* [PATCH v4 0/3] Add RpmcLib and VariableKeyLib
From: Wang, Jian J @ 2020-03-24 6:35 UTC
To: devel; +Cc: Jiewen Yao, Chao Zhang, Nishant C Mistry
> v4: remove CounterId which should not be exposed
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
Patch branch: https://github.com/jwang36/edk2/tree/bz2594-part1-common-interfaces-between-platform-and-edk2-v4
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Nishant C Mistry <nishant.c.mistry@intel.com>
Jian J Wang (3):
SecurityPkg: add RpmcLib and VariableKeyLib public headers
SecurityPkg: add null version of RpmcLib
SecurityPkg: add null version of VariableKeyLib
SecurityPkg/Include/Library/RpmcLib.h | 42 ++++++++++++
SecurityPkg/Include/Library/VariableKeyLib.h | 59 ++++++++++++++++
SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c | 47 +++++++++++++
.../Library/RpmcLibNull/RpmcLibNull.inf | 33 +++++++++
.../VariableKeyLibNull/VariableKeyLibNull.c | 67 +++++++++++++++++++
.../VariableKeyLibNull/VariableKeyLibNull.inf | 33 +++++++++
SecurityPkg/SecurityPkg.dec | 8 +++
SecurityPkg/SecurityPkg.dsc | 8 +++
8 files changed, 297 insertions(+)
create mode 100644 SecurityPkg/Include/Library/RpmcLib.h
create mode 100644 SecurityPkg/Include/Library/VariableKeyLib.h
create mode 100644 SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c
create mode 100644 SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf
create mode 100644 SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c
create mode 100644 SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf
--
2.24.0.windows.2
* [PATCH v4 1/3] SecurityPkg: add RpmcLib and VariableKeyLib public headers
From: Wang, Jian J @ 2020-03-24 6:35 UTC
To: devel; +Cc: Jiewen Yao, Chao Zhang, Nishant C Mistry
> v4: remove CounterId which should not be exposed
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
RpmcLib.h and VariableKeyLib.h are header files required to access the RPMC device and key generator from the platform. They will be used to ensure the integrity and confidentiality of NV variables.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Nishant C Mistry <nishant.c.mistry@intel.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
---
SecurityPkg/Include/Library/RpmcLib.h | 42 ++++++++++++++
SecurityPkg/Include/Library/VariableKeyLib.h | 59 ++++++++++++++++++++
SecurityPkg/SecurityPkg.dec | 8 +++
3 files changed, 109 insertions(+)
create mode 100644 SecurityPkg/Include/Library/RpmcLib.h
create mode 100644 SecurityPkg/Include/Library/VariableKeyLib.h
diff --git a/SecurityPkg/Include/Library/RpmcLib.h b/SecurityPkg/Include/Library/RpmcLib.h new file mode 100644 index 0000000000..8e3868516c --- /dev/null +++ b/SecurityPkg/Include/Library/RpmcLib.h
@@ -0,0 +1,42 @@ +/** @file + Public definitions for the Replay Protected Monotonic Counter (RPMC) Library. + +Copyright (c) 2020, Intel Corporation. All rights reserved.<BR> +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef _RPMC_LIB_H_ +#define _RPMC_LIB_H_ + +#include <Uefi/UefiBaseType.h> + +/** + Requests the monotonic counter from the designated RPMC counter. + + @param[out] CounterValue A pointer to a buffer to store the RPMC value. + + @retval EFI_SUCCESS The operation completed successfully. + @retval EFI_DEVICE_ERROR A device error occurred while attempting to update the counter. + @retval EFI_UNSUPPORTED The operation is un-supported. +**/ +EFI_STATUS +EFIAPI +RequestMonotonicCounter ( + OUT UINT32 *CounterValue + ); + +/** + Increments the monotonic counter in the SPI flash device by 1. + + @retval EFI_SUCCESS The operation completed successfully. + @retval EFI_DEVICE_ERROR A device error occurred while attempting to update the counter. + @retval EFI_UNSUPPORTED The operation is un-supported. +**/ +EFI_STATUS +EFIAPI +IncrementMonotonicCounter ( + VOID + ); + +#endif \ No newline at end of file diff --git a/SecurityPkg/Include/Library/VariableKeyLib.h b/SecurityPkg/Include/Library/VariableKeyLib.h new file mode 100644 index 0000000000..fe642b3d66 --- /dev/null +++ b/SecurityPkg/Include/Library/VariableKeyLib.h 
@@ -0,0 +1,59 @@ +/** @file + Public definitions for Variable Key Library. + +Copyright (c) 2020, Intel Corporation. All rights reserved.<BR> +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef _VARIABLE_KEY_LIB_H_ +#define _VARIABLE_KEY_LIB_H_ + +#include <Uefi/UefiBaseType.h> + +/** + Retrieves the variable root key. + + @param[out] VariableRootKey A pointer to pointer for the variable root key buffer. + @param[in,out] VariableRootKeySize The size in bytes of the variable root key. + + @retval EFI_SUCCESS The variable root key was returned. + @retval EFI_DEVICE_ERROR An error occurred while attempting to get the variable root key. + @retval EFI_ACCESS_DENIED The function was invoked after locking the key interface. + @retval EFI_UNSUPPORTED The variable root key is not supported in the current boot configuration. +**/ +EFI_STATUS +EFIAPI +GetVariableRootKey ( + OUT VOID **VariableRootKey, + IN OUT UINTN *VariableRootKeySize + ); + +/** + Regenerates the variable root key. + + @retval EFI_SUCCESS The variable root key was regenerated successfully. + @retval EFI_DEVICE_ERROR An error occurred while attempting to regenerate the root key. + @retval EFI_ACCESS_DENIED The function was invoked after locking the key interface. + @retval EFI_UNSUPPORTED Key regeneration is not supported in the current boot configuration. +**/ +EFI_STATUS +EFIAPI +RegenerateKey ( + VOID + ); + +/** + Locks the regenerate key interface. + + @retval EFI_SUCCESS The key interface was locked successfully. + @retval EFI_UNSUPPORTED Locking the key interface is not supported in the current boot configuration. + @retval Others An error occurred while attempting to lock the key interface. +**/ +EFI_STATUS +EFIAPI +LockKeyInterface ( + VOID + ); + +#endif \ No newline at end of file diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index 5335cc5397..2cdfb02cc5 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec 
@@ -76,6 +76,14 @@ # TcgStorageOpalLib|Include/Library/TcgStorageOpalLib.h + ## @libraryclass Provides interfaces to access RPMC device. + # + RpmcLib|Include/Library/RpmcLib.h + + ## @libraryclass Provides interfaces to access variable root key. + # + VariableKeyLib|Include/Library/VariableKeyLib.h + [Guids] ## Security package token space guid. # Include/Guid/SecurityPkgTokenSpace.h -- 2.24.0.windows.2 ^ permalink raw reply related [flat|nested] 7+ messages in thread
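Review bot: in the RpmcLib.h hunk the `RequestMonotonicCounter` comment block is stale after the v4 change: it still says "from the designated RPMC counter" although `CounterId` was removed and the call now takes only `OUT UINT32 *CounterValue`, and its `EFI_DEVICE_ERROR` line reads "while attempting to update the counter", copied from `IncrementMonotonicCounter` although this call only reads. Suggest "Reads the current value of the platform RPMC counter." and "A device error occurred while attempting to read the counter.", and document the behaviour for a NULL `CounterValue` (an `EFI_INVALID_PARAMETER` retval). The file also ends without a trailing newline ("\ No newline at end of file").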
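Review bot: in the VariableKeyLib.h hunk, `GetVariableRootKey` hands back the key through `OUT VOID **VariableRootKey`, but the comment does not say who owns that buffer, whether the caller may modify or must zero it, or what `IN OUT UINTN *VariableRootKeySize` carries on input (no `EFI_BUFFER_TOO_SMALL` is listed, so the double pointer suggests a library-owned buffer; state that explicitly). The `LockKeyInterface` description says "Locks the regenerate key interface", yet `GetVariableRootKey` also documents `EFI_ACCESS_DENIED` after locking, so the text should say the lock closes both retrieval and regeneration. `RegenerateKey` and `LockKeyInterface` carry no library prefix; `RegenerateVariableKey` and `LockVariableKeyInterface` would avoid symbol clashes with other key libraries. This file also lacks a trailing newline.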
* Re: [EXTERNAL] [edk2-devel] [PATCH v4 1/3] SecurityPkg: add RpmcLib and VariableKeyLib public headers
From: Bret Barkelew @ 2020-03-24 17:44 UTC
To: devel@edk2.groups.io, jian.j.wang@intel.com
Cc: Jiewen Yao, Chao Zhang, Nishant C Mistry
Is there a reason this needs to be called "VariableKeyLib" rather than any other "KeyLib"? It seems general-purpose as an interface.
- Bret
________________________________
From: devel@edk2.groups.io <devel@edk2.groups.io> on behalf of Wang, Jian J via Groups.Io <jian.j.wang=intel.com@groups.io>
Sent: Monday, March 23, 2020 11:35:21 PM
To: devel@edk2.groups.io <devel@edk2.groups.io>
Cc: Jiewen Yao <jiewen.yao@intel.com>; Chao Zhang <chao.b.zhang@intel.com>; Nishant C Mistry <nishant.c.mistry@intel.com>
Subject: [EXTERNAL] [edk2-devel] [PATCH v4 1/3] SecurityPkg: add RpmcLib and VariableKeyLib public headers
> v4: remove CounterId which should not be exposed
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
RpmcLib.h and VariableKeyLib.h are header files required to access the RPMC device and key generator from the platform. They will be used to ensure the integrity and confidentiality of NV variables.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Nishant C Mistry <nishant.c.mistry@intel.com>
* Re: [EXTERNAL] [edk2-devel] [PATCH v4 1/3] SecurityPkg: add RpmcLib and VariableKeyLib public headers
From: Yao, Jiewen @ 2020-03-25 9:54 UTC
To: Bret Barkelew, devel@edk2.groups.io, Wang, Jian J
Cc: Zhang, Chao B, Mistry, Nishant C
Good point.
I think the original design limits the usage to the variable driver. As such, the API only gets a "variable root key".
A "platform root key" can derive the "variable root key" and some "other features' root key".
The tricky part is to regenerate the key when the variable is under attack. In that case, we want to only regenerate the "variable root key", instead of the "platform root key". That's why we want to introduce a variablekeylib module.
To make the API consistent, maybe we should rename GetVariableRootKey() to GetVariableKey(), RegenerateKey() to RegenerateVariableKey(), and LockKeyInterface() to LockVariableKeyInterface().
If we really want to create a generic platformkeylib module, then we need to add a key indicator. Such as:
EFI_STATUS
EFIAPI
GetPlatformKey (
  IN GUID *KeyIndicator,
  OUT VOID **PlatformKey,
  IN OUT UINTN *PlatformKeySize
  );
Then the variable driver can pass a GUID, and any other feature driver can pass another GUID.
Thank you
Yao Jiewen
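The key hierarchy Yao sketches above, as an added model that is not edk2 code: one platform root key, per-feature keys derived from it by a GUID key indicator (the proposed GetPlatformKey shape), a per-feature generation counter so that only the variable key is regenerated, and a lock after which both retrieval and regeneration fail the way the header's EFI_ACCESS_DENIED retvals describe. The HMAC-SHA256 derivation, the GUIDs and the root key value are assumptions constructed for this demo.

```python
"""Model of a platform root key with per-feature derived keys.

Added illustration of the design discussed in the thread; the KDF, the
GUIDs and the root key below are constructed for the demo, not edk2's.
"""
import hashlib
import hmac
import uuid

# Constructed feature indicators standing in for the GUIDs a caller would
# pass as KeyIndicator; a real platform defines its own.
VARIABLE_KEY_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
OTHER_FEATURE_GUID = uuid.UUID("66666666-7777-8888-9999-aaaaaaaaaaaa")


class AccessDenied(Exception):
    """Stands in for EFI_ACCESS_DENIED: the key interface has been locked."""


class PlatformKeyStore:
    def __init__(self, platform_root_key):
        # The platform root key never leaves this object and is never
        # regenerated; only keys derived from it are.
        self._root = platform_root_key
        self._generation = {}  # indicator GUID -> regeneration count
        self._locked = False

    def get_platform_key(self, indicator):
        """Derive the feature key for `indicator` (cf. GetPlatformKey)."""
        if self._locked:
            raise AccessDenied("key interface is locked")
        gen = self._generation.get(indicator, 0)
        # Bind the derived key to the feature GUID and its generation, so
        # regenerating one feature yields an unrelated key for that feature
        # only, without touching the root or any other feature's key.
        info = indicator.bytes + gen.to_bytes(4, "little")
        return hmac.new(self._root, info, hashlib.sha256).digest()

    def regenerate_key(self, indicator):
        """Invalidate one feature's key (cf. RegenerateKey), root untouched."""
        if self._locked:
            raise AccessDenied("key interface is locked")
        self._generation[indicator] = self._generation.get(indicator, 0) + 1

    def lock_key_interface(self):
        """After this, neither retrieval nor regeneration is possible."""
        self._locked = True


def demo():
    """Exercise the hierarchy and report the properties it should have."""
    store = PlatformKeyStore(platform_root_key=b"\x42" * 32)  # constructed
    var0 = store.get_platform_key(VARIABLE_KEY_GUID)
    other0 = store.get_platform_key(OTHER_FEATURE_GUID)

    # Variable storage is suspected compromised: rekey only the variable key.
    store.regenerate_key(VARIABLE_KEY_GUID)
    var1 = store.get_platform_key(VARIABLE_KEY_GUID)
    other1 = store.get_platform_key(OTHER_FEATURE_GUID)

    # Lock before handing control to less trusted code; both paths now fail.
    store.lock_key_interface()
    try:
        store.regenerate_key(VARIABLE_KEY_GUID)
        regenerate_denied = False
    except AccessDenied:
        regenerate_denied = True
    try:
        store.get_platform_key(VARIABLE_KEY_GUID)
        get_denied = False
    except AccessDenied:
        get_denied = True

    return {
        "variable_key_changed": var0 != var1,
        "other_key_unchanged": other0 == other1,
        "keys_distinct": var0 != other0,
        "regenerate_denied_after_lock": regenerate_denied,
        "get_denied_after_lock": get_denied,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```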
* Re: [EXTERNAL] [edk2-devel] [PATCH v4 1/3] SecurityPkg: add RpmcLib and VariableKeyLib public headers
From: Wang, Jian J @ 2020-03-26 7:41 UTC
To: Yao, Jiewen, Bret Barkelew, devel@edk2.groups.io
Cc: Zhang, Chao B, Mistry, Nishant C
I agree to change the function name to be more specific to avoid confusion, since this lib is intended to be used for the variable service only. I'll send v5 soon.
Regards,
Jian
* [PATCH v4 2/3] SecurityPkg: add null version of RpmcLib
2020-03-24 6:35 [PATCH v4 0/3] Add RpmcLib and VariableKeyLib Wang, Jian J
2020-03-24 6:35 ` [PATCH v4 1/3] SecurityPkg: add RpmcLib and VariableKeyLib public headers Wang, Jian J
@ 2020-03-24 6:35 ` Wang, Jian J
2020-03-24 6:35 ` [PATCH v4 3/3] SecurityPkg: add null version of VariableKeyLib Wang, Jian J
2 siblings, 0 replies; 7+ messages in thread
From: Wang, Jian J @ 2020-03-24 6:35 UTC (permalink / raw)
To: devel; +Cc: Jiewen Yao, Chao Zhang, Nishant C Mistry
> v4: remove CounterId which should not be exposed
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
Add null version of RpmcLib instance. The full version should be provided by a platform which supports an RPMC device.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Nishant C Mistry <nishant.c.mistry@intel.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
---
SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c | 47 +++++++++++++++++++
.../Library/RpmcLibNull/RpmcLibNull.inf | 33 +++++++++++++
SecurityPkg/SecurityPkg.dsc | 6 +++
3 files changed, 86 insertions(+)
create mode 100644 SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c
create mode 100644 SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf
diff --git a/SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c b/SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c new file mode 100644 index 0000000000..e1dd09eb10 --- /dev/null +++ b/SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c
@@ -0,0 +1,47 @@ +/** @file + NULL RpmcLib instance for build purpose. + +Copyright (c) 2020, Intel Corporation. All rights reserved.<BR> +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include <Library/DebugLib.h> +#include <Library/RpmcLib.h> + +/** + Requests the monotonic counter from the designated RPMC counter. + + @param[out] CounterValue A pointer to a buffer to store the RPMC value. + + @retval EFI_SUCCESS The operation completed successfully. + @retval EFI_DEVICE_ERROR A device error occurred while attempting to update the counter. + @retval EFI_UNSUPPORTED The operation is un-supported. +**/ +EFI_STATUS +EFIAPI +RequestMonotonicCounter ( + OUT UINT32 *CounterValue + ) +{ + ASSERT (FALSE); + return EFI_UNSUPPORTED; +} + +/** + Increments the monotonic counter in the SPI flash device by 1. + + @retval EFI_SUCCESS The operation completed successfully. + @retval EFI_DEVICE_ERROR A device error occurred while attempting to update the counter. + @retval EFI_UNSUPPORTED The operation is un-supported. +**/ +EFI_STATUS +EFIAPI +IncrementMonotonicCounter ( + VOID + ) +{ + ASSERT (FALSE); + return EFI_UNSUPPORTED; +} + diff --git a/SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf b/SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf new file mode 100644 index 0000000000..500edfa87d --- /dev/null +++ b/SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf 
@@ -0,0 +1,33 @@ +## @file +# Provides Null version of RpmcLib for build purpose. +# +# Copyright (c) 2020, Intel Corporation. All rights reserved.<BR> +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x00010029 + BASE_NAME = RpmcLibNull + FILE_GUID = FAE0BA22-92E2-4334-8F0F-96AFF9BAE360 + MODULE_TYPE = BASE + VERSION_STRING = 1.0 + LIBRARY_CLASS = RpmcLib + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 Arm AArch64 +# + +[Sources] + RpmcLibNull.c + +[Packages] + MdePkg/MdePkg.dec + SecurityPkg/SecurityPkg.dec + +[LibraryClasses] + BaseLib + DebugLib + diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index a2eeadda7a..97e0e7ed6e 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc @@ -64,6 +64,7 @@ TcgStorageCoreLib|SecurityPkg/Library/TcgStorageCoreLib/TcgStorageCoreLib.inf TcgStorageOpalLib|SecurityPkg/Library/TcgStorageOpalLib/TcgStorageOpalLib.inf ResetSystemLib|MdeModulePkg/Library/BaseResetSystemLibNull/BaseResetSystemLibNull.inf + RpmcLib|SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf [LibraryClasses.ARM] # @@ -217,6 +218,11 @@ SecurityPkg/Library/TcgStorageCoreLib/TcgStorageCoreLib.inf SecurityPkg/Library/TcgStorageOpalLib/TcgStorageOpalLib.inf + # + # Variable Confidentiality & Integrity + # + SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf + # # Other # -- 2.24.0.windows.2 ^ permalink raw reply related [flat|nested] 7+ messages in thread
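Review bot: the doc comment on RequestMonotonicCounter in the RpmcLibNull.c hunk still says "from the designated RPMC counter", which only made sense while a CounterId selected the counter; with CounterId removed in v4 the sentence should just describe the counter the library backs. In the same comment the EFI_DEVICE_ERROR line reads "while attempting to update the counter", copied from IncrementMonotonicCounter; a read should say "read the counter". Also "un-supported" should be "unsupported" in both functions, and the file header "NULL RpmcLib instance for build purpose." would benefit from the explicit "Don't use it in real product." that VariableKeyLibNull.c carries: in a RELEASE build the `ASSERT (FALSE)` is compiled out, so a platform that links this instance by mistake gets a quiet EFI_UNSUPPORTED instead of a rollback-protected counter, and the warning is the only place a reader is told that.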
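Review bot: RpmcLibNull.inf lists BaseLib under [LibraryClasses], but RpmcLibNull.c includes only DebugLib.h and RpmcLib.h and calls nothing from BaseLib; dropping BaseLib keeps the dependency list accurate. The VariableKeyLibNull.inf hunk in patch 3/3 has the same unused BaseLib entry.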
* [PATCH v4 3/3] SecurityPkg: add null version of VariableKeyLib
2020-03-24 6:35 [PATCH v4 0/3] Add RpmcLib and VariableKeyLib Wang, Jian J
2020-03-24 6:35 ` [PATCH v4 1/3] SecurityPkg: add RpmcLib and VariableKeyLib public headers Wang, Jian J
2020-03-24 6:35 ` [PATCH v4 2/3] SecurityPkg: add null version of RpmcLib Wang, Jian J
@ 2020-03-24 6:35 ` Wang, Jian J
2 siblings, 0 replies; 7+ messages in thread
From: Wang, Jian J @ 2020-03-24 6:35 UTC (permalink / raw)
To: devel; +Cc: Jiewen Yao, Chao Zhang, Nishant C Mistry
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
Add null version of VariableKeyLib instance. The full version should be provided by platforms which support a key generator.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Nishant C Mistry <nishant.c.mistry@intel.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
---
.../VariableKeyLibNull/VariableKeyLibNull.c | 67 +++++++++++++++++++
.../VariableKeyLibNull/VariableKeyLibNull.inf | 33 +++++++++
SecurityPkg/SecurityPkg.dsc | 2 +
3 files changed, 102 insertions(+)
create mode 100644 SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c
create mode 100644 SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf
diff --git a/SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c b/SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c new file mode 100644 index 0000000000..2ef6a68ea0 --- /dev/null +++ b/SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c
@@ -0,0 +1,67 @@ +/** @file + Null version of VariableKeyLib for build purpose. Don't use it in real product. + +Copyright (c) 2020, Intel Corporation. All rights reserved.<BR> +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ +#include <Library/DebugLib.h> +#include <Library/VariableKeyLib.h> + +/** + Retrieves the variable root key. + + @param[out] VariableRootKey A pointer to pointer for the variable root key buffer. + @param[in,out] VariableRootKeySize The size in bytes of the variable root key. + + @retval EFI_SUCCESS The variable root key was returned. + @retval EFI_DEVICE_ERROR An error occurred while attempting to get the variable root key. + @retval EFI_ACCESS_DENIED The function was invoked after locking the key interface. + @retval EFI_UNSUPPORTED The variable root key is not supported in the current boot configuration. +**/ +EFI_STATUS +EFIAPI +GetVariableRootKey ( + OUT VOID **VariableRootKey, + IN OUT UINTN *VariableRootKeySize + ) +{ + ASSERT (FALSE); + return EFI_UNSUPPORTED; +} + +/** + Regenerates the variable root key. + + @retval EFI_SUCCESS The variable root key was regenerated successfully. + @retval EFI_DEVICE_ERROR An error occurred while attempting to regenerate the root key. + @retval EFI_ACCESS_DENIED The function was invoked after locking the key interface. + @retval EFI_UNSUPPORTED Key regeneration is not supported in the current boot configuration. +**/ +EFI_STATUS +EFIAPI +RegenerateKey ( + VOID + ) +{ + ASSERT (FALSE); + return EFI_UNSUPPORTED; +} + +/** + Locks the regenerate key interface. + + @retval EFI_SUCCESS The key interface was locked successfully. + @retval EFI_UNSUPPORTED Locking the key interface is not supported in the current boot configuration. + @retval Others An error occurred while attempting to lock the key interface. +**/ +EFI_STATUS +EFIAPI +LockKeyInterface ( + VOID + ) +{ + ASSERT (FALSE); + return EFI_UNSUPPORTED; +} + 
diff --git a/SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf b/SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf new file mode 100644 index 0000000000..ea74e38cf9 --- /dev/null +++ b/SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf @@ -0,0 +1,33 @@ +## @file +# Provides Null version of VariableKeyLib for build only. +# +# Copyright (c) 2020, Intel Corporation. All rights reserved.<BR> +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION = 0x00010029 + BASE_NAME = VariableKeyLibNull + FILE_GUID = 2B640ED8-1E6A-4516-9F1D-25910E59BC4A + MODULE_TYPE = BASE + VERSION_STRING = 1.0 + LIBRARY_CLASS = VariableKeyLib + +# +# The following information is for reference only and not required by the build tools. +# +# VALID_ARCHITECTURES = IA32 X64 Arm AArch64 +# + +[Sources] + VariableKeyLibNull.c + +[Packages] + MdePkg/MdePkg.dec + SecurityPkg/SecurityPkg.dec + +[LibraryClasses] + BaseLib + DebugLib + diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc index 97e0e7ed6e..4b85f77b02 100644 --- a/SecurityPkg/SecurityPkg.dsc +++ b/SecurityPkg/SecurityPkg.dsc @@ -64,6 +64,7 @@ TcgStorageCoreLib|SecurityPkg/Library/TcgStorageCoreLib/TcgStorageCoreLib.inf TcgStorageOpalLib|SecurityPkg/Library/TcgStorageOpalLib/TcgStorageOpalLib.inf ResetSystemLib|MdeModulePkg/Library/BaseResetSystemLibNull/BaseResetSystemLibNull.inf + VariableKeyLib|SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf RpmcLib|SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf [LibraryClasses.ARM] @@ -221,6 +222,7 @@ # # Variable Confidentiality & Integrity # + SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf # -- 2.24.0.windows.2 ^ permalink raw reply related [flat|nested] 7+ messages in thread
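Review bot: in the VariableKeyLibNull.c hunk, GetVariableRootKey returns EFI_UNSUPPORTED without touching `*VariableRootKey` or `*VariableRootKeySize`. Null instances usually leave outputs alone, but since this is the path a mis-linked RELEASE build takes once `ASSERT (FALSE)` is compiled out, setting `*VariableRootKey = NULL` and `*VariableRootKeySize = 0` before returning is cheap insurance against a caller that checks the pointer rather than the status and then treats uninitialised memory as a root key. Style nits in the same file: the other two Null sources put a blank line between the closing `**/` of the file header and the first `#include`, this one does not, and the file ends with a trailing blank line.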
end of thread, other threads:[~2020-03-26 7:41 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page --
2020-03-24 6:35 [PATCH v4 0/3] Add RpmcLib and VariableKeyLib Wang, Jian J
2020-03-24 6:35 ` [PATCH v4 1/3] SecurityPkg: add RpmcLib and VariableKeyLib public headers Wang, Jian J
2020-03-24 17:44 ` [EXTERNAL] [edk2-devel] " Bret Barkelew
2020-03-25 9:54 ` Yao, Jiewen
2020-03-26 7:41 ` Wang, Jian J
2020-03-24 6:35 ` [PATCH v4 2/3] SecurityPkg: add null version of RpmcLib Wang, Jian J
2020-03-24 6:35 ` [PATCH v4 3/3] SecurityPkg: add null version of VariableKeyLib Wang, Jian J