From: "Guomin Jiang" <guomin.jiang@intel.com>
To: devel@edk2.groups.io, michael.kubacki@outlook.com
Cc: Yao, Jiewen; Zhang, Chao B; Wang, Jian J; Wu, Hao A; Gao, Liming; Justen, Jordan L; Laszlo Ersek; Ard Biesheuvel; Andrew Fish; Ni, Ray; Bret Barkelew
Subject: Re: [edk2-devel] [PATCH v3 00/14] Add the VariablePolicy feature
Date: Tue, 26 May 2020 01:20:22 +0000

Hi Kubacki,

I am reviewing the patch series. I will need 2 weeks to review it and will comment after reviewing it.
Best Regards
Guomin

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Michael Kubacki
> Sent: Friday, May 22, 2020 6:43 AM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen; Zhang, Chao B; Wang, Jian J; Wu, Hao A; Gao, Liming; Justen, Jordan L; Laszlo Ersek; Ard Biesheuvel; Andrew Fish; Ni, Ray; Bret Barkelew
> Subject: [edk2-devel] [PATCH v3 00/14] Add the VariablePolicy feature
>
> From: Michael Kubacki
>
> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2522
>
> The 14 patches in this series add the VariablePolicy feature to the core,
> deprecate Edk2VarLock (while adding a compatibility layer to reduce code
> churn), and integrate the VariablePolicy libraries and protocols into Variable
> Services.
>
> Since the integration requires multiple changes, including adding libraries, a
> protocol, an SMI communication handler, and VariableServices integration,
> the patches are broken up by individual library additions and then a final
> integration. Security-sensitive changes like bypassing Authenticated Variable
> enforcement are also broken out into individual patches so that attention can
> be called directly to them.
>
> Platform porting instructions are described in this wiki entry:
> https://github.com/tianocore/tianocore.github.io/wiki/VariablePolicy-Protocol---Enhanced-Method-for-Managing-Variables#platform-porting
>
> Discussion of the feature can be found in multiple places throughout the last
> year on the RFC channel, staging branches, and in devel.
>
> Most recently, this subject was discussed in this thread:
> https://edk2.groups.io/g/devel/message/53712
> (the code branches shared in that discussion are now out of date, but the
> whitepapers and discussion are relevant).
>
> Cc: Jiewen Yao
> Cc: Chao Zhang
> Cc: Jian J Wang
> Cc: Hao A Wu
> Cc: Liming Gao
> Cc: Jordan Justen
> Cc: Laszlo Ersek
> Cc: Ard Biesheuvel
> Cc: Andrew Fish
> Cc: Ray Ni
> Cc: Bret Barkelew
> Signed-off-by: Michael Kubacki
>
> V3 changes:
> * Address all non-unittest issues with ECC
> * Make additional style changes
> * Include section name in hunk headers in "ini-style" files
> * Remove requirement for the EdkiiPiSmmCommunicationsRegionTable driver
>   (now allocates its own buffer)
> * Change names from VARIABLE_POLICY_PROTOCOL and gVariablePolicyProtocolGuid
>   to EDKII_VARIABLE_POLICY_PROTOCOL and gEdkiiVariablePolicyProtocolGuid
> * Fix GCC warning about initializing externs
> * Add UNI strings for new PCD
> * Add patches for ArmVirtPkg, OvmfXen, and UefiPayloadPkg
> * Reorder patches according to Liming's feedback about adding to platforms
>   before changing variable driver
>
> V2 changes:
> * Fixed implementation for RuntimeDxe
> * Add PCD to block DisableVariablePolicy
> * Fix the DumpVariablePolicy pagination in SMM
>
> On a separate note, shallow threading might not work on this patch series
> due to changes made by the SMTP server. I apologize for any inconvenience.
>
> Bret Barkelew (14):
>   MdeModulePkg: Define the VariablePolicy protocol interface
>   MdeModulePkg: Define the VariablePolicyLib
>   MdeModulePkg: Define the VariablePolicyHelperLib
>   MdeModulePkg: Define the VarCheckPolicyLib and SMM interface
>   OvmfPkg: Add VariablePolicy engine to OvmfPkg platform
>   EmulatorPkg: Add VariablePolicy engine to EmulatorPkg platform
>   ArmVirtPkg: Add VariablePolicy engine to ArmVirtPkg platform
>   UefiPayloadPkg: Add VariablePolicy engine to UefiPayloadPkg platform
>   MdeModulePkg: Connect VariablePolicy business logic to VariableServices
>   MdeModulePkg: Allow VariablePolicy state to delete protected variables
>   SecurityPkg: Allow VariablePolicy state to delete authenticated variables
>   MdeModulePkg: Change TCG MOR variables to use VariablePolicy
>   MdeModulePkg: Drop VarLock from RuntimeDxe variable driver
>   MdeModulePkg: Add a shell-based functional test for VariablePolicy
>
>  MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c                               |  324 +++
>  MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.c                   |  404 ++++
>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitNull.c                     |   46 +
>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitRuntimeDxe.c               |   86 +
>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c                               |  830 +++++++
>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicyUnitTest.c   | 2533 ++++++++++++++++++++
>  MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/VariablePolicyFuncTestApp.c        | 1950 +++++++++++++++
>  MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c                               |   56 +-
>  MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c                               |   64 +-
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VarCheck.c                                    |   49 +-
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c                                 |   53 +
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableLockRequestToLock.c                   |   73 +
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c                        |  649 +++++
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c                       |   14 +
>  SecurityPkg/Library/AuthVariableLib/AuthService.c                                        |   24 +-
>  ArmVirtPkg/ArmVirt.dsc.inc                                                               |    7 +
>  EmulatorPkg/EmulatorPkg.dsc                                                              |    6 +
>  MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h                                            |   54 +
>  MdeModulePkg/Include/Library/VariablePolicyHelperLib.h                                   |  164 ++
>  MdeModulePkg/Include/Library/VariablePolicyLib.h                                         |  207 ++
>  MdeModulePkg/Include/Protocol/VariablePolicy.h                                           |  157 ++
>  MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf                             |   42 +
>  MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.uni                             |   12 +
>  MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf                 |   35 +
>  MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.uni                 |   12 +
>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf                             |   44 +
>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.uni                             |   12 +
>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf                   |   51 +
>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicyUnitTest.inf |   40 +
>  MdeModulePkg/MdeModulePkg.ci.yaml                                                        |    4 +-
>  MdeModulePkg/MdeModulePkg.dec                                                            |   26 +-
>  MdeModulePkg/MdeModulePkg.dsc                                                            |   15 +
>  MdeModulePkg/MdeModulePkg.uni                                                            |    7 +
>  MdeModulePkg/Test/MdeModulePkgHostTest.dsc                                               |   11 +
>  MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/Readme.md                          |   55 +
>  MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/VariablePolicyFuncTestApp.inf      |   42 +
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf                        |    5 +
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf                               |    4 +
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf                     |   11 +
>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf                      |    4 +
>  OvmfPkg/OvmfPkgIa32.dsc                                                                  |    8 +
>  OvmfPkg/OvmfPkgIa32X64.dsc                                                               |    8 +
>  OvmfPkg/OvmfPkgX64.dsc                                                                   |    8 +
>  OvmfPkg/OvmfXen.dsc                                                                      |    7 +
>  SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf                                  |    2 +
>  UefiPayloadPkg/UefiPayloadPkgIa32.dsc                                                    |    7 +
>  UefiPayloadPkg/UefiPayloadPkgIa32X64.dsc                                                 |    7 +
>  47 files changed, 8151 insertions(+), 78 deletions(-)
>  create mode 100644 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c
>  create mode 100644 MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.c
>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitNull.c
>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitRuntimeDxe.c
>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c
>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicyUnitTest.c
>  create mode 100644 MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/VariablePolicyFuncTestApp.c
>  create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableLockRequestToLock.c
>  create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c
>  create mode 100644 MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h
>  create mode 100644 MdeModulePkg/Include/Library/VariablePolicyHelperLib.h
>  create mode 100644 MdeModulePkg/Include/Library/VariablePolicyLib.h
>  create mode 100644 MdeModulePkg/Include/Protocol/VariablePolicy.h
>  create mode 100644 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf
>  create mode 100644 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.uni
>  create mode 100644 MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
>  create mode 100644 MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.uni
>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.uni
>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf
>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicyUnitTest.inf
>  create mode 100644 MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/Readme.md
>  create mode 100644 MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/VariablePolicyFuncTestApp.inf
>
> --
> 2.16.3.windows.1
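As an added example (not code from this series or from edk2), the self-contained C program below models the kind of check the cover letter describes a variable-policy engine doing at SetVariable time: the request is matched to the most specific registered policy, checked against size and attribute bounds, and refused when a lock applies, including a lock keyed on another variable's state in the MOR style, plus a kill switch that the platform can refuse to honour (in the spirit of the PCD listed under the V2 changes). The type and field names, the namespace-as-string shortcut, the '#' wildcard rule and the sample policies and variable store are all assumptions constructed for this example; they are not EDKII_VARIABLE_POLICY_PROTOCOL or VariablePolicyLib.

```c
/* Added illustrative model of a UEFI variable-policy check. This is not edk2
 * code: the names, struct layout and namespace-as-string shortcut are
 * assumptions for this example, and the sample policies/store are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EFI_VARIABLE_NON_VOLATILE        0x01u
#define EFI_VARIABLE_BOOTSERVICE_ACCESS  0x02u
#define EFI_VARIABLE_RUNTIME_ACCESS      0x04u

enum lock_type { NO_LOCK, LOCK_NOW, LOCK_ON_CREATE, LOCK_ON_VAR_STATE };
typedef enum { ALLOW = 0, DENY_LOCKED, DENY_SIZE, DENY_ATTR } verdict_t;

typedef struct {
  const char *ns, *name;              /* name NULL = whole namespace; '#' = one hex digit */
  uint32_t min_size, max_size, must_have, cant_have;
  enum lock_type lock;
  const char *state_ns, *state_name;  /* trigger variable for LOCK_ON_VAR_STATE */
  uint8_t state_value;
} policy_t;
typedef struct { const char *ns, *name; uint32_t attrs, size; uint8_t byte0; } var_t;

static bool g_enforce = true, g_allow_disable = false; /* latter models the blocking PCD */

/* 0 on success; -1 when the platform refuses to turn enforcement off. */
int disable_variable_policy(void) {
  if (!g_allow_disable) return -1;
  g_enforce = false;
  return 0;
}

static bool is_hex(char c) { return c != '\0' && strchr("0123456789abcdefABCDEF", c) != NULL; }

/* '#' in the pattern matches exactly one hexadecimal digit. */
static bool name_matches(const char *pat, const char *name) {
  for (; *pat && *name; pat++, name++)
    if (*pat == '#' ? !is_hex(*name) : *pat != *name) return false;
  return *pat == '\0' && *name == '\0';
}

/* Match strength: 0 none, 1 namespace-only, 2 wildcard name, 3 exact name. */
static int match_score(const policy_t *p, const char *ns, const char *name) {
  if (strcmp(p->ns, ns) != 0) return 0;
  if (p->name == NULL) return 1;
  if (!name_matches(p->name, name)) return 0;
  return strchr(p->name, '#') ? 2 : 3;
}

static const var_t *find_var(const var_t *st, size_t n, const char *ns, const char *name) {
  for (size_t i = 0; i < n; i++)
    if (!strcmp(st[i].ns, ns) && !strcmp(st[i].name, name)) return &st[i];
  return NULL;
}

/* Decide whether SetVariable(ns, name, attrs, size) may proceed. A zero-length
 * write is a delete: locks still apply to it, size/attribute bounds do not. */
verdict_t check_set_variable(const policy_t *pol, size_t np, const var_t *store, size_t nv,
                             const char *ns, const char *name, uint32_t attrs, uint32_t size) {
  if (!g_enforce) return ALLOW;
  const policy_t *best = NULL;
  int hi = 0;
  for (size_t i = 0; i < np; i++) {
    int s = match_score(&pol[i], ns, name);
    if (s > hi) { hi = s; best = &pol[i]; }
  }
  if (best == NULL) return ALLOW;                       /* nothing registered */
  if (best->lock == LOCK_NOW) return DENY_LOCKED;
  if (best->lock == LOCK_ON_CREATE && find_var(store, nv, ns, name)) return DENY_LOCKED;
  if (best->lock == LOCK_ON_VAR_STATE) {
    const var_t *st = find_var(store, nv, best->state_ns, best->state_name);
    if (st && st->size == 1 && st->byte0 == best->state_value) return DENY_LOCKED;
  }
  if (size == 0) return ALLOW;                          /* delete: only locks apply */
  if (size < best->min_size || size > best->max_size) return DENY_SIZE;
  if ((attrs & best->must_have) != best->must_have || (attrs & best->cant_have)) return DENY_ATTR;
  return ALLOW;
}

/* Constructed sample: a size/attribute-bound "Setup", a wildcard family locked
 * now, a MOR-style pair where MorLock == 1 freezes MorControl (including
 * deletion), and a namespace-wide lock-on-create fallback. */
#define NS   "constructed-vendor-ns"
#define NVBS (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS)
const policy_t g_policies[] = {
  { NS, "Setup",      4, 64,         NVBS, EFI_VARIABLE_RUNTIME_ACCESS, NO_LOCK,           NULL, NULL,      0 },
  { NS, "Secret####", 0, UINT32_MAX, 0,    0,                           LOCK_NOW,          NULL, NULL,      0 },
  { NS, "MorControl", 0, UINT32_MAX, 0,    0,                           LOCK_ON_VAR_STATE, NS,   "MorLock", 1 },
  { NS, NULL,         0, UINT32_MAX, 0,    0,                           LOCK_ON_CREATE,    NULL, NULL,      0 },
};
const var_t g_store[] = { { NS, "MorLock", NVBS, 1, 1 }, { NS, "Existing", NVBS, 4, 0 } };
const size_t g_npol = sizeof g_policies / sizeof *g_policies, g_nvar = sizeof g_store / sizeof *g_store;

int main(void) {
  printf("Setup 16B=%d  MorControl delete=%d  disable=%d\n",
         check_set_variable(g_policies, g_npol, g_store, g_nvar, NS, "Setup", NVBS, 16),
         check_set_variable(g_policies, g_npol, g_store, g_nvar, NS, "MorControl", NVBS, 0),
         disable_variable_policy());
  return 0;
}
```

The ordering inside check_set_variable is the point worth noticing: a zero-length write is a delete, and it goes through the lock checks before the size and attribute bounds are skipped, so a lock protects a variable against deletion as well as against overwrite. The wildcard rule also shows why "most specific match wins" matters: a namespace-wide fallback must not silently override a narrower lock on one name.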