From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [edk2-devel] [PATCH v3 07/14] ArmVirtPkg: Add VariablePolicy engine to ArmVirtPkg platform
To: devel@edk2.groups.io, michael.kubacki@outlook.com
Cc: Ard Biesheuvel, Leif Lindholm, Bret Barkelew
References: <20200521224331.15616-1-michael.kubacki@outlook.com>
From: "Laszlo Ersek"
Message-ID: <43be80eb-84a7-02ad-46e3-4fd3873e0308@redhat.com>
Date: Fri, 22 May 2020 23:47:03 +0200

Hi,

On 05/22/20 00:43, Michael Kubacki wrote:
> From: Bret Barkelew > > https://bugzilla.tianocore.org/show_bug.cgi?id=2522 > > Cc: Laszlo Ersek > Cc: Ard Biesheuvel > Cc: Leif Lindholm > Cc: Bret Barkelew > Signed-off-by: Michael Kubacki > --- > ArmVirtPkg/ArmVirt.dsc.inc | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/ArmVirtPkg/ArmVirt.dsc.inc b/ArmVirtPkg/ArmVirt.dsc.inc > index cf44fc73890b..ee965e72b075 100644 > --- a/ArmVirtPkg/ArmVirt.dsc.inc > +++ b/ArmVirtPkg/ArmVirt.dsc.inc > @@ -2,6 +2,7 @@ > # Copyright (c) 2011-2015, ARM Limited. All rights reserved. > # Copyright (c) 2014, Linaro Limited. All rights reserved. > # Copyright (c) 2015 - 2018, Intel Corporation. All rights reserved. > +# Copyright (c) Microsoft Corporation. > # > # SPDX-License-Identifier: BSD-2-Clause-Patent > # > @@ -173,6 +174,8 @@ [LibraryClasses.common] > AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLibNull.inf > !endif > VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf > + VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf > + VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf > UefiBootManagerLib|MdeModulePkg/Library/UefiBootManagerLib/UefiBootManagerLib.inf > > ReportStatusCodeLib|MdePkg/Library/BaseReportStatusCodeLibNull/BaseReportStatusCodeLibNull.inf 
> @@ -246,6 +249,7 @@ [LibraryClasses.common.DXE_RUNTIME_DRIVER] > !if $(TARGET) != RELEASE > DebugLib|MdePkg/Library/DxeRuntimeDebugLibSerialPort/DxeRuntimeDebugLibSerialPort.inf > !endif > + VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf > > !if $(SECURE_BOOT_ENABLE) == TRUE > BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf > @@ -301,6 +305,9 @@ [PcdsFixedAtBuild.common] > gEfiMdePkgTokenSpaceGuid.PcdDebugPropertyMask|0x2f > !endif > > + # Optional: Omit if VariablePolicy should be always-on. > + gEfiMdeModulePkgTokenSpaceGuid.PcdAllowVariablePolicyEnforcementDisable|TRUE > + > # DEBUG_INIT 0x00000001 // Initialization > # DEBUG_WARN 0x00000002 // Warnings > # DEBUG_LOAD 0x00000004 // Load events >

(1) Similarly to my OvmfPkg request, please remove the PcdAllowVariablePolicyEnforcementDisable=TRUE setting. The default should be secure, as described in:

https://github.com/tianocore/tianocore.github.io/wiki/VariablePolicy-Protocol---Enhanced-Method-for-Managing-Variables#pcdallowvariablepolicyenforcementdisable

otherwise, the patch looks OK to me.

Thanks!
Laszlo
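
Review bot: The VariablePolicyLibRuntimeDxe.inf mapping added under [LibraryClasses.common.DXE_RUNTIME_DRIVER] (hunk @@ -246,6 +249,7 @@) sits directly after the `!endif` that closes the `!if $(TARGET) != RELEASE` DebugLib block, with no blank line or comment, so it is easy to misread as part of the debug-only group although it applies to every target. Separate it with a blank line and add a one-line comment saying that it overrides the VariablePolicyLib instance mapped under [LibraryClasses.common] for runtime drivers.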
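
Review bot: The `gEfiMdeModulePkgTokenSpaceGuid.PcdAllowVariablePolicyEnforcementDisable|TRUE` assignment added under [PcdsFixedAtBuild.common] (hunk @@ -301,6 +305,9 @@) is not inside any `!if`, so every build that pulls in ArmVirt.dsc.inc, RELEASE included, permits variable policy enforcement to be disabled. The added comment ("Optional: Omit if VariablePolicy should be always-on.") makes the always-on configuration the one a platform has to opt into by editing the file. Drop the three added lines so the PCD falls back to its declared default, or, if a disable path is wanted for testing, wrap the assignment in an `!if` on a build define that is off unless explicitly passed.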