Subject: Re: [edk2-devel] [PATCH v2 00/12] Add the VariablePolicy feature
From: "Laszlo Ersek"
To: devel@edk2.groups.io, michael.kubacki@outlook.com
Cc: Jiewen Yao, Chao Zhang, Jian J Wang, Hao A Wu, Liming Gao, Jordan Justen, Ard Biesheuvel, Andrew Fish, Ray Ni, Anthony Perard, Julien Grall, Maurice Ma, Guo Dong, Benjamin You
Date: Tue, 12 May 2020 14:15:22 +0200
Message-ID: <6d21e1a2-f0e7-35a0-7c2e-7798d21f86e9@redhat.com>
In-Reply-To: <11a89bca-ea96-9ba0-2177-e995b98e6943@redhat.com>
References: <11a89bca-ea96-9ba0-2177-e995b98e6943@redhat.com>

On 05/12/20 13:52, Laszlo Ersek wrote:
> On 05/12/20 08:46, Michael Kubacki wrote:
>> From: Michael Kubacki
>>
>> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2522
>>
>> The 12 patches in this series add the VariablePolicy feature to the core,
>> deprecate Edk2VarLock (while adding a compatibility layer to reduce code
>> churn), and integrate the VariablePolicy libraries and protocols into
>> Variable Services.
>>
>> Since the integration requires multiple changes, including adding libraries,
>> a protocol, an SMI communication handler, and VariableServices integration,
>> the patches are broken up by individual library additions and then a final
>> integration. Security-sensitive changes like bypassing Authenticated
>> Variable enforcement are also broken out into individual patches so that
>> attention can be called directly to them.
>>
>> Platform porting instructions are described in this wiki entry:
>> https://github.com/tianocore/tianocore.github.io/wiki/VariablePolicy-Protocol---Enhanced-Method-for-Managing-Variables#platform-porting
>
> (1) This wiki article is helpful, thanks.
>
> I have one remark: there's a heading saying "VarCheckPolicyLib NULL
> Instance":
>
> https://github.com/tianocore/tianocore.github.io/wiki/VariablePolicy-Protocol---Enhanced-Method-for-Managing-Variables#varcheckpolicylib-null-instance
>
> I think what's meant is "NULL class", not "NULL instance".
>
> (2) The following platform DSC files in edk2 include the non-SMM
> variable driver
> ("MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf"),
> but they are not modified by this patch series:
>
> ArmVirtPkg/ArmVirtQemu.dsc
> ArmVirtPkg/ArmVirtQemuKernel.dsc
> ArmVirtPkg/ArmVirtXen.dsc
> OvmfPkg/OvmfXen.dsc
> UefiPayloadPkg/UefiPayloadPkgIa32.dsc
> UefiPayloadPkg/UefiPayloadPkgIa32X64.dsc
>
> I'm asking that you please (a) include a patch for ArmVirtPkg, (b)
> update the OvmfPkg patch to cover "OvmfXen.dsc" too.
>
> Not sure about the UefiPayloadPkg platforms; please ask their maintainers.
>
> (I've CC'd the OvmfXen and UefiPayloadPkg maintainers/reviewers.)

(3) Could the wiki article please say a few words about what modules are
supposed to turn this mechanism into an actual policy? I.e., what modules /
use cases would consume the new protocol?

In this series, the only INF file that gets a reference to the new protocol
but is not related to the implementation of the protocol is
VariablePolicyFuncTestApp.

Thanks,
Laszlo