From: "Bret Barkelew" <bret@corthon.com>
To: devel@edk2.groups.io
Cc: Jian J Wang <jian.j.wang@intel.com>,
Hao A Wu <hao.a.wu@intel.com>, Liming Gao <liming.gao@intel.com>
Subject: [PATCH v7 04/14] MdeModulePkg: Define the VarCheckPolicyLib and SMM interface
Date: Thu, 27 Aug 2020 22:51:17 -0700 [thread overview]
Message-ID: <20200828055127.1610-5-brbarkel@microsoft.com> (raw)
In-Reply-To: <20200828055127.1610-1-brbarkel@microsoft.com>
https://bugzilla.tianocore.org/show_bug.cgi?id=2522
VariablePolicy is an updated interface to
replace VarLock and VarCheckProtocol.
This is an instance of a VarCheckLib that is backed by the
VariablePolicyLib business logic. It also publishes the SMM
calling interface for messages from the DXE protocol.
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Bret Barkelew <brbarkel@microsoft.com>
Signed-off-by: Bret Barkelew <brbarkel@microsoft.com>
---
MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c | 345 ++++++++++++++++++++
MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h | 54 +++
MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf | 42 +++
MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.uni | 12 +
MdeModulePkg/MdeModulePkg.dec | 4 +
MdeModulePkg/MdeModulePkg.dsc | 2 +
6 files changed, 459 insertions(+)
diff --git a/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c b/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c
new file mode 100644
index 000000000000..5a0a1599ab41
--- /dev/null
+++ b/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c
@@ -0,0 +1,345 @@
+/** @file -- VarCheckPolicyLib.c
+This is a NULL library instance that leverages the VarCheck interface
+and the business logic behind the VariablePolicy code to make its decisions.
+
+Copyright (c) Microsoft Corporation.
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Library/VarCheckLib.h>
+#include <Library/BaseLib.h>
+#include <Library/DebugLib.h>
+#include <Library/SafeIntLib.h>
+#include <Library/MmServicesTableLib.h>
+#include <Library/SmmMemLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/MemoryAllocationLib.h>
+
+#include <Protocol/MmCommunication.h>
+
+#include <Protocol/VariablePolicy.h>
+#include <Library/VariablePolicyLib.h>
+
+#include <Guid/VarCheckPolicyMmi.h>
+
+//================================================
+// As a VarCheck library, we're linked into the VariableServices
+// and may not be able to call them indirectly. To get around this,
+// use the internal GetVariable function to query the variable store.
+//================================================
+EFI_STATUS
+EFIAPI
+VariableServiceGetVariable (
+ IN CHAR16 *VariableName,
+ IN EFI_GUID *VendorGuid,
+ OUT UINT32 *Attributes OPTIONAL,
+ IN OUT UINTN *DataSize,
+ OUT VOID *Data
+ );
+
+
+UINT8 mSecurityEvalBuffer[VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE];
+
+
+/**
+ MM Communication Handler to recieve commands from the DXE protocol for
+ Variable Policies. This communication channel is used to register new policies
+ and poll and toggle the enforcement of variable policies.
+
+ @param[in] DispatchHandle All parameters standard to MM communications convention.
+ @param[in] RegisterContext All parameters standard to MM communications convention.
+ @param[in,out] CommBuffer All parameters standard to MM communications convention.
+ @param[in,out] CommBufferSize All parameters standard to MM communications convention.
+
+ @retval EFI_SUCCESS
+ @retval EFI_INVALID_PARAMETER CommBuffer or CommBufferSize is null pointer.
+ @retval EFI_INVALID_PARAMETER CommBuffer size is wrong.
+ @retval EFI_INVALID_PARAMETER Revision or signature don't match.
+
+**/
+STATIC
+EFI_STATUS
+EFIAPI
+VarCheckPolicyLibMmiHandler (
+ IN EFI_HANDLE DispatchHandle,
+ IN CONST VOID *RegisterContext,
+ IN OUT VOID *CommBuffer,
+ IN OUT UINTN *CommBufferSize
+ )
+{
+ UINTN InternalCommBufferSize;
+ VOID *InternalCommBuffer;
+ EFI_STATUS Status;
+ EFI_STATUS SubCommandStatus;
+ VAR_CHECK_POLICY_COMM_HEADER *PolicyCommmHeader;
+ VAR_CHECK_POLICY_COMM_HEADER *InternalPolicyCommmHeader;
+ VAR_CHECK_POLICY_COMM_IS_ENABLED_PARAMS *IsEnabledParams;
+ VAR_CHECK_POLICY_COMM_DUMP_PARAMS *DumpParamsIn;
+ VAR_CHECK_POLICY_COMM_DUMP_PARAMS *DumpParamsOut;
+ UINT8 *DumpInputBuffer;
+ UINT8 *DumpOutputBuffer;
+ UINTN DumpTotalPages;
+ VARIABLE_POLICY_ENTRY *PolicyEntry;
+ UINTN ExpectedSize;
+ UINT32 TempSize;
+ // Pagination Cache Variables
+ static UINT8 *PaginationCache = NULL;
+ static UINTN PaginationCacheSize = 0;
+ static UINT32 CurrentPaginationCommand = 0;
+
+ Status = EFI_SUCCESS;
+
+ //
+ // Validate some input parameters.
+ //
+ // If either of the pointers are NULL, we can't proceed.
+ if (CommBuffer == NULL || CommBufferSize == NULL) {
+ DEBUG(( DEBUG_INFO, "%a - Invalid comm buffer pointers!\n", __FUNCTION__ ));
+ return EFI_INVALID_PARAMETER;
+ }
+ // Make sure that the buffer does not overlap SMM.
+ // This should be covered by the SmiManage infrastructure, but just to be safe...
+ InternalCommBufferSize = *CommBufferSize;
+ if (InternalCommBufferSize > VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE || !SmmIsBufferOutsideSmmValid((UINTN)CommBuffer, (UINT64)InternalCommBufferSize)) {
+ DEBUG ((DEBUG_ERROR, "%a - Invalid CommBuffer supplied! 0x%016lX[0x%016lX]\n", __FUNCTION__, CommBuffer, InternalCommBufferSize));
+ return EFI_INVALID_PARAMETER;
+ }
+ // If the size does not meet a minimum threshold, we cannot proceed.
+ ExpectedSize = sizeof(VAR_CHECK_POLICY_COMM_HEADER);
+ if (InternalCommBufferSize < ExpectedSize) {
+ DEBUG(( DEBUG_INFO, "%a - Bad comm buffer size! %d < %d\n", __FUNCTION__, InternalCommBufferSize, ExpectedSize ));
+ return EFI_INVALID_PARAMETER;
+ }
+
+ //
+ // Before proceeding any further, copy the buffer internally so that we can compare
+ // without worrying about TOCTOU.
+ //
+ InternalCommBuffer = &mSecurityEvalBuffer[0];
+ CopyMem(InternalCommBuffer, CommBuffer, InternalCommBufferSize);
+ PolicyCommmHeader = CommBuffer;
+ InternalPolicyCommmHeader = InternalCommBuffer;
+ // Check the revision and the signature of the comm header.
+ if (InternalPolicyCommmHeader->Signature != VAR_CHECK_POLICY_COMM_SIG ||
+ InternalPolicyCommmHeader->Revision != VAR_CHECK_POLICY_COMM_REVISION) {
+ DEBUG(( DEBUG_INFO, "%a - Signature or revision are incorrect!\n", __FUNCTION__ ));
+ // We have verified the buffer is not null and have enough size to hold Result field.
+ PolicyCommmHeader->Result = EFI_INVALID_PARAMETER;
+ return EFI_SUCCESS;
+ }
+
+ // If we're in the middle of a paginated dump and any other command is sent,
+ // pagination cache must be cleared.
+ if (PaginationCache != NULL && InternalPolicyCommmHeader->Command != CurrentPaginationCommand) {
+ FreePool (PaginationCache);
+ PaginationCache = NULL;
+ PaginationCacheSize = 0;
+ CurrentPaginationCommand = 0;
+ }
+
+ //
+ // Now we can process the command as it was sent.
+ //
+ PolicyCommmHeader->Result = EFI_ABORTED; // Set a default return for incomplete commands.
+ switch(InternalPolicyCommmHeader->Command) {
+ case VAR_CHECK_POLICY_COMMAND_DISABLE:
+ PolicyCommmHeader->Result = DisableVariablePolicy();
+ break;
+
+ case VAR_CHECK_POLICY_COMMAND_IS_ENABLED:
+ // Make sure that we're dealing with a reasonable size.
+ // This add should be safe because these are fixed sizes so far.
+ ExpectedSize += sizeof(VAR_CHECK_POLICY_COMM_IS_ENABLED_PARAMS);
+ if (InternalCommBufferSize < ExpectedSize) {
+ DEBUG(( DEBUG_INFO, "%a - Bad comm buffer size! %d < %d\n", __FUNCTION__, InternalCommBufferSize, ExpectedSize ));
+ PolicyCommmHeader->Result = EFI_INVALID_PARAMETER;
+ break;
+ }
+
+ // Now that we know we've got a valid size, we can fill in the rest of the data.
+ IsEnabledParams = (VAR_CHECK_POLICY_COMM_IS_ENABLED_PARAMS*)((UINT8*)CommBuffer + sizeof(VAR_CHECK_POLICY_COMM_HEADER));
+ IsEnabledParams->State = IsVariablePolicyEnabled();
+ PolicyCommmHeader->Result = EFI_SUCCESS;
+ break;
+
+ case VAR_CHECK_POLICY_COMMAND_REGISTER:
+ // Make sure that we're dealing with a reasonable size.
+ // This add should be safe because these are fixed sizes so far.
+ ExpectedSize += sizeof(VARIABLE_POLICY_ENTRY);
+ if (InternalCommBufferSize < ExpectedSize) {
+ DEBUG(( DEBUG_INFO, "%a - Bad comm buffer size! %d < %d\n", __FUNCTION__, InternalCommBufferSize, ExpectedSize ));
+ PolicyCommmHeader->Result = EFI_INVALID_PARAMETER;
+ break;
+ }
+
+ // At the very least, we can assume that we're working with a valid policy entry.
+ // Time to compare its internal size.
+ PolicyEntry = (VARIABLE_POLICY_ENTRY*)((UINT8*)InternalCommBuffer + sizeof(VAR_CHECK_POLICY_COMM_HEADER));
+ if (PolicyEntry->Version != VARIABLE_POLICY_ENTRY_REVISION ||
+ PolicyEntry->Size < sizeof(VARIABLE_POLICY_ENTRY) ||
+ EFI_ERROR(SafeUintnAdd(sizeof(VAR_CHECK_POLICY_COMM_HEADER), PolicyEntry->Size, &ExpectedSize)) ||
+ InternalCommBufferSize < ExpectedSize) {
+ DEBUG(( DEBUG_INFO, "%a - Bad policy entry contents!\n", __FUNCTION__ ));
+ PolicyCommmHeader->Result = EFI_INVALID_PARAMETER;
+ break;
+ }
+
+ PolicyCommmHeader->Result = RegisterVariablePolicy( PolicyEntry );
+ break;
+
+ case VAR_CHECK_POLICY_COMMAND_DUMP:
+ // Make sure that we're dealing with a reasonable size.
+ // This add should be safe because these are fixed sizes so far.
+ ExpectedSize += sizeof(VAR_CHECK_POLICY_COMM_DUMP_PARAMS) + VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE;
+ if (InternalCommBufferSize < ExpectedSize) {
+ DEBUG(( DEBUG_INFO, "%a - Bad comm buffer size! %d < %d\n", __FUNCTION__, InternalCommBufferSize, ExpectedSize ));
+ PolicyCommmHeader->Result = EFI_INVALID_PARAMETER;
+ break;
+ }
+
+ // Now that we know we've got a valid size, we can fill in the rest of the data.
+ DumpParamsIn = (VAR_CHECK_POLICY_COMM_DUMP_PARAMS*)(InternalPolicyCommmHeader + 1);
+ DumpParamsOut = (VAR_CHECK_POLICY_COMM_DUMP_PARAMS*)(PolicyCommmHeader + 1);
+
+ // If we're requesting the first page, initialize the cache and get the sizes.
+ if (DumpParamsIn->PageRequested == 0) {
+ if (PaginationCache != NULL) {
+ FreePool (PaginationCache);
+ PaginationCache = NULL;
+ }
+
+ // Determine what the required size is going to be.
+ DumpParamsOut->TotalSize = 0;
+ DumpParamsOut->PageSize = 0;
+ DumpParamsOut->HasMore = FALSE;
+ SubCommandStatus = DumpVariablePolicy (NULL, &TempSize);
+ if (SubCommandStatus == EFI_BUFFER_TOO_SMALL && TempSize > 0) {
+ CurrentPaginationCommand = VAR_CHECK_POLICY_COMMAND_DUMP;
+ PaginationCacheSize = TempSize;
+ DumpParamsOut->TotalSize = TempSize;
+ PaginationCache = AllocatePool (PaginationCacheSize);
+ if (PaginationCache == NULL) {
+ SubCommandStatus = EFI_OUT_OF_RESOURCES;
+ }
+ }
+
+ // If we've allocated our pagination cache, we're good to cache.
+ if (PaginationCache != NULL) {
+ SubCommandStatus = DumpVariablePolicy (PaginationCache, &TempSize);
+ }
+
+ // Populate the remaining fields and we can boogie.
+ if (!EFI_ERROR (SubCommandStatus) && PaginationCache != NULL) {
+ DumpParamsOut->HasMore = TRUE;
+ }
+ } else if (PaginationCache != NULL) {
+ DumpParamsOut->TotalSize = (UINT32)PaginationCacheSize;
+ DumpOutputBuffer = (UINT8*)(DumpParamsOut + 1);
+
+ // Make sure that we don't over-index the cache.
+ DumpTotalPages = PaginationCacheSize / VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE;
+ if (PaginationCacheSize % VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE) {
+ DumpTotalPages++;
+ }
+ if (DumpParamsIn->PageRequested > DumpTotalPages) {
+ SubCommandStatus = EFI_INVALID_PARAMETER;
+ } else {
+ // Figure out how far into the page cache we need to go for our next page.
+ // We know the blind subtraction won't be bad because we already checked for page 0.
+ DumpInputBuffer = &PaginationCache[VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE * (DumpParamsIn->PageRequested - 1)];
+ TempSize = VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE;
+ // If we're getting the last page, adjust the PageSize.
+ if (DumpParamsIn->PageRequested == DumpTotalPages) {
+ TempSize = PaginationCacheSize % VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE;
+ }
+ CopyMem (DumpOutputBuffer, DumpInputBuffer, TempSize);
+ DumpParamsOut->PageSize = TempSize;
+ // If we just got the last page, settle up the cache.
+ if (DumpParamsIn->PageRequested == DumpTotalPages) {
+ DumpParamsOut->HasMore = FALSE;
+ FreePool (PaginationCache);
+ PaginationCache = NULL;
+ PaginationCacheSize = 0;
+ CurrentPaginationCommand = 0;
+ // Otherwise, we could do more here.
+ } else {
+ DumpParamsOut->HasMore = TRUE;
+ }
+
+ // If we made it this far, we're basically good.
+ SubCommandStatus = EFI_SUCCESS;
+ }
+ // If we've requested any other page than 0 and the cache is empty, we must have timed out.
+ } else {
+ DumpParamsOut->TotalSize = 0;
+ DumpParamsOut->PageSize = 0;
+ DumpParamsOut->HasMore = FALSE;
+ SubCommandStatus = EFI_TIMEOUT;
+ }
+
+ // There's currently no use for this, but it shouldn't be hard to implement.
+ PolicyCommmHeader->Result = SubCommandStatus;
+ break;
+
+ case VAR_CHECK_POLICY_COMMAND_LOCK:
+ PolicyCommmHeader->Result = LockVariablePolicy();
+ break;
+
+ default:
+ // Mark unknown requested command as EFI_UNSUPPORTED.
+ DEBUG(( DEBUG_INFO, "%a - Invalid command requested! %d\n", __FUNCTION__, PolicyCommmHeader->Command ));
+ PolicyCommmHeader->Result = EFI_UNSUPPORTED;
+ break;
+ }
+
+ DEBUG(( DEBUG_VERBOSE, "%a - Command %d returning %r.\n", __FUNCTION__,
+ PolicyCommmHeader->Command, PolicyCommmHeader->Result ));
+
+ return Status;
+}
+
+
+/**
+ Constructor function of VarCheckPolicyLib to register VarCheck handler and
+ SW MMI handlers.
+
+ @param[in] ImageHandle The firmware allocated handle for the EFI image.
+ @param[in] SystemTable A pointer to the EFI System Table.
+
+ @retval EFI_SUCCESS The constructor executed correctly.
+
+**/
+EFI_STATUS
+EFIAPI
+VarCheckPolicyLibConstructor (
+ IN EFI_HANDLE ImageHandle,
+ IN EFI_SYSTEM_TABLE *SystemTable
+ )
+{
+ EFI_STATUS Status;
+ EFI_HANDLE DiscardedHandle;
+
+ // Initialize the business logic with the internal GetVariable handler.
+ Status = InitVariablePolicyLib( VariableServiceGetVariable );
+
+ // Only proceed with init if the business logic could be initialized.
+ if (!EFI_ERROR( Status )) {
+ // Register the VarCheck handler for SetVariable filtering.
+ // Forward the check to the business logic of the library.
+ VarCheckLibRegisterSetVariableCheckHandler( ValidateSetVariable );
+
+ // Register the MMI handlers for receiving policy commands.
+ DiscardedHandle = NULL;
+ Status = gMmst->MmiHandlerRegister( VarCheckPolicyLibMmiHandler,
+ &gVarCheckPolicyLibMmiHandlerGuid,
+ &DiscardedHandle );
+ }
+ // Otherwise, there's not much we can do.
+ else {
+ DEBUG(( DEBUG_ERROR, "%a - Cannot Initialize VariablePolicyLib! %r\n", __FUNCTION__, Status ));
+ ASSERT_EFI_ERROR( Status );
+ }
+
+ return Status;
+}
diff --git a/MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h b/MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h
new file mode 100644
index 000000000000..77bcc62f3ccf
--- /dev/null
+++ b/MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h
@@ -0,0 +1,54 @@
+/** @file -- VarCheckPolicyMmiCommon.h
+This header contains communication definitions that are shared between DXE
+and the MM component of VarCheckPolicy.
+
+Copyright (c) Microsoft Corporation.
+SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+#ifndef _VAR_CHECK_POLICY_MMI_COMMON_H_
+#define _VAR_CHECK_POLICY_MMI_COMMON_H_
+
+#define VAR_CHECK_POLICY_COMM_SIG SIGNATURE_32('V', 'C', 'P', 'C')
+#define VAR_CHECK_POLICY_COMM_REVISION 1
+
+#pragma pack(push, 1)
+
+typedef struct _VAR_CHECK_POLICY_COMM_HEADER {
+ UINT32 Signature;
+ UINT32 Revision;
+ UINT32 Command;
+ EFI_STATUS Result;
+} VAR_CHECK_POLICY_COMM_HEADER;
+
+typedef struct _VAR_CHECK_POLICY_COMM_IS_ENABLED_PARAMS {
+ BOOLEAN State;
+} VAR_CHECK_POLICY_COMM_IS_ENABLED_PARAMS;
+
+typedef struct _VAR_CHECK_POLICY_COMM_DUMP_PARAMS {
+ UINT32 PageRequested;
+ UINT32 TotalSize;
+ UINT32 PageSize;
+ BOOLEAN HasMore;
+} VAR_CHECK_POLICY_COMM_DUMP_PARAMS;
+
+#pragma pack(pop)
+
+// Make sure that we will hold at least the headers.
+#define VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE MAX((OFFSET_OF(EFI_MM_COMMUNICATE_HEADER, Data) + sizeof (VAR_CHECK_POLICY_COMM_HEADER) + EFI_PAGES_TO_SIZE(1)), EFI_PAGES_TO_SIZE(4))
+#define VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE (VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE - \
+ (OFFSET_OF(EFI_MM_COMMUNICATE_HEADER, Data) + \
+ sizeof(VAR_CHECK_POLICY_COMM_HEADER) + \
+ sizeof(VAR_CHECK_POLICY_COMM_DUMP_PARAMS)))
+STATIC_ASSERT (
+ VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE < VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE,
+ "an integer underflow may have occurred calculating VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE"
+ );
+
+#define VAR_CHECK_POLICY_COMMAND_DISABLE 0x0001
+#define VAR_CHECK_POLICY_COMMAND_IS_ENABLED 0x0002
+#define VAR_CHECK_POLICY_COMMAND_REGISTER 0x0003
+#define VAR_CHECK_POLICY_COMMAND_DUMP 0x0004
+#define VAR_CHECK_POLICY_COMMAND_LOCK 0x0005
+
+#endif // _VAR_CHECK_POLICY_MMI_COMMON_H_
diff --git a/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf b/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf
new file mode 100644
index 000000000000..077bcc8990ca
--- /dev/null
+++ b/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf
@@ -0,0 +1,42 @@
+## @file VarCheckPolicyLib.inf
+# This is an instance of a VarCheck lib that leverages the business logic behind
+# the VariablePolicy code to make its decisions.
+#
+# Copyright (c) Microsoft Corporation.
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+
+[Defines]
+ INF_VERSION = 0x00010005
+ BASE_NAME = VarCheckPolicyLib
+ FILE_GUID = 9C28A48F-C884-4B1F-8B95-DEF125448023
+ MODULE_TYPE = DXE_RUNTIME_DRIVER
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = NULL|DXE_RUNTIME_DRIVER DXE_SMM_DRIVER
+ CONSTRUCTOR = VarCheckPolicyLibConstructor
+
+
+[Sources]
+ VarCheckPolicyLib.c
+
+
+[Packages]
+ MdePkg/MdePkg.dec
+ MdeModulePkg/MdeModulePkg.dec
+
+
+[LibraryClasses]
+ BaseLib
+ DebugLib
+ BaseMemoryLib
+ DxeServicesLib
+ MemoryAllocationLib
+ VarCheckLib
+ VariablePolicyLib
+ VariablePolicyHelperLib
+ SafeIntLib
+ MmServicesTableLib
+
+
+[Guids]
+ gVarCheckPolicyLibMmiHandlerGuid ## CONSUME ## Used to register for MM Communication events.
diff --git a/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.uni b/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.uni
new file mode 100644
index 000000000000..eedeeed15d31
--- /dev/null
+++ b/MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.uni
@@ -0,0 +1,12 @@
+// /** @file
+// VarCheckPolicyLib.uni
+//
+// Copyright (c) Microsoft Corporation.
+// SPDX-License-Identifier: BSD-2-Clause-Patent
+//
+// **/
+
+
+#string STR_MODULE_ABSTRACT #language en-US "NULL library implementation that conforms to the VarCheck interface to allow VariablePolicy engine to enforce policies"
+
+#string STR_MODULE_DESCRIPTION #language en-US "NULL library implementation that conforms to the VarCheck interface to allow VariablePolicy engine to enforce policies"
diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
index 51f7f9d7246a..00075528198d 100644
--- a/MdeModulePkg/MdeModulePkg.dec
+++ b/MdeModulePkg/MdeModulePkg.dec
@@ -385,6 +385,10 @@ [Guids]
## Include/Guid/EndofS3Resume.h
gEdkiiEndOfS3ResumeGuid = { 0x96f5296d, 0x05f7, 0x4f3c, {0x84, 0x67, 0xe4, 0x56, 0x89, 0x0e, 0x0c, 0xb5 } }
+ ## Used (similar to Variable Services) to communicate policies to the enforcement engine.
