From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "Liu, Linus" <linus.liu@intel.com>,
"devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: FST-FIR-PRC <fst-fir-prc@intel.com>,
FST FIR Server <fst.fir.server@intel.com>,
"Chu, Maggie" <maggie.chu@intel.com>
Subject: Re: [PATCH] Securitypkg/hddpassword: Update HddPasswordDxeInit to use Variable Policy
Date: Thu, 4 May 2023 23:49:56 +0000 [thread overview]
Message-ID: <MW4PR11MB5872F90A5F70FA73155886418C6D9@MW4PR11MB5872.namprd11.prod.outlook.com> (raw)
In-Reply-To: <PH7PR11MB588843006A63AFD5518B8C03FC6D9@PH7PR11MB5888.namprd11.prod.outlook.com>
Sounds good. Thank you very much!
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
> -----Original Message-----
> From: Liu, Linus <linus.liu@intel.com>
> Sent: Thursday, May 4, 2023 11:51 AM
> To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io
> Cc: FST-FIR-PRC <fst-fir-prc@intel.com>; FST FIR Server
> <fst.fir.server@intel.com>; Chu, Maggie <maggie.chu@intel.com>
> Subject: RE: [PATCH] Securitypkg/hddpassword: Update HddPasswordDxeInit
> to use Variable Policy
>
> Hi Jieewn
> Please refer the below reply.
>
> Have you done any function test? For example:
> 1) The HDD password feature still works?
> Linus : yes , HDD password feature still works.
>
> 2) The variable is really locked?
> Linus : I've tried using dmpstore command to write HDDPassword in UEFI
> Shell. Can't override it.
>
> Please refer to the below log.
> [2023-05-04 11:42:11.046] FS1:\> dmpstore -guid 737cded7-448b-4801-
> b57d-b19483ec606F -s HDDHDDPwd.txt
> [2023-05-04 11:42:18.835] Save variable to file: HDDPwd.txt.
> [2023-05-04 11:42:18.909] Variable NV+BS '737CDED7-448B-4801-B57D-
> B19483EC606F:HddPassword' DataSize = 0x48
> [2023-05-04 11:42:42.859] Load and set variables from file: HDDPwd.txt.
> [2023-05-04 11:42:42.934] Variable NV+BS '737CDED7-448B-4801-B57D-
> B19483EC606F:HddPassword' DataSize = 0x48
> [2023-05-04 11:42:43.082] dmpstore: Failed to set variable HddPassword:
> Write Protected.
>
>
> Thanks.
>
> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Wednesday, May 3, 2023 9:21 AM
> To: Liu, Linus <linus.liu@intel.com>; devel@edk2.groups.io
> Cc: FST-FIR-PRC <fst-fir-prc@intel.com>; FST FIR Server
> <fst.fir.server@intel.com>; Chu, Maggie <maggie.chu@intel.com>
> Subject: RE: [PATCH] Securitypkg/hddpassword: Update HddPasswordDxeInit
> to use Variable Policy
>
> That only proves that you did change the interface. But that cannot prove
> you change it right.
>
> Have you done any function test? For example:
> 1) The HDD password feature still works?
> 2) The variable is really locked?
>
>
> > -----Original Message-----
> > From: Liu, Linus <linus.liu@intel.com>
> > Sent: Wednesday, May 3, 2023 8:40 AM
> > To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io
> > Cc: FST-FIR-PRC <fst-fir-prc@intel.com>; FST FIR Server
> > <fst.fir.server@intel.com>; Chu, Maggie <maggie.chu@intel.com>
> > Subject: RE: [PATCH] Securitypkg/hddpassword: Update
> > HddPasswordDxeInit to use Variable Policy
> >
> > Hi Jiewen
> > I add this patch into MTLS platform and collect the log.
> > The below is before adding patch and after adding patch. There is no
> > warring message.
> >
> >
> > Before
> >
> > InstallProtocolInterface: 09576E91-6D3F-11D2-8E39-00A0C969723B
> > 67E4C490
> > InstallProtocolInterface: 330D4706-F2A0-4E4F-A369-B66FA8D54385
> > 68180030
> > !!! DEPRECATED INTERFACE !!! VariableLockRequestToLock() will go away
> > soon!
> > !!! DEPRECATED INTERFACE !!! Please move to use Variable Policy!
> > !!! DEPRECATED INTERFACE !!! Variable: 737CDED7-448B-4801-B57D-
> > B19483EC606F HddPassword
> > HddPasswordDxeInit(): Lock HddPassword variable (Success)
> >
> >
> > After
> >
> > InstallProtocolInterface: 09576E91-6D3F-11D2-8E39-00A0C969723B
> > 67EA1370
> > InstallProtocolInterface: 330D4706-F2A0-4E4F-A369-B66FA8D54385
> > 68153DB0
> > HddPasswordDxeInit(): Lock HddPassword variable (Success)
> >
> >
> > Thanks
> >
> >
> >
> > -----Original Message-----
> > From: Yao, Jiewen <jiewen.yao@intel.com>
> > Sent: Wednesday, May 3, 2023 12:11 AM
> > To: Liu, Linus <linus.liu@intel.com>; devel@edk2.groups.io
> > Cc: FST-FIR-PRC <fst-fir-prc@intel.com>; FST FIR Server
> > <fst.fir.server@intel.com>; Chu, Maggie <maggie.chu@intel.com>
> > Subject: RE: [PATCH] Securitypkg/hddpassword: Update
> > HddPasswordDxeInit to use Variable Policy
> >
> > Thanks. The patch loos good to me.
