From: "Michael Kubacki"
To: devel@edk2.groups.io
Cc: Anatol Belski, Anthony Perard, Dandan Bi, Gerd Hoffmann, Hao A Wu, Jian J Wang, Jianyong Wu, Jiewen Yao, Jordan Justen, Julien Grall, Liming Gao, Michael D Kinney, Zhichao Gao
Subject: [edk2-devel] [PATCH v2 0/3] Add Variable Policy Audit App and Shell Command
Date: Fri, 27 Oct 2023 21:18:09 -0400
Message-ID: <20231028011813.131-1-mikuback@linux.microsoft.com>
Reply-To: devel@edk2.groups.io, mikuback@linux.microsoft.com
From: Michael Kubacki

Adds a new module (dynamic shell command) to ShellPkg that lists variable policy information for all UEFI variables on the system. Some other UEFI variable related functionality is also included to give a greater sense of platform UEFI variable state.

Like all dynamic shell commands, a platform only needs to include VariablePolicyDynamicCommand.inf in their flash image to have the command registered in their UEFI shell. The shell command is added to OvmfPkg so it is available in an easily obtainable virtual platform. The code can also be built as a standalone EFI application.

This is being made available to ease auditing and enabling of UEFI variable policy to encourage its adoption for securing UEFI variables.

---

Command Help:

Lists UEFI variable policy information.

VARPOLICY [-p] [-s] [-v]

  -p - The policy flag will print variable policy info for each variable.
  -s - The stats flag will print overall UEFI variable policy statistics.
  -v - The verbose flag indicates all known information should be printed.
       This includes a dump of the corresponding UEFI variable data in
       addition to all other UEFI variable policy information.

EXAMPLES:
  * To dump all active UEFI variables:
    fs0:\> varpolicy

  * To include UEFI variable policy information:
    varpolicy -p

  * To include UEFI variable statistics:
    varpolicy -s

Press ENTER to continue or 'Q' break:

---

v2 changes:
- Allow the variable policy dynamic command to also be built as a standalone EFI app.
Images showing example output are available in the PR: https://github.com/tianocore/edk2/pull/4835

Cc: Anatol Belski
Cc: Anthony Perard
Cc: Dandan Bi
Cc: Gerd Hoffmann
Cc: Hao A Wu
Cc: Jian J Wang
Cc: Jianyong Wu
Cc: Jiewen Yao
Cc: Jordan Justen
Cc: Julien Grall
Cc: Liming Gao
Cc: Michael D Kinney
Cc: Zhichao Gao

Michael Kubacki (3):
  MdeModulePkg/VariablePolicy: Add more granular variable policy querying
  ShellPkg: Add varpolicy dynamic shell command and app
  OvmfPkg: Add varpolicy shell command

 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c                           | 174 +++-
 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c                           | 304 +++++++
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c                             |   4 +-
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c                    | 346 +++++++-
 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicy.c                | 877 ++++++++++++++++++++
 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyApp.c             |  59 ++
 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.c  | 157 ++++
 MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h                                        |  39 +-
 MdeModulePkg/Include/Library/VariablePolicyLib.h                                     | 107 +++
 MdeModulePkg/Include/Protocol/VariablePolicy.h                                       | 133 ++-
 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf                         |   1 +
 OvmfPkg/CloudHv/CloudHvX64.dsc                                                       |   4 +
 OvmfPkg/Microvm/MicrovmX64.dsc                                                       |   4 +
 OvmfPkg/OvmfPkgIa32.dsc                                                              |   4 +
 OvmfPkg/OvmfPkgIa32X64.dsc                                                           |   4 +
 OvmfPkg/OvmfPkgX64.dsc                                                               |   4 +
 OvmfPkg/OvmfXen.dsc                                                                  |   4 +
 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicy.h                | 126 +++
 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicy.uni              |  86 ++
 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyApp.inf           |  58 ++
 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf |  57 ++
 ShellPkg/ShellPkg.dsc                                                                |   5 +
 22 files changed, 2511 insertions(+), 46 deletions(-)
 create mode 100644 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicy.c
 create mode 100644 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyApp.c
 create mode 100644 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.c
 create mode 100644 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicy.h
 create mode 100644 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicy.uni
 create mode 100644 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyApp.inf
 create mode 100644 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf

--
2.42.0.windows.2
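As an added example (not code from this patch series, from the varpolicy command, or from edk2), the following Python script models offline the audit that the cover letter's -p and -s flags describe: it parses a constructed blob of VARIABLE_POLICY_ENTRY records, matches each sample variable to its governing policy (a named policy wins over a namespace-wide one; '#' in a policy name stands for one hex digit), and produces a per-variable policy view plus summary statistics, while failing closed on a truncated or inconsistent policy list. The packed entry layout, the lock-type values and the '#' wildcard rule are assumptions taken from my recollection of MdeModulePkg/Include/Protocol/VariablePolicy.h and VariablePolicyLib, not from this page; check them against the header before relying on the parser. EFI_GLOBAL_VARIABLE_GUID is the real UEFI GUID; the vendor GUID, the policy entries and the variable table are all constructed sample input.

```python
import struct
import uuid

# Constants as recalled from MdeModulePkg/Include/Protocol/VariablePolicy.h (assumption: verify).
VARIABLE_POLICY_ENTRY_REVISION = 0x00010000
VARIABLE_POLICY_NO_MAX_SIZE = 0xFFFFFFFF
VARIABLE_POLICY_TYPE_NO_LOCK = 0
VARIABLE_POLICY_TYPE_LOCK_NOW = 1
VARIABLE_POLICY_TYPE_LOCK_ON_CREATE = 2
VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE = 3
LOCK_TYPE_NAMES = {0: "NO_LOCK", 1: "LOCK_NOW", 2: "LOCK_ON_CREATE", 3: "LOCK_ON_VAR_STATE"}

# Assumed packed VARIABLE_POLICY_ENTRY header (44 bytes): UINT32 Version, UINT16 Size,
# UINT16 OffsetToName, EFI_GUID Namespace, UINT32 MinSize, UINT32 MaxSize,
# UINT32 AttributesMustHave, UINT32 AttributesCantHave, UINT8 LockPolicyType, UINT8 Padding[3].
# A NUL-terminated CHAR16 name follows at OffsetToName; OffsetToName == Size means no name,
# i.e. the policy applies to every variable in the namespace.
ENTRY_HDR = struct.Struct("<IHH16sIIIIB3x")

EFI_GLOBAL_VARIABLE_GUID = "8BE4DF61-93CA-11D2-AA0D-00E098032B8C"  # real UEFI GUID
VENDOR_GUID = "11111111-2222-3333-4444-555555555555"               # constructed for the sample


def build_entry(namespace, name, max_size=VARIABLE_POLICY_NO_MAX_SIZE, must_have=0,
                cant_have=0, lock_type=VARIABLE_POLICY_TYPE_NO_LOCK, min_size=0):
    """Serialize one entry; used only to construct the sample blob below."""
    name_bytes = (name + "\0").encode("utf-16-le") if name else b""
    size = ENTRY_HDR.size + len(name_bytes)
    return ENTRY_HDR.pack(VARIABLE_POLICY_ENTRY_REVISION, size, ENTRY_HDR.size,
                          uuid.UUID(namespace).bytes_le, min_size, max_size,
                          must_have, cant_have, lock_type) + name_bytes


def parse_policies(blob):
    """Walk concatenated entries. An audit tool must fail closed on a truncated or
    inconsistent list rather than silently report fewer policies than are installed."""
    entries, off = [], 0
    while off < len(blob):
        if off + ENTRY_HDR.size > len(blob):
            raise ValueError("truncated entry header at offset %d" % off)
        ver, size, name_off, ns, min_sz, max_sz, must, cant, lock = ENTRY_HDR.unpack_from(blob, off)
        if ver != VARIABLE_POLICY_ENTRY_REVISION:
            raise ValueError("unsupported entry revision 0x%08x" % ver)
        if (size < ENTRY_HDR.size or name_off < ENTRY_HDR.size or name_off > size
                or off + size > len(blob) or (size - name_off) % 2):
            raise ValueError("inconsistent Size/OffsetToName at offset %d" % off)
        name = None
        if name_off < size:  # name present: decode up to the first NUL
            name = blob[off + name_off:off + size].decode("utf-16-le").split("\0", 1)[0]
        entries.append({"namespace": str(uuid.UUID(bytes_le=ns)), "name": name,
                        "min_size": min_sz, "max_size": max_sz, "must_have": must,
                        "cant_have": cant, "lock_type": LOCK_TYPE_NAMES.get(lock, "UNKNOWN(%d)" % lock)})
        off += size
    return entries


def name_matches(policy_name, var_name):
    """'#' in a policy name matches exactly one hex digit (assumed VariablePolicyLib rule)."""
    return len(policy_name) == len(var_name) and all(
        (p == "#" and v in "0123456789abcdefABCDEF") or p == v for p, v in zip(policy_name, var_name))


def find_policy(policies, namespace, var_name):
    """A named policy takes precedence over a namespace-wide (no-name) policy."""
    ns, namespace_wide = str(uuid.UUID(namespace)), None
    for p in policies:
        if p["namespace"] != ns:
            continue
        if p["name"] is None:
            namespace_wide = namespace_wide or p
        elif name_matches(p["name"], var_name):
            return p
    return namespace_wide


def audit(variables, policies):
    """Per-variable view (what -p prints) and summary counts (what -s prints)."""
    stats = {"total": len(variables), "covered": 0, "uncovered": 0,
             "by_lock_type": {n: 0 for n in LOCK_TYPE_NAMES.values()}}
    report = []
    for v in variables:
        pol = find_policy(policies, v["namespace"], v["name"])
        if pol is None:
            stats["uncovered"] += 1
        else:
            stats["covered"] += 1
            stats["by_lock_type"][pol["lock_type"]] = stats["by_lock_type"].get(pol["lock_type"], 0) + 1
        report.append({"name": v["name"], "namespace": v["namespace"], "policy": pol})
    return report, stats


# Constructed sample policy list and variable table (not from any real platform).
SAMPLE_POLICY_BLOB = b"".join([
    build_entry(EFI_GLOBAL_VARIABLE_GUID, "Boot####", max_size=4096),
    build_entry(EFI_GLOBAL_VARIABLE_GUID, None, lock_type=VARIABLE_POLICY_TYPE_LOCK_ON_CREATE),
    build_entry(VENDOR_GUID, "SecureConfig", must_have=0x3, lock_type=VARIABLE_POLICY_TYPE_LOCK_NOW),
])
SAMPLE_VARIABLES = [
    {"namespace": EFI_GLOBAL_VARIABLE_GUID, "name": "BootOrder"},
    {"namespace": EFI_GLOBAL_VARIABLE_GUID, "name": "Boot0001"},
    {"namespace": VENDOR_GUID, "name": "SecureConfig"},
    {"namespace": VENDOR_GUID, "name": "DebugFlag"},  # no policy: the finding an audit is after
]


def sample_audit():
    return audit(SAMPLE_VARIABLES, parse_policies(SAMPLE_POLICY_BLOB))


if __name__ == "__main__":
    report, stats = sample_audit()
    for r in report:
        pol = r["policy"]
        print("%-14s %s" % (r["name"], "NO POLICY" if pol is None else
                            "%s max=%s must=0x%x" % (pol["lock_type"], pol["max_size"], pol["must_have"])))
    print(stats)
```

The uncovered count is the number a platform owner cares about most: every variable listed without a policy can be created, resized or rewritten by any caller with EFI_VARIABLE access, and the per-variable view shows which lock type and attribute constraints apply to the rest.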