[v3] UEFI variable protection

[edk2-devel] [PATCH v3 00/28] UEFI variable protection

Judah Vang posted 28 patches 1 year, 11 months ago

Diff against v2 v4 v5
Download series mbox

Failed in applying to current master (apply log)

There is a newer version of this series

MdeModulePkg/MdeModulePkg.dec                                               |   13 +-
SecurityPkg/SecurityPkg.dec                                                 |   43 +-
ArmVirtPkg/ArmVirtQemu.dsc                                                  |    3 +-
EmulatorPkg/EmulatorPkg.dsc                                                 |    3 +-
MdeModulePkg/MdeModulePkg.dsc                                               |    4 +-
OvmfPkg/AmdSev/AmdSevX64.dsc                                                |    3 +-
OvmfPkg/Bhyve/BhyveX64.dsc                                                  |    3 +-
OvmfPkg/CloudHv/CloudHvX64.dsc                                              |    1 +
OvmfPkg/Microvm/MicrovmX64.dsc                                              |    3 +-
OvmfPkg/OvmfPkgIa32.dsc                                                     |    1 +
OvmfPkg/OvmfPkgIa32X64.dsc                                                  |    1 +
OvmfPkg/OvmfPkgX64.dsc                                                      |    1 +
OvmfPkg/OvmfXen.dsc                                                         |    3 +-
SecurityPkg/SecurityPkg.dsc                                                 |   13 +-
UefiPayloadPkg/UefiPayloadPkg.dsc                                           |    2 +
CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf                              |    2 +-
CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf                              |    2 +-
MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf  |   34 +
MdeModulePkg/Universal/Variable/Pei/VariablePei.inf                         |   10 +-
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf           |    3 +-
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf                  |    3 +-
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf        |    4 +-
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf         |    3 +-
SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf         |   43 +
SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf |   38 +
SecurityPkg/Library/ProtectedVariableLib/DxeProtectedVariableLib.inf        |   64 +
SecurityPkg/Library/ProtectedVariableLib/PeiProtectedVariableLib.inf        |   68 +
SecurityPkg/Library/ProtectedVariableLib/SmmProtectedVariableLib.inf        |   67 +
SecurityPkg/Library/ProtectedVariableLib/SmmRuntimeProtectedVariableLib.inf |   62 +
SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf                       |   36 +
MdeModulePkg/Include/Guid/ProtectedVariable.h                               |   22 +
MdeModulePkg/Include/Library/AuthVariableLib.h                              |    4 +-
MdeModulePkg/Include/Library/EncryptionVariableLib.h                        |  165 ++
MdeModulePkg/Include/Library/ProtectedVariableLib.h                         |  700 +++++++
MdeModulePkg/Universal/Variable/Pei/Variable.h                              |   80 +-
MdeModulePkg/Universal/Variable/Pei/VariableParsing.h                       |  309 +++
MdeModulePkg/Universal/Variable/Pei/VariableStore.h                         |  116 ++
MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.h                       |  127 +-
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableParsing.h                |   91 +-
MdePkg/Include/Ppi/ReadOnlyVariable2.h                                      |    4 +-
SecurityPkg/Include/Library/RpmcLib.h                                       |   15 +-
SecurityPkg/Include/Library/VariableKeyLib.h                                |   37 +-
SecurityPkg/Include/Ppi/KeyServicePpi.h                                     |   57 +
SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h              |   49 +
SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableInternal.h        |  611 ++++++
CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c                  |   11 +-
CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c                           |   14 +-
MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c           |  449 ++++
MdeModulePkg/Universal/Variable/Pei/Variable.c                              |  890 ++------
MdeModulePkg/Universal/Variable/Pei/VariableParsing.c                       |  941 +++++++++
MdeModulePkg/Universal/Variable/Pei/VariableStore.c                         |  307 +++
MdeModulePkg/Universal/Variable/RuntimeDxe/Reclaim.c                        |  349 +++-
MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c                       | 2142 +++++++++++---------
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c                    |   26 +-
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableExLib.c                  |  167 +-
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableNonVolatile.c            |  194 +-
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableParsing.c                |  320 ++-
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeCache.c           |    2 +-
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c                    |   39 +-
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c          |   67 +-
SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.c              |  734 +++++++
SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c          |  107 +
SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableCommon.c          | 2103 +++++++++++++++++++
SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableDxe.c             |  163 ++
SecurityPkg/Library/ProtectedVariableLib/ProtectedVariablePei.c             | 1327 ++++++++++++
SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmm.c             |  209 ++
SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmmDxeCommon.c    |  967 +++++++++
SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmmRuntime.c      |  233 +++
SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c                               |    8 +-
SecurityPkg/Library/VariableKeyLib/VariableKeyLib.c                         |   59 +
SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c                 |    6 +-
SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.uni |   16 +
72 files changed, 12899 insertions(+), 1874 deletions(-)
create mode 100644 MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf
create mode 100644 SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf
create mode 100644 SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf
create mode 100644 SecurityPkg/Library/ProtectedVariableLib/DxeProtectedVariableLib.inf
create mode 100644 SecurityPkg/Library/ProtectedVariableLib/PeiProtectedVariableLib.inf
create mode 100644 SecurityPkg/Library/ProtectedVariableLib/SmmProtectedVariableLib.inf
create mode 100644 SecurityPkg/Library/ProtectedVariableLib/SmmRuntimeProtectedVariableLib.inf
create mode 100644 SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf
create mode 100644 MdeModulePkg/Include/Guid/ProtectedVariable.h
create mode 100644 MdeModulePkg/Include/Library/EncryptionVariableLib.h
create mode 100644 MdeModulePkg/Include/Library/ProtectedVariableLib.h
create mode 100644 MdeModulePkg/Universal/Variable/Pei/VariableParsing.h
create mode 100644 MdeModulePkg/Universal/Variable/Pei/VariableStore.h
create mode 100644 SecurityPkg/Include/Ppi/KeyServicePpi.h
create mode 100644 SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h
create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableInternal.h
create mode 100644 MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c
create mode 100644 MdeModulePkg/Universal/Variable/Pei/VariableParsing.c
create mode 100644 MdeModulePkg/Universal/Variable/Pei/VariableStore.c
create mode 100644 SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.c
create mode 100644 SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c
create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableCommon.c
create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableDxe.c
create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariablePei.c
create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmm.c
create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmmDxeCommon.c
create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmmRuntime.c
create mode 100644 SecurityPkg/Library/VariableKeyLib/VariableKeyLib.c
create mode 100644 SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.uni