> >
> > Would you please share with us, how you validate the patch?
> >
> >
> >
> > > -----Original Message-----
> > > From: Liu, Linus <linus.liu@intel.com>
> > > Sent: Tuesday, April 11, 2023 5:55 PM
> > > To: devel@edk2.groups.io
> > > Cc: Yao, Jiewen <jiewen.yao@intel.com>; FST-FIR-PRC <fst-fir-
> > > prc@intel.com>; FST FIR Server <fst.fir.server@intel.com>; Chu,
> > > Maggie <maggie.chu@intel.com>
> > > Subject: [PATCH] Securitypkg/hddpassword: Update HddPasswordDxeInit
> > to
> > > use Variable Policy
> > >
> > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=4408
> > >
> > > Change-Id: I3c4b466ef318766d6d70c9f73e36b94b5f10832c
> > > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > > Cc: FST-FIR-PRC <fst-fir-prc@intel.com>
> > > Cc: FST FIR Server C <fst.fir.server@intel.com>
> > > Cc: Maggie Chu <maggie.chu@intel.com>
> > > Signed-off-by: Linus Liu <linus.liu@intel.com>
> > > ---
> > > SecurityPkg/HddPassword/HddPasswordDxe.c | 16 +++++++++++-----
> > > SecurityPkg/HddPassword/HddPasswordDxe.h | 1 -
> > > SecurityPkg/HddPassword/HddPasswordDxe.inf | 3 ++-
> > > SecurityPkg/SecurityPkg.dsc | 1 +
> > > 4 files changed, 14 insertions(+), 7 deletions(-)
> > >
> > > diff --git a/SecurityPkg/HddPassword/HddPasswordDxe.c
> > > b/SecurityPkg/HddPassword/HddPasswordDxe.c
> > > index a1a63b67a4..c20fdbe83f 100644
> > > --- a/SecurityPkg/HddPassword/HddPasswordDxe.c
> > > +++ b/SecurityPkg/HddPassword/HddPasswordDxe.c
> > > @@ -9,6 +9,7 @@
> > > **/
> > >
> > >
> > >
> > > #include "HddPasswordDxe.h"
> > >
> > > +#include <Library/VariablePolicyHelperLib.h>
> > >
> > >
> > >
> > > EFI_GUID mHddPasswordVendorGuid =
> > > HDD_PASSWORD_CONFIG_GUID;
> > >
> > > CHAR16 mHddPasswordVendorStorageName[] =
> > > L"HDD_PASSWORD_CONFIG";
> > >
> > > @@ -2822,7 +2823,7 @@ HddPasswordDxeInit (
> > > HDD_PASSWORD_DXE_PRIVATE_DATA *Private;
> > >
> > > VOID *Registration;
> > >
> > > EFI_EVENT EndOfDxeEvent;
> > >
> > > - EDKII_VARIABLE_LOCK_PROTOCOL *VariableLock;
> > >
> > > + EDKII_VARIABLE_POLICY_PROTOCOL *VariablePolicy;
> > >
> > >
> > >
> > > Private = NULL;
> > >
> > >
> > >
> > > @@ -2858,12 +2859,17 @@ HddPasswordDxeInit (
> > > //
> > >
> > > // Make HDD_PASSWORD_VARIABLE_NAME variable read-only.
