[edk2] [PATCH 1/2] PerformancePkg Dp_App: Use Image->FilePath to get name for SMM drivers
This enhancement is to use the FilePath field in the loaded image protocol to find the name of an image as a fallback for when the loaded image device path protocol is not installed on the image handle. This is necessary because the SMM core does not install the loaded image device path protocol, so DP was displaying "Unknown Driver Name" for every SMM driver. Cc: Liming GaoCc: Daryl McDaniel Cc: Jaben Carsey Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Star Zeng --- PerformancePkg/Dp_App/DpUtilities.c | 13 ++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/PerformancePkg/Dp_App/DpUtilities.c b/PerformancePkg/Dp_App/DpUtilities.c index ec5a524..b49844a 100644 --- a/PerformancePkg/Dp_App/DpUtilities.c +++ b/PerformancePkg/Dp_App/DpUtilities.c @@ -1,7 +1,7 @@ /** @file Utility functions used by the Dp application. - Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved. + Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved. This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -221,6 +221,9 @@ GetNameFromHandle ( CHAR8 *BestLanguage; EFI_COMPONENT_NAME2_PROTOCOL *ComponentName2; + Image = NULL; + LoadedImageDevicePath = NULL; + DevicePath = NULL; BestLanguage = NULL; PlatformLanguage = NULL; @@ -307,9 +310,13 @@ GetNameFromHandle ( ); if (!EFI_ERROR (Status) && (LoadedImageDevicePath != NULL)) { DevicePath = LoadedImageDevicePath; + } else if (Image != NULL) { +DevicePath = Image->FilePath; + } + if (DevicePath != NULL) { // -// Try to get image GUID from LoadedImageDevicePath protocol +// Try to get image GUID from image DevicePath // NameGuid = NULL; while (!IsDevicePathEndType (DevicePath)) { 
@@ -356,7 +363,7 @@ GetNameFromHandle (
 //
 // Method 5: Get the name string from image DevicePath
 //
-NameString = ConvertDevicePathToText (LoadedImageDevicePath, TRUE, FALSE);
+NameString = ConvertDevicePathToText (DevicePath, TRUE, FALSE);
 if (NameString != NULL) {
 StrnCpyS (
 mGaugeString,
-- 2.7.0.windows.1
___ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
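Review bot: `ConvertDevicePathToText (DevicePath, TRUE, FALSE)` now receives the pointer that the previous hunk's `while (!IsDevicePathEndType (DevicePath))` walk operates on, whereas the removed line converted the untouched `LoadedImageDevicePath`; if that loop body (outside the hunk) advances `DevicePath` with NextDevicePathNode, Method 5 now renders only the tail of the path, and an empty string when the walk reached the end node without finding a firmware-volume file node. Keep the head of the path in its own variable before the walk, e.g. `ImageDevicePath = DevicePath;`, and pass `ImageDevicePath` here, or walk with a temporary cursor instead of `DevicePath` itself. The `if (DevicePath != NULL)` guard added in the previous hunk does cover a NULL `Image->FilePath`, which the loaded-image protocol permits. GetNameFromHandle starts and ends outside the hunks, so the lookup that fills `Image` before the `Image->FilePath` fallback could not be checked.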
[edk2] [PATCH 0/2] DP: Use Image->FilePath to get name for SMM drivers
This enhancement is to use the FilePath field in the loaded image protocol to find the name of an image as a fallback for when the loaded image device path protocol is not installed on the image handle. This is necessary because the SMM core does not install the loaded image device path protocol, so DP was displaying "Unknown Driver Name" for every SMM driver. Star Zeng (2): PerformancePkg Dp_App: Use Image->FilePath to get name for SMM drivers ShellPkg UefiDpLib: Use Image->FilePath to get name for SMM drivers PerformancePkg/Dp_App/DpUtilities.c | 13 ++--- ShellPkg/Library/UefiDpLib/DpUtilities.c | 14 +++--- 2 files changed, 21 insertions(+), 6 deletions(-) -- 2.7.0.windows.1 ___ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
[edk2] [Patch] BaseTools: process the files by the priority in BUILDRULEORDER
By the BUILDRULEORDER feature to process files listed in INF [Sources] sections in priority order, if a filename is listed with multiple extensions, the tools will use only the file that matches the first extension in the space separated list. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Yonghong Zhu--- BaseTools/Source/Python/AutoGen/AutoGen.py | 29 - 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/BaseTools/Source/Python/AutoGen/AutoGen.py b/BaseTools/Source/Python/AutoGen/AutoGen.py index abac477..e9f4888 100644 --- a/BaseTools/Source/Python/AutoGen/AutoGen.py +++ b/BaseTools/Source/Python/AutoGen/AutoGen.py @@ -1,9 +1,9 @@ ## @file # Generate AutoGen.h, AutoGen.c and *.depex files # -# Copyright (c) 2007 - 2015, Intel Corporation. All rights reserved. +# Copyright (c) 2007 - 2016, Intel Corporation. All rights reserved. # This program and the accompanying materials # are licensed and made available under the terms and conditions of the BSD License # which accompanies this distribution. The full text of the license may be found at # http://opensource.org/licenses/bsd-license.php # 
@@ -2739,13 +2739,40 @@ class ModuleAutoGen(AutoGen): # add the file path into search path list for file including if F.Dir not in self.IncludePathList and self.AutoGenVersion >= 0x00010005: self.IncludePathList.insert(0, F.Dir) self._SourceFileList.append(F) + +self._MatchBuildRuleOrder(self._SourceFileList) + +for F in self._SourceFileList: self._ApplyBuildRule(F, TAB_UNKNOWN_FILE) return self._SourceFileList +def _MatchBuildRuleOrder(self, FileList): +Order_Dict = {} +self._GetModuleBuildOption() +for SingleFile in FileList: +if self.BuildRuleOrder and SingleFile.Ext in self.BuildRuleOrder and SingleFile.Ext in self.BuildRules: +key = SingleFile.Path.split(SingleFile.Ext)[0] +if key in Order_Dict: +Order_Dict[key].append(SingleFile.Ext) +else: +Order_Dict[key] = [SingleFile.Ext] + +RemoveList = [] +for F in Order_Dict: +if len(Order_Dict[F]) > 1: +Order_Dict[F].sort(key=lambda i: self.BuildRuleOrder.index(i)) +for Ext in Order_Dict[F][1:]: +RemoveList.append(F + Ext) + +for item in RemoveList: +FileList.remove(item) + +return FileList + ## Return the list of unicode files def _GetUnicodeFileList(self): if self._UnicodeFileList == None: if TAB_UNICODE_FILE in self.FileTypes: self._UnicodeFileList = self.FileTypes[TAB_UNICODE_FILE] -- 2.6.1.windows.1 ___ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
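Review bot: `key = SingleFile.Path.split(SingleFile.Ext)[0]` in `_MatchBuildRuleOrder` derives the duplicate-detection key by splitting the whole path on the extension text, so two sources under a directory whose name contains that text (say `Pkg/foo.c/a.c` and `Pkg/foo.c/b.c`, constructed example) collapse to one truncated key, and the later `FileList.remove(F + Ext)` then names a path that is not in the list and raises ValueError; slicing the extension off the end, `key = SingleFile.Path[:-len(SingleFile.Ext)]`, keys on the real stem (assuming `Ext` carries the dot, as `F + Ext` already assumes). `FileList.remove(item)` compares a str against the list's PathClass entries, which only works if PathClass defines equality against str, so that reliance deserves a comment. Since a lower-priority source is now dropped silently, an `EdkLogger.verbose(...)` line naming the discarded file (if EdkLogger is imported in this module) would make the choice visible in the build log. The return value of `_MatchBuildRuleOrder` is ignored at its only call site while the list is mutated in place; either drop the `return FileList` or use it.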
[edk2] [patch] SecurityPkg: Mark MorLock module deprecated.
This module only handles MOR lock v1. Now MOR lock V2 solution is published and added in variable driver. So this module can be deprecated. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: "Yao, Jiewen"Cc: "Zhang, Chao B" Cc: "Zeng, Star"
---
 SecurityPkg/Tcg/MemoryOverwriteRequestControlLock/TcgMorLockSmm.inf | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/SecurityPkg/Tcg/MemoryOverwriteRequestControlLock/TcgMorLockSmm.inf b/SecurityPkg/Tcg/MemoryOverwriteRequestControlLock/TcgMorLockSmm.inf
index a35a01f..1623bd0 100644
--- a/SecurityPkg/Tcg/MemoryOverwriteRequestControlLock/TcgMorLockSmm.inf
+++ b/SecurityPkg/Tcg/MemoryOverwriteRequestControlLock/TcgMorLockSmm.inf
@@ -3,7 +3,10 @@
 #
 # This module will add Variable Hook and allow MemoryOverwriteRequestControlLock variable set only once.
 #
-# Copyright (c) 2015, Intel Corporation. All rights reserved.
+# NOTE: This module only handles secure MOR V1 and is deprecated.
+# The secure MOR V2 is handled inside of variable driver.
+#
+# Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.
 # This program and the accompanying materials
 # are licensed and made available under the terms and conditions of the BSD License
 # which accompanies this distribution. The full text of the license may be found at
-- 1.9.5.msysgit.0
___ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
Re: [edk2] [PATCH 10/12] ShellPkg: Add NOOPT target in ShellPkg.dsc
Reviewed-by: Qiu Shumin-Original Message- From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Hao Wu Sent: Monday, January 18, 2016 1:18 PM To: edk2-devel@lists.01.org; Gao, Liming Cc: Wu, Hao A Subject: [edk2] [PATCH 10/12] ShellPkg: Add NOOPT target in ShellPkg.dsc Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu --- ShellPkg/ShellPkg.dsc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ShellPkg/ShellPkg.dsc b/ShellPkg/ShellPkg.dsc index 7e07cfb..b29adb8 100644 --- a/ShellPkg/ShellPkg.dsc +++ b/ShellPkg/ShellPkg.dsc @@ -1,7 +1,7 @@ ## @file # Shell Package # -# Copyright (c) 2007 - 2015, Intel Corporation. All rights reserved. +# Copyright (c) 2007 - 2016, Intel Corporation. All rights +reserved. # #This program and the accompanying materials #are licensed and made available under the terms and conditions of the BSD License @@ -20,7 +20,7 @@ DSC_SPECIFICATION = 0x00010006 OUTPUT_DIRECTORY = Build/Shell SUPPORTED_ARCHITECTURES= IA32|IPF|X64|EBC|ARM|AARCH64 - BUILD_TARGETS = DEBUG|RELEASE + BUILD_TARGETS = DEBUG|RELEASE|NOOPT SKUID_IDENTIFIER = DEFAULT [LibraryClasses.common] -- 1.9.5.msysgit.0 ___ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel ___ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
Re: [edk2] [patch] SecurityPkg: Mark MorLock module deprecated.
Jiewen: The patch is good to me. Reviewed-by: Chao ZhangThanks & Best regards Chao Zhang -Original Message- From: Yao, Jiewen Sent: Monday, January 18, 2016 3:37 PM To: edk2-de...@ml01.01.org Cc: Yao, Jiewen; Zhang, Chao B; Zeng, Star Subject: [patch] SecurityPkg: Mark MorLock module deprecated. This module only handles MOR lock v1. Now MOR lock V2 solution is published and added in variable driver. So this module can be deprecated. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: "Yao, Jiewen" Cc: "Zhang, Chao B" Cc: "Zeng, Star" --- SecurityPkg/Tcg/MemoryOverwriteRequestControlLock/TcgMorLockSmm.inf | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/SecurityPkg/Tcg/MemoryOverwriteRequestControlLock/TcgMorLockSmm.inf b/SecurityPkg/Tcg/MemoryOverwriteRequestControlLock/TcgMorLockSmm.inf index a35a01f..1623bd0 100644 --- a/SecurityPkg/Tcg/MemoryOverwriteRequestControlLock/TcgMorLockSmm.inf +++ b/SecurityPkg/Tcg/MemoryOverwriteRequestControlLock/TcgMorLockSmm.in +++ f @@ -3,7 +3,10 @@ # # This module will add Variable Hook and allow MemoryOverwriteRequestControlLock variable set only once. # -# Copyright (c) 2015, Intel Corporation. All rights reserved. +# NOTE: This module only handles secure MOR V1 and is deprecated. +# The secure MOR V2 is handled inside of variable driver. +# +# Copyright (c) 2015 - 2016, Intel Corporation. All rights +reserved. # This program and the accompanying materials # are licensed and made available under the terms and conditions of the BSD License # which accompanies this distribution. The full text of the license may be found at -- 1.9.5.msysgit.0 ___ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
Re: [edk2] [patch] SecurityPkg: Mark MorLock module deprecated.
On 2016/1/18 15:37, jiewen yao wrote: This module only handles MOR lock v1. Now MOR lock V2 solution is published and added in variable driver. So this module can be deprecated. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: "Yao, Jiewen"Cc: "Zhang, Chao B" Cc: "Zeng, Star" --- SecurityPkg/Tcg/MemoryOverwriteRequestControlLock/TcgMorLockSmm.inf | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) Reviewed-by: Star Zeng diff --git a/SecurityPkg/Tcg/MemoryOverwriteRequestControlLock/TcgMorLockSmm.inf b/SecurityPkg/Tcg/MemoryOverwriteRequestControlLock/TcgMorLockSmm.inf index a35a01f..1623bd0 100644 --- a/SecurityPkg/Tcg/MemoryOverwriteRequestControlLock/TcgMorLockSmm.inf +++ b/SecurityPkg/Tcg/MemoryOverwriteRequestControlLock/TcgMorLockSmm.inf @@ -3,7 +3,10 @@ # # This module will add Variable Hook and allow MemoryOverwriteRequestControlLock variable set only once. # -# Copyright (c) 2015, Intel Corporation. All rights reserved. +# NOTE: This module only handles secure MOR V1 and is deprecated. +# The secure MOR V2 is handled inside of variable driver. +# +# Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved. # This program and the accompanying materials # are licensed and made available under the terms and conditions of the BSD License # which accompanies this distribution. The full text of the license may be found at ___ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
[edk2] [PATCH 09/12] SecurityPkg: Add NOOPT target in SecurityPkg.dsc
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu--- SecurityPkg/SecurityPkg.dsc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index 0908b26..0f1fc0f 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc @@ -1,7 +1,7 @@ ## @file # Security Module Package for All Architectures. # -# Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved. +# Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved. # (C) Copyright 2015 Hewlett Packard Enterprise Development LP # This program and the accompanying materials # are licensed and made available under the terms and conditions of the BSD License @@ -20,7 +20,7 @@ DSC_SPECIFICATION = 0x00010005 OUTPUT_DIRECTORY = Build/SecurityPkg SUPPORTED_ARCHITECTURES= IA32|IPF|X64|EBC - BUILD_TARGETS = DEBUG|RELEASE + BUILD_TARGETS = DEBUG|RELEASE|NOOPT SKUID_IDENTIFIER = DEFAULT [LibraryClasses] -- 1.9.5.msysgit.0 ___ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
[edk2] [PATCH 11/12] SourceLevelDebugPkg: Add NOOPT target in SourceLevelDebugPkg.dsc
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu--- SourceLevelDebugPkg/SourceLevelDebugPkg.dsc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SourceLevelDebugPkg/SourceLevelDebugPkg.dsc b/SourceLevelDebugPkg/SourceLevelDebugPkg.dsc index 0dcaea2..bf14ec4 100644 --- a/SourceLevelDebugPkg/SourceLevelDebugPkg.dsc +++ b/SourceLevelDebugPkg/SourceLevelDebugPkg.dsc @@ -1,7 +1,7 @@ ## @file # Source Level Debug Package. # -# Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved. +# Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved. # #This program and the accompanying materials #are licensed and made available under the terms and conditions of the BSD License @@ -25,7 +25,7 @@ DSC_SPECIFICATION = 0x00010005 OUTPUT_DIRECTORY = Build/SourceLevelDebugPkg SUPPORTED_ARCHITECTURES= IA32|X64 - BUILD_TARGETS = DEBUG|RELEASE + BUILD_TARGETS = DEBUG|RELEASE|NOOPT SKUID_IDENTIFIER = DEFAULT [LibraryClasses.common] -- 1.9.5.msysgit.0 ___ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
[edk2] [PATCH 12/12] UefiCpuPkg: Add NOOPT target in UefiCpuPkg.dsc
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu--- UefiCpuPkg/UefiCpuPkg.dsc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/UefiCpuPkg/UefiCpuPkg.dsc b/UefiCpuPkg/UefiCpuPkg.dsc index 4061050..31e60bb 100644 --- a/UefiCpuPkg/UefiCpuPkg.dsc +++ b/UefiCpuPkg/UefiCpuPkg.dsc @@ -1,7 +1,7 @@ ## @file # UefiCpuPkg Package # -# Copyright (c) 2007 - 2015, Intel Corporation. All rights reserved. +# Copyright (c) 2007 - 2016, Intel Corporation. All rights reserved. # # This program and the accompanying materials # are licensed and made available under the terms and conditions of the BSD License @@ -20,7 +20,7 @@ DSC_SPECIFICATION = 0x00010005 OUTPUT_DIRECTORY = Build/UefiCpu SUPPORTED_ARCHITECTURES= IA32|IPF|X64 - BUILD_TARGETS = DEBUG|RELEASE + BUILD_TARGETS = DEBUG|RELEASE|NOOPT SKUID_IDENTIFIER = DEFAULT # -- 1.9.5.msysgit.0 ___ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
[edk2] [PATCH 08/12] PerformancePkg: Add NOOPT target in PerformancePkg.dsc
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu--- PerformancePkg/PerformancePkg.dsc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/PerformancePkg/PerformancePkg.dsc b/PerformancePkg/PerformancePkg.dsc index d03ea36..ac53c4e 100644 --- a/PerformancePkg/PerformancePkg.dsc +++ b/PerformancePkg/PerformancePkg.dsc @@ -1,7 +1,7 @@ ## @file # Build description file to generate Shell DP application. # -# Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved. +# Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved. # This program and the accompanying materials # are licensed and made available under the terms and conditions of the BSD License # which accompanies this distribution. The full text of the license may be found at @@ -19,7 +19,7 @@ PLATFORM_VERSION = 0.2 OUTPUT_DIRECTORY = Build/PerformancePkg SUPPORTED_ARCHITECTURES= IA32|IPF|X64|EBC - BUILD_TARGETS = DEBUG|RELEASE + BUILD_TARGETS = DEBUG|RELEASE|NOOPT SKUID_IDENTIFIER = DEFAULT [LibraryClasses] -- 1.9.5.msysgit.0 ___ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
[edk2] [patch V2 1/3] MdeModulePkg: Add MorLockSmm to variable driver.
Microsoft published secure MOR implementation at https://msdn.microsoft.com/en-us/library/windows/hardware/mt270973(v=vs.85).aspx with revision 2 update. See URL for tech detail. Previous revision 1 is handled in SecurityPkg\Tcg\ MemoryOverwriteRequestControlLock. But the VarCheck API can not satisfy revision 2 requirement. So we decide include MOR lock control into variable driver directly. This patch add standalone TcgMorLockSmm implementation. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: "Yao, Jiewen"Cc: "Zhang, Chao B" Cc: "Zeng, Star" --- .../Universal/Variable/RuntimeDxe/TcgMorLockSmm.c | 394 + 1 file changed, 394 insertions(+) create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c new file mode 100644 index 000..dade10a --- /dev/null +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c 
@@ -0,0 +1,394 @@
+/** @file
+ TCG MOR (Memory Overwrite Request) Lock Control support (SMM version).
+
+ This module initilizes MemoryOverwriteRequestControlLock variable.
+ This module adds Variable Hook and check MemoryOverwriteRequestControlLock.
+
+Copyright (c) 2016, Intel Corporation. All rights reserved.
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution. The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include "Variable.h"
+
+typedef struct {
+ CHAR16 *VariableName;
+ EFI_GUID *VendorGuid;
+} VARIABLE_TYPE;
+
+VARIABLE_TYPE mMorVariableType[] = {
+ {MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, },
+ {MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, },
+};
+
+#define MOR_LOCK_DATA_UNLOCKED 0x0
+#define MOR_LOCK_DATA_LOCKED_WITHOUT_KEY 0x1
+#define MOR_LOCK_DATA_LOCKED_WITH_KEY0x2
+
+#define MOR_LOCK_V1_SIZE 1
+#define MOR_LOCK_V2_KEY_SIZE 8
+
+typedef enum {
+ MorLockStateUnlocked = 0,
+ MorLockStateLocked = 1,
+} MOR_LOCK_STATE;
+
+UINT8 mMorLockKey[MOR_LOCK_V2_KEY_SIZE];
+BOOLEAN mMorLockKeyEmpty = TRUE;
+BOOLEAN mMorLockPassThru = FALSE;
+MOR_LOCK_STATE mMorLockState = MorLockStateUnlocked;
+
+/**
+ Returns if this is MOR related variable.
+
+ @param VariableName the name of the vendor's variable, it's a Null-Terminated Unicode String
+ @param VendorGuid Unify identifier for vendor.
+
+ @retval TRUEThe variable is MOR related.
+ @retval FALSE The variable is NOT MOR related.
+**/
+BOOLEAN
+IsAnyMorVariable (
+ IN CHAR16 *VariableName,
+ IN EFI_GUID *VendorGuid
+ )
+{
+ UINTN Index;
+
+ for (Index = 0; Index < sizeof(mMorVariableType)/sizeof(mMorVariableType[0]); Index++) {
+if ((StrCmp (VariableName, mMorVariableType[Index].VariableName) == 0) &&
+(CompareGuid (VendorGuid, mMorVariableType[Index].VendorGuid))) {
+ return TRUE;
+}
+ }
+ return FALSE;
+}
+
+/**
+ Returns if this is MOR lock variable.
+
+ @param VariableName the name of the vendor's variable, it's a Null-Terminated Unicode String
+ @param VendorGuid Unify identifier for vendor.
+
+ @retval TRUEThe variable is MOR lock variable.
+ @retval FALSE The variable is NOT MOR lock variable.
+**/
+BOOLEAN
+IsMorLockVariable (
+ IN CHAR16 *VariableName,
+ IN EFI_GUID *VendorGuid
+ )
+{
+ if ((StrCmp (VariableName, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME) == 0) &&
+ (CompareGuid (VendorGuid, ))) {
+return TRUE;
+ }
+ return FALSE;
+}
+
+/**
+ Set MOR lock variable.
+
+ @param Data MOR Lock variable data.
+
+ @retval EFI_SUCCESSThe firmware has successfully stored the variable and its data as
+ defined by the Attributes.
+ @retval EFI_INVALID_PARAMETER An invalid combination of attribute bits was supplied, or the
+ DataSize exceeds the maximum allowed.
+ @retval EFI_INVALID_PARAMETER VariableName is an empty Unicode string.
+ @retval EFI_OUT_OF_RESOURCES Not enough storage is available to hold the variable and its data.
+ @retval EFI_DEVICE_ERROR The variable could not be saved due to a hardware failure.
+ @retval EFI_WRITE_PROTECTEDThe variable in question is read-only.
+ @retval EFI_WRITE_PROTECTEDThe
[edk2] [patch V2 0/3] Add MorLock to variable driver
Microsoft published secure MOR implementation at https://msdn.microsoft.com/en-us/library/windows/hardware/mt270973(v=vs.85).aspx with revision 2 update. This patch series adds MOR lock revision 2 to the variable driver. jiewen yao (3): MdeModulePkg: Add MorLockSmm to variable driver. MdeModulePkg: Add MorLockDxe to variable driver. MdeModulePkg: Add MorLock to variable driver. .../Universal/Variable/RuntimeDxe/TcgMorLockDxe.c | 89 + .../Universal/Variable/RuntimeDxe/TcgMorLockSmm.c | 394 + .../Universal/Variable/RuntimeDxe/Variable.c | 60 +++- .../Variable/RuntimeDxe/VariableRuntimeDxe.inf | 6 +- .../Universal/Variable/RuntimeDxe/VariableSmm.inf | 6 +- 5 files changed, 552 insertions(+), 3 deletions(-) create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c -- 1.9.5.msysgit.0 ___ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
[edk2] [patch V2 3/3] MdeModulePkg: Add MorLock to variable driver.
This patch adds MorLock function to Variable main function. It also updates corresponding INF file to pass build. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: "Yao, Jiewen"Cc: "Zhang, Chao B" Cc: "Zeng, Star" --- .../Universal/Variable/RuntimeDxe/Variable.c | 60 +- .../Variable/RuntimeDxe/VariableRuntimeDxe.inf | 6 ++- .../Universal/Variable/RuntimeDxe/VariableSmm.inf | 6 ++- 3 files changed, 69 insertions(+), 3 deletions(-) diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c index 2dc3038..5e39d44 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c @@ -16,7 +16,7 @@ VariableServiceSetVariable() should also check authenticate data to avoid buffer overflow, integer overflow. It should also check attribute to avoid authentication bypass. -Copyright (c) 2006 - 2015, Intel Corporation. All rights reserved. +Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved. (C) Copyright 2015 Hewlett Packard Enterprise Development LP This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License 
@@ -112,6 +112,43 @@ SecureBootHook ( ); /** + Initialization for MOR Lock Control. + + @retval EFI_SUCEESS MorLock initialization success. + @return Others Some error occurs. +**/ +EFI_STATUS +MorLockInit ( + VOID + ); + +/** + This service is an MOR/MorLock checker handler for the SetVariable(). + + @param VariableName the name of the vendor's variable, as a + Null-Terminated Unicode String + @param VendorGuid Unify identifier for vendor. + @param Attributes Point to memory location to return the attributes of variable. If the point + is NULL, the parameter would be ignored. + @param DataSize The size in bytes of Data-Buffer. + @param Data Point to the content of the variable. + + @retval EFI_SUCCESSThe MOR/MorLock check pass, and Variable driver can store the variable data. + @retval EFI_INVALID_PARAMETER The MOR/MorLock data or data size or attributes is not allowed for MOR variable. + @retval EFI_ACCESS_DENIED The MOR/MorLock is locked. + @retval EFI_ALREADY_STARTEDThe MorLock variable is handled inside this function. + Variable driver can just return EFI_SUCCESS. +**/ +EFI_STATUS +SetVariableCheckHandlerMor ( + IN CHAR16 *VariableName, + IN EFI_GUID *VendorGuid, + IN UINT32 Attributes, + IN UINTN DataSize, + IN VOID *Data + ); + +/** Routine used to track statistical information about variable usage. The data is stored in the EFI system table so it can be accessed later. VariableInfo.efi can dump out the table. Only Boot Services variable 
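Review bot: The new `SetVariableCheckHandlerMor` prototype documents `@param Attributes` as "Point to memory location to return the attributes of variable. If the point is NULL, the parameter would be ignored", which describes an output pointer, while the declared parameter is `IN UINT32 Attributes` passed by value and can never be NULL; it should read `@param Attributes Attributes bitmask of the variable being set.`. In the `MorLockInit` header just above it, `@retval EFI_SUCEESS` is a typo for `EFI_SUCCESS`. Both doc blocks are repeated verbatim in the new TcgMorLockDxe.c (patch 2/3 further down this page) and should be corrected there as well.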
@@ -3192,6 +3229,21 @@ VariableServiceSetVariable ( } } + // + // Special Handling for MOR Lock variable. + // + Status = SetVariableCheckHandlerMor (VariableName, VendorGuid, Attributes, PayloadSize, (VOID *) ((UINTN) Data + DataSize - PayloadSize)); + if (Status == EFI_ALREADY_STARTED) { +// +// EFI_ALREADY_STARTED means the SetVariable() action is handled inside of SetVariableCheckHandlerMor(). +// Variable driver can just return SUCCESS. +// +return EFI_SUCCESS; + } + if (EFI_ERROR (Status)) { +return Status; + } + Status = VarCheckLibSetVariableCheck (VariableName, VendorGuid, Attributes, PayloadSize, (VOID *) ((UINTN) Data + DataSize - PayloadSize), mRequestSource); if (EFI_ERROR (Status)) { return Status; @@ -3966,6 +4018,12 @@ VariableWriteServiceInitialize ( } ReleaseLockOnlyAtBootTime (>VariableGlobal.VariableServicesLock); + + // + // Initialize MOR Lock variable. + // + MorLockInit (); + return Status; } diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf index 62c1568..da9b8bb 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf @@ -9,7 +9,7 @@ # This external input must be validated carefully to avoid security issues such as # buffer overflow or integer overflow. # -# Copyright (c) 2006 - 2015, Intel Corporation. All rights reserved. +# Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved. # This program and the accompanying materials # are licensed and made available under the terms and conditions of the BSD License # which accompanies this distribution. The full text of the license may be found at @@ -42,6 +42,7 @@ VariableDxe.c Variable.h Measurement.c + TcgMorLockDxe.c VarCheck.c VariableExLib.c @@ -95,6
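Review bot: The `EFI_ALREADY_STARTED` branch returns `EFI_SUCCESS` before `VarCheckLibSetVariableCheck` and everything that follows it in `VariableServiceSetVariable`, so a write that `SetVariableCheckHandlerMor` completes internally is never subjected to the VarCheck policies (including variable-lock checks) that every other SetVariable goes through. If that is intended, the comment should say so explicitly, e.g. `// The handler has already validated and stored the MorLock variable itself; VarCheck policies are deliberately not applied to it.`, so the next reader does not treat it as a bypass. VariableServiceSetVariable starts and ends outside the hunk.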
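Review bot: `MorLockInit ();` in the `VariableWriteServiceInitialize` hunk discards its return value although the prototype added above documents `@return Others Some error occurs`, so a failure to set up the lock variable is silent and the function still returns the earlier `Status`. Capture it in its own local so the function's return value is not clobbered: `MorStatus = MorLockInit ();` followed by `if (EFI_ERROR (MorStatus)) { DEBUG ((EFI_D_ERROR, "MorLockInit failed: %r\n", MorStatus)); }`, or decide explicitly that it may overwrite `Status`. VariableWriteServiceInitialize starts outside the hunk, so whether an appropriate local already exists could not be checked.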
[edk2] [patch V2 2/3] MdeModulePkg: Add MorLockDxe to variable driver.
Per secure MOR implementation document, it is not proper to add MOR lock in non-SMM version, because DXE version can not provide protection. This patch add standalone TcgMorLockDxe implementation. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: "Yao, Jiewen"Cc: "Zhang, Chao B" Cc: "Zeng, Star" --- .../Universal/Variable/RuntimeDxe/TcgMorLockDxe.c | 89 ++ 1 file changed, 89 insertions(+) create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c new file mode 100644 index 000..501d1a0 --- /dev/null +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c 
@@ -0,0 +1,89 @@ +/** @file + TCG MOR (Memory Overwrite Request) Lock Control support (DXE version). + + This module clears MemoryOverwriteRequestControlLock variable to indicate + MOR lock control unsupported. + +Copyright (c) 2016, Intel Corporation. All rights reserved. +This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD License +which accompanies this distribution. The full text of the license may be found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#include +#include +#include +#include +#include +#include +#include "Variable.h" + +extern EDKII_VARIABLE_LOCK_PROTOCOL mVariableLock; + +/** + This service is an MOR/MorLock checker handler for the SetVariable(). + + @param VariableName the name of the vendor's variable, as a + Null-Terminated Unicode String + @param VendorGuid Unify identifier for vendor. + @param Attributes Point to memory location to return the attributes of variable. If the point + is NULL, the parameter would be ignored. + @param DataSize The size in bytes of Data-Buffer. + @param Data Point to the content of the variable. + + @retval EFI_SUCCESSThe MOR/MorLock check pass, and Variable driver can store the variable data. + @retval EFI_INVALID_PARAMETER The MOR/MorLock data or data size or attributes is not allowed for MOR variable. + @retval EFI_ACCESS_DENIED The MOR/MorLock is locked. + @retval EFI_ALREADY_STARTEDThe MorLock variable is handled inside this function. + Variable driver can just return EFI_SUCCESS. +**/ +EFI_STATUS +SetVariableCheckHandlerMor ( + IN CHAR16 *VariableName, + IN EFI_GUID *VendorGuid, + IN UINT32 Attributes, + IN UINTN DataSize, + IN VOID *Data + ) +{ + // + // Just let it pass. No need provide protection for DXE version. 
+ // + return EFI_SUCCESS; +} + +/** + Initialization for MOR Lock Control. + + @retval EFI_SUCEESS MorLock initialization success. + @return Others Some error occurs. +**/ +EFI_STATUS +MorLockInit ( + VOID + ) +{ + // + // Always clear variable to report unsupported to OS. + // The reason is that the DXE version is not proper to provide *protection*. + // BIOS should use SMM version variable driver to provide such capability. + // + VariableServiceSetVariable ( +MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, +, +EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, +0, +NULL +); + + // + // Need set this variable to be read-only to prevent other module set it. + // + VariableLockRequestToLock (, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, ); + return EFI_SUCCESS; +} -- 1.9.5.msysgit.0 ___ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
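Review bot: `MorLockInit` ignores the status of the `VariableServiceSetVariable` delete, so if a non-volatile `MemoryOverwriteRequestControlLock` left behind by an earlier boot (or by the SMM / SecurityPkg lock driver) cannot be removed, the following `VariableLockRequestToLock` freezes that stale value read-only and the OS sees a lock that appears supported and can never be cleared, the opposite of the "report unsupported" intent stated in the comment. Capture the status, tolerate the no-variable case (presumably `EFI_NOT_FOUND` from the delete path, to be confirmed against UpdateVariable), and return the failure so the caller can act on it; the function already documents `@return Others`, which it cannot produce today. The `@param Attributes` text ("Point to memory location to return the attributes...") describes GetVariable's out-parameter rather than the `UINT32` value passed here; suggest `@param Attributes Attribute value of the variable being set.` and fix the `EFI_SUCEESS` typo in the `@retval`. The GUID arguments render as a bare `,` in this archive, presumably `&gEfiMemoryOverwriteRequestControlLockGuid` lost in extraction; worth checking the committed file.
```c
  EFI_STATUS  Status;

  // … unchanged: comment explaining why the DXE version reports unsupported …
  Status = VariableServiceSetVariable (
             MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME,
             &gEfiMemoryOverwriteRequestControlLockGuid,
             EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
             0,
             NULL
             );
  if (EFI_ERROR (Status) && (Status != EFI_NOT_FOUND)) {
    //
    // A stale lock value could not be cleared; do not freeze it read-only.
    //
    DEBUG ((EFI_D_ERROR, "MorLockInit: clearing MorLock failed - %r\n", Status));
    return Status;
  }
  // … unchanged: VariableLockRequestToLock call and return EFI_SUCCESS …
```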
[edk2] [PATCH 05/12] MdePkg: Add NOOPT target in MdePkg.dsc
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu--- MdePkg/MdePkg.dsc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/MdePkg/MdePkg.dsc b/MdePkg/MdePkg.dsc index 473df4d..1880b3b 100644 --- a/MdePkg/MdePkg.dsc +++ b/MdePkg/MdePkg.dsc @@ -1,7 +1,7 @@ ## @file # EFI/PI MdePkg Package # -# Copyright (c) 2007 - 2015, Intel Corporation. All rights reserved. +# Copyright (c) 2007 - 2016, Intel Corporation. All rights reserved. # Portions copyright (c) 2008 - 2009, Apple Inc. All rights reserved. # #This program and the accompanying materials @@ -21,7 +21,7 @@ DSC_SPECIFICATION = 0x00010005 OUTPUT_DIRECTORY = Build/Mde SUPPORTED_ARCHITECTURES= IA32|IPF|X64|EBC|ARM|AARCH64 - BUILD_TARGETS = DEBUG|RELEASE + BUILD_TARGETS = DEBUG|RELEASE|NOOPT SKUID_IDENTIFIER = DEFAULT [PcdsFeatureFlag] -- 1.9.5.msysgit.0 ___ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
[edk2] [PATCH 00/12] Add NOOPT target in package DSC files
Add NOOPT option in BUILD_TARGETS within package DSC files. Hao Wu (12): CryptoPkg: Add NOOPT target in CryptoPkg.dsc IntelFrameworkModulePkg: Add NOOPT target in IntelFrameworkModulePkg.dsc IntelFrameworkPkg: Add NOOPT target in IntelFrameworkPkg.dsc MdeModulePkg: Add NOOPT target in MdeModulePkg.dsc MdePkg: Add NOOPT target in MdePkg.dsc NetworkPkg: Add NOOPT target in NetworkPkg.dsc PcAtChipsetPkg: Add NOOPT target in PcAtChipsetPkg.dsc PerformancePkg: Add NOOPT target in PerformancePkg.dsc SecurityPkg: Add NOOPT target in SecurityPkg.dsc ShellPkg: Add NOOPT target in ShellPkg.dsc SourceLevelDebugPkg: Add NOOPT target in SourceLevelDebugPkg.dsc UefiCpuPkg: Add NOOPT target in UefiCpuPkg.dsc CryptoPkg/CryptoPkg.dsc | 4 ++-- IntelFrameworkModulePkg/IntelFrameworkModulePkg.dsc | 4 ++-- IntelFrameworkPkg/IntelFrameworkPkg.dsc | 4 ++-- MdeModulePkg/MdeModulePkg.dsc | 4 ++-- MdePkg/MdePkg.dsc | 4 ++-- NetworkPkg/NetworkPkg.dsc | 4 ++-- PcAtChipsetPkg/PcAtChipsetPkg.dsc | 4 ++-- PerformancePkg/PerformancePkg.dsc | 4 ++-- SecurityPkg/SecurityPkg.dsc | 4 ++-- ShellPkg/ShellPkg.dsc | 4 ++-- SourceLevelDebugPkg/SourceLevelDebugPkg.dsc | 4 ++-- UefiCpuPkg/UefiCpuPkg.dsc | 4 ++-- 12 files changed, 24 insertions(+), 24 deletions(-) -- 1.9.5.msysgit.0 ___ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
[edk2] [PATCH 07/12] PcAtChipsetPkg: Add NOOPT target in PcAtChipsetPkg.dsc
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu--- PcAtChipsetPkg/PcAtChipsetPkg.dsc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/PcAtChipsetPkg/PcAtChipsetPkg.dsc b/PcAtChipsetPkg/PcAtChipsetPkg.dsc index 152f5f6..71b3a6e 100644 --- a/PcAtChipsetPkg/PcAtChipsetPkg.dsc +++ b/PcAtChipsetPkg/PcAtChipsetPkg.dsc @@ -1,7 +1,7 @@ ## @file # PC/AT Chipset Package # -# Copyright (c) 2007 - 2014, Intel Corporation. All rights reserved. +# Copyright (c) 2007 - 2016, Intel Corporation. All rights reserved. # # This program and the accompanying materials # are licensed and made available under the terms and conditions of the BSD License @@ -20,7 +20,7 @@ DSC_SPECIFICATION = 0x00010005 OUTPUT_DIRECTORY = Build/PcAtChipset SUPPORTED_ARCHITECTURES= IA32|X64 - BUILD_TARGETS = DEBUG|RELEASE + BUILD_TARGETS = DEBUG|RELEASE|NOOPT SKUID_IDENTIFIER = DEFAULT [LibraryClasses] -- 1.9.5.msysgit.0 ___ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
[edk2] [PATCH 10/12] ShellPkg: Add NOOPT target in ShellPkg.dsc
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu--- ShellPkg/ShellPkg.dsc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ShellPkg/ShellPkg.dsc b/ShellPkg/ShellPkg.dsc index 7e07cfb..b29adb8 100644 --- a/ShellPkg/ShellPkg.dsc +++ b/ShellPkg/ShellPkg.dsc @@ -1,7 +1,7 @@ ## @file # Shell Package # -# Copyright (c) 2007 - 2015, Intel Corporation. All rights reserved. +# Copyright (c) 2007 - 2016, Intel Corporation. All rights reserved. # #This program and the accompanying materials #are licensed and made available under the terms and conditions of the BSD License @@ -20,7 +20,7 @@ DSC_SPECIFICATION = 0x00010006 OUTPUT_DIRECTORY = Build/Shell SUPPORTED_ARCHITECTURES= IA32|IPF|X64|EBC|ARM|AARCH64 - BUILD_TARGETS = DEBUG|RELEASE + BUILD_TARGETS = DEBUG|RELEASE|NOOPT SKUID_IDENTIFIER = DEFAULT [LibraryClasses.common] -- 1.9.5.msysgit.0 ___ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
[edk2] [PATCH 06/12] NetworkPkg: Add NOOPT target in NetworkPkg.dsc
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu--- NetworkPkg/NetworkPkg.dsc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/NetworkPkg/NetworkPkg.dsc b/NetworkPkg/NetworkPkg.dsc index 39224f3..0695dc1 100644 --- a/NetworkPkg/NetworkPkg.dsc +++ b/NetworkPkg/NetworkPkg.dsc @@ -2,7 +2,7 @@ # UEFI 2.4 Network Module Package for All Architectures # # (C) Copyright 2014 Hewlett-Packard Development Company, L.P. -# Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved. +# Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved. # #This program and the accompanying materials #are licensed and made available under the terms and conditions of the BSD License @@ -21,7 +21,7 @@ DSC_SPECIFICATION = 0x00010005 OUTPUT_DIRECTORY = Build/NetworkPkg SUPPORTED_ARCHITECTURES= IA32|IPF|X64|EBC|ARM|AARCH64 - BUILD_TARGETS = DEBUG|RELEASE + BUILD_TARGETS = DEBUG|RELEASE|NOOPT SKUID_IDENTIFIER = DEFAULT [LibraryClasses] -- 1.9.5.msysgit.0 ___ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
[edk2] [PATCH 01/12] CryptoPkg: Add NOOPT target in CryptoPkg.dsc
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu--- CryptoPkg/CryptoPkg.dsc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc index fdd0431..5ae0e67 100644 --- a/CryptoPkg/CryptoPkg.dsc +++ b/CryptoPkg/CryptoPkg.dsc @@ -1,7 +1,7 @@ ## @file # Cryptographic Library Package for UEFI Security Implementation. # -# Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved. +# Copyright (c) 2009 - 2016, Intel Corporation. All rights reserved. # This program and the accompanying materials # are licensed and made available under the terms and conditions of the BSD License # which accompanies this distribution. The full text of the license may be found at @@ -24,7 +24,7 @@ DSC_SPECIFICATION = 0x00010005 OUTPUT_DIRECTORY = Build/CryptoPkg SUPPORTED_ARCHITECTURES= IA32|X64|IPF|ARM|AARCH64 - BUILD_TARGETS = DEBUG|RELEASE + BUILD_TARGETS = DEBUG|RELEASE|NOOPT SKUID_IDENTIFIER = DEFAULT -- 1.9.5.msysgit.0 ___ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
[edk2] [PATCH 02/12] IntelFrameworkModulePkg: Add NOOPT target in IntelFrameworkModulePkg.dsc
Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Hao Wu--- IntelFrameworkModulePkg/IntelFrameworkModulePkg.dsc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/IntelFrameworkModulePkg/IntelFrameworkModulePkg.dsc b/IntelFrameworkModulePkg/IntelFrameworkModulePkg.dsc index b4adab1..b5b0af7 100644 --- a/IntelFrameworkModulePkg/IntelFrameworkModulePkg.dsc +++ b/IntelFrameworkModulePkg/IntelFrameworkModulePkg.dsc @@ -3,7 +3,7 @@ # # This file is used to build all modules in IntelFrameworkModulePkg. # -#Copyright (c) 2007 - 2015, Intel Corporation. All rights reserved. +#Copyright (c) 2007 - 2016, Intel Corporation. All rights reserved. #This program and the accompanying materials are licensed and made available under #the terms and conditions of the BSD License that accompanies this distribution. #The full text of the license may be found at @@ -26,7 +26,7 @@ DSC_SPECIFICATION = 0x00010005 OUTPUT_DIRECTORY = Build/IntelFrameworkModuleAll SUPPORTED_ARCHITECTURES= IA32|IPF|X64|EBC|ARM - BUILD_TARGETS = DEBUG|RELEASE + BUILD_TARGETS = DEBUG|RELEASE|NOOPT SKUID_IDENTIFIER = DEFAULT -- 1.9.5.msysgit.0 ___ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
Re: [edk2] This text was added by using code
Yes. I also take Star's feedback to separate DXE version from SMM version. V2 patch will be sent soon. Thank you Yao Jiewen -Original Message- From: Ni, Ruiyu Sent: Monday, January 18, 2016 10:27 AM To: Yao, Jiewen; edk2-de...@ml01.01.org Cc: Yao, Jiewen; Zeng, Star; Zhang, Chao B Subject: This text was added by using code Jiewen, Could you please remove the "EFIAPI" for SetVariableCheckHandlerMor()? Regards, Ray -Original Message- From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of jiewen yao Sent: Friday, January 15, 2016 2:24 PM To: edk2-de...@ml01.01.org Cc: Yao, Jiewen; Zeng, Star ; Zhang, Chao B Subject: [edk2] [patch 2/2] MdeModulePkg: Include MorLock check into variable driver. Microsoft published secure MOR implementation at https://msdn.microsoft.com/en-us/library/windows/hardware/mt270973(v=vs.85).aspx with revision 2 update. See URL for tech detail. Previous revision 1 is handled in SecurityPkg\Tcg\ MemoryOverwriteRequestControlLock. But the VarCheck API can not satisfy revision 2 requirement. So we decide include MOR lock control into variable driver directly. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: "Yao, Jiewen" Cc: "Zhang, Chao B" Cc: "Zeng, Star" --- .../Universal/Variable/RuntimeDxe/TcgMorLock.c | 404 + .../Universal/Variable/RuntimeDxe/Variable.c | 60 +++ .../Variable/RuntimeDxe/VariableRuntimeDxe.inf | 4 + .../Universal/Variable/RuntimeDxe/VariableSmm.inf | 4 + 4 files changed, 472 insertions(+) create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLock.c diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLock.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLock.c new file mode 100644 index 000..087e85a --- /dev/null +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLock.c 
@@ -0,0 +1,404 @@ +/** @file + TCG MOR (Memory Overwrite Request) Lock Control support. + + This module initilizes MemoryOverwriteRequestControlLock variable. + This module adds Variable Hook and check MemoryOverwriteRequestControlLock. + +Copyright (c) 2016, Intel Corporation. All rights reserved. This +program and the accompanying materials are licensed and made available +under the terms and conditions of the BSD License which accompanies +this distribution. The full text of the license may be found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#include +#include #include + +#include +#include +#include +#include "Variable.h" + +typedef struct { + CHAR16 *VariableName; + EFI_GUID *VendorGuid; +} VARIABLE_TYPE; + +VARIABLE_TYPE mMorVariableType[] = { + {MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, }, + {MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, +}, +}; + +#define MOR_LOCK_DATA_UNLOCKED 0x0 +#define MOR_LOCK_DATA_LOCKED_WITHOUT_KEY 0x1 +#define MOR_LOCK_DATA_LOCKED_WITH_KEY0x2 + +#define MOR_LOCK_V1_SIZE 1 +#define MOR_LOCK_V2_KEY_SIZE 8 + +typedef enum { + MorLockStateUnlocked = 0, + MorLockStateLocked = 1, +} MOR_LOCK_STATE; + +UINT8 mMorLockKey[MOR_LOCK_V2_KEY_SIZE]; +BOOLEAN mMorLockKeyEmpty = TRUE; +BOOLEAN mMorLockPassThru = FALSE; +MOR_LOCK_STATE mMorLockState = MorLockStateUnlocked; + +/** + Returns if this is MOR related variable. + + @param VariableName the name of the vendor's variable, it's a Null-Terminated Unicode String + @param VendorGuid Unify identifier for vendor. + + @retval TRUEThe variable is MOR related. + @retval FALSE The variable is NOT MOR related. 
+**/ +BOOLEAN +IsAnyMorVariable ( + IN CHAR16 *VariableName, + IN EFI_GUID *VendorGuid + ) +{ + UINTN Index; + + for (Index = 0; Index < sizeof(mMorVariableType)/sizeof(mMorVariableType[0]); Index++) { +if ((StrCmp (VariableName, mMorVariableType[Index].VariableName) == 0) && +(CompareGuid (VendorGuid, mMorVariableType[Index].VendorGuid))) { + return TRUE; +} + } + return FALSE; +} + +/** + Returns if this is MOR lock variable. + + @param VariableName the name of the vendor's variable, it's a Null-Terminated Unicode String + @param VendorGuid Unify identifier for vendor. + + @retval TRUEThe variable is MOR lock variable. + @retval FALSE The variable is NOT MOR lock variable. +**/ +BOOLEAN +IsMorLockVariable ( + IN CHAR16 *VariableName, + IN EFI_GUID *VendorGuid + ) +{ + if ((StrCmp (VariableName,
Re: [edk2] [patch V2 0/3] Add MorLock to variable driver
Comments below: -Original Message- From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of Zeng, Star Sent: Monday, January 18, 2016 3:23 PM To: Yao, Jiewen; edk2-de...@ml01.01.org Subject: Re: [edk2] [patch V2 0/3] Add MorLock to variable driver On 2016/1/18 14:51, jiewen yao wrote: > Microsoft published secure MOR implementation at > https://msdn.microsoft.com/en-us/library/windows/hardware/mt270973(v=v > s.85).aspx > with revision 2 update. > This series patches add MOR lock revision 2 to variable driver. > > jiewen yao (3): >MdeModulePkg: Add MorLockSmm to variable driver. >MdeModulePkg: Add MorLockDxe to variable driver. >MdeModulePkg: Add MorLock to variable driver. > > .../Universal/Variable/RuntimeDxe/TcgMorLockDxe.c | 89 + > .../Universal/Variable/RuntimeDxe/TcgMorLockSmm.c | 394 > + > .../Universal/Variable/RuntimeDxe/Variable.c | 60 +++- > .../Variable/RuntimeDxe/VariableRuntimeDxe.inf | 6 +- > .../Universal/Variable/RuntimeDxe/VariableSmm.inf | 6 +- > 5 files changed, 552 insertions(+), 3 deletions(-) > create mode 100644 > MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c > create mode 100644 > MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c > Reviewed-by: Star ZengOnly minor comments below 1. About the inf changes in [[patch V2 3/3]. + gEfiMemoryOverwriteControlDataGuid## PRODUCES ## Variable:L"MemoryOverwriteRequestControl" should be CONSUMES? [Jiewen] Yes, good catch. I will update it when I check in. + gEfiMemoryOverwriteRequestControlLockGuid ## CONSUMES ## Variable:L"MemoryOverwriteRequestControlLock" + should be PRODUCES? [Jiewen] Yes, good catch. I will update it when I check in. 2. Should SecurityPkg\Tcg\MemoryOverwriteRequestControlLock be removed or indicated to be deprecated or commented with more information to say it only supports MOR lock revision 1? [Jiewen] Yes, good idea. I will send another patch to indicate it is deprecated. 
Re: [edk2] [patch V2 2/3] MdeModulePkg: Add MorLockDxe to variable driver.
Jiewen: The patch is good to me. Reviewed-by: Chao ZhangThanks & Best regards Chao Zhang -Original Message- From: Yao, Jiewen Sent: Monday, January 18, 2016 2:52 PM To: edk2-de...@ml01.01.org Cc: Yao, Jiewen; Zhang, Chao B; Zeng, Star Subject: [patch V2 2/3] MdeModulePkg: Add MorLockDxe to variable driver. Per secure MOR implementation document, it is not proper to add MOR lock in non-SMM version, because DXE version can not provide protection. This patch add standalone TcgMorLockDxe implementation. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: "Yao, Jiewen" Cc: "Zhang, Chao B" Cc: "Zeng, Star" --- .../Universal/Variable/RuntimeDxe/TcgMorLockDxe.c | 89 ++ 1 file changed, 89 insertions(+) create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c new file mode 100644 index 000..501d1a0 --- /dev/null +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c 
@@ -0,0 +1,89 @@ +/** @file + TCG MOR (Memory Overwrite Request) Lock Control support (DXE version). + + This module clears MemoryOverwriteRequestControlLock variable to + indicate MOR lock control unsupported. + +Copyright (c) 2016, Intel Corporation. All rights reserved. This +program and the accompanying materials are licensed and made available +under the terms and conditions of the BSD License which accompanies +this distribution. The full text of the license may be found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#include +#include #include + +#include +#include +#include +#include "Variable.h" + +extern EDKII_VARIABLE_LOCK_PROTOCOL mVariableLock; + +/** + This service is an MOR/MorLock checker handler for the SetVariable(). + + @param VariableName the name of the vendor's variable, as a + Null-Terminated Unicode String + @param VendorGuid Unify identifier for vendor. + @param Attributes Point to memory location to return the attributes of variable. If the point + is NULL, the parameter would be ignored. + @param DataSize The size in bytes of Data-Buffer. + @param Data Point to the content of the variable. + + @retval EFI_SUCCESSThe MOR/MorLock check pass, and Variable driver can store the variable data. + @retval EFI_INVALID_PARAMETER The MOR/MorLock data or data size or attributes is not allowed for MOR variable. + @retval EFI_ACCESS_DENIED The MOR/MorLock is locked. + @retval EFI_ALREADY_STARTEDThe MorLock variable is handled inside this function. + Variable driver can just return EFI_SUCCESS. +**/ +EFI_STATUS +SetVariableCheckHandlerMor ( + IN CHAR16 *VariableName, + IN EFI_GUID *VendorGuid, + IN UINT32 Attributes, + IN UINTN DataSize, + IN VOID *Data + ) +{ + // + // Just let it pass. No need provide protection for DXE version. 
+ // + return EFI_SUCCESS; +} + +/** + Initialization for MOR Lock Control. + + @retval EFI_SUCEESS MorLock initialization success. + @return Others Some error occurs. +**/ +EFI_STATUS +MorLockInit ( + VOID + ) +{ + // + // Always clear variable to report unsupported to OS. + // The reason is that the DXE version is not proper to provide *protection*. + // BIOS should use SMM version variable driver to provide such capability. + // + VariableServiceSetVariable ( +MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, +, +EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, +0, +NULL +); + + // + // Need set this variable to be read-only to prevent other module set it. + // + VariableLockRequestToLock (, +MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, +); + return EFI_SUCCESS; +} -- 1.9.5.msysgit.0 ___ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
Re: [edk2] [Patch 0/2] Fix IpSec SPD and SAD mapping issue when SPD updated
The patch is good to me. Reviewed-by: Fu Siyuan -Original Message- From: Wu, Jiaxin Sent: Monday, January 11, 2016 4:44 PM To: edk2-devel@lists.01.org Cc: Ye, Ting ; Fu, Siyuan Subject: [Patch 0/2] Fix IpSec SPD and SAD mapping issue when SPD updated This patch series fixes the IpSec SPD and SAD mapping issue when the SPD is updated by the IPSecConfig tool. The problem has two parts: one is the SPD SetData policy, and the other is the edit policy that is mainly triggered by the IPSecConfig tool. Cc: Ye Ting Cc: Fu Siyuan Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Jiaxin Wu Jiaxin Wu (2): NetworkPkg: Fix IpSec SPD and SAD mapping issue when SPD is updated NetworkPkg: Fix SPD entry edit policy issue in IPSecConfig. .../Application/IpsecConfig/PolicyEntryOperation.c | 41 ++--- NetworkPkg/IpSecDxe/IpSecConfigImpl.c | 68 +++--- 2 files changed, 64 insertions(+), 45 deletions(-) -- 1.9.5.msysgit.1 ___ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
[edk2] This text was added by using code
Jiewen, Could you please remove the "EFIAPI" for SetVariableCheckHandlerMor()? Regards, Ray -Original Message- From: edk2-devel [mailto:edk2-devel-boun...@lists.01.org] On Behalf Of jiewen yao Sent: Friday, January 15, 2016 2:24 PM To: edk2-de...@ml01.01.org Cc: Yao, Jiewen; Zeng, Star ; Zhang, Chao B Subject: [edk2] [patch 2/2] MdeModulePkg: Include MorLock check into variable driver. Microsoft published secure MOR implementation at https://msdn.microsoft.com/en-us/library/windows/hardware/mt270973(v=vs.85).aspx with revision 2 update. See URL for tech detail. Previous revision 1 is handled in SecurityPkg\Tcg\ MemoryOverwriteRequestControlLock. But the VarCheck API can not satisfy revision 2 requirement. So we decide include MOR lock control into variable driver directly. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: "Yao, Jiewen" Cc: "Zhang, Chao B" Cc: "Zeng, Star" --- .../Universal/Variable/RuntimeDxe/TcgMorLock.c | 404 + .../Universal/Variable/RuntimeDxe/Variable.c | 60 +++ .../Variable/RuntimeDxe/VariableRuntimeDxe.inf | 4 + .../Universal/Variable/RuntimeDxe/VariableSmm.inf | 4 + 4 files changed, 472 insertions(+) create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLock.c diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLock.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLock.c new file mode 100644 index 000..087e85a --- /dev/null +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLock.c 
@@ -0,0 +1,404 @@ +/** @file + TCG MOR (Memory Overwrite Request) Lock Control support. + + This module initilizes MemoryOverwriteRequestControlLock variable. + This module adds Variable Hook and check MemoryOverwriteRequestControlLock. + +Copyright (c) 2016, Intel Corporation. All rights reserved. +This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD License +which accompanies this distribution. The full text of the license may be found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#include +#include +#include +#include +#include +#include +#include "Variable.h" + +typedef struct { + CHAR16 *VariableName; + EFI_GUID *VendorGuid; +} VARIABLE_TYPE; + +VARIABLE_TYPE mMorVariableType[] = { + {MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, }, + {MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, }, +}; + +#define MOR_LOCK_DATA_UNLOCKED 0x0 +#define MOR_LOCK_DATA_LOCKED_WITHOUT_KEY 0x1 +#define MOR_LOCK_DATA_LOCKED_WITH_KEY0x2 + +#define MOR_LOCK_V1_SIZE 1 +#define MOR_LOCK_V2_KEY_SIZE 8 + +typedef enum { + MorLockStateUnlocked = 0, + MorLockStateLocked = 1, +} MOR_LOCK_STATE; + +UINT8 mMorLockKey[MOR_LOCK_V2_KEY_SIZE]; +BOOLEAN mMorLockKeyEmpty = TRUE; +BOOLEAN mMorLockPassThru = FALSE; +MOR_LOCK_STATE mMorLockState = MorLockStateUnlocked; + +/** + Returns if this is MOR related variable. + + @param VariableName the name of the vendor's variable, it's a Null-Terminated Unicode String + @param VendorGuid Unify identifier for vendor. + + @retval TRUEThe variable is MOR related. + @retval FALSE The variable is NOT MOR related. 
+**/ +BOOLEAN +IsAnyMorVariable ( + IN CHAR16 *VariableName, + IN EFI_GUID *VendorGuid + ) +{ + UINTN Index; + + for (Index = 0; Index < sizeof(mMorVariableType)/sizeof(mMorVariableType[0]); Index++) { +if ((StrCmp (VariableName, mMorVariableType[Index].VariableName) == 0) && +(CompareGuid (VendorGuid, mMorVariableType[Index].VendorGuid))) { + return TRUE; +} + } + return FALSE; +} + +/** + Returns if this is MOR lock variable. + + @param VariableName the name of the vendor's variable, it's a Null-Terminated Unicode String + @param VendorGuid Unify identifier for vendor. + + @retval TRUEThe variable is MOR lock variable. + @retval FALSE The variable is NOT MOR lock variable. +**/ +BOOLEAN +IsMorLockVariable ( + IN CHAR16 *VariableName, + IN EFI_GUID *VendorGuid + ) +{ + if ((StrCmp (VariableName, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME) == 0) && + (CompareGuid (VendorGuid, ))) { +return TRUE; + } + return FALSE; +} + +/** + Set MOR lock variable. + + @param Data MOR Lock variable data. + + @retval EFI_SUCCESSThe firmware has successfully stored the variable and its data as + defined by