Expand all Fold all

[edk2-devel] [PATCH v3 00/28] UEFI variable protection

Posted by Judah Vang 1 year, 11 months ago

For a more detail description of the UEFI variable protected feature you can
view the Readme.md located at the following location:
https://github.com/judahvang/edk2/tree/rpmc-update

Patch 08 - Update GetNvVariableStore() to call GetVariableFlashNvStorageInfo()
and SafeUint64ToUint32().

Patch 09 - Fix 'NextVariableStore' parameter for CopyMem.  It was causing
an exception. Need to correctly cast 'NextVariableStore' so all platforms
build.  Add code to initialize 'ContextIn' structure in SmmVariableReady()
to fix issue with NULL function pointer.

Patch 16 - Change AllocateZeroPool() with AllocatePages() and FreePool()
with FreePages(). FreePool() is not supported in PEI phase so this was
causing a memory leak. Reverse the order of the FreePages() call.

Patch 17 - Change placement of buffer used for confidentiality crypto
operation to fix an issue when enabling confidentiality. Remove unneeded
increment of monotonic counter.

Patch 28 - Fix build issue when DiSABLE_SHA1_DEPRECATED_INTERFACES
is defined. Percolate the #ifndef DiSABLE_SHA1_DEPRECATED_INTERFACES
to all the Sha1 functions. Replace AllocatePool() with
AllocatePages() and FreePool() with FreePages() because
FreePool() is not supported in PEI phase. FreePool() does not
free the allocated pool in PEI phase causing a memory leak.

