Please sign in to comment.
MdeModulePkg/Variable/RuntimeDxe: delay MorLock creation until EndOfDxe
The "MemoryOverwriteRequestControl" (a.k.a. MOR) variable comes from the "TCG Platform Reset Attack Mitigation Specification": https://www.trustedcomputinggroup.org/wp-content/uploads/Platform-Reset-Attack-Mitigation-Specification.pdf The "MemoryOverwriteRequestControlLock" variable (a.k.a. MORL) is a Microsoft extension, called "Secure MOR implementation": https://docs.microsoft.com/en-us/windows-hardware/drivers/bringup/device-guard-requirements Currently the VariableSmm driver creates MORL without regard to MOR. This can lead to a situation where a platform does not support MOR from the prerequisite spec (because it does not include the "SecurityPkg/Tcg/MemoryOverwriteControl/TcgMor.inf" driver), but appears to support MORL from the dependent Microsoft spec. "winload.efi" notices this inconsistency, and disables the Device Guard Virtualization Based Security in Windows Server 2016 and Windows 10 64-bit Enterprise. If the platform includes "SecurityPkg/Tcg/MemoryOverwriteControl/TcgMor.inf", then MOR will exist by the time EndOfDxe is reached, and VariableSmm can safely create MORL. Otherwise, do not create MORL (delete it if it exists), and also prevent other modules from creating it. Cc: Eric Dong <email@example.com> Cc: Jiewen Yao <firstname.lastname@example.org> Cc: Ladi Prosek <email@example.com> Cc: Star Zeng <firstname.lastname@example.org> Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=727 Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1496170 Reported-by: Ladi Prosek <email@example.com> Suggested-by: Jiewen Yao <firstname.lastname@example.org> Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Laszlo Ersek <email@example.com> Reviewed-by: Jiewen Yao <firstname.lastname@example.org> Tested-by: Ladi Prosek <email@example.com>
- Loading branch information...
Showing with 58 additions and 5 deletions.