> > >
> > > //
> > >
> > > - Status = gBS->LocateProtocol (&gEdkiiVariableLockProtocolGuid,
> > > NULL, (VOID **)&VariableLock);
> > >
> > > + Status = gBS->LocateProtocol (&gEdkiiVariablePolicyProtocolGuid,
> > > + NULL,
> > > (VOID **)&VariablePolicy);
> > >
> > > if (!EFI_ERROR (Status)) {
> > >
> > > - Status = VariableLock->RequestToLock (
> > >
> > > - VariableLock,
> > >
> > > + Status = RegisterBasicVariablePolicy (
> > >
> > > + VariablePolicy,
> > >
> > > + &mHddPasswordVendorGuid,
> > >
> > > HDD_PASSWORD_VARIABLE_NAME,
> > >
> > > - &mHddPasswordVendorGuid
> > >
> > > + VARIABLE_POLICY_NO_MIN_SIZE,
> > >
> > > + VARIABLE_POLICY_NO_MAX_SIZE,
> > >
> > > + VARIABLE_POLICY_NO_MUST_ATTR,
> > >
> > > + VARIABLE_POLICY_NO_CANT_ATTR,
> > >
> > > + VARIABLE_POLICY_TYPE_LOCK_NOW
> > >
> > > );
> > >
> > > DEBUG ((DEBUG_INFO, "%a(): Lock %s variable (%r)\n",
> > > __FUNCTION__, HDD_PASSWORD_VARIABLE_NAME, Status));
> > >
> > > ASSERT_EFI_ERROR (Status);
> > >
> > > diff --git a/SecurityPkg/HddPassword/HddPasswordDxe.h
> > > b/SecurityPkg/HddPassword/HddPasswordDxe.h
> > > index 231533e737..049a208794 100644
> > > --- a/SecurityPkg/HddPassword/HddPasswordDxe.h
> > > +++ b/SecurityPkg/HddPassword/HddPasswordDxe.h
> > > @@ -17,7 +17,6 @@
> > > #include <Protocol/AtaPassThru.h>
> > >
> > > #include <Protocol/PciIo.h>
> > >
> > > #include <Protocol/HiiConfigAccess.h>
> > >
> > > -#include <Protocol/VariableLock.h>
> > >
> > >
> > >
> > > #include <Guid/MdeModuleHii.h>
> > >
> > > #include <Guid/EventGroup.h>
> > >
> > > diff --git a/SecurityPkg/HddPassword/HddPasswordDxe.inf
> > > b/SecurityPkg/HddPassword/HddPasswordDxe.inf
> > > index 06e8755ffc..2c0ebbcc78 100644
> > > --- a/SecurityPkg/HddPassword/HddPasswordDxe.inf
> > > +++ b/SecurityPkg/HddPassword/HddPasswordDxe.inf
> > > @@ -50,6 +50,7 @@
> > > PrintLib
> > >
> > > UefiLib
> > >
> > > LockBoxLib
> > >
> > > + VariablePolicyHelperLib
> > >
> > > S3BootScriptLib
> > >
> > > PciLib
> > >
> > > BaseCryptLib
> > >
> > > @@ -63,7 +64,7 @@
> > > gEfiHiiConfigAccessProtocolGuid ## PRODUCES
> > >
> > > gEfiAtaPassThruProtocolGuid ## CONSUMES
> > >
> > > gEfiPciIoProtocolGuid ## CONSUMES
> > >
> > > - gEdkiiVariableLockProtocolGuid ## CONSUMES
> > >
> > > + gEdkiiVariablePolicyProtocolGuid ## CONSUMES
> > >
> > >
> > >
> > > [Pcd]
> > >
> > > gEfiSecurityPkgTokenSpaceGuid.PcdSkipHddPasswordPrompt ##
> > CONSUMES
> > >
> > > diff --git a/SecurityPkg/SecurityPkg.dsc
> > > b/SecurityPkg/SecurityPkg.dsc index 3bad5375c0..3c62205162 100644
> > > --- a/SecurityPkg/SecurityPkg.dsc
> > > +++ b/SecurityPkg/SecurityPkg.dsc
> > > @@ -74,6 +74,7 @@
> > >
> > > PlatformPKProtectionLib|SecurityPkg/Library/PlatformPKProtectionLibV
> > > PlatformPKProtectionLib|ar
> > > PlatformPKProtectionLib|Po
> > > licy/PlatformPKProtectionLibVarPolicy.inf
> > >
> > >
> > > SecureBootVariableProvisionLib|SecurityPkg/Library/SecureBootVariabl
> > > SecureBootVariableProvisionLib|eP
> > > SecureBootVariableProvisionLib|ro
> > > visionLib/SecureBootVariableProvisionLib.inf
> > >
> > > TdxLib|MdePkg/Library/TdxLib/TdxLib.inf
> > >
> > > +
> > > VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib
> > > VariablePolicyHelperLib|/V
> > > VariablePolicyHelperLib|ar
> > > iablePolicyHelperLib.inf
> > >
> > >
> > >
> > > [LibraryClasses.ARM, LibraryClasses.AARCH64]
> > >
> > > #
> > >
> > > --
> > > 2.33.1.windows.1
next prev parent reply other threads:[~2023-05-04 23:50 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-11 9:55 [PATCH] Securitypkg/hddpassword: Update HddPasswordDxeInit to use Variable Policy Linus Liu
2023-05-02 16:10 ` Yao, Jiewen
2023-05-03 0:39 ` Linus Liu
2023-05-03 1:21 ` Yao, Jiewen
2023-05-04 3:50 ` Linus Liu
2023-05-04 23:49 ` Yao, Jiewen [this message]
[not found] ` <175C15AECAAF6F6F.898@groups.io>
2023-05-05 6:30 ` [edk2-devel] " Yao, Jiewen
2023-05-08 1:08 ` Linus Liu
2023-05-08 1:29 ` Yao, Jiewen
2023-05-08 5:53 ` Linus Liu
-- strict thread matches above, loose matches on Subject: below --
2023-04-11 3:53 Linus Liu
2023-04-11 3:47 linus.liu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=MW4PR11MB5872F90A5F70FA73155886418C6D9@MW4PR11MB5872.namprd11.prod.outlook.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox