MdeModulePkg Variable: Merge from Auth Variable driver in SecurityPkg

What to do: 1. Merge from Auth Variable driver in SecurityPkg to Variable drive in MdeModulePkg. Then the merged Variable driver in MdeModulePkg will link to AuthVariableLib and TpmMeasurementLib. AuthVariableLibNull and TpmMeasurementLibNull in MdeModulePkg could be used for non auth variable support. AuthVariableLib and DxeTpmMeasurementLib in SecurityPkg may be used for auth variable support. Why to do: 1. Remove code duplication and reduce maintenance effort. After auth variable service separated from Auth Variable driver in SecurityPkg to AuthVariableLib. The remaining code logic of Auth Variable driver in SecurityPkg will be almost same with Variable driver in MdeModulePkg. Now it is to merge them. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Star Zeng <[email protected]> Reviewed-by: Jiewen Yao <[email protected]> Reviewed-by: Liming Gao <[email protected]> git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17765 6f19259b-4bc3-4df7-8a09-765794883524
mdkinney · Jul 1, 2015 · fa0737a · fa0737a
1 parent c88c267
commit fa0737a
Show file tree

Hide file tree

Showing 16 changed files with 2,347 additions and 686 deletions.
diff --git a/MdeModulePkg/Include/Guid/SmmVariableCommon.h b/MdeModulePkg/Include/Guid/SmmVariableCommon.h
@@ -2,12 +2,12 @@
   The file defined some common structures used for communicating between SMM variable module and SMM variable wrapper module.
 
 Copyright (c) 2011 - 2015, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials are licensed and made available under 
-the terms and conditions of the BSD License that accompanies this distribution.  
+This program and the accompanying materials are licensed and made available under
+the terms and conditions of the BSD License that accompanies this distribution.
 The full text of the license may be found at
-http://opensource.org/licenses/bsd-license.php.                                            
+http://opensource.org/licenses/bsd-license.php.
 
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,                     
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 
 **/
@@ -23,8 +23,8 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 extern EFI_GUID gSmmVariableWriteGuid;
 
 //
-// This structure is used for SMM variable. the collected statistics data is saved in SMRAM. It can be got from 
-// SMI handler. The communication buffer should be: 
+// This structure is used for SMM variable. the collected statistics data is saved in SMRAM. It can be got from
+// SMI handler. The communication buffer should be:
 // EFI_SMM_COMMUNICATE_HEADER + SMM_VARIABLE_COMMUNICATE_HEADER + payload.
 //
 typedef struct {
@@ -39,26 +39,26 @@ typedef struct {
 #define SMM_VARIABLE_FUNCTION_GET_VARIABLE            1
 //
 // The payload for this function is SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME.
-// 
+//
 #define SMM_VARIABLE_FUNCTION_GET_NEXT_VARIABLE_NAME  2
 //
 // The payload for this function is SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE.
-// 
+//
 #define SMM_VARIABLE_FUNCTION_SET_VARIABLE            3
 //
 // The payload for this function is SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO.
-// 
+//
 #define SMM_VARIABLE_FUNCTION_QUERY_VARIABLE_INFO     4
 //
 // It is a notify event, no extra payload for this function.
-// 
+//
 #define SMM_VARIABLE_FUNCTION_READY_TO_BOOT           5
 //
 // It is a notify event, no extra payload for this function.
-// 
+//
 #define SMM_VARIABLE_FUNCTION_EXIT_BOOT_SERVICE       6
 //
-// The payload for this function is VARIABLE_INFO_ENTRY. The GUID in EFI_SMM_COMMUNICATE_HEADER 
+// The payload for this function is VARIABLE_INFO_ENTRY. The GUID in EFI_SMM_COMMUNICATE_HEADER
 // is gEfiSmmVariableProtocolGuid.
 //
 #define SMM_VARIABLE_FUNCTION_GET_STATISTICS          7
@@ -71,6 +71,8 @@ typedef struct {
 
 #define SMM_VARIABLE_FUNCTION_VAR_CHECK_VARIABLE_PROPERTY_GET  10
 
+#define SMM_VARIABLE_FUNCTION_GET_PAYLOAD_SIZE        11
+
 ///
 /// Size of SMM communicate header, without including the payload.
 ///
@@ -88,7 +90,7 @@ typedef struct {
   EFI_GUID    Guid;
   UINTN       DataSize;
   UINTN       NameSize;
-  UINT32      Attributes;  
+  UINT32      Attributes;
   CHAR16      Name[1];
 } SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE;
 
@@ -108,7 +110,7 @@ typedef struct {
   UINT64          MaximumVariableStorageSize;
   UINT64          RemainingVariableStorageSize;
   UINT64          MaximumVariableSize;
-  UINT32          Attributes; 
+  UINT32          Attributes;
 } SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO;
 
 typedef SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE;
@@ -120,4 +122,8 @@ typedef struct {
   CHAR16                        Name[1];
 } SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY;
 
-#endif // _SMM_VARIABLE_COMMON_H_
+typedef struct {
+  UINTN                         VariablePayloadSize;
+} SMM_VARIABLE_COMMUNICATE_GET_PAYLOAD_SIZE;
+
+#endif // _SMM_VARIABLE_COMMON_H_
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/Measurement.c
@@ -0,0 +1,255 @@
+/** @file
+  Measure TrEE required variable.
+
+Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD License
+which accompanies this distribution.  The full text of the license may be found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include <PiDxe.h>
+#include <Guid/ImageAuthentication.h>
+#include <IndustryStandard/UefiTcgPlatform.h>
+#include <Protocol/TrEEProtocol.h>
+
+#include <Library/UefiBootServicesTableLib.h>
+#include <Library/UefiRuntimeServicesTableLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/BaseLib.h>
+#include <Library/TpmMeasurementLib.h>
+
+typedef struct {
+  CHAR16                                 *VariableName;
+  EFI_GUID                               *VendorGuid;
+} VARIABLE_TYPE;
+
+VARIABLE_TYPE  mVariableType[] = {
+  {EFI_SECURE_BOOT_MODE_NAME,    &gEfiGlobalVariableGuid},
+  {EFI_PLATFORM_KEY_NAME,        &gEfiGlobalVariableGuid},
+  {EFI_KEY_EXCHANGE_KEY_NAME,    &gEfiGlobalVariableGuid},
+  {EFI_IMAGE_SECURITY_DATABASE,  &gEfiImageSecurityDatabaseGuid},
+  {EFI_IMAGE_SECURITY_DATABASE1, &gEfiImageSecurityDatabaseGuid},
+};
+
+/**
+  This function will return if this variable is SecureBootPolicy Variable.
+
+  @param[in]  VariableName      A Null-terminated string that is the name of the vendor's variable.
+  @param[in]  VendorGuid        A unique identifier for the vendor.
+
+  @retval TRUE  This is SecureBootPolicy Variable
+  @retval FALSE This is not SecureBootPolicy Variable
+**/
+BOOLEAN
+IsSecureBootPolicyVariable (
+  IN CHAR16                                 *VariableName,
+  IN EFI_GUID                               *VendorGuid
+  )
+{
+  UINTN   Index;
+
+  for (Index = 0; Index < sizeof(mVariableType)/sizeof(mVariableType[0]); Index++) {
+    if ((StrCmp (VariableName, mVariableType[Index].VariableName) == 0) &&
+        (CompareGuid (VendorGuid, mVariableType[Index].VendorGuid))) {
+      return TRUE;
+    }
+  }
+  return FALSE;
+}
+
+/**
+  Measure and log an EFI variable, and extend the measurement result into a specific PCR.
+
+  @param[in]  VarName           A Null-terminated string that is the name of the vendor's variable.
+  @param[in]  VendorGuid        A unique identifier for the vendor.
+  @param[in]  VarData           The content of the variable data.
+  @param[in]  VarSize           The size of the variable data.
+
+  @retval EFI_SUCCESS           Operation completed successfully.
+  @retval EFI_OUT_OF_RESOURCES  Out of memory.
+  @retval EFI_DEVICE_ERROR      The operation was unsuccessful.
+
+**/
+EFI_STATUS
+EFIAPI
+MeasureVariable (
+  IN      CHAR16                    *VarName,
+  IN      EFI_GUID                  *VendorGuid,
+  IN      VOID                      *VarData,
+  IN      UINTN                     VarSize
+  )
+{
+  EFI_STATUS                        Status;
+  UINTN                             VarNameLength;
+  EFI_VARIABLE_DATA_TREE            *VarLog;
+  UINT32                            VarLogSize;
+
+  ASSERT ((VarSize == 0 && VarData == NULL) || (VarSize != 0 && VarData != NULL));
+
+  VarNameLength      = StrLen (VarName);
+  VarLogSize = (UINT32)(sizeof (*VarLog) + VarNameLength * sizeof (*VarName) + VarSize
+                        - sizeof (VarLog->UnicodeName) - sizeof (VarLog->VariableData));
+
+  VarLog = (EFI_VARIABLE_DATA_TREE *) AllocateZeroPool (VarLogSize);
+  if (VarLog == NULL) {
+    return EFI_OUT_OF_RESOURCES;
+  }
+
+  CopyMem (&VarLog->VariableName, VendorGuid, sizeof(VarLog->VariableName));
+  VarLog->UnicodeNameLength  = VarNameLength;
+  VarLog->VariableDataLength = VarSize;
+  CopyMem (
+     VarLog->UnicodeName,
+     VarName,
+     VarNameLength * sizeof (*VarName)
+     );
+  if (VarSize != 0) {
+    CopyMem (
+       (CHAR16 *)VarLog->UnicodeName + VarNameLength,
+       VarData,
+       VarSize
+       );
+  }
+
+  DEBUG ((EFI_D_INFO, "AuthVariableDxe: MeasureVariable (Pcr - %x, EventType - %x, ", (UINTN)7, (UINTN)EV_EFI_VARIABLE_AUTHORITY));
