From: "Laszlo Ersek" <lersek@redhat.com>
To: devel@edk2.groups.io, michael.kubacki@outlook.com
Cc: Jordan Justen <jordan.l.justen@intel.com>,
Ard Biesheuvel <ard.biesheuvel@arm.com>,
Bret Barkelew <brbarkel@microsoft.com>
Subject: Re: [edk2-devel] [PATCH v3 05/14] OvmfPkg: Add VariablePolicy engine to OvmfPkg platform
Date: Fri, 22 May 2020 23:41:08 +0200 [thread overview]
Message-ID: <2e4a7b3c-a732-48bd-27b2-d3aef4b1690a@redhat.com> (raw)
In-Reply-To: <MWHPR07MB34408EF372162D45FB5BCB52E9B70@MWHPR07MB3440.namprd07.prod.outlook.com>
Hello Michael / Bret,
I don't understand the (lack of) updates in this patch:
On 05/22/20 00:43, Michael Kubacki wrote:
> From: Bret Barkelew <brbarkel@microsoft.com>
>
> https://bugzilla.tianocore.org/show_bug.cgi?id=2522
>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
> Cc: Bret Barkelew <brbarkel@microsoft.com>
> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
> ---
> OvmfPkg/OvmfPkgIa32.dsc | 8 ++++++++
> OvmfPkg/OvmfPkgIa32X64.dsc | 8 ++++++++
> OvmfPkg/OvmfPkgX64.dsc | 8 ++++++++
> OvmfPkg/OvmfXen.dsc | 7 +++++++
My request (1) under the corresponding v2 patch was to include the
OvmfXen.dsc platform in the modifications. That request has been addressed.
Please find said v2 feedback from me here:
http://mid.mail-archive.com/a0e0e3d4-6712-078a-4d95-29408109b0b0@redhat.com
(Alternative link: <https://edk2.groups.io/g/devel/message/59271>.)
However:
> 4 files changed, 31 insertions(+)
>
> diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
> index cbc5f0e583bc..2c64591f88a3 100644
> --- a/OvmfPkg/OvmfPkgIa32.dsc
> +++ b/OvmfPkg/OvmfPkgIa32.dsc
> @@ -3,6 +3,7 @@
> #
> # Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR>
> # (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
> +# Copyright (c) Microsoft Corporation.<BR>
> #
> # SPDX-License-Identifier: BSD-2-Clause-Patent
> #
> @@ -194,6 +195,8 @@ [LibraryClasses]
> AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
> !endif
> VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
> + VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
> + VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
>
>
> #
> @@ -327,6 +330,7 @@ [LibraryClasses.common.DXE_RUNTIME_DRIVER]
> BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
> QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
> + VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf
>
> [LibraryClasses.common.UEFI_DRIVER]
> PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
> @@ -480,6 +484,9 @@ [PcdsFixedAtBuild]
> gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVolatileVariableSize|0x40000
> !endif
>
> + # Optional: Omit if VariablePolicy should be always-on.
> + gEfiMdeModulePkgTokenSpaceGuid.PcdAllowVariablePolicyEnforcementDisable|TRUE
> +
My request (2) in the same message was to drop this PCD setting. That
request has not been addressed.
So I'm now confused -- based on addressing (1), it seems like my v2
review has been processed. But then, why was my request (2) silently
ignored? Did you miss it somehow?
... Maybe you entirely missed my message that I posted in response to
version 2 of this specific patch (i.e. you may have fully missed the
message I link at the top). That could be the case because I mentioned
"OvmfXen.dsc" under the v2 blurb as well. So perhaps you only read my
feedback to the blurb.
In v4, please remove the "PcdAllowVariablePolicyEnforcementDisable"
setting. The reason why I'm requesting that is captured in my v2
feedback (see link near the top).
Thanks,
Laszlo
> gEfiMdeModulePkgTokenSpaceGuid.PcdVpdBaseAddress|0x0
>
> gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x07
> @@ -921,6 +928,7 @@ [Components]
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf {
> <LibraryClasses>
> NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf
> + NULL|MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf
> }
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
>
> diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
> index 6d69cc6cb56f..99527e03b9d0 100644
> --- a/OvmfPkg/OvmfPkgIa32X64.dsc
> +++ b/OvmfPkg/OvmfPkgIa32X64.dsc
> @@ -3,6 +3,7 @@
> #
> # Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR>
> # (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
> +# Copyright (c) Microsoft Corporation.<BR>
> #
> # SPDX-License-Identifier: BSD-2-Clause-Patent
> #
> @@ -198,6 +199,8 @@ [LibraryClasses]
> AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
> !endif
> VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
> + VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
> + VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
>
>
> #
> @@ -331,6 +334,7 @@ [LibraryClasses.common.DXE_RUNTIME_DRIVER]
> BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
> QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
> + VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf
>
> [LibraryClasses.common.UEFI_DRIVER]
> PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
> @@ -484,6 +488,9 @@ [PcdsFixedAtBuild]
> gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVolatileVariableSize|0x40000
> !endif
>
> + # Optional: Omit if VariablePolicy should be always-on.
