From: Bret Barkelew
To: devel@edk2.groups.io
Cc: Jiewen Yao, Jian J Wang, Chao Zhang, Bret Barkelew, Dandan Bi
Subject: [edk2-devel] [PATCH v9 11/13] SecurityPkg: Allow VariablePolicy state to delete authenticated variables
Date: Sun, 8 Nov 2020 22:45:20 -0800
Message-Id: <20201109064522.919-12-bret.barkelew@microsoft.com>
In-Reply-To: <20201109064522.919-1-bret.barkelew@microsoft.com>
References: <20201109064522.919-1-bret.barkelew@microsoft.com>
Reply-To: devel@edk2.groups.io,bret@corthon.com
From: Bret Barkelew

https://bugzilla.tianocore.org/show_bug.cgi?id=2522

Causes AuthService to check IsVariablePolicyEnabled() before enforcing write protections to allow variable deletion when policy engine is disabled.

Only allows deletion, not modification.

Cc: Jiewen Yao
Cc: Jian J Wang
Cc: Chao Zhang
Cc: Bret Barkelew
Signed-off-by: Bret Barkelew
Reviewed-by: Dandan Bi
Acked-by: Jian J Wang
--- SecurityPkg/Library/AuthVariableLib/AuthService.c | 30 +++++++++++++= +++---- SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf | 2 ++ 2 files changed, 26 insertions(+), 6 deletions(-) diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c b/SecurityPk= g/Library/AuthVariableLib/AuthService.c index 2f60331f2c04..4fb609504db7 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c @@ -19,12 +19,16 @@ to verify the signature. =20 Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.
+Copyright (c) Microsoft Corporation. SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ =20 #include "AuthServiceInternal.h" =20 +#include +#include + // // Public Exponent of RSA Key. // @@ -217,9 +221,12 @@ NeedPhysicallyPresent( IN EFI_GUID *VendorGuid ) { - if ((CompareGuid (VendorGuid, &gEfiSecureBootEnableDisableGuid) && (StrC= mp (VariableName, EFI_SECURE_BOOT_ENABLE_NAME) =3D=3D 0)) - || (CompareGuid (VendorGuid, &gEfiCustomModeEnableGuid) && (StrCmp (Va= riableName, EFI_CUSTOM_MODE_NAME) =3D=3D 0))) { - return TRUE; + // If the VariablePolicy engine is disabled, allow deletion of any authe= nticated variables. + if (IsVariablePolicyEnabled()) { + if ((CompareGuid (VendorGuid, &gEfiSecureBootEnableDisableGuid) && (St= rCmp (VariableName, EFI_SECURE_BOOT_ENABLE_NAME) =3D=3D 0)) + || (CompareGuid (VendorGuid, &gEfiCustomModeEnableGuid) && (StrCmp (= VariableName, EFI_CUSTOM_MODE_NAME) =3D=3D 0))) { + return TRUE; + } } =20 return FALSE; @@ -842,7 +849,8 @@ ProcessVariable ( &OrgVariableInfo ); =20 - if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable (OrgVariableInfo.Attri= butes, Data, DataSize, Attributes) && UserPhysicalPresent()) { + // If the VariablePolicy engine is disabled, allow deletion of any authe= nticated variables. + if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable (OrgVariableInfo.Attri= butes, Data, DataSize, Attributes) && (UserPhysicalPresent() || !IsVariable= PolicyEnabled())) { // // Allow the delete operation of common authenticated variable(AT or A= W) at user physical presence. // 
@@ -1920,6 +1928,12 @@ VerifyTimeBasedPayload ( PayloadPtr =3D SigData + SigDataSize; PayloadSize =3D DataSize - OFFSET_OF_AUTHINFO2_CERT_DATA - (UINTN) SigDa= taSize; =20 + // If the VariablePolicy engine is disabled, allow deletion of any authe= nticated variables. + if (PayloadSize =3D=3D 0 && (Attributes & EFI_VARIABLE_APPEND_WRITE) =3D= =3D 0 && !IsVariablePolicyEnabled()) { + VerifyStatus =3D TRUE; + goto Exit; + } + // // Construct a serialization buffer of the values of the VariableName, V= endorGuid and Attributes // parameters of the SetVariable() call and the TimeStamp component of t= he @@ -2173,8 +2187,12 @@ VerifyTimeBasedPayload ( Exit: =20 if (AuthVarType =3D=3D AuthVarTypePk || AuthVarType =3D=3D AuthVarTypePr= iv) { - Pkcs7FreeSigners (TopLevelCert); - Pkcs7FreeSigners (SignerCerts); + if (TopLevelCert !=3D NULL) { + Pkcs7FreeSigners (TopLevelCert); + } + if (SignerCerts !=3D NULL) { + Pkcs7FreeSigners (SignerCerts); + } } =20 if (!VerifyStatus) { diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf b/Secu= rityPkg/Library/AuthVariableLib/AuthVariableLib.inf index 8d4ce14df494..8eadeebcebd7 100644 --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf @@ -3,6 +3,7 @@ # # Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.
# Copyright (c) 2018, ARM Limited. All rights reserved.
+# Copyright (c) Microsoft Corporation. # # SPDX-License-Identifier: BSD-2-Clause-Patent # @@ -41,6 +42,7 @@ [LibraryClasses] MemoryAllocationLib BaseCryptLib PlatformSecureLib + VariablePolicyLib =20 [Guids] ## CONSUMES ## Variable:L"SetupMode" --=20 2.28.0.windows.1
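
Review bot: In the NeedPhysicallyPresent() hunk of AuthService.c, the new guard makes the function return FALSE for SecureBootEnable and CustomMode on every call while the policy engine is disabled, yet the function receives only VariableName and VendorGuid and cannot tell a delete from a modification. The added comment and the commit message both say only deletion is allowed, so either move the IsVariablePolicyEnabled() test to the caller next to an explicit delete check, or reword the comment to say that physical presence is waived for all writes to these two variables and why that is acceptable.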
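
Review bot: In the ProcessVariable() hunk, the retained comment inside the branch still reads "Allow the delete operation of common authenticated variable(AT or AW) at user physical presence", which no longer describes the condition now that `!IsVariablePolicyEnabled()` also satisfies it. Update that comment to name both paths, and consider hoisting `UserPhysicalPresent() || !IsVariablePolicyEnabled()` into a local BOOLEAN so the long condition stays readable.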
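
Review bot: In the VerifyTimeBasedPayload() hunk at @@ -1920, the early `VerifyStatus = TRUE; goto Exit;` is not restricted by AuthVarType, so with the policy engine disabled an empty-payload, non-append write skips the serialization and signature checks that follow for every type the function handles, including the AuthVarTypePk and AuthVarTypePriv cases named at the Exit label. The one-line comment should state that scope and the assumption it rests on (who can disable the policy engine, and when), and a DEBUG message on this path would make each use of the bypass visible in logs.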
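
Review bot: In the Exit hunk of VerifyTimeBasedPayload(), the new NULL guards around Pkcs7FreeSigners() protect the early `goto Exit` only if TopLevelCert and SignerCerts are initialized to NULL at their declarations, which these lines do not show. Please confirm that or add the initialization in this patch, and check the same for any other pointer released after the Exit label.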
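
Review bot: In AuthVariableLib.inf, adding VariablePolicyLib under [LibraryClasses] means every platform DSC that builds AuthVariableLib must resolve that class, and the diffstat shows this patch touching only AuthService.c and the .inf. Say in the commit message which patch of the series supplies the mappings, so that a bisect landing on 11/13 still builds.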