diff options
author | Laszlo Ersek <lersek@redhat.com> | 2017-09-30 17:37:57 +0200 |
---|---|---|
committer | Laszlo Ersek <lersek@redhat.com> | 2017-10-10 11:25:26 +0200 |
commit | 7516532f9c2ddc263040c5989b3adc7fb47fb401 (patch) | |
tree | 67d4e9dcf04cfe75be4797ba6a861c519c2b24c0 /MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf | |
parent | e3531164cc008571de1da7fc2fb9005f9d89849d (diff) | |
download | edk2-7516532f9c2ddc263040c5989b3adc7fb47fb401.tar.gz edk2-7516532f9c2ddc263040c5989b3adc7fb47fb401.tar.bz2 edk2-7516532f9c2ddc263040c5989b3adc7fb47fb401.zip |
MdeModulePkg/Variable/RuntimeDxe: delay MorLock creation until EndOfDxe
The "MemoryOverwriteRequestControl" (a.k.a. MOR) variable comes from the
"TCG Platform Reset Attack Mitigation Specification":
https://www.trustedcomputinggroup.org/wp-content/uploads/Platform-Reset-Attack-Mitigation-Specification.pdf
The "MemoryOverwriteRequestControlLock" variable (a.k.a. MORL) is a
Microsoft extension, called "Secure MOR implementation":
https://docs.microsoft.com/en-us/windows-hardware/drivers/bringup/device-guard-requirements
Currently the VariableSmm driver creates MORL without regard to MOR. This
can lead to a situation where a platform does not support MOR from the
prerequisite spec (because it does not include the
"SecurityPkg/Tcg/MemoryOverwriteControl/TcgMor.inf" driver), but appears
to support MORL from the dependent Microsoft spec.
"winload.efi" notices this inconsistency, and disables the Device Guard
Virtualization Based Security in Windows Server 2016 and Windows 10 64-bit
Enterprise.
If the platform includes
"SecurityPkg/Tcg/MemoryOverwriteControl/TcgMor.inf", then MOR will exist
by the time EndOfDxe is reached, and VariableSmm can safely create MORL.
Otherwise, do not create MORL (delete it if it exists), and also prevent
other modules from creating it.
Cc: Eric Dong <eric.dong@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Ladi Prosek <lprosek@redhat.com>
Cc: Star Zeng <star.zeng@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=727
Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1496170
Reported-by: Ladi Prosek <lprosek@redhat.com>
Suggested-by: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Tested-by: Ladi Prosek <lprosek@redhat.com>
Diffstat (limited to 'MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf')
0 files changed, 0 insertions, 0 deletions