From: "Yao, Jiewen"
To: "michael.kubacki@outlook.com", "devel@edk2.groups.io"
CC: "Zhang, Chao B", "Wang, Jian J", "Wu, Hao A", "Gao, Liming"
Subject: Re: [PATCH v1 0/9] Add the VariablePolicy feature
Date: Sat, 11 Apr 2020 02:24:41 +0000
Message-ID: <74D8A39837DF1E4DA445A8C0B3885C503F9D76C5@shsmsx102.ccr.corp.intel.com>

Hi Michael

Thanks for the work.

I remember the feedback before that I have a concern about having an API to *DisableVariablePolicy*, and I prefer we have a way to disable the *DisableVariablePolicy*.

May I know how that is addressed in this patch?

Thank you
Yao Jiewen

> -----Original Message-----
> From: michael.kubacki@outlook.com
> Sent: Saturday, April 11, 2020 2:36 AM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen; Zhang, Chao B; Wang, Jian J; Wu, Hao A; Gao, Liming
> Subject: [PATCH v1 0/9] Add the VariablePolicy feature
>
> From: Michael Kubacki
>
> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2522
>
> The 9 patches in this series add the VariablePolicy feature to the core,
> deprecate Edk2VarLock (while adding a compatibility layer to reduce code
> churn), and integrate the VariablePolicy libraries and protocols into
> Variable Services.
>
> Since the integration requires multiple changes, including adding libraries,
> a protocol, an SMI communication handler, and VariableServices integration,
> the patches are broken up by individual library additions and then a final
> integration. Security-sensitive changes like bypassing Authenticated
> Variable enforcement are also broken out into individual patches so that
> attention can be called directly to them.
>
> The discussion of the feature can be found in multiple places throughout
> the last year on the RFC channel, staging branches, and in devel.
>
> Most recently, this subject was discussed in this thread:
> https://edk2.groups.io/g/devel/message/53712
> (the code branches shared in that discussion are now out of date, but the
> whitepapers and discussion are relevant).
>
> On a separate note, shallow threading might not work on this patch series
> due to changes made by the SMTP server. Please bear with me while I am
> investigating if this can be changed.
>
> Cc: Jiewen Yao
> Cc: Chao Zhang
> Cc: Jian J Wang
> Cc: Hao A Wu
> Cc: Liming Gao
> Signed-off-by: Bret Barkelew
> Signed-off-by: Michael Kubacki
>
> Bret Barkelew (9):
>   MdeModulePkg: Define the VariablePolicy protocol interface
>   MdeModulePkg: Define the VariablePolicyLib
>   MdeModulePkg: Define the VariablePolicyHelperLib
>   MdeModulePkg: Define the VarCheckPolicyLib and SMM interface
>   MdeModulePkg: Connect VariablePolicy business logic to VariableServices
>   MdeModulePkg: Allow VariablePolicy state to delete protected variables
>   SecurityPkg: Allow VariablePolicy state to delete authenticated variables
>   MdeModulePkg: Change TCG MOR variables to use VariablePolicy
>   MdeModulePkg: Drop VarLock from RuntimeDxe variable driver
>
>  MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c                                  |  211 ++
>  MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.c                      |  396 ++++
>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c                                  |  773 +++++++
>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicyUnitTest.c      | 2285 ++++++++++++++++++++
>  MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c                                  |   52 +-
>  MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c                                  |   60 +-
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VarCheck.c                                       |   49 +-
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c                                    |   51 +
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableLockRequstToLock.c                       |   71 +
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c                           |  445 ++++
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c                          |   15 +
>  SecurityPkg/Library/AuthVariableLib/AuthService.c                                           |   22 +-
>  MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h                                               |   43 +
>  MdeModulePkg/Include/Library/VariablePolicyHelperLib.h                                      |  164 ++
>  MdeModulePkg/Include/Library/VariablePolicyLib.h                                            |  206 ++
>  MdeModulePkg/Include/Protocol/VariablePolicy.h                                              |  156 ++
>  MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf                                |   44 +
>  MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.uni                                |   12 +
>  MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf                    |   36 +
>  MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.uni                    |   12 +
>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf                                |   38 +
>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.uni                                |   12 +
>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicyUnitTest.inf    |   41 +
>  MdeModulePkg/MdeModulePkg.dec                                                               |   17 +-
>  MdeModulePkg/MdeModulePkg.dsc                                                               |    7 +
>  MdeModulePkg/Test/MdeModulePkgHostTest.dsc                                                  |    8 +
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf                           |    5 +
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf                                  |    4 +
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf                        |    8 +
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf                         |    4 +
>  SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf                                     |    2 +
>  31 files changed, 5172 insertions(+), 77 deletions(-)
>  create mode 100644 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c
>  create mode 100644 MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.c
>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c
>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicyUnitTest.c
>  create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableLockRequstToLock.c
>  create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c
>  create mode 100644 MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h
>  create mode 100644 MdeModulePkg/Include/Library/VariablePolicyHelperLib.h
>  create mode 100644 MdeModulePkg/Include/Library/VariablePolicyLib.h
>  create mode 100644 MdeModulePkg/Include/Protocol/VariablePolicy.h
>  create mode 100644 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf
>  create mode 100644 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.uni
>  create mode 100644 MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
>  create mode 100644 MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.uni
>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.uni
>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicyUnitTest.inf
>
> --
> 2.16.3.windows.1