[edk2-devel] [PATCH v3 00/28] UEFI variable protection
Judah Vang
judah.vang at intel.com
Thu Jun 9 06:02:54 UTC 2022
For a more detail description of the UEFI variable protected feature you can
view the Readme.md located at the following location:
https://github.com/judahvang/edk2/tree/rpmc-update
Patch 08 - Update GetNvVariableStore() to call GetVariableFlashNvStorageInfo()
and SafeUint64ToUint32().
Patch 09 - Fix 'NextVariableStore' parameter for CopyMem. It was causing
an exception. Need to correctly cast 'NextVariableStore' so all platforms
build. Add code to initialize 'ContextIn' structure in SmmVariableReady()
to fix issue with NULL function pointer.
Patch 16 - Change AllocateZeroPool() with AllocatePages() and FreePool()
with FreePages(). FreePool() is not supported in PEI phase so this was
causing a memory leak. Reverse the order of the FreePages() call.
Patch 17 - Change placement of buffer used for confidentiality crypto
operation to fix an issue when enabling confidentiality. Remove unneeded
increment of monotonic counter.
Patch 28 - Fix build issue when DiSABLE_SHA1_DEPRECATED_INTERFACES
is defined. Percolate the #ifndef DiSABLE_SHA1_DEPRECATED_INTERFACES
to all the Sha1 functions. Replace AllocatePool() with
AllocatePages() and FreePool() with FreePages() because
FreePool() is not supported in PEI phase. FreePool() does not
free the allocated pool in PEI phase causing a memory leak.
Judah Vang (28):
MdeModulePkg: Add new GUID for Variable Store Info
SecurityPkg: Add new GUIDs for
MdeModulePkg: Update AUTH_VARIABLE_INFO struct
MdeModulePkg: Add reference to new Ppi Guid
MdeModulePkg: Add new ProtectedVariable GUIDs
MdeModulePkg: Add new include files
MdeModulePkg: Add Null ProtectedVariable Library
MdeModulePkg: Add new Variable functionality
MdeModulePkg: Add support for Protected Variables
SecurityPkg: Add new KeyService types and defines
SecurityPkg: Update RPMC APIs with index
SecurityPkg: Add new variable types and functions
SecurityPkg: Fix GetVariableKey API
SecurityPkg: Add null encryption variable libs
SecurityPkg: Add VariableKey library function
SecurityPkg: Add EncryptionVariable lib with AES
SecurityPkg: Add Protected Variable Services
MdeModulePkg: Reference Null ProtectedVariableLib
SecurityPkg: Add references to new *.inf files
ArmVirtPkg: Add reference to ProtectedVariableNull
UefiPayloadPkg: Add ProtectedVariable reference
EmulatorPkg: Add ProtectedVariable reference
OvmfPkg: Add ProtectedVariable reference
OvmfPkg: Add ProtectedVariableLib reference
OvmfPkg: Add ProtectedVariableLib reference
OvmfPkg: Add ProtectedVariableLib reference
OvmfPkg: Add ProtectedVariable reference
CryptoPkg: Enable cypto HMAC KDF and AES library
MdeModulePkg/MdeModulePkg.dec | 13 +-
SecurityPkg/SecurityPkg.dec | 43 +-
ArmVirtPkg/ArmVirtQemu.dsc | 3 +-
EmulatorPkg/EmulatorPkg.dsc | 3 +-
MdeModulePkg/MdeModulePkg.dsc | 4 +-
OvmfPkg/AmdSev/AmdSevX64.dsc | 3 +-
OvmfPkg/Bhyve/BhyveX64.dsc | 3 +-
OvmfPkg/CloudHv/CloudHvX64.dsc | 1 +
OvmfPkg/Microvm/MicrovmX64.dsc | 3 +-
OvmfPkg/OvmfPkgIa32.dsc | 1 +
OvmfPkg/OvmfPkgIa32X64.dsc | 1 +
OvmfPkg/OvmfPkgX64.dsc | 1 +
OvmfPkg/OvmfXen.dsc | 3 +-
SecurityPkg/SecurityPkg.dsc | 13 +-
UefiPayloadPkg/UefiPayloadPkg.dsc | 2 +
CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf | 2 +-
CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf | 2 +-
MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf | 34 +
MdeModulePkg/Universal/Variable/Pei/VariablePei.inf | 10 +-
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf | 3 +-
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf | 3 +-
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf | 4 +-
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf | 3 +-
SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf | 43 +
SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf | 38 +
SecurityPkg/Library/ProtectedVariableLib/DxeProtectedVariableLib.inf | 64 +
SecurityPkg/Library/ProtectedVariableLib/PeiProtectedVariableLib.inf | 68 +
SecurityPkg/Library/ProtectedVariableLib/SmmProtectedVariableLib.inf | 67 +
SecurityPkg/Library/ProtectedVariableLib/SmmRuntimeProtectedVariableLib.inf | 62 +
SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf | 36 +
MdeModulePkg/Include/Guid/ProtectedVariable.h | 22 +
MdeModulePkg/Include/Library/AuthVariableLib.h | 4 +-
MdeModulePkg/Include/Library/EncryptionVariableLib.h | 165 ++
MdeModulePkg/Include/Library/ProtectedVariableLib.h | 700 +++++++
MdeModulePkg/Universal/Variable/Pei/Variable.h | 80 +-
MdeModulePkg/Universal/Variable/Pei/VariableParsing.h | 309 +++
MdeModulePkg/Universal/Variable/Pei/VariableStore.h | 116 ++
MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.h | 127 +-
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableParsing.h | 91 +-
MdePkg/Include/Ppi/ReadOnlyVariable2.h | 4 +-
SecurityPkg/Include/Library/RpmcLib.h | 15 +-
SecurityPkg/Include/Library/VariableKeyLib.h | 37 +-
SecurityPkg/Include/Ppi/KeyServicePpi.h | 57 +
SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h | 49 +
SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableInternal.h | 611 ++++++
CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c | 11 +-
CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c | 14 +-
MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c | 449 ++++
MdeModulePkg/Universal/Variable/Pei/Variable.c | 890 ++------
MdeModulePkg/Universal/Variable/Pei/VariableParsing.c | 941 +++++++++
MdeModulePkg/Universal/Variable/Pei/VariableStore.c | 307 +++
MdeModulePkg/Universal/Variable/RuntimeDxe/Reclaim.c | 349 +++-
MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c | 2142 +++++++++++---------
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c | 26 +-
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableExLib.c | 167 +-
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableNonVolatile.c | 194 +-
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableParsing.c | 320 ++-
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeCache.c | 2 +-
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c | 39 +-
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c | 67 +-
SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.c | 734 +++++++
SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c | 107 +
SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableCommon.c | 2103 +++++++++++++++++++
SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableDxe.c | 163 ++
SecurityPkg/Library/ProtectedVariableLib/ProtectedVariablePei.c | 1327 ++++++++++++
SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmm.c | 209 ++
SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmmDxeCommon.c | 967 +++++++++
SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmmRuntime.c | 233 +++
SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c | 8 +-
SecurityPkg/Library/VariableKeyLib/VariableKeyLib.c | 59 +
SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c | 6 +-
SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.uni | 16 +
72 files changed, 12899 insertions(+), 1874 deletions(-)
create mode 100644 MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf
create mode 100644 SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf
create mode 100644 SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf
create mode 100644 SecurityPkg/Library/ProtectedVariableLib/DxeProtectedVariableLib.inf
create mode 100644 SecurityPkg/Library/ProtectedVariableLib/PeiProtectedVariableLib.inf
create mode 100644 SecurityPkg/Library/ProtectedVariableLib/SmmProtectedVariableLib.inf
create mode 100644 SecurityPkg/Library/ProtectedVariableLib/SmmRuntimeProtectedVariableLib.inf
create mode 100644 SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf
create mode 100644 MdeModulePkg/Include/Guid/ProtectedVariable.h
create mode 100644 MdeModulePkg/Include/Library/EncryptionVariableLib.h
create mode 100644 MdeModulePkg/Include/Library/ProtectedVariableLib.h
create mode 100644 MdeModulePkg/Universal/Variable/Pei/VariableParsing.h
create mode 100644 MdeModulePkg/Universal/Variable/Pei/VariableStore.h
create mode 100644 SecurityPkg/Include/Ppi/KeyServicePpi.h
create mode 100644 SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h
create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableInternal.h
create mode 100644 MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c
create mode 100644 MdeModulePkg/Universal/Variable/Pei/VariableParsing.c
create mode 100644 MdeModulePkg/Universal/Variable/Pei/VariableStore.c
create mode 100644 SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.c
create mode 100644 SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c
create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableCommon.c
create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableDxe.c
create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariablePei.c
create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmm.c
create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmmDxeCommon.c
create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmmRuntime.c
create mode 100644 SecurityPkg/Library/VariableKeyLib/VariableKeyLib.c
create mode 100644 SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.uni
--
2.35.1.windows.2
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90353): https://edk2.groups.io/g/devel/message/90353
Mute This Topic: https://groups.io/mt/91640182/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
More information about the edk2-devel-archive
mailing list