From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pj1-f45.google.com (mail-pj1-f45.google.com [209.85.216.45]) by mx.groups.io with SMTP id smtpd.web12.37087.1598593903737073436 for ; Thu, 27 Aug 2020 22:51:43 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@corthon-com.20150623.gappssmtp.com header.s=20150623 header.b=Mo2KL9vA; spf=none, err=permanent DNS error (domain: corthon.com, ip: 209.85.216.45, mailfrom: bret@corthon.com) Received: by mail-pj1-f45.google.com with SMTP id q93so95195pjq.0 for ; Thu, 27 Aug 2020 22:51:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=corthon-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=mx7fOWrAVzO3TFvBoYoaKJ4TtZYXypLzuiHDWCDgs4Q=; b=Mo2KL9vA5GcNXlGyQGuSy9JMa/+IlWvvTHod4K9ttrLzQNNFx3DJ5Kvn60PdvnjOVI a8CkHz5gku6k47tffYllxrkLrOB78wxxqY+ypayr5rtTMeQtU594+S8kzF1kXvw3A7+U ZRaM567q6Tg5XpyU0gytZEybCtDU1BbQ2QFOd3blTtNQW2SCYGA0ulEBa6IByMF7nNkz 2H9Wn4FRidiwT6eWw8AvpEZMCPIW9gt1QMJQIO1mImBIc+0X3x9UEfVxDgTaIkg5CECg Ao+zGTj+tqEjF724e/iDcGpaXI+NkIUiXSqip9ewIGUKjwP8nXNo/B9DLSTe9VIAomlB nyYQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=mx7fOWrAVzO3TFvBoYoaKJ4TtZYXypLzuiHDWCDgs4Q=; b=sK5xmk23URk5o97KngWHhieQpuhA5KuslRYulqI9YMfiCynX0WGV+/fpg/tY4t4e5H Qy2dh70X8szOVrQWNfCUxoR29H4UfxL6X2+sfygYN1vntNLkGQFt6OHdU3g6NCo0aLqf hsG1uJwxQddU1nuVwN9OeZBEs9t/RX8K8wEU9pDOiE2k/mBKooQqUYrltGyu5sUTrXE9 vNg+YTUx5invorRArddaE7om54MVPx1eVoSrWRAZZV/xyZoV3z11DKADq9bESd8mPRWz dMKL7+iZ5hl29oehoQ9u3yPMG9RUnxcB40vm3HwIn0uFlyUzePx7gGgy+W1ZbW6BNuM0 w03A== X-Gm-Message-State: AOAM533oA7i+uNyCQvjTT06G3yCX1AHoHo5ID/kn1+1sT8xJmKuKBeTO kkXf/1sgLLPw8SytV1IIuUtyr+de1Wr+cB3T X-Google-Smtp-Source: ABdhPJyKdsLrjOEiSYWFE162piENdVo0dDhlTZJFC5tFQQmmMhzRf4WN7utXV2wjLRhJj+dIPijR/g== X-Received: by 2002:a17:90b:1b45:: with SMTP id nv5mr248011pjb.35.1598593902857; Thu, 27 Aug 2020 22:51:42 -0700 (PDT) Return-Path: Received: from localhost.localdomain (174-21-132-206.tukw.qwest.net. [174.21.132.206]) by smtp.gmail.com with ESMTPSA id fz19sm41802pjb.40.2020.08.27.22.51.41 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 27 Aug 2020 22:51:42 -0700 (PDT) From: "Bret Barkelew" X-Google-Original-From: Bret Barkelew To: devel@edk2.groups.io Cc: Jian J Wang , Hao A Wu , Liming Gao Subject: [PATCH v7 01/14] MdeModulePkg: Define the VariablePolicy protocol interface Date: Thu, 27 Aug 2020 22:51:14 -0700 Message-Id: <20200828055127.1610-2-brbarkel@microsoft.com> X-Mailer: git-send-email 2.28.0.windows.1 In-Reply-To: <20200828055127.1610-1-brbarkel@microsoft.com> References: <20200828055127.1610-1-brbarkel@microsoft.