Judah Vang (28):
  MdeModulePkg: Add new GUID for Variable Store Info
  SecurityPkg: Add new GUIDs for
  MdeModulePkg: Update AUTH_VARIABLE_INFO struct
  MdeModulePkg: Add reference to new Ppi Guid
  MdeModulePkg: Add new ProtectedVariable GUIDs
  MdeModulePkg: Add new include files
  MdeModulePkg: Add Null ProtectedVariable Library
  MdeModulePkg: Add new Variable functionality
  MdeModulePkg: Add support for Protected Variables
  SecurityPkg: Add new KeyService types and defines
  SecurityPkg: Update RPMC APIs with index
  SecurityPkg: Add new variable types and functions
  SecurityPkg: Fix GetVariableKey API
  SecurityPkg: Add null encryption variable libs
  SecurityPkg: Add VariableKey library function
  SecurityPkg: Add EncryptionVariable lib with AES
  SecurityPkg: Add Protected Variable Services
  MdeModulePkg: Reference Null ProtectedVariableLib
  SecurityPkg: Add references to new *.inf files
  ArmVirtPkg: Add reference to ProtectedVariableNull
  UefiPayloadPkg: Add ProtectedVariable reference
  EmulatorPkg: Add ProtectedVariable reference
  OvmfPkg: Add ProtectedVariable reference
  OvmfPkg: Add ProtectedVariableLib reference
  OvmfPkg: Add ProtectedVariableLib reference
  OvmfPkg: Add ProtectedVariableLib reference
  OvmfPkg: Add ProtectedVariable reference
  CryptoPkg: Enable cypto HMAC KDF and AES library

