MdeModulePkg: Change TCG MOR variables to use VariablePolicy

https://bugzilla.tianocore.org/show_bug.cgi?id=2522

These were previously using VarLock, which is
being deprecated.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Bret Barkelew <brbarkel@microsoft.com>
Signed-off-by: Bret Barkelew <brbarkel@microsoft.com>
Reviewed-by: Dandan Bi <dandan.bi@intel.com>
Acked-by: Jian J Wang <jian.j.wang@intel.com>

MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c

@@ -5,6 +5,7 @@
   MOR lock control unsupported.
 
 Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
+Copyright (c) Microsoft Corporation.
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -17,7 +18,8 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #include <Library/BaseMemoryLib.h>
 #include "Variable.h"
 
-extern EDKII_VARIABLE_LOCK_PROTOCOL     mVariableLock;
+#include <Protocol/VariablePolicy.h>
+#include <Library/VariablePolicyHelperLib.h>
 
 /**
   This service is an MOR/MorLock checker handler for the SetVariable().
@@ -77,11 +79,6 @@ MorLockInit (
     NULL                                        // Data
     );
 
-  //
-  // Need set this variable to be read-only to prevent other module set it.
-  //
-  VariableLockRequestToLock (&mVariableLock, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, &gEfiMemoryOverwriteRequestControlLockGuid);
-
   //
   // The MOR variable can effectively improve platform security only when the
   // MorLock variable protects the MOR variable. In turn MorLock cannot be made
@@ -99,11 +96,6 @@ MorLockInit (
     0,                                      // DataSize
     NULL                                    // Data
     );
-  VariableLockRequestToLock (
-    &mVariableLock,
-    MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,
-    &gEfiMemoryOverwriteControlDataGuid
-    );
 
   return EFI_SUCCESS;
 }
@@ -118,7 +110,39 @@ MorLockInitAtEndOfDxe (
   VOID
   )
 {
-  //
+  EFI_STATUS                        Status;
-  // Do nothing.
+  EDKII_VARIABLE_POLICY_PROTOCOL    *VariablePolicy;
-  //
+
+  // First, we obviously need to locate the VariablePolicy protocol.
+  Status = gBS->LocateProtocol( &gEdkiiVariablePolicyProtocolGuid, NULL, (VOID**)&VariablePolicy );
+  if (EFI_ERROR( Status )) {
+    DEBUG(( DEBUG_ERROR, "%a - Could not locate VariablePolicy protocol! %r\n", __FUNCTION__, Status ));
+    return;
+  }
+
+  // If we're successful, go ahead and set the policies to protect the target variables.
+  Status = RegisterBasicVariablePolicy( VariablePolicy,
+                                        &gEfiMemoryOverwriteRequestControlLockGuid,
+                                        MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME,
+                                        VARIABLE_POLICY_NO_MIN_SIZE,
+                                        VARIABLE_POLICY_NO_MAX_SIZE,
+                                        VARIABLE_POLICY_NO_MUST_ATTR,
+                                        VARIABLE_POLICY_NO_CANT_ATTR,
+                                        VARIABLE_POLICY_TYPE_LOCK_NOW );
+  if (EFI_ERROR( Status )) {
+    DEBUG(( DEBUG_ERROR, "%a - Could not lock variable %s! %r\n", __FUNCTION__, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, Status ));
+  }
+  Status = RegisterBasicVariablePolicy( VariablePolicy,
+                                        &gEfiMemoryOverwriteControlDataGuid,
+                                        MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,
+                                        VARIABLE_POLICY_NO_MIN_SIZE,
+                                        VARIABLE_POLICY_NO_MAX_SIZE,
+                                        VARIABLE_POLICY_NO_MUST_ATTR,
+                                        VARIABLE_POLICY_NO_CANT_ATTR,
+                                        VARIABLE_POLICY_TYPE_LOCK_NOW );
+  if (EFI_ERROR( Status )) {
+    DEBUG(( DEBUG_ERROR, "%a - Could not lock variable %s! %r\n", __FUNCTION__, MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, Status ));
+  }
+
+  return;
 }

MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c

@@ -19,7 +19,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #include "Variable.h"
 