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable https://bugzilla.tianocore.org/show_bug.cgi?id=3D2522 VariablePolicy is an updated interface to replace VarLock and VarCheckProtocol. Add the VariablePolicy protocol interface header and add to the MdeModulePkg.dec file. Cc: Jian J Wang Cc: Hao A Wu Cc: Liming Gao Cc: Bret Barkelew Signed-off-by: Bret Barkelew --- MdeModulePkg/Include/Protocol/VariablePolicy.h | 157 ++++++++++++++++++++ MdeModulePkg/MdeModulePkg.dec | 14 +- MdeModulePkg/MdeModulePkg.uni | 7 + 3 files changed, 177 insertions(+), 1 deletion(-) diff --git a/MdeModulePkg/Include/Protocol/VariablePolicy.h b/MdeModulePkg/= Include/Protocol/VariablePolicy.h new file mode 100644 index 000000000000..8226c187a77b --- /dev/null +++ b/MdeModulePkg/Include/Protocol/VariablePolicy.h @@ -0,0 +1,157 @@ +/** @file -- VariablePolicy.h=0D +=0D +This protocol allows communication with Variable Policy Engine.=0D +=0D +Copyright (c) Microsoft Corporation.=0D +SPDX-License-Identifier: BSD-2-Clause-Patent=0D +**/=0D +=0D +#ifndef __EDKII_VARIABLE_POLICY_PROTOCOL__=0D +#define __EDKII_VARIABLE_POLICY_PROTOCOL__=0D +=0D +#define EDKII_VARIABLE_POLICY_PROTOCOL_REVISION 0x0000000000010000=0D +=0D +#define EDKII_VARIABLE_POLICY_PROTOCOL_GUID \=0D + { \=0D + 0x81D1675C, 0x86F6, 0x48DF, { 0xBD, 0x95, 0x9A, 0x6E, 0x4F, 0x09, 0x25= , 0xC3 } \=0D + }=0D +=0D +#define VARIABLE_POLICY_ENTRY_REVISION 0x00010000=0D +=0D +#pragma pack(push, 1)=0D +typedef struct {=0D + UINT32 Version;=0D + UINT16 Size;=0D + UINT16 OffsetToName;=0D + EFI_GUID Namespace;=0D + UINT32 MinSize;=0D + UINT32 MaxSize;=0D + UINT32 AttributesMustHave;=0D + UINT32 AttributesCantHave;=0D + UINT8 LockPolicyType;=0D + UINT8 Padding[3];=0D + // UINT8 LockPolicy[]; // Variable Length Field=0D + // CHAR16 Name[] // Variable Length Field=0D +} VARIABLE_POLICY_ENTRY;=0D +=0D +#define VARIABLE_POLICY_NO_MIN_SIZE 0=0D +#define VARIABLE_POLICY_NO_MAX_SIZE MAX_UINT32=0D +#define VARIABLE_POLICY_NO_MUST_ATTR 0=0D +#define VARIABLE_POLICY_NO_CANT_ATTR 0=0D +=0D +#define VARIABLE_POLICY_TYPE_NO_LOCK 0=0D +#define VARIABLE_POLICY_TYPE_LOCK_NOW 1=0D +#define VARIABLE_POLICY_TYPE_LOCK_ON_CREATE 2=0D +#define VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE 3=0D +=0D +typedef struct {=0D + EFI_GUID Namespace;=0D + UINT8 Value;=0D + UINT8 Padding;=0D + // CHAR16 Name[]; // Variable Length Field=0D +} VARIABLE_LOCK_ON_VAR_STATE_POLICY;=0D +#pragma pack(pop)=0D +=0D +/**=0D + This API function disables the variable policy enforcement. If it's=0D + already been called once, will return EFI_ALREADY_STARTED.=0D +=0D + @retval EFI_SUCCESS=0D + @retval EFI_ALREADY_STARTED Has already been called once this boot= .=0D + @retval EFI_WRITE_PROTECTED Interface has been locked until reboot= .=0D + @retval EFI_WRITE_PROTECTED Interface option is disabled by platfo= rm PCD.=0D +=0D +**/=0D +typedef=0D +EFI_STATUS=0D +(EFIAPI *DISABLE_VARIABLE_POLICY)(=0D + VOID=0D + );=0D +=0D +/**=0D + This API function returns whether or not the policy engine is=0D + currently being enforced.=0D +=0D + @param[out] State Pointer to a return value for whether the poli= cy enforcement=0D + is currently enabled.=0D +=0D + @retval EFI_SUCCESS=0D + @retval Others An error has prevented this command from compl= eting.