Improving error handing in Variable Smm

[PaddyDeng-v]

Description

This PR includes 2 commits that improves error handling in VariableSmm

1. Gracefully fail in MmVariableServiceInitialize: Some platform may disable dead loop on assert. In this case, we should also abort the function in assert cases.
2. Check mNvVariableCache before use in SmiVariableHandler

• Breaking change?
  • Breaking change - Does this PR cause a break in build or boot behavior?
  • Examples: Does it add a new library class or move a module to a different repo.
• Impacts security?
  • Security - Does this PR have a direct security impact?
  • Examples: Crypto algorithm change or buffer overflow fix.
• Includes tests?
  • Tests - Does this PR include any explicit test code?
  • Examples: Unit tests or integration tests.

How This Was Tested

After apply both commits, the platform can still boot to OS. No error is happing.

Integration Instructions

N/A

[makubacki]

@PaddyDeng-v, I think you need to consider system-state cleanup since this is a behavior change. Previously, an assertion call either:

• Did nothing
• Triggered a breakpoint
• Entered a deadloop

This change adds a new possibility to return partially through the initialization flow at various points to firmware execution.

If subsequent initialization fails, gEfiSmmVariableProtocolGuid should likely be uninstalled as it exposes MM variable services within the MM environment that would be in a "partially initialized" state.

For example, if gEfiSmmVariableProtocolGuid is installed successfully (Line 1179), but gEdkiiSmmVarCheckProtocolGuid installation fails (Line 1196), that means the call to register the variable SMI handler (Line 1237) is not executed. MM drivers (using gEfiSmmVariableProtocolGuid directly) might participate in a flow where they expect variables written from outside the MM environment (which relies on the SMI handler) and that is not available.

These types of dependencies can be established and broken down throughout initialization, but I think the simplest answer is that "if initialization fails, variable services are not available". So, interfaces in global databases (like the protocol database) are removed.

[MatthiasHuang]

mNvVariableCache is assigned in InitNonVolatileVariableStore() via VariableCommonInitialize(), which runs at the very top of MmVariableServiceInitialize. Since commit 1 now aborts before MmiHandlerRegister when that fails, the SMI handler should only ever be registered when mNvVariableCache is non-NULL, so these per-case NULL checks look unreachable in the normal flow. Are they guarding a specific scenario (e.g. a custom/downstream init ordering)? If so, a brief comment would help future readers; if not, they could be dropped, since commit 1 is the actual safeguard

[MatthiasHuang]

Small consistency note: the new guards correctly set Status and goto EXIT (so ReturnStatus is written back), but the sibling buffer-size checks in these cases still return EFI_SUCCESS without setting ReturnStatus. Because the DXE caller reads SmmVariableFunctionHeader->ReturnStatus directly, that path can surface a stale value from the previous operation. Converting these to Status = EFI_INVALID_PARAMETER; goto EXIT; would make the handler consistent. (Pre-existing; optional, but you're already in these cases.)