From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pg1-f174.google.com (mail-pg1-f174.google.com [209.85.215.174]) by mx.groups.io with SMTP id smtpd.web10.1705.1592894576926750000 for ; Mon, 22 Jun 2020 23:42:57 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@corthon-com.20150623.gappssmtp.com header.s=20150623 header.b=nZN7lc9k; spf=none, err=permanent DNS error (domain: corthon.com, ip: 209.85.215.174, mailfrom: bret@corthon.com) Received: by mail-pg1-f174.google.com with SMTP id e18so9422135pgn.7 for ; Mon, 22 Jun 2020 23:42:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=corthon-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=JvKWWbpOyHgmFHBl6oYYQVfCYyJ8HADcIoVhLEu2ULA=; b=nZN7lc9kAdykXZisxWgoj1yrgR/z5bFabPV1d1NPSFiYhHStWKqf9QQEJr3cTaDISr CQzpZ0bvGw4V9cN7bNhfoulxJ5OyfJKAPJjdrGyOZ3MItLbrraPE2Ls/oS4rVXNHDMP3 fvqQU8/KGFwg/DIHTS+qi1b1LnUK21+8NyLYo0rMMtmAXruMh1E3bKMgwnismsS/pJg+ 1oXsu5jDP5IH5TFVmktLhpHeVkef8QEnj6huMcVI8pGWuuchdYK1kpPBhPjsznr9NvWM rx0ryv4Of7iNbqccGt5+K1uGZgl8xXd4kp4N97+Ra+idfVyFah1m+bK0tkXqo5sxWL6N sBDA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=JvKWWbpOyHgmFHBl6oYYQVfCYyJ8HADcIoVhLEu2ULA=; b=kVo7yhJFlnqtvDy+tdi1kOZB6uJmG1T+fGDc9dpAmQwvNRXsmduOeZswh2C5nuoGV7 IvuPJZ7WhZ+A29dbYzpv7JPDu12qRZ8h+6ThtY5RGriQa5UUxCqPSHm4ULzvFZLi0L3d ToHfX/klCcx2NaVS0R4JelO7rwve98QLt7NG7wa71dTq1CsN/GV76nmdrK5vFweSMxxz wop5qpplXnK3DUBHOioZzen89m/JC3Vsoo9WjVtQHKZr0DaZxm1gM0zQgPG0FcdNoNfq qO82AaPZdkSusLp2KtCJR09OIAQwYV/uGDJmP99bgSpBMcKsyVOojlrILvcTJYeo8RzH S03w== X-Gm-Message-State: AOAM5339nM61YreT3xak/wpotpwpN6fTYDclf2aAq1anLdEaaPlwDV2t IGpYz6XMZegfXJbjaQOi2mmvnOMtUqxHFg== X-Google-Smtp-Source: ABdhPJzFnYQoIbQ8ysOpH3GTZmGC4EGLcVSJWjOt4um2eeZ9SqejPpXBLmKE0KjtNGM6w+GT+ttfdw== X-Received: by 2002:a63:145f:: with SMTP id 31mr16259412pgu.383.1592894576260; Mon, 22 Jun 2020 23:42:56 -0700 (PDT) Return-Path: Received: from localhost.localdomain (174-21-80-75.tukw.qwest.net. [174.21.80.75]) by smtp.gmail.com with ESMTPSA id d6sm1383818pjh.5.2020.06.22.23.42.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 22 Jun 2020 23:42:55 -0700 (PDT) From: "Bret Barkelew" X-Google-Original-From: Bret Barkelew To: devel@edk2.groups.io Cc: Jian J Wang , Hao A Wu , Liming Gao Subject: [PATCH v6 01/14] MdeModulePkg: Define the VariablePolicy protocol interface Date: Mon, 22 Jun 2020 23:40:51 -0700 Message-Id: <20200623064104.1908-2-brbarkel@microsoft.com> X-Mailer: git-send-email 2.26.2.windows.1.8.g01c50adf56.20200515075929 In-Reply-To: <20200623064104.1908-1-brbarkel@microsoft.com> References: <20200623064104.1908-1-brbarkel@microsoft.