-----Original Message-----
From: Zhang, Chao B
Sent: Monday, June 27, 2016 3:06 PM
To: [email protected]
Cc: Yao, Jiewen <[email protected]>; Zeng, Star <[email protected]>;
Zhang, Chao B <[email protected]>
Subject: [PATCH] SecurityPkg: AuthVariableLib: Cache UserPhysicalPresent in
AuthVariableLib
AuthVariableLib is updated to cache the UserPhysicalPresent state to global
variable. This avoids calling PlatformSecureLib during runtime and makes
PhysicalPresent state consistent during one boot.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <[email protected]>
---
SecurityPkg/Library/AuthVariableLib/AuthService.c | 8 ++++----
SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h | 1 +
SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c | 7 +++++++
3 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c
b/SecurityPkg/Library/AuthVariableLib/AuthService.c
index 6e1e284..1d49b6a 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@@ -931,7 +931,7 @@ ProcessVarWithPk (
// Init state of Del. State may change due to secure check
//
Del = FALSE;
- if ((InCustomMode() && UserPhysicalPresent()) || (mPlatformMode ==
SETUP_MODE && !IsPk)) {
+ if ((InCustomMode() && mUserPhysicalPresent) || (mPlatformMode ==
SETUP_MODE && !IsPk)) {
Payload = (UINT8 *) Data + AUTHINFO2_SIZE (Data);
PayloadSize = DataSize - AUTHINFO2_SIZE (Data);
if (PayloadSize == 0) {
@@ -1049,7 +1049,7 @@ ProcessVarWithKek (
}
Status = EFI_SUCCESS;
- if (mPlatformMode == USER_MODE && !(InCustomMode() &&
UserPhysicalPresent())) {
+ if (mPlatformMode == USER_MODE && !(InCustomMode() &&
mUserPhysicalPresent)) {
//
// Time-based, verify against X509 Cert KEK.
//
@@ -1204,7 +1204,7 @@ ProcessVariable (
&OrgVariableInfo
);
- if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable
(OrgVariableInfo.Attributes, Data, DataSize, Attributes) &&
UserPhysicalPresent()) {
+ if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable
(OrgVariableInfo.Attributes, Data, DataSize, Attributes) &&
mUserPhysicalPresent) {
//
// Allow the delete operation of common authenticated variable at
user physical presence.
//
@@ -1222,7 +1222,7 @@ ProcessVariable (
return Status;
}
- if (NeedPhysicallyPresent (VariableName, VendorGuid)
&& !UserPhysicalPresent()) {
+ if (NeedPhysicallyPresent (VariableName, VendorGuid)
&& !mUserPhysicalPresent) {
//
// This variable is protected, only physical present user could modify its
value.
//
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
index e7c4bf0..ac7ea89 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
+++ b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
@@ -128,6 +128,7 @@ extern UINT8 *mCertDbStore;
extern UINT32 mMaxCertDbSize;
extern UINT32 mPlatformMode;
extern UINT8 mVendorKeyState;
+extern BOOLEAN mUserPhysicalPresent;
extern VOID *mHashCtx;
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
index c4fbb64..dd35a44 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
@@ -35,6 +35,7 @@ UINT8 *mCertDbStore;
UINT32 mMaxCertDbSize;
UINT32 mPlatformMode;
UINT8 mVendorKeyState;
+BOOLEAN mUserPhysicalPresent;
EFI_GUID mSignatureSupport[] = {EFI_CERT_SHA1_GUID,
EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID,
EFI_CERT_X509_GUID};
@@ -435,6 +436,12 @@ AuthVariableLibInitialize (
AuthVarLibContextOut->AddressPointer = mAuthVarAddressPointer;
AuthVarLibContextOut->AddressPointerCount = sizeof
(mAuthVarAddressPointer) / sizeof (mAuthVarAddressPointer[0]);
+ //
+ // Cache UserPhysicalPresent State.
+ // Platform should report PhysicalPresent before this point
+ //
+ mUserPhysicalPresent = UserPhysicalPresent();
+
return Status;
}
--
1.9.5.msysgit.1
