diff options
Diffstat (limited to 'SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c')
| -rw-r--r-- | SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c | 65 |
1 files changed, 43 insertions, 22 deletions
diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c index c84a2f62d3..22ded16819 100644 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c @@ -718,17 +718,19 @@ Reclaim ( /**
Find the variable in the specified variable store.
- @param VariableName Name of the variable to be found
- @param VendorGuid Vendor GUID to be found.
- @param PtrTrack Variable Track Pointer structure that contains Variable Information.
+ @param[in] VariableName Name of the variable to be found
+ @param[in] VendorGuid Vendor GUID to be found.
+ @param[in] IgnoreRtAttribute Ignore RUNTIME_ACCESS attribute when searching variable.
+ @param[in, out] PtrTrack Variable Track Pointer structure that contains Variable Information.
- @retval EFI_SUCCESS Variable found successfully
- @retval EFI_NOT_FOUND Variable not found
+ @retval EFI_SUCCESS Variable found successfully
+ @retval EFI_NOT_FOUND Variable not found
**/
EFI_STATUS
FindVariableEx (
IN CHAR16 *VariableName,
IN EFI_GUID *VendorGuid,
+ IN BOOLEAN IgnoreRtAttribute,
IN OUT VARIABLE_POINTER_TRACK *PtrTrack
)
{
@@ -747,7 +749,7 @@ FindVariableEx ( if (PtrTrack->CurrPtr->State == VAR_ADDED ||
PtrTrack->CurrPtr->State == (VAR_IN_DELETED_TRANSITION & VAR_ADDED)
) {
- if (!AtRuntime () || ((PtrTrack->CurrPtr->Attributes & EFI_VARIABLE_RUNTIME_ACCESS) != 0)) {
+ if (IgnoreRtAttribute || !AtRuntime () || ((PtrTrack->CurrPtr->Attributes & EFI_VARIABLE_RUNTIME_ACCESS) != 0)) {
if (VariableName[0] == 0) {
if (PtrTrack->CurrPtr->State == (VAR_IN_DELETED_TRANSITION & VAR_ADDED)) {
InDeletedVariable = PtrTrack->CurrPtr;
@@ -783,15 +785,18 @@ FindVariableEx ( This code finds variable in storage blocks of volatile and non-volatile storage areas.
If VariableName is an empty string, then we just return the first
qualified variable without comparing VariableName and VendorGuid.
- Otherwise, VariableName and VendorGuid are compared.
+ If IgnoreRtAttribute is TRUE, then we ignore the EFI_VARIABLE_RUNTIME_ACCESS Attribute
+ when searching existing variable, only VariableName and VendorGuid are compared.
+ Otherwise, variables with EFI_VARIABLE_RUNTIME_ACCESS are not visible at runtime.
- @param VariableName Name of the variable to be found.
- @param VendorGuid Vendor GUID to be found.
- @param PtrTrack VARIABLE_POINTER_TRACK structure for output,
+ @param[in] VariableName Name of the variable to be found.
+ @param[in] VendorGuid Vendor GUID to be found.
+ @param[out] PtrTrack VARIABLE_POINTER_TRACK structure for output,
including the range searched and the target position.
- @param Global Pointer to VARIABLE_GLOBAL structure, including
+ @param[in] Global Pointer to VARIABLE_GLOBAL structure, including
base of volatile variable storage area, base of
NV variable storage area, and a lock.
+ @param[in] IgnoreRtAttribute Ignore RUNTIME_ACCESS attribute when searching variable.
@retval EFI_INVALID_PARAMETER If VariableName is not an empty string, while
VendorGuid is NULL.
@@ -804,7 +809,8 @@ FindVariable ( IN CHAR16 *VariableName,
IN EFI_GUID *VendorGuid,
OUT VARIABLE_POINTER_TRACK *PtrTrack,
- IN VARIABLE_GLOBAL *Global
+ IN VARIABLE_GLOBAL *Global,
+ IN BOOLEAN IgnoreRtAttribute
)
{
EFI_STATUS Status;
@@ -836,7 +842,7 @@ FindVariable ( PtrTrack->EndPtr = GetEndPointer (VariableStoreHeader[Type]);
PtrTrack->Volatile = (BOOLEAN) (Type == VariableStoreTypeVolatile);
- Status = FindVariableEx (VariableName, VendorGuid, PtrTrack);
+ Status = FindVariableEx (VariableName, VendorGuid, IgnoreRtAttribute, PtrTrack);
if (!EFI_ERROR (Status)) {
return Status;
}
@@ -1238,7 +1244,7 @@ AutoUpdateLangVariable ( // Update Lang if PlatformLang is already set
// Update PlatformLang if Lang is already set
//
- Status = FindVariable (L"PlatformLang", &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal);
+ Status = FindVariable (L"PlatformLang", &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
if (!EFI_ERROR (Status)) {
//
// Update Lang
@@ -1247,7 +1253,7 @@ AutoUpdateLangVariable ( Data = GetVariableDataPtr (Variable.CurrPtr);
DataSize = Variable.CurrPtr->DataSize;
} else {
- Status = FindVariable (L"Lang", &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal);
+ Status = FindVariable (L"Lang", &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
if (!EFI_ERROR (Status)) {
//
// Update PlatformLang
@@ -1292,7 +1298,7 @@ AutoUpdateLangVariable ( //
// Successfully convert PlatformLang to Lang, and set the BestLang value into Lang variable simultaneously.
//
- FindVariable (L"Lang", &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal);
+ FindVariable (L"Lang", &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
Status = UpdateVariable (L"Lang", &gEfiGlobalVariableGuid, BestLang,
ISO_639_2_ENTRY_SIZE + 1, Attributes, 0, 0, &Variable, NULL);
@@ -1326,7 +1332,7 @@ AutoUpdateLangVariable ( //
// Successfully convert Lang to PlatformLang, and set the BestPlatformLang value into PlatformLang variable simultaneously.
//
- FindVariable (L"PlatformLang", &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal);
+ FindVariable (L"PlatformLang", &gEfiGlobalVariableGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
Status = UpdateVariable (L"PlatformLang", &gEfiGlobalVariableGuid, BestPlatformLang,
AsciiStrSize (BestPlatformLang), Attributes, 0, 0, &Variable, NULL);
@@ -1456,6 +1462,14 @@ UpdateVariable ( Status = EFI_INVALID_PARAMETER;
goto Done;
}
+
+ //
+ // Only variable that have RT attributes can be updated/deleted in Runtime.
+ //
+ if ((Variable->CurrPtr->Attributes & EFI_VARIABLE_RUNTIME_ACCESS) == 0) {
+ Status = EFI_INVALID_PARAMETER;
+ goto Done;
+ }
}
//
@@ -1905,7 +1919,7 @@ VariableServiceGetVariable ( AcquireLockOnlyAtBootTime(&mVariableModuleGlobal->VariableGlobal.VariableServicesLock);
- Status = FindVariable (VariableName, VendorGuid, &Variable, &mVariableModuleGlobal->VariableGlobal);
+ Status = FindVariable (VariableName, VendorGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
if (Variable.CurrPtr == NULL || EFI_ERROR (Status)) {
goto Done;
}
@@ -1980,7 +1994,7 @@ VariableServiceGetNextVariableName ( AcquireLockOnlyAtBootTime(&mVariableModuleGlobal->VariableGlobal.VariableServicesLock);
- Status = FindVariable (VariableName, VendorGuid, &Variable, &mVariableModuleGlobal->VariableGlobal);
+ Status = FindVariable (VariableName, VendorGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, FALSE);
if (Variable.CurrPtr == NULL || EFI_ERROR (Status)) {
goto Done;
}
@@ -2057,6 +2071,7 @@ VariableServiceGetNextVariableName ( Status = FindVariableEx (
GetVariableNamePtr (Variable.CurrPtr),
&Variable.CurrPtr->VendorGuid,
+ FALSE,
&VariableInHob
);
if (!EFI_ERROR (Status)) {
@@ -2220,8 +2235,13 @@ VariableServiceSetVariable ( //
// Check whether the input variable is already existed.
//
- FindVariable (VariableName, VendorGuid, &Variable, &mVariableModuleGlobal->VariableGlobal);
-
+ Status = FindVariable (VariableName, VendorGuid, &Variable, &mVariableModuleGlobal->VariableGlobal, TRUE);
+ if (!EFI_ERROR (Status)) {
+ if (((Variable.CurrPtr->Attributes & EFI_VARIABLE_RUNTIME_ACCESS) == 0) && AtRuntime ()) {
+ return EFI_WRITE_PROTECTED;
+ }
+ }
+
//
// Hook the operation of setting PlatformLangCodes/PlatformLang and LangCodes/Lang.
//
@@ -2233,7 +2253,8 @@ VariableServiceSetVariable ( Status = ProcessVarWithPk (VariableName, VendorGuid, Data, DataSize, &Variable, Attributes, TRUE);
} else if (CompareGuid (VendorGuid, &gEfiGlobalVariableGuid) && (StrCmp (VariableName, EFI_KEY_EXCHANGE_KEY_NAME) == 0)) {
Status = ProcessVarWithPk (VariableName, VendorGuid, Data, DataSize, &Variable, Attributes, FALSE);
- } else if (CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid) && ((Attributes & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) == 0)) {
+ } else if (CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid) &&
+ ((StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0) || (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE1) == 0))) {
Status = ProcessVarWithKek (VariableName, VendorGuid, Data, DataSize, &Variable, Attributes);
} else {
Status = ProcessVariable (VariableName, VendorGuid, Data, DataSize, &Variable, Attributes);
|