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable https://bugzilla.tianocore.org/show_bug.cgi?id=3D2522 VariablePolicy is an updated interface to replace VarLock and VarCheckProtocol. Add the VariablePolicy protocol interface header and add to the MdeModulePkg.dec file. Cc: Jian J Wang Cc: Hao A Wu Cc: Liming Gao Cc: Bret Barkelew Signed-off-by: Bret Barkelew --- MdeModulePkg/Include/Protocol/VariablePolicy.h | 157 ++++++++++++++++++++ MdeModulePkg/MdeModulePkg.dec | 14 +- MdeModulePkg/MdeModulePkg.uni | 7 + 3 files changed, 177 insertions(+), 1 deletion(-) diff --git a/MdeModulePkg/Include/Protocol/VariablePolicy.h b/MdeModulePkg/= Include/Protocol/VariablePolicy.h new file mode 100644 index 000000000000..8226c187a77b --- /dev/null +++ b/MdeModulePkg/Include/Protocol/VariablePolicy.h @@ -0,0 +1,157 @@ +/** @file -- VariablePolicy.h=0D +=0D +This protocol allows communication with Variable Policy Engine.=0D +=0D +Copyright (c) Microsoft Corporation.=0D +SPDX-License-Identifier: BSD-2-Clause-Patent=0D +**/=0D +=0D +#ifndef __EDKII_VARIABLE_POLICY_PROTOCOL__=0D +#define __EDKII_VARIABLE_POLICY_PROTOCOL__=0D +=0D +#define EDKII_VARIABLE_POLICY_PROTOCOL_REVISION 0x0000000000010000=0D +=0D +#define EDKII_VARIABLE_POLICY_PROTOCOL_GUID \=0D + { \=0D + 0x81D1675C, 0x86F6, 0x48DF, { 0xBD, 0x95, 0x9A, 0x6E, 0x4F, 0x09, 0x25= , 0xC3 } \=0D + }=0D +=0D +#define VARIABLE_POLICY_ENTRY_REVISION 0x00010000=0D +=0D +#pragma pack(push, 1)=0D +typedef struct {=0D + UINT32 Version;=0D + UINT16 Size;=0D + UINT16 OffsetToName;=0D + EFI_GUID Namespace;=0D + UINT32 MinSize;=0D + UINT32 MaxSize;=0D + UINT32 AttributesMustHave;=0D + UINT32 AttributesCantHave;=0D + UINT8 LockPolicyType;=0D + UINT8 Padding[3];=0D + // UINT8 LockPolicy[]; // Variable Length Field=0D + // CHAR16 Name[] // Variable Length Field=0D +} VARIABLE_POLICY_ENTRY;=0D +=0D +#define VARIABLE_POLICY_NO_MIN_SIZE 0=0D +#define VARIABLE_POLICY_NO_MAX_SIZE MAX_UINT32=0D +#define VARIABLE_POLICY_NO_MUST_ATTR 0=0D +#define VARIABLE_POLICY_NO_CANT_ATTR 0=0D +=0D +#define VARIABLE_POLICY_TYPE_NO_LOCK 0=0D +#define VARIABLE_POLICY_TYPE_LOCK_NOW 1=0D +#define VARIABLE_POLICY_TYPE_LOCK_ON_CREATE 2=0D +#define VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE 3=0D +=0D +typedef struct {=0D + EFI_GUID Namespace;=0D + UINT8 Value;=0D + UINT8 Padding;=0D + // CHAR16 Name[]; // Variable Length Field=0D +} VARIABLE_LOCK_ON_VAR_STATE_POLICY;=0D +#pragma pack(pop)=0D +=0D +/**=0D + This API function disables the variable policy enforcement. If it's=0D + already been called once, will return EFI_ALREADY_STARTED.=0D +=0D + @retval EFI_SUCCESS=0D + @retval EFI_ALREADY_STARTED Has already been called once this boot= .=0D + @retval EFI_WRITE_PROTECTED Interface has been locked until reboot= .=0D + @retval EFI_WRITE_PROTECTED Interface option is disabled by platfo= rm PCD.=0D +=0D +**/=0D +typedef=0D +EFI_STATUS=0D +(EFIAPI *DISABLE_VARIABLE_POLICY)(=0D + VOID=0D + );=0D +=0D +/**=0D + This API function returns whether or not the policy engine is=0D + currently being enforced.=0D +=0D + @param[out] State Pointer to a return value for whether the poli= cy enforcement=0D + is currently enabled.=0D +=0D + @retval EFI_SUCCESS=0D + @retval Others An error has prevented this command from compl= eting.=0D +=0D +**/=0D +typedef=0D +EFI_STATUS=0D +(EFIAPI *IS_VARIABLE_POLICY_ENABLED)(=0D + OUT BOOLEAN *State=0D + );=0D +=0D +/**=0D + This API function validates and registers a new policy with=0D + the policy enforcement engine.=0D +=0D + @param[in] NewPolicy Pointer to the incoming policy structure.=0D +=0D + @retval EFI_SUCCESS=0D + @retval EFI_INVALID_PARAMETER NewPolicy is NULL or is internally i= nconsistent.=0D + @retval EFI_ALREADY_STARTED An identical matching policy already= exists.=0D + @retval EFI_WRITE_PROTECTED The interface has been locked until = the next reboot.=0D + @retval EFI_ABORTED A calculation error has prevented th= is function from completing.=0D + @retval EFI_OUT_OF_RESOURCES Cannot grow the table to hold any mo= re policies.=0D +=0D +**/=0D +typedef=0D +EFI_STATUS=0D +(EFIAPI *REGISTER_VARIABLE_POLICY)(=0D + IN CONST VARIABLE_POLICY_ENTRY *PolicyEntry=0D + );=0D +=0D +/**=0D + This API function will dump the entire contents of the variable policy t= able.=0D +=0D + Similar to GetVariable, the first call can be made with a 0 size and it = will return=0D + the size of the buffer required to hold the entire table.=0D +=0D + @param[out] Policy Pointer to the policy buffer. Can be NULL if Siz= e is 0.=0D + @param[in,out] Size On input, the size of the output buffer. On outp= ut, the size=0D + of the data returned.=0D +=0D + @retval EFI_SUCCESS Policy data is in the output buffer = and Size has been updated.=0D + @retval EFI_INVALID_PARAMETER Size is NULL, or Size is non-zero an= d Policy is NULL.=0D + @retval EFI_BUFFER_TOO_SMALL Size is insufficient to hold policy.= Size updated with required size.=0D +=0D +**/=0D +typedef=0D +EFI_STATUS=0D +(EFIAPI *DUMP_VARIABLE_POLICY)(=0D + IN OUT UINT8 *Policy,=0D + IN OUT UINT32 *Size=0D + );=0D +=0D +/**=0D + This API function locks the interface so that no more policy updates=0D + can be performed or changes made to the enforcement until the next boot.= =0D +=0D + @retval EFI_SUCCESS=0D + @retval Others An error has prevented this command from compl= eting.=0D +=0D +**/=0D +typedef=0D +EFI_STATUS=0D +(EFIAPI *LOCK_VARIABLE_POLICY)(=0D + VOID=0D + );=0D +=0D +typedef struct {=0D + UINT64 Revision;=0D + DISABLE_VARIABLE_POLICY DisableVariablePolicy;=0D + IS_VARIABLE_POLICY_ENABLED IsVariablePolicyEnabled;=0D + REGISTER_VARIABLE_POLICY RegisterVariablePolicy;=0D + DUMP_VARIABLE_POLICY DumpVariablePolicy;=0D + LOCK_VARIABLE_POLICY LockVariablePolicy;=0D +} _EDKII_VARIABLE_POLICY_PROTOCOL;=0D +=0D +typedef _EDKII_VARIABLE_POLICY_PROTOCOL EDKII_VARIABLE_POLICY_PROTOCOL;=0D +=0D +extern EFI_GUID gEdkiiVariablePolicyProtocolGuid;=0D +=0D +#endif=0D diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec index 843e963ad34b..05d8ad4931f9 100644 --- a/MdeModulePkg/MdeModulePkg.dec +++ b/MdeModulePkg/MdeModulePkg.dec @@ -8,7 +8,7 @@ # Copyright (c) 2016, Linaro Ltd. All rights reserved.