> + gEfiMdeModulePkgTokenSpaceGuid.PcdAllowVariablePolicyEnforcementDisable|TRUE
> +
> gEfiMdeModulePkgTokenSpaceGuid.PcdVpdBaseAddress|0x0
>
> gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x07
> @@ -934,6 +941,7 @@ [Components.X64]
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf {
> <LibraryClasses>
> NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf
> + NULL|MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf
> }
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
>
> diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
> index 5ad4f461ce52..4a6b18d7899d 100644
> --- a/OvmfPkg/OvmfPkgX64.dsc
> +++ b/OvmfPkg/OvmfPkgX64.dsc
> @@ -3,6 +3,7 @@
> #
> # Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR>
> # (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
> +# Copyright (c) Microsoft Corporation.<BR>
> #
> # SPDX-License-Identifier: BSD-2-Clause-Patent
> #
> @@ -198,6 +199,8 @@ [LibraryClasses]
> AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
> !endif
> VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
> + VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
> + VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
>
>
> #
> @@ -331,6 +334,7 @@ [LibraryClasses.common.DXE_RUNTIME_DRIVER]
> BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
> QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
> + VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf
>
> [LibraryClasses.common.UEFI_DRIVER]
> PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
> @@ -484,6 +488,9 @@ [PcdsFixedAtBuild]
> gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVolatileVariableSize|0x40000
> !endif
>
> + # Optional: Omit if VariablePolicy should be always-on.
> + gEfiMdeModulePkgTokenSpaceGuid.PcdAllowVariablePolicyEnforcementDisable|TRUE
> +
> gEfiMdeModulePkgTokenSpaceGuid.PcdVpdBaseAddress|0x0
>
> gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x07
> @@ -932,6 +939,7 @@ [Components]
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf {
> <LibraryClasses>
> NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf
> + NULL|MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf
> }
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf
>
> diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc
> index 47ee8db8b884..c2d476133b9d 100644
> --- a/OvmfPkg/OvmfXen.dsc
> +++ b/OvmfPkg/OvmfXen.dsc
> @@ -3,6 +3,7 @@
> #
> # Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR>
> # (C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
> +# Copyright (c) Microsoft Corporation.<BR>
> # Copyright (c) 2019, Citrix Systems, Inc.
> #
> # SPDX-License-Identifier: BSD-2-Clause-Patent
> @@ -182,6 +183,8 @@ [LibraryClasses]
>
> AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
> VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
> + VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
> + VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
>
>
> #
> @@ -301,6 +304,7 @@ [LibraryClasses.common.DXE_RUNTIME_DRIVER]
> BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf
> QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf
> + VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf
>
> [LibraryClasses.common.UEFI_DRIVER]
> PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf
> @@ -394,6 +398,9 @@ [PcdsFixedAtBuild]
> gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVolatileVariableSize|0x40000
> !endif
>
> + # Optional: Omit if VariablePolicy should be always-on.
> + gEfiMdeModulePkgTokenSpaceGuid.PcdAllowVariablePolicyEnforcementDisable|TRUE
> +
> gEfiMdeModulePkgTokenSpaceGuid.PcdVpdBaseAddress|0x0
>
> gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x07
>
next prev parent reply other threads:[~2020-05-22 21:41 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20200521224331.15616-1-michael.kubacki@outlook.com>
2020-05-21 22:43 ` [PATCH v3 01/14] MdeModulePkg: Define the VariablePolicy protocol interface Michael Kubacki
2020-05-21 22:43 ` [PATCH v3 02/14] MdeModulePkg: Define the VariablePolicyLib Michael Kubacki
2020-05-21 22:43 ` [PATCH v3 03/14] MdeModulePkg: Define the VariablePolicyHelperLib Michael Kubacki
2020-05-21 22:43 ` [PATCH v3 04/14] MdeModulePkg: Define the VarCheckPolicyLib and SMM interface Michael Kubacki
2020-05-21 22:43 ` [PATCH v3 05/14] OvmfPkg: Add VariablePolicy engine to OvmfPkg platform Michael Kubacki
2020-05-22 21:41 ` Laszlo Ersek [this message]
2020-05-22 22:35 ` [EXTERNAL] Re: [edk2-devel] " Bret Barkelew
2020-05-25 18:02 ` Laszlo Ersek
2020-05-21 22:43 ` [PATCH v3 06/14] EmulatorPkg: Add VariablePolicy engine to EmulatorPkg platform Michael Kubacki
2020-05-21 22:43 ` [PATCH v3 07/14] ArmVirtPkg: Add VariablePolicy engine to ArmVirtPkg platform Michael Kubacki
2020-05-22 21:47 ` [edk2-devel] " Laszlo Ersek
2020-05-21 22:43 ` [PATCH v3 08/14] UefiPayloadPkg: Add VariablePolicy engine to UefiPayloadPkg platform Michael Kubacki
2020-05-22 0:29 ` [edk2-devel] " Ma, Maurice
2020-05-21 22:43 ` [PATCH v3 09/14] MdeModulePkg: Connect VariablePolicy business logic to VariableServices Michael Kubacki
2020-05-22 20:29 ` [edk2-devel] " Laszlo Ersek
2020-05-21 22:43 ` [PATCH v3 10/14] MdeModulePkg: Allow VariablePolicy state to delete protected variables Michael Kubacki
2020-05-21 22:43 ` [PATCH v3 11/14] SecurityPkg: Allow VariablePolicy state to delete authenticated variables Michael Kubacki
2020-05-21 22:43 ` [PATCH v3 12/14] MdeModulePkg: Change TCG MOR variables to use VariablePolicy Michael Kubacki
2020-05-21 22:43 ` [PATCH v3 13/14] MdeModulePkg: Drop VarLock from RuntimeDxe variable driver Michael Kubacki
2020-05-21 22:43 ` [PATCH v3 14/14] MdeModulePkg: Add a shell-based functional test for VariablePolicy Michael Kubacki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2e4a7b3c-a732-48bd-27b2-d3aef4b1690a@redhat.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox