SecurityPkg: Replace VariableLock with VariablePolicy Since VariableLock compromises security in the SMM environment, it is deprecated. Used VariablePolicy instead for stronger and more flexible UEFI variable protection. Ref: [acd66e4] Cc: Sachin Ganesh <sachinganesh@ami.com> Signed-off-by: Sathya Ravichandran <sathyar@ami.com>
diff --git a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c index de4f5e5..93137c3 100644 --- a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c +++ b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
@@ -15,7 +15,7 @@ #include <PiDxe.h> #include <Protocol/Tcg2Protocol.h> -#include <Protocol/VariableLock.h> +#include <Library/VariablePolicyHelperLib.h> #include <Library/DebugLib.h> #include <Library/BaseMemoryLib.h> #include <Library/UefiRuntimeServicesTableLib.h> @@ -918,20 +918,26 @@ EFI_STATUS Status; UINTN DataSize; EFI_TCG2_PHYSICAL_PRESENCE TcgPpData; - EDKII_VARIABLE_LOCK_PROTOCOL *VariableLockProtocol; + EDKII_VARIABLE_POLICY_PROTOCOL *VariablePolicyProtocol; EFI_TCG2_PHYSICAL_PRESENCE_FLAGS PpiFlags; // // This flags variable controls whether physical presence is required for TPM command. // It should be protected from malicious software. We set it as read-only variable here. // - Status = gBS->LocateProtocol (&gEdkiiVariableLockProtocolGuid, NULL, (VOID **)&VariableLockProtocol); + Status = gBS->LocateProtocol (&gEdkiiVariablePolicyProtocolGuid, NULL, (VOID **)&VariablePolicyProtocol); if (!EFI_ERROR (Status)) { - Status = VariableLockProtocol->RequestToLock ( - VariableLockProtocol, - TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE, - &gEfiTcg2PhysicalPresenceGuid - ); + Status = RegisterBasicVariablePolicy ( + VariablePolicyProtocol, + &gEfiTcg2PhysicalPresenceGuid, + TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE, + VARIABLE_POLICY_NO_MIN_SIZE, + VARIABLE_POLICY_NO_MAX_SIZE, + VARIABLE_POLICY_NO_MUST_ATTR, + VARIABLE_POLICY_NO_CANT_ATTR, + VARIABLE_POLICY_TYPE_LOCK_NOW + ); + if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "[TPM2] Error when lock variable %s, Status = %r\n", TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE, Status)); ASSERT_EFI_ERROR (Status);
diff --git a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf index e1c7c20..4ee1309 100644 --- a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf +++ b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf
@@ -50,10 +50,11 @@ HobLib Tpm2CommandLib Tcg2PpVendorLib + VariablePolicyHelperLib [Protocols] gEfiTcg2ProtocolGuid ## SOMETIMES_CONSUMES - gEdkiiVariableLockProtocolGuid ## SOMETIMES_CONSUMES + gEdkiiVariablePolicyProtocolGuid ## SOMETIMES_CONSUMES [Pcd] gEfiSecurityPkgTokenSpaceGuid.PcdTcg2PhysicalPresenceFlags ## SOMETIMES_CONSUMES
diff --git a/SecurityPkg/Library/DxeTcgPhysicalPresenceLib/DxeTcgPhysicalPresenceLib.c b/SecurityPkg/Library/DxeTcgPhysicalPresenceLib/DxeTcgPhysicalPresenceLib.c index 597ce77..6e81a18 100644 --- a/SecurityPkg/Library/DxeTcgPhysicalPresenceLib/DxeTcgPhysicalPresenceLib.c +++ b/SecurityPkg/Library/DxeTcgPhysicalPresenceLib/DxeTcgPhysicalPresenceLib.c
@@ -16,7 +16,7 @@ #include <PiDxe.h> #include <Protocol/TcgService.h> -#include <Protocol/VariableLock.h> +#include <Library/VariablePolicyHelperLib.h> #include <Library/DebugLib.h> #include <Library/BaseMemoryLib.h> #include <Library/UefiRuntimeServicesTableLib.h> @@ -1183,14 +1183,14 @@ VOID ) { - EFI_STATUS Status; - BOOLEAN LifetimeLock; - BOOLEAN CmdEnable; - UINTN DataSize; - EFI_PHYSICAL_PRESENCE TcgPpData; - EFI_TCG_PROTOCOL *TcgProtocol; - EDKII_VARIABLE_LOCK_PROTOCOL *VariableLockProtocol; - EFI_PHYSICAL_PRESENCE_FLAGS PpiFlags; + EFI_STATUS Status; + BOOLEAN LifetimeLock; + BOOLEAN CmdEnable; + UINTN DataSize; + EFI_PHYSICAL_PRESENCE TcgPpData; + EFI_TCG_PROTOCOL *TcgProtocol; + EDKII_VARIABLE_POLICY_PROTOCOL *VariablePolicyProtocol; + EFI_PHYSICAL_PRESENCE_FLAGS PpiFlags; Status = gBS->LocateProtocol (&gEfiTcgProtocolGuid, NULL, (VOID **)&TcgProtocol); if (EFI_ERROR (Status)) { @@ -1229,13 +1229,19 @@ // This flags variable controls whether physical presence is required for TPM command. // It should be protected from malicious software. We set it as read-only variable here. // - Status = gBS->LocateProtocol (&gEdkiiVariableLockProtocolGuid, NULL, (VOID **)&VariableLockProtocol); + Status = gBS->LocateProtocol (&gEdkiiVariablePolicyProtocolGuid, NULL, (VOID **)&VariablePolicyProtocol); if (!EFI_ERROR (Status)) { - Status = VariableLockProtocol->RequestToLock ( - VariableLockProtocol, - PHYSICAL_PRESENCE_FLAGS_VARIABLE, - &gEfiPhysicalPresenceGuid - ); + Status = RegisterBasicVariablePolicy ( + VariablePolicyProtocol, + &gEfiPhysicalPresenceGuid, + PHYSICAL_PRESENCE_FLAGS_VARIABLE, + VARIABLE_POLICY_NO_MIN_SIZE, + VARIABLE_POLICY_NO_MAX_SIZE, + VARIABLE_POLICY_NO_MUST_ATTR, + VARIABLE_POLICY_NO_CANT_ATTR, + VARIABLE_POLICY_TYPE_LOCK_NOW + ); + if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "[TPM] Error when lock variable %s, Status = %r\n", PHYSICAL_PRESENCE_FLAGS_VARIABLE, Status)); ASSERT_EFI_ERROR (Status);
diff --git a/SecurityPkg/Library/DxeTcgPhysicalPresenceLib/DxeTcgPhysicalPresenceLib.inf b/SecurityPkg/Library/DxeTcgPhysicalPresenceLib/DxeTcgPhysicalPresenceLib.inf index cfe14f2..a597d8c 100644 --- a/SecurityPkg/Library/DxeTcgPhysicalPresenceLib/DxeTcgPhysicalPresenceLib.inf +++ b/SecurityPkg/Library/DxeTcgPhysicalPresenceLib/DxeTcgPhysicalPresenceLib.inf
@@ -50,10 +50,11 @@ PrintLib HiiLib TcgPpVendorLib + VariablePolicyHelperLib [Protocols] gEfiTcgProtocolGuid ## SOMETIMES_CONSUMES - gEdkiiVariableLockProtocolGuid ## SOMETIMES_CONSUMES + gEdkiiVariablePolicyProtocolGuid ## SOMETIMES_CONSUMES [Guids] ## SOMETIMES_CONSUMES ## HII