From: Ard Biesheuvel
Date: Sat, 28 Oct 2023 09:03:02 +0200
Subject: Re: [edk2-devel] [PATCH v2 0/3] Add Variable Policy Audit App and Shell Command
To: devel@edk2.groups.io, mikuback@linux.microsoft.com
Cc: Anatol Belski, Anthony Perard, Dandan Bi, Gerd Hoffmann, Hao A Wu, Jian J Wang, Jianyong Wu, Jiewen Yao, Jordan Justen, Julien Grall, Liming Gao, Michael D Kinney, Zhichao Gao
In-Reply-To: <20231028011813.131-1-mikuback@linux.microsoft.com>
Reply-To: devel@edk2.groups.io, ardb@kernel.org

On Sat, 28 Oct 2023 at 03:18, Michael Kubacki wrote:
>
> From: Michael Kubacki
>
> Adds a new module (dynamic shell command) to ShellPkg that lists
> variable policy information for all UEFI variables on the system.
>
> Some other UEFI variable related functionality is also included to
> give a greater sense of platform UEFI variable state.
>

Thanks, this looks useful.

For the series,

Reviewed-by: Ard Biesheuvel

Could we add it to ArmVirtPkg as well please?

> Like all dynamic shell commands, a platform only needs to include
> VariablePolicyDynamicCommand.inf in their flash image to have
> the command registered in their UEFI shell.
>
> The shell command is added to OvmfPkg so it is available in an
> easily obtainable virtual platform.
>
> The code can also be built as a standalone EFI application.
>
> This is being made available to ease auditing and enabling of UEFI
> variable policy to encourage its adoption for securing UEFI
> variables.
>
> ---
>
> Command Help:
>
> Lists UEFI variable policy information.
>
> VARPOLICY [-p] [-s] [-v]
>
> -p - The policy flag will print variable policy info for each variable.
>
> -s - The stats flag will print overall UEFI variable policy statistics.
>
> -v - The verbose flag indicates all known information should be printed.
>
> This includes a dump of the corresponding UEFI variable data in
> addition to all other UEFI variable policy information.
>
> EXAMPLES:
>
> * To dump all active UEFI variables:
> fs0:\> varpolicy
>
> * To include UEFI variable policy information:
> varpolicy -p
>
> * To include UEFI variable statistics:
> varpolicy -s
>
> Press ENTER to continue or 'Q' break:
>
> ---
>
> v2 changes:
>
> - Allow the variable policy dynamic command to also be built as a
> standalone EFI app.
>
> Images showing example output are available in the PR:
> https://github.com/tianocore/edk2/pull/4835
>
> Cc: Anatol Belski
> Cc: Anthony Perard
> Cc: Dandan Bi
> Cc: Gerd Hoffmann
> Cc: Hao A Wu
> Cc: Jian J Wang
> Cc: Jianyong Wu
> Cc: Jiewen Yao
> Cc: Jordan Justen
> Cc: Julien Grall
> Cc: Liming Gao
> Cc: Michael D Kinney
> Cc: Zhichao Gao
>
> Michael Kubacki (3):
> MdeModulePkg/VariablePolicy: Add more granular variable policy
> querying
> ShellPkg: Add varpolicy dynamic shell command and app
> OvmfPkg: Add varpolicy shell command
>
> MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c | 174 +++-
> MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c | 304 +++++++
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c | 4 +-
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c | 346 +++++++-
> ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicy.c | 877 ++++++++++++++++++++
> ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyApp.c | 59 ++
> ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.c | 157 ++++
> MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h | 39 +-
> MdeModulePkg/Include/Library/VariablePolicyLib.h | 107 +++
> MdeModulePkg/Include/Protocol/VariablePolicy.h | 133 ++-
> MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf | 1 +
> OvmfPkg/CloudHv/CloudHvX64.dsc | 4 +
> OvmfPkg/Microvm/MicrovmX64.dsc | 4 +
> OvmfPkg/OvmfPkgIa32.dsc | 4 +
> OvmfPkg/OvmfPkgIa32X64.dsc | 4 +
> OvmfPkg/OvmfPkgX64.dsc | 4 +
> OvmfPkg/OvmfXen.dsc | 4 +
> ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicy.h | 126 +++
> ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicy.uni | 86 ++
> ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyApp.inf | 58 ++
> ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf | 57 ++
> ShellPkg/ShellPkg.dsc | 5 +
> 22 files changed, 2511 insertions(+), 46 deletions(-)
> create mode 100644 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicy.c
> create mode 100644 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyApp.c
> create mode 100644 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.c
> create mode 100644 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicy.h
> create mode 100644 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicy.uni
> create mode 100644 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyApp.inf
> create mode 100644 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf
>
> --
> 2.42.0.windows.2
>
> ------------
> Groups.io Links: You receive all messages sent to this group.
> View/Reply Online (#110234): https://edk2.groups.io/g/devel/message/110234
> ------------

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#110238): https://edk2.groups.io/g/devel/message/110238
-=-=-=-=-=-=-=-=-=-=-=-
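Platform integration of the varpolicy command, as an added example that is not part of the series or this thread: a DSC and FDF fragment following the pattern OvmfPkg already uses for its other ShellPkg dynamic commands (for instance TftpDynamicCommand). The `BUILD_SHELL` guard, the placement in the DXE firmware volume and the trailing `build` invocation are assumptions about the target platform and toolchain setup, not something the cover letter states.

```ini
# Added example (not from the patch series): wiring the varpolicy dynamic
# command into a platform build, following the pattern used for other
# ShellPkg dynamic commands. Assumption: the platform gates shell-only
# components on BUILD_SHELL, as OvmfPkg does; drop the !if/!endif otherwise.

# --- Platform .dsc, [Components] section ---
!if $(BUILD_SHELL) == TRUE
  ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf {
    <PcdsFixedAtBuild>
      # A dynamic command registers with the already-running shell, so the
      # ShellLib constructor must not try to initialize a shell of its own.
      gEfiShellPkgTokenSpaceGuid.PcdShellLibAutoInitialize|FALSE
  }
!endif

# --- Platform .fdf, DXE firmware volume (assumed to list DXE drivers directly) ---
!if $(BUILD_SHELL) == TRUE
  INF  ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf
!endif

# Alternative for auditing a platform you cannot reflash: build only the
# standalone application from ShellPkg and run the resulting .efi from the
# shell; no DSC/FDF entry on the target platform is needed for that.
# (Architecture and toolchain come from Conf/target.txt or -a/-t.)
#   build -p ShellPkg/ShellPkg.dsc -m ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyApp.inf
```

Either way, `varpolicy -p -s` (or the standalone app) then reports, per variable, which policy entry covers it, which is the check to run before locking policy on a platform.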