLICY_MM_GET_INFO_BUFFER_SIZE"
#define VAR_CHECK_POLICY_COMMAND_DUMP 0x0004 );
#define VAR_CHECK_POLICY_COMMAND_LOCK 0x0005
#define VAR_CHECK_POLICY_COMMAND_DISABLE 0x0001
#define VAR_CHECK_POLICY_COMMAND_IS_ENABLED 0x0002
#define VAR_CHECK_POLICY_COMMAND_REGISTER 0x0003
#define VAR_CHECK_POLICY_COMMAND_DUMP 0x0004
#define VAR_CHECK_POLICY_COMMAND_LOCK 0x0005
#define VAR_CHECK_POLICY_COMMAND_GET_INFO 0x0006
#define VAR_CHECK_POLICY_COMMAND_GET_LOCK_VAR_STATE_INFO 0x0007
#endif // _VAR_CHECK_POLICY_MMI_COMMON_H_ #endif // _VAR_CHECK_POLICY_MMI_COMMON_H_

107
MdeModulePkg/Include/Library/VariablePolicyLib.h
View File

@ -102,6 +102,113 @@ DumpVariablePolicy (
IN OUT UINT32 *Size IN OUT UINT32 *Size
); );
/**
This function will return variable policy information for a UEFI variable with a
registered variable policy.
@param[in] VariableName The name of the variable to use for the policy search.
@param[in] VendorGuid The vendor GUID of the variable to use for the policy search.
@param[in,out] VariablePolicyVariableNameBufferSize On input, the size, in bytes, of the VariablePolicyVariableName
buffer.
On output, the size, in bytes, needed to store the variable
policy variable name.
If testing for the VariablePolicyVariableName buffer size
needed, set this value to zero so EFI_BUFFER_TOO_SMALL is
guaranteed to be returned if the variable policy variable name
is found.
@param[out] VariablePolicy Pointer to a buffer where the policy entry will be written
if found.
@param[out] VariablePolicyVariableName Pointer to a buffer where the variable name used for the
variable policy will be written if a variable name is
registered.
If the variable policy is not associated with a variable name
(e.g. applied to variable vendor namespace) and this parameter
is given, this parameter will not be modified and
VariablePolicyVariableNameBufferSize will be set to zero to
indicate a name was not present.
If the pointer given is not NULL,
VariablePolicyVariableNameBufferSize must be non-NULL.
@retval EFI_SUCCESS A variable policy entry was found and returned successfully.
@retval EFI_BAD_BUFFER_SIZE An internal buffer size caused a calculation error.
@retval EFI_BUFFER_TOO_SMALL The VariablePolicyVariableName buffer value is too small for the size needed.
The buffer should now point to the size needed.
@retval EFI_NOT_READY Variable policy has not yet been initialized.
@retval EFI_INVALID_PARAMETER A required pointer argument passed is NULL. This will be returned if
VariablePolicyVariableName is non-NULL and VariablePolicyVariableNameBufferSize
is NULL.
@retval EFI_NOT_FOUND A variable policy was not found for the given UEFI variable name and vendor GUID.
**/
EFI_STATUS
EFIAPI
GetVariablePolicyInfo (
IN CONST CHAR16 *VariableName,
IN CONST EFI_GUID *VendorGuid,
IN OUT UINTN *VariablePolicyVariableNameBufferSize OPTIONAL,
OUT VARIABLE_POLICY_ENTRY *VariablePolicy,
OUT CHAR16 *VariablePolicyVariableName OPTIONAL
);
/**
This function will return the Lock on Variable State policy information for the policy
associated with the given UEFI variable.
@param[in] VariableName The name of the variable to use for the policy search.
@param[in] VendorGuid The vendor GUID of the variable to use for the policy
search.
@param[in,out] VariableLockPolicyVariableNameBufferSize On input, the size, in bytes, of the
VariableLockPolicyVariableName buffer.
On output, the size, in bytes, needed to store the variable
policy variable name.
If testing for the VariableLockPolicyVariableName buffer
size needed, set this value to zero so EFI_BUFFER_TOO_SMALL
is guaranteed to be returned if the variable policy variable
name is found.
@param[out] VariablePolicy Pointer to a buffer where the policy entry will be written
if found.
@param[out] VariableLockPolicyVariableName Pointer to a buffer where the variable name used for the
variable lock on variable state policy will be written if
a variable name is registered.
If the lock on variable policy is not associated with a
variable name (e.g. applied to variable vendor namespace)
and this parameter is given, this parameter will not be
modified and VariableLockPolicyVariableNameBufferSize will
be set to zero to indicate a name was not present.
If the pointer given is not NULL,
VariableLockPolicyVariableNameBufferSize must be non-NULL.
@retval EFI_SUCCESS A Lock on Variable State variable policy entry was found and returned
successfully.
@retval EFI_BAD_BUFFER_SIZE An internal buffer size caused a calculation error.
@retval EFI_BUFFER_TOO_SMALL The VariableLockPolicyVariableName buffer is too small for the size needed.
The buffer should now point to the size needed.
@retval EFI_NOT_READY Variable policy has not yet been initialized.
@retval EFI_INVALID_PARAMETER A required pointer argument passed is NULL. This will be returned if
VariableLockPolicyVariableName is non-NULL and
VariableLockPolicyVariableNameBufferSize is NULL.
@retval EFI_NOT_FOUND A Lock on Variable State variable policy was not found for the given UEFI
variable name and vendor GUID.
**/
EFI_STATUS
EFIAPI
GetLockOnVariableStateVariablePolicyInfo (
IN CONST CHAR16 *VariableName,
IN CONST EFI_GUID *VendorGuid,
IN OUT UINTN *VariableLockPolicyVariableNameBufferSize OPTIONAL,
OUT VARIABLE_LOCK_ON_VAR_STATE_POLICY *VariablePolicy,
OUT CHAR16 *VariableLockPolicyVariableName OPTIONAL
);
/** /**
This API function returns whether or not the policy engine is This API function returns whether or not the policy engine is
currently being enforced. currently being enforced.

133
MdeModulePkg/Include/Protocol/VariablePolicy.h
View File

@ -9,7 +9,17 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#ifndef __EDKII_VARIABLE_POLICY_PROTOCOL__ #ifndef __EDKII_VARIABLE_POLICY_PROTOCOL__
#define __EDKII_VARIABLE_POLICY_PROTOCOL__ #define __EDKII_VARIABLE_POLICY_PROTOCOL__
#define EDKII_VARIABLE_POLICY_PROTOCOL_REVISION 0x0000000000010000 #define EDKII_VARIABLE_POLICY_PROTOCOL_REVISION 0x0000000000020000
/*
Rev 0x0000000000010000:
- Initial protocol definition
Rev 0x0000000000020000:
- Add GetVariablePolicyInfo() API
- Add GetLockOnVariableStateVariablePolicyInfo() API
*/
#define EDKII_VARIABLE_POLICY_PROTOCOL_GUID \ #define EDKII_VARIABLE_POLICY_PROTOCOL_GUID \
{ \ { \
@ -141,13 +151,122 @@ EFI_STATUS
VOID VOID
); );
/**
This function will return variable policy information for a UEFI variable with a
registered variable policy.
@param[in] VariableName The name of the variable to use for the policy search.
@param[in] VendorGuid The vendor GUID of the variable to use for the policy search.
@param[in,out] VariablePolicyVariableNameBufferSize On input, the size, in bytes, of the VariablePolicyVariableName
buffer.
On output, the size, in bytes, needed to store the variable
policy variable name.
If testing for the VariablePolicyVariableName buffer size
needed, set this value to zero so EFI_BUFFER_TOO_SMALL is
guaranteed to be returned if the variable policy variable name
is found.