=0D +=0D +**/=0D +typedef=0D +EFI_STATUS=0D +(EFIAPI *IS_VARIABLE_POLICY_ENABLED)(=0D + OUT BOOLEAN *State=0D + );=0D +=0D +/**=0D + This API function validates and registers a new policy with=0D + the policy enforcement engine.=0D +=0D + @param[in] NewPolicy Pointer to the incoming policy structure.=0D +=0D + @retval EFI_SUCCESS=0D + @retval EFI_INVALID_PARAMETER NewPolicy is NULL or is internally i= nconsistent.=0D + @retval EFI_ALREADY_STARTED An identical matching policy already= exists.=0D + @retval EFI_WRITE_PROTECTED The interface has been locked until = the next reboot.=0D + @retval EFI_ABORTED A calculation error has prevented th= is function from completing.=0D + @retval EFI_OUT_OF_RESOURCES Cannot grow the table to hold any mo= re policies.=0D +=0D +**/=0D +typedef=0D +EFI_STATUS=0D +(EFIAPI *REGISTER_VARIABLE_POLICY)(=0D + IN CONST VARIABLE_POLICY_ENTRY *PolicyEntry=0D + );=0D +=0D +/**=0D + This API function will dump the entire contents of the variable policy t= able.=0D +=0D + Similar to GetVariable, the first call can be made with a 0 size and it = will return=0D + the size of the buffer required to hold the entire table.=0D +=0D + @param[out] Policy Pointer to the policy buffer. Can be NULL if Siz= e is 0.=0D + @param[in,out] Size On input, the size of the output buffer. On outp= ut, the size=0D + of the data returned.=0D +=0D + @retval EFI_SUCCESS Policy data is in the output buffer = and Size has been updated.=0D + @retval EFI_INVALID_PARAMETER Size is NULL, or Size is non-zero an= d Policy is NULL.=0D + @retval EFI_BUFFER_TOO_SMALL Size is insufficient to hold policy.= Size updated with required size.=0D +=0D +**/=0D +typedef=0D +EFI_STATUS=0D +(EFIAPI *DUMP_VARIABLE_POLICY)(=0D + IN OUT UINT8 *Policy,=0D + IN OUT UINT32 *Size=0D + );=0D +=0D +/**=0D + This API function locks the interface so that no more policy updates=0D + can be performed or changes made to the enforcement until the next boot.= =0D +=0D + @retval EFI_SUCCESS=0D + @retval Others An error has prevented this command from compl= eting.=0D +=0D +**/=0D +typedef=0D +EFI_STATUS=0D +(EFIAPI *LOCK_VARIABLE_POLICY)(=0D + VOID=0D + );=0D +=0D +typedef struct {=0D + UINT64 Revision;=0D + DISABLE_VARIABLE_POLICY DisableVariablePolicy;=0D + IS_VARIABLE_POLICY_ENABLED IsVariablePolicyEnabled;=0D + REGISTER_VARIABLE_POLICY RegisterVariablePolicy;=0D + DUMP_VARIABLE_POLICY DumpVariablePolicy;=0D + LOCK_VARIABLE_POLICY LockVariablePolicy;=0D +} _EDKII_VARIABLE_POLICY_PROTOCOL;=0D +=0D +typedef _EDKII_VARIABLE_POLICY_PROTOCOL EDKII_VARIABLE_POLICY_PROTOCOL;=0D +=0D +extern EFI_GUID gEdkiiVariablePolicyProtocolGuid;=0D +=0D +#endif=0D diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec index cb30a7975849..82aecc40d9a9 100644 --- a/MdeModulePkg/MdeModulePkg.dec +++ b/MdeModulePkg/MdeModulePkg.dec @@ -8,7 +8,7 @@ # Copyright (c) 2016, Linaro Ltd. All rights reserved.
=0D # (C) Copyright 2016 - 2019 Hewlett Packard Enterprise Development LP
= =0D # Copyright (c) 2017, AMD Incorporated. All rights reserved.
=0D -# Copyright (c) 2016, Microsoft Corporation
=0D +# Copyright (c) Microsoft Corporation.
=0D # SPDX-License-Identifier: BSD-2-Clause-Patent=0D #=0D ##=0D @@ -627,6 +627,9 @@ [Protocols] # 0x80000006 | Incorrect error code provided.=0D #=0D =0D + ## Include/Protocol/VariablePolicy.h=0D + gEdkiiVariablePolicyProtocolGuid =3D { 0x81D1675C, 0x86F6, 0x48DF, { 0xB= D, 0x95, 0x9A, 0x6E, 0x4F, 0x09, 0x25, 0xC3 } }=0D +=0D [PcdsFeatureFlag]=0D ## Indicates if the platform can support update capsule across a system = reset.

=0D # TRUE - Supports update capsule across a system reset.
=0D @@ -1119,6 +1122,15 @@ [PcdsFixedAtBuild, PcdsPatchableInModule] # @Prompt Variable storage size.=0D gEfiMdeModulePkgTokenSpaceGuid.PcdVariableStoreSize|0x10000|UINT32|0x300= 00005=0D =0D + ## Toggle for whether the VariablePolicy engine should allow disabling.= =0D + # The engine is enabled at power-on, but the interface allows the platfo= rm to=0D + # disable enforcement for servicing flexibility. If this PCD is disabled= , it will block the ability to=0D + # disable the enforcement and VariablePolicy enforcement will always be = ON.=0D + # TRUE - VariablePolicy can be disabled by request through the interfa= ce (until interface is locked)=0D + # FALSE - VariablePolicy interface will not accept requests to disable= and is ALWAYS ON=0D + # @Prompt Allow VariablePolicy enforcement to be disabled.=0D + gEfiMdeModulePkgTokenSpaceGuid.PcdAllowVariablePolicyEnforcementDisable|= FALSE|BOOLEAN|0x30000020=0D +=0D ## FFS filename to find the ACPI tables.=0D # @Prompt FFS name of ACPI tables storage.=0D gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiTableStorageFile|{ 0x25, 0x4e, 0x3= 7, 0x7e, 0x01, 0x8e, 0xee, 0x4f, 0x87, 0xf2, 0x39, 0xc, 0x23, 0xc6, 0x6, 0x= cd }|VOID*|0x30000016=0D diff --git a/MdeModulePkg/MdeModulePkg.uni b/MdeModulePkg/MdeModulePkg.uni index b8c867379a86..40884c57a460 100644 --- a/MdeModulePkg/MdeModulePkg.uni +++ b/MdeModulePkg/MdeModulePkg.uni @@ -129,6 +129,13 @@ =0D #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdVariableStoreSize_HELP #lan= guage en-US "The size of volatile buffer. This buffer is used to store VOLA= TILE attribute variables."=0D =0D +#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAllowVariablePolicyEnforceme= ntDisable_PROMPT #language en-US "Allow VariablePolicy enforcement to be d= isabled."=0D +=0D +#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAllowVariablePolicyEnforceme= ntDisable_HELP #language en-US "If this PCD is disabled, it will block the= ability to
\n"=0D + = "disable the enforcement and VariablePolicy= enforcement will always be ON.
\n"=0D + = "TRUE - VariablePolicy can be disabled by r= equest through the interface (until interface is locked)
\n"=0D + = "FALSE - VariablePolicy interface will not = accept requests to disable and is ALWAYS ON
\n"=0D +=0D #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiTableStorageFile_PROMPT = #language en-US "FFS name of ACPI tables storage"=0D =0D #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiTableStorageFile_HELP #= language en-US "FFS filename to find the ACPI tables."=0D --=20 2.28.0.windows.1