Looks good. Thanks! Reviewed-by: Yao, Jiewen <jiewen....@intel.com>
-----Original Message----- From: Star Zeng [mailto:star.z...@intel.com] Sent: Tuesday, June 09, 2015 6:03 PM To: edk2-devel@lists.sourceforge.net Subject: [edk2] [PATCH 2/2] SecurityPkg Variable: Support the new introduced PcdMaxAuthVariableSize. 1. If PcdMaxAuthVariableSize is set to 0, keep current behavior as is and PcdMaxVariableSize used. 2. If PcdMaxAuthVariableSize is set to non 0, it will work on authenticated variables. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Star Zeng <star.z...@intel.com> --- .../VariableAuthenticated/RuntimeDxe/AuthService.c | 11 ++-- .../VariableAuthenticated/RuntimeDxe/AuthService.h | 9 +++- .../VariableAuthenticated/RuntimeDxe/Variable.c | 60 ++++++++++++++-------- .../VariableAuthenticated/RuntimeDxe/Variable.h | 8 +++ .../RuntimeDxe/VariableRuntimeDxe.inf | 1 + .../VariableAuthenticated/RuntimeDxe/VariableSmm.c | 2 +- .../RuntimeDxe/VariableSmm.inf | 3 +- .../RuntimeDxe/VariableSmmRuntimeDxe.c | 6 ++- .../RuntimeDxe/VariableSmmRuntimeDxe.inf | 1 + 9 files changed, 73 insertions(+), 28 deletions(-) diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c index 36d4470..9599c8a 100644 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.c @@ -124,13 +124,18 @@ InCustomMode ( /** Initializes for authenticated varibale service. + @param[in] MaxAuthVariableSize Reflect the overhead associated with the saving + of a single EFI authenticated variable with the exception + of the overhead associated with the length + of the string name of the EFI variable. + @retval EFI_SUCCESS Function successfully executed. @retval EFI_OUT_OF_RESOURCES Fail to allocate enough memory resources. **/ EFI_STATUS AutenticatedVariableServiceInitialize ( - VOID + IN UINTN MaxAuthVariableSize ) { EFI_STATUS Status; @@ -158,7 +163,7 @@ AutenticatedVariableServiceInitialize ( // // Reserve runtime buffer for public key database. The size excludes variable header and name size. // - mMaxKeyDbSize = PcdGet32 (PcdMaxVariableSize) - sizeof (VARIABLE_HEADER) - sizeof (AUTHVAR_KEYDB_NAME); + mMaxKeyDbSize = (UINT32) (MaxAuthVariableSize - sizeof + (AUTHVAR_KEYDB_NAME)); mMaxKeyNumber = mMaxKeyDbSize / EFI_CERT_TYPE_RSA2048_SIZE; mPubKeyStore = AllocateRuntimePool (mMaxKeyDbSize); if (mPubKeyStore == NULL) { @@ -168,7 +173,7 @@ AutenticatedVariableServiceInitialize ( // // Reserve runtime buffer for certificate database. The size excludes variable header and name size. // - mMaxCertDbSize = PcdGet32 (PcdMaxVariableSize) - sizeof (VARIABLE_HEADER) - sizeof (EFI_CERT_DB_NAME); + mMaxCertDbSize = (UINT32) (MaxAuthVariableSize - sizeof + (EFI_CERT_DB_NAME)); mCertDbStore = AllocateRuntimePool (mMaxCertDbSize); if (mCertDbStore == NULL) { return EFI_OUT_OF_RESOURCES; diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.h b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.h index f28c825..56def50 100644 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.h +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/AuthService.h @@ -139,13 +139,18 @@ UpdatePlatformMode ( /** Initializes for authenticated varibale service. + @param[in] MaxAuthVariableSize Reflect the overhead associated with the saving + of a single EFI authenticated variable with the exception + of the overhead associated with the length + of the string name of the EFI variable. + @retval EFI_SUCCESS Function successfully executed. - @retval EFI_OUT_OF_RESOURCES Fail to allocate enough memory resource. + @retval EFI_OUT_OF_RESOURCES Fail to allocate enough memory resources. **/ EFI_STATUS AutenticatedVariableServiceInitialize ( - VOID + IN UINTN MaxAuthVariableSize ); /** diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c index 7ecc29b..15d0531 100644 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c @@ -2153,7 +2153,7 @@ UpdateVariable ( // Trying to update NV variable prior to the installation of EFI_VARIABLE_WRITE_ARCH_PROTOCOL // return EFI_NOT_AVAILABLE_YET; - } else if ((Attributes & EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) != 0) { + } else if ((Attributes & VARIABLE_ATTRIBUTE_AT_AW) != 0) { // // Trying to update volatile authenticated variable prior to the installation of EFI_VARIABLE_WRITE_ARCH_PROTOCOL // The authenticated variable perhaps is not initialized, just return here. @@ -2190,7 +2190,7 @@ UpdateVariable ( // as a temporary storage. // NextVariable = GetEndPointer ((VARIABLE_STORE_HEADER *) ((UINTN) mVariableModuleGlobal->VariableGlobal.VolatileVariableBase)); - ScratchSize = MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize)); + ScratchSize = mVariableModuleGlobal->ScratchBufferSize; SetMem (NextVariable, ScratchSize, 0xff); DataReady = FALSE; @@ -2309,9 +2309,13 @@ UpdateVariable ( CopyMem (BufferForMerge, (UINT8 *) ((UINTN) Variable->CurrPtr + DataOffset), Variable->CurrPtr->DataSize); // - // Set Max Common Variable Data Size as default MaxDataSize + // Set Max Common/Auth Variable Data Size as default + MaxDataSize // - MaxDataSize = PcdGet32 (PcdMaxVariableSize) - DataOffset; + if ((Attributes & VARIABLE_ATTRIBUTE_AT_AW) != 0) { + MaxDataSize = mVariableModuleGlobal->MaxAuthVariableSize - DataOffset; + } else { + MaxDataSize = mVariableModuleGlobal->MaxVariableSize - DataOffset; + } if ((CompareGuid (VendorGuid, &gEfiImageSecurityDatabaseGuid) && ((StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE) == 0) || (StrCmp (VariableName, EFI_IMAGE_SECURITY_DATABASE1) == 0) || @@ -2351,7 +2355,7 @@ UpdateVariable ( } else { // // For other Variables, append the new data to the end of existing data. - // Max Harware error record variable data size is different from common variable + // Max Harware error record variable data size is different + from common/auth variable // if ((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD) { MaxDataSize = PcdGet32 (PcdMaxHardwareErrorVariableSize) - DataOffset; @@ -3237,7 +3241,7 @@ VariableServiceSetVariable ( // // The size of the VariableName, including the Unicode Null in bytes plus // the DataSize is limited to maximum size of PcdGet32 (PcdMaxHardwareErrorVariableSize) - // bytes for HwErrRec, and PcdGet32 (PcdMaxVariableSize) bytes for the others. + // bytes for HwErrRec. // if ((Attributes & EFI_VARIABLE_HARDWARE_ERROR_RECORD) == EFI_VARIABLE_HARDWARE_ERROR_RECORD) { if (StrSize (VariableName) + PayloadSize > PcdGet32 (PcdMaxHardwareErrorVariableSize) - sizeof (VARIABLE_HEADER)) { @@ -3249,10 +3253,16 @@ VariableServiceSetVariable ( } else { // // The size of the VariableName, including the Unicode Null in bytes plus - // the DataSize is limited to maximum size of PcdGet32 (PcdMaxVariableSize) bytes. + // the DataSize is limited to maximum size of Max(Auth)VariableSize bytes. // - if (StrSize (VariableName) + PayloadSize > PcdGet32 (PcdMaxVariableSize) - sizeof (VARIABLE_HEADER)) { - return EFI_INVALID_PARAMETER; + if ((Attributes & VARIABLE_ATTRIBUTE_AT_AW) != 0) { + if (StrSize (VariableName) + PayloadSize > mVariableModuleGlobal->MaxAuthVariableSize - sizeof (VARIABLE_HEADER)) { + return EFI_INVALID_PARAMETER; + } + } else { + if (StrSize (VariableName) + PayloadSize > mVariableModuleGlobal->MaxVariableSize - sizeof (VARIABLE_HEADER)) { + return EFI_INVALID_PARAMETER; + } } } @@ -3442,9 +3452,13 @@ VariableServiceQueryVariableInfoInternal ( } // - // Let *MaximumVariableSize be PcdGet32 (PcdMaxVariableSize) with the exception of the variable header size. + // Let *MaximumVariableSize be Max(Auth)VariableSize with the exception of the variable header size. // - *MaximumVariableSize = PcdGet32 (PcdMaxVariableSize) - sizeof (VARIABLE_HEADER); + if ((Attributes & VARIABLE_ATTRIBUTE_AT_AW) != 0) { + *MaximumVariableSize = mVariableModuleGlobal->MaxAuthVariableSize - sizeof (VARIABLE_HEADER); + } else { + *MaximumVariableSize = mVariableModuleGlobal->MaxVariableSize - sizeof (VARIABLE_HEADER); + } } // @@ -3636,11 +3650,13 @@ ReclaimForOS( } RemainingHwErrVariableSpace = PcdGet32 (PcdHwErrStorageSize) - mVariableModuleGlobal->HwErrVariableTotalSize; + // // Check if the free area is below a threshold. // - if ((RemainingCommonRuntimeVariableSpace < PcdGet32 (PcdMaxVariableSize)) - || ((PcdGet32 (PcdHwErrStorageSize) != 0) && + if (((RemainingCommonRuntimeVariableSpace < mVariableModuleGlobal->MaxVariableSize) || + (RemainingCommonRuntimeVariableSpace < mVariableModuleGlobal->MaxAuthVariableSize)) || + ((PcdGet32 (PcdHwErrStorageSize) != 0) && (RemainingHwErrVariableSpace < PcdGet32 (PcdMaxHardwareErrorVariableSize)))){ Status = Reclaim ( mVariableModuleGlobal->VariableGlobal.NonVolatileVariableBase, @@ -3767,17 +3783,17 @@ InitNonVolatileVariableStore ( // Note that in EdkII variable driver implementation, Hardware Error