diff options
Diffstat (limited to 'SecurityPkg/Library')
2 files changed, 87 insertions, 0 deletions
diff --git a/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c b/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c new file mode 100644 index 0000000000..a264924224 --- /dev/null +++ b/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c @@ -0,0 +1,51 @@ +/** @file
+ Provides an abstracted interface for configuring PK related variable protection.
+
+ Copyright (c) Microsoft Corporation.
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+#include <Uefi.h>
+#include <Protocol/VariablePolicy.h>
+
+#include <Library/DebugLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+
+/**
+ Disable any applicable protection against variable 'PK'. The implementation
+ of this interface is platform specific, depending on the protection techniques
+ used per platform.
+
+ Note: It is the platform's responsibility to conduct cautious operation after
+ disabling this protection.
+
+ @retval EFI_SUCCESS State has been successfully updated.
+ @retval Others Error returned from implementation specific
+ underying APIs.
+
+**/
+EFI_STATUS
+EFIAPI
+DisablePKProtection (
+ VOID
+ )
+{
+ EFI_STATUS Status;
+ EDKII_VARIABLE_POLICY_PROTOCOL *VariablePolicy;
+
+ DEBUG ((DEBUG_INFO, "%a() Entry...\n", __FUNCTION__));
+
+ // IMPORTANT NOTE: This operation is sticky and leaves variable protections disabled.
+ // The system *MUST* be reset after performing this operation.
+ Status = gBS->LocateProtocol (&gEdkiiVariablePolicyProtocolGuid, NULL, (VOID **)&VariablePolicy);
+ if (!EFI_ERROR (Status)) {
+ Status = VariablePolicy->DisableVariablePolicy ();
+ // EFI_ALREADY_STARTED means that everything is currently disabled.
+ // This should be considered SUCCESS.
+ if (Status == EFI_ALREADY_STARTED) {
+ Status = EFI_SUCCESS;
+ }
+ }
+
+ return Status;
+}
diff --git a/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf b/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf new file mode 100644 index 0000000000..df42ce06c0 --- /dev/null +++ b/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf @@ -0,0 +1,36 @@ +## @file
+# Provides an abstracted interface for configuring PK related variable protection.
+#
+# Copyright (c) Microsoft Corporation.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = PlatformPKProtectionLibVarPolicy
+ FILE_GUID = AE0C5992-526C-4518-93BA-3C2611B801E0
+ MODULE_TYPE = DXE_DRIVER
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = PlatformPKProtectionLib|DXE_DRIVER DXE_RUNTIME_DRIVER UEFI_APPLICATION
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64 AARCH64
+#
+
+[Sources]
+ PlatformPKProtectionLibVarPolicy.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+ SecurityPkg/SecurityPkg.dec
+
+[LibraryClasses]
+ DebugLib
+ UefiBootServicesTableLib
+
+[Protocols]
+ gEdkiiVariablePolicyProtocolGuid
|