From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from NAM10-BN7-obe.outbound.protection.outlook.com (NAM10-BN7-obe.outbound.protection.outlook.com [40.107.92.135]) by mx.groups.io with SMTP id smtpd.web11.2467.1592378912598032643 for ; Wed, 17 Jun 2020 00:28:32 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@microsoft.com header.s=selector2 header.b=StWU+sFo; spf=pass (domain: microsoft.com, ip: 40.107.92.135, mailfrom: bret.barkelew@microsoft.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=i/Av7fOuCRBQ2cnD3leTzKjuGvBhZ6DV5PrMWFz873dfgqffX3KzyQCUtQBiOePeOUe3DI8h8cqZjGkIo9gSHysDeL/u/cXP3KEZ/yEO2MRrwz85ZoHY2XUdPqsbGB8PMeQQWUj/HK0SC5Xob6fyImBOr+i81+1nZfHwNcktcjVrGjBFYgr/NMNxgLmOcef2MH3Y/Iin6nu6NlAaTW2BIwnopHvvxuPn7taO9RPStofioacflIhk1yKKo05slgyLvmx6ozNobAIBj8M81hW/a0W+TqGgm5bbgMvU++VuRnlx/hj8Gzft7MQNFkM/anr2majjGe7yAuas12VCX8uqug== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=XM/sNjtNXCxCAAC4cfcakdixvX+RcHkdhKkREoanoeM=; b=mcI/Q4JM470+Ll9Z26CnZcZ1oFDoRIfd5PQEOGNq4Lz1qmGk8xZmVi6q6es2wXsHcGmdYJfPBJ9Df5aO9hA3Zw+JwrrTaf6KnPUmhQ39ogwf+QSh0iz6LuDWH1VEdfXySJKouzE+au/btquZsXHBb/vwKK1E22pf1Vh5EqftlLHFIL6SHy5ayEHtL/7D00ej/Wx2NSBXWZUcRz8lxNYqzNGOrQXCAqvWrETBmnb9QJV1dxV8deXQL1pAD18hlpNzgpAeQoNhmq5i5XDxLPr55vJmtFeRmbvEPZtJ0mgkqyrKkE21KI3Qm9WaqOgqRua8V8mWhitaJiyaeganXVrKQQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=XM/sNjtNXCxCAAC4cfcakdixvX+RcHkdhKkREoanoeM=; b=StWU+sFotRACbr1zn/ZE2nMaW3o6sQ78tBZAix0mnXdHgd4tcK7259DYHg146bZcJAVAuTIDHrGmZQLyPja9JIRg7OvJc2Qg35J71mc9SlgkRAvunSPZ29LacLjl0EvQGcbWoYw4514qlAWQ5dGRiDYopj3YFfn4kxpio2bUBm0= Received: from CY4PR21MB0743.namprd21.prod.outlook.com (2603:10b6:903:b2::9) by CY4PR2101MB0865.namprd21.prod.outlook.com (2603:10b6:910:8a::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3131.9; Wed, 17 Jun 2020 07:28:30 +0000 Received: from CY4PR21MB0743.namprd21.prod.outlook.com ([fe80::4ef:d9e:62c:f319]) by CY4PR21MB0743.namprd21.prod.outlook.com ([fe80::f112:82fb:d4fd:f7dd%10]) with mapi id 15.20.3131.009; Wed, 17 Jun 2020 07:28:30 +0000 From: "Bret Barkelew" To: "devel@edk2.groups.io" , "bret@corthon.com" CC: Jian J Wang , Hao A Wu , liming.gao Subject: Re: [EXTERNAL] [edk2-devel] [PATCH v5 01/14] MdeModulePkg: Define the VariablePolicy protocol interface Thread-Topic: [EXTERNAL] [edk2-devel] [PATCH v5 01/14] MdeModulePkg: Define the VariablePolicy protocol interface Thread-Index: AQHWOYy5ZePHGXj7/0WM8v7+PulvbqjcfpTD Date: Wed, 17 Jun 2020 07:28:30 +0000 Message-ID: References: <20200603065810.806-1-brbarkel@microsoft.com>,<20200603065810.806-2-brbarkel@microsoft.com> In-Reply-To: <20200603065810.806-2-brbarkel@microsoft.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-06-17T07:28:27.770Z;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0;MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; authentication-results: edk2.groups.io; dkim=none (message not signed) header.d=none;edk2.groups.io; dmarc=none action=none header.from=microsoft.com; x-originating-ip: [71.212.143.8] x-ms-publictraffictype: Email x-ms-office365-filtering-ht: Tenant x-ms-office365-filtering-correlation-id: 49e7e1cc-f95c-4b08-b192-08d8129008ec