SecurityPkg: AuthVariableLib: Revert UserPhysicalPresent feature from AuthVariableLib

Physical Presence state reporting is constrained by physical presence caching in variable driver. For example, reporting must be prior to Physical Presence caching. Physical Presence state becomes constant rather than instant after caching. Therefore, PlatformSecureLib is responsible for reporting Physical Presence state in expected way.

This reverts commit 90fa53213ec458b5c4f8851c09aeb3de977531e5.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
(cherry picked from commit 76bfc7e3ea136412808ad4cf54471c651bdec464)

3 files changed, 4 insertions, 12 deletions

diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c
index 0dd62b0741..1f9ba15384 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@@ -928,7 +928,7 @@ ProcessVarWithPk (
   }

 

   Del = FALSE;

-  if ((InCustomMode() && mUserPhysicalPresent) || (mPlatformMode == SETUP_MODE && !IsPk)) {

+  if ((InCustomMode() && UserPhysicalPresent()) || (mPlatformMode == SETUP_MODE && !IsPk)) {

     Payload = (UINT8 *) Data + AUTHINFO2_SIZE (Data);

     PayloadSize = DataSize - AUTHINFO2_SIZE (Data);

     if (PayloadSize == 0) {

@@ -1046,7 +1046,7 @@ ProcessVarWithKek (
   }

 

   Status = EFI_SUCCESS;

-  if (mPlatformMode == USER_MODE && !(InCustomMode() && mUserPhysicalPresent)) {

+  if (mPlatformMode == USER_MODE && !(InCustomMode() && UserPhysicalPresent())) {

     //

     // Time-based, verify against X509 Cert KEK.

     //

@@ -1201,7 +1201,7 @@ ProcessVariable (
              &OrgVariableInfo

              );

 

-  if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable (OrgVariableInfo.Attributes, Data, DataSize, Attributes) && mUserPhysicalPresent) {

+  if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable (OrgVariableInfo.Attributes, Data, DataSize, Attributes) && UserPhysicalPresent()) {

     //

     // Allow the delete operation of common authenticated variable at user physical presence.

     //

@@ -1219,7 +1219,7 @@ ProcessVariable (
     return Status;

   }

 

-  if (NeedPhysicallyPresent (VariableName, VendorGuid) && !mUserPhysicalPresent) {

+  if (NeedPhysicallyPresent (VariableName, VendorGuid) && !UserPhysicalPresent()) {

     //

     // This variable is protected, only physical present user could modify its value.

     //

diff --git a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
index 4d6915bcaa..add05c21cc 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
+++ b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
@@ -125,7 +125,6 @@ extern UINT8    *mCertDbStore;
 extern UINT32   mMaxCertDbSize;

 extern UINT32   mPlatformMode;

 extern UINT8    mVendorKeyState;

-extern BOOLEAN  mUserPhysicalPresent;

 

 extern VOID     *mHashCtx;

 

diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
index 69eac134cb..00ec1710fc 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
@@ -35,7 +35,6 @@ UINT8    *mCertDbStore;
 UINT32   mMaxCertDbSize;

 UINT32   mPlatformMode;

 UINT8    mVendorKeyState;

-BOOLEAN  mUserPhysicalPresent;

 

 EFI_GUID mSignatureSupport[] = {EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID};

 

@@ -408,12 +407,6 @@ AuthVariableLibInitialize (
   AuthVarLibContextOut->AddressPointer = mAuthVarAddressPointer;

   AuthVarLibContextOut->AddressPointerCount = sizeof (mAuthVarAddressPointer) / sizeof (mAuthVarAddressPointer[0]);

 

-  //

-  // Cache UserPhysicalPresent State. 

-  // Platform should report PhysicalPresent before this point

-  //

-  mUserPhysicalPresent = UserPhysicalPresent();

-

   return Status;

 }