MdeModulePkg: Don't Lock Variable Policy if Device is in Unit Test Mode
To enable testing variable policy functionality in the shell, it needs
to be unlocked when the test starts. This PR adds a check to the system
device state and avoids locking if it is in unit test mode.

- [x] Impacts functionality?
  - **Functionality** - Does the change ultimately impact how firmware functions?
  - Examples: Add a new library, publish a new PPI, update an algorithm, ...
- [x] Impacts security?
  - **Security** - Does the change have a direct security impact on an application, flow, or firmware?
  - Examples: Crypto algorithm change, buffer overflow fix, parameter validation improvement, ...
- [ ] Breaking change?
  - **Breaking change** - Will anyone consuming this change experience a break in build or boot behavior?
  - Examples: Add a new library class, move a module to a different repo, call a function in a new library class in a pre-existing module, ...
- [ ] Includes tests?
  - **Tests** - Does the change include any explicit test code?
  - Examples: Unit tests, integration tests, robot tests, ...
- [ ] Includes documentation?
  - **Documentation** - Does the change contain explicit documentation additions outside direct code modifications (and comments)?
  - Examples: Update readme file, add feature readme file, link to documentation on a separate Web page, ...

Tested by running the variable policy test app in Q35.

N/A
TaylorBeebe authored and Flickdm committed Jul 18, 2024
1 parent 8d3f73f commit 7005df7
Showing 4 changed files with 16 additions and 2 deletions.
7 changes: 5 additions & 2 deletions MdeModulePkg/MdeModulePkg.dsc
Expand Up @@ -112,13 +112,16 @@
MmUnblockMemoryLib|MdePkg/Library/MmUnblockMemoryLib/MmUnblockMemoryLibNull.inf
VariableFlashInfoLib|MdeModulePkg/Library/BaseVariableFlashInfoLib/BaseVariableFlashInfoLib.inf
IpmiCommandLib|MdeModulePkg/Library/BaseIpmiCommandLibNull/BaseIpmiCommandLibNull.inf
SpiHcPlatformLib|MdeModulePkg/Library/BaseSpiHcPlatformLibNull/BaseSpiHcPlatformLibNull.inf
MemoryTypeInfoSecVarCheckLib|MdeModulePkg/Library/MemoryTypeInfoSecVarCheckLib/MemoryTypeInfoSecVarCheckLib.inf # MU_CHANGE TCBZ1086

AdvLoggerAccessLib|MdeModulePkg/Library/AdvLoggerAccessLibNull/AdvLoggerAccessLib.inf ## MU_CHANGE
AdvLoggerAccessLib|MdeModulePkg/Library/AdvLoggerAccessLibNull/AdvLoggerAccessLib.inf ## MS_CHANGE
MemoryTypeInfoSecVarCheckLib|MdeModulePkg/Library/MemoryTypeInfoSecVarCheckLib/MemoryTypeInfoSecVarCheckLib.inf # MU_CHANGE TCBZ1086
DeviceStateLib|MdeModulePkg/Library/DeviceStateLib/DeviceStateLib.inf # MU_CHANGE

PanicLib|MdePkg/Library/BasePanicLibNull/BasePanicLibNull.inf # MU_CHANGE

NULL|MdePkg/Library/StackCheckLibNull/StackCheckLibNull.inf # MU_CHANGE: /GS and -fstack-protector support

[LibraryClasses.EBC.PEIM]
IoLib|MdePkg/Library/PeiIoLibCpuIo/PeiIoLibCpuIo.inf

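Review bot: besides the DeviceStateLib line this commit is about, the hunk also carries unrelated churn that the commit message does not mention: MemoryTypeInfoSecVarCheckLib appears twice (the original line and one re-added further down, i.e. a reorder), and the two AdvLoggerAccessLib lines differ only in their trailing tag (`## MU_CHANGE` vs `## MS_CHANGE`). Suggest dropping the reorder and the tag change from this commit, or stating them in the message, so that the security-relevant part (a new library class that gates whether variable policy gets locked) is the only thing a reader has to audit here. The new `DeviceStateLib|...DeviceStateLib.inf # MU_CHANGE` line would also read better with the same purpose comment the .inf entries use (`# MU_CHANGE - Check device state before locking variable policy`).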
Expand Up @@ -10,6 +10,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
#include <Uefi.h>
#include <Library/UefiLib.h>
#include <Library/DebugLib.h>
#include <Library/DeviceStateLib.h>
#include <Library/UefiBootServicesTableLib.h>

#include <Protocol/VariablePolicy.h>
Expand Down Expand Up @@ -61,6 +62,14 @@ LockPolicyInterfaceAtReadyToBoot (
{
EFI_STATUS Status;

DEBUG_CODE_BEGIN ();
if ((GetDeviceState () & DEVICE_STATE_UNIT_TEST_MODE) != 0) {
DEBUG ((DEBUG_INFO, "[%a] Unit test mode is enabled -- skipping variable policy lock.\n", __FUNCTION__));
return;
}

DEBUG_CODE_END ();

if (mCallbackInterface != NULL) {
DEBUG ((DEBUG_INFO, "[%a] Invoking pre-lock callback.\n", __FUNCTION__));
Status = mCallbackInterface->PreLock (mVariablePolicy);
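Review bot: the early `return;` at the top of LockPolicyInterfaceAtReadyToBoot sits inside `DEBUG_CODE_BEGIN ()` / `DEBUG_CODE_END ()`, so the bypass is compiled out of MDEPKG_NDEBUG (release) builds and, in DEBUG builds, only runs when debug code is enabled; release firmware therefore still locks the policy unconditionally. That is the right shape for a test-only escape hatch, but nothing in the hunk says so, and the return also skips the `mCallbackInterface->PreLock` callback that follows, so a reader of the function alone cannot tell whether both effects are intended. Suggest a comment above the block stating that this is DEBUG-only, that unit test mode deliberately leaves the policy engine unlocked so the test app can exercise it, and that the pre-lock callback is intentionally skipped as well. The log line would be better at DEBUG_WARN than DEBUG_INFO: reaching ReadyToBoot with variable policy unlocked is a state worth surfacing prominently, and it makes the condition easy to grep for when triaging a DEBUG-build boot log. It is also worth confirming in the message that DEVICE_STATE_UNIT_TEST_MODE can only be set by the platform on non-production devices, since any path that sets that bit in a DEBUG build disables the lock.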
Expand Up @@ -78,6 +78,7 @@
VariablePolicyHelperLib
SafeIntLib
MemoryTypeInfoSecVarCheckLib # MU_CHANGE TCBZ1086 - Mitigate potential system brick due to UEFI MemoryTypeInformation var changes
DeviceStateLib # MU_CHANGE - Check device state before locking variable policy

[Protocols]
gEfiFirmwareVolumeBlockProtocolGuid ## CONSUMES
Expand Up @@ -63,6 +63,7 @@
SafeIntLib
PcdLib
MmUnblockMemoryLib
DeviceStateLib # MU_CHANGE - Check device state before locking variable policy

[Protocols]
gEfiVariableWriteArchProtocolGuid ## PRODUCES