Record type variable // is stored with common variable in the same NV region. So the platform integrator should // ensure that the value of PcdHwErrStorageSize is less than the value of - // VariableStoreLength - sizeof (VARIABLE_STORE_HEADER)). + // (VariableStoreLength - sizeof (VARIABLE_STORE_HEADER)). // ASSERT (HwErrStorageSize < (VariableStoreLength - sizeof (VARIABLE_STORE_HEADER))); // // Ensure that the value of PcdMaxUserNvVariableSpaceSize is less than the value of - // VariableStoreLength - sizeof (VARIABLE_STORE_HEADER)) - PcdGet32 (PcdHwErrStorageSize). + // (VariableStoreLength - sizeof (VARIABLE_STORE_HEADER)) - PcdGet32 (PcdHwErrStorageSize). // ASSERT (MaxUserNvVariableSpaceSize < (VariableStoreLength - sizeof (VARIABLE_STORE_HEADER) - HwErrStorageSize)); // // Ensure that the value of PcdBoottimeReservedNvVariableSpaceSize is less than the value of - // VariableStoreLength - sizeof (VARIABLE_STORE_HEADER)) - PcdGet32 (PcdHwErrStorageSize). + // (VariableStoreLength - sizeof (VARIABLE_STORE_HEADER)) - PcdGet32 (PcdHwErrStorageSize). // ASSERT (BoottimeReservedNvVariableSpaceSize < (VariableStoreLength - sizeof (VARIABLE_STORE_HEADER) - HwErrStorageSize)); @@ -3788,9 +3804,12 @@ InitNonVolatileVariableStore ( DEBUG ((EFI_D_INFO, "Variable driver common space: 0x%x 0x%x 0x%x\n", mVariableModuleGlobal->CommonVariableSpace, mVariableModuleGlobal->CommonMaxUserVariableSpace, mVariableModuleGlobal->CommonRuntimeVariableSpace)); // - // The max variable or hardware error variable size should be < variable store size. + // The max NV variable size should be < (VariableStoreLength - sizeof (VARIABLE_STORE_HEADER)). // - ASSERT(MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize)) < VariableStoreLength); + ASSERT (MAX_NV_VARIABLE_SIZE < (VariableStoreLength - sizeof + (VARIABLE_STORE_HEADER))); + + mVariableModuleGlobal->MaxVariableSize = PcdGet32 + (PcdMaxVariableSize); mVariableModuleGlobal->MaxAuthVariableSize = + ((PcdGet32 (PcdMaxAuthVariableSize) != 0) ? PcdGet32 + (PcdMaxAuthVariableSize) : mVariableModuleGlobal->MaxVariableSize); // // Parse non-volatile variable data and get last variable offset. @@ -3963,7 +3982,7 @@ VariableWriteServiceInitialize ( // // Authenticated variable initialize. // - Status = AutenticatedVariableServiceInitialize (); + Status = AutenticatedVariableServiceInitialize + (mVariableModuleGlobal->MaxAuthVariableSize - sizeof + (VARIABLE_HEADER)); return Status; } @@ -4019,7 +4038,8 @@ VariableCommonInitialize ( // // Allocate memory for volatile variable store, note that there is a scratch space to store scratch data. // - ScratchSize = MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize)); + ScratchSize = MAX_NV_VARIABLE_SIZE; + mVariableModuleGlobal->ScratchBufferSize = ScratchSize; VolatileVariableStore = AllocateRuntimePool (PcdGet32 (PcdVariableStoreSize) + ScratchSize); if (VolatileVariableStore == NULL) { if (mVariableModuleGlobal->VariableGlobal.HobVariableBase != 0) { diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.h b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.h index fd4dab2..4a4595f 100644 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.h +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.h @@ -61,6 +61,11 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. #define VARIABLE_ATTRIBUTE_NV_BS_RT_HR (VARIABLE_ATTRIBUTE_NV_BS_RT | EFI_VARIABLE_HARDWARE_ERROR_RECORD) #define VARIABLE_ATTRIBUTE_NV_BS_RT_AW (VARIABLE_ATTRIBUTE_NV_BS_RT | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) #define VARIABLE_ATTRIBUTE_NV_BS_RT_AT_HR_AW (VARIABLE_ATTRIBUTE_NV_BS_RT_AT | EFI_VARIABLE_HARDWARE_ERROR_RECORD | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) +#define VARIABLE_ATTRIBUTE_AT_AW (EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS | EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS) + +#define MAX_NV_VARIABLE_SIZE (MAX (MAX (PcdGet32 (PcdMaxVariableSize), \ + PcdGet32 (PcdMaxAuthVariableSize)), \ + PcdGet32 +(PcdMaxHardwareErrorVariableSize))) /// /// The size of a 3 character ISO639 language code. @@ -106,6 +111,9 @@ typedef struct { UINTN CommonVariableTotalSize; UINTN CommonUserVariableTotalSize; UINTN HwErrVariableTotalSize; + UINTN MaxVariableSize; + UINTN MaxAuthVariableSize; + UINTN ScratchBufferSize; CHAR8 *PlatformLangCodes; CHAR8 *LangCodes; CHAR8 *PlatformLang; diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf index cbf7da0..2b1b1c0 100644 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.inf +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableRuntimeDxe.in +++ f @@ -139,6 +139,7 @@ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase ## SOMETIMES_CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64 ## CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize ## CONSUMES + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize ## CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdMaxHardwareErrorVariableSize ## CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdVariableStoreSize ## CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdHwErrStorageSize ## CONSUMES diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.c index a1ac461..1eb169a 100644 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.c +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.c @@ -932,7 +932,7 @@ VariableServiceInitialize ( ); ASSERT_EFI_ERROR (Status); - mVariableBufferPayloadSize = MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize)) + + mVariableBufferPayloadSize = MAX_NV_VARIABLE_SIZE + OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name) - sizeof (VARIABLE_HEADER); Status = gSmst->SmmAllocatePool ( diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf index efb80f3..00181db 100644 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmm.inf @@ -146,6 +146,7 @@ gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase ## SOMETIMES_CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdFlashNvStorageVariableBase64 ## CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize ## CONSUMES + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize ## CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdMaxHardwareErrorVariableSize ## CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdVariableStoreSize ## CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdHwErrStorageSize ## CONSUMES @@ -161,4 +162,4 @@ TRUE [UserExtensions.TianoCore."ExtraFiles"] - VariableSmmExtra.uni \ No newline at end of file + VariableSmmExtra.uni diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmmRuntimeDxe.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmmRuntimeDxe.c index e87e12f..94b60bf 100644 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmmRuntimeDxe.c +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmmRuntimeDxe +++ .c @@ -59,6 +59,10 @@ EFI_LOCK mVariableServicesLock; EDKII_VARIABLE_LOCK_PROTOCOL mVariableLock; EDKII_VAR_CHECK_PROTOCOL mVarCheck; +#define MAX_NV_VARIABLE_SIZE (MAX (MAX (PcdGet32 (PcdMaxVariableSize), \ + PcdGet32 (PcdMaxAuthVariableSize)), \ + PcdGet32 +(PcdMaxHardwareErrorVariableSize))) + /** SecureBoot Hook for SetVariable. @@ -931,7 +935,7 @@ SmmVariableReady ( // // Allocate memory for variable communicate buffer. // - mVariableBufferPayloadSize = MAX (PcdGet32 (PcdMaxVariableSize), PcdGet32 (PcdMaxHardwareErrorVariableSize)) + + mVariableBufferPayloadSize = MAX_NV_VARIABLE_SIZE + OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name) - sizeof (VARIABLE_HEADER); mVariableBufferSize = SMM_COMMUNICATE_HEADER_SIZE + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE + mVariableBufferPayloadSize; mVariableBuffer = AllocateRuntimePool (mVariableBufferSize); diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmmRuntimeDxe.inf b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmmRuntimeDxe.inf index e48a0f1..db6a4de 100644 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmmRuntimeDxe.inf +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/VariableSmmRuntimeDxe +++ .inf @@ -92,6 +92,7 @@ [Pcd] gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVariableSize ## CONSUMES + gEfiMdeModulePkgTokenSpaceGuid.PcdMaxAuthVariableSize ## CONSUMES gEfiMdeModulePkgTokenSpaceGuid.PcdMaxHardwareErrorVariableSize ## CONSUMES [Depex] -- 1.9.5.msysgit.0 ------------------------------------------------------------------------------ _______________________________________________ edk2-devel mailing list edk2-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/edk2-devel ------------------------------------------------------------------------------ _______________________________________________ edk2-devel mailing list edk2-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/edk2-devel
