Cool. Thank you Bret! From: Bret Barkelew Sent: Tuesday, April 14, 2020 1:25 PM To: Michael Kubacki ; Yao, Jiewen ; devel@edk2.groups.io Cc: Zhang, Chao B ; Wang, Jian J ; Wu, Hao A ; Gao, Liming Subject: RE: [EXTERNAL] Re: [PATCH v1 0/9] Add the VariablePolicy feature Jiewen, Thanks (as always 😉) for the feedback! I’ll consider how best to address this and provide an update later this week after some others have had a chance to look at it. - Bret From: Michael Kubacki Sent: Monday, April 13, 2020 10:17 AM To: Yao, Jiewen; devel@edk2.groups.io Cc: Zhang, Chao B; Wang, Jian J; Wu, Hao A; Gao, Liming; Bret Barkelew Subject: [EXTERNAL] Re: [PATCH v1 0/9] Add the VariablePolicy feature This particular series was Bret's work so I'll let him speak to it. Thanks, Michael On 4/10/2020 7:24 PM, Yao, Jiewen wrote: > Hi Michael > Thanks for the work. > > I remember the feedback before that I have concern on having an API to *DisableVariablePolicy*, and I prefer we have a way to disable the *DisableVariablePolicy*. > > May I know how that is addressed in this patch? > > Thank you > Yao Jiewen > > > > >> -----Original Message----- >> From: michael.kubacki@outlook.com > >> Sent: Saturday, April 11, 2020 2:36 AM >> To: devel@edk2.groups.io >> Cc: Yao, Jiewen >; Zhang, Chao B >> >; Wang, Jian J >; Wu, Hao A >> >; Gao, Liming > >> Subject: [PATCH v1 0/9] Add the VariablePolicy feature >> >> From: Michael Kubacki > >> >> REF:https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.tianocore.org%2Fshow_bug.cgi%3Fid%3D2522&data=02%7C01%7CBret.Barkelew%40microsoft.com%7Ce2e70011eb234e05925108d7dfce776d%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637223950173802418&sdata=qALCkFg05umllXL46sG5nAMmst99oyLYbyGSsqEWYtY%3D&reserved=0 >> >> The 9 patches in this series add the VariablePolicy feature to the core, >> deprecate Edk2VarLock (while adding a compatibility layer to reduce code >> churn), and integrate the VariablePolicy libraries and protocols into >> Variable Services. >> >> Since the integration requires multiple changes, including adding libraries, >> a protocol, an SMI communication handler, and VariableServices integration, >> the patches are broken up by individual library additions and then a final >> integration. Security-sensitive changes like bypassing Authenticated >> Variable enforcement are also broken out into individual patches so that >> attention can be called directly to them. >> >> The discussion of the feature can be found in multiple places throughout >> the last year on the RFC channel, staging branches, and in devel. >> >> Most recently, this subject was discussed in this thread: >> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fedk2.groups.io%2Fg%2Fdevel%2Fmessage%2F53712&data=02%7C01%7CBret.Barkelew%40microsoft.com%7Ce2e70011eb234e05925108d7dfce776d%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637223950173802418&sdata=HupEk9iq0qxeXA5NYCNFoUV0uXa%2BvqYV81UX76bH9eQ%3D&reserved=0 >> (the code branches shared in that discussion are now out of date, but the >> whitepapers and discussion are relevant). >> >> On a separate note, shallow threading might not work on this patch series >> due to changes made by the SMTP server. Please bear with me while I am >> investigating if this can be changed. >> >> Cc: Jiewen Yao > >> Cc: Chao Zhang > >> Cc: Jian J Wang > >> Cc: Hao A Wu > >> Cc: Liming Gao > >> Signed-off-by: Bret Barkelew > >> Signed-off-by: Michael Kubacki > >> >> Bret Barkelew (9): >> MdeModulePkg: Define the VariablePolicy protocol interface >> MdeModulePkg: Define the VariablePolicyLib >> MdeModulePkg: Define the VariablePolicyHelperLib >> MdeModulePkg: Define the VarCheckPolicyLib and SMM interface >> MdeModulePkg: Connect VariablePolicy business logic to >> VariableServices >> MdeModulePkg: Allow VariablePolicy state to delete protected variables >> SecurityPkg: Allow VariablePolicy state to delete authenticated >> variables >> MdeModulePkg: Change TCG MOR variables to use VariablePolicy >> MdeModulePkg: Drop VarLock from RuntimeDxe variable driver >> >> MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c >> | 211 ++ >> MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.c >> | 396 ++++ >> MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c | >> 773 +++++++ >> >> MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicy >> UnitTest.c | 2285 ++++++++++++++++++++ >> MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c >> | 52 +- >> MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c >> | 60 +- >> MdeModulePkg/Universal/Variable/RuntimeDxe/VarCheck.c >> | 49 +- >> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c >> | 51 + >> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableLockRequstToLock.c >> | 71 + >> MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c >> | 445 ++++ >> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c >> | 15 + >> SecurityPkg/Library/AuthVariableLib/AuthService.c | 22 >> +- >> MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h | >> 43 + >> MdeModulePkg/Include/Library/VariablePolicyHelperLib.h | >> 164 ++ >> MdeModulePkg/Include/Library/VariablePolicyLib.h | 206 >> ++ >> MdeModulePkg/Include/Protocol/VariablePolicy.h | 156 >> ++ >> MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf >> | 44 + >> MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.uni >> | 12 + >> MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf >> | 36 + >> MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.uni >> | 12 + >> MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf | >> 38 + >> MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.uni >> | 12 + >> >> MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicy >> UnitTest.inf | 41 + >> MdeModulePkg/MdeModulePkg.dec | 17 +- >> MdeModulePkg/MdeModulePkg.dsc | 7 + >> MdeModulePkg/Test/MdeModulePkgHostTest.dsc | >> 8 + >> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf >> | 5 + >> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf >> | 4 + >> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf >> | 8 + >> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf >> | 4 + >> SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf | 2 >> + >> 31 files changed, 5172 insertions(+), 77 deletions(-) >> create mode 100644 >> MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c >> create mode 100644 >> MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.c >> create mode 100644 >> MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c >> create mode 100644 >> MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicy >> UnitTest.c >> create mode 100644 >> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableLockRequstToLock.c >> create mode 100644 >> MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c >> create mode 100644 MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h >> create mode 100644 MdeModulePkg/Include/Library/VariablePolicyHelperLib.h >> create mode 100644 MdeModulePkg/Include/Library/VariablePolicyLib.h >> create mode 100644 MdeModulePkg/Include/Protocol/VariablePolicy.h >> create mode 100644 >> MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf >> create mode 100644 >> MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.uni >> create mode 100644 >> MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf >> create mode 100644 >> MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.uni >> create mode 100644 >> MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf >> create mode 100644 >> MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.uni >> create mode 100644 >> MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicy >> UnitTest.inf >> >> -- >> 2.16.3.windows.1 >