From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from us-smtp-1.mimecast.com (us-smtp-1.mimecast.com [205.139.110.120])
 by mx.groups.io with SMTP id smtpd.web11.4436.1589285738642793787
 for <devel@edk2.groups.io>;
 Tue, 12 May 2020 05:15:38 -0700
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=jEEob0VR;
 spf=pass (domain: redhat.com, ip: 205.139.110.120, mailfrom: lersek@redhat.com)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1589285737;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=6D53/PhuDREfh82T7Pi7MefB8TeLBkS4H7PyNuuns1w=;
	b=jEEob0VR5yr+MHsWuWrdIhzvkYkVht1QtIXDG9SztxiiVgp+zb3uhfM8SoIrNzNaxVnfBm
	QhhLe5YZ3KxFf0OI+c2TuNVBqBalv76QAm6OZ1En1i0xSbOZhdH8vnX6d2E5Qv3C3YLq6K
	vTK/M/1b0Mif8B02mx/A2En0rJWawjw=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-270-SPmuaO5kPSyhCM388GXnFw-1; Tue, 12 May 2020 08:15:28 -0400
X-MC-Unique: SPmuaO5kPSyhCM388GXnFw-1
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 9738A80B70D;
	Tue, 12 May 2020 12:15:26 +0000 (UTC)
Received: from lacos-laptop-7.usersys.redhat.com (ovpn-114-120.ams2.redhat.com [10.36.114.120])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 127B05C1B5;
	Tue, 12 May 2020 12:15:22 +0000 (UTC)
Subject: Re: [edk2-devel] [PATCH v2 00/12] Add the VariablePolicy feature
From: "Laszlo Ersek" <lersek@redhat.com>
To: devel@edk2.groups.io, michael.kubacki@outlook.com
Cc: Jiewen Yao <jiewen.yao@intel.com>, Chao Zhang <chao.b.zhang@intel.com>,
 Jian J Wang <jian.j.wang@intel.com>, Hao A Wu <hao.a.wu@intel.com>,
 Liming Gao <liming.gao@intel.com>, Jordan Justen
 <jordan.l.justen@intel.com>, Ard Biesheuvel <ard.biesheuvel@arm.com>,
 Andrew Fish <afish@apple.com>, Ray Ni <ray.ni@intel.com>,
 Anthony Perard <anthony.perard@citrix.com>, Julien Grall <julien@xen.org>,
 Maurice Ma <maurice.ma@intel.com>, Guo Dong <guo.dong@intel.com>,
 Benjamin You <benjamin.you@intel.com>
References: <MWHPR07MB3440F5CB92F0D7DCF94AA14FE9BE0@MWHPR07MB3440.namprd07.prod.outlook.com>
 <11a89bca-ea96-9ba0-2177-e995b98e6943@redhat.com>
Message-ID: <6d21e1a2-f0e7-35a0-7c2e-7798d21f86e9@redhat.com>
Date: Tue, 12 May 2020 14:15:22 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <11a89bca-ea96-9ba0-2177-e995b98e6943@redhat.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Language: en-US
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

On 05/12/20 13:52, Laszlo Ersek wrote:
> On 05/12/20 08:46, Michael Kubacki wrote:
>> From: Michael Kubacki <michael.kubacki@microsoft.com>
>>
>> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2522
>>
>> The 12 patches in this series add the VariablePolicy feature to the core,
>> deprecate Edk2VarLock (while adding a compatibility layer to reduce code
>> churn), and integrate the VariablePolicy libraries and protocols into
>> Variable Services.
>>
>> Since the integration requires multiple changes, including adding libraries,
>> a protocol, an SMI communication handler, and VariableServices integration,
>> the patches are broken up by individual library additions and then a final
>> integration. Security-sensitive changes like bypassing Authenticated
>> Variable enforcement are also broken out into individual patches so that
>> attention can be called directly to them.
>>
>> Platform porting instructions are described in this wiki entry:
>> https://github.com/tianocore/tianocore.github.io/wiki/VariablePolicy-Protocol---Enhanced-Method-for-Managing-Variables#platform-porting
> 
> (1) This wiki article is helpful, thanks.
> 
> I have one remark: there's a heading saying "VarCheckPolicyLib NULL
> Instance":
> 
> https://github.com/tianocore/tianocore.github.io/wiki/VariablePolicy-Protocol---Enhanced-Method-for-Managing-Variables#varcheckpolicylib-null-instance
> 
> I think what's meant is "NULL class", not "NULL instance".
> 
> (2) The following platform DSC files in edk2 include the non-SMM
> variable driver
> ("MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf"),
> but they are not modified by this patch series:
> 
> ArmVirtPkg/ArmVirtQemu.dsc
> ArmVirtPkg/ArmVirtQemuKernel.dsc
> ArmVirtPkg/ArmVirtXen.dsc
> OvmfPkg/OvmfXen.dsc
> UefiPayloadPkg/UefiPayloadPkgIa32.dsc
> UefiPayloadPkg/UefiPayloadPkgIa32X64.dsc
> 
> I'm asking that you please (a) include a patch for ArmVirtPkg, (b)
> update the OvmfPkg patch to cover "OvmfXen.dsc" too.
> 
> Not sure about the UefiPayloadPkg platforms; please ask their maintainers.
> 
> (I've CC'd the OvmfXen and UefiPayloadPkg maintainers/reviewers.)

(3) Could the wiki article please say a few words about what modules are
supposed to turn this mechanism into an actual policy? I.e., what
modules / use cases would consume the new protocol?

In this series, the only INF file that gets a reference to the new
protocol but is not related to the implementation of the protocol is
VariablePolicyFuncTestApp.

Thanks,
Laszlo