@param[out] VariablePolicy Pointer to a buffer where the policy entry will be written
if found.
@param[out] VariablePolicyVariableName Pointer to a buffer where the variable name used for the
variable policy will be written if a variable name is
registered.
If the variable policy is not associated with a variable name
(e.g. applied to variable vendor namespace) and this parameter
is given, this parameter will not be modified and
VariablePolicyVariableNameBufferSize will be set to zero to
indicate a name was not present.
If the pointer given is not NULL,
VariablePolicyVariableNameBufferSize must be non-NULL.
@retval EFI_SUCCESS A variable policy entry was found and returned successfully.
@retval EFI_BAD_BUFFER_SIZE An internal buffer size caused a calculation error.
@retval EFI_BUFFER_TOO_SMALL The VariablePolicyVariableName buffer value is too small for the size needed.
The buffer should now point to the size needed.
@retval EFI_NOT_READY Variable policy has not yet been initialized.
@retval EFI_INVALID_PARAMETER A required pointer argument passed is NULL. This will be returned if
VariablePolicyVariableName is non-NULL and VariablePolicyVariableNameBufferSize
is NULL.
@retval EFI_NOT_FOUND A variable policy was not found for the given UEFI variable name and vendor GUID.
**/
typedef
EFI_STATUS
(EFIAPI *GET_VARIABLE_POLICY_INFO)(
IN CONST CHAR16 *VariableName,
IN CONST EFI_GUID *VendorGuid,
IN OUT UINTN *VariablePolicyVariableNameBufferSize OPTIONAL,
OUT VARIABLE_POLICY_ENTRY *VariablePolicy,
OUT CHAR16 *VariablePolicyVariableName OPTIONAL
);
/**
This function will return the Lock on Variable State policy information for the policy
associated with the given UEFI variable.
@param[in] VariableName The name of the variable to use for the policy search.
@param[in] VendorGuid The vendor GUID of the variable to use for the policy
search.
@param[in,out] VariableLockPolicyVariableNameBufferSize On input, the size, in bytes, of the
VariableLockPolicyVariableName buffer.
On output, the size, in bytes, needed to store the variable
policy variable name.
If testing for the VariableLockPolicyVariableName buffer
size needed, set this value to zero so EFI_BUFFER_TOO_SMALL
is guaranteed to be returned if the variable policy variable
name is found.
@param[out] VariablePolicy Pointer to a buffer where the policy entry will be written
if found.
@param[out] VariableLockPolicyVariableName Pointer to a buffer where the variable name used for the
variable lock on variable state policy will be written if
a variable name is registered.
If the lock on variable policy is not associated with a
variable name (e.g. applied to variable vendor namespace)
and this parameter is given, this parameter will not be
modified and VariableLockPolicyVariableNameBufferSize will
be set to zero to indicate a name was not present.
If the pointer given is not NULL,
VariableLockPolicyVariableNameBufferSize must be non-NULL.
@retval EFI_SUCCESS A Lock on Variable State variable policy entry was found and returned
successfully.
@retval EFI_BAD_BUFFER_SIZE An internal buffer size caused a calculation error.
@retval EFI_BUFFER_TOO_SMALL The VariableLockPolicyVariableName buffer is too small for the size needed.
The buffer should now point to the size needed.
@retval EFI_NOT_READY Variable policy has not yet been initialized.
@retval EFI_INVALID_PARAMETER A required pointer argument passed is NULL. This will be returned if
VariableLockPolicyVariableName is non-NULL and
VariableLockPolicyVariableNameBufferSize is NULL.
@retval EFI_NOT_FOUND A Lock on Variable State variable policy was not found for the given UEFI
variable name and vendor GUID.
**/
typedef
EFI_STATUS
(EFIAPI *GET_LOCK_ON_VARIABLE_STATE_VARIABLE_POLICY_INFO)(
IN CONST CHAR16 *VariableName,
IN CONST EFI_GUID *VendorGuid,
IN OUT UINTN *VariableLockPolicyVariableNameBufferSize OPTIONAL,
OUT VARIABLE_LOCK_ON_VAR_STATE_POLICY *VariablePolicy,
OUT CHAR16 *VariableLockPolicyVariableName OPTIONAL
);
typedef struct { typedef struct {
UINT64 Revision; UINT64 Revision;
DISABLE_VARIABLE_POLICY DisableVariablePolicy; DISABLE_VARIABLE_POLICY DisableVariablePolicy;
IS_VARIABLE_POLICY_ENABLED IsVariablePolicyEnabled; IS_VARIABLE_POLICY_ENABLED IsVariablePolicyEnabled;
REGISTER_VARIABLE_POLICY RegisterVariablePolicy; REGISTER_VARIABLE_POLICY RegisterVariablePolicy;
DUMP_VARIABLE_POLICY DumpVariablePolicy; DUMP_VARIABLE_POLICY DumpVariablePolicy;
LOCK_VARIABLE_POLICY LockVariablePolicy; LOCK_VARIABLE_POLICY LockVariablePolicy;
GET_VARIABLE_POLICY_INFO GetVariablePolicyInfo;
GET_LOCK_ON_VARIABLE_STATE_VARIABLE_POLICY_INFO GetLockOnVariableStateVariablePolicyInfo;
} _EDKII_VARIABLE_POLICY_PROTOCOL; } _EDKII_VARIABLE_POLICY_PROTOCOL;
typedef _EDKII_VARIABLE_POLICY_PROTOCOL EDKII_VARIABLE_POLICY_PROTOCOL; typedef _EDKII_VARIABLE_POLICY_PROTOCOL EDKII_VARIABLE_POLICY_PROTOCOL;

174
MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c
View File

@ -76,14 +76,20 @@ VarCheckPolicyLibMmiHandler (
VOID *InternalCommBuffer; VOID *InternalCommBuffer;
EFI_STATUS Status; EFI_STATUS Status;
EFI_STATUS SubCommandStatus; EFI_STATUS SubCommandStatus;
VAR_CHECK_POLICY_COMM_HEADER *PolicyCommmHeader; VAR_CHECK_POLICY_COMM_HEADER *PolicyCommHeader;
VAR_CHECK_POLICY_COMM_HEADER *InternalPolicyCommmHeader; VAR_CHECK_POLICY_COMM_HEADER *InternalPolicyCommHeader;
VAR_CHECK_POLICY_COMM_IS_ENABLED_PARAMS *IsEnabledParams; VAR_CHECK_POLICY_COMM_IS_ENABLED_PARAMS *IsEnabledParams;
VAR_CHECK_POLICY_COMM_DUMP_PARAMS *DumpParamsIn; VAR_CHECK_POLICY_COMM_DUMP_PARAMS *DumpParamsIn;
VAR_CHECK_POLICY_COMM_DUMP_PARAMS *DumpParamsOut; VAR_CHECK_POLICY_COMM_DUMP_PARAMS *DumpParamsOut;
VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS *GetInfoParamsInternal;
VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS *GetInfoParamsExternal;
CHAR16 *InternalCopyOfOutputVariableName;
CHAR16 *ExternalCopyOfOutputVariableName;
UINT8 *DumpInputBuffer; UINT8 *DumpInputBuffer;
UINT8 *DumpOutputBuffer; UINT8 *DumpOutputBuffer;
UINTN AllowedOutputVariableNameSize;
UINTN DumpTotalPages; UINTN DumpTotalPages;
UINTN LocalSize;
VARIABLE_POLICY_ENTRY *PolicyEntry; VARIABLE_POLICY_ENTRY *PolicyEntry;
UINTN ExpectedSize; UINTN ExpectedSize;
UINT32 TempSize; UINT32 TempSize;
@ -122,21 +128,21 @@ VarCheckPolicyLibMmiHandler (
// //
InternalCommBuffer = &mSecurityEvalBuffer[0]; InternalCommBuffer = &mSecurityEvalBuffer[0];
CopyMem (InternalCommBuffer, CommBuffer, InternalCommBufferSize); CopyMem (InternalCommBuffer, CommBuffer, InternalCommBufferSize);
PolicyCommmHeader = CommBuffer; PolicyCommHeader = CommBuffer;
InternalPolicyCommmHeader = InternalCommBuffer; InternalPolicyCommHeader = InternalCommBuffer;
// Check the revision and the signature of the comm header. // Check the revision and the signature of the comm header.
if ((InternalPolicyCommmHeader->Signature != VAR_CHECK_POLICY_COMM_SIG) || if ((InternalPolicyCommHeader->Signature != VAR_CHECK_POLICY_COMM_SIG) ||
(InternalPolicyCommmHeader->Revision != VAR_CHECK_POLICY_COMM_REVISION)) (InternalPolicyCommHeader->Revision != VAR_CHECK_POLICY_COMM_REVISION))
{ {
DEBUG ((DEBUG_INFO, "%a - Signature or revision are incorrect!\n", __func__)); DEBUG ((DEBUG_INFO, "%a - Signature or revision are incorrect!\n", __func__));
// We have verified the buffer is not null and have enough size to hold Result field. // We have verified the buffer is not null and have enough size to hold Result field.
PolicyCommmHeader->Result = EFI_INVALID_PARAMETER; PolicyCommHeader->Result = EFI_INVALID_PARAMETER;
return EFI_SUCCESS; return EFI_SUCCESS;
} }
// If we're in the middle of a paginated dump and any other command is sent, // If we're in the middle of a paginated dump and any other command is sent,
// pagination cache must be cleared. // pagination cache must be cleared.
if ((mPaginationCache != NULL) && (InternalPolicyCommmHeader->Command != mCurrentPaginationCommand)) { if ((mPaginationCache != NULL) && (InternalPolicyCommHeader->Command != mCurrentPaginationCommand)) {
FreePool (mPaginationCache); FreePool (mPaginationCache);
mPaginationCache = NULL; mPaginationCache = NULL;
mPaginationCacheSize = 0; mPaginationCacheSize = 0;
@ -146,10 +152,10 @@ VarCheckPolicyLibMmiHandler (
// //
// Now we can process the command as it was sent. // Now we can process the command as it was sent.
// //
PolicyCommmHeader->Result = EFI_ABORTED; // Set a default return for incomplete commands. PolicyCommHeader->Result = EFI_ABORTED; // Set a default return for incomplete commands.
switch (InternalPolicyCommmHeader->Command) { switch (InternalPolicyCommHeader->Command) {
case VAR_CHECK_POLICY_COMMAND_DISABLE: case VAR_CHECK_POLICY_COMMAND_DISABLE:
PolicyCommmHeader->Result = DisableVariablePolicy (); PolicyCommHeader->Result = DisableVariablePolicy ();
break; break;
case VAR_CHECK_POLICY_COMMAND_IS_ENABLED: case VAR_CHECK_POLICY_COMMAND_IS_ENABLED:
@ -158,14 +164,14 @@ VarCheckPolicyLibMmiHandler (
ExpectedSize += sizeof (VAR_CHECK_POLICY_COMM_IS_ENABLED_PARAMS); ExpectedSize += sizeof (VAR_CHECK_POLICY_COMM_IS_ENABLED_PARAMS);
if (InternalCommBufferSize < ExpectedSize) { if (InternalCommBufferSize < ExpectedSize) {
DEBUG ((DEBUG_INFO, "%a - Bad comm buffer size! %d < %d\n", __func__, InternalCommBufferSize, ExpectedSize)); DEBUG ((DEBUG_INFO, "%a - Bad comm buffer size! %d < %d\n", __func__, InternalCommBufferSize, ExpectedSize));
PolicyCommmHeader->Result = EFI_INVALID_PARAMETER; PolicyCommHeader->Result = EFI_INVALID_PARAMETER;
break; break;
} }
// Now that we know we've got a valid size, we can fill in the rest of the data. // Now that we know we've got a valid size, we can fill in the rest of the data.
IsEnabledParams = (VAR_CHECK_POLICY_COMM_IS_ENABLED_PARAMS *)((UINT8 *)CommBuffer + sizeof (VAR_CHECK_POLICY_COMM_HEADER)); IsEnabledParams = (VAR_CHECK_POLICY_COMM_IS_ENABLED_PARAMS *)((UINT8 *)CommBuffer + sizeof (VAR_CHECK_POLICY_COMM_HEADER));
IsEnabledParams->State = IsVariablePolicyEnabled (); IsEnabledParams->State = IsVariablePolicyEnabled ();
PolicyCommmHeader->Result = EFI_SUCCESS; PolicyCommHeader->Result = EFI_SUCCESS;
break; break;
case VAR_CHECK_POLICY_COMMAND_REGISTER: case VAR_CHECK_POLICY_COMMAND_REGISTER:
@ -174,7 +180,7 @@ VarCheckPolicyLibMmiHandler (
ExpectedSize += sizeof (VARIABLE_POLICY_ENTRY); ExpectedSize += sizeof (VARIABLE_POLICY_ENTRY);
if (InternalCommBufferSize < ExpectedSize) { if (InternalCommBufferSize < ExpectedSize) {
DEBUG ((DEBUG_INFO, "%a - Bad comm buffer size! %d < %d\n", __func__, InternalCommBufferSize, ExpectedSize)); DEBUG ((DEBUG_INFO, "%a - Bad comm buffer size! %d < %d\n", __func__, InternalCommBufferSize, ExpectedSize));
PolicyCommmHeader->Result = EFI_INVALID_PARAMETER; PolicyCommHeader->Result = EFI_INVALID_PARAMETER;
break; break;
} }
@ -187,11 +193,11 @@ VarCheckPolicyLibMmiHandler (
(InternalCommBufferSize < ExpectedSize)) (InternalCommBufferSize < ExpectedSize))
{ {
DEBUG ((DEBUG_INFO, "%a - Bad policy entry contents!\n", __func__)); DEBUG ((DEBUG_INFO, "%a - Bad policy entry contents!\n", __func__));
PolicyCommmHeader->Result = EFI_INVALID_PARAMETER; PolicyCommHeader->Result = EFI_INVALID_PARAMETER;
break; break;
} }
PolicyCommmHeader->Result = RegisterVariablePolicy (PolicyEntry); PolicyCommHeader->Result = RegisterVariablePolicy (PolicyEntry);
break; break;
case VAR_CHECK_POLICY_COMMAND_DUMP: case VAR_CHECK_POLICY_COMMAND_DUMP:
@ -200,13 +206,13 @@ VarCheckPolicyLibMmiHandler (
ExpectedSize += sizeof (VAR_CHECK_POLICY_COMM_DUMP_PARAMS) + VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE; ExpectedSize += sizeof (VAR_CHECK_POLICY_COMM_DUMP_PARAMS) + VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE;
if (InternalCommBufferSize < ExpectedSize) { if (InternalCommBufferSize < ExpectedSize) {
DEBUG ((DEBUG_INFO, "%a - Bad comm buffer size! %d < %d\n", __func__, InternalCommBufferSize, ExpectedSize)); DEBUG ((DEBUG_INFO, "%a - Bad comm buffer size! %d < %d\n", __func__, InternalCommBufferSize, ExpectedSize));
PolicyCommmHeader->Result = EFI_INVALID_PARAMETER; PolicyCommHeader->Result = EFI_INVALID_PARAMETER;
break; break;
} }
// Now that we know we've got a valid size, we can fill in the rest of the data. // Now that we know we've got a valid size, we can fill in the rest of the data.
