Subject: Re: [PATCH v1 0/9] Add the VariablePolicy feature
To: "Yao, Jiewen", "devel@edk2.groups.io"
Cc: "Zhang, Chao B", "Wang, Jian J", "Wu, Hao A", "Gao, Liming", Bret Barkelew
References: <74D8A39837DF1E4DA445A8C0B3885C503F9D76C5@shsmsx102.ccr.corp.intel.com>
From: "Michael Kubacki"
Date: Mon, 13 Apr 2020 10:16:52 -0700
In-Reply-To: <74D8A39837DF1E4DA445A8C0B3885C503F9D76C5@shsmsx102.ccr.corp.intel.com>
This particular series was Bret's work so I'll let him speak to it.

Thanks,
Michael

On 4/10/2020 7:24 PM, Yao, Jiewen wrote:
> Hi Michael
> Thanks for the work.
>
> I remember the feedback before that I have a concern about having an API to *DisableVariablePolicy*, and I would prefer that we have a way to disable the *DisableVariablePolicy*.
>
> May I know how that is addressed in this patch?
>
> Thank you
> Yao Jiewen
>
>
>> -----Original Message-----
>> From: michael.kubacki@outlook.com
>> Sent: Saturday, April 11, 2020 2:36 AM
>> To: devel@edk2.groups.io
>> Cc: Yao, Jiewen; Zhang, Chao B; Wang, Jian J; Wu, Hao A; Gao, Liming
>> Subject: [PATCH v1 0/9] Add the VariablePolicy feature
>>
>> From: Michael Kubacki
>>
>> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2522
>>
>> The 9 patches in this series add the VariablePolicy feature to the core,
>> deprecate Edk2VarLock (while adding a compatibility layer to reduce code
>> churn), and integrate the VariablePolicy libraries and protocols into
>> Variable Services.
>>
>> Since the integration requires multiple changes, including adding libraries,
>> a protocol, an SMI communication handler, and VariableServices integration,
>> the patches are broken up by individual library additions and then a final
>> integration. Security-sensitive changes like bypassing Authenticated
>> Variable enforcement are also broken out into individual patches so that
>> attention can be called directly to them.
>>
>> The discussion of the feature can be found in multiple places throughout
>> the last year on the RFC channel, staging branches, and in devel.
>>
>> Most recently, this subject was discussed in this thread:
>> https://edk2.groups.io/g/devel/message/53712
>> (the code branches shared in that discussion are now out of date, but the
>> whitepapers and discussion are relevant).
>>
>> On a separate note, shallow threading might not work on this patch series
>> due to changes made by the SMTP server. Please bear with me while I am
>> investigating if this can be changed.
>>
>> Cc: Jiewen Yao
>> Cc: Chao Zhang
>> Cc: Jian J Wang
>> Cc: Hao A Wu
>> Cc: Liming Gao
>> Signed-off-by: Bret Barkelew
>> Signed-off-by: Michael Kubacki
>>
>> Bret Barkelew (9):
>>   MdeModulePkg: Define the VariablePolicy protocol interface
>>   MdeModulePkg: Define the VariablePolicyLib
>>   MdeModulePkg: Define the VariablePolicyHelperLib
>>   MdeModulePkg: Define the VarCheckPolicyLib and SMM interface
>>   MdeModulePkg: Connect VariablePolicy business logic to VariableServices
>>   MdeModulePkg: Allow VariablePolicy state to delete protected variables
>>   SecurityPkg: Allow VariablePolicy state to delete authenticated variables
>>   MdeModulePkg: Change TCG MOR variables to use VariablePolicy
>>   MdeModulePkg: Drop VarLock from RuntimeDxe variable driver
>>
>>  MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c | 211 ++
>>  MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.c | 396 ++++
>>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c | 773 +++++++
>>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicyUnitTest.c | 2285 ++++++++++++++++++++
>>  MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c | 52 +-
>>  MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c | 60 +-
>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VarCheck.c | 49 +-
>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c | 51 +
>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableLockRequstToLock.c | 71 +
>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c | 445 ++++
>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c | 15 +
>>  SecurityPkg/Library/AuthVariableLib/AuthService.c | 22 +-
>>  MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h | 43 +
>>  MdeModulePkg/Include/Library/VariablePolicyHelperLib.h | 164 ++
>>  MdeModulePkg/Include/Library/VariablePolicyLib.h | 206 ++
>>  MdeModulePkg/Include/Protocol/VariablePolicy.h | 156 ++
>>  MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf | 44 +
>>  MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.uni | 12 +
>>  MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf | 36 +
>>  MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.uni | 12 +
>>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf | 38 +
>>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.uni | 12 +
>>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicyUnitTest.inf | 41 +
>>  MdeModulePkg/MdeModulePkg.dec | 17 +-
>>  MdeModulePkg/MdeModulePkg.dsc | 7 +
>>  MdeModulePkg/Test/MdeModulePkgHostTest.dsc | 8 +
>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf | 5 +
>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf | 4 +
>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf | 8 +
>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf | 4 +
>>  SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf | 2 +
>>  31 files changed, 5172 insertions(+), 77 deletions(-)
>>  create mode 100644 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c
>>  create mode 100644 MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.c
>>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c
>>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicyUnitTest.c
>>  create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableLockRequstToLock.c
>>  create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c
>>  create mode 100644 MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h
>>  create mode 100644 MdeModulePkg/Include/Library/VariablePolicyHelperLib.h
>>  create mode 100644 MdeModulePkg/Include/Library/VariablePolicyLib.h
>>  create mode 100644 MdeModulePkg/Include/Protocol/VariablePolicy.h
>>  create mode 100644 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf
>>  create mode 100644 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.uni
>>  create mode 100644 MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
>>  create mode 100644 MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.uni
>>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
>>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.uni
>>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicyUnitTest.inf
>>
>> --
>> 2.16.3.windows.1
>
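The design point Jiewen raises above (an API that disables variable policy, and a lock that refuses that disable), as an added example in plain C. This is a constructed model written for this page, not code from the edk2 series or its VariablePolicyLib; every type and function name is hypothetical, and the two lock kinds it models (lock now, lock on create) are the model's own assumptions.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model of a variable-policy engine. All type and function names
 * are hypothetical; they are not the edk2 VariablePolicyLib/protocol API. */
typedef enum { LOCK_NOW, LOCK_ON_CREATE } LockType;
typedef struct { const char *Name; LockType Lock; } Policy;
typedef struct {
  Policy Policies[8];
  int    Count;
  bool   Enabled;  /* cleared by DisablePolicy() */
  bool   Locked;   /* once set, DisablePolicy() and RegisterPolicy() are refused */
} PolicyEngine;

/* Register a policy for a variable name; refused once the engine is locked. */
bool RegisterPolicy(PolicyEngine *E, const char *Name, LockType Lock) {
  if (E->Locked || E->Count >= 8) return false;
  E->Policies[E->Count++] = (Policy){ Name, Lock };
  return true;
}

/* Lock the engine: the "way to disable the disable" asked about in the thread. */
void LockPolicy(PolicyEngine *E) { E->Locked = true; }

/* Turn enforcement off; refused once locked. */
bool DisablePolicy(PolicyEngine *E) {
  if (E->Locked) return false;
  E->Enabled = false;
  return true;
}

/* Decide whether a SetVariable() on Name may proceed; Exists says whether the
 * variable is already in the store, which LOCK_ON_CREATE depends on. */
bool SetAllowed(const PolicyEngine *E, const char *Name, bool Exists) {
  if (!E->Enabled) return true;  /* a disabled engine enforces nothing */
  for (int I = 0; I < E->Count; I++) {
    const Policy *P = &E->Policies[I];
    if (strcmp(P->Name, Name) != 0) continue;
    if (P->Lock == LOCK_NOW || (P->Lock == LOCK_ON_CREATE && Exists)) return false;
  }
  return true;
}

int main(void) {
  /* Constructed scenario: lock the TCG MOR control variable, then lock the engine. */
  PolicyEngine E = { .Enabled = true };
  RegisterPolicy(&E, "MemoryOverwriteRequestControl", LOCK_NOW);
  LockPolicy(&E);
  return (DisablePolicy(&E) || SetAllowed(&E, "MemoryOverwriteRequestControl", true)) ? 1 : 0;
}
```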