Subject: Re: [edk2-devel] [Patch v2 00/28] UEFI variable protection
From: "Michael Kubacki" <mikuback@linux.microsoft.com>
To: devel@edk2.groups.io, judah.vang@intel.com
Reply-To: devel@edk2.groups.io, mikuback@linux.microsoft.com
Date: Mon, 22 Aug 2022 23:35:50 -0400
Message-ID: <18c5ba46-dd66-f378-e9c4-9a71fd5e91a1@linux.microsoft.com>
References: <20220429180430.3292-1-judah.vang@intel.com> <16EFC4965F71DFB8.20068@groups.io>

Hi Judah,

Just wanted to send a reminder to see if you have this data from your testing.

Thanks,
Michael

On 6/16/2022 3:13 PM, Michael Kubacki wrote:
> Do you have the data below?
>
> This is important for platform adoption and would be useful to include in the following section.
>
> https://github.com/judahvang/edk2/tree/rpmc-update#platform-integration-considerations
>
> Thanks,
> Michael
>
> On 5/16/2022 10:48 PM, Michael Kubacki wrote:
>> Hi Judah,
>>
>> Do you have reference information for the following?
>>
>> 1. Overall boot time impact for a sample variable store?
>>
>> - In particular:
>>    - Initial HMAC calculation/verification time.
>>    - Non-volatile write impact time to calculate new store HMAC value and update MetaDataHmacVar.
>>    - Variable reclaim before and after time.
>>
>> 2. Overall non-volatile store size overhead impact with AES-CBC encrypted variables?
>>
>> I understand these will vary based on system properties like SPI flash parameters, cryptographic processor details, etc. I'm trying to get an idea of the impact from sample data or averages on a particular system configuration. Also to learn whether the native encryption instruction (AES-NI) was used and if that could provide any benefit given the potential number of encryption/decryption operations introduced.
>>
>> For the code design, I feel the ProtectedVariableLib interface is a bit too coupled against internal implementation details of the variable driver. I generally understand why the code is split out to wrap operations around the new functionality and it follows the AuthVarLib pattern, but changing the library or driver will continue to require large changes across both like this due to the coupling.
>>
>> Small things I noticed:
>> 1. VariableKeyLib.inf should not be "BASE"; it directly depends on PEI services
>> 2. Typo "varabile" in some files
>> 3. Does ProtectedVariableLibNull actually need to depend on BaseMemoryLib?
>>
>> Thanks,
>> Michael
>>
>> On 4/29/2022 2:04 PM, Judah Vang wrote:
>>> For a more detailed description of the UEFI variable protection feature you can
>>> view the Readme.md located at the following location:
>>> https://github.com/judahvang/edk2/tree/rpmc-update
>>>
>>>
>>> Judah Vang (28):
>>>   MdeModulePkg: Add new GUID for Variable Store Info
>>>   SecurityPkg: Add new GUIDs for
>>>   MdeModulePkg: Update AUTH_VARIABLE_INFO struct
>>>   MdeModulePkg: Add reference to new Ppi Guid
>>>   MdeModulePkg: Add new ProtectedVariable GUIDs
>>>   MdeModulePkg: Add new include files
>>>   MdeModulePkg: Add Null ProtectedVariable Library
>>>   MdeModulePkg: Add new Variable functionality
>>>   MdeModulePkg: Add support for Protected Variables
>>>   SecurityPkg: Add new KeyService types and defines
>>>   SecurityPkg: Update RPMC APIs with index
>>>   SecurityPkg: Add new variable types and functions
>>>   SecurityPkg: Fix GetVariableKey API
>>>   SecurityPkg: Add null encryption variable libs
>>>   SecurityPkg: Add VariableKey library function
>>>   SecurityPkg: Add EncryptionVariable lib with AES
>>>   SecurityPkg: Add Protected Variable Services
>>>   MdeModulePkg: Reference Null ProtectedVariableLib
>>>   SecurityPkg: Add references to new *.inf files
>>>   ArmVirtPkg: Add reference to ProtectedVariableNull
>>>   UefiPayloadPkg: Add ProtectedVariable reference
>>>   EmulatorPkg: Add ProtectedVariable reference
>>>   OvmfPkg: Add ProtectedVariable reference
>>>   OvmfPkg: Add ProtectedVariableLib reference
>>>   OvmfPkg: Add ProtectedVariableLib reference
>>>   OvmfPkg: Add ProtectedVariableLib reference
>>>   OvmfPkg: Add ProtectedVariable reference
>>>   CryptoPkg: Enable crypto HMAC KDF library
>>>
>>>  MdeModulePkg/MdeModulePkg.dec                                              |   13 +-
>>>  SecurityPkg/SecurityPkg.dec                                                |   43 +-
>>>  ArmVirtPkg/ArmVirtQemu.dsc                                                 |    3 +-
>>>  EmulatorPkg/EmulatorPkg.dsc                                                |    3 +-
>>>  MdeModulePkg/MdeModulePkg.dsc                                              |    4 +-
>>>  OvmfPkg/AmdSev/AmdSevX64.dsc                                               |    3 +-
>>>  OvmfPkg/Bhyve/BhyveX64.dsc                                                 |    3 +-
>>>  OvmfPkg/CloudHv/CloudHvX64.dsc                                             |    1 +
>>>  OvmfPkg/Microvm/MicrovmX64.dsc                                             |    3 +-
>>>  OvmfPkg/OvmfPkgIa32.dsc                                                    |    1 +
>>>  OvmfPkg/OvmfPkgIa32X64.dsc                                                 |    1 +
>>>  OvmfPkg/OvmfPkgX64.dsc                                                     |    1 +
>>>  OvmfPkg/OvmfXen.dsc                                                        |    3 +-
>>>  SecurityPkg/SecurityPkg.dsc                                                |   13 +-
>>>  UefiPayloadPkg/UefiPayloadPkg.dsc                                          |    2 +
>>>  CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf                             |    2 +-
>>>  MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf |   34 +
>>>  MdeModulePkg/Universal/Variable/Pei/VariablePei.inf                        |   10 +-
>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf          |    3 +-
>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf                 |    3 +-
>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf       |    4 +-
>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf        |    3 +-
>>>  SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf        |   43 +
>>>  SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf |   38 +
>>>  SecurityPkg/Library/ProtectedVariableLib/DxeProtectedVariableLib.inf       |   64 +
>>>  SecurityPkg/Library/ProtectedVariableLib/PeiProtectedVariableLib.inf       |   68 +
>>>  SecurityPkg/Library/ProtectedVariableLib/SmmProtectedVariableLib.inf       |   67 +
>>>  SecurityPkg/Library/ProtectedVariableLib/SmmRuntimeProtectedVariableLib.inf |   62 +
>>>  SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf                      |   36 +
>>>  MdeModulePkg/Include/Guid/ProtectedVariable.h                              |   22 +
>>>  MdeModulePkg/Include/Library/AuthVariableLib.h                             |    4 +-
>>>  MdeModulePkg/Include/Library/EncryptionVariableLib.h                       |  165 ++
>>>  MdeModulePkg/Include/Library/ProtectedVariableLib.h                        |  700 +++++++
>>>  MdeModulePkg/Universal/Variable/Pei/Variable.h                             |   80 +-
>>>  MdeModulePkg/Universal/Variable/Pei/VariableParsing.h                      |  309 +++
>>>  MdeModulePkg/Universal/Variable/Pei/VariableStore.h                        |  116 ++
>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.h                      |  126 +-
>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableParsing.h               |   91 +-
>>>  MdePkg/Include/Ppi/ReadOnlyVariable2.h                                     |    4 +-
>>>  SecurityPkg/Include/Library/RpmcLib.h                                      |   15 +-
>>>  SecurityPkg/Include/Library/VariableKeyLib.h                               |   37 +-
>>>  SecurityPkg/Include/Ppi/KeyServicePpi.h                                    |   57 +
>>>  SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h             |   49 +
>>>  SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableInternal.h       |  611 ++++++
>>>  MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c          |  449 ++++
>>>  MdeModulePkg/Universal/Variable/Pei/Variable.c                             |  886 ++------
>>>  MdeModulePkg/Universal/Variable/Pei/VariableParsing.c                      |  941 +++++++++
>>>  MdeModulePkg/Universal/Variable/Pei/VariableStore.c                        |  305 +++
>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/Reclaim.c                       |  349 +++-
>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c                      | 2139 +++++++++++---------
>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c                   |   26 +-
>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableExLib.c                 |  167 +-
>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableNonVolatile.c           |  194 +-
>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableParsing.c               |  320 ++-
>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeCache.c          |    2 +-
>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c                   |   39 +-
>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c         |   41 +-
>>>  SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.c             |  728 +++++++
>>>  SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c         |  107 +
>>>  SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableCommon.c         | 2095 +++++++++++++++++++
>>>  SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableDxe.c            |  163 ++
>>>  SecurityPkg/Library/ProtectedVariableLib/ProtectedVariablePei.c            | 1331 ++++++++++++
>>>  SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmm.c            |  209 ++
>>>  SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmmDxeCommon.c   |  975 +++++++++
>>>  SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmmRuntime.c     |  233 +++
>>>  SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c                              |    8 +-
>>>  SecurityPkg/Library/VariableKeyLib/VariableKeyLib.c                        |   59 +
>>>  SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c                |    6 +-
>>>  SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.uni |   16 +
>>>  69 files changed, 12845 insertions(+), 1863 deletions(-)
>>>  create mode 100644 MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf
>>>  create mode 100644 SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf
>>>  create mode 100644 SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf
>>>  create mode 100644 SecurityPkg/Library/ProtectedVariableLib/DxeProtectedVariableLib.inf
>>>  create mode 100644 SecurityPkg/Library/ProtectedVariableLib/PeiProtectedVariableLib.inf
>>>  create mode 100644 SecurityPkg/Library/ProtectedVariableLib/SmmProtectedVariableLib.inf
>>>  create mode 100644 SecurityPkg/Library/ProtectedVariableLib/SmmRuntimeProtectedVariableLib.inf
>>>  create mode 100644 SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf
>>>  create mode 100644 MdeModulePkg/Include/Guid/ProtectedVariable.h
>>>  create mode 100644 MdeModulePkg/Include/Library/EncryptionVariableLib.h
>>>  create mode 100644 MdeModulePkg/Include/Library/ProtectedVariableLib.h
>>>  create mode 100644 MdeModulePkg/Universal/Variable/Pei/VariableParsing.h
>>>  create mode 100644 MdeModulePkg/Universal/Variable/Pei/VariableStore.h
>>>  create mode 100644 SecurityPkg/Include/Ppi/KeyServicePpi.h
>>>  create mode 100644 SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h
>>>  create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableInternal.h
>>>  create mode 100644 MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c
>>>  create mode 100644 MdeModulePkg/Universal/Variable/Pei/VariableParsing.c
>>>  create mode 100644 MdeModulePkg/Universal/Variable/Pei/VariableStore.c
>>>  create mode 100644 SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.c
>>>  create mode 100644 SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c
>>>  create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableCommon.c
>>>  create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableDxe.c
>>>  create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariablePei.c
>>>  create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmm.c
>>>  create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmmDxeCommon.c
>>>  create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmmRuntime.c
>>>  create mode 100644 SecurityPkg/Library/VariableKeyLib/VariableKeyLib.c
>>>  create mode 100644 SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.uni
>>>
>>>
>>
>>
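The questions in the thread above (initial HMAC verification time, re-sealing the store HMAC and MetaDataHmacVar on every non-volatile write, and the size overhead of AES-CBC encrypted variables) are easier to reason about with a small model. The Python below is an added example written for this page; it is not code from the patch series, from edk2, or from either author. The class and function names, the constructed key and GUID, and the in-memory counter standing in for the RPMC are all this example's own assumptions. It shows why the store HMAC must bind a monotonic counter (an old but internally consistent flash image is rejected, not just a modified one), how an in-place change to stored data is detected, and the per-variable size cost of CBC padding plus IV.

```python
"""Toy model of an HMAC-protected, rollback-resistant UEFI variable store.

Added example, not code from the edk2 patch series discussed in the thread.
Names here (ProtectedStore, MonotonicCounter, ...) are this example's own
and are not the ProtectedVariableLib API.
"""
import hashlib
import hmac
import time
from copy import deepcopy
from dataclasses import dataclass

AES_BLOCK = 16
DEMO_GUID = "00000000-0000-0000-0000-000000000001"  # constructed vendor GUID


def aes_cbc_overhead(plain_len: int) -> int:
    """Bytes added to a variable's data by AES-CBC with PKCS#7 padding.

    Padding always adds 1..16 bytes (a whole block when the input is already
    block-aligned), and a 16-byte IV has to be stored next to the ciphertext.
    """
    padded = (plain_len // AES_BLOCK + 1) * AES_BLOCK
    return (padded - plain_len) + AES_BLOCK


@dataclass
class Variable:
    name: str
    guid: str        # vendor GUID as text
    attributes: int
    data: bytes      # in the real design this would be the AES-CBC ciphertext


class MonotonicCounter:
    """Stands in for the RPMC: lives outside the flash image and only goes up."""

    def __init__(self) -> None:
        self.value = 0

    def increment(self) -> int:
        self.value += 1
        return self.value


class ProtectedStore:
    def __init__(self, hmac_key: bytes, counter: MonotonicCounter) -> None:
        self._key = hmac_key
        self._counter = counter
        # Everything in `flash` is what someone with SPI access could read,
        # modify, or replace with an image captured earlier.
        self.flash = {"variables": {}, "meta_hmac": b""}

    def _store_hmac(self, counter_value: int) -> bytes:
        """HMAC over every variable's metadata and data plus the counter value."""
        mac = hmac.new(self._key, digestmod=hashlib.sha256)
        for key in sorted(self.flash["variables"]):          # deterministic order
            var = self.flash["variables"][key]
            mac.update(var.guid.encode())
            mac.update(var.name.encode("utf-16-le"))
            mac.update(var.attributes.to_bytes(4, "little"))
            mac.update(len(var.data).to_bytes(4, "little"))  # length prefix
            mac.update(var.data)
        mac.update(counter_value.to_bytes(4, "little"))
        return mac.digest()

    def write(self, var: Variable) -> None:
        """Non-volatile write: store data, bump the counter, re-seal the store."""
        self.flash["variables"][(var.guid, var.name)] = var
        self.flash["meta_hmac"] = self._store_hmac(self._counter.increment())

    def verify(self) -> bool:
        """Check the stored HMAC against the store and the *current* counter."""
        expected = self._store_hmac(self._counter.value)
        return hmac.compare_digest(self.flash["meta_hmac"], expected)


def demo() -> dict:
    """Constructed scenario: a fresh store verifies; tampering and rollback do not."""
    counter = MonotonicCounter()
    store = ProtectedStore(b"constructed-demo-key-not-a-derived-variable-key", counter)
    store.write(Variable("BootOrder", DEMO_GUID, 0x7, b"\x01\x00\x00\x00"))
    result = {"fresh": store.verify()}

    old_image = deepcopy(store.flash)  # flash image captured at counter value 1

    store.write(Variable("Setup", DEMO_GUID, 0x7, b"\x00" * 20))
    store.flash["variables"][(DEMO_GUID, "Setup")].data = b"\xff" * 20  # in-place change
    result["tampered"] = store.verify()

    # The old image is self-consistent, but its HMAC was bound to counter value 1
    # and the counter now reads 2, so the stale store is rejected.
    store.flash = old_image
    result["rollback"] = store.verify()
    return result


def time_initial_verify(n_vars: int = 200, data_len: int = 64) -> float:
    """Rough cost in seconds of the boot-time HMAC pass over n_vars variables."""
    store = ProtectedStore(b"constructed-demo-key", MonotonicCounter())
    for i in range(n_vars):
        store.write(Variable(f"Var{i}", DEMO_GUID, 0x7, bytes([i & 0xFF]) * data_len))
    start = time.perf_counter()
    if not store.verify():
        raise RuntimeError("freshly written store must verify")
    return time.perf_counter() - start


if __name__ == "__main__":
    print(demo())
    print(f"AES-CBC overhead for a 100-byte value: {aes_cbc_overhead(100)} bytes")
    print(f"verify over 200 variables: {time_initial_verify() * 1e3:.3f} ms")
```

The timing helper only measures a software HMAC in Python; as the message notes, real numbers depend on SPI flash parameters and whether the crypto work runs on a hardware engine or with AES-NI. The size helper makes the CBC cost concrete: a 100-byte value costs 28 extra bytes (12 bytes of padding plus a 16-byte IV), and an already block-aligned value still pays a full padding block plus the IV.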