summaryrefslogtreecommitdiff
path: root/Features/Intel/UserInterface/UserAuthFeaturePkg/UserAuthenticationDxeSmm/UserAuthenticationVariableLock.c
blob: 201828791539ccbf27f8df1aa3cdf9616f6d6650 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84

/** @file
  Source code to lock password variables.

  Copyright (c) 2023, Intel Corporation. All rights reserved.<BR>
  SPDX-License-Identifier: BSD-2-Clause-Patent

**/

#include <PiDxe.h>

#include <Protocol/VariablePolicy.h>

#include <Library/PrintLib.h>
#include <Library/DebugLib.h>
#include <Library/VariablePolicyHelperLib.h>
#include <Library/UefiBootServicesTableLib.h>

#include <Guid/UserAuthentication.h>

#include "UserAuthenticationVariable.h"

/**
  Lock password variables for security concern.

  @retval EFI_SUCCESS           Succeed to lock variable.
  @retval EFI_NOT_FOUND         Variable Lock protocol is not found.
  @retval EFI_ACCESS_DENIED     EFI_END_OF_DXE_EVENT_GROUP_GUID or EFI_EVENT_GROUP_READY_TO_BOOT has
                                already been signaled.
  @retval EFI_OUT_OF_RESOURCES  There is not enough resource to hold the lock request.

**/
EFI_STATUS
LockPasswordVariable (
  VOID
  )
{
  EFI_STATUS                      Status;
  CHAR16                          PasswordHistoryName[sizeof (USER_AUTHENTICATION_VAR_NAME)/sizeof (CHAR16) + 5];
  UINTN                           Index;
  EDKII_VARIABLE_POLICY_PROTOCOL  *VariablePolicy;

  Status = gBS->LocateProtocol (&gEdkiiVariablePolicyProtocolGuid, NULL, (VOID **)&VariablePolicy);
  if (!EFI_ERROR (Status)) {
    Status = RegisterBasicVariablePolicy (
               VariablePolicy,
               &gUserAuthenticationGuid,
               USER_AUTHENTICATION_VAR_NAME,
               VARIABLE_POLICY_NO_MIN_SIZE,
               VARIABLE_POLICY_NO_MAX_SIZE,
               VARIABLE_POLICY_NO_MUST_ATTR,
               VARIABLE_POLICY_NO_CANT_ATTR,
               VARIABLE_POLICY_TYPE_LOCK_NOW
               );
    ASSERT_EFI_ERROR (Status);
    for (Index = 1; Index <= PASSWORD_HISTORY_CHECK_COUNT; Index++) {
      UnicodeSPrint (PasswordHistoryName, sizeof (PasswordHistoryName), L"%s%04x", USER_AUTHENTICATION_VAR_NAME, Index);
      Status = RegisterBasicVariablePolicy (
                 VariablePolicy,
                 &gUserAuthenticationGuid,
                 PasswordHistoryName,
                 VARIABLE_POLICY_NO_MIN_SIZE,
                 VARIABLE_POLICY_NO_MAX_SIZE,
                 VARIABLE_POLICY_NO_MUST_ATTR,
                 VARIABLE_POLICY_NO_CANT_ATTR,
                 VARIABLE_POLICY_TYPE_LOCK_NOW
                 );
      ASSERT_EFI_ERROR (Status);
    }

    Status = RegisterBasicVariablePolicy (
               VariablePolicy,
               &gUserAuthenticationGuid,
               USER_AUTHENTICATION_HISTORY_LAST_VAR_NAME,
               VARIABLE_POLICY_NO_MIN_SIZE,
               VARIABLE_POLICY_NO_MAX_SIZE,
               VARIABLE_POLICY_NO_MUST_ATTR,
               VARIABLE_POLICY_NO_CANT_ATTR,
               VARIABLE_POLICY_TYPE_LOCK_NOW
               );
    ASSERT_EFI_ERROR (Status);
  }

  return Status;
}
generated by cgit v1.2.3 (git 2.39.0) at 2025-09-07 01:02:53 +0300