sravan/system76-edk2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
9eb5ccda505917f6ee80284ed6fb5b51aa7152f9
system76-edk2/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c
Kun Qin d6bee54c45 SecurityPkg: PlatformPKProtectionLib: Added PK protection interface 
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3911

This patch provides an abstracted interface for platform to implement PK
variable related protection interface, which is designed to be used when
PK variable is about to be changed by UEFI firmware.

This change also provided a variable policy based library implementation
to accomodate platforms that supports variable policy for variable
protections.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Min Xu <min.m.xu@intel.com>

Signed-off-by: Kun Qin <kun.qin@microsoft.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Acked-by: Michael Kubacki <michael.kubacki@microsoft.com>
2022-07-07 01:07:00 +00:00

52 lines
1.6 KiB
C
Raw Blame History

/** @file
Provides an abstracted interface for configuring PK related variable protection.
Copyright (c) Microsoft Corporation.
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include <Uefi.h>
#include <Protocol/VariablePolicy.h>
#include <Library/DebugLib.h>
#include <Library/UefiBootServicesTableLib.h>
/**
Disable any applicable protection against variable 'PK'. The implementation
of this interface is platform specific, depending on the protection techniques
used per platform.
Note: It is the platform's responsibility to conduct cautious operation after
disabling this protection.
@retval EFI_SUCCESS State has been successfully updated.
@retval Others Error returned from implementation specific
underying APIs.
**/
EFI_STATUS
EFIAPI
DisablePKProtection (
VOID
)
{
EFI_STATUS Status;
EDKII_VARIABLE_POLICY_PROTOCOL *VariablePolicy;
DEBUG ((DEBUG_INFO, "%a() Entry...\n", __FUNCTION__));
// IMPORTANT NOTE: This operation is sticky and leaves variable protections disabled.
// The system *MUST* be reset after performing this operation.
Status = gBS->LocateProtocol (&gEdkiiVariablePolicyProtocolGuid, NULL, (VOID **)&VariablePolicy);
if (!EFI_ERROR (Status)) {
Status = VariablePolicy->DisableVariablePolicy ();
// EFI_ALREADY_STARTED means that everything is currently disabled.
// This should be considered SUCCESS.
if (Status == EFI_ALREADY_STARTED) {
Status = EFI_SUCCESS;
}
}
return Status;
}
Reference in New Issue View Git Blame Copy Permalink