DumpParamsIn = (VAR_CHECK_POLICY_COMM_DUMP_PARAMS *)(InternalPolicyCommmHeader + 1); DumpParamsIn = (VAR_CHECK_POLICY_COMM_DUMP_PARAMS *)(InternalPolicyCommHeader + 1);
DumpParamsOut = (VAR_CHECK_POLICY_COMM_DUMP_PARAMS *)(PolicyCommmHeader + 1); DumpParamsOut = (VAR_CHECK_POLICY_COMM_DUMP_PARAMS *)(PolicyCommHeader + 1);
// If we're requesting the first page, initialize the cache and get the sizes. // If we're requesting the first page, initialize the cache and get the sizes.
if (DumpParamsIn->PageRequested == 0) { if (DumpParamsIn->PageRequested == 0) {
@ -289,17 +295,131 @@ VarCheckPolicyLibMmiHandler (
} }
// There's currently no use for this, but it shouldn't be hard to implement. // There's currently no use for this, but it shouldn't be hard to implement.
PolicyCommmHeader->Result = SubCommandStatus; PolicyCommHeader->Result = SubCommandStatus;
break; break;
case VAR_CHECK_POLICY_COMMAND_LOCK: case VAR_CHECK_POLICY_COMMAND_LOCK:
PolicyCommmHeader->Result = LockVariablePolicy (); PolicyCommHeader->Result = LockVariablePolicy ();
break;
case VAR_CHECK_POLICY_COMMAND_GET_INFO:
case VAR_CHECK_POLICY_COMMAND_GET_LOCK_VAR_STATE_INFO:
ExpectedSize += VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS_END + VAR_CHECK_POLICY_MM_GET_INFO_BUFFER_SIZE;
if (InternalCommBufferSize < ExpectedSize) {
PolicyCommHeader->Result = EFI_INVALID_PARAMETER;
break;
}
GetInfoParamsInternal = (VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS *)(InternalPolicyCommHeader + 1);
GetInfoParamsExternal = (VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS *)(PolicyCommHeader + 1);
SubCommandStatus = SafeUintnSub (
VAR_CHECK_POLICY_MM_GET_INFO_BUFFER_SIZE,
GetInfoParamsInternal->InputVariableNameSize,
&AllowedOutputVariableNameSize
);
if (EFI_ERROR (SubCommandStatus)) {
PolicyCommHeader->Result = EFI_INVALID_PARAMETER;
break;
}
if (GetInfoParamsInternal->OutputVariableNameSize > 0) {
SubCommandStatus = SafeUintnAdd (
((UINTN)GetInfoParamsInternal + VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS_END),
(UINTN)GetInfoParamsInternal->InputVariableNameSize,
(UINTN *)&InternalCopyOfOutputVariableName
);
if (EFI_ERROR (SubCommandStatus)) {
PolicyCommHeader->Result = EFI_INVALID_PARAMETER;
break;
}
} else {
InternalCopyOfOutputVariableName = NULL;
}
ZeroMem (&GetInfoParamsInternal->OutputPolicyEntry, sizeof (GetInfoParamsInternal->OutputPolicyEntry));
ZeroMem (&GetInfoParamsExternal->OutputPolicyEntry, sizeof (GetInfoParamsExternal->OutputPolicyEntry));
LocalSize = (UINTN)GetInfoParamsInternal->OutputVariableNameSize;
if (InternalPolicyCommHeader->Command == VAR_CHECK_POLICY_COMMAND_GET_INFO) {
SubCommandStatus = GetVariablePolicyInfo (
GetInfoParamsInternal->InputVariableName,
&GetInfoParamsInternal->InputVendorGuid,
&LocalSize,
&GetInfoParamsInternal->OutputPolicyEntry.VariablePolicy,
InternalCopyOfOutputVariableName
);
} else if (InternalPolicyCommHeader->Command == VAR_CHECK_POLICY_COMMAND_GET_LOCK_VAR_STATE_INFO) {
SubCommandStatus = GetLockOnVariableStateVariablePolicyInfo (
GetInfoParamsInternal->InputVariableName,
&GetInfoParamsInternal->InputVendorGuid,
&LocalSize,
&GetInfoParamsInternal->OutputPolicyEntry.LockOnVarStatePolicy,
InternalCopyOfOutputVariableName
);
} else {
PolicyCommHeader->Result = EFI_INVALID_PARAMETER;
break;
}
if (EFI_ERROR (SubCommandStatus) && (SubCommandStatus != EFI_BUFFER_TOO_SMALL)) {
PolicyCommHeader->Result = SubCommandStatus;
break;
}
if (EFI_ERROR (SafeUintnToUint32 (LocalSize, &GetInfoParamsInternal->OutputVariableNameSize))) {
PolicyCommHeader->Result = EFI_BAD_BUFFER_SIZE;
break;
}
ASSERT (sizeof (GetInfoParamsInternal->OutputPolicyEntry) == sizeof (GetInfoParamsExternal->OutputPolicyEntry));
CopyMem (
&GetInfoParamsExternal->OutputPolicyEntry,
&GetInfoParamsInternal->OutputPolicyEntry,
sizeof (GetInfoParamsExternal->OutputPolicyEntry)
);
GetInfoParamsExternal->OutputVariableNameSize = GetInfoParamsInternal->OutputVariableNameSize;
if (SubCommandStatus == EFI_BUFFER_TOO_SMALL) {
PolicyCommHeader->Result = EFI_BUFFER_TOO_SMALL;
break;
}
SubCommandStatus = SafeUintnAdd (
((UINTN)GetInfoParamsExternal + VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS_END),
(UINTN)GetInfoParamsInternal->InputVariableNameSize,
(UINTN *)&ExternalCopyOfOutputVariableName
);
if (EFI_ERROR (SubCommandStatus)) {
PolicyCommHeader->Result = EFI_BAD_BUFFER_SIZE;
break;
}
if (GetInfoParamsInternal->OutputVariableNameSize > 0) {
SubCommandStatus = StrnCpyS (
ExternalCopyOfOutputVariableName,
AllowedOutputVariableNameSize,
InternalCopyOfOutputVariableName,
(UINTN)GetInfoParamsInternal->OutputVariableNameSize
);
ASSERT_EFI_ERROR (SubCommandStatus);
} else {
// The comm buffer should always have the space for the variable policy output
// variable name. Fill it with NULL chars if a variable name is not present so
// it has a consistent value in the case of variable name absence.
SetMem (ExternalCopyOfOutputVariableName, AllowedOutputVariableNameSize, CHAR_NULL);
}
PolicyCommHeader->Result = SubCommandStatus;
break; break;
default: default:
// Mark unknown requested command as EFI_UNSUPPORTED. // Mark unknown requested command as EFI_UNSUPPORTED.
DEBUG ((DEBUG_INFO, "%a - Invalid command requested! %d\n", __func__, PolicyCommmHeader->Command)); DEBUG ((DEBUG_INFO, "%a - Invalid command requested! %d\n", __func__, PolicyCommHeader->Command));
PolicyCommmHeader->Result = EFI_UNSUPPORTED; PolicyCommHeader->Result = EFI_UNSUPPORTED;
break; break;
} }
@ -307,8 +427,8 @@ VarCheckPolicyLibMmiHandler (
DEBUG_VERBOSE, DEBUG_VERBOSE,
"%a - Command %d returning %r.\n", "%a - Command %d returning %r.\n",
__func__, __func__,
PolicyCommmHeader->Command, PolicyCommHeader->Command,
PolicyCommmHeader->Result PolicyCommHeader->Result
)); ));
return Status; return Status;

304
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c
View File

@ -8,6 +8,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Uefi.h> #include <Uefi.h>
#include <Library/BaseLib.h>
#include <Library/SafeIntLib.h> #include <Library/SafeIntLib.h>
#include <Library/MemoryAllocationLib.h> #include <Library/MemoryAllocationLib.h>
#include <Library/BaseMemoryLib.h> #include <Library/BaseMemoryLib.h>
@ -684,6 +685,309 @@ DumpVariablePolicy (
return EFI_SUCCESS; return EFI_SUCCESS;
} }
/**
This function will return variable policy information for a UEFI variable with a
registered variable policy.
@param[in] VariableName The name of the variable to use for the policy search.
@param[in] VendorGuid The vendor GUID of the variable to use for the policy search.
@param[in,out] VariablePolicyVariableNameBufferSize On input, the size, in bytes, of the VariablePolicyVariableName
buffer.
On output, the size, in bytes, needed to store the variable
policy variable name.
If testing for the VariablePolicyVariableName buffer size
needed, set this value to zero so EFI_BUFFER_TOO_SMALL is
guaranteed to be returned if the variable policy variable name
is found.
@param[out] VariablePolicy Pointer to a buffer where the policy entry will be written
if found.
@param[out] VariablePolicyVariableName Pointer to a buffer where the variable name used for the
variable policy will be written if a variable name is
registered.
If the variable policy is not associated with a variable name
(e.g. applied to variable vendor namespace) and this parameter
is given, this parameter will not be modified and
VariablePolicyVariableNameBufferSize will be set to zero to
indicate a name was not present.
If the pointer given is not NULL,
VariablePolicyVariableNameBufferSize must be non-NULL.
@retval EFI_SUCCESS A variable policy entry was found and returned successfully.
@retval EFI_BAD_BUFFER_SIZE An internal buffer size caused a calculation error.
@retval EFI_BUFFER_TOO_SMALL The VariablePolicyVariableName buffer value is too small for the size needed.
The buffer should now point to the size needed.
@retval EFI_NOT_READY Variable policy has not yet been initialized.
@retval EFI_INVALID_PARAMETER A required pointer argument passed is NULL. This will be returned if
VariablePolicyVariableName is non-NULL and VariablePolicyVariableNameBufferSize
is NULL.
@retval EFI_NOT_FOUND A variable policy was not found for the given UEFI variable name and vendor GUID.
**/
EFI_STATUS
EFIAPI
GetVariablePolicyInfo (
IN CONST CHAR16 *VariableName,
IN CONST EFI_GUID *VendorGuid,
IN OUT UINTN *VariablePolicyVariableNameBufferSize OPTIONAL,
OUT VARIABLE_POLICY_ENTRY *VariablePolicy,
OUT CHAR16 *VariablePolicyVariableName OPTIONAL
)
{
EFI_STATUS Status;
UINT8 MatchPriority;
UINTN LocalVariablePolicyVariableNameBufferSize;
UINTN RequiredVariablePolicyVariableNameBufferSize;
VARIABLE_POLICY_ENTRY *MatchPolicy;
Status = EFI_SUCCESS;
if (!IsVariablePolicyLibInitialized ()) {
return EFI_NOT_READY;
}
if ((VariableName == NULL) || (VendorGuid == NULL) || (VariablePolicy == NULL)) {
return EFI_INVALID_PARAMETER;
}
MatchPolicy = GetBestPolicyMatch (
VariableName,
VendorGuid,
&MatchPriority
);
if (MatchPolicy != NULL) {
CopyMem (VariablePolicy, MatchPolicy, sizeof (*VariablePolicy));
if (VariablePolicyVariableNameBufferSize == NULL) {
if (VariablePolicyVariableName != NULL) {
return EFI_INVALID_PARAMETER;
}
return Status;
}
if (MatchPolicy->Size != MatchPolicy->OffsetToName) {
if (MatchPolicy->Size < MatchPolicy->OffsetToName) {
ASSERT (MatchPolicy->Size > MatchPolicy->OffsetToName);
return EFI_BAD_BUFFER_SIZE;
}
RequiredVariablePolicyVariableNameBufferSize = (UINTN)(MatchPolicy->Size - MatchPolicy->OffsetToName);
ASSERT (RequiredVariablePolicyVariableNameBufferSize > 0);
if (*VariablePolicyVariableNameBufferSize < RequiredVariablePolicyVariableNameBufferSize) {
// Let the caller get the size needed to hold the policy variable name
*VariablePolicyVariableNameBufferSize = RequiredVariablePolicyVariableNameBufferSize;
return EFI_BUFFER_TOO_SMALL;
}
if (VariablePolicyVariableName == NULL) {
// If the policy variable name size given is valid, then a valid policy variable name buffer should be provided
*VariablePolicyVariableNameBufferSize = RequiredVariablePolicyVariableNameBufferSize;
return EFI_INVALID_PARAMETER;
}
LocalVariablePolicyVariableNameBufferSize = *VariablePolicyVariableNameBufferSize;
// Actual string size should match expected string size
if (
((StrnLenS (GET_POLICY_NAME (MatchPolicy), RequiredVariablePolicyVariableNameBufferSize) + 1) * sizeof (CHAR16))
!= RequiredVariablePolicyVariableNameBufferSize)
{
ASSERT_EFI_ERROR (EFI_BAD_BUFFER_SIZE);
return EFI_BAD_BUFFER_SIZE;
}
*VariablePolicyVariableNameBufferSize = RequiredVariablePolicyVariableNameBufferSize;
Status = StrnCpyS (
VariablePolicyVariableName,
LocalVariablePolicyVariableNameBufferSize / sizeof (CHAR16),
GET_POLICY_NAME (MatchPolicy),
RequiredVariablePolicyVariableNameBufferSize / sizeof (CHAR16)
);
ASSERT_EFI_ERROR (Status);
} else {
// A variable policy variable name is not present. Return values according to interface.
*VariablePolicyVariableNameBufferSize = 0;
}
return Status;
}
return EFI_NOT_FOUND;
}
/**
This function will return the Lock on Variable State policy information for the policy
associated with the given UEFI variable.
@param[in] VariableName The name of the variable to use for the policy search.
@param[in] VendorGuid The vendor GUID of the variable to use for the policy
search.
@param[in,out] VariableLockPolicyVariableNameBufferSize On input, the size, in bytes, of the
VariableLockPolicyVariableName buffer.
On output, the size, in bytes, needed to store the variable
policy variable name.
If testing for the VariableLockPolicyVariableName buffer
size needed, set this value to zero so EFI_BUFFER_TOO_SMALL
is guaranteed to be returned if the variable policy variable
name is found.
@param[out] VariablePolicy Pointer to a buffer where the policy entry will be written
if found.
@param[out] VariableLockPolicyVariableName Pointer to a buffer where the variable name used for the
variable lock on variable state policy will be written if
a variable name is registered.
If the lock on variable policy is not associated with a
variable name (e.g. applied to variable vendor namespace)
and this parameter is given, this parameter will not be
modified and VariableLockPolicyVariableNameBufferSize will
be set to zero to indicate a name was not present.
If the pointer given is not NULL,
VariableLockPolicyVariableNameBufferSize must be non-NULL.
@retval EFI_SUCCESS A Lock on Variable State variable policy entry was found and returned
successfully.
@retval EFI_BAD_BUFFER_SIZE An internal buffer size caused a calculation error.