=0D # (C) Copyright 2016 - 2019 Hewlett Packard Enterprise Development LP
= =0D # Copyright (c) 2017, AMD Incorporated. All rights reserved.
=0D -# Copyright (c) 2016, Microsoft Corporation
=0D +# Copyright (c) Microsoft Corporation.
=0D # SPDX-License-Identifier: BSD-2-Clause-Patent=0D #=0D ##=0D @@ -624,6 +624,9 @@ [Protocols] # 0x80000006 | Incorrect error code provided.=0D #=0D =0D + ## Include/Protocol/VariablePolicy.h=0D + gEdkiiVariablePolicyProtocolGuid =3D { 0x81D1675C, 0x86F6, 0x48DF, { 0xB= D, 0x95, 0x9A, 0x6E, 0x4F, 0x09, 0x25, 0xC3 } }=0D +=0D [PcdsFeatureFlag]=0D ## Indicates if the platform can support update capsule across a system = reset.

=0D # TRUE - Supports update capsule across a system reset.
=0D @@ -1116,6 +1119,15 @@ [PcdsFixedAtBuild, PcdsPatchableInModule] # @Prompt Variable storage size.=0D gEfiMdeModulePkgTokenSpaceGuid.PcdVariableStoreSize|0x10000|UINT32|0x300= 00005=0D =0D + ## Toggle for whether the VariablePolicy engine should allow disabling.= =0D + # The engine is enabled at power-on, but the interface allows the platfo= rm to=0D + # disable enforcement for servicing flexibility. If this PCD is disabled= , it will block the ability to=0D + # disable the enforcement and VariablePolicy enforcement will always be = ON.=0D + # TRUE - VariablePolicy can be disabled by request through the interfa= ce (until interface is locked)=0D + # FALSE - VariablePolicy interface will not accept requests to disable= and is ALWAYS ON=0D + # @Prompt Allow VariablePolicy enforcement to be disabled.=0D + gEfiMdeModulePkgTokenSpaceGuid.PcdAllowVariablePolicyEnforcementDisable|= FALSE|BOOLEAN|0x30000020=0D +=0D ## FFS filename to find the ACPI tables.=0D # @Prompt FFS name of ACPI tables storage.=0D gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiTableStorageFile|{ 0x25, 0x4e, 0x3= 7, 0x7e, 0x01, 0x8e, 0xee, 0x4f, 0x87, 0xf2, 0x39, 0xc, 0x23, 0xc6, 0x6, 0x= cd }|VOID*|0x30000016=0D diff --git a/MdeModulePkg/MdeModulePkg.uni b/MdeModulePkg/MdeModulePkg.uni index 2007e0596c4f..b64e7f351cda 100644 --- a/MdeModulePkg/MdeModulePkg.uni +++ b/MdeModulePkg/MdeModulePkg.uni @@ -129,6 +129,13 @@ =0D #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdVariableStoreSize_HELP #lan= guage en-US "The size of volatile buffer. This buffer is used to store VOLA= TILE attribute variables."=0D =0D +#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAllowVariablePolicyEnforceme= ntDisable_PROMPT #language en-US "Allow VariablePolicy enforcement to be d= isabled."=0D +=0D +#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAllowVariablePolicyEnforceme= ntDisable_HELP #language en-US "If this PCD is disabled, it will block the= ability to
\n"=0D + = "disable the enforcement and VariablePolicy= enforcement will always be ON.
\n"=0D + = "TRUE - VariablePolicy can be disabled by r= equest through the interface (until interface is locked)
\n"=0D + = "FALSE - VariablePolicy interface will not = accept requests to disable and is ALWAYS ON
\n"=0D +=0D #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiTableStorageFile_PROMPT = #language en-US "FFS name of ACPI tables storage"=0D =0D #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiTableStorageFile_HELP #= language en-US "FFS filename to find the ACPI tables."=0D --=20 2.26.2.windows.1.8.g01c50adf56.20200515075929