From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Bret Barkelew" <bret.barkelew@microsoft.com>
To: "devel@edk2.groups.io" <devel@edk2.groups.io>, "dandan.bi@intel.com" <dandan.bi@intel.com>, "bret@corthon.com" <bret@corthon.com>
CC: "Yao, Jiewen" <jiewen.yao@intel.com>, Chao Zhang <chao.b.zhang@intel.com>, "Wang, Jian J" <jian.j.wang@intel.com>, "Wu, Hao A" <hao.a.wu@intel.com>, liming.gao <liming.gao@intel.com>, "Justen, Jordan L" <jordan.l.justen@intel.com>, Laszlo Ersek <lersek@redhat.com>, Ard Biesheuvel <ard.biesheuvel@arm.com>, Andrew Fish <afish@apple.com>, "Ni, Ray" <ray.ni@intel.com>
Subject: Re: [edk2-devel] [PATCH v7 00/14] Add the VariablePolicy feature
Date: Tue, 15 Sep 2020 20:00:52 +0000
References: <20200828055127.1610-1-brbarkel@microsoft.com>
Content-Type: text/plain; charset="us-ascii"

Sounds good! Thanks! Will hold for at least this week. Still need some more RBs.

- Bret
________________________________
From: devel@edk2.groups.io <devel@edk2.groups.io> on behalf of Dandan Bi via groups.io <dandan.bi=intel.com@groups.io>
Sent: Tuesday, September 15, 2020 8:44:01 AM
To: devel@edk2.groups.io <devel@edk2.groups.io>; bret@corthon.com <bret@corthon.com>
Cc: Yao, Jiewen <jiewen.yao@intel.com>; Chao Zhang <chao.b.zhang@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Wu, Hao A <hao.a.wu@intel.com>; liming.gao <liming.gao@intel.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Laszlo Ersek <lersek@redhat.com>; Ard Biesheuvel <ard.biesheuvel@arm.com>; Andrew Fish <afish@apple.com>; Ni, Ray <ray.ni@intel.com>
Subject: [EXTERNAL] Re: [edk2-devel] [PATCH v7 00/14] Add the VariablePolicy feature

Hi Bret,

The V7 version is OK from my side.  Reviewed-by: Dandan Bi <dandan.bi@intel.com>
Please hold to see if any comments from other reviewers.

Hi Jiewen and Jian,

Do you have any comments?

Thanks,
Dandan

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Bret Barkelew
> Sent: Friday, August 28, 2020 1:51 PM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Chao Zhang <chao.b.zhang@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Wu, Hao A <hao.a.wu@intel.com>; Gao, Liming <liming.gao@intel.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Laszlo Ersek <lersek@redhat.com>; Ard Biesheuvel <ard.biesheuvel@arm.com>; Andrew Fish <afish@apple.com>; Ni, Ray <ray.ni@intel.com>
> Subject: [edk2-devel] [PATCH v7 00/14] Add the VariablePolicy feature
>
> The 14 patches in this series add the VariablePolicy feature to the core,
> deprecate Edk2VarLock (while adding a compatibility layer to reduce code
> churn), and integrate the VariablePolicy libraries and protocols into Variable
> Services.
>
> Since the integration requires multiple changes, including adding libraries, a
> protocol, an SMI communication handler, and VariableServices integration,
> the patches are broken up by individual library additions and then a final
> integration. Security-sensitive changes like bypassing Authenticated Variable
> enforcement are also broken out into individual patches so that attention can
> be called directly to them.
>
> Platform porting instructions are described in this wiki entry:
> https://github.com/tianocore/tianocore.github.io/wiki/VariablePolicy-Protocol---Enhanced-Method-for-Managing-Variables#platform-porting
>
> Discussion of the feature can be found in multiple places throughout the last
> year on the RFC channel, staging branches, and in devel.
>
> Most recently, this subject was discussed in this thread:
> https://edk2.groups.io/g/devel/message/53712
> (the code branches shared in that discussion are now out of date, but the
> whitepapers and discussion are relevant).
>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Chao Zhang <chao.b.zhang@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Hao A Wu <hao.a.wu@intel.com>
> Cc: Liming Gao <liming.gao@intel.com>
> Cc: Jordan Justen <jordan.l.justen@intel.com>
> Cc: Laszlo Ersek <lersek@redhat.com>
> Cc: Ard Biesheuvel <ard.biesheuvel@arm.com>
> Cc: Andrew Fish <afish@apple.com>
> Cc: Ray Ni <ray.ni@intel.com>
> Cc: Bret Barkelew <brbarkel@microsoft.com>
> Signed-off-by: Bret Barkelew <brbarkel@microsoft.com>
>
> v7 changes:
> * Address comments from Dandan about security of the MM handler
> * Add readme
> * Fix bug around hex characters in BOOT####, etc
> * Add additional testing for hex characters
> * Add additional testing for authenticated variables
>
> v6 changes:
> * Fix an issue with uninitialized Status in InitVariablePolicyLib() and
>   DeinitVariablePolicyLib()
> * Fix GCC building in shell-based functional test
> * Rebase on latest origin/master
>
> v5 changes:
> * Fix the CONST mismatch in VariablePolicy.h and VariablePolicySmmDxe.c
> * Fix EFIAPI mismatches in the functional unittest
> * Rebase on latest origin/master
>
> v4 changes:
> * Remove Optional PcdAllowVariablePolicyEnforcementDisable PCD from platforms
> * Rebase on master
> * Migrate to new MmCommunicate2 protocol
> * Fix an oversight in the default return value for InitMmCommonCommBuffer
> * Fix in VariablePolicyLib to allow ExtraInitRuntimeDxe to consume variables
>
> V3 changes:
> * Address all non-unittest issues with ECC
> * Make additional style changes
> * Include section name in hunk headers in "ini-style" files
> * Remove requirement for the EdkiiPiSmmCommunicationsRegionTable driver
>   (now allocates its own buffer)
> * Change names from VARIABLE_POLICY_PROTOCOL and gVariablePolicyProtocolGuid
>   to EDKII_VARIABLE_POLICY_PROTOCOL and gEdkiiVariablePolicyProtocolGuid
> * Fix GCC warning about initializing externs
> * Add UNI strings for new PCD
> * Add patches for ArmVirtPkg, OvmfXen, and UefiPayloadPkg
> * Reorder patches according to Liming's feedback about adding to platforms
>   before changing variable driver
>
> V2 changes:
> * Fixed implementation for RuntimeDxe
> * Add PCD to block DisableVariablePolicy
> * Fix the DumpVariablePolicy pagination in SMM
>
>
> Bret Barkelew (14):
>   MdeModulePkg: Define the VariablePolicy protocol interface
>   MdeModulePkg: Define the VariablePolicyLib
>   MdeModulePkg: Define the VariablePolicyHelperLib
>   MdeModulePkg: Define the VarCheckPolicyLib and SMM interface
>   OvmfPkg: Add VariablePolicy engine to OvmfPkg platform
>   EmulatorPkg: Add VariablePolicy engine to EmulatorPkg platform
>   ArmVirtPkg: Add VariablePolicy engine to ArmVirtPkg platform
>   UefiPayloadPkg: Add VariablePolicy engine to UefiPayloadPkg platform
>   MdeModulePkg: Connect VariablePolicy business logic to VariableServices
>   MdeModulePkg: Allow VariablePolicy state to delete protected variables
>   SecurityPkg: Allow VariablePolicy state to delete authenticated variables
>   MdeModulePkg: Change TCG MOR variables to use VariablePolicy
>   MdeModulePkg: Drop VarLock from RuntimeDxe variable driver
>   MdeModulePkg: Add a shell-based functional test for VariablePolicy
>
>  MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c                               |  345 +++
>  MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.c                   |  396 ++++
>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitNull.c                     |   46 +
>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitRuntimeDxe.c               |   85 +
>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c                               |  830 +++++++
>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicyUnitTest.c   | 2452 ++++++++++++++++++++
>  MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/VariablePolicyFuncTestApp.c        | 2226 ++++++++++++++++++
>  MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c                               |   52 +-
>  MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c                               |   60 +-
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VarCheck.c                                    |   49 +-
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c                                 |   53 +
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableLockRequstToLock.c                    |   71 +
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c                        |  642 +++++
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c                       |   14 +
>  SecurityPkg/Library/AuthVariableLib/AuthService.c                                        |   22 +-
>  ArmVirtPkg/ArmVirt.dsc.inc                                                               |    4 +
>  EmulatorPkg/EmulatorPkg.dsc                                                              |    3 +
>  MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h                                            |   54 +
>  MdeModulePkg/Include/Library/VariablePolicyHelperLib.h                                   |  164 ++
>  MdeModulePkg/Include/Library/VariablePolicyLib.h                                         |  207 ++
>  MdeModulePkg/Include/Protocol/VariablePolicy.h                                           |  157 ++
>  MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf                             |   42 +
>  MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.uni                             |   12 +
>  MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf                 |   35 +
>  MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.uni                 |   12 +
>  MdeModulePkg/Library/VariablePolicyLib/ReadMe.md                                         |  410 ++++
>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf                             |   49 +
>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.uni                             |   12 +
>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf                   |   51 +
>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicyUnitTest.inf |   45 +
>  MdeModulePkg/MdeModulePkg.ci.yaml                                                        |    8 +-
>  MdeModulePkg/MdeModulePkg.dec                                                            |   26 +-
>  MdeModulePkg/MdeModulePkg.dsc                                                            |    9 +
>  MdeModulePkg/MdeModulePkg.uni                                                            |    7 +
>  MdeModulePkg/Test/MdeModulePkgHostTest.dsc                                               |   11 +
>  MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/Readme.md                          |   55 +
>  MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/VariablePolicyFuncTestApp.inf      |   47 +
>  MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/VariablePolicyTestAuthVar.h        |  128 +
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf                        |    5 +
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf                               |    4 +
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf                     |   11 +
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf                      |    4 +
>  OvmfPkg/OvmfPkgIa32.dsc                                                                  |    5 +
>  OvmfPkg/OvmfPkgIa32X64.dsc                                                               |    5 +
>  OvmfPkg/OvmfPkgX64.dsc                                                                   |    5 +
>  OvmfPkg/OvmfXen.dsc                                                                      |    4 +
>  SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf                                  |    2 +
>  UefiPayloadPkg/UefiPayloadPkgIa32.dsc                                                    |    4 +
>  UefiPayloadPkg/UefiPayloadPkgIa32X64.dsc                                                 |    4 +
>  49 files changed, 8865 insertions(+), 79 deletions(-)
>  create mode 100644 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c
>  create mode 100644 MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.c
>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitNull.c
>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitRuntimeDxe.c
>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c
>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicyUnitTest.c
>  create mode 100644 MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/VariablePolicyFuncTestApp.c
>  create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableLockRequstToLock.c
>  create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c
>  create mode 100644 MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h
>  create mode 100644 MdeModulePkg/Include/Library/VariablePolicyHelperLib.h
>  create mode 100644 MdeModulePkg/Include/Library/VariablePolicyLib.h
>  create mode 100644 MdeModulePkg/Include/Protocol/VariablePolicy.h
>  create mode 100644 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf
>  create mode 100644 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.uni
>  create mode 100644 MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
>  create mode 100644 MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.uni
>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/ReadMe.md
>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.uni
>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf
>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicyUnitTest.inf
>  create mode 100644 MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/Readme.md
>  create mode 100644 MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/VariablePolicyFuncTestApp.inf
>  create mode 100644 MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/VariablePolicyTestAuthVar.h
>
> --
> 2.28.0.windows.1
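The v7 change log in the quoted cover letter mentions a fix for hex characters in names such as BOOT#### and new tests for them. The block below is an added example for readers of this thread; it is not code from the edk2 series, from VariablePolicyLib, or from anyone in the conversation. It models how a variable-policy engine can match a wildcard policy name against a concrete variable name and pick the entry that governs a SetVariable call. Three rules are assumed here and are not stated on the page: '#' in a policy name stands for exactly one hex digit in either case; an empty policy name covers every variable in its namespace; and when several entries match, the most specific one (fewest wildcards) wins. The POLICY_ENTRY fields, the Locked flag, and the sample table are constructed for the illustration and are not the EDKII_VARIABLE_POLICY_PROTOCOL structures.

```c
/*
 * Added example, not edk2 code: wildcard policy-name matching of the kind a
 * variable-policy engine needs for UEFI names like Boot####.  Assumed rules
 * (not from the cover letter): '#' matches one hex digit, upper or lower case;
 * an empty name covers the whole namespace; the most specific match governs.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <wchar.h>

typedef wchar_t CHAR16;   /* UEFI CHAR16 is 16-bit; the host wchar_t suffices here */

#define NO_MATCH        0xFFFFFFFFu   /* entry does not apply to this name */
#define NAMESPACE_WIDE  0xFFFFFFFEu   /* empty-name entry: least specific match */

typedef struct {
  const CHAR16 *Name;       /* may contain '#' wildcards; L"" = whole namespace */
  uint32_t      MinSize;    /* smallest DataSize a write may carry */
  uint32_t      MaxSize;    /* largest DataSize a write may carry */
  bool          Locked;     /* hypothetical "lock now": no writes, no deletes */
} POLICY_ENTRY;

static bool IsHexDigit(CHAR16 c) {
  return (c >= L'0' && c <= L'9') || (c >= L'A' && c <= L'F') ||
         (c >= L'a' && c <= L'f');
}

/* Wildcards consumed by the match (0 = exact), NAMESPACE_WIDE for an empty
   policy name, or NO_MATCH when the entry does not apply to VarName. */
uint32_t PolicyMatchPriority(const CHAR16 *PolicyName, const CHAR16 *VarName) {
  uint32_t wildcards = 0;
  size_t   i;

  if (PolicyName[0] == 0) {
    return NAMESPACE_WIDE;
  }
  for (i = 0; PolicyName[i] != 0 && VarName[i] != 0; i++) {
    if (PolicyName[i] == L'#') {
      if (!IsHexDigit(VarName[i])) {
        return NO_MATCH;          /* e.g. Boot00G1: 'G' is not a hex digit */
      }
      wildcards++;
    } else if (PolicyName[i] != VarName[i]) {
      return NO_MATCH;
    }
  }
  /* Both strings must end together: Boot001 and Boot00011 do not match Boot#### */
  return (PolicyName[i] == 0 && VarName[i] == 0) ? wildcards : NO_MATCH;
}

/* Index of the governing entry for VarName, or -1 when no entry applies. */
int FindGoverningPolicy(const POLICY_ENTRY *Table, size_t Count, const CHAR16 *VarName) {
  int      best     = -1;
  uint32_t bestPrio = NO_MATCH;

  for (size_t k = 0; k < Count; k++) {
    uint32_t prio = PolicyMatchPriority(Table[k].Name, VarName);
    if (prio < bestPrio) {      /* strict '<': first of equally specific entries wins */
      bestPrio = prio;
      best     = (int)k;
    }
  }
  return best;
}

/* Would a SetVariable of DataSize bytes to VarName pass policy?  DataSize 0 is a delete. */
bool SetVariableAllowed(const POLICY_ENTRY *Table, size_t Count,
                        const CHAR16 *VarName, uint32_t DataSize) {
  int k = FindGoverningPolicy(Table, Count, VarName);

  if (k < 0) {
    return true;                /* no policy registered: unconstrained */
  }
  if (Table[k].Locked) {
    return false;               /* locked: neither write nor delete */
  }
  if (DataSize != 0 && (DataSize < Table[k].MinSize || DataSize > Table[k].MaxSize)) {
    return false;               /* size bounds apply to writes, not to deletes */
  }
  return true;
}

/* Constructed sample table; the size limit and the locks are illustrative only. */
const POLICY_ENTRY gSampleTable[] = {
  { L"Boot####", 0, 1024, false },   /* any boot option: at most 1 KiB   */
  { L"Boot0000", 0, 0,    true  },   /* first boot option: locked        */
  { L"",         0, 0,    true  },   /* everything else in the namespace */
};
const size_t gSampleCount = sizeof (gSampleTable) / sizeof (gSampleTable[0]);

int main(void) {
  const CHAR16 *names[] = { L"Boot0000", L"Boot00aB", L"Boot00G1", L"Timeout" };
  for (size_t n = 0; n < sizeof (names) / sizeof (names[0]); n++) {
    printf("%-10ls entry %d, 16-byte write %s\n", names[n],
           FindGoverningPolicy(gSampleTable, gSampleCount, names[n]),
           SetVariableAllowed(gSampleTable, gSampleCount, names[n], 16) ? "allowed" : "denied");
  }
  return 0;
}
```

The two failure modes worth keeping in view are the ones the change log hints at: a matcher that only accepts upper-case hex would reject a legitimately written Boot00ab, and a matcher that stops at the shorter string would let Boot00011 or Boot001 slip under a Boot#### entry; the length check at the end of PolicyMatchPriority closes the second hole. Deletion is treated separately from writes because a locked entry must refuse both, while size bounds only make sense for data that is actually being stored.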