SecurityPkg: AuthVariableLib: Cache UserPhysicalPresent in AuthVariableLib

AuthVariableLib is updated to cache the UserPhysicalPresent state to global variable. This avoids calling PlatformSecureLib during runtime and makes PhysicalPresent state consistent during one boot.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>

3 files changed, 12 insertions, 4 deletions

diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c
index 6e1e284801..1d49b6a16e 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
@@ -931,7 +931,7 @@ ProcessVarWithPk (
   // Init state of Del. State may change due to secure check

   //

   Del = FALSE;

-  if ((InCustomMode() && UserPhysicalPresent()) || (mPlatformMode == SETUP_MODE && !IsPk)) {

+  if ((InCustomMode() && mUserPhysicalPresent) || (mPlatformMode == SETUP_MODE && !IsPk)) {

     Payload = (UINT8 *) Data + AUTHINFO2_SIZE (Data);

     PayloadSize = DataSize - AUTHINFO2_SIZE (Data);

     if (PayloadSize == 0) {

@@ -1049,7 +1049,7 @@ ProcessVarWithKek (
   }

 

   Status = EFI_SUCCESS;

-  if (mPlatformMode == USER_MODE && !(InCustomMode() && UserPhysicalPresent())) {

+  if (mPlatformMode == USER_MODE && !(InCustomMode() && mUserPhysicalPresent)) {

     //

     // Time-based, verify against X509 Cert KEK.

     //

@@ -1204,7 +1204,7 @@ ProcessVariable (
              &OrgVariableInfo

              );

 

-  if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable (OrgVariableInfo.Attributes, Data, DataSize, Attributes) && UserPhysicalPresent()) {

+  if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable (OrgVariableInfo.Attributes, Data, DataSize, Attributes) && mUserPhysicalPresent) {

     //

     // Allow the delete operation of common authenticated variable at user physical presence.

     //

@@ -1222,7 +1222,7 @@ ProcessVariable (
     return Status;

   }

 

-  if (NeedPhysicallyPresent (VariableName, VendorGuid) && !UserPhysicalPresent()) {

+  if (NeedPhysicallyPresent (VariableName, VendorGuid) && !mUserPhysicalPresent) {

     //

     // This variable is protected, only physical present user could modify its value.

     //

diff --git a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
index e7c4bf043d..ac7ea89a80 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
+++ b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
@@ -128,6 +128,7 @@ extern UINT8    *mCertDbStore;
 extern UINT32   mMaxCertDbSize;

 extern UINT32   mPlatformMode;

 extern UINT8    mVendorKeyState;

+extern BOOLEAN  mUserPhysicalPresent;

 

 extern VOID     *mHashCtx;

 

diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
index c4fbb649f1..dd35a44409 100644
--- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
+++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
@@ -35,6 +35,7 @@ UINT8    *mCertDbStore;
 UINT32   mMaxCertDbSize;

 UINT32   mPlatformMode;

 UINT8    mVendorKeyState;

+BOOLEAN  mUserPhysicalPresent;

 

 EFI_GUID mSignatureSupport[] = {EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID};

 

@@ -435,6 +436,12 @@ AuthVariableLibInitialize (
   AuthVarLibContextOut->AddressPointer = mAuthVarAddressPointer;

   AuthVarLibContextOut->AddressPointerCount = sizeof (mAuthVarAddressPointer) / sizeof (mAuthVarAddressPointer[0]);

 

+  //

+  // Cache UserPhysicalPresent State. 

+  // Platform should report PhysicalPresent before this point

+  //

+  mUserPhysicalPresent = UserPhysicalPresent();

+

   return Status;

 }