Create a VarCheckPolicyLib for RuntimeDxe

microsoft · May 9, 2023 · 9807ab9 · 9807ab9
1 parent 70f0b41
commit 9807ab9
Show file tree

Hide file tree

Showing 3 changed files with 97 additions and 0 deletions.
diff --git a/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLibVariableDxe.c b/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLibVariableDxe.c
@@ -0,0 +1,65 @@
+/** @file -- VarCheckPolicyLib.c
+This is a NULL library instance that leverages the VarCheck interface
+and the business logic behind the VariablePolicy code to make its decisions.
+
+Copyright (c) Microsoft Corporation.
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Uefi.h>
+#include <Library/VarCheckLib.h>
+#include <Library/DebugLib.h>
+
+#include <Library/VariablePolicyLib.h>
+
+// ================================================
+// As a VarCheck library, we're linked into the VariableServices
+// and may not be able to call them indirectly. To get around this,
+// use the internal GetVariable function to query the variable store.
+// ================================================
+EFI_STATUS
+EFIAPI
+VariableServiceGetVariable (
+  IN      CHAR16    *VariableName,
+  IN      EFI_GUID  *VendorGuid,
+  OUT     UINT32    *Attributes OPTIONAL,
+  IN OUT  UINTN     *DataSize,
+  OUT     VOID      *Data
+  );
+
+/**
+  Simple constructor function of VarCheckPolicyLib
+
+  @param[in] ImageHandle    The firmware allocated handle for the EFI image.
+  @param[in] SystemTable    A pointer to the EFI System Table.
+
+  @retval EFI_SUCCESS       The constructor executed correctly.
+
+**/
+EFI_STATUS
+EFIAPI
+VarCheckPolicyLibConstructor (
+  IN EFI_HANDLE        ImageHandle,
+  IN EFI_SYSTEM_TABLE  *SystemTable
+  )
+{
+  EFI_STATUS  Status;
+
+  // Initialize the business logic with the internal GetVariable handler.
+  Status = InitVariablePolicyLib (VariableServiceGetVariable);
+
+  // Only proceed with init if the business logic could be initialized.
+  if (!EFI_ERROR (Status)) {
+    // Register the VarCheck handler for SetVariable filtering.
+    // Forward the check to the business logic of the library.
+    VarCheckLibRegisterSetVariableCheckHandler (ValidateSetVariable);
+  }
+  // Otherwise, there's not much we can do.
+  else {
+    DEBUG ((DEBUG_ERROR, "%a - Cannot Initialize VariablePolicyLib! %r\n", __FUNCTION__, Status));
+    ASSERT_EFI_ERROR (Status);
+  }
+
+  return Status;
+}
diff --git a/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLibVariableDxe.inf b/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLibVariableDxe.inf
@@ -0,0 +1,31 @@
+## @file VarCheckPolicyLib.inf
+# This is an instance of a VarCheck lib that leverages the business logic behind
+# the VariablePolicy code to make its decisions.
+#
+# Copyright (c) Microsoft Corporation.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = VarCheckPolicyLibVariableDxe
+  FILE_GUID                      = C17DF9DB-A744-4011-A796-4EDA2ED97C2F
+  MODULE_TYPE                    = DXE_RUNTIME_DRIVER
+  VERSION_STRING                 = 1.0
+  LIBRARY_CLASS                  = NULL|DXE_RUNTIME_DRIVER
+  CONSTRUCTOR                    = VarCheckPolicyLibConstructor
+
+
+[Sources]
+  VarCheckPolicyLibVariableDxe.c
+
+
+[Packages]
+  MdePkg/MdePkg.dec
+  MdeModulePkg/MdeModulePkg.dec
+
+
+[LibraryClasses]
+  DebugLib
+  VarCheckLib
+  VariablePolicyLib
diff --git a/MdeModulePkg/MdeModulePkg.dsc b/MdeModulePkg/MdeModulePkg.dsc
@@ -395,6 +395,7 @@
   MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
   MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
   MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf
+  MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLibVariableDxe.inf     # MU_CHANGE
   MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf
   MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLibStandaloneMm.inf
   MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf