From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-pj1-f46.google.com (mail-pj1-f46.google.com [209.85.216.46]) by mx.groups.io with SMTP id smtpd.web11.6962.1600841298758944672 for ; Tue, 22 Sep 2020 23:08:18 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@corthon-com.20150623.gappssmtp.com header.s=20150623 header.b=tORW3xQR; spf=none, err=permanent DNS error (domain: corthon.com, ip: 209.85.216.46, mailfrom: bret@corthon.com) Received: by mail-pj1-f46.google.com with SMTP id q4so2658183pjh.5 for ; Tue, 22 Sep 2020 23:08:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=corthon-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=zk7wY72g2WV/2xHu/iFlKD+OiSZeIfcehYGOBwtfumE=; b=tORW3xQRxjY4eBeufhZg8/obWFzqL/MkKJp70nydoZHMhgh1XD0mxzwV4fllGfaKad ZPjOhXPOPvchTa7t6+FPHaH3sCpeAdZyi3+P0hIig6Hxlvzpym+hRsNgMYEYUjZG0MdT +hCf9PiFoZKhU9ItnEDvY6wfEqL7Ts7oiaWZdyZ9skphEbdbc0RB0ib/NoLj2+q2EsjA NkifVv+i4fnNNvCB+G63kpW4bAQ9PaHTlD2cQv0oCfKiG6iuXslLy0GNK7EPZD3dawcU vzl820ARL9hjqiaNS8SIwBzrgCZZxFN9kd6ACIItQR8kzJnF+pbhfcZGRjG+p3jn6He5 NNnw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=zk7wY72g2WV/2xHu/iFlKD+OiSZeIfcehYGOBwtfumE=; b=heiy5yNTgx/jLuMkvj2O0b8ERXh46KIqHSZRfAkC7jM9j+6LKLwVcnjMRw0qCptTgM zxYK5XLxljvG05ws2FuGq2WOV2RJheGOnMZxXo/gTC2xHJhonRl2GuxTeRYCbBew+s+7 XCZBmzOdqBtR0Jm5tB5qwCLA2ZWudNTpb3xBBbv3HOlz4cE2+vDeqg3cK6f84rKdXEv+ a+ciGBQakWr5xSuyZ1APdeZn3rx5Xq2f1EdNBaMDP3HETyE/7tFrLUPWsu/KC3wVDBVT FRe2CXY3ZCTmDR2y1mv1CXBGxXikdpToMrJaKWK8b6zkTe/CUcqiX2AIJpDDeKeIm9a/ eEJg== X-Gm-Message-State: AOAM532gMUAZt/PwXU8ot9cYc5rGq89tVlCaQjLGyjlhS/F485eZH2Dg O4Ao2wjsHiQZCMCrhh+HDhtdegb/CaroZDwN X-Google-Smtp-Source: ABdhPJy7MaDONQQIHEWSFCLl+hAc9PQcrp8WcvkdiLIT6YAenlIJabQChYcaGXo5t1awhLvlamId/g== X-Received: by 2002:a17:90a:71c9:: with SMTP id m9mr6758515pjs.146.1600841297953; Tue, 22 Sep 2020 23:08:17 -0700 (PDT) Return-Path: Received: from localhost.localdomain (174-21-140-128.tukw.qwest.net. [174.21.140.128]) by smtp.gmail.com with ESMTPSA id x4sm16960498pff.57.2020.09.22.23.08.17 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 22 Sep 2020 23:08:17 -0700 (PDT) From: "Bret Barkelew" X-Google-Original-From: Bret Barkelew To: devel@edk2.groups.io Cc: Jian J Wang , Hao A Wu , Liming Gao , Bret Barkelew , Dandan Bi Subject: [PATCH v8 01/14] MdeModulePkg: Define the VariablePolicy protocol interface Date: Tue, 22 Sep 2020 23:07:35 -0700 Message-Id: <20200923060748.3795-2-bret.barkelew@microsoft.com> X-Mailer: git-send-email 2.28.0.windows.1 In-Reply-To: <20200923060748.3795-1-bret.barkelew@microsoft.com> References: <20200923060748.3795-1-bret.barkelew@microsoft.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable From: Bret Barkelew https://bugzilla.tianocore.org/show_bug.cgi?id=3D2522 VariablePolicy is an updated interface to replace VarLock and VarCheckProtocol. Add the VariablePolicy protocol interface header and add to the MdeModulePkg.dec file. Cc: Jian J Wang Cc: Hao A Wu Cc: Liming Gao Cc: Bret Barkelew Signed-off-by: Bret Barkelew Reviewed-by: Dandan Bi Acked-by: Jian J Wang --- MdeModulePkg/Include/Protocol/VariablePolicy.h | 157 ++++++++++++++++++++ MdeModulePkg/MdeModulePkg.dec | 14 +- MdeModulePkg/MdeModulePkg.uni | 7 + 3 files changed, 177 insertions(+), 1 deletion(-) diff --git a/MdeModulePkg/Include/Protocol/VariablePolicy.h b/MdeModulePkg/= Include/Protocol/VariablePolicy.h new file mode 100644 index 000000000000..8226c187a77b --- /dev/null +++ b/MdeModulePkg/Include/Protocol/VariablePolicy.h @@ -0,0 +1,157 @@ +/** @file -- VariablePolicy.h=0D +=0D +This protocol allows communication with Variable Policy Engine.=0D +=0D +Copyright (c) Microsoft Corporation.=0D +SPDX-License-Identifier: BSD-2-Clause-Patent=0D +**/=0D +=0D +#ifndef __EDKII_VARIABLE_POLICY_PROTOCOL__=0D +#define __EDKII_VARIABLE_POLICY_PROTOCOL__=0D +=0D +#define EDKII_VARIABLE_POLICY_PROTOCOL_REVISION 0x0000000000010000=0D +=0D +#define EDKII_VARIABLE_POLICY_PROTOCOL_GUID \=0D + { \=0D + 0x81D1675C, 0x86F6, 0x48DF, { 0xBD, 0x95, 0x9A, 0x6E, 0x4F, 0x09, 0x25= , 0xC3 } \=0D + }=0D +=0D +#define VARIABLE_POLICY_ENTRY_REVISION 0x00010000=0D +=0D +#pragma pack(push, 1)=0D +typedef struct {=0D + UINT32 Version;=0D + UINT16 Size;=0D + UINT16 OffsetToName;=0D + EFI_GUID Namespace;=0D + UINT32 MinSize;=0D + UINT32 MaxSize;=0D + UINT32 AttributesMustHave;=0D + UINT32 AttributesCantHave;=0D + UINT8 LockPolicyType;=0D + UINT8 Padding[3];=0D + // UINT8 LockPolicy[]; // Variable Length Field=0D + // CHAR16 Name[] // Variable Length Field=0D +} VARIABLE_POLICY_ENTRY;=0D +=0D +#define VARIABLE_POLICY_NO_MIN_SIZE 0=0D +#define VARIABLE_POLICY_NO_MAX_SIZE MAX_UINT32=0D +#define VARIABLE_POLICY_NO_MUST_ATTR 0=0D +#define VARIABLE_POLICY_NO_CANT_ATTR 0=0D +=0D +#define VARIABLE_POLICY_TYPE_NO_LOCK 0=0D +#define VARIABLE_POLICY_TYPE_LOCK_NOW 1=0D +#define VARIABLE_POLICY_TYPE_LOCK_ON_CREATE 2=0D +#define VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE 3=0D +=0D +typedef struct {=0D + EFI_GUID Namespace;=0D + UINT8 Value;=0D + UINT8 Padding;=0D + // CHAR16 Name[]; // Variable Length Field=0D +} VARIABLE_LOCK_ON_VAR_STATE_POLICY;=0D +#pragma pack(pop)=0D +=0D +/**=0D + This API function disables the variable policy enforcement. If it's=0D + already been called once, will return EFI_ALREADY_STARTED.=0D +=0D + @retval EFI_SUCCESS=0D + @retval EFI_ALREADY_STARTED Has already been called once this boot= .=0D + @retval EFI_WRITE_PROTECTED Interface has been locked until reboot= .=0D + @retval EFI_WRITE_PROTECTED Interface option is disabled by platfo= rm PCD.=0D +=0D +**/=0D +typedef=0D +EFI_STATUS=0D +(EFIAPI *DISABLE_VARIABLE_POLICY)(=0D + VOID=0D + );=0D +=0D +/**=0D + This API function returns whether or not the policy engine is=0D + currently being enforced.=0D +=0D + @param[out] State Pointer to a return value for whether the poli= cy enforcement=0D + is currently enabled.=0D +=0D + @retval EFI_SUCCESS=0D + @retval Others An error has prevented this command from compl= eting.=0D +=0D +**/=0D +typedef=0D +EFI_STATUS=0D +(EFIAPI *IS_VARIABLE_POLICY_ENABLED)(=0D + OUT BOOLEAN *State=0D + );=0D +=0D +/**=0D + This API function validates and registers a new policy with=0D + the policy enforcement engine.=0D +=0D + @param[in] NewPolicy Pointer to the incoming policy structure.=0D +=0D + @retval EFI_SUCCESS=0D + @retval EFI_INVALID_PARAMETER NewPolicy is NULL or is internally i= nconsistent.=0D + @retval EFI_ALREADY_STARTED An identical matching policy already= exists.=0D + @retval EFI_WRITE_PROTECTED The interface has been locked until = the next reboot.=0D + @retval EFI_ABORTED A calculation error has prevented th= is function from completing.=0D + @retval EFI_OUT_OF_RESOURCES Cannot grow the table to hold any mo= re policies.=0D +=0D +**/=0D +typedef=0D +EFI_STATUS=0D +(EFIAPI *REGISTER_VARIABLE_POLICY)(=0D + IN CONST VARIABLE_POLICY_ENTRY *PolicyEntry=0D + );=0D +=0D +/**=0D + This API function will dump the entire contents of the variable policy t= able.=0D +=0D + Similar to GetVariable, the first call can be made with a 0 size and it = will return=0D + the size of the buffer required to hold the entire table.=0D +=0D + @param[out] Policy Pointer to the policy buffer. Can be NULL if Siz= e is 0.=0D + @param[in,out] Size On input, the size of the output buffer. On outp= ut, the size=0D + of the data returned.=0D +=0D + @retval EFI_SUCCESS Policy data is in the output buffer = and Size has been updated.=0D + @retval EFI_INVALID_PARAMETER Size is NULL, or Size is non-zero an= d Policy is NULL.=0D + @retval EFI_BUFFER_TOO_SMALL Size is insufficient to hold policy.= Size updated with required size.=0D +=0D +**/=0D +typedef=0D +EFI_STATUS=0D +(EFIAPI *DUMP_VARIABLE_POLICY)(=0D + IN OUT UINT8 *Policy,=0D + IN OUT UINT32 *Size=0D + );=0D +=0D +/**=0D + This API function locks the interface so that no more policy updates=0D + can be performed or changes made to the enforcement until the next boot.= =0D +=0D + @retval EFI_SUCCESS=0D + @retval Others An error has prevented this command from compl= eting.=0D +=0D +**/=0D +typedef=0D +EFI_STATUS=0D +(EFIAPI *LOCK_VARIABLE_POLICY)(=0D + VOID=0D + );=0D +=0D +typedef struct {=0D + UINT64 Revision;=0D + DISABLE_VARIABLE_POLICY DisableVariablePolicy;=0D + IS_VARIABLE_POLICY_ENABLED IsVariablePolicyEnabled;=0D + REGISTER_VARIABLE_POLICY RegisterVariablePolicy;=0D + DUMP_VARIABLE_POLICY DumpVariablePolicy;=0D + LOCK_VARIABLE_POLICY LockVariablePolicy;=0D +} _EDKII_VARIABLE_POLICY_PROTOCOL;=0D +=0D +typedef _EDKII_VARIABLE_POLICY_PROTOCOL EDKII_VARIABLE_POLICY_PROTOCOL;=0D +=0D +extern EFI_GUID gEdkiiVariablePolicyProtocolGuid;=0D +=0D +#endif=0D diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec index cb30a7975849..82aecc40d9a9 100644 --- a/MdeModulePkg/MdeModulePkg.dec +++ b/MdeModulePkg/MdeModulePkg.dec @@ -8,7 +8,7 @@ # Copyright (c) 2016, Linaro Ltd. All rights reserved.
=0D # (C) Copyright 2016 - 2019 Hewlett Packard Enterprise Development LP
= =0D # Copyright (c) 2017, AMD Incorporated. All rights reserved.
=0D -# Copyright (c) 2016, Microsoft Corporation
=0D +# Copyright (c) Microsoft Corporation.
=0D # SPDX-License-Identifier: BSD-2-Clause-Patent=0D #=0D ##=0D @@ -627,6 +627,9 @@ [Protocols] # 0x80000006 | Incorrect error code provided.=0D #=0D =0D + ## Include/Protocol/VariablePolicy.h=0D + gEdkiiVariablePolicyProtocolGuid =3D { 0x81D1675C, 0x86F6, 0x48DF, { 0xB= D, 0x95, 0x9A, 0x6E, 0x4F, 0x09, 0x25, 0xC3 } }=0D +=0D [PcdsFeatureFlag]=0D ## Indicates if the platform can support update capsule across a system = reset.

=0D # TRUE - Supports update capsule across a system reset.
=0D @@ -1119,6 +1122,15 @@ [PcdsFixedAtBuild, PcdsPatchableInModule] # @Prompt Variable storage size.=0D gEfiMdeModulePkgTokenSpaceGuid.PcdVariableStoreSize|0x10000|UINT32|0x300= 00005=0D =0D + ## Toggle for whether the VariablePolicy engine should allow disabling.= =0D + # The engine is enabled at power-on, but the interface allows the platfo= rm to=0D + # disable enforcement for servicing flexibility. If this PCD is disabled= , it will block the ability to=0D + # disable the enforcement and VariablePolicy enforcement will always be = ON.=0D + # TRUE - VariablePolicy can be disabled by request through the interfa= ce (until interface is locked)=0D + # FALSE - VariablePolicy interface will not accept requests to disable= and is ALWAYS ON=0D + # @Prompt Allow VariablePolicy enforcement to be disabled.=0D + gEfiMdeModulePkgTokenSpaceGuid.PcdAllowVariablePolicyEnforcementDisable|= FALSE|BOOLEAN|0x30000020=0D +=0D ## FFS filename to find the ACPI tables.=0D # @Prompt FFS name of ACPI tables storage.=0D gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiTableStorageFile|{ 0x25, 0x4e, 0x3= 7, 0x7e, 0x01, 0x8e, 0xee, 0x4f, 0x87, 0xf2, 0x39, 0xc, 0x23, 0xc6, 0x6, 0x= cd }|VOID*|0x30000016=0D diff --git a/MdeModulePkg/MdeModulePkg.uni b/MdeModulePkg/MdeModulePkg.uni index b8c867379a86..40884c57a460 100644 --- a/MdeModulePkg/MdeModulePkg.uni +++ b/MdeModulePkg/MdeModulePkg.uni @@ -129,6 +129,13 @@ =0D #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdVariableStoreSize_HELP #lan= guage en-US "The size of volatile buffer. This buffer is used to store VOLA= TILE attribute variables."=0D =0D +#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAllowVariablePolicyEnforceme= ntDisable_PROMPT #language en-US "Allow VariablePolicy enforcement to be d= isabled."=0D +=0D +#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAllowVariablePolicyEnforceme= ntDisable_HELP #language en-US "If this PCD is disabled, it will block the= ability to
\n"=0D + = "disable the enforcement and VariablePolicy= enforcement will always be ON.
\n"=0D + = "TRUE - VariablePolicy can be disabled by r= equest through the interface (until interface is locked)
\n"=0D + = "FALSE - VariablePolicy interface will not = accept requests to disable and is ALWAYS ON
\n"=0D +=0D #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiTableStorageFile_PROMPT = #language en-US "FFS name of ACPI tables storage"=0D =0D #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiTableStorageFile_HELP #= language en-US "FFS filename to find the ACPI tables."=0D --=20 2.28.0.windows.1