Re: [edk2] [PATCH] SecurityPkg: AuthVariableLib: Revert UserPhysicalPresent feature from AuthVariableLib

Yao, Jiewen Thu, 21 Jul 2016 18:42:06 -0700

Reviewed-by: jiewen....@intel.com

> -----Original Message-----
> From: Zhang, Chao B
> Sent: Thursday, July 21, 2016 3:20 PM
> To: edk2-devel@lists.01.org
> Cc: Yao, Jiewen <jiewen....@intel.com>; Zhang, Chao B
> <chao.b.zh...@intel.com>
> Subject: [PATCH] SecurityPkg: AuthVariableLib: Revert UserPhysicalPresent
> feature from AuthVariableLib
> 
> Physical Presence state reporting is constrained by physical presence caching
> in variable driver. For example, reporting must be prior to Physical Presence
> after caching. After caching, Physical Presence state becomes constant
> rather than instant. Therefore, PlatformSecureLib is responsible for reporting
> Physical Presence state in expected way.
> 
> This reverts commit 90fa53213ec458b5c4f8851c09aeb3de977531e5.
> 
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Chao Zhang <chao.b.zh...@intel.com>
> ---
>  SecurityPkg/Library/AuthVariableLib/AuthService.c         | 8 ++++----
>  SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h | 1 -
>  SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c     | 7 -------
>  3 files changed, 4 insertions(+), 12 deletions(-)
> 
> diff --git a/SecurityPkg/Library/AuthVariableLib/AuthService.c
> b/SecurityPkg/Library/AuthVariableLib/AuthService.c
> index 1d49b6a..6e1e284 100644
> --- a/SecurityPkg/Library/AuthVariableLib/AuthService.c
> +++ b/SecurityPkg/Library/AuthVariableLib/AuthService.c
> @@ -931,7 +931,7 @@ ProcessVarWithPk (
>    // Init state of Del. State may change due to secure check
>    //
>    Del = FALSE;
> -  if ((InCustomMode() && mUserPhysicalPresent) || (mPlatformMode ==
> SETUP_MODE && !IsPk)) {
> +  if ((InCustomMode() && UserPhysicalPresent()) || (mPlatformMode ==
> SETUP_MODE && !IsPk)) {
>      Payload = (UINT8 *) Data + AUTHINFO2_SIZE (Data);
>      PayloadSize = DataSize - AUTHINFO2_SIZE (Data);
>      if (PayloadSize == 0) {
> @@ -1049,7 +1049,7 @@ ProcessVarWithKek (
>    }
> 
>    Status = EFI_SUCCESS;
> -  if (mPlatformMode == USER_MODE && !(InCustomMode() &&
> mUserPhysicalPresent)) {
> +  if (mPlatformMode == USER_MODE && !(InCustomMode() &&
> UserPhysicalPresent())) {
>      //
>      // Time-based, verify against X509 Cert KEK.
>      //
> @@ -1204,7 +1204,7 @@ ProcessVariable (
>               &OrgVariableInfo
>               );
> 
> -  if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable
> (OrgVariableInfo.Attributes, Data, DataSize, Attributes) &&
> mUserPhysicalPresent) {
> +  if ((!EFI_ERROR (Status)) && IsDeleteAuthVariable
> (OrgVariableInfo.Attributes, Data, DataSize, Attributes) &&
> UserPhysicalPresent()) {
>      //
>      // Allow the delete operation of common authenticated variable at
> user physical presence.
>      //
> @@ -1222,7 +1222,7 @@ ProcessVariable (
>      return Status;
>    }
> 
> -  if (NeedPhysicallyPresent (VariableName, VendorGuid)
> && !mUserPhysicalPresent) {
> +  if (NeedPhysicallyPresent (VariableName, VendorGuid)
> && !UserPhysicalPresent()) {
>      //
>      // This variable is protected, only physical present user could modify 
> its
> value.
>      //
> diff --git a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
> b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
> index ac7ea89..e7c4bf0 100644
> --- a/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
> +++ b/SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h
> @@ -128,7 +128,6 @@ extern UINT8    *mCertDbStore;
>  extern UINT32   mMaxCertDbSize;
>  extern UINT32   mPlatformMode;
>  extern UINT8    mVendorKeyState;
> -extern BOOLEAN  mUserPhysicalPresent;
> 
>  extern VOID     *mHashCtx;
> 
> diff --git a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
> b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
> index dd35a44..c4fbb64 100644
> --- a/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
> +++ b/SecurityPkg/Library/AuthVariableLib/AuthVariableLib.c
> @@ -35,7 +35,6 @@ UINT8    *mCertDbStore;
>  UINT32   mMaxCertDbSize;
>  UINT32   mPlatformMode;
>  UINT8    mVendorKeyState;
> -BOOLEAN  mUserPhysicalPresent;
> 
>  EFI_GUID mSignatureSupport[] = {EFI_CERT_SHA1_GUID,
> EFI_CERT_SHA256_GUID, EFI_CERT_RSA2048_GUID,
> EFI_CERT_X509_GUID};
> 
> @@ -436,12 +435,6 @@ AuthVariableLibInitialize (
>    AuthVarLibContextOut->AddressPointer = mAuthVarAddressPointer;
>    AuthVarLibContextOut->AddressPointerCount = sizeof
> (mAuthVarAddressPointer) / sizeof (mAuthVarAddressPointer[0]);
> 
> -  //
> -  // Cache UserPhysicalPresent State.
> -  // Platform should report PhysicalPresent before this point
> -  //
> -  mUserPhysicalPresent = UserPhysicalPresent();
> -
>    return Status;
>  }
> 
> --
> 1.9.5.msysgit.1


_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel

Re: [edk2] [PATCH] SecurityPkg: AuthVariableLib: Revert UserPhysicalPresent feature from AuthVariableLib

Reply via email to