From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from us-smtp-1.mimecast.com (us-smtp-1.mimecast.com [207.211.31.120])
 by mx.groups.io with SMTP id smtpd.web11.22602.1590184031453354084
 for <devel@edk2.groups.io>;
 Fri, 22 May 2020 14:47:11 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=OpkKFnsg;
 spf=pass (domain: redhat.com, ip: 207.211.31.120, mailfrom: lersek@redhat.com)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1590184030;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=k6vWscmbMgBYIbIZXtlscI5KdVMca7amM3r6LG77HnY=;
	b=OpkKFnsghV7kuTm8HQyaFPXknqbczrQSApF7z/vrp/MYTSirF6wNwoP6n/2e8ZYnAxV9/z
	qcLDy0bfYDCrelTvDQrFSIH5d02//0FzPYB8p4kcYcszCfLGCNhp+tcVKnjtX65wcPnhd0
	R9raVeJmHU1NsLL9LM/35Gy+cg9dbR8=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-177-DJsOqkIEMFyIKYXWUBwMLQ-1; Fri, 22 May 2020 17:47:07 -0400
X-MC-Unique: DJsOqkIEMFyIKYXWUBwMLQ-1
Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx01.redhat.com (Postfix) with ESMTPS id EFC778014D4;
	Fri, 22 May 2020 21:47:05 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-112-40.ams2.redhat.com [10.36.112.40])
	by smtp.corp.redhat.com (Postfix) with ESMTP id B0DE31059123;
	Fri, 22 May 2020 21:47:04 +0000 (UTC)
Subject: Re: [edk2-devel] [PATCH v3 07/14] ArmVirtPkg: Add VariablePolicy engine to ArmVirtPkg platform
To: devel@edk2.groups.io, michael.kubacki@outlook.com
Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>, Leif Lindholm
 <leif@nuviainc.com>, Bret Barkelew <brbarkel@microsoft.com>
References: <20200521224331.15616-1-michael.kubacki@outlook.com>
 <MWHPR07MB3440C2470BE70CD5F5A34CFBE9B70@MWHPR07MB3440.namprd07.prod.outlook.com>
From: "Laszlo Ersek" <lersek@redhat.com>
Message-ID: <43be80eb-84a7-02ad-46e3-4fd3873e0308@redhat.com>
Date: Fri, 22 May 2020 23:47:03 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <MWHPR07MB3440C2470BE70CD5F5A34CFBE9B70@MWHPR07MB3440.namprd07.prod.outlook.com>
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Language: en-US
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

Hi,

On 05/22/20 00:43, Michael Kubacki wrote:
> From: Bret Barkelew <brbarkel@microsoft.com>
> 
> https://bugzilla.tianocore.org/show_bug.cgi?id=2522
> 
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
> Cc: Leif Lindholm <leif@nuviainc.com>
> Cc: Bret Barkelew <brbarkel@microsoft.com>
> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
> ---
>  ArmVirtPkg/ArmVirt.dsc.inc | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc
> index cf44fc73890b..ee965e72b075 100644
> --- a/ArmVirtPkg/ArmVirt.dsc.inc
> +++ b/ArmVirtPkg/ArmVirt.dsc.inc
> @@ -2,6 +2,7 @@
>  #  Copyright (c) 2011-2015, ARM Limited. All rights reserved.
>  #  Copyright (c) 2014, Linaro Limited. All rights reserved.
>  #  Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved.
> +#  Copyright (c) Microsoft Corporation.
>  #
>  #  SPDX-License-Identifier: BSD-2-Clause-Patent
>  #
> @@ -173,6 +174,8 @@ [LibraryClasses.common]
>    AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf
>  !endif
>    VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf
> +  VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
> +  VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
>    UefiBootManagerLib|MdeModulePkg/Library/UefiBootManagerLib/UefiBootManagerLib.inf
>  
>    ReportStatusCodeLib|MdePkg/Library/BaseReportStatusCodeLibNull/BaseReportStatusCodeLibNull.inf
> @@ -246,6 +249,7 @@ [LibraryClasses.common.DXE_RUNTIME_DRIVER]
>  !if $(TARGET) != RELEASE
>    DebugLib|MdePkg/Library/DxeRuntimeDebugLibSerialPort/DxeRuntimeDebugLibSerialPort.inf
>  !endif
> +  VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf
>  
>  !if $(SECURE_BOOT_ENABLE) == TRUE
>    BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> @@ -301,6 +305,9 @@ [PcdsFixedAtBuild.common]
>    gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x2f
>  !endif
>  
> +  # Optional: Omit if VariablePolicy should be always-on.
> +  gEfiMdeModulePkgTokenSpaceGuid.PcdAllowVariablePolicyEnforcementDisable|TRUE
> +
>    #  DEBUG_INIT      0x00000001  // Initialization
>    #  DEBUG_WARN      0x00000002  // Warnings
>    #  DEBUG_LOAD      0x00000004  // Load events
> 

(1) Similarly to my OvmfPkg request, please remove the
PcdAllowVariablePolicyEnforcementDisable=TRUE setting. The default
should be secure, as described in:

https://github.com/tianocore/tianocore.github.io/wiki/VariablePolicy-Protocol---Enhanced-Method-for-Managing-Variables#pcdallowvariablepolicyenforcementdisable

otherwise, the patch looks OK to me.

Thanks!
Laszlo