/** This code sets variable in storage blocks (Volatile or Non-Volatile). @param VariableName Name of Variable to be found. @param VendorGuid Variable vendor GUID. @param Attributes Attribute value of the variable found @param DataSize Size of Data found. If size is less than the data, this value contains the required size. @param Data Data pointer. @return EFI_INVALID_PARAMETER Invalid parameter. @return EFI_SUCCESS Set successfully. @return EFI_OUT_OF_RESOURCES Resource not enough to set variable. @return EFI_NOT_FOUND Not found. @return EFI_WRITE_PROTECTED Variable is read-only. **/ EFI_STATUS EFIAPI SmmVariableSetVariable ( IN CHAR16 *VariableName, IN EFI_GUID *VendorGuid, IN UINT32 Attributes, IN UINTN DataSize, IN VOID *Data ) { EFI_STATUS Status; // // Disable write protection when the calling SetVariable() through EFI_SMM_VARIABLE_PROTOCOL. // mEnableLocking = FALSE; Status = VariableServiceSetVariable ( VariableName, VendorGuid, Attributes, DataSize, Data ); mEnableLocking = TRUE; return Status; }
/** Set MOR lock variable. @param Data MOR Lock variable data. @retval EFI_SUCCESS The firmware has successfully stored the variable and its data as defined by the Attributes. @retval EFI_INVALID_PARAMETER An invalid combination of attribute bits was supplied, or the DataSize exceeds the maximum allowed. @retval EFI_INVALID_PARAMETER VariableName is an empty Unicode string. @retval EFI_OUT_OF_RESOURCES Not enough storage is available to hold the variable and its data. @retval EFI_DEVICE_ERROR The variable could not be saved due to a hardware failure. @retval EFI_WRITE_PROTECTED The variable in question is read-only. @retval EFI_WRITE_PROTECTED The variable in question cannot be deleted. @retval EFI_SECURITY_VIOLATION The variable could not be written due to EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS set but the AuthInfo does NOT pass the validation check carried out by the firmware. @retval EFI_NOT_FOUND The variable trying to be updated or deleted was not found. **/ EFI_STATUS SetMorLockVariable ( IN UINT8 Data ) { EFI_STATUS Status; mMorLockPassThru = TRUE; Status = VariableServiceSetVariable ( MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, &gEfiMemoryOverwriteRequestControlLockGuid, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, sizeof(Data), &Data ); mMorLockPassThru = FALSE; return Status; }
/** Communication service SMI Handler entry. This SMI handler provides services for the variable wrapper driver. Caution: This function may receive untrusted input. This variable data and communicate buffer are external input, so this function will do basic validation. Each sub function VariableServiceGetVariable(), VariableServiceGetNextVariableName(), VariableServiceSetVariable(), VariableServiceQueryVariableInfo(), ReclaimForOS(), SmmVariableGetStatistics() should also do validation based on its own knowledge. @param[in] DispatchHandle The unique handle assigned to this handler by SmiHandlerRegister(). @param[in] RegisterContext Points to an optional handler context which was specified when the handler was registered. @param[in, out] CommBuffer A pointer to a collection of data in memory that will be conveyed from a non-SMM environment into an SMM environment. @param[in, out] CommBufferSize The size of the CommBuffer. @retval EFI_SUCCESS The interrupt was handled and quiesced. No other handlers should still be called. @retval EFI_WARN_INTERRUPT_SOURCE_QUIESCED The interrupt has been quiesced but other handlers should still be called. @retval EFI_WARN_INTERRUPT_SOURCE_PENDING The interrupt is still pending and other handlers should still be called. @retval EFI_INTERRUPT_PENDING The interrupt could not be quiesced. **/ EFI_STATUS EFIAPI SmmVariableHandler ( IN EFI_HANDLE DispatchHandle, IN CONST VOID *RegisterContext, IN OUT VOID *CommBuffer, IN OUT UINTN *CommBufferSize ) { EFI_STATUS Status; SMM_VARIABLE_COMMUNICATE_HEADER *SmmVariableFunctionHeader; SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *SmmVariableHeader; SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *GetNextVariableName; SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO *QueryVariableInfo; SMM_VARIABLE_COMMUNICATE_GET_PAYLOAD_SIZE *GetPayloadSize; VARIABLE_INFO_ENTRY *VariableInfo; SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE *VariableToLock; SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY *CommVariableProperty; UINTN InfoSize; UINTN NameBufferSize; UINTN CommBufferPayloadSize; UINTN TempCommBufferSize; // // If input is invalid, stop processing this SMI // if (CommBuffer == NULL || CommBufferSize == NULL) { return EFI_SUCCESS; } TempCommBufferSize = *CommBufferSize; if (TempCommBufferSize < SMM_VARIABLE_COMMUNICATE_HEADER_SIZE) { DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer size invalid!\n")); return EFI_SUCCESS; } CommBufferPayloadSize = TempCommBufferSize - SMM_VARIABLE_COMMUNICATE_HEADER_SIZE; if (CommBufferPayloadSize > mVariableBufferPayloadSize) { DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer payload size invalid!\n")); return EFI_SUCCESS; } if (!SmmIsBufferOutsideSmmValid ((UINTN)CommBuffer, TempCommBufferSize)) { DEBUG ((EFI_D_ERROR, "SmmVariableHandler: SMM communication buffer in SMRAM or overflow!\n")); return EFI_SUCCESS; } SmmVariableFunctionHeader = (SMM_VARIABLE_COMMUNICATE_HEADER *)CommBuffer; switch (SmmVariableFunctionHeader->Function) { case SMM_VARIABLE_FUNCTION_GET_VARIABLE: if (CommBufferPayloadSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) { DEBUG ((EFI_D_ERROR, "GetVariable: SMM communication buffer size invalid!\n")); return EFI_SUCCESS; } // // Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload. // CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize); SmmVariableHeader = (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *) mVariableBufferPayload; if (((UINTN)(~0) - SmmVariableHeader->DataSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) || ((UINTN)(~0) - SmmVariableHeader->NameSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + SmmVariableHeader->DataSize)) { // // Prevent InfoSize overflow happen // Status = EFI_ACCESS_DENIED; goto EXIT; } InfoSize = OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + SmmVariableHeader->DataSize + SmmVariableHeader->NameSize; // // SMRAM range check already covered before // if (InfoSize > CommBufferPayloadSize) { DEBUG ((EFI_D_ERROR, "GetVariable: Data size exceed communication buffer size limit!\n")); Status = EFI_ACCESS_DENIED; goto EXIT; } if (SmmVariableHeader->NameSize < sizeof (CHAR16) || SmmVariableHeader->Name[SmmVariableHeader->NameSize/sizeof (CHAR16) - 1] != L'\0') { // // Make sure VariableName is A Null-terminated string. // Status = EFI_ACCESS_DENIED; goto EXIT; } Status = VariableServiceGetVariable ( SmmVariableHeader->Name, &SmmVariableHeader->Guid, &SmmVariableHeader->Attributes, &SmmVariableHeader->DataSize, (UINT8 *)SmmVariableHeader->Name + SmmVariableHeader->NameSize ); CopyMem (SmmVariableFunctionHeader->Data, mVariableBufferPayload, CommBufferPayloadSize); break; case SMM_VARIABLE_FUNCTION_GET_NEXT_VARIABLE_NAME: if (CommBufferPayloadSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name)) { DEBUG ((EFI_D_ERROR, "GetNextVariableName: SMM communication buffer size invalid!\n")); return EFI_SUCCESS; } // // Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload. // CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize); GetNextVariableName = (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *) mVariableBufferPayload; if ((UINTN)(~0) - GetNextVariableName->NameSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name)) { // // Prevent InfoSize overflow happen // Status = EFI_ACCESS_DENIED; goto EXIT; } InfoSize = OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name) + GetNextVariableName->NameSize; // // SMRAM range check already covered before // if (InfoSize > CommBufferPayloadSize) { DEBUG ((EFI_D_ERROR, "GetNextVariableName: Data size exceed communication buffer size limit!\n")); Status = EFI_ACCESS_DENIED; goto EXIT; } NameBufferSize = CommBufferPayloadSize - OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name); if (NameBufferSize < sizeof (CHAR16) || GetNextVariableName->Name[NameBufferSize/sizeof (CHAR16) - 1] != L'\0') { // // Make sure input VariableName is A Null-terminated string. // Status = EFI_ACCESS_DENIED; goto EXIT; } Status = VariableServiceGetNextVariableName ( &GetNextVariableName->NameSize, GetNextVariableName->Name, &GetNextVariableName->Guid ); CopyMem (SmmVariableFunctionHeader->Data, mVariableBufferPayload, CommBufferPayloadSize); break; case SMM_VARIABLE_FUNCTION_SET_VARIABLE: if (CommBufferPayloadSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) { DEBUG ((EFI_D_ERROR, "SetVariable: SMM communication buffer size invalid!\n")); return EFI_SUCCESS; } // // Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload. // CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize); SmmVariableHeader = (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *) mVariableBufferPayload; if (((UINTN)(~0) - SmmVariableHeader->DataSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name)) || ((UINTN)(~0) - SmmVariableHeader->NameSize < OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + SmmVariableHeader->DataSize)) { // // Prevent InfoSize overflow happen // Status = EFI_ACCESS_DENIED; goto EXIT; } InfoSize = OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + SmmVariableHeader->DataSize + SmmVariableHeader->NameSize; // // SMRAM range check already covered before // Data buffer should not contain SMM range // if (InfoSize > CommBufferPayloadSize) { DEBUG ((EFI_D_ERROR, "SetVariable: Data size exceed communication buffer size limit!\n")); Status = EFI_ACCESS_DENIED; goto EXIT; } if (SmmVariableHeader->NameSize < sizeof (CHAR16) || SmmVariableHeader->Name[SmmVariableHeader->NameSize/sizeof (CHAR16) - 1] != L'\0') { // // Make sure VariableName is A Null-terminated string. // Status = EFI_ACCESS_DENIED; goto EXIT; } Status = VariableServiceSetVariable ( SmmVariableHeader->Name, &SmmVariableHeader->Guid, SmmVariableHeader->Attributes, SmmVariableHeader->DataSize, (UINT8 *)SmmVariableHeader->Name + SmmVariableHeader->NameSize ); break; case SMM_VARIABLE_FUNCTION_QUERY_VARIABLE_INFO: if (CommBufferPayloadSize < sizeof (SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO)) { DEBUG ((EFI_D_ERROR, "QueryVariableInfo: SMM communication buffer size invalid!\n")); return EFI_SUCCESS; } QueryVariableInfo = (SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO *) SmmVariableFunctionHeader->Data; Status = VariableServiceQueryVariableInfo ( QueryVariableInfo->Attributes, &QueryVariableInfo->MaximumVariableStorageSize, &QueryVariableInfo->RemainingVariableStorageSize, &QueryVariableInfo->MaximumVariableSize ); break; case SMM_VARIABLE_FUNCTION_GET_PAYLOAD_SIZE: if (CommBufferPayloadSize < sizeof (SMM_VARIABLE_COMMUNICATE_GET_PAYLOAD_SIZE)) { DEBUG ((EFI_D_ERROR, "GetPayloadSize: SMM communication buffer size invalid!\n")); return EFI_SUCCESS; } GetPayloadSize = (SMM_VARIABLE_COMMUNICATE_GET_PAYLOAD_SIZE *) SmmVariableFunctionHeader->Data; GetPayloadSize->VariablePayloadSize = mVariableBufferPayloadSize; Status = EFI_SUCCESS; break; case SMM_VARIABLE_FUNCTION_READY_TO_BOOT: mEndOfDxe = TRUE; // // The initialization for variable quota. // InitializeVariableQuota (); if (AtRuntime()) { Status = EFI_UNSUPPORTED; break; } ReclaimForOS (); Status = EFI_SUCCESS; break; case SMM_VARIABLE_FUNCTION_EXIT_BOOT_SERVICE: mAtRuntime = TRUE; Status = EFI_SUCCESS; break; case SMM_VARIABLE_FUNCTION_GET_STATISTICS: VariableInfo = (VARIABLE_INFO_ENTRY *) SmmVariableFunctionHeader->Data; InfoSize = TempCommBufferSize - SMM_VARIABLE_COMMUNICATE_HEADER_SIZE; // // Do not need to check SmmVariableFunctionHeader->Data in SMRAM here. // It is covered by previous CommBuffer check // if (!SmmIsBufferOutsideSmmValid ((EFI_PHYSICAL_ADDRESS)(UINTN)CommBufferSize, sizeof(UINTN))) { DEBUG ((EFI_D_ERROR, "GetStatistics: SMM communication buffer in SMRAM!\n")); Status = EFI_ACCESS_DENIED; goto EXIT; } Status = SmmVariableGetStatistics (VariableInfo, &InfoSize); *CommBufferSize = InfoSize + SMM_VARIABLE_COMMUNICATE_HEADER_SIZE; break; case SMM_VARIABLE_FUNCTION_LOCK_VARIABLE: if (mEndOfDxe) { Status = EFI_ACCESS_DENIED; } else { VariableToLock = (SMM_VARIABLE_COMMUNICATE_LOCK_VARIABLE *) SmmVariableFunctionHeader->Data; Status = VariableLockRequestToLock ( NULL, VariableToLock->Name, &VariableToLock->Guid ); } break; case SMM_VARIABLE_FUNCTION_VAR_CHECK_VARIABLE_PROPERTY_SET: if (mEndOfDxe) { Status = EFI_ACCESS_DENIED; } else { CommVariableProperty = (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY *) SmmVariableFunctionHeader->Data; Status = VarCheckVariablePropertySet ( CommVariableProperty->Name, &CommVariableProperty->Guid, &CommVariableProperty->VariableProperty ); } break; case SMM_VARIABLE_FUNCTION_VAR_CHECK_VARIABLE_PROPERTY_GET: if (CommBufferPayloadSize < OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name)) { DEBUG ((EFI_D_ERROR, "VarCheckVariablePropertyGet: SMM communication buffer size invalid!\n")); return EFI_SUCCESS; } // // Copy the input communicate buffer payload to pre-allocated SMM variable buffer payload. // CopyMem (mVariableBufferPayload, SmmVariableFunctionHeader->Data, CommBufferPayloadSize); CommVariableProperty = (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY *) mVariableBufferPayload; if ((UINTN) (~0) - CommVariableProperty->NameSize < OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name)) { // // Prevent InfoSize overflow happen // Status = EFI_ACCESS_DENIED; goto EXIT; } InfoSize = OFFSET_OF (SMM_VARIABLE_COMMUNICATE_VAR_CHECK_VARIABLE_PROPERTY, Name) + CommVariableProperty->NameSize; // // SMRAM range check already covered before // if (InfoSize > CommBufferPayloadSize) { DEBUG ((EFI_D_ERROR, "VarCheckVariablePropertyGet: Data size exceed communication buffer size limit!\n")); Status = EFI_ACCESS_DENIED; goto EXIT; } if (CommVariableProperty->NameSize < sizeof (CHAR16) || CommVariableProperty->Name[CommVariableProperty->NameSize/sizeof (CHAR16) - 1] != L'\0') { // // Make sure VariableName is A Null-terminated string. // Status = EFI_ACCESS_DENIED; goto EXIT; } Status = VarCheckVariablePropertyGet ( CommVariableProperty->Name, &CommVariableProperty->Guid, &CommVariableProperty->VariableProperty ); CopyMem (SmmVariableFunctionHeader->Data, mVariableBufferPayload, CommBufferPayloadSize); break; default: Status = EFI_UNSUPPORTED; } EXIT: SmmVariableFunctionHeader->ReturnStatus = Status; return EFI_SUCCESS; }
/** Communication service SMI Handler entry. This SMI handler provides services for the variable wrapper driver. Caution: This function may receive untrusted input. This variable data and communicate buffer are external input, so this function will do basic validation. Each sub function VariableServiceGetVariable(), VariableServiceGetNextVariableName(), VariableServiceSetVariable(), VariableServiceQueryVariableInfo(), ReclaimForOS(), SmmVariableGetStatistics() should also do validation based on its own knowledge. @param[in] DispatchHandle The unique handle assigned to this handler by SmiHandlerRegister(). @param[in] RegisterContext Points to an optional handler context which was specified when the handler was registered. @param[in, out] CommBuffer A pointer to a collection of data in memory that will be conveyed from a non-SMM environment into an SMM environment. @param[in, out] CommBufferSize