From: "Michael Kubacki" <mikuback@linux.microsoft.com>
To: devel@edk2.groups.io
Cc: Anatol Belski <anbelski@linux.microsoft.com>,
Anthony Perard <anthony.perard@citrix.com>,
Ard Biesheuvel <ardb+tianocore@kernel.org>,
Dandan Bi <dandan.bi@intel.com>,
Gerd Hoffmann <kraxel@redhat.com>, Hao A Wu <hao.a.wu@intel.com>,
Jian J Wang <jian.j.wang@intel.com>,
Jianyong Wu <jianyong.wu@arm.com>,
Jiewen Yao <jiewen.yao@intel.com>,
Jordan Justen <jordan.l.justen@intel.com>,
Julien Grall <julien@xen.org>, Laszlo Ersek <lersek@redhat.com>,
Leif Lindholm <quic_llindhol@quicinc.com>,
Liming Gao <gaoliming@byosoft.com.cn>,
Michael D Kinney <michael.d.kinney@intel.com>,
Sami Mujawar <sami.mujawar@arm.com>,
Zhichao Gao <zhichao.gao@intel.com>
Subject: [edk2-devel] [PATCH v3 0/4] Add Variable Policy Audit App and Shell Command
Date: Mon, 30 Oct 2023 16:31:08 -0400 [thread overview]
Message-ID: <20231030203112.736-1-mikuback@linux.microsoft.com> (raw)
From: Michael Kubacki <michael.kubacki@microsoft.com>
Adds a new module (dynamic shell command) to ShellPkg that lists
variable policy information for all UEFI variables on the system.
Some other UEFI variable related functionality is also included to
give a greater sense of platform UEFI variable state.
Like all dynamic shell commands, a platform only needs to include
VariablePolicyDynamicCommand.inf in their flash image to have
the command registered in their UEFI shell.
The shell command is added to OvmfPkg so it is available in an
easily obtainable virtual platform.
The code can also be built as a standalone EFI application.
This is being made available to ease auditing and enabling of UEFI
variable policy to encourage its adoption for securing UEFI
variables.
---
Command Help:
Lists UEFI variable policy information.
VARPOLICY [-p] [-s] [-v]
-p - The policy flag will print variable policy info for each variable.
-s - The stats flag will print overall UEFI variable policy statistics.
-v - The verbose flag indicates all known information should be printed.
This includes a dump of the corresponding UEFI variable data in
addition to all other UEFI variable policy information.
EXAMPLES:
* To dump all active UEFI variables:
fs0:\> varpolicy
* To include UEFI variable policy information:
varpolicy -p
* To include UEFI variable statistics:
varpolicy -s
Press ENTER to continue or 'Q' break:
---
v3 changes:
- Integrated the dynamic shell command with ArmVirtPkg (Patch 4/4).
- Added recognition of additional UEFI variable namespaces:
- gEfiMemoryTypeInformationGuid
- gMtcVendorGuid
- gShellVariableGuid
- gShellAliasGuid
These were common and standardized well enough it is useful to
print a pretty name instead of "Unknown Vendor".
- Rebased and updated review tags
- Retested the following:
- EFI shell app and dynamic shell command have similar
functionality.
- Dynamic shell command on QEMU Q35 IA32, X64
- With and without SMM
- Dynamic shell command on QEMU ArmVirtPkg AARCH64
- Dynamic shell command on a physical platform with more UEFI
variables present than QEMU (SMM-based)
v2 changes:
- Allow the variable policy dynamic command to also be built as a
standalone EFI app.
- Rebased and updated review tags
Images showing example output are available in the PR:
https://github.com/tianocore/edk2/pull/4835
Cc: Anatol Belski <anbelski@linux.microsoft.com>
Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Ard Biesheuvel <ardb+tianocore@kernel.org>
Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jianyong Wu <jianyong.wu@arm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Julien Grall <julien@xen.org>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Leif Lindholm <quic_llindhol@quicinc.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Sami Mujawar <sami.mujawar@arm.com>
Cc: Zhichao Gao <zhichao.gao@intel.com>
Michael Kubacki (4):
MdeModulePkg/VariablePolicy: Add more granular variable policy
querying
ShellPkg: Add varpolicy dynamic shell command and app
OvmfPkg: Add varpolicy shell command
ArmVirtPkg: Add varpolicy shell command
MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c | 174 +++-
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c | 304 +++++++
MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c | 4 +-
MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c | 346 +++++++-
ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicy.c | 897 ++++++++++++++++++++
ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyApp.c | 59 ++
ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.c | 157 ++++
ArmVirtPkg/ArmVirt.dsc.inc | 4 +
ArmVirtPkg/ArmVirtCloudHv.fdf | 1 +
ArmVirtPkg/ArmVirtQemuFvMain.fdf.inc | 1 +
ArmVirtPkg/ArmVirtXen.fdf | 1 +
MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h | 39 +-
MdeModulePkg/Include/Library/VariablePolicyLib.h | 107 +++
MdeModulePkg/Include/Protocol/VariablePolicy.h | 133 ++-
MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf | 1 +
OvmfPkg/CloudHv/CloudHvX64.dsc | 4 +
OvmfPkg/Microvm/MicrovmX64.dsc | 4 +
OvmfPkg/OvmfPkgIa32.dsc | 4 +
OvmfPkg/OvmfPkgIa32X64.dsc | 4 +
OvmfPkg/OvmfPkgX64.dsc | 4 +
OvmfPkg/OvmfXen.dsc | 4 +
ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicy.h | 129 +++
ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicy.uni | 86 ++
ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyApp.inf | 62 ++
ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf | 61 ++
ShellPkg/ShellPkg.dsc | 5 +
26 files changed, 2549 insertions(+), 46 deletions(-)
create mode 100644 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicy.c
create mode 100644 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyApp.c
create mode 100644 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.c
create mode 100644 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicy.h
create mode 100644 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicy.uni
create mode 100644 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyApp.inf
create mode 100644 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf
--
2.42.0.windows.2
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#110339): https://edk2.groups.io/g/devel/message/110339
Mute This Topic: https://groups.io/mt/102284379/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-
next reply other threads:[~2023-10-30 20:31 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-30 20:31 Michael Kubacki [this message]
2023-10-30 20:31 ` [edk2-devel] [PATCH v3 1/4] MdeModulePkg/VariablePolicy: Add more granular variable policy querying Michael Kubacki
2023-10-30 20:31 ` [edk2-devel] [PATCH v3 2/4] ShellPkg: Add varpolicy dynamic shell command and app Michael Kubacki
2023-10-30 20:31 ` [edk2-devel] [PATCH v3 3/4] OvmfPkg: Add varpolicy shell command Michael Kubacki
2023-10-30 20:31 ` [edk2-devel] [PATCH v3 4/4] ArmVirtPkg: " Michael Kubacki
2023-10-30 22:36 ` Ard Biesheuvel
2023-10-31 13:43 ` Laszlo Ersek
2023-10-31 15:24 ` Laszlo Ersek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231030203112.736-1-mikuback@linux.microsoft.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox