diff options
author | Zhang, Chao B <chao.b.zhang@intel.com> | 2016-06-27 11:10:07 +0800 |
---|---|---|
committer | Hao Wu <hao.a.wu@intel.com> | 2016-07-07 15:01:47 +0800 |
commit | 92fd5da3ddd3f29855ef54a9c6971eb2d58c7c8e (patch) | |
tree | 3dd6f712ef6f2d8e58003101bc55facd38898902 /SecurityPkg/Library | |
parent | eb7d1a38b2f81ce19d90e287fdfd4bdf2dc26726 (diff) | |
download | edk2-platforms-92fd5da3ddd3f29855ef54a9c6971eb2d58c7c8e.tar.xz |
SecurityPkg: AuthVariableLib: Cache UserPhysicalPresent in AuthVariableLib
AuthVariableLib is updated to cache the UserPhysicalPresent state to global variable. This avoids calling PlatformSecureLib during runtime and makes PhysicalPresent state consistent during one boot.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
(cherry picked from commit 90fa53213ec458b5c4f8851c09aeb3de977531e5)
Diffstat (limited to 'SecurityPkg/Library')
-rw-r--r-- | SecurityPkg/Library/AuthVariableLib/AuthService.c | 8 | ||||
-rw-r--r-- | SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h | 1 | ||||
-rw-r--r-- | SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c | 7 |
3 files changed, 12 insertions, 4 deletions
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c index 1f9ba15384..0dd62b0741 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c @@ -928,7 +928,7 @@ ProcessVarWithPk ( }
Del = FALSE;
- if ((InCustomMode() && UserPhysicalPresent()) || (mPlatformMode == SETUP_MODE && !IsPk)) {
+ if ((InCustomMode() && mUserPhysicalPresent) || (mPlatformMode == SETUP_MODE && !IsPk)) {
Payload = (UINT8 *) Data + AUTHINFO2_SIZE (Data);
PayloadSize = DataSize - AUTHINFO2_SIZE (Data);
if (PayloadSize == 0) {
@@ -1046,7 +1046,7 @@ ProcessVarWithKek ( }
Status = EFI_SUCCESS;
- if (mPlatformMode == USER_MODE && !(InCustomMode() && UserPhysicalPresent())) {
+ if (mPlatformMode == USER_MODE && !(InCustomMode() && mUserPhysicalPresent)) {
//
// Time-based, verify against X509 Cert KEK.
//
@@ -1201,7 +1201,7 @@ ProcessVariable ( &OrgVariableInfo
);
- if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable (OrgVariableInfo.Attributes, Data, DataSize, Attributes) && UserPhysicalPresent()) {
+ if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable (OrgVariableInfo.Attributes, Data, DataSize, Attributes) && mUserPhysicalPresent) {
//
// Allow the delete operation of common authenticated variable at user physical presence.
//
@@ -1219,7 +1219,7 @@ ProcessVariable ( return Status;
}
- if (NeedPhysicallyPresent (VariableName, VendorGuid) && !UserPhysicalPresent()) {
+ if (NeedPhysicallyPresent (VariableName, VendorGuid) && !mUserPhysicalPresent) {
//
// This variable is protected, only physical present user could modify its value.
//
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h index add05c21cc..4d6915bcaa 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h +++ b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h @@ -125,6 +125,7 @@ extern UINT8 *mCertDbStore; extern UINT32 mMaxCertDbSize;
extern UINT32 mPlatformMode;
extern UINT8 mVendorKeyState;
+extern BOOLEAN mUserPhysicalPresent;
extern VOID *mHashCtx;
diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c index 00ec1710fc..69eac134cb 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c @@ -35,6 +35,7 @@ UINT8 *mCertDbStore; UINT32 mMaxCertDbSize;
UINT32 mPlatformMode;
UINT8 mVendorKeyState;
+BOOLEAN mUserPhysicalPresent;
EFI_GUID mSignatureSupport[] = {EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID};
@@ -407,6 +408,12 @@ AuthVariableLibInitialize ( AuthVarLibContextOut->AddressPointer = mAuthVarAddressPointer;
AuthVarLibContextOut->AddressPointerCount = sizeof (mAuthVarAddressPointer) / sizeof (mAuthVarAddressPointer[0]);
+ //
+ // Cache UserPhysicalPresent State.
+ // Platform should report PhysicalPresent before this point
+ //
+ mUserPhysicalPresent = UserPhysicalPresent();
+
return Status;
}
|