x-ms-traffictypediagnostic: CY4PR2101MB0865: x-ld-processed: 72f988bf-86f1-41af-91ab-2d7cd011db47,ExtAddr x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:10000; x-forefront-prvs: 04371797A5 x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: EgMXGXcFQmPGo6ujr5tjp/DM7iWcWpC12/h0hW1438X6od1Ip6/JT6Swk0qa0O8SmY0tKWwa4GRcGI3mbUdH8i1cQfzt+A3DoPh/tW6w+nioYD56pdJ1dm4skEYz+p3qjYS7tEe67IZdPPg/rzhVPa5kZLvRUAvtLdlyNNa+c/1PZbJPuq0Q/eRBZq8Spi1y0xisyO2WuSpq+qkzzBQYtpPfSTE0phA07Fe1lB2AJzo+gmC0wo7jnpsY70lVAkJdtgavKfS2sylaAqT7vD9h+PeDabDrkjrO6uVDjXCjfC41CsE6IXH6C2Cc+6zg3JaC+a2Z90StwzE0iULn8yvatCYwEw9RYaIrSOn2OtlU2War+t1By/JGddwAvqLTOWHgG6QeDMvtYJRkdqq435gcUQ== x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:CY4PR21MB0743.namprd21.prod.outlook.com;PTR:;CAT:NONE;SFTY:;SFS:(4636009)(136003)(346002)(39860400002)(396003)(376002)(366004)(53546011)(8676002)(8990500004)(26005)(10290500003)(8936002)(9686003)(186003)(4326008)(6506007)(966005)(478600001)(2906002)(55016002)(19627405001)(86362001)(316002)(5660300002)(166002)(82960400001)(30864003)(66446008)(66946007)(64756008)(66476007)(66556008)(91956017)(76116006)(82950400001)(71200400001)(33656002)(83380400001)(7696005)(52536014)(110136005)(54906003);DIR:OUT;SFP:1102; x-ms-exchange-antispam-messagedata: 5uqzrKx9QYx/VDA0CsKTJsuJTo8WV6y69sF2PRUa97U8f78cXlk7kZZ1fjRYQZ0jBgkij9Dq1qDiw0i3V53ORJaIkopt2Put0vRaNlOPXrvOrTv2YWd8OvandmB34E9zmejHHwrPybBf4bpXDwpRt9ZxmX9pNZZ/c0UMDC+A+tsmqsR3KhdkmzJwrViMFwlh6CFtYcL7fD/KnxvRVTr+aM5PUBAM27POELo0QaEw75NzbzikIkGV61KpjLSjw0mg1SKAi3whKX7VPG3mtfLWYq4APKmLfDVAWlPn7NS5vjgnnWZCPT9sMU5l8b8WAnI33UtKEQcL9QruUCqhBzeEN0RWl5F2mCyRDnYQQIbuh9bTCUEhnz/X0XH0SkP0pUk4YvIZag06KE/eOOMGAJXPMq8a804jHNrWP8tVn5nThVgR6XC/oyZnndQphWpR3Hz3STpb4BzOdrNNoO22pdBUE8Z6+IP+QDo/p4JDyaZeEqA= x-ms-exchange-transport-forked: True MIME-Version: 1.0 X-OriginatorOrg: microsoft.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: CY4PR21MB0743.namprd21.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 49e7e1cc-f95c-4b08-b192-08d8129008ec X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Jun 2020 07:28:30.6155 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: dLHRXXn4rOUUB76Z8yHBsUSwjpF8pTfb6wzzfyApiDPG9DvkPXr2g0uUwfdrh6ypmLKBwJu5svmKJ6Rl8WpKcQ== X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR2101MB0865 Content-Language: en-US Content-Type: multipart/alternative; boundary="_000_CY4PR21MB07432F4CC4DD6130919CCFCBEF9A0CY4PR21MB0743namp_" --_000_CY4PR21MB07432F4CC4DD6130919CCFCBEF9A0CY4PR21MB0743namp_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Bump. This specific patch needs Reviews. - Bret ________________________________ From: devel@edk2.groups.io on behalf of Bret Barkele= w via groups.io Sent: Tuesday, June 2, 2020 11:57 PM To: devel@edk2.groups.io Cc: Jian J Wang ; Hao A Wu ; lim= ing.gao Subject: [EXTERNAL] [edk2-devel] [PATCH v5 01/14] MdeModulePkg: Define the = VariablePolicy protocol interface https://nam06.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fbugzill= a.tianocore.org%2Fshow_bug.cgi%3Fid%3D2522&data=3D02%7C01%7CBret.Barkel= ew%40microsoft.com%7Ccaae5a1fbb05498c984f08d807a3dae0%7C72f988bf86f141af91a= b2d7cd011db47%7C1%7C0%7C637267747624441639&sdata=3Dzb9OOX6YpaObdlezhQms= j5zCSd1JS6ay6DVhGkiJRdU%3D&reserved=3D0 VariablePolicy is an updated interface to replace VarLock and VarCheckProtocol. Add the VariablePolicy protocol interface header and add to the MdeModulePkg.dec file. Cc: Jian J Wang Cc: Hao A Wu Cc: Liming Gao Cc: Bret Barkelew Signed-off-by: Bret Barkelew --- MdeModulePkg/Include/Protocol/VariablePolicy.h | 157 ++++++++++++++++++++ MdeModulePkg/MdeModulePkg.dec | 14 +- MdeModulePkg/MdeModulePkg.uni | 7 + 3 files changed, 177 insertions(+), 1 deletion(-) diff --git a/MdeModulePkg/Include/Protocol/VariablePolicy.h b/MdeModulePkg/= Include/Protocol/VariablePolicy.h new file mode 100644 index 000000000000..8226c187a77b --- /dev/null +++ b/MdeModulePkg/Include/Protocol/VariablePolicy.h @@ -0,0 +1,157 @@ +/** @file -- VariablePolicy.h + +This protocol allows communication with Variable Policy Engine. + +Copyright (c) Microsoft Corporation. +SPDX-License-Identifier: BSD-2-Clause-Patent +**/ + +#ifndef __EDKII_VARIABLE_POLICY_PROTOCOL__ +#define __EDKII_VARIABLE_POLICY_PROTOCOL__ + +#define EDKII_VARIABLE_POLICY_PROTOCOL_REVISION 0x0000000000010000 + +#define EDKII_VARIABLE_POLICY_PROTOCOL_GUID \ + { \ + 0x81D1675C, 0x86F6, 0x48DF, { 0xBD, 0x95, 0x9A, 0x6E, 0x4F, 0x09, 0x25= , 0xC3 } \ + } + +#define VARIABLE_POLICY_ENTRY_REVISION 0x00010000 + +#pragma pack(push, 1) +typedef struct { + UINT32 Version; + UINT16 Size; + UINT16 OffsetToName; + EFI_GUID Namespace; + UINT32 MinSize; + UINT32 MaxSize; + UINT32 AttributesMustHave; + UINT32 AttributesCantHave; + UINT8 LockPolicyType; + UINT8 Padding[3]; + // UINT8 LockPolicy[]; // Variable Length Field + // CHAR16 Name[] // Variable Length Field +} VARIABLE_POLICY_ENTRY; + +#define VARIABLE_POLICY_NO_MIN_SIZE 0 +#define VARIABLE_POLICY_NO_MAX_SIZE MAX_UINT32 +#define VARIABLE_POLICY_NO_MUST_ATTR 0 +#define VARIABLE_POLICY_NO_CANT_ATTR 0 + +#define VARIABLE_POLICY_TYPE_NO_LOCK 0 +#define VARIABLE_POLICY_TYPE_LOCK_NOW 1 +#define VARIABLE_POLICY_TYPE_LOCK_ON_CREATE 2 +#define VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE 3 + +typedef struct { + EFI_GUID Namespace; + UINT8 Value; + UINT8 Padding; + // CHAR16 Name[]; // Variable Length Field +} VARIABLE_LOCK_ON_VAR_STATE_POLICY; +#pragma pack(pop) + +/** + This API function disables the variable policy enforcement. If it's + already been called once, will return EFI_ALREADY_STARTED. + + @retval EFI_SUCCESS + @retval EFI_ALREADY_STARTED Has already been called once this boot= . + @retval EFI_WRITE_PROTECTED Interface has been locked until reboot= . + @retval EFI_WRITE_PROTECTED Interface option is disabled by platfo= rm PCD. + +**/ +typedef +EFI_STATUS +(EFIAPI *DISABLE_VARIABLE_POLICY)( + VOID + ); + +/** + This API function returns whether or not the policy engine is + currently being enforced. + + @param[out] State Pointer to a return value for whether the poli= cy enforcement + is currently enabled. + + @retval EFI_SUCCESS + @retval Others An error has prevented this command from compl= eting. + +**/ +typedef +EFI_STATUS +(EFIAPI *IS_VARIABLE_POLICY_ENABLED)( + OUT BOOLEAN *State + ); + +/** + This API function validates and registers a new policy with + the policy enforcement engine. + + @param[in] NewPolicy Pointer to the incoming policy structure. + + @retval EFI_SUCCESS + @retval EFI_INVALID_PARAMETER NewPolicy is NULL or is internally i= nconsistent. + @retval EFI_ALREADY_STARTED An identical matching policy already= exists. + @retval EFI_WRITE_PROTECTED The interface has been locked until = the next reboot. + @retval EFI_ABORTED A calculation error has prevented th= is function from completing. + @retval EFI_OUT_OF_RESOURCES Cannot grow the table to hold any mo= re policies. + +**/ +typedef +EFI_STATUS +(EFIAPI *REGISTER_VARIABLE_POLICY)( + IN CONST VARIABLE_POLICY_ENTRY *PolicyEntry + ); + +/** + This API function will dump the entire contents of the variable policy t= able. + + Similar to GetVariable, the first call can be made with a 0 size and it = will return + the size of the buffer required to hold the entire table. + + @param[out] Policy Pointer to the policy buffer. Can be NULL if Siz= e is 0. + @param[in,out] Size On input, the size of the output buffer. On outp= ut, the size + of the data returned. + + @retval EFI_SUCCESS Policy data is in the output buffer = and Size has been updated. + @retval EFI_INVALID_PARAMETER Size is NULL, or Size is non-zero an= d Policy is NULL. + @retval EFI_BUFFER_TOO_SMALL Size is insufficient to hold policy.= Size updated with required size. + +**/ +typedef +EFI_STATUS +(EFIAPI *DUMP_VARIABLE_POLICY)( + IN OUT UINT8 *Policy, + IN OUT UINT32 *Size + ); + +/** + This API function locks the interface so that no more policy updates + can be performed or changes made to the enforcement until the next boot. + + @retval EFI_SUCCESS + @retval Others An error has prevented this command from compl= eting. + +**/ +typedef +EFI_STATUS +(EFIAPI *LOCK_VARIABLE_POLICY)( + VOID + ); + +typedef struct { + UINT64 Revision; + DISABLE_VARIABLE_POLICY DisableVariablePolicy; + IS_VARIABLE_POLICY_ENABLED IsVariablePolicyEnabled; + REGISTER_VARIABLE_POLICY RegisterVariablePolicy; + DUMP_VARIABLE_POLICY DumpVariablePolicy; + LOCK_VARIABLE_POLICY LockVariablePolicy; +} _EDKII_VARIABLE_POLICY_PROTOCOL; + +typedef _EDKII_VARIABLE_POLICY_PROTOCOL EDKII_VARIABLE_POLICY_PROTOCOL; + +extern EFI_GUID gEdkiiVariablePolicyProtocolGuid; + +#endif diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec index 4f44af694862..2e0461b87c32 100644 --- a/MdeModulePkg/MdeModulePkg.dec +++ b/MdeModulePkg/MdeModulePkg.dec @@ -8,7 +8,7 @@ # Copyright (c) 2016, Linaro Ltd. All rights reserved.
# (C) Copyright 2016 - 2019 Hewlett Packard Enterprise Development LP
# Copyright (c) 2017, AMD Incorporated. All rights reserved.
-# Copyright (c) 2016, Microsoft Corporation
+# Copyright (c) Microsoft Corporation.
# SPDX-License-Identifier: BSD-2-Clause-Patent # ## @@ -624,6 +624,9 @@ [Protocols] # 0x80000006 | Incorrect error code provided. # + ## Include/Protocol/VariablePolicy.h + gEdkiiVariablePolicyProtocolGuid =3D { 0x81D1675C, 0x86F6, 0x48DF, { 0xB= D, 0x95, 0x9A, 0x6E, 0x4F, 0x09, 0x25, 0xC3 } } + [PcdsFeatureFlag] ## Indicates if the platform can support update capsule across a system = reset.

# TRUE - Supports update capsule across a system reset.
@@ -1129,6 +1132,15 @@ [PcdsFixedAtBuild, PcdsPatchableInModule] # @Prompt Variable storage size. gEfiMdeModulePkgTokenSpaceGuid.PcdVariableStoreSize|0x10000|UINT32|0x300= 00005 + ## Toggle for whether the VariablePolicy engine should allow disabling. + # The engine is enabled at power-on, but the interface allows the platfo= rm to + # disable enforcement for servicing flexibility. If this PCD is disabled= , it will block the ability to + # disable the enforcement and VariablePolicy enforcement will always be = ON. + # TRUE - VariablePolicy can be disabled by request through the interfa= ce (until interface is locked) + # FALSE - VariablePolicy interface will not accept requests to disable= and is ALWAYS ON + # @Prompt Allow VariablePolicy enforcement to be disabled. + gEfiMdeModulePkgTokenSpaceGuid.PcdAllowVariablePolicyEnforcementDisable|= FALSE|BOOLEAN|0x30000020 + ## FFS filename to find the ACPI tables. # @Prompt FFS name of ACPI tables storage. gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiTableStorageFile|{ 0x25, 0x4e, 0x3= 7, 0x7e, 0x01, 0x8e, 0xee, 0x4f, 0x87, 0xf2, 0x39, 0xc, 0x23, 0xc6, 0x6, 0x= cd }|VOID*|0x30000016 diff --git a/MdeModulePkg/MdeModulePkg.uni b/MdeModulePkg/MdeModulePkg.uni index 2007e0596c4f..b64e7f351cda 100644 --- a/MdeModulePkg/MdeModulePkg.uni +++ b/MdeModulePkg/MdeModulePkg.uni @@ -129,6 +129,13 @@ #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdVariableStoreSize_HELP #lan= guage en-US "The size of volatile buffer. This buffer is used to store VOLA= TILE attribute variables." +#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAllowVariablePolicyEnforceme= ntDisable_PROMPT #language en-US "Allow VariablePolicy enforcement to be d= isabled." + +#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAllowVariablePolicyEnforceme= ntDisable_HELP #language en-US "If this PCD is disabled, it will block the= ability to
\n" + = "disable the enforcement and VariablePolicy= enforcement will always be ON.
\n" + = "TRUE - VariablePolicy can be disabled by r= equest through the interface (until interface is locked)
\n" + = "FALSE - VariablePolicy interface will not = accept requests to disable and is ALWAYS ON
\n" + #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiTableStorageFile_PROMPT = #language en-US "FFS name of ACPI tables storage" #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiTableStorageFile_HELP #= language en-US "FFS filename to find the ACPI tables." -- 2.26.2.windows.1.8.g01c50adf56.20200515075929 -=3D-=3D-=3D-=3D-=3D-=3D Groups.io Links: You receive all messages sent to this group. View/Reply Online (#60644): https://nam06.safelinks.protection.outlook.com/= ?url=3Dhttps%3A%2F%2Fedk2.groups.io%2Fg%2Fdevel%2Fmessage%2F60644&data= =3D02%7C01%7CBret.Barkelew%40microsoft.com%7Ccaae5a1fbb05498c984f08d807a3da= e0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637267747624441639&sdat= a=3DZQFJQe8PJmptFsKmkJCFozLPOxTS47DpJFUnScb0B3M%3D&reserved=3D0 Mute This Topic: https://nam06.safelinks.protection.outlook.com/?url=3Dhttp= s%3A%2F%2Fgroups.io%2Fmt%2F74646433%2F1822150&data=3D02%7C01%7CBret.Bar= kelew%40microsoft.com%7Ccaae5a1fbb05498c984f08d807a3dae0%7C72f988bf86f141af= 91ab2d7cd011db47%7C1%7C0%7C637267747624441639&sdata=3DxQG6kqTp47BHoWZnM= %2BZ0RkY3Wzvxnf1E0YL2YCr8vJc%3D&reserved=3D0 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://nam06.safelinks.protection.outlook.com/?url=3Dhttps%3A= %2F%2Fedk2.groups.io%2Fg%2Fdevel%2Funsub&data=3D02%7C01%7CBret.Barkelew= %40microsoft.com%7Ccaae5a1fbb05498c984f08d807a3dae0%7C72f988bf86f141af91ab2= d7cd011db47%7C1%7C0%7C637267747624441639&sdata=3DZ7rwTjYt934NJzkClQX32d= ISKzS%2FA7SrSaFL%2FKwDPOM%3D&reserved=3D0 [brbarkel@microsoft.com] -=3D-=3D-=3D-=3D-=3D-=3D --_000_CY4PR21MB07432F4CC4DD6130919CCFCBEF9A0CY4PR21MB0743namp_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable
Bump. This specific patch needs Reviews.

- Bret

From: devel@edk2.groups.io = <devel@edk2.groups.io> on behalf of Bret Barkelew via groups.io <b= ret=3Dcorthon.com@groups.io>
Sent: Tuesday, June 2, 2020 11:57 PM
To: devel@edk2.groups.io <devel@edk2.groups.io>
Cc: Jian J Wang <jian.j.wang@intel.com>; Hao A Wu <hao.a.wu= @intel.com>; liming.gao <liming.gao@intel.com>
Subject: [EXTERNAL] [edk2-devel] [PATCH v5 01/14] MdeModulePkg: Defi= ne the VariablePolicy protocol interface
 
https://nam06.safelinks.protection.outlook.com/?url=3Dhtt= ps%3A%2F%2Fbugzilla.tianocore.org%2Fshow_bug.cgi%3Fid%3D2522&amp;data= =3D02%7C01%7CBret.Barkelew%40microsoft.com%7Ccaae5a1fbb05498c984f08d807a3da= e0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637267747624441639&amp;= sdata=3Dzb9OOX6YpaObdlezhQmsj5zCSd1JS6ay6DVhGkiJRdU%3D&amp;reserved=3D0=

VariablePolicy is an updated interface to
replace VarLock and VarCheckProtocol.

Add the VariablePolicy protocol interface
header and add to the MdeModulePkg.dec file.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Bret Barkelew <brbarkel@microsoft.com>
Signed-off-by: Bret Barkelew <brbarkel@microsoft.com>
---
 MdeModulePkg/Include/Protocol/VariablePolicy.h | 157 +++&= #43;++++++++++++++&= #43;+
 MdeModulePkg/MdeModulePkg.dec      &nbs= p;           |  14 &= #43;-
 MdeModulePkg/MdeModulePkg.uni      &nbs= p;           |  = ; 7 +
 3 files changed, 177 insertions(+), 1 deletion(-)

diff --git a/MdeModulePkg/Include/Protocol/VariablePolicy.h b/MdeModulePkg/= Include/Protocol/VariablePolicy.h
new file mode 100644
index 000000000000..8226c187a77b
--- /dev/null
+++ b/MdeModulePkg/Include/Protocol/VariablePolicy.h
@@ -0,0 +1,157 @@
+/** @file -- VariablePolicy.h

+

+This protocol allows communication with Variable Policy Engine.

+

+Copyright (c) Microsoft Corporation.

+SPDX-License-Identifier: BSD-2-Clause-Patent

+**/

+

+#ifndef __EDKII_VARIABLE_POLICY_PROTOCOL__

+#define __EDKII_VARIABLE_POLICY_PROTOCOL__

+

+#define EDKII_VARIABLE_POLICY_PROTOCOL_REVISION   0x00000000= 00010000

+

+#define EDKII_VARIABLE_POLICY_PROTOCOL_GUID \

+  { \

+    0x81D1675C, 0x86F6, 0x48DF, { 0xBD, 0x95, 0x9A, 0x6= E, 0x4F, 0x09, 0x25, 0xC3 } \

+  }

+

+#define VARIABLE_POLICY_ENTRY_REVISION      0= x00010000

+

+#pragma pack(push, 1)

+typedef struct {

+  UINT32   Version;

+  UINT16   Size;

+  UINT16   OffsetToName;

+  EFI_GUID Namespace;

+  UINT32   MinSize;

+  UINT32   MaxSize;

+  UINT32   AttributesMustHave;

+  UINT32   AttributesCantHave;

+  UINT8    LockPolicyType;

+  UINT8    Padding[3];

+  // UINT8    LockPolicy[];    = ; // Variable Length Field

+  // CHAR16   Name[]      = ;      // Variable Length Field

+} VARIABLE_POLICY_ENTRY;

+

+#define     VARIABLE_POLICY_NO_MIN_SIZE  = ;           0

+#define     VARIABLE_POLICY_NO_MAX_SIZE  = ;           MAX_UINT32
+#define     VARIABLE_POLICY_NO_MUST_ATTR &nbs= p;          0

+#define     VARIABLE_POLICY_NO_CANT_ATTR &nbs= p;          0

+

+#define     VARIABLE_POLICY_TYPE_NO_LOCK &nbs= p;          0

+#define     VARIABLE_POLICY_TYPE_LOCK_NOW &nb= sp;         1

+#define     VARIABLE_POLICY_TYPE_LOCK_ON_CREATE&nb= sp;    2

+#define     VARIABLE_POLICY_TYPE_LOCK_ON_VAR_STATE=   3

+

+typedef struct {

+  EFI_GUID Namespace;

+  UINT8    Value;

+  UINT8    Padding;

+  // CHAR16   Name[];     &nbs= p;     // Variable Length Field

+} VARIABLE_LOCK_ON_VAR_STATE_POLICY;

+#pragma pack(pop)

+

+/**

+  This API function disables the variable policy enforcement. If = it's

+  already been called once, will return EFI_ALREADY_STARTED.

+

+  @retval     EFI_SUCCESS

+  @retval     EFI_ALREADY_STARTED  = Has already been called once this boot.

+  @retval     EFI_WRITE_PROTECTED  = Interface has been locked until reboot.

+  @retval     EFI_WRITE_PROTECTED  = Interface option is disabled by platform PCD.

+

+**/

+typedef

+EFI_STATUS

+(EFIAPI *DISABLE_VARIABLE_POLICY)(

+  VOID

+  );

+

+/**

+  This API function returns whether or not the policy engine is
+  currently being enforced.

+

+  @param[out]   State     &nbs= p; Pointer to a return value for whether the policy enforcement

+           &nbs= p;            &= nbsp;   is currently enabled.

+

+  @retval     EFI_SUCCESS

+  @retval     Others    &= nbsp;   An error has prevented this command from completing.

+

+**/

+typedef

+EFI_STATUS

+(EFIAPI *IS_VARIABLE_POLICY_ENABLED)(

+  OUT BOOLEAN *State

+  );

+

+/**

+  This API function validates and registers a new policy with

+  the policy enforcement engine.

+

+  @param[in]  NewPolicy     Pointer to t= he incoming policy structure.

+

+  @retval     EFI_SUCCESS

+  @retval     EFI_INVALID_PARAMETER &nbs= p; NewPolicy is NULL or is internally inconsistent.

+  @retval     EFI_ALREADY_STARTED  =    An identical matching policy already exists.

+  @retval     EFI_WRITE_PROTECTED  =    The interface has been locked until the next reboot.

+  @retval     EFI_ABORTED   &n= bsp;         A calculation error ha= s prevented this function from completing.

+  @retval     EFI_OUT_OF_RESOURCES  = ;  Cannot grow the table to hold any more policies.

+

+**/

+typedef

+EFI_STATUS

+(EFIAPI *REGISTER_VARIABLE_POLICY)(

+  IN CONST VARIABLE_POLICY_ENTRY  *PolicyEntry

+  );

+

+/**

+  This API function will dump the entire contents of the variable= policy table.

+

+  Similar to GetVariable, the first call can be made with a 0 siz= e and it will return

+  the size of the buffer required to hold the entire table.

+

+  @param[out]     Policy  Pointer to the= policy buffer. Can be NULL if Size is 0.

+  @param[in,out]  Size    On input, the size = of the output buffer. On output, the size

+           &nbs= p;            &= nbsp; of the data returned.

+

+  @retval     EFI_SUCCESS   &n= bsp;         Policy data is in the = output buffer and Size has been updated.

+  @retval     EFI_INVALID_PARAMETER &nbs= p; Size is NULL, or Size is non-zero and Policy is NULL.

+  @retval     EFI_BUFFER_TOO_SMALL  = ;  Size is insufficient to hold policy. Size updated with required siz= e.

+

+**/

+typedef

+EFI_STATUS

+(EFIAPI *DUMP_VARIABLE_POLICY)(

+  IN OUT UINT8  *Policy,

+  IN OUT UINT32 *Size

+  );

+

+/**

+  This API function locks the interface so that no more policy up= dates

+  can be performed or changes made to the enforcement until the n= ext boot.

+

+  @retval     EFI_SUCCESS

+  @retval     Others    &= nbsp;   An error has prevented this command from completing.

+

+**/

+typedef

+EFI_STATUS

+(EFIAPI *LOCK_VARIABLE_POLICY)(

+  VOID

+  );

+

+typedef struct {

+  UINT64         &nb= sp;           Revision;
+  DISABLE_VARIABLE_POLICY    DisableVariablePolicy= ;

+  IS_VARIABLE_POLICY_ENABLED IsVariablePolicyEnabled;

+  REGISTER_VARIABLE_POLICY   RegisterVariablePolicy;
+  DUMP_VARIABLE_POLICY       DumpVa= riablePolicy;

+  LOCK_VARIABLE_POLICY       LockVa= riablePolicy;

+} _EDKII_VARIABLE_POLICY_PROTOCOL;

+

+typedef _EDKII_VARIABLE_POLICY_PROTOCOL EDKII_VARIABLE_POLICY_PROTOCOL= ;

+

+extern EFI_GUID gEdkiiVariablePolicyProtocolGuid;

+

+#endif

diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec<= br> index 4f44af694862..2e0461b87c32 100644
--- a/MdeModulePkg/MdeModulePkg.dec
+++ b/MdeModulePkg/MdeModulePkg.dec
@@ -8,7 +8,7 @@
 # Copyright (c) 2016, Linaro Ltd. All rights reserved.<BR>

 # (C) Copyright 2016 - 2019 Hewlett Packard Enterprise Development LP= <BR>

 # Copyright (c) 2017, AMD Incorporated. All rights reserved.<BR>= ;

-# Copyright (c) 2016, Microsoft Corporation<BR>

+# Copyright (c) Microsoft Corporation.<BR>

 # SPDX-License-Identifier: BSD-2-Clause-Patent

 #

 ##

@@ -624,6 +624,9 @@ [Protocols]
 #   0x80000006 | Incorrect error code provided.

 #

 

+  ## Include/Protocol/VariablePolicy.h

+  gEdkiiVariablePolicyProtocolGuid =3D { 0x81D1675C, 0x86F6, 0x48= DF, { 0xBD, 0x95, 0x9A, 0x6E, 0x4F, 0x09, 0x25, 0xC3 } }

+

 [PcdsFeatureFlag]

   ## Indicates if the platform can support update capsule across= a system reset.<BR><BR>

   #   TRUE  - Supports update capsule across a sy= stem reset.<BR>

@@ -1129,6 +1132,15 @@ [PcdsFixedAtBuild, PcdsPatchableInModule]
   # @Prompt Variable storage size.

   gEfiMdeModulePkgTokenSpaceGuid.PcdVariableStoreSize|0x10000|UI= NT32|0x30000005

 

+  ## Toggle for whether the VariablePolicy engine should allow di= sabling.

+  # The engine is enabled at power-on, but the interface allows t= he platform to

+  # disable enforcement for servicing flexibility. If this PCD is= disabled, it will block the ability to

+  # disable the enforcement and VariablePolicy enforcement will a= lways be ON.

+  #   TRUE - VariablePolicy can be disabled by request = through the interface (until interface is locked)

+  #   FALSE - VariablePolicy interface will not accept = requests to disable and is ALWAYS ON

+  # @Prompt Allow VariablePolicy enforcement to be disabled.

+  gEfiMdeModulePkgTokenSpaceGuid.PcdAllowVariablePolicyEnforcemen= tDisable|FALSE|BOOLEAN|0x30000020

+

   ## FFS filename to find the ACPI tables.

   # @Prompt FFS name of ACPI tables storage.

   gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiTableStorageFile|{ 0x25,= 0x4e, 0x37, 0x7e, 0x01, 0x8e, 0xee, 0x4f, 0x87, 0xf2, 0x39, 0xc, 0x23, 0xc= 6, 0x6, 0xcd }|VOID*|0x30000016

diff --git a/MdeModulePkg/MdeModulePkg.uni b/MdeModulePkg/MdeModulePkg.uni<= br> index 2007e0596c4f..b64e7f351cda 100644
--- a/MdeModulePkg/MdeModulePkg.uni
+++ b/MdeModulePkg/MdeModulePkg.uni
@@ -129,6 +129,13 @@
 

 #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdVariableStoreSize_HELP&= nbsp; #language en-US "The size of volatile buffer. This buffer is use= d to store VOLATILE attribute variables."

 

+#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAllowVariablePolicyEnfor= cementDisable_PROMPT  #language en-US "Allow VariablePolicy enfor= cement to be disabled."

+

+#string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAllowVariablePolicyEnfor= cementDisable_HELP  #language en-US "If this PCD is disabled, it = will block the ability to<BR>\n"

+           &nbs= p;            &= nbsp;           &nbs= p;            &= nbsp;           &nbs= p;            &= nbsp;           &nbs= p;            &= nbsp;      "disable the enforcement and Varia= blePolicy enforcement will always be ON.<BR>\n"

+           &nbs= p;            &= nbsp;           &nbs= p;            &= nbsp;           &nbs= p;            &= nbsp;           &nbs= p;            &= nbsp;      "TRUE - VariablePolicy can be disa= bled by request through the interface (until interface is locked)<BR>= \n"

+           &nbs= p;            &= nbsp;           &nbs= p;            &= nbsp;           &nbs= p;            &= nbsp;           &nbs= p;            &= nbsp;      "FALSE - VariablePolicy interface = will not accept requests to disable and is ALWAYS ON<BR>\n"

+

 #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiTableStorageFile_PR= OMPT  #language en-US "FFS name of ACPI tables storage"

 

 #string STR_gEfiMdeModulePkgTokenSpaceGuid_PcdAcpiTableStorageFile_HE= LP  #language en-US "FFS filename to find the ACPI tables."<= br>
--
2.26.2.windows.1.8.g01c50adf56.20200515075929


-=3D-=3D-=3D-=3D-=3D-=3D
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#60644): https://nam06.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fedk2.gr= oups.io%2Fg%2Fdevel%2Fmessage%2F60644&amp;data=3D02%7C01%7CBret.Barkele= w%40microsoft.com%7Ccaae5a1fbb05498c984f08d807a3dae0%7C72f988bf86f141af91ab= 2d7cd011db47%7C1%7C0%7C637267747624441639&amp;sdata=3DZQFJQe8PJmptFsKmk= JCFozLPOxTS47DpJFUnScb0B3M%3D&amp;reserved=3D0
Mute This Topic: https://nam06.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fgroups.= io%2Fmt%2F74646433%2F1822150&amp;data=3D02%7C01%7CBret.Barkelew%40micro= soft.com%7Ccaae5a1fbb05498c984f08d807a3dae0%7C72f988bf86f141af91ab2d7cd011d= b47%7C1%7C0%7C637267747624441639&amp;sdata=3DxQG6kqTp47BHoWZnM%2BZ0RkY3= Wzvxnf1E0YL2YCr8vJc%3D&amp;reserved=3D0
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://nam06.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F%2Fedk2.gr= oups.io%2Fg%2Fdevel%2Funsub&amp;data=3D02%7C01%7CBret.Barkelew%40micros= oft.com%7Ccaae5a1fbb05498c984f08d807a3dae0%7C72f988bf86f141af91ab2d7cd011db= 47%7C1%7C0%7C637267747624441639&amp;sdata=3DZ7rwTjYt934NJzkClQX32dISKzS= %2FA7SrSaFL%2FKwDPOM%3D&amp;reserved=3D0  [brbarkel@microsoft.com]
-=3D-=3D-=3D-=3D-=3D-=3D

--_000_CY4PR21MB07432F4CC4DD6130919CCFCBEF9A0CY4PR21MB0743namp_--