From 92fd5da3ddd3f29855ef54a9c6971eb2d58c7c8e Mon Sep 17 00:00:00 2001 From: "Zhang, Chao B" Date: Mon, 27 Jun 2016 11:10:07 +0800 Subject: SecurityPkg: AuthVariableLib: Cache UserPhysicalPresent in AuthVariableLib AuthVariableLib is updated to cache the UserPhysicalPresent state to global variable. This avoids calling PlatformSecureLib during runtime and makes PhysicalPresent state consistent during one boot. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Chao Zhang Reviewed-by: Yao Jiewen Reviewed-by: Star Zeng (cherry picked from commit 90fa53213ec458b5c4f8851c09aeb3de977531e5) --- SecurityPkg/Library/AuthVariableLib/AuthService.c | 8 ++++---- SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h | 1 + SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c | 7 +++++++ 3 files changed, 12 insertions(+), 4 deletions(-) (limited to 'SecurityPkg/Library') diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPkg/Library/AuthVariableLib/AuthService.c index 1f9ba15384..0dd62b0741 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c @@ -928,7 +928,7 @@ ProcessVarWithPk ( } Del = FALSE; - if ((InCustomMode() && UserPhysicalPresent()) || (mPlatformMode == SETUP_MODE && !IsPk)) { + if ((InCustomMode() && mUserPhysicalPresent) || (mPlatformMode == SETUP_MODE && !IsPk)) { Payload = (UINT8 *) Data + AUTHINFO2_SIZE (Data); PayloadSize = DataSize - AUTHINFO2_SIZE (Data); if (PayloadSize == 0) { @@ -1046,7 +1046,7 @@ ProcessVarWithKek ( } Status = EFI_SUCCESS; - if (mPlatformMode == USER_MODE && !(InCustomMode() && UserPhysicalPresent())) { + if (mPlatformMode == USER_MODE && !(InCustomMode() && mUserPhysicalPresent)) { // // Time-based, verify against X509 Cert KEK. // @@ -1201,7 +1201,7 @@ ProcessVariable ( &OrgVariableInfo ); - if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable (OrgVariableInfo.Attributes, Data, DataSize, Attributes) && UserPhysicalPresent()) { + if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable (OrgVariableInfo.Attributes, Data, DataSize, Attributes) && mUserPhysicalPresent) { // // Allow the delete operation of common authenticated variable at user physical presence. // @@ -1219,7 +1219,7 @@ ProcessVariable ( return Status; } - if (NeedPhysicallyPresent (VariableName, VendorGuid) && !UserPhysicalPresent()) { + if (NeedPhysicallyPresent (VariableName, VendorGuid) && !mUserPhysicalPresent) { // // This variable is protected, only physical present user could modify its value. // diff --git a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h index add05c21cc..4d6915bcaa 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h +++ b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h @@ -125,6 +125,7 @@ extern UINT8 *mCertDbStore; extern UINT32 mMaxCertDbSize; extern UINT32 mPlatformMode; extern UINT8 mVendorKeyState; +extern BOOLEAN mUserPhysicalPresent; extern VOID *mHashCtx; diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c index 00ec1710fc..69eac134cb 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c @@ -35,6 +35,7 @@ UINT8 *mCertDbStore; UINT32 mMaxCertDbSize; UINT32 mPlatformMode; UINT8 mVendorKeyState; +BOOLEAN mUserPhysicalPresent; EFI_GUID mSignatureSupport[] = {EFI_CERT_SHA1_GUID, EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID, EFI_CERT_X509_GUID}; @@ -407,6 +408,12 @@ AuthVariableLibInitialize ( AuthVarLibContextOut->AddressPointer = mAuthVarAddressPointer; AuthVarLibContextOut->AddressPointerCount = sizeof (mAuthVarAddressPointer) / sizeof (mAuthVarAddressPointer[0]); + // + // Cache UserPhysicalPresent State. + // Platform should report PhysicalPresent before this point + // + mUserPhysicalPresent = UserPhysicalPresent(); + return Status; } -- cgit v1.2.3