2010-12-10 10:27:54 +01:00
|
|
|
/** @file
|
2015-07-01 05:08:29 +02:00
|
|
|
The sample implementation for SMM variable protocol. And this driver
|
|
|
|
|
implements an SMI handler to communicate with the DXE runtime driver
|
2010-12-10 10:27:54 +01:00
|
|
|
to provide variable services.
|
|
|
|
|
|
2012-07-13 07:15:06 +02:00
|
|
|
Caution: This module requires additional review when modified.
|
|
|
|
|
This driver will have external input - variable data and communicate buffer in SMM mode.
|
|
|
|
|
This external input must be validated carefully to avoid security issue like
|
|
|
|
|
buffer overflow, integer overflow.
|
|
|
|
|
|
|
|
|
|
SmmVariableHandler() will receive untrusted input and do basic validation.
|
|
|
|
|
|
2015-07-01 05:08:29 +02:00
|
|
|
Each sub function VariableServiceGetVariable(), VariableServiceGetNextVariableName(),
|
|
|
|
|
VariableServiceSetVariable(), VariableServiceQueryVariableInfo(), ReclaimForOS(),
|
2012-07-13 07:15:06 +02:00
|
|
|
SmmVariableGetStatistics() should also do validation based on its own knowledge.
|
|
|
|
|
|
2016-08-30 03:57:59 +02:00
|
|
|
Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.<BR>
|
2015-07-01 05:08:29 +02:00
|
|
|
This program and the accompanying materials
|
|
|
|
|
are licensed and made available under the terms and conditions of the BSD License
|
|
|
|
|
which accompanies this distribution. The full text of the license may be found at
|
2012-07-13 07:15:06 +02:00
|
|
|
http://opensource.org/licenses/bsd-license.php
|
2010-12-10 10:27:54 +01:00
|
|
|
|
2015-07-01 05:08:29 +02:00
|
|
|
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
|
|
|
|
|
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
|
2010-12-10 10:27:54 +01:00
|
|
|
|
|
|
|
|
**/
|
2015-07-01 05:08:29 +02:00
|
|
|
|
2011-02-28 08:31:45 +01:00
|
|
|
#include <Protocol/SmmVariable.h>
|
|
|
|
|
#include <Protocol/SmmFirmwareVolumeBlock.h>
|
2010-12-10 10:27:54 +01:00
|
|
|
#include <Protocol/SmmFaultTolerantWrite.h>
|
2013-05-17 05:49:35 +02:00
|
|
|
#include <Protocol/SmmEndOfDxe.h>
|
2015-01-05 04:38:36 +01:00
|
|
|
#include <Protocol/SmmVarCheck.h>
|
2012-07-13 07:15:06 +02:00
|
|
|
|
2010-12-10 10:27:54 +01:00
|
|
|
#include <Library/SmmServicesTableLib.h>
|
2015-02-02 15:42:22 +01:00
|
|
|
#include <Library/SmmMemLib.h>
|
2010-12-10 10:27:54 +01:00
|
|
|
|
2011-02-28 08:31:45 +01:00
|
|
|
#include <Guid/SmmVariableCommon.h>
|
2010-12-10 10:27:54 +01:00
|
|
|
#include "Variable.h"
|
|
|
|
|
|
2011-02-28 08:31:45 +01:00
|
|
|
extern VARIABLE_INFO_ENTRY *gVariableInfo;
|
2010-12-10 10:27:54 +01:00
|
|
|
EFI_HANDLE mSmmVariableHandle = NULL;
|
|
|
|
|
EFI_HANDLE mVariableHandle = NULL;
|
|
|
|
|
BOOLEAN mAtRuntime = FALSE;
|
2013-05-07 07:38:32 +02:00
|
|
|
UINT8 *mVariableBufferPayload = NULL;
|
|
|
|
|
UINTN mVariableBufferPayloadSize;
|
2013-05-17 05:49:35 +02:00
|
|
|
extern BOOLEAN mEndOfDxe;
|
2015-08-25 05:01:56 +02:00
|
|
|
extern VAR_CHECK_REQUEST_SOURCE mRequestSource;
|
2013-05-17 05:49:35 +02:00
|
|
|
|
2015-07-01 05:08:29 +02:00
|
|
|
/**
|
|
|
|
|
SecureBoot Hook for SetVariable.
|
|
|
|
|
|
|
|
|
|
@param[in] VariableName Name of Variable to be found.
|
|
|
|
|
@param[in] VendorGuid Variable vendor GUID.
|
|
|
|
|
|
|
|
|
|
**/
|
|
|
|
|
VOID
|
|
|
|
|
EFIAPI
|
|
|
|
|
SecureBootHook (
|
|
|
|
|
IN CHAR16 *VariableName,
|
|
|
|
|
IN EFI_GUID *VendorGuid
|
|
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
return ;
|
|
|
|
|
}
|
|
|
|
|
|
2013-05-17 05:49:35 +02:00
|
|
|
/**
|
|
|
|
|
|
|
|
|
|
This code sets variable in storage blocks (Volatile or Non-Volatile).
|
|
|
|
|
|
|
|
|
|
@param VariableName Name of Variable to be found.
|
|
|
|
|
@param VendorGuid Variable vendor GUID.
|
|
|
|
|
@param Attributes Attribute value of the variable found
|
|
|
|
|
@param DataSize Size of Data found. If size is less than the
|
|
|
|
|
data, this value contains the required size.
|
|
|
|
|
@param Data Data pointer.
|
|
|
|
|
|
|
|
|
|
@return EFI_INVALID_PARAMETER Invalid parameter.
|
|
|
|
|
@return EFI_SUCCESS Set successfully.
|
|
|
|
|
@return EFI_OUT_OF_RESOURCES Resource not enough to set variable.
|
|
|
|
|
@return EFI_NOT_FOUND Not found.
|
|
|
|
|
@return EFI_WRITE_PROTECTED Variable is read-only.
|
|
|
|
|
|
|
|
|
|
**/
|
|
|
|
|
EFI_STATUS
|
|
|
|
|
EFIAPI
|
|
|
|
|
SmmVariableSetVariable (
|
|
|
|
|
IN CHAR16 *VariableName,
|
|
|
|
|
IN EFI_GUID *VendorGuid,
|
|
|
|
|
IN UINT32 Attributes,
|
|
|
|
|
IN UINTN DataSize,
|
|
|
|
|
IN VOID *Data
|
|
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
EFI_STATUS Status;
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Disable write protection when the calling SetVariable() through EFI_SMM_VARIABLE_PROTOCOL.
|
|
|
|
|
//
|
2015-08-25 05:01:56 +02:00
|
|
|
mRequestSource = VarCheckFromTrusted;
|
2013-05-17 05:49:35 +02:00
|
|
|
Status = VariableServiceSetVariable (
|
|
|
|
|
VariableName,
|
|
|
|
|
VendorGuid,
|
|
|
|
|
Attributes,
|
|
|
|
|
DataSize,
|
|
|
|
|
Data
|
|
|
|
|
);
|
2015-08-25 05:01:56 +02:00
|
|
|
mRequestSource = VarCheckFromUntrusted;
|
2013-05-17 05:49:35 +02:00
|
|
|
return Status;
|
|
|
|
|
}
|
2013-05-07 07:38:32 +02:00
|
|
|
|
2010-12-10 10:27:54 +01:00
|
|
|
EFI_SMM_VARIABLE_PROTOCOL gSmmVariable = {
|
|
|
|
|
VariableServiceGetVariable,
|
|
|
|
|
VariableServiceGetNextVariableName,
|
2013-05-17 05:49:35 +02:00
|
|
|
SmmVariableSetVariable,
|
2010-12-10 10:27:54 +01:00
|
|
|
VariableServiceQueryVariableInfo
|
|
|
|
|
};
|
|
|
|
|
|
2015-01-05 04:38:36 +01:00
|
|
|
EDKII_SMM_VAR_CHECK_PROTOCOL mSmmVarCheck = { VarCheckRegisterSetVariableCheckHandler,
|
|
|
|
|
VarCheckVariablePropertySet,
|
|
|
|
|
VarCheckVariablePropertyGet };
|
|
|
|
|
|
2010-12-10 10:27:54 +01:00
|
|
|
/**
|
|
|
|
|
Return TRUE if ExitBootServices () has been called.
|
2015-07-01 05:08:29 +02:00
|
|
|
|
2010-12-10 10:27:54 +01:00
|
|
|
@retval TRUE If ExitBootServices () has been called.
|
|
|
|
|
**/
|
|
|
|
|
BOOLEAN
|
|
|
|
|
AtRuntime (
|
|
|
|
|
VOID
|
|
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
return mAtRuntime;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
Initializes a basic mutual exclusion lock.
|
|
|
|
|
|
2015-07-01 05:08:29 +02:00
|
|
|
This function initializes a basic mutual exclusion lock to the released state
|
|
|
|
|
and returns the lock. Each lock provides mutual exclusion access at its task
|
2010-12-10 10:27:54 +01:00
|
|
|
priority level. Since there is no preemption or multiprocessor support in EFI,
|
|
|
|
|
acquiring the lock only consists of raising to the locks TPL.
|
|
|
|
|
If Lock is NULL, then ASSERT().
|
|
|
|
|
If Priority is not a valid TPL value, then ASSERT().
|
|
|
|
|
|
|
|
|
|
@param Lock A pointer to the lock data structure to initialize.
|
|
|
|
|
@param Priority EFI TPL is associated with the lock.
|
|
|
|
|
|
|
|
|
|
@return The lock.
|
|
|
|
|
|
|
|
|
|
**/
|
|
|
|
|
EFI_LOCK *
|
|
|
|
|
InitializeLock (
|
|
|
|
|
IN OUT EFI_LOCK *Lock,
|
|
|
|
|
IN EFI_TPL Priority
|
|
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
return Lock;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
Acquires lock only at boot time. Simply returns at runtime.
