diff --git a/MdeModulePkg/MdeModulePkg.dsc b/MdeModulePkg/MdeModulePkg.dsc
index 4dcf7c4f5a..b92044efd0 100644
--- a/MdeModulePkg/MdeModulePkg.dsc
+++ b/MdeModulePkg/MdeModulePkg.dsc
@@ -113,10 +113,10 @@
 VariableFlashInfoLib|MdeModulePkg/Library/BaseVariableFlashInfoLib/BaseVariableFlashInfoLib.inf
 IpmiCommandLib|MdeModulePkg/Library/BaseIpmiCommandLibNull/BaseIpmiCommandLibNull.inf
 SpiHcPlatformLib|MdeModulePkg/Library/BaseSpiHcPlatformLibNull/BaseSpiHcPlatformLibNull.inf
- MemoryTypeInfoSecVarCheckLib|MdeModulePkg/Library/MemoryTypeInfoSecVarCheckLib/MemoryTypeInfoSecVarCheckLib.inf # MU_CHANGE TCBZ1086
+ MemoryTypeInfoSecVarCheckLib|MdeModulePkg/Library/MemoryTypeInfoSecVarCheckLib/MemoryTypeInfoSecVarCheckLib.inf # MU_CHANGE TCBZ1086
 ExceptionPersistenceLib|MdeModulePkg/Library/BaseExceptionPersistenceLibNull/BaseExceptionPersistenceLibNull.inf # MU_CHANGE
- AdvLoggerAccessLib|MdeModulePkg/Library/AdvLoggerAccessLibNull/AdvLoggerAccessLib.inf ## MU_CHANGE
+ DeviceStateLib|MdeModulePkg/Library/DeviceStateLib/DeviceStateLib.inf # MU_CHANGE
 PanicLib|MdePkg/Library/BasePanicLibNull/BasePanicLibNull.inf # MU_CHANGE
 NULL|MdePkg/Library/StackCheckLibNull/StackCheckLibNull.inf # MU_CHANGE: /GS and -fstack-protector support
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicyLockingCommon.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicyLockingCommon.c
index a9cfee67a5..1d0cc5aedb 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicyLockingCommon.c
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicyLockingCommon.c
@@ -10,6 +10,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #include
 #include
 #include
+#include
 #include
 #include
@@ -61,6 +62,14 @@ LockPolicyInterfaceAtReadyToBoot (
 {
 EFI_STATUS Status;
+ DEBUG_CODE_BEGIN ();
+ if ((GetDeviceState () & DEVICE_STATE_UNIT_TEST_MODE) != 0) {
+ DEBUG ((DEBUG_INFO, "[%a] Unit test mode is enabled -- skipping variable policy lock.\n", __FUNCTION__));
+ return;
+ }
+
+ DEBUG_CODE_END ();
+
 if (mCallbackInterface != NULL) {
 DEBUG ((DEBUG_INFO, "[%a] Invoking pre-lock callback.\n", __FUNCTION__));
 Status = mCallbackInterface->PreLock (mVariablePolicy);
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
index 8baa051f1a..0586d7906e 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf
@@ -78,6 +78,7 @@
 VariablePolicyHelperLib
 SafeIntLib
 MemoryTypeInfoSecVarCheckLib # MU_CHANGE TCBZ1086 - Mitigate potential system brick due to UEFI MemoryTypeInformation var changes
+ DeviceStateLib # MU_CHANGE - Check device state before locking variable policy
 [Protocols]
 gEfiFirmwareVolumeBlockProtocolGuid ## CONSUMES
diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
index 5cc4259453..3c02ded42d 100644
--- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
+++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
@@ -63,6 +63,7 @@
 SafeIntLib
 PcdLib
 MmUnblockMemoryLib
+ DeviceStateLib # MU_CHANGE - Check device state before locking variable policy
 [Protocols]
 gEfiVariableWriteArchProtocolGuid ## PRODUCES
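Review bot: The early `return` added at the top of LockPolicyInterfaceAtReadyToBoot in VariablePolicyLockingCommon.c skips both the pre-lock callback and the lock, leaving variable policy unlocked after ReadyToBoot, and the only trace of that is a `DEBUG_INFO` message. `DEBUG_CODE_BEGIN ()`/`DEBUG_CODE_END ()` follow the platform's debug property mask rather than the build target, so the bypass exists in any image that enables debug code, and it then relies entirely on `GetDeviceState ()`. Whether the `DEVICE_STATE_UNIT_TEST_MODE` bit can be set from an untrusted context is not visible in this diff and should be confirmed. I would raise the message to `DEBUG_ERROR` and add a comment above the block such as `// Test-only bypass: leaves variable policy unlocked after ReadyToBoot; must not be reachable in production images.` The function starts before this hunk and continues past its end.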