authorBret Barkelew <brbarkel@microsoft.com>2020-11-09 14:45:18 +0800
committermergify[bot] <37929162+mergify[bot]@users.noreply.github.com>2020-11-17 01:03:43 +0000
commitb6490426e3208de7d6cbd756276a02e4329cd85a (patch)
treedf77c7184c2497d66dfa02890b83300b48696ce0 /MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
parentd49fe0ca202583dd6f8224c76282c7141e6d8060 (diff)
MdeModulePkg: Connect VariablePolicy business logic to VariableServices
https://bugzilla.tianocore.org/show_bug.cgi?id=2522 VariablePolicy is an updated interface to replace VarLock and VarCheckProtocol. Add connective code to publish the VariablePolicy protocol and wire it to either the SMM communication interface or directly into the VariablePolicyLib business logic. Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Hao A Wu <hao.a.wu@intel.com> Cc: Liming Gao <liming.gao@intel.com> Cc: Bret Barkelew <brbarkel@microsoft.com> Signed-off-by: Bret Barkelew <brbarkel@microsoft.com> Reviewed-by: Dandan Bi <dandan.bi@intel.com> Acked-by: Jian J Wang <jian.j.wang@intel.com> Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
Diffstat (limited to 'MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c')
-rw-r--r--MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c60
1 files changed, 60 insertions, 0 deletions
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
index 7d2b6c8e1f..0fca0bb2a9 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c
@@ -5,18 +5,34 @@
Copyright (C) 2013, Red Hat, Inc.
Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR>
(C) Copyright 2015 Hewlett Packard Enterprise Development LP<BR>
+Copyright (c) Microsoft Corporation.
SPDX-License-Identifier: BSD-2-Clause-Patent
**/
#include "Variable.h"
+#include <Protocol/VariablePolicy.h>
+#include <Library/VariablePolicyLib.h>
+
+EFI_STATUS
+EFIAPI
+ProtocolIsVariablePolicyEnabled (
+ OUT BOOLEAN *State
+ );
+
EFI_HANDLE mHandle = NULL;
EFI_EVENT mVirtualAddressChangeEvent = NULL;
VOID *mFtwRegistration = NULL;
VOID ***mVarCheckAddressPointer = NULL;
UINTN mVarCheckAddressPointerCount = 0;
EDKII_VARIABLE_LOCK_PROTOCOL mVariableLock = { VariableLockRequestToLock };
+EDKII_VARIABLE_POLICY_PROTOCOL mVariablePolicyProtocol = { EDKII_VARIABLE_POLICY_PROTOCOL_REVISION,
+ DisableVariablePolicy,
+ ProtocolIsVariablePolicyEnabled,
+ RegisterVariablePolicy,
+ DumpVariablePolicy,
+ LockVariablePolicy };
EDKII_VAR_CHECK_PROTOCOL mVarCheck = { VarCheckRegisterSetVariableCheckHandler,
VarCheckVariablePropertySet,
VarCheckVariablePropertyGet };
@@ -282,8 +298,13 @@ OnReadyToBoot (
VOID *Context
)
{
+ EFI_STATUS Status;
+
if (!mEndOfDxe) {
MorLockInitAtEndOfDxe ();
+
+ Status = LockVariablePolicy ();
+ ASSERT_EFI_ERROR (Status);
//
// Set the End Of DXE bit in case the EFI_END_OF_DXE_EVENT_GROUP_GUID event is not signaled.
//
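Review bot: The result of `LockVariablePolicy ()` is checked only with `ASSERT_EFI_ERROR (Status)`, which is normally compiled out of release builds, so a failed lock would leave the policy table modifiable after End of DXE with no trace. The same pattern is in the OnEndOfDxe hunk and in VariableServiceInitialize, where `InitVariablePolicyLib` and `VarCheckRegisterSetVariableCheckHandler (ValidateSetVariable)` can fail and the function still returns `EFI_SUCCESS`, meaning variable services would come up without policy enforcement. Keep the assert but add a runtime path, e.g. `if (EFI_ERROR (Status)) { DEBUG ((DEBUG_ERROR, "%a: LockVariablePolicy - %r\n", __FUNCTION__, Status)); }`, and consider returning the failing `Status` from VariableServiceInitialize so the failure is not silent. OnReadyToBoot starts and continues outside this hunk.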
@@ -322,8 +343,12 @@ OnEndOfDxe (
VOID *Context
)
{
+ EFI_STATUS Status;
+
DEBUG ((EFI_D_INFO, "[Variable]END_OF_DXE is signaled\n"));
MorLockInitAtEndOfDxe ();
+ Status = LockVariablePolicy ();
+ ASSERT_EFI_ERROR (Status);
mEndOfDxe = TRUE;
mVarCheckAddressPointer = VarCheckLibInitializeAtEndOfDxe (&mVarCheckAddressPointerCount);
//
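Review bot: The `LockVariablePolicy ()` call in OnEndOfDxe is unconditional, unlike the one in OnReadyToBoot, which sits behind `if (!mEndOfDxe)`. This commit also publishes `LockVariablePolicy` through `mVariablePolicyProtocol`, so a driver can lock the engine before END_OF_DXE is signaled. If the library reports an error for an already-locked engine (its body is not part of this diff), `ASSERT_EFI_ERROR (Status)` would halt a debug build on a state that is actually the desired one. A short comment such as `// Already-locked is acceptable here; only a failure that leaves the policy unlocked is fatal.` plus a check that tolerates that case would make the intent explicit. OnEndOfDxe starts and continues outside this hunk.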
@@ -467,6 +492,28 @@ FtwNotificationEvent (
/**
+ This API function returns whether or not the policy engine is
+ currently being enforced.
+
+ @param[out] State Pointer to a return value for whether the policy enforcement
+ is currently enabled.
+
+ @retval EFI_SUCCESS
+ @retval Others An error has prevented this command from completing.
+
+**/
+EFI_STATUS
+EFIAPI
+ProtocolIsVariablePolicyEnabled (
+ OUT BOOLEAN *State
+ )
+{
+ *State = IsVariablePolicyEnabled ();
+ return EFI_SUCCESS;
+}
+
+
+/**
Variable Driver main entry point. The Variable driver places the 4 EFI
runtime services in the EFI System Table and installs arch protocols
for variable read and write services being available. It also registers
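Review bot: `ProtocolIsVariablePolicyEnabled` writes through `State` without checking it, and because it is installed as a member of `mVariablePolicyProtocol`, any driver that locates the protocol can reach that write with a NULL pointer. Add a guard before the assignment, `if (State == NULL) { return EFI_INVALID_PARAMETER; }`, and list that value in the header comment. As written, the comment's `@retval Others` line describes an error path the function does not have, since it can only return `EFI_SUCCESS`.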
@@ -576,6 +623,19 @@ VariableServiceInitialize (
);
ASSERT_EFI_ERROR (Status);
+ // Register and initialize the VariablePolicy engine.
+ Status = InitVariablePolicyLib (VariableServiceGetVariable);
+ ASSERT_EFI_ERROR (Status);
+ Status = VarCheckRegisterSetVariableCheckHandler (ValidateSetVariable);
+ ASSERT_EFI_ERROR (Status);
+ Status = gBS->InstallMultipleProtocolInterfaces (
+ &mHandle,
+ &gEdkiiVariablePolicyProtocolGuid,
+ &mVariablePolicyProtocol,
+ NULL
+ );
+ ASSERT_EFI_ERROR (Status);
+
return EFI_SUCCESS;
}