From 9807ab9f7ef6a1f0ba6c977f6758a17e84e00b69 Mon Sep 17 00:00:00 2001
From: "brbarkel@microsoft.com"
Date: Wed, 4 May 2022 21:45:16 -0700
Subject: [PATCH] Create a VarCheckPolicyLib for RuntimeDxe
---
 .../VarCheckPolicyLibVariableDxe.c | 65 +++++++++++++++++++
 .../VarCheckPolicyLibVariableDxe.inf | 31 +++++++++
 MdeModulePkg/MdeModulePkg.dsc | 1 +
 3 files changed, 97 insertions(+)
 create mode 100644 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLibVariableDxe.c
 create mode 100644 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLibVariableDxe.inf
diff --git a/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLibVariableDxe.c b/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLibVariableDxe.c
new file mode 100644
index 0000000000..631e94d168
--- /dev/null
+++ b/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLibVariableDxe.c
@@ -0,0 +1,65 @@
+/** @file -- VarCheckPolicyLib.c
+This is a NULL library instance that leverages the VarCheck interface
+and the business logic behind the VariablePolicy code to make its decisions.
+
+Copyright (c) Microsoft Corporation.
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include
+#include
+#include
+
+#include
+
+// ================================================
+// As a VarCheck library, we're linked into the VariableServices
+// and may not be able to call them indirectly. To get around this,
+// use the internal GetVariable function to query the variable store.
+// ================================================
+EFI_STATUS
+EFIAPI
+VariableServiceGetVariable (
+ IN CHAR16 *VariableName,
+ IN EFI_GUID *VendorGuid,
+ OUT UINT32 *Attributes OPTIONAL,
+ IN OUT UINTN *DataSize,
+ OUT VOID *Data
+ );
+
+/**
+ Simple constructor function of VarCheckPolicyLib
+
+ @param[in] ImageHandle The firmware allocated handle for the EFI image.
+ @param[in] SystemTable A pointer to the EFI System Table.
+
+ @retval EFI_SUCCESS The constructor executed correctly.
+
+**/
+EFI_STATUS
+EFIAPI
+VarCheckPolicyLibConstructor (
+ IN EFI_HANDLE ImageHandle,
+ IN EFI_SYSTEM_TABLE *SystemTable
+ )
+{
+ EFI_STATUS Status;
+
+ // Initialize the business logic with the internal GetVariable handler.
+ Status = InitVariablePolicyLib (VariableServiceGetVariable);
+
+ // Only proceed with init if the business logic could be initialized.
+ if (!EFI_ERROR (Status)) {
+ // Register the VarCheck handler for SetVariable filtering.
+ // Forward the check to the business logic of the library.
+ VarCheckLibRegisterSetVariableCheckHandler (ValidateSetVariable);
+ }
+ // Otherwise, there's not much we can do.
+ else {
+ DEBUG ((DEBUG_ERROR, "%a - Cannot Initialize VariablePolicyLib! %r\n", __FUNCTION__, Status));
+ ASSERT_EFI_ERROR (Status);
+ }
+
+ return Status;
+}
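Review bot: The return value of `VarCheckLibRegisterSetVariableCheckHandler (ValidateSetVariable)` in `VarCheckPolicyLibConstructor` is discarded, so a failed registration still returns `EFI_SUCCESS` while no SetVariable policy check is installed. In the VarCheckLib interface that call returns an `EFI_STATUS`; assign it with `Status = VarCheckLibRegisterSetVariableCheckHandler (ValidateSetVariable);` and test `Status` once after both calls, so the existing `DEBUG`/`ASSERT_EFI_ERROR` path covers a registration failure too. The failure path relies on `ASSERT_EFI_ERROR`, which is normally compiled out of release builds, and whether a non-success constructor status stops the variable driver is decided by the caller outside this patch; if it does not, policy enforcement fails open, and the `@retval` list should say so and list the error returns. The file header also still reads `@file -- VarCheckPolicyLib.c` although this file is `VarCheckPolicyLibVariableDxe.c`.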
diff --git a/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLibVariableDxe.inf b/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLibVariableDxe.inf
new file mode 100644
index 0000000000..828273e112
--- /dev/null
+++ b/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLibVariableDxe.inf
@@ -0,0 +1,31 @@
+## @file VarCheckPolicyLib.inf
+# This is an instance of a VarCheck lib that leverages the business logic behind
+# the VariablePolicy code to make its decisions.
+#
+# Copyright (c) Microsoft Corporation.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = VarCheckPolicyLibVariableDxe
+ FILE_GUID = C17DF9DB-A744-4011-A796-4EDA2ED97C2F
+ MODULE_TYPE = DXE_RUNTIME_DRIVER
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = NULL|DXE_RUNTIME_DRIVER
+ CONSTRUCTOR = VarCheckPolicyLibConstructor
+
+
+[Sources]
+ VarCheckPolicyLibVariableDxe.c
+
+
+[Packages]
+ MdePkg/MdePkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+
+
+[LibraryClasses]
+ DebugLib
+ VarCheckLib
+ VariablePolicyLib
diff --git a/MdeModulePkg/MdeModulePkg.dsc b/MdeModulePkg/MdeModulePkg.dsc
index 5ea411f274..16750b428b 100644
--- a/MdeModulePkg/MdeModulePkg.dsc
+++ b/MdeModulePkg/MdeModulePkg.dsc
@@ -395,6 +395,7 @@
 MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf
+ MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLibVariableDxe.inf # MU_CHANGE
 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf
 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLibStandaloneMm.inf
 MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
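Review bot: Nothing in `VarCheckPolicyLibVariableDxe.inf` records that this instance only links inside the variable driver. The C file declares `VariableServiceGetVariable` itself and expects the host module to supply it, while `LIBRARY_CLASS = NULL|DXE_RUNTIME_DRIVER` allows the library to be attached to any runtime driver. A header comment such as `# Link only into the Variable runtime DXE driver, which provides VariableServiceGetVariable().` would state that constraint where integrators will look for it. The `## @file VarCheckPolicyLib.inf` line should also name this file, `VarCheckPolicyLibVariableDxe.inf`.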