|
|
|
|
|
|
|
|
|
|
This is a temperary function that will be removed when
|
|
|
|
|
EfiAcquireLock() in UefiLib can handle the call in UEFI
|
|
|
|
|
Runtimer driver in RT phase.
|
|
|
|
|
It calls EfiAcquireLock() at boot time, and simply returns
|
|
|
|
|
at runtime.
|
|
|
|
|
|
|
|
|
|
@param Lock A pointer to the lock to acquire.
|
|
|
|
|
|
|
|
|
|
**/
|
|
|
|
|
VOID
|
|
|
|
|
AcquireLockOnlyAtBootTime (
|
|
|
|
|
IN EFI_LOCK *Lock
|
|
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
Releases lock only at boot time. Simply returns at runtime.
|
|
|
|
|
|
|
|
|
|
This is a temperary function which will be removed when
|
|
|
|
|
EfiReleaseLock() in UefiLib can handle the call in UEFI
|
|
|
|
|
Runtimer driver in RT phase.
|
|
|
|
|
It calls EfiReleaseLock() at boot time and simply returns
|
|
|
|
|
at runtime.
|
|
|
|
|
|
|
|
|
|
@param Lock A pointer to the lock to release.
|
|
|
|
|
|
|
|
|
|
**/
|
|
|
|
|
VOID
|
|
|
|
|
ReleaseLockOnlyAtBootTime (
|
|
|
|
|
IN EFI_LOCK *Lock
|
|
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2016-10-19 09:01:26 +02:00
|
|
|
Retrieve the SMM Fault Tolerent Write protocol interface.
|
2010-12-10 10:27:54 +01:00
|
|
|
|
|
|
|
|
@param[out] FtwProtocol The interface of SMM Ftw protocol
|
|
|
|
|
|
|
|
|
|
@retval EFI_SUCCESS The SMM FTW protocol instance was found and returned in FtwProtocol.
|
|
|
|
|
@retval EFI_NOT_FOUND The SMM FTW protocol instance was not found.
|
|
|
|
|
@retval EFI_INVALID_PARAMETER SarProtocol is NULL.
|
|
|
|
|
|
|
|
|
|
**/
|
|
|
|
|
EFI_STATUS
|
|
|
|
|
GetFtwProtocol (
|
|
|
|
|
OUT VOID **FtwProtocol
|
|
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
EFI_STATUS Status;
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Locate Smm Fault Tolerent Write protocol
|
|
|
|
|
//
|
|
|
|
|
Status = gSmst->SmmLocateProtocol (
|
2015-07-01 05:08:29 +02:00
|
|
|
&gEfiSmmFaultTolerantWriteProtocolGuid,
|
|
|
|
|
NULL,
|
2010-12-10 10:27:54 +01:00
|
|
|
FtwProtocol
|
|
|
|
|
);
|
|
|
|
|
return Status;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
2016-10-19 09:01:26 +02:00
|
|
|
Retrieve the SMM FVB protocol interface by HANDLE.
|
2010-12-10 10:27:54 +01:00
|
|
|
|
|
|
|
|
@param[in] FvBlockHandle The handle of SMM FVB protocol that provides services for
|
|
|
|
|
reading, writing, and erasing the target block.
|
|
|
|
|
@param[out] FvBlock The interface of SMM FVB protocol
|
|
|
|
|
|
|
|
|
|
@retval EFI_SUCCESS The interface information for the specified protocol was returned.
|
|
|
|
|
@retval EFI_UNSUPPORTED The device does not support the SMM FVB protocol.
|
|
|
|
|
@retval EFI_INVALID_PARAMETER FvBlockHandle is not a valid EFI_HANDLE or FvBlock is NULL.
|
|
|
|
|
|
|
|
|
|
**/
|
|
|
|
|
EFI_STATUS
|
|
|
|
|
GetFvbByHandle (
|
|
|
|
|
IN EFI_HANDLE FvBlockHandle,
|
|
|
|
|
OUT EFI_FIRMWARE_VOLUME_BLOCK_PROTOCOL **FvBlock
|
|
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
//
|
|
|
|
|
// To get the SMM FVB protocol interface on the handle
|
|
|
|
|
//
|
|
|
|
|
return gSmst->SmmHandleProtocol (
|
|
|
|
|
FvBlockHandle,
|
|
|
|
|
&gEfiSmmFirmwareVolumeBlockProtocolGuid,
|
|
|
|
|
(VOID **) FvBlock
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
Function returns an array of handles that support the SMM FVB protocol
|
2015-07-01 05:08:29 +02:00
|
|
|
in a buffer allocated from pool.
|
2010-12-10 10:27:54 +01:00
|
|
|
|
|
|
|
|
@param[out] NumberHandles The number of handles returned in Buffer.
|
|
|
|
|
@param[out] Buffer A pointer to the buffer to return the requested
|
|
|
|
|
array of handles that support SMM FVB protocol.
|
|
|
|
|
|
|
|
|
|
@retval EFI_SUCCESS The array of handles was returned in Buffer, and the number of
|
|
|
|
|
handles in Buffer was returned in NumberHandles.
|
|
|
|
|
@retval EFI_NOT_FOUND No SMM FVB handle was found.
|
|
|
|
|
@retval EFI_OUT_OF_RESOURCES There is not enough pool memory to store the matching results.
|
|
|
|
|
@retval EFI_INVALID_PARAMETER NumberHandles is NULL or Buffer is NULL.
|
|
|
|
|
|
|
|
|
|
**/
|
|
|
|
|
EFI_STATUS
|
|
|
|
|
GetFvbCountAndBuffer (
|
|
|
|
|
OUT UINTN *NumberHandles,
|
|
|
|
|
OUT EFI_HANDLE **Buffer
|
|
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
EFI_STATUS Status;
|
|
|
|
|
UINTN BufferSize;
|
|
|
|
|
|
|
|
|
|
if ((NumberHandles == NULL) || (Buffer == NULL)) {
|
|
|
|
|
return EFI_INVALID_PARAMETER;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
BufferSize = 0;
|
|
|
|
|
*NumberHandles = 0;
|
|
|
|
|
*Buffer = NULL;
|
|
|
|
|
Status = gSmst->SmmLocateHandle (
|
|
|
|
|
ByProtocol,
|
|
|
|
|
&gEfiSmmFirmwareVolumeBlockProtocolGuid,
|
|
|
|
|
NULL,
|
|
|
|
|
&BufferSize,
|
|
|
|
|
*Buffer
|
|
|
|
|
);
|
|
|
|
|
if (EFI_ERROR(Status) && Status != EFI_BUFFER_TOO_SMALL) {
|
|
|
|
|
return EFI_NOT_FOUND;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
*Buffer = AllocatePool (BufferSize);
|
|
|
|
|
if (*Buffer == NULL) {
|
|
|
|
|
return EFI_OUT_OF_RESOURCES;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Status = gSmst->SmmLocateHandle (
|
|
|
|
|
ByProtocol,
|
|
|
|
|
&gEfiSmmFirmwareVolumeBlockProtocolGuid,
|
|
|
|
|
NULL,
|
|
|
|
|
&BufferSize,
|
|
|
|
|
*Buffer
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
*NumberHandles = BufferSize / sizeof(EFI_HANDLE);
|
|
|
|
|
if (EFI_ERROR(Status)) {
|
|
|
|
|
*NumberHandles = 0;
|
2013-05-07 07:38:32 +02:00
|
|
|
FreePool (*Buffer);
|
|
|
|
|
*Buffer = NULL;
|
2010-12-10 10:27:54 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return Status;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
Get the variable statistics information from the information buffer pointed by gVariableInfo.
|
|
|
|
|
|
2012-07-13 07:15:06 +02:00
|
|
|
Caution: This function may be invoked at SMM runtime.
|
|
|
|
|
InfoEntry and InfoSize are external input. Care must be taken to make sure not security issue at runtime.
|
|
|
|
|
|
|
|
|
|
@param[in, out] InfoEntry A pointer to the buffer of variable information entry.
|
2015-07-01 05:08:29 +02:00
|
|
|
On input, point to the variable information returned last time. if
|
2012-07-13 07:15:06 +02:00
|
|
|
InfoEntry->VendorGuid is zero, return the first information.
|
|
|
|
|
On output, point to the next variable information.
|
|
|
|
|
@param[in, out] InfoSize On input, the size of the variable information buffer.
|
|
|
|
|
On output, the returned variable information size.
|
2010-12-10 10:27:54 +01:00
|
|
|
|
2015-07-01 05:08:29 +02:00
|
|
|
@retval EFI_SUCCESS The variable information is found and returned successfully.
|
|
|
|
|
@retval EFI_UNSUPPORTED No variable inoformation exists in variable driver. The
|
|
|
|
|
PcdVariableCollectStatistics should be set TRUE to support it.
|
|
|
|
|
@retval EFI_BUFFER_TOO_SMALL The buffer is too small to hold the next variable information.
|
|
|
|
|
@retval EFI_INVALID_PARAMETER Input parameter is invalid.
|
2010-12-10 10:27:54 +01:00
|
|
|
|
|
|
|
|
**/
|
|
|
|
|
EFI_STATUS
|
|
|
|
|
SmmVariableGetStatistics (
|
2011-02-28 08:31:45 +01:00
|
|
|
IN OUT VARIABLE_INFO_ENTRY *InfoEntry,
|
2010-12-10 10:27:54 +01:00
|
|
|
IN OUT UINTN *InfoSize
|
|
|
|
|
)
|
|
|
|
|
{
|
2011-02-28 08:31:45 +01:00
|
|
|
VARIABLE_INFO_ENTRY *VariableInfo;
|
2016-12-08 11:16:05 +01:00
|
|
|
UINTN NameSize;
|
2010-12-10 10:27:54 +01:00
|
|
|
UINTN StatisticsInfoSize;
|
|
|
|
|
CHAR16 *InfoName;
|
2016-12-08 11:16:05 +01:00
|
|
|
UINTN InfoNameMaxSize;
|
2013-05-07 07:38:32 +02:00
|
|
|
EFI_GUID VendorGuid;
|
|
|
|
|
|
2015-07-01 05:08:29 +02:00
|
|
|
if (InfoEntry == NULL) {
|
|
|
|
|
return EFI_INVALID_PARAMETER;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
VariableInfo = gVariableInfo;
|
2010-12-10 10:27:54 +01:00
|
|
|
if (VariableInfo == NULL) {
|
|
|
|
|
return EFI_UNSUPPORTED;
|
|
|
|
|
}
|
|
|
|
|
|
2016-12-08 11:16:05 +01:00
|
|
|
StatisticsInfoSize = sizeof (VARIABLE_INFO_ENTRY);
|
2012-07-17 10:07:29 +02:00
|
|
|
if (*InfoSize < StatisticsInfoSize) {
|
2010-12-10 10:27:54 +01:00
|
|
|
*InfoSize = StatisticsInfoSize;
|
|
|
|
|
return EFI_BUFFER_TOO_SMALL;
|
|
|
|
|
}
|
|
|
|
|
InfoName = (CHAR16 *)(InfoEntry + 1);
|
2016-12-08 11:16:05 +01:00
|
|
|
InfoNameMaxSize = (*InfoSize - sizeof (VARIABLE_INFO_ENTRY));
|
2010-12-10 10:27:54 +01:00
|
|
|
|
2013-05-07 07:38:32 +02:00
|
|
|
CopyGuid (&VendorGuid, &InfoEntry->VendorGuid);
|
|
|
|
|
|
2016-08-30 03:57:59 +02:00
|
|
|
if (IsZeroGuid (&VendorGuid)) {
|
2010-12-10 10:27:54 +01:00
|
|
|
//
|
|
|
|
|
// Return the first variable info
|
|
|
|
|
//
|
2016-12-08 11:16:05 +01:00
|
|
|
NameSize = StrSize (VariableInfo->Name);
|
|
|
|
|
StatisticsInfoSize = sizeof (VARIABLE_INFO_ENTRY) + NameSize;
|
|
|
|
|
if (*InfoSize < StatisticsInfoSize) {
|
|
|
|
|
*InfoSize = StatisticsInfoSize;
|
|
|
|
|
return EFI_BUFFER_TOO_SMALL;
|
|
|
|
|
}
|
2011-02-28 08:31:45 +01:00
|
|
|
CopyMem (InfoEntry, VariableInfo, sizeof (VARIABLE_INFO_ENTRY));
|
2016-12-08 11:16:05 +01:00
|
|
|
CopyMem (InfoName, VariableInfo->Name, NameSize);
|
2010-12-10 10:27:54 +01:00
|
|
|
*InfoSize = StatisticsInfoSize;
|
|
|
|
|
return EFI_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Get the next variable info
|
|
|
|
|
//
|
|
|
|
|
while (VariableInfo != NULL) {
|
2013-05-07 07:38:32 +02:00
|
|
|
if (CompareGuid (&VariableInfo->VendorGuid, &VendorGuid)) {
|
2016-12-08 11:16:05 +01:00
|
|
|
NameSize = StrSize (VariableInfo->Name);
|
|
|
|
|
if (NameSize <= InfoNameMaxSize) {
|
|
|
|
|
if (CompareMem (VariableInfo->Name, InfoName, NameSize) == 0) {
|
2010-12-10 10:27:54 +01:00
|
|
|
//
|
|
|
|
|
// Find the match one
|
|
|
|
|
//
|
|
|
|
|
VariableInfo = VariableInfo->Next;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
VariableInfo = VariableInfo->Next;
|
|
|
|
|
};
|
2015-07-01 05:08:29 +02:00
|
|
|
|
2010-12-10 10:27:54 +01:00
|
|
|
if (VariableInfo == NULL) {
|
|
|
|
|
*InfoSize = 0;
|
|
|
|
|
return EFI_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Output the new variable info
|
|
|
|
|
//
|
2016-12-08 11:16:05 +01:00
|
|
|
NameSize = StrSize (VariableInfo->Name);
|
|
|
|
|
StatisticsInfoSize = sizeof (VARIABLE_INFO_ENTRY) + NameSize;
|
2010-12-10 10:27:54 +01:00
|
|
|
if (*InfoSize < StatisticsInfoSize) {
|
|
|
|
|
*InfoSize = StatisticsInfoSize;
|
|
|
|
|
return EFI_BUFFER_TOO_SMALL;
|
|
|
|
|
}
|
|
|
|
|
|
2011-02-28 08:31:45 +01:00
|
|
|
CopyMem (InfoEntry, VariableInfo, sizeof (VARIABLE_INFO_ENTRY));
|
2016-12-08 11:16:05 +01:00
|
|
|
CopyMem (InfoName, VariableInfo->Name, NameSize);
|
2010-12-10 10:27:54 +01:00
|
|
|
*InfoSize = StatisticsInfoSize;
|
2015-07-01 05:08:29 +02:00
|
|
|
|
2010-12-10 10:27:54 +01:00
|
|
|
return EFI_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
Communication service SMI Handler entry.
|
|
|
|
|
|
|
|
|
|
This SMI handler provides services for the variable wrapper driver.
|
|
|
|
|
|
2012-07-13 07:15:06 +02:00
|
|
|
Caution: This function may receive untrusted input.
|
|
|
|
|
This variable data and communicate buffer are external input, so this function will do basic validation.
|
2015-07-01 05:08:29 +02:00
|
|
|
Each sub function VariableServiceGetVariable(), VariableServiceGetNextVariableName(),
|
|
|
|
|
VariableServiceSetVariable(), VariableServiceQueryVariableInfo(), ReclaimForOS(),
|
2012-07-13 07:15:06 +02:00
|
|
|
SmmVariableGetStatistics() should also do validation based on its own knowledge.
|
|
|
|
|
|
2010-12-10 10:27:54 +01:00
|
|
|
@param[in] DispatchHandle The unique handle assigned to this handler by SmiHandlerRegister().
|
|
|
|
|
@param[in] RegisterContext Points to an optional handler context which was specified when the
|
|
|
|
|
handler was registered.
|
|
|
|
|
@param[in, out] CommBuffer A pointer to a collection of data in memory that will
|
|
|
|
|
be conveyed from a non-SMM environment into an SMM environment.
|
|
|
|
|
@param[in, out] CommBufferSize The size of the CommBuffer.
|
|
|
|
|
|
2015-07-01 05:08:29 +02:00
|
|
|
@retval EFI_SUCCESS The interrupt was handled and quiesced. No other handlers
|
2010-12-10 10:27:54 +01:00
|
|
|
should still be called.
|
2015-07-01 05:08:29 +02:00
|
|
|
@retval EFI_WARN_INTERRUPT_SOURCE_QUIESCED The interrupt has been quiesced but other handlers should
|
2010-12-10 10:27:54 +01:00
|
|
|
still be called.
|
2015-07-01 05:08:29 +02:00
|
|
|
@retval EFI_WARN_INTERRUPT_SOURCE_PENDING The interrupt is still pending and other handlers should still
|
2010-12-10 10:27:54 +01:00
|
|
|
be called.
|
|
|
|
|
@retval EFI_INTERRUPT_PENDING The interrupt could not be quiesced.
|
|
|
|
|
**/
|
|
|
|
|
EFI_STATUS
|
|
|
|
|
EFIAPI
|
|
|
|
|
SmmVariableHandler (
|
|
|
|
|
IN EFI_HANDLE DispatchHandle,
|
|
|
|
|
IN CONST VOID *RegisterContext,
|
|
|
|
|
IN OUT VOID *CommBuffer,
|
|
|
|
|
IN OUT UINTN *CommBufferSize
|
|
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
EFI_STATUS Status;
|
|
|
|
|
SMM_VARIABLE_COMMUNICATE_HEADER *SmmVariableFunctionHeader;
|
|
|
|
|
SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *SmmVariableHeader;
|
|
|
|
|
SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *GetNextVariableName;
|
|
|
|
|
SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO *QueryVariableInfo;
|
2015-07-01 05:08:29 +02:00
|
|
|
SMM_VARIABLE_COMMUNICATE_GET_PAYLOAD_SIZE *GetPayloadSize;
|
2011-02-28 08:31:45 +01:00
|
|
|
VARIABLE_INFO_ENTRY *VariableInfo;
|
2013-05-17 05:49:35 +02:00
|
|
|
SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE *VariableToLock;
|
2015-01-05 04:38:36 +01:00
|
|
|
SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY *CommVariableProperty;
|
2010-12-10 10:27:54 +01:00
|
|
|
UINTN InfoSize;
|
2013-04-25 12:49:45 +02:00
|
|
|
UINTN NameBufferSize;
|
2013-05-07 07:38:32 +02:00
|
|
|
UINTN CommBufferPayloadSize;
|
2013-05-21 04:22:02 +02:00
|
|
|
UINTN TempCommBufferSize;
|
2010-12-10 10:27:54 +01:00
|
|
|
|
2012-07-13 07:15:06 +02:00
|
|
|
//
|
|
|
|
|
// If input is invalid, stop processing this SMI
|
|
|
|
|
//
|
|
|
|
|
if (CommBuffer == NULL || CommBufferSize == NULL) {
|
|
|
|
|
return EFI_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
2013-05-21 04:22:02 +02:00
|
|
|
TempCommBufferSize = *CommBufferSize;
|
|
|
|
|
|
|
|
|
|
if (TempCommBufferSize < SMM_VARIABLE_COMMUNICATE_HEADER_SIZE) {
|
2013-05-07 07:38:32 +02:00
|
|
|
DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer size invalid!\n"));
|
|
|
|
|
return EFI_SUCCESS;
|
|
|
|
|
}
|
2013-05-21 04:22:02 +02:00
|
|
|
CommBufferPayloadSize = TempCommBufferSize - SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;
|
2013-05-07 07:38:32 +02:00
|
|
|
if (CommBufferPayloadSize > mVariableBufferPayloadSize) {
|
|
|
|
|
DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer payload size invalid!\n"));
|
2012-07-13 07:15:06 +02:00
|
|
|
return EFI_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
2015-02-02 15:42:22 +01:00
|
|
|
if (!SmmIsBufferOutsideSmmValid ((UINTN)CommBuffer, TempCommBufferSize)) {
|
2013-05-07 07:38:32 +02:00
|
|
|
DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer in SMRAM or overflow!\n"));
|
2012-07-13 07:15:06 +02:00
|
|
|
return EFI_SUCCESS;
|
|
|
|
|
}
|
2010-12-10 10:27:54 +01:00
|
|
|
|
|
|
|
|
SmmVariableFunctionHeader = (SMM_VARIABLE_COMMUNICATE_HEADER *)CommBuffer;
|
|
|
|
|
switch (SmmVariableFunctionHeader->Function) {
|
|
|
|
|
case SMM_VARIABLE_FUNCTION_GET_VARIABLE:
|
2013-05-07 07:38:32 +02:00
|
|
|
if (CommBufferPayloadSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) {
|
|
|
|
|
DEBUG ((EFI_D_ERROR, "GetVariable: SMM communication buffer size invalid!\n"));
|
|
|
|
|
return EFI_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
//
|
|
|
|
|
// Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.