 #include <Protocol/VariablePolicy.h>
-
+#include <Library/VariablePolicyHelperLib.h>
 #include <Library/VariablePolicyLib.h>
 
 typedef struct {
@@ -422,6 +422,8 @@ MorLockInitAtEndOfDxe (
 {
   UINTN      MorSize;
   EFI_STATUS MorStatus;
+  EFI_STATUS              Status;
+  VARIABLE_POLICY_ENTRY   *NewPolicy;
 
   if (!mMorLockInitializationRequired) {
     //
@@ -494,11 +496,25 @@ MorLockInitAtEndOfDxe (
   // The MOR variable is absent; the platform firmware does not support it.
   // Lock the variable so that no other module may create it.
   //
-  VariableLockRequestToLock (
+  NewPolicy = NULL;
-    NULL,                                   // This
+  Status = CreateBasicVariablePolicy( &gEfiMemoryOverwriteControlDataGuid,
-    MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,
+                                      MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME,
-    &gEfiMemoryOverwriteControlDataGuid
+                                      VARIABLE_POLICY_NO_MIN_SIZE,
-    );
+                                      VARIABLE_POLICY_NO_MAX_SIZE,
+                                      VARIABLE_POLICY_NO_MUST_ATTR,
+                                      VARIABLE_POLICY_NO_CANT_ATTR,
+                                      VARIABLE_POLICY_TYPE_LOCK_NOW,
+                                      &NewPolicy );
+  if (!EFI_ERROR( Status )) {
+    Status = RegisterVariablePolicy( NewPolicy );
+  }
+  if (EFI_ERROR( Status )) {
+    DEBUG(( DEBUG_ERROR, "%a - Failed to lock variable %s! %r\n", __FUNCTION__, MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, Status ));
+    ASSERT_EFI_ERROR( Status );
+  }
+  if (NewPolicy != NULL) {
+    FreePool( NewPolicy );
+  }
 
   //
   // Delete the MOR Control Lock variable too (should it exists for some
@@ -514,9 +530,23 @@ MorLockInitAtEndOfDxe (
     );
   mMorLockPassThru = FALSE;
 
-  VariableLockRequestToLock (
+  NewPolicy = NULL;
-    NULL,                                       // This
+  Status = CreateBasicVariablePolicy( &gEfiMemoryOverwriteRequestControlLockGuid,
-    MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME,
+                                      MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME,
-    &gEfiMemoryOverwriteRequestControlLockGuid
+                                      VARIABLE_POLICY_NO_MIN_SIZE,
-    );
+                                      VARIABLE_POLICY_NO_MAX_SIZE,
+                                      VARIABLE_POLICY_NO_MUST_ATTR,
+                                      VARIABLE_POLICY_NO_CANT_ATTR,
+                                      VARIABLE_POLICY_TYPE_LOCK_NOW,
+                                      &NewPolicy );
+  if (!EFI_ERROR( Status )) {
+    Status = RegisterVariablePolicy( NewPolicy );
+  }
+  if (EFI_ERROR( Status )) {
+    DEBUG(( DEBUG_ERROR, "%a - Failed to lock variable %s! %r\n", __FUNCTION__, MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, Status ));
+    ASSERT_EFI_ERROR( Status );
+  }
+  if (NewPolicy != NULL) {
+    FreePool( NewPolicy );
+  }
 }

MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf

@@ -71,6 +71,7 @@
   AuthVariableLib
   VarCheckLib
   VariablePolicyLib
+  VariablePolicyHelperLib
 
 [Protocols]
   gEfiFirmwareVolumeBlockProtocolGuid           ## CONSUMES
@@ -80,6 +81,7 @@
   gEfiVariableWriteArchProtocolGuid             ## PRODUCES
   gEfiVariableArchProtocolGuid                  ## PRODUCES
   gEdkiiVariableLockProtocolGuid                ## PRODUCES
+  gEdkiiVariablePolicyProtocolGuid              ## CONSUMES
   gEdkiiVarCheckProtocolGuid                    ## PRODUCES
 
 [Guids]

MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf

@@ -76,6 +76,7 @@
   SynchronizationLib
   VarCheckLib
   VariablePolicyLib
+  VariablePolicyHelperLib
 
 [Protocols]
   gEfiSmmFirmwareVolumeBlockProtocolGuid        ## CONSUMES