From: "Judah Vang"
To: devel@edk2.groups.io
Subject: [Patch v2 00/28] UEFI variable protection
Date: Fri, 29 Apr 2022 11:04:02 -0700
Message-Id: <20220429180430.3292-1-judah.vang@intel.com>

For a more detailed description of the UEFI variable protected feature,
you can view the Readme.md located at the following location:
https://github.com/judahvang/edk2/tree/rpmc-update

Judah Vang (28):
  MdeModulePkg: Add new GUID for Variable Store Info
  SecurityPkg: Add new GUIDs for
  MdeModulePkg: Update AUTH_VARIABLE_INFO struct
  MdeModulePkg: Add reference to new Ppi Guid
  MdeModulePkg: Add new ProtectedVariable GUIDs
  MdeModulePkg: Add new include files
  MdeModulePkg: Add Null ProtectedVariable Library
  MdeModulePkg: Add new Variable functionality
  MdeModulePkg: Add support for Protected Variables
  SecurityPkg: Add new KeyService types and defines
  SecurityPkg: Update RPMC APIs with index
  SecurityPkg: Add new variable types and functions
  SecurityPkg: Fix GetVariableKey API
  SecurityPkg: Add null encryption variable libs
  SecurityPkg: Add VariableKey library function
  SecurityPkg: Add EncryptionVariable lib with AES
  SecurityPkg: Add Protected Variable Services
  MdeModulePkg: Reference Null ProtectedVariableLib
  SecurityPkg: Add references to new *.inf files
  ArmVirtPkg: Add reference to ProtectedVariableNull
  UefiPayloadPkg: Add ProtectedVariable reference
  EmulatorPkg: Add ProtectedVariable reference
  OvmfPkg: Add ProtectedVariable reference
  OvmfPkg: Add ProtectedVariableLib reference
  OvmfPkg: Add ProtectedVariableLib reference
  OvmfPkg: Add ProtectedVariableLib reference
  OvmfPkg: Add ProtectedVariable reference
  CryptoPkg: Enable cypto HMAC KDF library

 MdeModulePkg/MdeModulePkg.dec | 13 +-
 SecurityPkg/SecurityPkg.dec | 43 +-
 ArmVirtPkg/ArmVirtQemu.dsc | 3 +-
 EmulatorPkg/EmulatorPkg.dsc | 3 +-
 MdeModulePkg/MdeModulePkg.dsc | 4 +-
 OvmfPkg/AmdSev/AmdSevX64.dsc | 3 +-
 OvmfPkg/Bhyve/BhyveX64.dsc | 3 +-
 OvmfPkg/CloudHv/CloudHvX64.dsc | 1 +
 OvmfPkg/Microvm/MicrovmX64.dsc | 3 +-
 OvmfPkg/OvmfPkgIa32.dsc | 1 +
 OvmfPkg/OvmfPkgIa32X64.dsc | 1 +
 OvmfPkg/OvmfPkgX64.dsc | 1 +
 OvmfPkg/OvmfXen.dsc | 3 +-
 SecurityPkg/SecurityPkg.dsc | 13 +-
 UefiPayloadPkg/UefiPayloadPkg.dsc | 2 +
 CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf | 2 +-
 MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf | 34 +
 MdeModulePkg/Universal/Variable/Pei/VariablePei.inf | 10 +-
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf | 3 +-
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf | 3 +-
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf | 4 +-
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf | 3 +-
 SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf | 43 +
 SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf | 38 +
 SecurityPkg/Library/ProtectedVariableLib/DxeProtectedVariableLib.inf | 64 +
 SecurityPkg/Library/ProtectedVariableLib/PeiProtectedVariableLib.inf | 68 +
 SecurityPkg/Library/ProtectedVariableLib/SmmProtectedVariableLib.inf | 67 +
 SecurityPkg/Library/ProtectedVariableLib/SmmRuntimeProtectedVariableLib.inf | 62 +
 SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf | 36 +
 MdeModulePkg/Include/Guid/ProtectedVariable.h | 22 +
 MdeModulePkg/Include/Library/AuthVariableLib.h | 4 +-
 MdeModulePkg/Include/Library/EncryptionVariableLib.h | 165 ++
 MdeModulePkg/Include/Library/ProtectedVariableLib.h | 700 +++++++
 MdeModulePkg/Universal/Variable/Pei/Variable.h | 80 +-
 MdeModulePkg/Universal/Variable/Pei/VariableParsing.h | 309 +++
 MdeModulePkg/Universal/Variable/Pei/VariableStore.h | 116 ++
 MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.h | 126 +-
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableParsing.h | 91 +-
 MdePkg/Include/Ppi/ReadOnlyVariable2.h | 4 +-
 SecurityPkg/Include/Library/RpmcLib.h | 15 +-
 SecurityPkg/Include/Library/VariableKeyLib.h | 37 +-
 SecurityPkg/Include/Ppi/KeyServicePpi.h | 57 +
 SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h | 49 +
 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableInternal.h | 611 ++++++
 MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c | 449 ++++
 MdeModulePkg/Universal/Variable/Pei/Variable.c | 886 ++------
 MdeModulePkg/Universal/Variable/Pei/VariableParsing.c | 941 +++++++++
 MdeModulePkg/Universal/Variable/Pei/VariableStore.c | 305 +++
 MdeModulePkg/Universal/Variable/RuntimeDxe/Reclaim.c | 349 +++-
 MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c | 2139 +++++++++++--------
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c | 26 +-
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableExLib.c | 167 +-
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableNonVolatile.c | 194 +-
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableParsing.c | 320 ++-
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeCache.c | 2 +-
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c | 39 +-
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c | 41 +-
 SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.c | 728 +++++++
 SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c | 107 +
 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableCommon.c | 2095 +++++++++++++++++++
 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableDxe.c | 163 ++
 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariablePei.c | 1331 ++++++++++++
 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmm.c | 209 ++
 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmmDxeCommon.c | 975 +++++++++
 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmmRuntime.c | 233 +++
 SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c | 8 +-
 SecurityPkg/Library/VariableKeyLib/VariableKeyLib.c | 59 +
 SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c | 6 +-
 SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.uni | 16 +
 69 files changed, 12845 insertions(+), 1863 deletions(-)
 create mode 100644 MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf
 create mode 100644 SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf
 create mode 100644 SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf
 create mode 100644 SecurityPkg/Library/ProtectedVariableLib/DxeProtectedVariableLib.inf
 create mode 100644 SecurityPkg/Library/ProtectedVariableLib/PeiProtectedVariableLib.inf
 create mode 100644 SecurityPkg/Library/ProtectedVariableLib/SmmProtectedVariableLib.inf
 create mode 100644 SecurityPkg/Library/ProtectedVariableLib/SmmRuntimeProtectedVariableLib.inf
 create mode 100644 SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf
 create mode 100644 MdeModulePkg/Include/Guid/ProtectedVariable.h
 create mode 100644 MdeModulePkg/Include/Library/EncryptionVariableLib.h
 create mode 100644 MdeModulePkg/Include/Library/ProtectedVariableLib.h
 create mode 100644 MdeModulePkg/Universal/Variable/Pei/VariableParsing.h
 create mode 100644 MdeModulePkg/Universal/Variable/Pei/VariableStore.h
 create mode 100644 SecurityPkg/Include/Ppi/KeyServicePpi.h
 create mode 100644 SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h
 create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableInternal.h
 create mode 100644 MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c
 create mode 100644 MdeModulePkg/Universal/Variable/Pei/VariableParsing.c
 create mode 100644 MdeModulePkg/Universal/Variable/Pei/VariableStore.c
 create mode 100644 SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.c
 create mode 100644 SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c
 create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableCommon.c
 create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableDxe.c
 create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariablePei.c
 create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmm.c
 create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmmDxeCommon.c
 create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmmRuntime.c
 create mode 100644 SecurityPkg/Library/VariableKeyLib/VariableKeyLib.c
 create mode 100644 SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.uni

--
2.35.1.windows.2