SecurityPkg: AuthVariableLib: Cache UserPhysicalPresent in AuthVariableLib

AuthVariableLib is updated to cache the UserPhysicalPresent state to global variable. This avoids calling PlatformSecureLib during runtime and makes PhysicalPresent state consistent during one boot. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Chao Zhang <chao.b.zhang@intel.com> Reviewed-by: Yao Jiewen <jiewen.yao@intel.com> Reviewed-by: Star Zeng <star.zeng@intel.com>
2016-06-27 11:10:07 +08:00 · 2016-06-27 11:10:07 +08:00 · 90fa53213e
parent 6b5677e1bb
commit 90fa53213e
3 changed files with 12 additions and 4 deletions
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@ -931,7 +931,7 @@ ProcessVarWithPk (
  // Init state of Del. State may change due to secure check
  //
  Del = FALSE;
-  if ((InCustomMode() && UserPhysicalPresent()) || (mPlatformMode == SETUP_MODE && !IsPk)) {
+  if ((InCustomMode() && mUserPhysicalPresent) || (mPlatformMode == SETUP_MODE && !IsPk)) {
    Payload = (UINT8 *) Data + AUTHINFO2_SIZE (Data);
    PayloadSize = DataSize - AUTHINFO2_SIZE (Data);
    if (PayloadSize == 0) {
@ -1049,7 +1049,7 @@ ProcessVarWithKek (
  }

  Status = EFI_SUCCESS;
-  if (mPlatformMode == USER_MODE && !(InCustomMode() && UserPhysicalPresent())) {
+  if (mPlatformMode == USER_MODE && !(InCustomMode() && mUserPhysicalPresent)) {
    //
    // Time-based, verify against X509 Cert KEK.
    //
@ -1204,7 +1204,7 @@ ProcessVariable (
             &OrgVariableInfo
             );

-  if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable (OrgVariableInfo.Attributes, Data, DataSize, Attributes) && UserPhysicalPresent()) {
+  if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable (OrgVariableInfo.Attributes, Data, DataSize, Attributes) && mUserPhysicalPresent) {
    //
    // Allow the delete operation of common authenticated variable at user physical presence.
    //
@ -1222,7 +1222,7 @@ ProcessVariable (
    return Status;
  }

-  if (NeedPhysicallyPresent (VariableName, VendorGuid) && !UserPhysicalPresent()) {
+  if (NeedPhysicallyPresent (VariableName, VendorGuid) && !mUserPhysicalPresent) {
    //
    // This variable is protected, only physical present user could modify its value.
    //
--- a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
+++ b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
@ -128,6 +128,7 @@ extern UINT8    *mCertDbStore;
 extern UINT32   mMaxCertDbSize;
 extern UINT32   mPlatformMode;
 extern UINT8    mVendorKeyState;
+extern BOOLEAN  mUserPhysicalPresent;

 extern VOID     *mHashCtx;

--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
@ -35,6 +35,7 @@ UINT8    *mCertDbStore;
 UINT32   mMaxCertDbSize;
 UINT32   mPlatformMode;
 UINT8    mVendorKeyState;
+BOOLEAN  mUserPhysicalPresent;

 EFI_GUID mSignatureSupport[] = {EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID};

@ -435,6 +436,12 @@ AuthVariableLibInitialize (
  AuthVarLibContextOut->AddressPointer = mAuthVarAddressPointer;
  AuthVarLibContextOut->AddressPointerCount = sizeof (mAuthVarAddressPointer) / sizeof (mAuthVarAddressPointer[0]);

+  //
+  // Cache UserPhysicalPresent State. 
+  // Platform should report PhysicalPresent before this point
+  //
+  mUserPhysicalPresent = UserPhysicalPresent();
+
  return Status;
 }