From: "Dandan Bi"
To: "devel@edk2.groups.io", "Bi, Dandan", "bret@corthon.com"
CC: "Yao, Jiewen", "Zhang, Chao B", "Wang, Jian J", "Wu, Hao A", "Gao, Liming", "Justen, Jordan L", Laszlo Ersek, "Ard Biesheuvel", Andrew Fish, "Ni, Ray"
Subject: Re: [edk2-devel] [PATCH v6 00/14] Add the VariablePolicy feature
Date: Tue, 11 Aug 2020 13:52:09 +0000
References: <20200623064104.1908-1-brbarkel@microsoft.com> <161DCDB779DB4B3C.30988@groups.io>
In-Reply-To: <161DCDB779DB4B3C.30988@groups.io>

Hi Bret,

Sorry for the delayed response. Some more comments here:

1. Currently I see that LockVariablePolicy is called at ReadyToBoot by the variable driver. Could we update it to be called at EndOfDxe? We should prevent malicious code from registering policy after EndOfDxe for security concerns. And could we also add a test case to check that the variable policy is locked at EndOfDxe?

2. For patch 4, the SMM communication, some general guidelines for SMI handlers:
a) Check whether the communication buffer is outside SMM and valid.
For this feature, please double check whether the communication buffer is checked. If all the range in the communication buffer has already been checked within the existing edk2 core infrastructure, please also add comments in the code to mention that it has been checked.
b) Should copy the communication buffer to SMRAM before checking the data fields to avoid TOC/TOU attacks.
For this feature, for example, when dumping the variable policy, if malicious code updates the DumpParams->TotalSize in the communication buffer to a smaller one to allocate the PaginationCache buffer, and then updates it to the correct one and dumps the variable policy data into the PaginationCache buffer, it will cause a buffer overflow in this case. So please double check the code and copy the communication buffer into SMRAM to avoid this kind of issue.

3. Did you do any security test for this feature?

4. Currently, LockVariablePolicy can prevent RegisterVariablePolicy and DisableVariablePolicy. So in the SMI handler, could we first check whether the variable policy is locked or not and then decide whether we need to check and execute VAR_CHECK_POLICY_COMMAND_REGISTER and VAR_CHECK_POLICY_COMMAND_DISABLE?

5. Since there is the logic when variable policy is disabled, it will permit deletion of auth/protected variables.
Could we add some comments in the code to mention that variable policy should always be enabled for security concerns, to avoid giving a bad example?

Thanks,
Dandan

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Dandan Bi
> Sent: Thursday, July 2, 2020 10:14 AM
> To: devel@edk2.groups.io; bret@corthon.com
> Cc: Yao, Jiewen; Zhang, Chao B; Wang, Jian J; Wu, Hao A; Gao, Liming;
> Justen, Jordan L; Laszlo Ersek; Ard Biesheuvel; Andrew Fish; Ni, Ray
> Subject: Re: [edk2-devel] [PATCH v6 00/14] Add the VariablePolicy feature
>
> Hi Bret,
>
> Thanks for the contribution.
>
> I have taken an overview of this patch series and have some small comments
> in the related patches, please check in sub-patch.
>
> I will review the patch series in more detail and bring more comments back
> if I have any. Do you have a branch for these patches in GitHub? That should
> be easy for review.
>
> Thanks,
> Dandan
>
> > -----Original Message-----
> > From: devel@edk2.groups.io On Behalf Of Bret Barkelew
> > Sent: Tuesday, June 23, 2020 2:41 PM
> > To: devel@edk2.groups.io
> > Cc: Yao, Jiewen; Zhang, Chao B; Wang, Jian J; Wu, Hao A; Gao, Liming;
> > Justen, Jordan L; Laszlo Ersek; Ard Biesheuvel; Andrew Fish; Ni, Ray
> > Subject: [edk2-devel] [PATCH v6 00/14] Add the VariablePolicy feature
> >
> > REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2522
> >
> > The 14 patches in this series add the VariablePolicy feature to the
> > core, deprecate Edk2VarLock (while adding a compatibility layer to
> > reduce code churn), and integrate the VariablePolicy libraries and
> > protocols into Variable Services.
> >
> > Since the integration requires multiple changes, including adding
> > libraries, a protocol, an SMI communication handler, and
> > VariableServices integration, the patches are broken up by individual
> > library additions and then a final integration.
> > Security-sensitive changes like bypassing Authenticated Variable
> > enforcement are also broken out into individual patches so that
> > attention can be called directly to them.
> >
> > Platform porting instructions are described in this wiki entry:
> > https://github.com/tianocore/tianocore.github.io/wiki/VariablePolicy-Protocol---Enhanced-Method-for-Managing-Variables#platform-porting
> >
> > Discussion of the feature can be found in multiple places throughout
> > the last year on the RFC channel, staging branches, and in devel.
> >
> > Most recently, this subject was discussed in this thread:
> > https://edk2.groups.io/g/devel/message/53712
> > (the code branches shared in that discussion are now out of date, but
> > the whitepapers and discussion are relevant).
> >
> > Cc: Jiewen Yao
> > Cc: Chao Zhang
> > Cc: Jian J Wang
> > Cc: Hao A Wu
> > Cc: Liming Gao
> > Cc: Jordan Justen
> > Cc: Laszlo Ersek
> > Cc: Ard Biesheuvel
> > Cc: Andrew Fish
> > Cc: Ray Ni
> > Cc: Bret Barkelew
> > Signed-off-by: Bret Barkelew
> >
> > v6 changes:
> > * Fix an issue with uninitialized Status in InitVariablePolicyLib()
> >   and DeinitVariablePolicyLib()
> > * Fix GCC building in shell-based functional test
> > * Rebase on latest origin/master
> >
> > v5 changes:
> > * Fix the CONST mismatch in VariablePolicy.h and
> >   VariablePolicySmmDxe.c
> > * Fix EFIAPI mismatches in the functional unittest
> > * Rebase on latest origin/master
> >
> > v4 changes:
> > * Remove Optional PcdAllowVariablePolicyEnforcementDisable PCD from
> >   platforms
> > * Rebase on master
> > * Migrate to new MmCommunicate2 protocol
> > * Fix an oversight in the default return value for
> >   InitMmCommonCommBuffer
> > * Fix in VariablePolicyLib to allow ExtraInitRuntimeDxe to consume
> >   variables
> >
> > V3 changes:
> > * Address all non-unittest issues with ECC
> > * Make additional style changes
> > * Include section name in hunk headers in "ini-style" files
> > * Remove requirement for the
> >   EdkiiPiSmmCommunicationsRegionTable driver
> >   (now allocates its own buffer)
> > * Change names from VARIABLE_POLICY_PROTOCOL and
> >   gVariablePolicyProtocolGuid
> >   to EDKII_VARIABLE_POLICY_PROTOCOL and
> >   gEdkiiVariablePolicyProtocolGuid
> > * Fix GCC warning about initializing externs
> > * Add UNI strings for new PCD
> > * Add patches for ArmVirtPkg, OvmfXen, and UefiPayloadPkg
> > * Reorder patches according to Liming's feedback about adding to
> >   platforms before changing variable driver
> >
> > V2 changes:
> > * Fixed implementation for RuntimeDxe
> > * Add PCD to block DisableVariablePolicy
> > * Fix the DumpVariablePolicy pagination in SMM
> >
> > Bret Barkelew (14):
> >   MdeModulePkg: Define the VariablePolicy protocol interface
> >   MdeModulePkg: Define the VariablePolicyLib
> >   MdeModulePkg: Define the VariablePolicyHelperLib
> >   MdeModulePkg: Define the VarCheckPolicyLib and SMM interface
> >   OvmfPkg: Add VariablePolicy engine to OvmfPkg platform
> >   EmulatorPkg: Add VariablePolicy engine to EmulatorPkg platform
> >   ArmVirtPkg: Add VariablePolicy engine to ArmVirtPkg platform
> >   UefiPayloadPkg: Add VariablePolicy engine to UefiPayloadPkg platform
> >   MdeModulePkg: Connect VariablePolicy business logic to
> >     VariableServices
> >   MdeModulePkg: Allow VariablePolicy state to delete protected variables
> >   SecurityPkg: Allow VariablePolicy state to delete authenticated
> >     variables
> >   MdeModulePkg: Change TCG MOR variables to use VariablePolicy
> >   MdeModulePkg: Drop VarLock from RuntimeDxe variable driver
> >   MdeModulePkg: Add a shell-based functional test for VariablePolicy
> >
> >  MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c | 320 +++
> >  MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.c | 396 ++++
> >  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitNull.c | 46 +
> >  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitRuntimeDxe.c | 85 +
> >  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c | 816 +++++++
> >  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicyUnitTest.c | 2440 ++++++++++++++++++++
> >  MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/VariablePolicyFuncTestApp.c | 1978 ++++++++++++++++
> >  MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c | 52 +-
> >  MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c | 60 +-
> >  MdeModulePkg/Universal/Variable/RuntimeDxe/VarCheck.c | 49 +-
> >  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c | 53 +
> >  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableLockRequstToLock.c | 71 +
> >  MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c | 642 +++++
> >  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c | 14 +
> >  SecurityPkg/Library/AuthVariableLib/AuthService.c | 22 +-
> >  ArmVirtPkg/ArmVirt.dsc.inc | 4 +
> >  EmulatorPkg/EmulatorPkg.dsc | 3 +
> >  MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h | 54 +
> >  MdeModulePkg/Include/Library/VariablePolicyHelperLib.h | 164 ++
> >  MdeModulePkg/Include/Library/VariablePolicyLib.h | 207 ++
> >  MdeModulePkg/Include/Protocol/VariablePolicy.h | 157 ++
> >  MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf | 42 +
> >  MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.uni | 12 +
> >  MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf | 35 +
> >  MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.uni | 12 +
> >  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf | 44 +
> >  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.uni | 12 +
> >  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf | 51 +
> >  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicyUnitTest.inf | 40 +
> >  MdeModulePkg/MdeModulePkg.ci.yaml | 4 +-
> >  MdeModulePkg/MdeModulePkg.dec | 26 +-
> >  MdeModulePkg/MdeModulePkg.dsc | 15 +
> >  MdeModulePkg/MdeModulePkg.uni | 7 +
> >  MdeModulePkg/Test/MdeModulePkgHostTest.dsc | 11 +
> >  MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/Readme.md | 55 +
> >  MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/VariablePolicyFuncTestApp.inf | 42 +
> >  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf | 5 +
> >  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf | 4 +
> >  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf | 10 +
> >  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf | 4 +
> >  OvmfPkg/OvmfPkgIa32.dsc | 5 +
> >  OvmfPkg/OvmfPkgIa32X64.dsc | 5 +
> >  OvmfPkg/OvmfPkgX64.dsc | 5 +
> >  OvmfPkg/OvmfXen.dsc | 4 +
> >  SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf | 2 +
> >  UefiPayloadPkg/UefiPayloadPkgIa32.dsc | 4 +
> >  UefiPayloadPkg/UefiPayloadPkgIa32X64.dsc | 4 +
> >  47 files changed, 8015 insertions(+), 78 deletions(-)
> >  create mode 100644 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c
> >  create mode 100644 MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.c
> >  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitNull.c
> >  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitRuntimeDxe.c
> >  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c
> >  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicyUnitTest.c
> >  create mode 100644 MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/VariablePolicyFuncTestApp.c
> >  create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableLockRequstToLock.c
> >  create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c
> >  create mode 100644 MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h
> >  create mode 100644 MdeModulePkg/Include/Library/VariablePolicyHelperLib.h
> >  create mode 100644 MdeModulePkg/Include/Library/VariablePolicyLib.h
> >  create mode 100644 MdeModulePkg/Include/Protocol/VariablePolicy.h
> >  create mode 100644 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf
> >  create mode 100644 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.uni
> >  create mode 100644 MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
> >  create mode 100644 MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.uni
> >  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
> >  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.uni
> >  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf
> >  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicyUnitTest.inf
> >  create mode 100644 MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/Readme.md
> >  create mode 100644 MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/VariablePolicyFuncTestApp.inf
> >
> > --
> > 2.26.2.windows.1.8.g01c50adf56.20200515075929
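
The TOC/TOU concern in review comment 2(b) above, as an added example that is not part of the original mail or of the edk2 patch series: a handler that reads the size field twice from the shared buffer, beside one that snapshots it into private memory first. Only the field name TotalSize comes from the mail; DUMP_PARAMS, DUMP_RESULT, RACE_HOOK, POLICY_SIZE and the function names are hypothetical, and a hook stands in for concurrent untrusted code.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for illustration; not the edk2 structures. */
typedef struct { uint32_t TotalSize; } DUMP_PARAMS;      /* lives in the shared buffer */
typedef struct { uint32_t Allocated, Requested; } DUMP_RESULT;

#define POLICY_SIZE 256u                  /* constructed size of the policy table */
static uint8_t mPolicyTable[POLICY_SIZE];

/* Models untrusted code rewriting the shared buffer between two handler reads. */
typedef void (*RACE_HOOK)(volatile DUMP_PARAMS *Shared);
static void RaiseTotalSize(volatile DUMP_PARAMS *Shared) { Shared->TotalSize = POLICY_SIZE; }

static uint32_t Min32(uint32_t A, uint32_t B) { return A < B ? A : B; }

/* Double fetch: TotalSize is read once to size the cache and again to fill it.
   Requested > Allocated in the result means the fill would overflow the cache. */
DUMP_RESULT DumpDoubleFetch(volatile DUMP_PARAMS *Shared, RACE_HOOK Race) {
  DUMP_RESULT R = { 0, 0 };
  R.Allocated = Min32(Shared->TotalSize, POLICY_SIZE);        /* fetch #1: check */
  uint8_t *Cache = malloc(R.Allocated ? R.Allocated : 1);
  if (Cache == NULL) return R;
  if (Race) Race(Shared);                                     /* check-to-use window */
  R.Requested = Min32(Shared->TotalSize, POLICY_SIZE);        /* fetch #2: use */
  /* The demo clamps the copy to stay memory-safe; the flawed pattern would not. */
  memcpy(Cache, mPolicyTable, Min32(R.Requested, R.Allocated));
  free(Cache);
  return R;
}

/* Hardened: snapshot the field into handler-private memory (the SMRAM stand-in),
   validate the snapshot, and use only the snapshot afterwards. */
DUMP_RESULT DumpSingleFetch(volatile DUMP_PARAMS *Shared, RACE_HOOK Race) {
  DUMP_RESULT R = { 0, 0 };
  DUMP_PARAMS Local = { Shared->TotalSize };                  /* the only fetch */
  if (Local.TotalSize == 0 || Local.TotalSize > POLICY_SIZE) return R;
  uint8_t *Cache = malloc(Local.TotalSize);
  if (Cache == NULL) return R;
  R.Allocated = Local.TotalSize;
  if (Race) Race(Shared);                                     /* late writes are ignored */
  R.Requested = Local.TotalSize;
  memcpy(Cache, mPolicyTable, R.Requested);
  free(Cache);
  return R;
}

int main(void) {
  volatile DUMP_PARAMS Shared = { 16 };                       /* constructed request */
  DUMP_RESULT V = DumpDoubleFetch(&Shared, RaiseTotalSize);
  Shared.TotalSize = 16;
  DUMP_RESULT H = DumpSingleFetch(&Shared, RaiseTotalSize);
  printf("double fetch: allocated %u, requested %u\n", (unsigned)V.Allocated, (unsigned)V.Requested);
  printf("single fetch: allocated %u, requested %u\n", (unsigned)H.Allocated, (unsigned)H.Requested);
  return 0;
}
```

A result with Requested greater than Allocated is the condition to assert against in a unit test of a real handler; the snapshot version cannot produce it because the shared buffer is never read again after validation.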