MdeModulePkg: Allow VariablePolicy state to delete protected variables

https://bugzilla.tianocore.org/show_bug.cgi?id=2522 TcgMorLockSmm provides special protections for the TCG MOR variables. This will check IsVariablePolicyEnabled() before enforcing them to allow variable deletion when policy engine is disabled. Only allows deletion, not modification. Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Hao A Wu <hao.a.wu@intel.com> Cc: Liming Gao <liming.gao@intel.com> Cc: Bret Barkelew <brbarkel@microsoft.com> Signed-off-by: Bret Barkelew <brbarkel@microsoft.com> Reviewed-by: Dandan Bi <dandan.bi@intel.com> Acked-by: Jian J Wang <jian.j.wang@intel.com>
2025-04-08 17:05:09 +02:00 · 2020-11-09 14:45:19 +08:00 · 2020-11-09 14:45:19 +08:00 · e176bafc9d
commit e176bafc9d
parent b6490426e3
2 changed files with 12 additions and 0 deletions
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c
@ -5,6 +5,7 @@
  This module adds Variable Hook and check MemoryOverwriteRequestControlLock.

 Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) Microsoft Corporation.
 SPDX-License-Identifier: BSD-2-Clause-Patent

 **/
@ -17,6 +18,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #include <Library/BaseMemoryLib.h>
 #include "Variable.h"

+#include <Protocol/VariablePolicy.h>
+
+#include <Library/VariablePolicyLib.h>
+
 typedef struct {
  CHAR16                                 *VariableName;
  EFI_GUID                               *VendorGuid;
@ -341,6 +346,11 @@ SetVariableCheckHandlerMor (
    return EFI_SUCCESS;
  }

+  // Permit deletion when policy is disabled.
+  if (!IsVariablePolicyEnabled() && ((Attributes == 0) || (DataSize == 0))) {
+    return EFI_SUCCESS;
+  }
+
  //
  // MorLock variable
  //
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf
@ -20,6 +20,7 @@
 #
 # Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.<BR>
 # Copyright (c) 2018, Linaro, Ltd. All rights reserved.<BR>
+# Copyright (c) Microsoft Corporation.
 # SPDX-License-Identifier: BSD-2-Clause-Patent
 #
 ##
@ -74,6 +75,7 @@
  StandaloneMmDriverEntryPoint
  SynchronizationLib
  VarCheckLib
+  VariablePolicyLib

 [Protocols]
  gEfiSmmFirmwareVolumeBlockProtocolGuid        ## CONSUMES