SecurityPkg Variable: Support the new introduced PcdMaxAuthVariableSize.

1. If PcdMaxAuthVariableSize is set to 0, keep current behavior as is and
PcdMaxVariableSize used.
2. If PcdMaxAuthVariableSize is set to non 0, it will work on
authenticated variables.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17610 6f19259b-4bc3-4df7-8a09-765794883524

1 files changed, 40 insertions, 20 deletions

diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
index 7ecc29b94b..15d053186c 100644
--- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
+++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c
@@ -2153,7 +2153,7 @@ UpdateVariable (
       // Trying to update NV variable prior to the installation of EFI_VARIABLE_WRITE_ARCH_PROTOCOL

       //

       return EFI_NOT_AVAILABLE_YET;

-    } else if ((Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) != 0) {

+    } else if ((Attributes & VARIABLE_ATTRIBUTE_AT_AW) != 0) {

       //

       // Trying to update volatile authenticated variable prior to the installation of EFI_VARIABLE_WRITE_ARCH_PROTOCOL

       // The authenticated variable perhaps is not initialized, just return here.

@@ -2190,7 +2190,7 @@ UpdateVariable (
   // as a temporary storage.

   //

   NextVariable = GetEndPointer ((VARIABLE_STORE_HEADER *) ((UINTN) mVariableModuleGlobal->VariableGlobal.VolatileVariableBase));

-  ScratchSize = MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize));

+  ScratchSize = mVariableModuleGlobal->ScratchBufferSize;

   SetMem (NextVariable, ScratchSize, 0xff);

   DataReady = FALSE;

 

@@ -2309,9 +2309,13 @@ UpdateVariable (
         CopyMem (BufferForMerge, (UINT8 *) ((UINTN) Variable->CurrPtr + DataOffset), Variable->CurrPtr->DataSize);

 

         //

-        // Set Max Common Variable Data Size as default MaxDataSize

+        // Set Max Common/Auth Variable Data Size as default MaxDataSize

         //

-        MaxDataSize = PcdGet32 (PcdMaxVariableSize) - DataOffset;

+        if ((Attributes & VARIABLE_ATTRIBUTE_AT_AW) != 0) {

+          MaxDataSize = mVariableModuleGlobal->MaxAuthVariableSize - DataOffset;

+        } else {

+          MaxDataSize = mVariableModuleGlobal->MaxVariableSize - DataOffset;

+        }

 

         if ((CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid) &&

             ((StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0) || (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE1) == 0) ||

@@ -2351,7 +2355,7 @@ UpdateVariable (
         } else {

           //

           // For other Variables, append the new data to the end of existing data.

-          // Max Harware error record variable data size is different from common variable

+          // Max Harware error record variable data size is different from common/auth variable

           //

           if ((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD) {

             MaxDataSize = PcdGet32 (PcdMaxHardwareErrorVariableSize) - DataOffset;

@@ -3237,7 +3241,7 @@ VariableServiceSetVariable (
   //

   //  The size of the VariableName, including the Unicode Null in bytes plus

   //  the DataSize is limited to maximum size of PcdGet32 (PcdMaxHardwareErrorVariableSize)

-  //  bytes for HwErrRec, and PcdGet32 (PcdMaxVariableSize) bytes for the others.

+  //  bytes for HwErrRec.

   //

   if ((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD) {

     if (StrSize (VariableName) + PayloadSize > PcdGet32 (PcdMaxHardwareErrorVariableSize) - sizeof (VARIABLE_HEADER)) {

@@ -3249,10 +3253,16 @@ VariableServiceSetVariable (
   } else {

     //

     //  The size of the VariableName, including the Unicode Null in bytes plus

-    //  the DataSize is limited to maximum size of PcdGet32 (PcdMaxVariableSize) bytes.

+    //  the DataSize is limited to maximum size of Max(Auth)VariableSize bytes.

     //

-    if (StrSize (VariableName) + PayloadSize > PcdGet32 (PcdMaxVariableSize) - sizeof (VARIABLE_HEADER)) {

-      return EFI_INVALID_PARAMETER;

+    if ((Attributes & VARIABLE_ATTRIBUTE_AT_AW) != 0) {

+      if (StrSize (VariableName) + PayloadSize > mVariableModuleGlobal->MaxAuthVariableSize - sizeof (VARIABLE_HEADER)) {

+        return EFI_INVALID_PARAMETER;

+      }

+    } else {

+      if (StrSize (VariableName) + PayloadSize > mVariableModuleGlobal->MaxVariableSize - sizeof (VARIABLE_HEADER)) {

+        return EFI_INVALID_PARAMETER;

+      }

     }

   }

 

@@ -3442,9 +3452,13 @@ VariableServiceQueryVariableInfoInternal (
     }

 

     //

-    // Let *MaximumVariableSize be PcdGet32 (PcdMaxVariableSize) with the exception of the variable header size.

+    // Let *MaximumVariableSize be Max(Auth)VariableSize with the exception of the variable header size.

     //

-    *MaximumVariableSize = PcdGet32 (PcdMaxVariableSize) - sizeof (VARIABLE_HEADER);

+    if ((Attributes & VARIABLE_ATTRIBUTE_AT_AW) != 0) {

+      *MaximumVariableSize = mVariableModuleGlobal->MaxAuthVariableSize - sizeof (VARIABLE_HEADER);

+    } else {

+      *MaximumVariableSize = mVariableModuleGlobal->MaxVariableSize - sizeof (VARIABLE_HEADER);

+    }

   }

 

   //

@@ -3636,11 +3650,13 @@ ReclaimForOS(
   }

 

   RemainingHwErrVariableSpace = PcdGet32 (PcdHwErrStorageSize) - mVariableModuleGlobal->HwErrVariableTotalSize;

+

   //

   // Check if the free area is below a threshold.

   //

-  if ((RemainingCommonRuntimeVariableSpace < PcdGet32 (PcdMaxVariableSize))

-    || ((PcdGet32 (PcdHwErrStorageSize) != 0) &&

+  if (((RemainingCommonRuntimeVariableSpace < mVariableModuleGlobal->MaxVariableSize) ||

+       (RemainingCommonRuntimeVariableSpace < mVariableModuleGlobal->MaxAuthVariableSize)) ||

+      ((PcdGet32 (PcdHwErrStorageSize) != 0) &&

        (RemainingHwErrVariableSpace < PcdGet32 (PcdMaxHardwareErrorVariableSize)))){

     Status = Reclaim (

             mVariableModuleGlobal->VariableGlobal.NonVolatileVariableBase,

@@ -3767,17 +3783,17 @@ InitNonVolatileVariableStore (
   // Note that in EdkII variable driver implementation, Hardware Error Record type variable

   // is stored with common variable in the same NV region. So the platform integrator should

   // ensure that the value of PcdHwErrStorageSize is less than the value of

-  // VariableStoreLength - sizeof (VARIABLE_STORE_HEADER)).

+  // (VariableStoreLength - sizeof (VARIABLE_STORE_HEADER)).

   //

   ASSERT (HwErrStorageSize < (VariableStoreLength - sizeof (VARIABLE_STORE_HEADER)));

   //

   // Ensure that the value of PcdMaxUserNvVariableSpaceSize is less than the value of

-  // VariableStoreLength - sizeof (VARIABLE_STORE_HEADER)) - PcdGet32 (PcdHwErrStorageSize).

+  // (VariableStoreLength - sizeof (VARIABLE_STORE_HEADER)) - PcdGet32 (PcdHwErrStorageSize).

   //

   ASSERT (MaxUserNvVariableSpaceSize < (VariableStoreLength - sizeof (VARIABLE_STORE_HEADER) - HwErrStorageSize));

   //

   // Ensure that the value of PcdBoottimeReservedNvVariableSpaceSize is less than the value of

-  // VariableStoreLength - sizeof (VARIABLE_STORE_HEADER)) - PcdGet32 (PcdHwErrStorageSize).

+  // (VariableStoreLength - sizeof (VARIABLE_STORE_HEADER)) - PcdGet32 (PcdHwErrStorageSize).

   //

   ASSERT (BoottimeReservedNvVariableSpaceSize < (VariableStoreLength - sizeof (VARIABLE_STORE_HEADER) - HwErrStorageSize));

 

@@ -3788,9 +3804,12 @@ InitNonVolatileVariableStore (
   DEBUG ((EFI_D_INFO, "Variable driver common space: 0x%x 0x%x 0x%x\n", mVariableModuleGlobal->CommonVariableSpace, mVariableModuleGlobal->CommonMaxUserVariableSpace, mVariableModuleGlobal->CommonRuntimeVariableSpace));

 

   //

-  // The max variable or hardware error variable size should be < variable store size.

+  // The max NV variable size should be < (VariableStoreLength - sizeof (VARIABLE_STORE_HEADER)).

   //

-  ASSERT(MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize)) < VariableStoreLength);

+  ASSERT (MAX_NV_VARIABLE_SIZE < (VariableStoreLength - sizeof (VARIABLE_STORE_HEADER)));

+

+  mVariableModuleGlobal->MaxVariableSize = PcdGet32 (PcdMaxVariableSize);

+  mVariableModuleGlobal->MaxAuthVariableSize = ((PcdGet32 (PcdMaxAuthVariableSize) != 0) ? PcdGet32 (PcdMaxAuthVariableSize) : mVariableModuleGlobal->MaxVariableSize);

 

   //

   // Parse non-volatile variable data and get last variable offset.

@@ -3963,7 +3982,7 @@ VariableWriteServiceInitialize (
   //

   // Authenticated variable initialize.

   //

-  Status = AutenticatedVariableServiceInitialize ();

+  Status = AutenticatedVariableServiceInitialize (mVariableModuleGlobal->MaxAuthVariableSize - sizeof (VARIABLE_HEADER));

 

   return Status;

 }

@@ -4019,7 +4038,8 @@ VariableCommonInitialize (
   //

   // Allocate memory for volatile variable store, note that there is a scratch space to store scratch data.

   //

-  ScratchSize = MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize));

+  ScratchSize = MAX_NV_VARIABLE_SIZE;

+  mVariableModuleGlobal->ScratchBufferSize = ScratchSize;

   VolatileVariableStore = AllocateRuntimePool (PcdGet32 (PcdVariableStoreSize) + ScratchSize);

   if (VolatileVariableStore == NULL) {

     if (mVariableModuleGlobal->VariableGlobal.HobVariableBase != 0) {