@retval EFI_BUFFER_TOO_SMALL The VariableLockPolicyVariableName buffer is too small for the size needed.
The buffer should now point to the size needed.
@retval EFI_NOT_READY Variable policy has not yet been initialized.
@retval EFI_INVALID_PARAMETER A required pointer argument passed is NULL. This will be returned if
VariableLockPolicyVariableName is non-NULL and
VariableLockPolicyVariableNameBufferSize is NULL.
@retval EFI_NOT_FOUND A Lock on Variable State variable policy was not found for the given UEFI
variable name and vendor GUID.
**/
EFI_STATUS
EFIAPI
GetLockOnVariableStateVariablePolicyInfo (
IN CONST CHAR16 *VariableName,
IN CONST EFI_GUID *VendorGuid,
IN OUT UINTN *VariableLockPolicyVariableNameBufferSize OPTIONAL,
OUT VARIABLE_LOCK_ON_VAR_STATE_POLICY *VariablePolicy,
OUT CHAR16 *VariableLockPolicyVariableName OPTIONAL
)
{
EFI_STATUS Status;
UINT8 MatchPriority;
UINTN RequiredVariablePolicyVariableNameBufferSize;
UINTN RequiredVariableLockPolicyVariableNameBufferSize;
UINTN LocalVariablePolicyLockVariableNameBufferSize;
UINTN LockOnVarStatePolicyEndOffset;
CHAR16 *LocalVariableLockPolicyVariableName;
VARIABLE_LOCK_ON_VAR_STATE_POLICY *LocalLockOnVarStatePolicy;
VARIABLE_POLICY_ENTRY *MatchPolicy;
Status = EFI_SUCCESS;
if (!IsVariablePolicyLibInitialized ()) {
return EFI_NOT_READY;
}
if ((VariableName == NULL) || (VendorGuid == NULL) || (VariablePolicy == NULL)) {
return EFI_INVALID_PARAMETER;
}
MatchPolicy = GetBestPolicyMatch (
VariableName,
VendorGuid,
&MatchPriority
);
if (MatchPolicy != NULL) {
if (MatchPolicy->LockPolicyType != VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE) {
return EFI_NOT_FOUND;
}
Status = SafeUintnAdd (
sizeof (VARIABLE_POLICY_ENTRY),
sizeof (VARIABLE_LOCK_ON_VAR_STATE_POLICY),
&LockOnVarStatePolicyEndOffset
);
if (EFI_ERROR (Status) || (LockOnVarStatePolicyEndOffset > (UINTN)MatchPolicy->Size)) {
return EFI_BAD_BUFFER_SIZE;
}
LocalLockOnVarStatePolicy = (VARIABLE_LOCK_ON_VAR_STATE_POLICY *)(MatchPolicy + 1);
CopyMem (VariablePolicy, LocalLockOnVarStatePolicy, sizeof (*LocalLockOnVarStatePolicy));
if ((VariableLockPolicyVariableNameBufferSize == NULL)) {
if (VariableLockPolicyVariableName != NULL) {
return EFI_INVALID_PARAMETER;
}
return Status;
}
// The name offset should be less than or equal to the total policy size.
if (MatchPolicy->Size < MatchPolicy->OffsetToName) {
return EFI_BAD_BUFFER_SIZE;
}
RequiredVariablePolicyVariableNameBufferSize = (UINTN)(MatchPolicy->Size - MatchPolicy->OffsetToName);
RequiredVariableLockPolicyVariableNameBufferSize = MatchPolicy->Size -
(LockOnVarStatePolicyEndOffset + RequiredVariablePolicyVariableNameBufferSize);
LocalVariablePolicyLockVariableNameBufferSize = *VariableLockPolicyVariableNameBufferSize;
*VariableLockPolicyVariableNameBufferSize = RequiredVariableLockPolicyVariableNameBufferSize;
if (LocalVariablePolicyLockVariableNameBufferSize < RequiredVariableLockPolicyVariableNameBufferSize) {
// Let the caller get the size needed to hold the policy variable name
return EFI_BUFFER_TOO_SMALL;
}
if (VariableLockPolicyVariableName == NULL) {
// If the policy variable name size given is valid, then a valid policy variable name buffer should be provided
return EFI_INVALID_PARAMETER;
}
if (RequiredVariableLockPolicyVariableNameBufferSize == 0) {
return Status;
}
LocalVariableLockPolicyVariableName = (CHAR16 *)((UINT8 *)LocalLockOnVarStatePolicy + sizeof (*LocalLockOnVarStatePolicy));
*VariableLockPolicyVariableNameBufferSize = RequiredVariableLockPolicyVariableNameBufferSize;
// Actual string size should match expected string size (if a variable name is present)
if (
(RequiredVariablePolicyVariableNameBufferSize > 0) &&
(((StrnLenS (GET_POLICY_NAME (MatchPolicy), RequiredVariablePolicyVariableNameBufferSize) + 1) * sizeof (CHAR16)) !=
RequiredVariablePolicyVariableNameBufferSize))
{
ASSERT_EFI_ERROR (EFI_BAD_BUFFER_SIZE);
return EFI_BAD_BUFFER_SIZE;
}
// Actual string size should match expected string size (if here, variable lock variable name is present)
if (
((StrnLenS (LocalVariableLockPolicyVariableName, RequiredVariableLockPolicyVariableNameBufferSize) + 1) * sizeof (CHAR16)) !=
RequiredVariableLockPolicyVariableNameBufferSize)
{
ASSERT_EFI_ERROR (EFI_BAD_BUFFER_SIZE);
return EFI_BAD_BUFFER_SIZE;
}
Status = StrnCpyS (
VariableLockPolicyVariableName,
LocalVariablePolicyLockVariableNameBufferSize / sizeof (CHAR16),
LocalVariableLockPolicyVariableName,
RequiredVariableLockPolicyVariableNameBufferSize / sizeof (CHAR16)
);
ASSERT_EFI_ERROR (Status);
return Status;
}
return EFI_NOT_FOUND;
}
/** /**
This API function returns whether or not the policy engine is This API function returns whether or not the policy engine is
currently being enforced. currently being enforced.

1
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
View File

@ -32,6 +32,7 @@
[LibraryClasses] [LibraryClasses]
BaseLib
DebugLib DebugLib
BaseMemoryLib BaseMemoryLib
MemoryAllocationLib MemoryAllocationLib

4
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
View File

@ -33,7 +33,9 @@ EDKII_VARIABLE_POLICY_PROTOCOL mVariablePolicyProtocol = {
ProtocolIsVariablePolicyEnabled, ProtocolIsVariablePolicyEnabled,
RegisterVariablePolicy, RegisterVariablePolicy,
DumpVariablePolicy, DumpVariablePolicy,
LockVariablePolicy LockVariablePolicy,
GetVariablePolicyInfo,
GetLockOnVariableStateVariablePolicyInfo
}; };
EDKII_VAR_CHECK_PROTOCOL mVarCheck = { EDKII_VAR_CHECK_PROTOCOL mVarCheck = {
VarCheckRegisterSetVariableCheckHandler, VarCheckRegisterSetVariableCheckHandler,

346
MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c
View File

@ -410,6 +410,338 @@ ProtocolLockVariablePolicy (
return (EFI_ERROR (Status)) ? Status : PolicyHeader->Result; return (EFI_ERROR (Status)) ? Status : PolicyHeader->Result;
} }
/**
Internal implementation to retrieve variable information for a given UEFI variable that is shared
between different policy types.
Currently, the two policy structure types supported (and all that is defined) are VARIABLE_POLICY_ENTRY
and VARIABLE_LOCK_ON_VAR_STATE_POLICY.
@param[in] Command The command value to use in the communicate call.
@param[in] VariableName The name of the variable to use for the policy search.
@param[in] VendorGuid The vendor GUID of the variable to use for the policy search.
@param[in,out] VariablePolicyVariableNameBufferSize On input, the size, in bytes, of the VariablePolicyVariableName
buffer.
On output, the size, in bytes, needed to store the variable
policy variable name.
If testing for the VariablePolicyVariableName buffer size
needed, set this value to zero so EFI_BUFFER_TOO_SMALL is
guaranteed to be returned if the variable policy variable name
is found.
@param[out] VariablePolicy Pointer to a buffer where the policy entry will be written
if found.
@param[out] VariablePolicyVariableName Pointer to a buffer where the variable name used for the
variable policy will be written if a variable name is
registered.
If the variable policy is not associated with a variable name
(e.g. applied to variable vendor namespace) and this parameter
is given, this parameter will not be modified and
VariablePolicyVariableNameBufferSize will be set to zero to
indicate a name was not present.
If the pointer given is not NULL,
VariablePolicyVariableNameBufferSize must be non-NULL.
@retval EFI_SUCCESS A variable policy entry was found and returned successfully.
@retval EFI_BAD_BUFFER_SIZE An internal buffer size caused a calculation error.
@retval EFI_BUFFER_TOO_SMALL The VariablePolicyVariableName buffer value is too small for the size needed.
The buffer should now point to the size needed.
@retval EFI_NOT_READY Variable policy has not yet been initialized.
@retval EFI_INVALID_PARAMETER A required pointer argument passed is NULL. This will be returned if
VariablePolicyVariableName is non-NULL and VariablePolicyVariableNameBufferSize
is NULL. It can also be returned if the Command value provided is invalid.
@retval EFI_NOT_FOUND A variable policy was not found for the given UEFI variable name and vendor GUID.
**/
STATIC
EFI_STATUS
InternalProtocolGetVariablePolicyInfo (
IN UINT32 Command,
IN CONST CHAR16 *VariableName,
IN CONST EFI_GUID *VendorGuid,
IN OUT UINTN *VariablePolicyVariableNameBufferSize, OPTIONAL
OUT VOID *VariablePolicy,
OUT CHAR16 *VariablePolicyVariableName OPTIONAL
)
{
EFI_STATUS Status;
CHAR16 *OutputVariableName;
EFI_MM_COMMUNICATE_HEADER *CommHeader;
VAR_CHECK_POLICY_COMM_HEADER *PolicyHeader;
VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS *CommandParams;
UINTN AllowedOutputVariableNameSize;
UINTN BufferSize;
UINTN VariableNameSize;
if ((VariableName == NULL) || (VendorGuid == NULL) || (VariablePolicy == NULL)) {
return EFI_INVALID_PARAMETER;
}
switch (Command) {
case VAR_CHECK_POLICY_COMMAND_GET_INFO:
case VAR_CHECK_POLICY_COMMAND_GET_LOCK_VAR_STATE_INFO:
break;
default:
return EFI_INVALID_PARAMETER;
}
AcquireLockOnlyAtBootTime (&mMmCommunicationLock);
VariableNameSize = StrnSizeS (
VariableName,
(VAR_CHECK_POLICY_MM_GET_INFO_BUFFER_SIZE - VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS_END)
);
if (VariableNameSize >= (VAR_CHECK_POLICY_MM_GET_INFO_BUFFER_SIZE - VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS_END)) {
Status = EFI_INVALID_PARAMETER;
goto Done;
}
if ((VariablePolicyVariableName != NULL) && (VariablePolicyVariableNameBufferSize == NULL)) {
return EFI_INVALID_PARAMETER;
goto Done;
}
BufferSize = mMmCommunicationBufferSize;
CommHeader = mMmCommunicationBuffer;
Status = SafeUintnSub (
VAR_CHECK_POLICY_MM_GET_INFO_BUFFER_SIZE,
VariableNameSize,
&AllowedOutputVariableNameSize
);
if (EFI_ERROR (Status)) {
Status = EFI_INVALID_PARAMETER;
goto Done;
}
if (VariablePolicyVariableNameBufferSize != NULL) {
AllowedOutputVariableNameSize = MIN (AllowedOutputVariableNameSize, *VariablePolicyVariableNameBufferSize);
} else {
AllowedOutputVariableNameSize = 0;
}
PolicyHeader = (VAR_CHECK_POLICY_COMM_HEADER *)&CommHeader->Data;
CommandParams = (VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS *)(PolicyHeader + 1);
CopyGuid (&CommHeader->HeaderGuid, &gVarCheckPolicyLibMmiHandlerGuid);
CommHeader->MessageLength = BufferSize - OFFSET_OF (EFI_MM_COMMUNICATE_HEADER, Data);
PolicyHeader->Signature = VAR_CHECK_POLICY_COMM_SIG;
PolicyHeader->Revision = VAR_CHECK_POLICY_COMM_REVISION;
PolicyHeader->Command = Command;
ZeroMem ((VOID *)&CommandParams->OutputPolicyEntry, sizeof (CommandParams->OutputPolicyEntry));
CopyGuid (&CommandParams->InputVendorGuid, VendorGuid);
Status = SafeUintnToUint32 (VariableNameSize, &CommandParams->InputVariableNameSize);
if (EFI_ERROR (Status)) {
Status = EFI_INVALID_PARAMETER;
goto Done;
}
Status = SafeUintnToUint32 (AllowedOutputVariableNameSize, &CommandParams->OutputVariableNameSize);
if (EFI_ERROR (Status)) {
Status = EFI_INVALID_PARAMETER;
goto Done;
}
if (AllowedOutputVariableNameSize > 0) {
Status = StrnCpyS (
CommandParams->InputVariableName,
AllowedOutputVariableNameSize / sizeof (CHAR16),
VariableName,
(UINTN)CommandParams->InputVariableNameSize / sizeof (CHAR16)
);
ASSERT_EFI_ERROR (Status);
}
Status = InternalMmCommunicate (CommHeader, &BufferSize);
if (Status == EFI_SUCCESS) {
CopyMem (
VariablePolicy,
(VOID *)&CommandParams->OutputPolicyEntry,
(Command == VAR_CHECK_POLICY_COMMAND_GET_INFO) ?
sizeof (CommandParams->OutputPolicyEntry.VariablePolicy) :
sizeof (CommandParams->OutputPolicyEntry.LockOnVarStatePolicy)
);
if (VariablePolicyVariableNameBufferSize == NULL) {
if (VariablePolicyVariableName != NULL) {
Status = EFI_INVALID_PARAMETER;
}
goto Done;
}
if (PolicyHeader->Result == EFI_BUFFER_TOO_SMALL) {
*VariablePolicyVariableNameBufferSize = (UINTN)CommandParams->OutputVariableNameSize;
goto Done;
}
if (PolicyHeader->Result == EFI_SUCCESS) {
if (CommandParams->OutputVariableNameSize > 0) {
Status = SafeUintnAdd (
((UINTN)CommandParams + VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS_END),
(UINTN)CommandParams->InputVariableNameSize,
(UINTN *)&OutputVariableName
);
if (EFI_ERROR (Status)) {
Status = EFI_BAD_BUFFER_SIZE;
goto Done;
}
Status = StrnCpyS (
VariablePolicyVariableName,
*VariablePolicyVariableNameBufferSize / sizeof (CHAR16),
OutputVariableName,
(UINTN)CommandParams->OutputVariableNameSize
);
ASSERT_EFI_ERROR (Status);
*VariablePolicyVariableNameBufferSize = (UINTN)CommandParams->OutputVariableNameSize;
} else {
// A variable policy variable name is not present. Return values according to interface.
*VariablePolicyVariableNameBufferSize = 0;
}
}
}
Done:
ReleaseLockOnlyAtBootTime (&mMmCommunicationLock);
return (EFI_ERROR (Status)) ? Status : PolicyHeader->Result;
}
/**
This function will return variable policy information for a UEFI variable with a
registered variable policy.
@param[in] VariableName The name of the variable to use for the policy search.
@param[in] VendorGuid The vendor GUID of the variable to use for the policy search.
@param[in,out] VariablePolicyVariableNameBufferSize On input, the size, in bytes, of the VariablePolicyVariableName
buffer.
On output, the size, in bytes, needed to store the variable
policy variable name.
If testing for the VariablePolicyVariableName buffer size
needed, set this value to zero so EFI_BUFFER_TOO_SMALL is
guaranteed to be returned if the variable policy variable name
is found.
@param[out] VariablePolicy Pointer to a buffer where the policy entry will be written
if found.
@param[out] VariablePolicyVariableName Pointer to a buffer where the variable name used for the
variable policy will be written if a variable name is
registered.
If the variable policy is not associated with a variable name
(e.g. applied to variable vendor namespace) and this parameter
is given, this parameter will not be modified and
VariablePolicyVariableNameBufferSize will be set to zero to
indicate a name was not present.
If the pointer given is not NULL,
VariablePolicyVariableNameBufferSize must be non-NULL.
@retval EFI_SUCCESS A variable policy entry was found and returned successfully.
@retval EFI_BAD_BUFFER_SIZE An internal buffer size caused a calculation error.
@retval EFI_BUFFER_TOO_SMALL The VariablePolicyVariableName buffer value is too small for the size needed.
The buffer should now point to the size needed.
@retval EFI_NOT_READY Variable policy has not yet been initialized.
@retval EFI_INVALID_PARAMETER A required pointer argument passed is NULL. This will be returned if
VariablePolicyVariableName is non-NULL and VariablePolicyVariableNameBufferSize
is NULL.
@retval EFI_NOT_FOUND A variable policy was not found for the given UEFI variable name and vendor GUID.
**/
STATIC
EFI_STATUS
EFIAPI
ProtocolGetVariablePolicyInfo (
IN CONST CHAR16 *VariableName,
IN CONST EFI_GUID *VendorGuid,
IN OUT UINTN *VariablePolicyVariableNameBufferSize, OPTIONAL
OUT VARIABLE_POLICY_ENTRY *VariablePolicy,
OUT CHAR16 *VariablePolicyVariableName OPTIONAL
)
{
return InternalProtocolGetVariablePolicyInfo (
VAR_CHECK_POLICY_COMMAND_GET_INFO,
VariableName,
VendorGuid,
VariablePolicyVariableNameBufferSize,
VariablePolicy,
VariablePolicyVariableName
);
}
/**
This function will return the Lock on Variable State policy information for the policy
associated with the given UEFI variable.
@param[in] VariableName The name of the variable to use for the policy search.
@param[in] VendorGuid The vendor GUID of the variable to use for the policy
search.
@param[in,out] VariableLockPolicyVariableNameBufferSize On input, the size, in bytes, of the
VariableLockPolicyVariableName buffer.
On output, the size, in bytes, needed to store the variable
policy variable name.
If testing for the VariableLockPolicyVariableName buffer
P size needed, set this value to zero so EFI_BUFFER_TOO_SMALL
is guaranteed to be returned if the variable policy variable
name is found.
@param[out] VariablePolicy Pointer to a buffer where the policy entry will be written
if found.
@param[out] VariableLockPolicyVariableName Pointer to a buffer where the variable name used for the
variable lock on variable state policy will be written if
a variable name is registered.
If the lock on variable policy is not associated with a
variable name (e.g. applied to variable vendor namespace)
and this parameter is given, this parameter will not be
modified and VariableLockPolicyVariableNameBufferSize will
be set to zero to indicate a name was not present.
If the pointer given is not NULL,
VariableLockPolicyVariableNameBufferSize must be non-NULL.
@retval EFI_SUCCESS A Lock on Variable State variable policy entry was found and returned
successfully.
@retval EFI_BAD_BUFFER_SIZE An internal buffer size caused a calculation error.
@retval EFI_BUFFER_TOO_SMALL The VariableLockPolicyVariableName buffer is too small for the size needed.
The buffer should now point to the size needed.
@retval EFI_NOT_READY Variable policy has not yet been initialized.
@retval EFI_INVALID_PARAMETER A required pointer argument passed is NULL. This will be returned if
VariableLockPolicyVariableName is non-NULL and
VariableLockPolicyVariableNameBufferSize is NULL.
@retval EFI_NOT_FOUND A Lock on Variable State variable policy was not found for the given UEFI
variable name and vendor GUID.
**/
STATIC
EFI_STATUS
EFIAPI
ProtocolGetLockOnVariableStateVariablePolicyInfo (
IN CONST CHAR16 *VariableName,
IN CONST EFI_GUID *VendorGuid,
IN OUT UINTN *VariableLockPolicyVariableNameBufferSize, OPTIONAL
OUT VARIABLE_LOCK_ON_VAR_STATE_POLICY *VariablePolicy,
OUT CHAR16 *VariableLockPolicyVariableName OPTIONAL
)
{
return InternalProtocolGetVariablePolicyInfo (
VAR_CHECK_POLICY_COMMAND_GET_LOCK_VAR_STATE_INFO,
VariableName,
VendorGuid,
VariableLockPolicyVariableNameBufferSize,
VariablePolicy,
VariableLockPolicyVariableName
);
}
/** /**
This helper function locates the shared comm buffer and assigns it to input pointers. This helper function locates the shared comm buffer and assigns it to input pointers.
@ -514,12 +846,14 @@ VariablePolicySmmDxeMain (
} }
// Configure the VariablePolicy protocol structure. // Configure the VariablePolicy protocol structure.
mVariablePolicyProtocol.Revision = EDKII_VARIABLE_POLICY_PROTOCOL_REVISION; mVariablePolicyProtocol.Revision = EDKII_VARIABLE_POLICY_PROTOCOL_REVISION;
mVariablePolicyProtocol.DisableVariablePolicy = ProtocolDisableVariablePolicy; mVariablePolicyProtocol.DisableVariablePolicy = ProtocolDisableVariablePolicy;
mVariablePolicyProtocol.IsVariablePolicyEnabled = ProtocolIsVariablePolicyEnabled; mVariablePolicyProtocol.IsVariablePolicyEnabled = ProtocolIsVariablePolicyEnabled;
mVariablePolicyProtocol.RegisterVariablePolicy = ProtocolRegisterVariablePolicy; mVariablePolicyProtocol.RegisterVariablePolicy = ProtocolRegisterVariablePolicy;
mVariablePolicyProtocol.DumpVariablePolicy = ProtocolDumpVariablePolicy; mVariablePolicyProtocol.DumpVariablePolicy = ProtocolDumpVariablePolicy;
mVariablePolicyProtocol.LockVariablePolicy = ProtocolLockVariablePolicy; mVariablePolicyProtocol.LockVariablePolicy = ProtocolLockVariablePolicy;
mVariablePolicyProtocol.GetVariablePolicyInfo = ProtocolGetVariablePolicyInfo;
mVariablePolicyProtocol.GetLockOnVariableStateVariablePolicyInfo = ProtocolGetLockOnVariableStateVariablePolicyInfo;
// Register all the protocols and return the status. // Register all the protocols and return the status.
Status = gBS->InstallMultipleProtocolInterfaces ( Status = gBS->InstallMultipleProtocolInterfaces (