 MdeModulePkg/MdeModulePkg.dec                                               |   13 +-
 SecurityPkg/SecurityPkg.dec                                                 |   43 +-
 ArmVirtPkg/ArmVirtQemu.dsc                                                  |    3 +-
 EmulatorPkg/EmulatorPkg.dsc                                                 |    3 +-
 MdeModulePkg/MdeModulePkg.dsc                                               |    4 +-
 OvmfPkg/AmdSev/AmdSevX64.dsc                                                |    3 +-
 OvmfPkg/Bhyve/BhyveX64.dsc                                                  |    3 +-
 OvmfPkg/CloudHv/CloudHvX64.dsc                                              |    1 +
 OvmfPkg/Microvm/MicrovmX64.dsc                                              |    3 +-
 OvmfPkg/OvmfPkgIa32.dsc                                                     |    1 +
 OvmfPkg/OvmfPkgIa32X64.dsc                                                  |    1 +
 OvmfPkg/OvmfPkgX64.dsc                                                      |    1 +
 OvmfPkg/OvmfXen.dsc                                                         |    3 +-
 SecurityPkg/SecurityPkg.dsc                                                 |   13 +-
 UefiPayloadPkg/UefiPayloadPkg.dsc                                           |    2 +
 CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf                              |    2 +-
 CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf                              |    2 +-
 MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf  |   34 +
 MdeModulePkg/Universal/Variable/Pei/VariablePei.inf                         |   10 +-
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf           |    3 +-
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf                  |    3 +-
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf        |    4 +-
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf         |    3 +-
 SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf         |   43 +
 SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf |   38 +
 SecurityPkg/Library/ProtectedVariableLib/DxeProtectedVariableLib.inf        |   64 +
 SecurityPkg/Library/ProtectedVariableLib/PeiProtectedVariableLib.inf        |   68 +
 SecurityPkg/Library/ProtectedVariableLib/SmmProtectedVariableLib.inf        |   67 +
 SecurityPkg/Library/ProtectedVariableLib/SmmRuntimeProtectedVariableLib.inf |   62 +
 SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf                       |   36 +
 MdeModulePkg/Include/Guid/ProtectedVariable.h                               |   22 +
 MdeModulePkg/Include/Library/AuthVariableLib.h                              |    4 +-
 MdeModulePkg/Include/Library/EncryptionVariableLib.h                        |  165 ++
 MdeModulePkg/Include/Library/ProtectedVariableLib.h                         |  700 +++++++
 MdeModulePkg/Universal/Variable/Pei/Variable.h                              |   80 +-
 MdeModulePkg/Universal/Variable/Pei/VariableParsing.h                       |  309 +++
 MdeModulePkg/Universal/Variable/Pei/VariableStore.h                         |  116 ++
 MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.h                       |  127 +-
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableParsing.h                |   91 +-
 MdePkg/Include/Ppi/ReadOnlyVariable2.h                                      |    4 +-
 SecurityPkg/Include/Library/RpmcLib.h                                       |   15 +-
 SecurityPkg/Include/Library/VariableKeyLib.h                                |   37 +-
 SecurityPkg/Include/Ppi/KeyServicePpi.h                                     |   57 +
 SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h              |   49 +
 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableInternal.h        |  611 ++++++
 CryptoPkg/Library/BaseCryptLib/SysCall/BaseMemAllocation.c                  |   11 +-
 CryptoPkg/Library/BaseHashApiLib/BaseHashApiLib.c                           |   14 +-
 MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c           |  449 ++++
 MdeModulePkg/Universal/Variable/Pei/Variable.c                              |  890 ++------
 MdeModulePkg/Universal/Variable/Pei/VariableParsing.c                       |  941 +++++++++
 MdeModulePkg/Universal/Variable/Pei/VariableStore.c                         |  307 +++
 MdeModulePkg/Universal/Variable/RuntimeDxe/Reclaim.c                        |  349 +++-
 MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c                       | 2142 +++++++++++---------
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c                    |   26 +-
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableExLib.c                  |  167 +-
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableNonVolatile.c            |  194 +-
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableParsing.c                |  320 ++-
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeCache.c           |    2 +-
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c                    |   39 +-
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c          |   67 +-
 SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.c              |  734 +++++++
 SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c          |  107 +
 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableCommon.c          | 2103 +++++++++++++++++++
 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableDxe.c             |  163 ++
 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariablePei.c             | 1327 ++++++++++++
 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmm.c             |  209 ++
 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmmDxeCommon.c    |  967 +++++++++
 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmmRuntime.c      |  233 +++
 SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c                               |    8 +-
 SecurityPkg/Library/VariableKeyLib/VariableKeyLib.c                         |   59 +
 SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c                 |    6 +-
 SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.uni |   16 +
 72 files changed, 12899 insertions(+), 1874 deletions(-)
 create mode 100644 MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf
 create mode 100644 SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf
 create mode 100644 SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf
 create mode 100644 SecurityPkg/Library/ProtectedVariableLib/DxeProtectedVariableLib.inf
 create mode 100644 SecurityPkg/Library/ProtectedVariableLib/PeiProtectedVariableLib.inf
 create mode 100644 SecurityPkg/Library/ProtectedVariableLib/SmmProtectedVariableLib.inf
 create mode 100644 SecurityPkg/Library/ProtectedVariableLib/SmmRuntimeProtectedVariableLib.inf
 create mode 100644 SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf
 create mode 100644 MdeModulePkg/Include/Guid/ProtectedVariable.h
 create mode 100644 MdeModulePkg/Include/Library/EncryptionVariableLib.h
 create mode 100644 MdeModulePkg/Include/Library/ProtectedVariableLib.h
 create mode 100644 MdeModulePkg/Universal/Variable/Pei/VariableParsing.h
 create mode 100644 MdeModulePkg/Universal/Variable/Pei/VariableStore.h
 create mode 100644 SecurityPkg/Include/Ppi/KeyServicePpi.h
 create mode 100644 SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h
 create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableInternal.h
 create mode 100644 MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c
 create mode 100644 MdeModulePkg/Universal/Variable/Pei/VariableParsing.c
 create mode 100644 MdeModulePkg/Universal/Variable/Pei/VariableStore.c
 create mode 100644 SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.c
 create mode 100644 SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c
 create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableCommon.c
 create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableDxe.c
 create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariablePei.c
 create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmm.c
 create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmmDxeCommon.c
 create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmmRuntime.c
 create mode 100644 SecurityPkg/Library/VariableKeyLib/VariableKeyLib.c
 create mode 100644 SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.uni

-- 
2.35.1.windows.2



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#90353): https://edk2.groups.io/g/devel/message/90353
Mute This Topic: https://groups.io/mt/91640182/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-