|
|
|
|
|
//
|
|
|
|
|
CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize);
|
|
|
|
|
SmmVariableHeader = (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *) mVariableBufferPayload;
|
2013-04-25 12:49:45 +02:00
|
|
|
if (((UINTN)(~0) - SmmVariableHeader->DataSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) ||
|
|
|
|
|
((UINTN)(~0) - SmmVariableHeader->NameSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + SmmVariableHeader->DataSize)) {
|
|
|
|
|
//
|
|
|
|
|
// Prevent InfoSize overflow happen
|
|
|
|
|
//
|
|
|
|
|
Status = EFI_ACCESS_DENIED;
|
|
|
|
|
goto EXIT;
|
|
|
|
|
}
|
2015-07-01 05:08:29 +02:00
|
|
|
InfoSize = OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)
|
2012-07-13 07:15:06 +02:00
|
|
|
+ SmmVariableHeader->DataSize + SmmVariableHeader->NameSize;
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// SMRAM range check already covered before
|
|
|
|
|
//
|
2013-05-07 07:38:32 +02:00
|
|
|
if (InfoSize > CommBufferPayloadSize) {
|
|
|
|
|
DEBUG ((EFI_D_ERROR, "GetVariable: Data size exceed communication buffer size limit!\n"));
|
2012-07-13 07:15:06 +02:00
|
|
|
Status = EFI_ACCESS_DENIED;
|
|
|
|
|
goto EXIT;
|
|
|
|
|
}
|
|
|
|
|
|
MdeModulePkg/Variable: [CVE-2017-5753] Fix bounds check bypass
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1194
Speculative execution is used by processor to avoid having to wait for
data to arrive from memory, or for previous operations to finish, the
processor may speculate as to what will be executed.
If the speculation is incorrect, the speculatively executed instructions
might leave hints such as which memory locations have been brought into
cache. Malicious actors can use the bounds check bypass method (code
gadgets with controlled external inputs) to infer data values that have
been used in speculative operations to reveal secrets which should not
otherwise be accessed.
This commit will focus on the SMI handler(s) registered within the
Variable\RuntimeDxe driver and insert AsmLfence API to mitigate the
bounds check bypass issue.
For SMI handler SmmVariableHandler():
Under "case SMM_VARIABLE_FUNCTION_GET_VARIABLE:",
'SmmVariableHeader->NameSize' can be a potential cross boundary access of
the 'CommBuffer' (controlled external input) during speculative execution.
This cross boundary access is later used as the index to access array
'SmmVariableHeader->Name' by code:
"SmmVariableHeader->Name[SmmVariableHeader->NameSize/sizeof (CHAR16) - 1]"
One can observe which part of the content within array was brought into
cache to possibly reveal the value of 'SmmVariableHeader->NameSize'.
Hence, this commit adds a AsmLfence() after the boundary/range checks of
'CommBuffer' to prevent the speculative execution.
And there are 2 similar cases under
"case SMM_VARIABLE_FUNCTION_SET_VARIABLE:" and
"case SMM_VARIABLE_FUNCTION_VAR_CHECK_VARIABLE_PROPERTY_GET:" as well.
This commits also handles them.
Also, under "case SMM_VARIABLE_FUNCTION_SET_VARIABLE:",
'(UINT8 *)SmmVariableHeader->Name + SmmVariableHeader->NameSize' points to
the 'CommBuffer' (with some offset) and then passed as parameter 'Data' to
function VariableServiceSetVariable().
Within function VariableServiceSetVariable(), there is a sanity check for
EFI_VARIABLE_AUTHENTICATION_2 descriptor for the data pointed by 'Data'.
If this check is speculatively bypassed, potential cross-boundary data
access for 'Data' is possible to be revealed via the below function calls
sequence during speculative execution:
AuthVariableLibProcessVariable()
ProcessVarWithPk() or ProcessVarWithKek()
Within function ProcessVarWithPk() or ProcessVarWithKek(), for the code
"PayloadSize = DataSize - AUTHINFO2_SIZE (Data);", 'AUTHINFO2_SIZE (Data)'
can be a cross boundary access during speculative execution.
Then, 'PayloadSize' is possible to be revealed by the function call
sequence:
AuthServiceInternalUpdateVariableWithTimeStamp()
mAuthVarLibContextIn->UpdateVariable()
VariableExLibUpdateVariable()
UpdateVariable()
CopyMem()
Hence, this commit adds a AsmLfence() after the sanity check for
EFI_VARIABLE_AUTHENTICATION_2 descriptor upon 'Data' within function
VariableServiceSetVariable() to prevent the speculative execution.
Also, please note that the change made within function
VariableServiceSetVariable() will affect DXE as well. However, since we
only focuses on the SMM codes, the commit will introduce a new module
internal function called VariableLoadFence() to handle this. This internal
function will have 2 implementations (1 for SMM, 1 for DXE). For the SMM
implementation, it is a wrapper to call the AsmLfence() API; for the DXE
implementation, it is empty.
A more detailed explanation of the purpose of commit is under the
'Bounds check bypass mitigation' section of the below link:
https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation
And the document at:
https://software.intel.com/security-software-guidance/api-app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Regression-tested-by: Laszlo Ersek <lersek@redhat.com>
2018-09-13 09:47:10 +02:00
|
|
|
//
|
|
|
|
|
// The MemoryLoadFence() call here is to ensure the previous range/content
|
|
|
|
|
// checks for the CommBuffer have been completed before the subsequent
|
|
|
|
|
// consumption of the CommBuffer content.
|
|
|
|
|
//
|
|
|
|
|
MemoryLoadFence ();
|
2013-04-25 12:49:45 +02:00
|
|
|
if (SmmVariableHeader->NameSize < sizeof (CHAR16) || SmmVariableHeader->Name[SmmVariableHeader->NameSize/sizeof (CHAR16) - 1] != L'\0') {
|
|
|
|
|
//
|
|
|
|
|
// Make sure VariableName is A Null-terminated string.
|
|
|
|
|
//
|
|
|
|
|
Status = EFI_ACCESS_DENIED;
|
|
|
|
|
goto EXIT;
|
|
|
|
|
}
|
|
|
|
|
|
2010-12-10 10:27:54 +01:00
|
|
|
Status = VariableServiceGetVariable (
|
|
|
|
|
SmmVariableHeader->Name,
|
|
|
|
|
&SmmVariableHeader->Guid,
|
|
|
|
|
&SmmVariableHeader->Attributes,
|
|
|
|
|
&SmmVariableHeader->DataSize,
|
|
|
|
|
(UINT8 *)SmmVariableHeader->Name + SmmVariableHeader->NameSize
|
|
|
|
|
);
|
2013-05-07 07:38:32 +02:00
|
|
|
CopyMem (SmmVariableFunctionHeader->Data, mVariableBufferPayload, CommBufferPayloadSize);
|
2010-12-10 10:27:54 +01:00
|
|
|
break;
|
2015-07-01 05:08:29 +02:00
|
|
|
|
2010-12-10 10:27:54 +01:00
|
|
|
case SMM_VARIABLE_FUNCTION_GET_NEXT_VARIABLE_NAME:
|
2013-05-07 07:38:32 +02:00
|
|
|
if (CommBufferPayloadSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name)) {
|
|
|
|
|
DEBUG ((EFI_D_ERROR, "GetNextVariableName: SMM communication buffer size invalid!\n"));
|
|
|
|
|
return EFI_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
//
|
|
|
|
|
// Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.