+ # {DA1B0D11-D1A7-46C4-9DC9-F3714875C6EB}
+ gVarCheckPolicyLibMmiHandlerGuid = { 0xda1b0d11, 0xd1a7, 0x46c4, { 0x9d, 0xc9, 0xf3, 0x71, 0x48, 0x75, 0xc6, 0xeb }}
+
## Include/Guid/S3SmmInitDone.h
gEdkiiS3SmmInitDoneGuid = { 0x8f9d4825, 0x797d, 0x48fc, { 0x84, 0x71, 0x84, 0x50, 0x25, 0x79, 0x2e, 0xf6 } }
diff --git a/MdeModulePkg/MdeModulePkg.dsc b/MdeModulePkg/MdeModulePkg.dsc
index 37795b9e4f58..f0a75a3b337b 100644
--- a/MdeModulePkg/MdeModulePkg.dsc
+++ b/MdeModulePkg/MdeModulePkg.dsc
@@ -313,6 +313,7 @@ [Components]
MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf
+ MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf
MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
MdeModulePkg/Library/VarCheckHiiLib/VarCheckHiiLib.inf
MdeModulePkg/Library/VarCheckPcdLib/VarCheckPcdLib.inf
@@ -458,6 +459,7 @@ [Components.IA32, Components.X64]
MdeModulePkg/Core/PiSmmCore/PiSmmCore.inf
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf {
<LibraryClasses>
+ NULL|MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf
NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf
NULL|MdeModulePkg/Library/VarCheckHiiLib/VarCheckHiiLib.inf
NULL|MdeModulePkg/Library/VarCheckPcdLib/VarCheckPcdLib.inf
--
2.28.0.windows.1
next prev parent reply other threads:[~2020-08-28 5:51 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-28 5:51 [PATCH v7 00/14] Add the VariablePolicy feature Bret Barkelew
2020-08-28 5:51 ` [PATCH v7 01/14] MdeModulePkg: Define the VariablePolicy protocol interface Bret Barkelew
2020-08-28 5:51 ` [PATCH v7 02/14] MdeModulePkg: Define the VariablePolicyLib Bret Barkelew
2020-08-28 5:51 ` [PATCH v7 03/14] MdeModulePkg: Define the VariablePolicyHelperLib Bret Barkelew
2020-08-28 5:51 ` Bret Barkelew [this message]
2020-08-28 5:51 ` [PATCH v7 05/14] OvmfPkg: Add VariablePolicy engine to OvmfPkg platform Bret Barkelew
2020-08-28 5:51 ` [PATCH v7 06/14] EmulatorPkg: Add VariablePolicy engine to EmulatorPkg platform Bret Barkelew
2020-09-23 2:47 ` [edk2-devel] " Ni, Ray
2020-09-23 4:29 ` Bret Barkelew
2020-08-28 5:51 ` [PATCH v7 07/14] ArmVirtPkg: Add VariablePolicy engine to ArmVirtPkg platform Bret Barkelew
2020-08-28 5:51 ` [PATCH v7 08/14] UefiPayloadPkg: Add VariablePolicy engine to UefiPayloadPkg platform Bret Barkelew
2020-08-28 5:51 ` [PATCH v7 09/14] MdeModulePkg: Connect VariablePolicy business logic to VariableServices Bret Barkelew
2020-08-28 5:51 ` [PATCH v7 10/14] MdeModulePkg: Allow VariablePolicy state to delete protected variables Bret Barkelew
2020-08-28 5:51 ` [PATCH v7 11/14] SecurityPkg: Allow VariablePolicy state to delete authenticated variables Bret Barkelew
[not found] ` <007a01d68bc9$744d2af0$5ce780d0$@byosoft.com.cn>
2020-09-16 2:51 ` [edk2-devel] " Yao, Jiewen
2020-09-16 21:48 ` Bret Barkelew
2020-08-28 5:51 ` [PATCH v7 12/14] MdeModulePkg: Change TCG MOR variables to use VariablePolicy Bret Barkelew
2020-08-28 5:51 ` [PATCH v7 13/14] MdeModulePkg: Drop VarLock from RuntimeDxe variable driver Bret Barkelew
2020-08-28 5:51 ` [PATCH v7 14/14] MdeModulePkg: Add a shell-based functional test for VariablePolicy Bret Barkelew
2020-09-08 1:09 ` 回复: [edk2-devel] [PATCH v7 00/14] Add the VariablePolicy feature gaoliming
2020-09-15 15:44 ` Dandan Bi
2020-09-15 20:00 ` Bret Barkelew
2020-09-22 15:35 ` Wang, Jian J
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200828055127.1610-5-brbarkel@microsoft.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox