diff options
5 files changed, 125 insertions, 0 deletions
diff --git a/SecurityPkg/Include/Library/PlatformPKProtectionLib.h b/SecurityPkg/Include/Library/PlatformPKProtectionLib.h new file mode 100644 index 0000000000..3586a47b77 --- /dev/null +++ b/SecurityPkg/Include/Library/PlatformPKProtectionLib.h @@ -0,0 +1,31 @@ +/** @file
+ Provides an abstracted interface for configuring PK related variable protection.
+
+ Copyright (c) Microsoft Corporation.
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef PLATFORM_PK_PROTECTION_LIB_H_
+#define PLATFORM_PK_PROTECTION_LIB_H_
+
+/**
+ Disable any applicable protection against variable 'PK'. The implementation
+ of this interface is platform specific, depending on the protection techniques
+ used per platform.
+
+ Note: It is the platform's responsibility to conduct cautious operation after
+ disabling this protection.
+
+ @retval EFI_SUCCESS State has been successfully updated.
+ @retval Others Error returned from implementation specific
+ underying APIs.
+
+**/
+EFI_STATUS
+EFIAPI
+DisablePKProtection (
+ VOID
+ );
+
+#endif
diff --git a/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c b/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c new file mode 100644 index 0000000000..a264924224 --- /dev/null +++ b/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.c @@ -0,0 +1,51 @@ +/** @file
+ Provides an abstracted interface for configuring PK related variable protection.
+
+ Copyright (c) Microsoft Corporation.
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+#include <Uefi.h>
+#include <Protocol/VariablePolicy.h>
+
+#include <Library/DebugLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+
+/**
+ Disable any applicable protection against variable 'PK'. The implementation
+ of this interface is platform specific, depending on the protection techniques
+ used per platform.
+
+ Note: It is the platform's responsibility to conduct cautious operation after
+ disabling this protection.
+
+ @retval EFI_SUCCESS State has been successfully updated.
+ @retval Others Error returned from implementation specific
+ underying APIs.
+
+**/
+EFI_STATUS
+EFIAPI
+DisablePKProtection (
+ VOID
+ )
+{
+ EFI_STATUS Status;
+ EDKII_VARIABLE_POLICY_PROTOCOL *VariablePolicy;
+
+ DEBUG ((DEBUG_INFO, "%a() Entry...\n", __FUNCTION__));
+
+ // IMPORTANT NOTE: This operation is sticky and leaves variable protections disabled.
+ // The system *MUST* be reset after performing this operation.
+ Status = gBS->LocateProtocol (&gEdkiiVariablePolicyProtocolGuid, NULL, (VOID **)&VariablePolicy);
+ if (!EFI_ERROR (Status)) {
+ Status = VariablePolicy->DisableVariablePolicy ();
+ // EFI_ALREADY_STARTED means that everything is currently disabled.
+ // This should be considered SUCCESS.
+ if (Status == EFI_ALREADY_STARTED) {
+ Status = EFI_SUCCESS;
+ }
+ }
+
+ return Status;
+}
diff --git a/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf b/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf new file mode 100644 index 0000000000..df42ce06c0 --- /dev/null +++ b/SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf @@ -0,0 +1,36 @@ +## @file
+# Provides an abstracted interface for configuring PK related variable protection.
+#
+# Copyright (c) Microsoft Corporation.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = PlatformPKProtectionLibVarPolicy
+ FILE_GUID = AE0C5992-526C-4518-93BA-3C2611B801E0
+ MODULE_TYPE = DXE_DRIVER
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = PlatformPKProtectionLib|DXE_DRIVER DXE_RUNTIME_DRIVER UEFI_APPLICATION
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64 AARCH64
+#
+
+[Sources]
+ PlatformPKProtectionLibVarPolicy.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+ SecurityPkg/SecurityPkg.dec
+
+[LibraryClasses]
+ DebugLib
+ UefiBootServicesTableLib
+
+[Protocols]
+ gEdkiiVariablePolicyProtocolGuid
diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index 0ee75efc1a..7ecf9565d9 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -99,6 +99,11 @@ ## @libraryclass Provides support to enroll Secure Boot keys.
#
SecureBootVariableProvisionLib|Include/Library/SecureBootVariableProvisionLib.h
+
+ ## @libraryclass Provides support to manage variable 'PK' related protections.
+ #
+ PlatformPKProtectionLib|Include/Library/PlatformPKProtectionLib.h
+
[Guids]
## Security package token space guid.
# Include/Guid/SecurityPkgTokenSpace.h
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index d883747474..f48187650f 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc @@ -71,6 +71,7 @@ TcgEventLogRecordLib|SecurityPkg/Library/TcgEventLogRecordLib/TcgEventLogRecordLib.inf
MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf
SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+ PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf
SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariableProvisionLib/SecureBootVariableProvisionLib.inf
TdxLib|MdePkg/Library/TdxLib/TdxLib.inf
@@ -261,6 +262,7 @@ #
SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf
SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf
+ SecurityPkg/Library/PlatformPKProtectionLibVarPolicy/PlatformPKProtectionLibVarPolicy.inf
#
# Other
|