|
|
|
|
|
//
|
|
|
|
|
CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize);
|
|
|
|
|
GetNextVariableName = (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *) mVariableBufferPayload;
|
2013-04-25 12:49:45 +02:00
|
|
|
if ((UINTN)(~0) - GetNextVariableName->NameSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name)) {
|
|
|
|
|
//
|
|
|
|
|
// Prevent InfoSize overflow happen
|
|
|
|
|
//
|
|
|
|
|
Status = EFI_ACCESS_DENIED;
|
|
|
|
|
goto EXIT;
|
|
|
|
|
}
|
2012-07-13 07:15:06 +02:00
|
|
|
InfoSize = OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name) + GetNextVariableName->NameSize;
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// SMRAM range check already covered before
|
|
|
|
|
//
|
2013-05-07 07:38:32 +02:00
|
|
|
if (InfoSize > CommBufferPayloadSize) {
|
|
|
|
|
DEBUG ((EFI_D_ERROR, "GetNextVariableName: Data size exceed communication buffer size limit!\n"));
|
2012-07-13 07:15:06 +02:00
|
|
|
Status = EFI_ACCESS_DENIED;
|
|
|
|
|
goto EXIT;
|
|
|
|
|
}
|
|
|
|
|
|
2013-05-07 07:38:32 +02:00
|
|
|
NameBufferSize = CommBufferPayloadSize - OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name);
|
2013-04-25 12:49:45 +02:00
|
|
|
if (NameBufferSize < sizeof (CHAR16) || GetNextVariableName->Name[NameBufferSize/sizeof (CHAR16) - 1] != L'\0') {
|
|
|
|
|
//
|
|
|
|
|
// Make sure input VariableName is A Null-terminated string.
|
|
|
|
|
//
|
|
|
|
|
Status = EFI_ACCESS_DENIED;
|
|
|
|
|
goto EXIT;
|
|
|
|
|
}
|
|
|
|
|
|
2010-12-10 10:27:54 +01:00
|
|
|
Status = VariableServiceGetNextVariableName (
|
|
|
|
|
&GetNextVariableName->NameSize,
|
|
|
|
|
GetNextVariableName->Name,
|
|
|
|
|
&GetNextVariableName->Guid
|
|
|
|
|
);
|
2013-05-07 07:38:32 +02:00
|
|
|
CopyMem (SmmVariableFunctionHeader->Data, mVariableBufferPayload, CommBufferPayloadSize);
|
2010-12-10 10:27:54 +01:00
|
|
|
break;
|
2015-07-01 05:08:29 +02:00
|
|
|
|
2010-12-10 10:27:54 +01:00
|
|
|
case SMM_VARIABLE_FUNCTION_SET_VARIABLE:
|
2013-05-07 07:38:32 +02:00
|
|
|
if (CommBufferPayloadSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) {
|
|
|
|
|
DEBUG ((EFI_D_ERROR, "SetVariable: SMM communication buffer size invalid!\n"));
|
|
|
|
|
return EFI_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
//
|
|
|
|
|
// Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.
|
|
|
|
|
//
|
|
|
|
|
CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize);
|
|
|
|
|
SmmVariableHeader = (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *) mVariableBufferPayload;
|
2013-04-25 12:49:45 +02:00
|
|
|
if (((UINTN)(~0) - SmmVariableHeader->DataSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) ||
|
|
|
|
|
((UINTN)(~0) - SmmVariableHeader->NameSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + SmmVariableHeader->DataSize)) {
|
|
|
|
|
//
|
|
|
|
|
// Prevent InfoSize overflow happen
|
|
|
|
|
//
|
|
|
|
|
Status = EFI_ACCESS_DENIED;
|
|
|
|
|
goto EXIT;
|
|
|
|
|
}
|
2013-04-19 03:35:02 +02:00
|
|
|
InfoSize = OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)
|
|
|
|
|
+ SmmVariableHeader->DataSize + SmmVariableHeader->NameSize;
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// SMRAM range check already covered before
|
|
|
|
|
// Data buffer should not contain SMM range
|
|
|
|
|
//
|
2013-05-07 07:38:32 +02:00
|
|
|
if (InfoSize > CommBufferPayloadSize) {
|
|
|
|
|
DEBUG ((EFI_D_ERROR, "SetVariable: Data size exceed communication buffer size limit!\n"));
|
2013-04-19 03:35:02 +02:00
|
|
|
Status = EFI_ACCESS_DENIED;
|
|
|
|
|
goto EXIT;
|
|
|
|
|
}
|
|
|
|
|
|
MdeModulePkg/Variable: [CVE-2017-5753] Fix bounds check bypass
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1194
Speculative execution is used by processor to avoid having to wait for
data to arrive from memory, or for previous operations to finish, the
processor may speculate as to what will be executed.
If the speculation is incorrect, the speculatively executed instructions
might leave hints such as which memory locations have been brought into
cache. Malicious actors can use the bounds check bypass method (code
gadgets with controlled external inputs) to infer data values that have
been used in speculative operations to reveal secrets which should not
otherwise be accessed.
This commit will focus on the SMI handler(s) registered within the
Variable\RuntimeDxe driver and insert AsmLfence API to mitigate the
bounds check bypass issue.
For SMI handler SmmVariableHandler():
Under "case SMM_VARIABLE_FUNCTION_GET_VARIABLE:",
'SmmVariableHeader->NameSize' can be a potential cross boundary access of
the 'CommBuffer' (controlled external input) during speculative execution.
This cross boundary access is later used as the index to access array
'SmmVariableHeader->Name' by code:
"SmmVariableHeader->Name[SmmVariableHeader->NameSize/sizeof (CHAR16) - 1]"
One can observe which part of the content within array was brought into
cache to possibly reveal the value of 'SmmVariableHeader->NameSize'.
Hence, this commit adds a AsmLfence() after the boundary/range checks of
'CommBuffer' to prevent the speculative execution.
And there are 2 similar cases under
"case SMM_VARIABLE_FUNCTION_SET_VARIABLE:" and
"case SMM_VARIABLE_FUNCTION_VAR_CHECK_VARIABLE_PROPERTY_GET:" as well.
This commits also handles them.
Also, under "case SMM_VARIABLE_FUNCTION_SET_VARIABLE:",
'(UINT8 *)SmmVariableHeader->Name + SmmVariableHeader->NameSize' points to
the 'CommBuffer' (with some offset) and then passed as parameter 'Data' to
function VariableServiceSetVariable().
Within function VariableServiceSetVariable(), there is a sanity check for
EFI_VARIABLE_AUTHENTICATION_2 descriptor for the data pointed by 'Data'.
If this check is speculatively bypassed, potential cross-boundary data
access for 'Data' is possible to be revealed via the below function calls
sequence during speculative execution:
AuthVariableLibProcessVariable()
ProcessVarWithPk() or ProcessVarWithKek()
Within function ProcessVarWithPk() or ProcessVarWithKek(), for the code
"PayloadSize = DataSize - AUTHINFO2_SIZE (Data);", 'AUTHINFO2_SIZE (Data)'
can be a cross boundary access during speculative execution.
Then, 'PayloadSize' is possible to be revealed by the function call
sequence:
AuthServiceInternalUpdateVariableWithTimeStamp()
mAuthVarLibContextIn->UpdateVariable()
VariableExLibUpdateVariable()
UpdateVariable()
CopyMem()
Hence, this commit adds a AsmLfence() after the sanity check for
EFI_VARIABLE_AUTHENTICATION_2 descriptor upon 'Data' within function
VariableServiceSetVariable() to prevent the speculative execution.
Also, please note that the change made within function
VariableServiceSetVariable() will affect DXE as well. However, since we
only focuses on the SMM codes, the commit will introduce a new module
internal function called VariableLoadFence() to handle this. This internal
function will have 2 implementations (1 for SMM, 1 for DXE). For the SMM
implementation, it is a wrapper to call the AsmLfence() API; for the DXE
implementation, it is empty.
A more detailed explanation of the purpose of commit is under the
'Bounds check bypass mitigation' section of the below link:
https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation
And the document at:
https://software.intel.com/security-software-guidance/api-app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Regression-tested-by: Laszlo Ersek <lersek@redhat.com>
2018-09-13 09:47:10 +02:00
|
|
|
//
|
|
|
|
|
// The MemoryLoadFence() call here is to ensure the previous range/content
|
|
|
|
|
// checks for the CommBuffer have been completed before the subsequent
|
|
|
|
|
// consumption of the CommBuffer content.
|
|
|
|
|
//
|
|
|
|
|
MemoryLoadFence ();
|
2013-04-25 12:49:45 +02:00
|
|
|
if (SmmVariableHeader->NameSize < sizeof (CHAR16) || SmmVariableHeader->Name[SmmVariableHeader->NameSize/sizeof (CHAR16) - 1] != L'\0') {
|
|
|
|
|
//
|
|
|
|
|
// Make sure VariableName is A Null-terminated string.