+  DEBUG ((EFI_D_INFO, "VariableName - %s, VendorGuid - %g)\n", VarName, VendorGuid));
+
+  Status = TpmMeasureAndLogData (
+             7,
+             EV_EFI_VARIABLE_DRIVER_CONFIG,
+             VarLog,
+             VarLogSize,
+             VarLog,
+             VarLogSize
+             );
+  FreePool (VarLog);
+  return Status;
+}
+
+/**
+  Returns the status whether get the variable success. The function retrieves
+  variable  through the UEFI Runtime Service GetVariable().  The
+  returned buffer is allocated using AllocatePool().  The caller is responsible
+  for freeing this buffer with FreePool().
+
+  This API is only invoked in boot time. It may NOT be invoked at runtime.
+
+  @param[in]  Name  The pointer to a Null-terminated Unicode string.
+  @param[in]  Guid  The pointer to an EFI_GUID structure
+  @param[out] Value The buffer point saved the variable info.
+  @param[out] Size  The buffer size of the variable.
+
+  @return EFI_OUT_OF_RESOURCES      Allocate buffer failed.
+  @return EFI_SUCCESS               Find the specified variable.
+  @return Others Errors             Return errors from call to gRT->GetVariable.
+
+**/
+EFI_STATUS
+InternalGetVariable (
+  IN CONST CHAR16    *Name,
+  IN CONST EFI_GUID  *Guid,
+  OUT VOID           **Value,
+  OUT UINTN          *Size
+  )
+{
+  EFI_STATUS  Status;
+  UINTN       BufferSize;
+
+  //
+  // Try to get the variable size.
+  //
+  BufferSize = 0;
+  *Value     = NULL;
+  if (Size != NULL) {
+    *Size  = 0;
+  }
+
+  Status = gRT->GetVariable ((CHAR16 *) Name, (EFI_GUID *) Guid, NULL, &BufferSize, *Value);
+  if (Status != EFI_BUFFER_TOO_SMALL) {
+    return Status;
+  }
+
+  //
+  // Allocate buffer to get the variable.
+  //
+  *Value = AllocatePool (BufferSize);
+  ASSERT (*Value != NULL);
+  if (*Value == NULL) {
+    return EFI_OUT_OF_RESOURCES;
+  }
+
+  //
+  // Get the variable data.
+  //
+  Status = gRT->GetVariable ((CHAR16 *) Name, (EFI_GUID *) Guid, NULL, &BufferSize, *Value);
+  if (EFI_ERROR (Status)) {
+    FreePool(*Value);
+    *Value = NULL;
+  }
+
+  if (Size != NULL) {
+    *Size = BufferSize;
+  }
+
+  return Status;
+}
+
+/**
+  SecureBoot Hook for SetVariable.
+
+  @param[in] VariableName                 Name of Variable to be found.
+  @param[in] VendorGuid                   Variable vendor GUID.
+
+**/
+VOID
+EFIAPI
+SecureBootHook (
+  IN CHAR16                                 *VariableName,
+  IN EFI_GUID                               *VendorGuid
+  )
+{
+  EFI_STATUS                        Status;
+  UINTN                             VariableDataSize;
+  VOID                              *VariableData;
+
+  if (!IsSecureBootPolicyVariable (VariableName, VendorGuid)) {
+    return ;
+  }
+
+  //
+  // We should NOT use Data and DataSize here,because it may include signature,
+  // or is just partial with append attributes, or is deleted.
+  // We should GetVariable again, to get full variable content.
+  //
+  Status = InternalGetVariable (
+             VariableName,
+             VendorGuid,
+             &VariableData,
+             &VariableDataSize
+             );
+  if (EFI_ERROR (Status)) {
+    VariableData     = NULL;
+    VariableDataSize = 0;
+  }
+
+  Status = MeasureVariable (
+             VariableName,
+             VendorGuid,
+             VariableData,
+             VariableDataSize
+             );
+  DEBUG ((EFI_D_INFO, "MeasureBootPolicyVariable - %r\n", Status));
+
+  if (VariableData != NULL) {
+    FreePool (VariableData);
+  }
+
+  return ;
+}
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/Reclaim.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/Reclaim.c
@@ -1,9 +1,8 @@
 /** @file
-  
   Handles non-volatile variable store garbage collection, using FTW
   (Fault Tolerant Write) protocol.
 
-Copyright (c) 2006 - 2014, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2006 - 2015, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials
 are licensed and made available under the terms and conditions of the BSD License
 which accompanies this distribution.  The full text of the license may be found at
@@ -50,7 +49,7 @@ GetLbaAndOffsetByAddress (
   Fvb     = NULL;
   *Lba    = (EFI_LBA) (-1);
   *Offset = 0;
-  
+
   //
   // Get the proper FVB protocol.
   //