The size of the CommBuffer. @retval EFI_SUCCESS The interrupt was handled and quiesced. No other handlers should still be called. @retval EFI_WARN_INTERRUPT_SOURCE_QUIESCED The interrupt has been quiesced but other handlers should still be called. @retval EFI_WARN_INTERRUPT_SOURCE_PENDING The interrupt is still pending and other handlers should still be called. @retval EFI_INTERRUPT_PENDING The interrupt could not be quiesced. **/ EFI_STATUS EFIAPI SmmVariableHandler ( IN EFI_HANDLE DispatchHandle, IN CONST VOID *RegisterContext, IN OUT VOID *CommBuffer, IN OUT UINTN *CommBufferSize ) { EFI_STATUS Status; SMM_VARIABLE_COMMUNICATE_HEADER *SmmVariableFunctionHeader; SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *SmmVariableHeader; SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *GetNextVariableName; SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO *QueryVariableInfo; VARIABLE_INFO_ENTRY *VariableInfo; UINTN InfoSize; // // If input is invalid, stop processing this SMI // if (CommBuffer == NULL || CommBufferSize == NULL) { return EFI_SUCCESS; } if (*CommBufferSize < sizeof(SMM_VARIABLE_COMMUNICATE_HEADER) - 1) { return EFI_SUCCESS; } if (InternalIsAddressInSmram ((EFI_PHYSICAL_ADDRESS)(UINTN)CommBuffer, *CommBufferSize)) { DEBUG ((EFI_D_ERROR, "SMM communication buffer size is in SMRAM!\n")); return EFI_SUCCESS; } SmmVariableFunctionHeader = (SMM_VARIABLE_COMMUNICATE_HEADER *)CommBuffer; switch (SmmVariableFunctionHeader->Function) { case SMM_VARIABLE_FUNCTION_GET_VARIABLE: SmmVariableHeader = (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *) SmmVariableFunctionHeader->Data; InfoSize = OFFSET_OF(SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE, Name) + SmmVariableHeader->DataSize + SmmVariableHeader->NameSize; // // SMRAM range check already covered before // if (InfoSize > *CommBufferSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_HEADER, Data)) { DEBUG ((EFI_D_ERROR, "Data size exceed communication buffer size limit!\n")); Status = EFI_ACCESS_DENIED; goto EXIT; } Status = VariableServiceGetVariable ( SmmVariableHeader->Name, &SmmVariableHeader->Guid, &SmmVariableHeader->Attributes, &SmmVariableHeader->DataSize, (UINT8 *)SmmVariableHeader->Name + SmmVariableHeader->NameSize ); break; case SMM_VARIABLE_FUNCTION_GET_NEXT_VARIABLE_NAME: GetNextVariableName = (SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME *) SmmVariableFunctionHeader->Data; InfoSize = OFFSET_OF(SMM_VARIABLE_COMMUNICATE_GET_NEXT_VARIABLE_NAME, Name) + GetNextVariableName->NameSize; // // SMRAM range check already covered before // if (InfoSize > *CommBufferSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_HEADER, Data)) { DEBUG ((EFI_D_ERROR, "Data size exceed communication buffer size limit!\n")); Status = EFI_ACCESS_DENIED; goto EXIT; } Status = VariableServiceGetNextVariableName ( &GetNextVariableName->NameSize, GetNextVariableName->Name, &GetNextVariableName->Guid ); break; case SMM_VARIABLE_FUNCTION_SET_VARIABLE: SmmVariableHeader = (SMM_VARIABLE_COMMUNICATE_ACCESS_VARIABLE *) SmmVariableFunctionHeader->Data; Status = VariableServiceSetVariable ( SmmVariableHeader->Name, &SmmVariableHeader->Guid, SmmVariableHeader->Attributes, SmmVariableHeader->DataSize, (UINT8 *)SmmVariableHeader->Name + SmmVariableHeader->NameSize ); break; case SMM_VARIABLE_FUNCTION_QUERY_VARIABLE_INFO: QueryVariableInfo = (SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO *) SmmVariableFunctionHeader->Data; InfoSize = sizeof(SMM_VARIABLE_COMMUNICATE_QUERY_VARIABLE_INFO); // // SMRAM range check already covered before // if (InfoSize > *CommBufferSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_HEADER, Data)) { DEBUG ((EFI_D_ERROR, "Data size exceed communication buffer size limit!\n")); Status = EFI_ACCESS_DENIED; goto EXIT; } Status = VariableServiceQueryVariableInfo ( QueryVariableInfo->Attributes, &QueryVariableInfo->MaximumVariableStorageSize, &QueryVariableInfo->RemainingVariableStorageSize, &QueryVariableInfo->MaximumVariableSize ); break; case SMM_VARIABLE_FUNCTION_READY_TO_BOOT: if (AtRuntime()) { Status = EFI_UNSUPPORTED; break; } ReclaimForOS (); Status = EFI_SUCCESS; break; case SMM_VARIABLE_FUNCTION_EXIT_BOOT_SERVICE: mAtRuntime = TRUE; Status = EFI_SUCCESS; break; case SMM_VARIABLE_FUNCTION_GET_STATISTICS: VariableInfo = (VARIABLE_INFO_ENTRY *) SmmVariableFunctionHeader->Data; InfoSize = *CommBufferSize - OFFSET_OF (SMM_VARIABLE_COMMUNICATE_HEADER, Data); // // Do not need to check SmmVariableFunctionHeader->Data in SMRAM here. // It is covered by previous CommBuffer check // if (InternalIsAddressInSmram ((EFI_PHYSICAL_ADDRESS)(UINTN)CommBufferSize, sizeof(UINTN))) { DEBUG ((EFI_D_ERROR, "SMM communication buffer size is in SMRAM!\n")); Status = EFI_ACCESS_DENIED; goto EXIT; } Status = SmmVariableGetStatistics (VariableInfo, &InfoSize); *CommBufferSize = InfoSize + OFFSET_OF (SMM_VARIABLE_COMMUNICATE_HEADER, Data); break; default: Status = EFI_UNSUPPORTED; } EXIT: SmmVariableFunctionHeader->ReturnStatus = Status; return EFI_SUCCESS; }
/** Delayed initialization for MOR Control Lock at EndOfDxe. This function performs any operations queued by MorLockInit(). **/ VOID MorLockInitAtEndOfDxe ( VOID ) { UINTN MorSize; EFI_STATUS MorStatus; if (!mMorLockInitializationRequired) { // // The EFI_SMM_FAULT_TOLERANT_WRITE_PROTOCOL has never been installed, thus // the variable write service is unavailable. This should never happen. // ASSERT (FALSE); return; } // // Check if the MOR variable exists. // MorSize = 0; MorStatus = VariableServiceGetVariable ( MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, &gEfiMemoryOverwriteControlDataGuid, NULL, // Attributes &MorSize, NULL // Data ); // // We provided a zero-sized buffer, so the above call can never succeed. // ASSERT (EFI_ERROR (MorStatus)); if (MorStatus == EFI_BUFFER_TOO_SMALL) { // // The MOR variable exists. // // Some OSes don't follow the TCG's Platform Reset Attack Mitigation spec // in that the OS should never create the MOR variable, only read and write // it -- these OSes (unintentionally) create MOR if the platform firmware // does not produce it. Whether this is the case (from the last OS boot) // can be deduced from the absence of the TCG / TCG2 protocols, as edk2's // MOR implementation depends on (one of) those protocols. // if (VariableHaveTcgProtocols ()) { // // The MOR variable originates from the platform firmware; set the MOR // Control Lock variable to report the locking capability to the OS. // SetMorLockVariable (0); return; } // // The MOR variable's origin is inexplicable; delete it. // DEBUG (( DEBUG_WARN, "%a: deleting unexpected / unsupported variable %g:%s\n", __FUNCTION__, &gEfiMemoryOverwriteControlDataGuid, MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME )); mMorPassThru = TRUE; VariableServiceSetVariable ( MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, &gEfiMemoryOverwriteControlDataGuid, 0, // Attributes 0, // DataSize NULL // Data ); mMorPassThru = FALSE; } // // The MOR variable is absent; the platform firmware does not support it. // Lock the variable so that no other module may create it. // VariableLockRequestToLock ( NULL, // This MEMORY_OVERWRITE_REQUEST_VARIABLE_NAME, &gEfiMemoryOverwriteControlDataGuid ); // // Delete the MOR Control Lock variable too (should it exists for some // reason) and prevent other modules from creating it. // mMorLockPassThru = TRUE; VariableServiceSetVariable ( MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, &gEfiMemoryOverwriteRequestControlLockGuid, 0, // Attributes 0, // DataSize NULL // Data ); mMorLockPassThru = FALSE; VariableLockRequestToLock ( NULL, // This MEMORY_OVERWRITE_REQUEST_CONTROL_LOCK_NAME, &gEfiMemoryOverwriteRequestControlLockGuid ); }