|
|
|
|
|
//
|
|
|
|
|
Status = EFI_ACCESS_DENIED;
|
|
|
|
|
goto EXIT;
|
|
|
|
|
}
|
|
|
|
|
|
2010-12-10 10:27:54 +01:00
|
|
|
Status = VariableServiceSetVariable (
|
|
|
|
|
SmmVariableHeader->Name,
|
|
|
|
|
&SmmVariableHeader->Guid,
|
|
|
|
|
SmmVariableHeader->Attributes,
|
|
|
|
|
SmmVariableHeader->DataSize,
|
|
|
|
|
(UINT8 *)SmmVariableHeader->Name + SmmVariableHeader->NameSize
|
|
|
|
|
);
|
|
|
|
|
break;
|
2015-07-01 05:08:29 +02:00
|
|
|
|
2010-12-10 10:27:54 +01:00
|
|
|
case SMM_VARIABLE_FUNCTION_QUERY_VARIABLE_INFO:
|
2013-05-07 07:38:32 +02:00
|
|
|
if (CommBufferPayloadSize < sizeof (SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO)) {
|
|
|
|
|
DEBUG ((EFI_D_ERROR, "QueryVariableInfo: SMM communication buffer size invalid!\n"));
|
|
|
|
|
return EFI_SUCCESS;
|
2012-07-13 07:15:06 +02:00
|
|
|
}
|
2013-05-07 07:38:32 +02:00
|
|
|
QueryVariableInfo = (SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO *) SmmVariableFunctionHeader->Data;
|
2012-07-13 07:15:06 +02:00
|
|
|
|
2010-12-10 10:27:54 +01:00
|
|
|
Status = VariableServiceQueryVariableInfo (
|
|
|
|
|
QueryVariableInfo->Attributes,
|
|
|
|
|
&QueryVariableInfo->MaximumVariableStorageSize,
|
|
|
|
|
&QueryVariableInfo->RemainingVariableStorageSize,
|
|
|
|
|
&QueryVariableInfo->MaximumVariableSize
|
|
|
|
|
);
|
|
|
|
|
break;
|
|
|
|
|
|
2015-07-01 05:08:29 +02:00
|
|
|
case SMM_VARIABLE_FUNCTION_GET_PAYLOAD_SIZE:
|
|
|
|
|
if (CommBufferPayloadSize < sizeof (SMM_VARIABLE_COMMUNICATE_GET_PAYLOAD_SIZE)) {
|
|
|
|
|
DEBUG ((EFI_D_ERROR, "GetPayloadSize: SMM communication buffer size invalid!\n"));
|
|
|
|
|
return EFI_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
GetPayloadSize = (SMM_VARIABLE_COMMUNICATE_GET_PAYLOAD_SIZE *) SmmVariableFunctionHeader->Data;
|
|
|
|
|
GetPayloadSize->VariablePayloadSize = mVariableBufferPayloadSize;
|
|
|
|
|
Status = EFI_SUCCESS;
|
|
|
|
|
break;
|
|
|
|
|
|
2010-12-10 10:27:54 +01:00
|
|
|
case SMM_VARIABLE_FUNCTION_READY_TO_BOOT:
|
2012-07-17 10:21:42 +02:00
|
|
|
if (AtRuntime()) {
|
|
|
|
|
Status = EFI_UNSUPPORTED;
|
|
|
|
|
break;
|
|
|
|
|
}
|
2015-08-25 05:01:56 +02:00
|
|
|
if (!mEndOfDxe) {
|
2017-09-30 16:39:48 +02:00
|
|
|
MorLockInitAtEndOfDxe ();
|
2015-08-25 05:01:56 +02:00
|
|
|
mEndOfDxe = TRUE;
|
|
|
|
|
VarCheckLibInitializeAtEndOfDxe (NULL);
|
|
|
|
|
//
|
|
|
|
|
// The initialization for variable quota.
|
|
|
|
|
//
|
|
|
|
|
InitializeVariableQuota ();
|
|
|
|
|
}
|
2010-12-10 10:27:54 +01:00
|
|
|
ReclaimForOS ();
|
|
|
|
|
Status = EFI_SUCCESS;
|
|
|
|
|
break;
|
2015-07-01 05:08:29 +02:00
|
|
|
|
2010-12-10 10:27:54 +01:00
|
|
|
case SMM_VARIABLE_FUNCTION_EXIT_BOOT_SERVICE:
|
|
|
|
|
mAtRuntime = TRUE;
|
|
|
|
|
Status = EFI_SUCCESS;
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case SMM_VARIABLE_FUNCTION_GET_STATISTICS:
|
2011-02-28 08:31:45 +01:00
|
|
|
VariableInfo = (VARIABLE_INFO_ENTRY *) SmmVariableFunctionHeader->Data;
|
2013-05-21 04:22:02 +02:00
|
|
|
InfoSize = TempCommBufferSize - SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;
|
2012-07-13 07:15:06 +02:00
|
|
|
|
|
|
|
|
//
|
2015-07-01 05:08:29 +02:00
|
|
|
// Do not need to check SmmVariableFunctionHeader->Data in SMRAM here.
|
|
|
|
|
// It is covered by previous CommBuffer check
|
2012-07-13 07:15:06 +02:00
|
|
|
//
|
2015-07-01 05:08:29 +02:00
|
|
|
|
2016-12-09 07:47:03 +01:00
|
|
|
//
|
|
|
|
|
// Do not need to check CommBufferSize buffer as it should point to SMRAM
|
|
|
|
|
// that was used by SMM core to cache CommSize from SmmCommunication protocol.
|
|
|
|
|
//
|
2012-07-13 07:15:06 +02:00
|
|
|
|
2010-12-10 10:27:54 +01:00
|
|
|
Status = SmmVariableGetStatistics (VariableInfo, &InfoSize);
|
2012-12-12 15:12:49 +01:00
|
|
|
*CommBufferSize = InfoSize + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE;
|
2010-12-10 10:27:54 +01:00
|
|
|
break;
|
|
|
|
|
|
2013-05-17 05:49:35 +02:00
|
|
|
case SMM_VARIABLE_FUNCTION_LOCK_VARIABLE:
|
2013-05-20 09:04:56 +02:00
|
|
|
if (mEndOfDxe) {
|
2013-05-17 05:49:35 +02:00
|
|
|
Status = EFI_ACCESS_DENIED;
|
2013-05-20 09:04:56 +02:00
|
|
|
} else {
|
|
|
|
|
VariableToLock = (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE *) SmmVariableFunctionHeader->Data;
|
|
|
|
|
Status = VariableLockRequestToLock (
|
|
|
|
|
NULL,
|
|
|
|
|
VariableToLock->Name,
|
|
|
|
|
&VariableToLock->Guid
|
|
|
|
|
);
|
2013-05-17 05:49:35 +02:00
|
|
|
}
|
|
|
|
|
break;
|
2015-01-05 04:38:36 +01:00
|
|
|
case SMM_VARIABLE_FUNCTION_VAR_CHECK_VARIABLE_PROPERTY_SET:
|
|
|
|
|
if (mEndOfDxe) {
|
|
|
|
|
Status = EFI_ACCESS_DENIED;
|
|
|
|
|
} else {
|
|
|
|
|
CommVariableProperty = (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY *) SmmVariableFunctionHeader->Data;
|
|
|
|
|
Status = VarCheckVariablePropertySet (
|
|
|
|
|
CommVariableProperty->Name,
|
|
|
|
|
&CommVariableProperty->Guid,
|
|
|
|
|
&CommVariableProperty->VariableProperty
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
case SMM_VARIABLE_FUNCTION_VAR_CHECK_VARIABLE_PROPERTY_GET:
|
|
|
|
|
if (CommBufferPayloadSize < OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name)) {
|
|
|
|
|
DEBUG ((EFI_D_ERROR, "VarCheckVariablePropertyGet: SMM communication buffer size invalid!\n"));
|
|
|
|
|
return EFI_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
//
|
|
|
|
|
// Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload.
|
|
|
|
|
//
|
|
|
|
|
CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize);
|
|
|
|
|
CommVariableProperty = (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY *) mVariableBufferPayload;
|
|
|
|
|
if ((UINTN) (~0) - CommVariableProperty->NameSize < OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name)) {
|
|
|
|
|
//
|
|
|
|
|
// Prevent InfoSize overflow happen
|
|
|
|
|
//
|
|
|
|
|
Status = EFI_ACCESS_DENIED;
|
|
|
|
|
goto EXIT;
|
|
|
|
|
}
|
|
|
|
|
InfoSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name) + CommVariableProperty->NameSize;
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// SMRAM range check already covered before
|
|
|
|
|
//
|
|
|
|
|
if (InfoSize > CommBufferPayloadSize) {
|
|
|
|
|
DEBUG ((EFI_D_ERROR, "VarCheckVariablePropertyGet: Data size exceed communication buffer size limit!\n"));
|
|
|
|
|
Status = EFI_ACCESS_DENIED;
|
|
|
|
|
goto EXIT;
|
|
|
|
|
}
|
|
|
|
|
|
MdeModulePkg/Variable: [CVE-2017-5753] Fix bounds check bypass
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1194
Speculative execution is used by processor to avoid having to wait for
data to arrive from memory, or for previous operations to finish, the
processor may speculate as to what will be executed.
If the speculation is incorrect, the speculatively executed instructions
might leave hints such as which memory locations have been brought into
cache. Malicious actors can use the bounds check bypass method (code
gadgets with controlled external inputs) to infer data values that have
been used in speculative operations to reveal secrets which should not
otherwise be accessed.
This commit will focus on the SMI handler(s) registered within the
Variable\RuntimeDxe driver and insert AsmLfence API to mitigate the
bounds check bypass issue.
For SMI handler SmmVariableHandler():
Under "case SMM_VARIABLE_FUNCTION_GET_VARIABLE:",
'SmmVariableHeader->NameSize' can be a potential cross boundary access of
the 'CommBuffer' (controlled external input) during speculative execution.
This cross boundary access is later used as the index to access array
'SmmVariableHeader->Name' by code:
"SmmVariableHeader->Name[SmmVariableHeader->NameSize/sizeof (CHAR16) - 1]"
One can observe which part of the content within array was brought into
cache to possibly reveal the value of 'SmmVariableHeader->NameSize'.
Hence, this commit adds a AsmLfence() after the boundary/range checks of
'CommBuffer' to prevent the speculative execution.
And there are 2 similar cases under
"case SMM_VARIABLE_FUNCTION_SET_VARIABLE:" and
"case SMM_VARIABLE_FUNCTION_VAR_CHECK_VARIABLE_PROPERTY_GET:" as well.
This commits also handles them.
Also, under "case SMM_VARIABLE_FUNCTION_SET_VARIABLE:",
'(UINT8 *)SmmVariableHeader->Name + SmmVariableHeader->NameSize' points to
the 'CommBuffer' (with some offset) and then passed as parameter 'Data' to
function VariableServiceSetVariable().
Within function VariableServiceSetVariable(), there is a sanity check for
EFI_VARIABLE_AUTHENTICATION_2 descriptor for the data pointed by 'Data'.
If this check is speculatively bypassed, potential cross-boundary data
access for 'Data' is possible to be revealed via the below function calls
sequence during speculative execution:
AuthVariableLibProcessVariable()
ProcessVarWithPk() or ProcessVarWithKek()
Within function ProcessVarWithPk() or ProcessVarWithKek(), for the code
"PayloadSize = DataSize - AUTHINFO2_SIZE (Data);", 'AUTHINFO2_SIZE (Data)'
can be a cross boundary access during speculative execution.
Then, 'PayloadSize' is possible to be revealed by the function call
sequence:
AuthServiceInternalUpdateVariableWithTimeStamp()
mAuthVarLibContextIn->UpdateVariable()
VariableExLibUpdateVariable()
UpdateVariable()
CopyMem()
Hence, this commit adds a AsmLfence() after the sanity check for
EFI_VARIABLE_AUTHENTICATION_2 descriptor upon 'Data' within function
VariableServiceSetVariable() to prevent the speculative execution.
Also, please note that the change made within function
VariableServiceSetVariable() will affect DXE as well. However, since we
only focuses on the SMM codes, the commit will introduce a new module
internal function called VariableLoadFence() to handle this. This internal
function will have 2 implementations (1 for SMM, 1 for DXE). For the SMM
implementation, it is a wrapper to call the AsmLfence() API; for the DXE
implementation, it is empty.
A more detailed explanation of the purpose of commit is under the
'Bounds check bypass mitigation' section of the below link:
https://software.intel.com/security-software-guidance/insights/host-firmware-speculative-execution-side-channel-mitigation
And the document at:
https://software.intel.com/security-software-guidance/api-app/sites/default/files/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Regression-tested-by: Laszlo Ersek <lersek@redhat.com>
2018-09-13 09:47:10 +02:00
|
|
|
//
|
|
|
|
|
// The MemoryLoadFence() call here is to ensure the previous range/content
|
|
|
|
|
// checks for the CommBuffer have been completed before the subsequent
|
|
|
|
|
// consumption of the CommBuffer content.
|
|
|
|
|
//
|
|
|
|
|
MemoryLoadFence ();
|
2015-01-05 04:38:36 +01:00
|
|
|
if (CommVariableProperty->NameSize < sizeof (CHAR16) || CommVariableProperty->Name[CommVariableProperty->NameSize/sizeof (CHAR16) - 1] != L'\0') {
|
|
|
|
|
//
|
|
|
|
|
// Make sure VariableName is A Null-terminated string.
|
|
|
|
|
//
|
|
|
|
|
Status = EFI_ACCESS_DENIED;
|
|
|
|
|
goto EXIT;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Status = VarCheckVariablePropertyGet (
|
|
|
|
|
CommVariableProperty->Name,
|
|
|
|
|
&CommVariableProperty->Guid,
|
|
|
|
|
&CommVariableProperty->VariableProperty
|
|
|
|
|
);
|
|
|
|
|
CopyMem (SmmVariableFunctionHeader->Data, mVariableBufferPayload, CommBufferPayloadSize);
|
|
|
|
|
break;
|
2013-05-17 05:49:35 +02:00
|
|
|
|
2010-12-10 10:27:54 +01:00
|
|
|
default:
|
|
|
|
|
Status = EFI_UNSUPPORTED;
|
|
|
|
|
}
|
|
|
|
|
|
2012-07-13 07:15:06 +02:00
|
|
|
EXIT:
|
|
|
|
|
|
2010-12-10 10:27:54 +01:00
|
|
|
SmmVariableFunctionHeader->ReturnStatus = Status;
|
|
|
|
|
|
|
|
|
|
return EFI_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
2013-05-17 05:49:35 +02:00
|
|
|
/**
|
|
|
|
|
SMM END_OF_DXE protocol notification event handler.
|
|
|
|
|
|
|
|
|
|
@param Protocol Points to the protocol's unique identifier
|
|
|
|
|
@param Interface Points to the interface instance
|
|
|
|
|
@param Handle The handle on which the interface was installed
|
|
|
|
|
|
|
|
|
|
@retval EFI_SUCCESS SmmEndOfDxeCallback runs successfully
|
|
|
|
|
|
|
|
|
|
**/
|
|
|
|
|
EFI_STATUS
|
|
|
|
|
EFIAPI
|
|
|
|
|
SmmEndOfDxeCallback (
|
|
|
|
|
IN CONST EFI_GUID *Protocol,
|
|
|
|
|
IN VOID *Interface,
|
|
|
|
|
IN EFI_HANDLE Handle
|
|
|
|
|
)
|
|
|
|
|
{
|
2015-08-25 05:01:56 +02:00
|
|
|
DEBUG ((EFI_D_INFO, "[Variable]SMM_END_OF_DXE is signaled\n"));
|
2017-09-30 16:39:48 +02:00
|
|
|
MorLockInitAtEndOfDxe ();
|
2013-05-17 05:49:35 +02:00
|
|
|
mEndOfDxe = TRUE;
|
2015-08-25 05:01:56 +02:00
|
|
|
VarCheckLibInitializeAtEndOfDxe (NULL);
|
2015-01-27 09:42:47 +01:00
|
|
|
//
|
|
|
|
|
// The initialization for variable quota.
|
|
|
|
|
//
|
|
|
|
|
InitializeVariableQuota ();
|
2015-02-02 10:30:34 +01:00
|
|
|
if (PcdGetBool (PcdReclaimVariableSpaceAtEndOfDxe)) {
|
|
|
|
|
ReclaimForOS ();
|
|
|
|
|
}
|
2015-08-25 05:01:56 +02:00
|
|
|
|
2013-05-17 05:49:35 +02:00
|
|
|
return EFI_SUCCESS;
|
|
|
|
|
}
|
2010-12-10 10:27:54 +01:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
SMM Fault Tolerant Write protocol notification event handler.
|
|
|
|
|
|
2015-07-01 05:08:29 +02:00
|
|
|
Non-Volatile variable write may needs FTW protocol to reclaim when
|
2010-12-10 10:27:54 +01:00
|
|
|
writting variable.
|
2015-07-01 05:08:29 +02:00
|
|
|
|
2010-12-10 10:27:54 +01:00
|
|
|
@param Protocol Points to the protocol's unique identifier
|
|
|
|
|
@param Interface Points to the interface instance
|
|
|
|
|
@param Handle The handle on which the interface was installed
|
|
|
|
|
|
|
|
|
|
@retval EFI_SUCCESS SmmEventCallback runs successfully
|
|
|
|
|
@retval EFI_NOT_FOUND The Fvb protocol for variable is not found.
|
2015-07-01 05:08:29 +02:00
|
|
|
|
2010-12-10 10:27:54 +01:00
|
|
|
**/
|
|
|
|
|
EFI_STATUS
|
|
|
|
|
EFIAPI
|
|
|
|
|
SmmFtwNotificationEvent (
|
|
|
|
|
IN CONST EFI_GUID *Protocol,
|
|
|
|
|
IN VOID *Interface,
|
|
|
|
|
IN EFI_HANDLE Handle
|
|
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
EFI_STATUS Status;
|
|
|
|
|
EFI_SMM_FIRMWARE_VOLUME_BLOCK_PROTOCOL *FvbProtocol;
|
|
|
|
|
EFI_SMM_FAULT_TOLERANT_WRITE_PROTOCOL *FtwProtocol;
|
|
|
|
|
EFI_PHYSICAL_ADDRESS NvStorageVariableBase;
|
2013-07-11 10:15:47 +02:00
|
|
|
UINTN FtwMaxBlockSize;
|
2015-07-01 05:08:29 +02:00
|
|
|
|
2010-12-10 10:27:54 +01:00
|
|
|
if (mVariableModuleGlobal->FvbInstance != NULL) {
|
|
|
|
|
return EFI_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Ensure SMM FTW protocol is installed.
|
|
|
|
|
//
|
2010-12-11 12:17:47 +01:00
|
|
|
Status = GetFtwProtocol ((VOID **)&FtwProtocol);
|
2010-12-10 10:27:54 +01:00
|
|
|
if (EFI_ERROR (Status)) {
|
|
|
|
|
return Status;
|
|
|
|
|
}
|
|
|
|
|
|
2013-07-11 10:15:47 +02:00
|
|
|
Status = FtwProtocol->GetMaxBlockSize (FtwProtocol, &FtwMaxBlockSize);
|
|
|
|
|
if (!EFI_ERROR (Status)) {
|
|
|
|
|
ASSERT (PcdGet32 (PcdFlashNvStorageVariableSize) <= FtwMaxBlockSize);
|
|
|
|
|
}
|
|
|
|
|
|
2010-12-10 10:27:54 +01:00
|
|
|
//
|
|
|
|
|
// Find the proper FVB protocol for variable.
|
|
|
|
|
//
|
|
|
|
|
NvStorageVariableBase = (EFI_PHYSICAL_ADDRESS) PcdGet64 (PcdFlashNvStorageVariableBase64);
|
|
|
|
|
if (NvStorageVariableBase == 0) {
|
|
|
|
|
NvStorageVariableBase = (EFI_PHYSICAL_ADDRESS) PcdGet32 (PcdFlashNvStorageVariableBase);
|
|
|
|
|
}
|
|
|
|
|
Status = GetFvbInfoByAddress (NvStorageVariableBase, NULL, &FvbProtocol);
|
|
|
|
|
if (EFI_ERROR (Status)) {
|
|
|
|
|
return EFI_NOT_FOUND;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
mVariableModuleGlobal->FvbInstance = FvbProtocol;
|
2015-07-01 05:08:29 +02:00
|
|
|
|
2010-12-10 10:27:54 +01:00
|
|
|
Status = VariableWriteServiceInitialize ();
|
2015-07-01 05:08:29 +02:00
|
|
|
if (EFI_ERROR (Status)) {
|
|
|
|
|
DEBUG ((DEBUG_ERROR, "Variable write service initialization failed. Status = %r\n", Status));
|
|
|
|
|
}
|
|
|
|
|
|
2010-12-10 10:27:54 +01:00
|
|
|
//
|
|
|
|
|
// Notify the variable wrapper driver the variable write service is ready
|
|
|
|
|
//
|
|
|
|
|
Status = gBS->InstallProtocolInterface (
|
|
|
|
|
&mSmmVariableHandle,
|
2011-02-28 08:31:45 +01:00
|
|
|
&gSmmVariableWriteGuid,
|
2010-12-10 10:27:54 +01:00
|
|
|
EFI_NATIVE_INTERFACE,
|
|
|
|
|
NULL
|
|
|
|
|
);
|
|
|
|
|
ASSERT_EFI_ERROR (Status);
|
2015-07-01 05:08:29 +02:00
|
|
|
|
2010-12-10 10:27:54 +01:00
|
|
|
return EFI_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
Variable Driver main entry point. The Variable driver places the 4 EFI
|
2015-07-01 05:08:29 +02:00
|
|
|
runtime services in the EFI System Table and installs arch protocols
|
2011-02-28 08:31:45 +01:00
|
|
|
for variable read and write services being available. It also registers
|
2010-12-10 10:27:54 +01:00
|
|
|
a notification function for an EVT_SIGNAL_VIRTUAL_ADDRESS_CHANGE event.
|
|
|
|
|
|
2015-07-01 05:08:29 +02:00
|
|
|
@param[in] ImageHandle The firmware allocated handle for the EFI image.
|
2010-12-10 10:27:54 +01:00
|
|
|
@param[in] SystemTable A pointer to the EFI System Table.
|
2015-07-01 05:08:29 +02:00
|
|
|
|
2010-12-10 10:27:54 +01:00
|
|
|
@retval EFI_SUCCESS Variable service successfully initialized.
|
|
|
|
|
|
|
|
|
|
**/
|
|
|
|
|
EFI_STATUS
|
|
|
|
|
EFIAPI
|
|
|
|
|
VariableServiceInitialize (
|
|
|
|
|
IN EFI_HANDLE ImageHandle,
|
|
|
|
|
IN EFI_SYSTEM_TABLE *SystemTable
|
|
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
EFI_STATUS Status;
|
|
|
|
|
EFI_HANDLE VariableHandle;
|
|
|
|
|
VOID *SmmFtwRegistration;
|
2013-05-17 05:49:35 +02:00
|
|
|
VOID *SmmEndOfDxeRegistration;
|
2012-07-13 07:15:06 +02:00
|
|
|
|
2010-12-10 10:27:54 +01:00
|
|
|
//
|
|
|
|
|
// Variable initialize.
|
|
|
|
|
//
|
|
|
|
|
Status = VariableCommonInitialize ();
|
|
|
|
|
ASSERT_EFI_ERROR (Status);
|
|
|
|
|
|
|
|
|
|
//
|
|
|
|
|
// Install the Smm Variable Protocol on a new handle.
|
|
|
|
|
//
|
|
|
|
|
VariableHandle = NULL;
|
|
|
|
|
Status = gSmst->SmmInstallProtocolInterface (
|
|
|
|
|
&VariableHandle,
|
|
|
|
|
&gEfiSmmVariableProtocolGuid,
|
|
|
|
|
EFI_NATIVE_INTERFACE,
|
|
|
|
|
&gSmmVariable
|
|
|
|
|
);
|
|
|
|
|
ASSERT_EFI_ERROR (Status);
|
|
|
|
|
|
2015-01-05 04:38:36 +01:00
|
|
|
Status = gSmst->SmmInstallProtocolInterface (
|
|
|
|
|
&VariableHandle,
|
|
|
|
|
&gEdkiiSmmVarCheckProtocolGuid,
|
|
|
|
|
EFI_NATIVE_INTERFACE,
|
|
|
|
|
&mSmmVarCheck
|
|
|
|
|
);
|
|
|
|
|
ASSERT_EFI_ERROR (Status);
|
|
|
|
|
|
MdeModulePkg/Variable/RuntimeDxe: introduce PcdMaxVolatileVariableSize
The variable driver doesn't distinguish "non-volatile non-authenticated"
variables from "volatile non-authenticated" variables, when checking
individual variable sizes against the permitted maximum.
PcdMaxVariableSize covers both kinds.
This prevents volatile non-authenticated variables from carrying large
data between UEFI drivers, despite having no flash impact. One example is
EFI_TLS_CA_CERTIFICATE_VARIABLE, which platforms might want to create as
volatile on every boot: the certificate list can be several hundred KB in
size.
Introduce PcdMaxVolatileVariableSize to represent the limit on individual
volatile non-authenticated variables. The default value is zero, which
makes Variable/RuntimeDxe fall back to PcdMaxVariableSize (i.e. the
current behavior). This is similar to the PcdMaxAuthVariableSize fallback.
Whenever the size limit is enforced, consult MaxVolatileVariableSize as
the last option, after checking
- MaxAuthVariableSize for VARIABLE_ATTRIBUTE_AT_AW,
- and MaxVariableSize for EFI_VARIABLE_NON_VOLATILE.
EFI_VARIABLE_HARDWARE_ERROR_RECORD is always handled separately; it always
takes priority over the three cases listed above.
Introduce the GetMaxVariableSize() helper to consider
PcdMaxVolatileVariableSize, in addition to
GetNonVolatileMaxVariableSize(). GetNonVolatileMaxVariableSize() is
currently called at three sites, and two of those need to start using
GetMaxVariableSize() instead:
- VariableServiceInitialize() [VariableSmm.c]: the SMM comms buffer must
accommodate all kinds of variables,
- VariableCommonInitialize() [Variable.c]: the preallocated scratch space
must also accommodate all kinds of variables,
- InitNonVolatileVariableStore() [Variable.c] can continue using
GetNonVolatileMaxVariableSize().
Don't modify the ReclaimForOS() function as it is specific to non-volatile
variables and should ignore PcdMaxVolatileVariableSize.
Cc: Eric Dong <eric.dong@intel.com>
Cc: Ruiyu Ni <ruiyu.ni@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Gary Lin <glin@suse.com>
Tested-by: Gary Lin <glin@suse.com>
[lersek@redhat.com: set MaxVolatileVariableSize where Star suggested]
Reviewed-by: Star Zeng <star.zeng@intel.com>
2018-03-28 15:55:42 +02:00
|
|
|
mVariableBufferPayloadSize = GetMaxVariableSize () +
|
2015-07-01 05:08:29 +02:00
|
|
|
OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name) - GetVariableHeaderSize ();
|
2013-05-07 07:38:32 +02:00
|
|
|
|
|
|
|
|
Status = gSmst->SmmAllocatePool (
|
|
|
|
|
EfiRuntimeServicesData,
|
|
|
|
|
mVariableBufferPayloadSize,
|
|
|
|
|
(VOID **)&mVariableBufferPayload
|
|
|
|
|
);
|
|
|
|
|
ASSERT_EFI_ERROR (Status);
|
|
|
|
|
|
2010-12-10 10:27:54 +01:00
|
|
|
///
|
|
|
|
|
/// Register SMM variable SMI handler
|
|
|
|
|
///
|
|
|
|
|
VariableHandle = NULL;
|
|
|
|
|
Status = gSmst->SmiHandlerRegister (SmmVariableHandler, &gEfiSmmVariableProtocolGuid, &VariableHandle);
|
|
|
|
|
ASSERT_EFI_ERROR (Status);
|
2015-07-01 05:08:29 +02:00
|
|
|
|
2010-12-10 10:27:54 +01:00
|
|
|
//
|
|
|
|
|
// Notify the variable wrapper driver the variable service is ready
|
|
|
|
|
//
|
|
|
|
|
Status = SystemTable->BootServices->InstallProtocolInterface (
|
|
|
|
|
&mVariableHandle,
|
|
|
|
|
&gEfiSmmVariableProtocolGuid,
|
|
|
|
|
EFI_NATIVE_INTERFACE,
|
|
|
|
|
&gSmmVariable
|
|
|
|
|
);
|
|
|
|
|
ASSERT_EFI_ERROR (Status);
|
2015-07-01 05:08:29 +02:00
|
|
|
|
2013-05-17 05:49:35 +02:00
|
|
|
//
|
|
|
|
|
// Register EFI_SMM_END_OF_DXE_PROTOCOL_GUID notify function.
|
|
|
|
|
//
|
|
|
|
|
Status = gSmst->SmmRegisterProtocolNotify (
|
|
|
|
|
&gEfiSmmEndOfDxeProtocolGuid,
|
|
|
|
|
SmmEndOfDxeCallback,
|
|
|
|
|
&SmmEndOfDxeRegistration
|
|
|
|
|
);
|
|
|
|
|
ASSERT_EFI_ERROR (Status);
|
|
|
|
|
|
2010-12-10 10:27:54 +01:00
|
|
|
//
|
|
|
|
|
// Register FtwNotificationEvent () notify function.
|
2015-07-01 05:08:29 +02:00
|
|
|
//
|
2010-12-10 10:27:54 +01:00
|
|
|
Status = gSmst->SmmRegisterProtocolNotify (
|
|
|
|
|
&gEfiSmmFaultTolerantWriteProtocolGuid,
|
|
|
|
|
SmmFtwNotificationEvent,
|
|
|
|
|
&SmmFtwRegistration
|
|
|
|
|
);
|
|
|
|
|
ASSERT_EFI_ERROR (Status);
|
|
|
|
|
|
|
|
|
|
SmmFtwNotificationEvent (NULL, NULL, NULL);
|
2015-07-01 05:08:29 +02:00
|
|
|
|
2010-12-10 10:27:54 +01:00
|
|
|
return EFI_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
