From: "Michael Kubacki"
To: devel@edk2.groups.io
CC: Jordan Justen, Laszlo Ersek, Ard Biesheuvel, Bret Barkelew
Subject: [PATCH v3 05/14] OvmfPkg: Add VariablePolicy engine to OvmfPkg platform
Date: Thu, 21 May 2020 15:43:22 -0700
In-Reply-To: <20200521224331.15616-1-michael.kubacki@outlook.com>
References: <20200521224331.15616-1-michael.kubacki@outlook.com>

From: Bret Barkelew

https://bugzilla.tianocore.org/show_bug.cgi?id=2522

Cc: Jordan Justen
Cc: Laszlo Ersek
Cc: Ard Biesheuvel
Cc: Bret Barkelew
Signed-off-by: Michael Kubacki
---
 OvmfPkg/OvmfPkgIa32.dsc    | 8 ++++++++
 OvmfPkg/OvmfPkgIa32X64.dsc | 8 ++++++++
 OvmfPkg/OvmfPkgX64.dsc     | 8 ++++++++
 OvmfPkg/OvmfXen.dsc        | 7 +++++++
 4 files changed, 31 insertions(+)

diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc index cbc5f0e583bc..2c64591f88a3 100644 --- a/OvmfPkg/OvmfPkgIa32.dsc +++ b/OvmfPkg/OvmfPkgIa32.dsc @@ -3,6 +3,7 @@ # # Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.
# (C) Copyright 2016 Hewlett Packard Enterprise Development LP
+# Copyright (c) Microsoft Corporation.
# # SPDX-License-Identifier: BSD-2-Clause-Patent # @@ -194,6 +195,8 @@ [LibraryClasses] AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf !endif VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf + VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyL= ib.inf + VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/Var= iablePolicyHelperLib.inf =20 =20 # @@ -327,6 +330,7 @@ [LibraryClasses.common.DXE_RUNTIME_DRIVER] BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf + VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyL= ibRuntimeDxe.inf =20 [LibraryClasses.common.UEFI_DRIVER] PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf @@ -480,6 +484,9 @@ [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVolatileVariableSize|0x40000 !endif =20 + # Optional: Omit if VariablePolicy should be always-on. + gEfiMdeModulePkgTokenSpaceGuid.PcdAllowVariablePolicyEnforcementDisable|= TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdVpdBaseAddress|0x0 =20 gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x07 @@ -921,6 +928,7 @@ [Components] MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf { NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf + NULL|MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf } MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf =20 diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc index 6d69cc6cb56f..99527e03b9d0 100644 --- a/OvmfPkg/OvmfPkgIa32X64.dsc +++ b/OvmfPkg/OvmfPkgIa32X64.dsc @@ -3,6 +3,7 @@ # # Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.
# (C) Copyright 2016 Hewlett Packard Enterprise Development LP
+# Copyright (c) Microsoft Corporation.
# # SPDX-License-Identifier: BSD-2-Clause-Patent # @@ -198,6 +199,8 @@ [LibraryClasses] AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf !endif VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf + VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyL= ib.inf + VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/Var= iablePolicyHelperLib.inf =20 =20 # @@ -331,6 +334,7 @@ [LibraryClasses.common.DXE_RUNTIME_DRIVER] BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf + VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyL= ibRuntimeDxe.inf =20 [LibraryClasses.common.UEFI_DRIVER] PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf @@ -484,6 +488,9 @@ [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVolatileVariableSize|0x40000 !endif =20 + # Optional: Omit if VariablePolicy should be always-on. + gEfiMdeModulePkgTokenSpaceGuid.PcdAllowVariablePolicyEnforcementDisable|= TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdVpdBaseAddress|0x0 =20 gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x07 @@ -934,6 +941,7 @@ [Components.X64] MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf { NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf + NULL|MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf } MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf =20 diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc index 5ad4f461ce52..4a6b18d7899d 100644 --- a/OvmfPkg/OvmfPkgX64.dsc +++ b/OvmfPkg/OvmfPkgX64.dsc @@ -3,6 +3,7 @@ # # Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.
# (C) Copyright 2016 Hewlett Packard Enterprise Development LP
+# Copyright (c) Microsoft Corporation.
# # SPDX-License-Identifier: BSD-2-Clause-Patent # @@ -198,6 +199,8 @@ [LibraryClasses] AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf !endif VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf + VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyL= ib.inf + VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/Var= iablePolicyHelperLib.inf =20 =20 # @@ -331,6 +334,7 @@ [LibraryClasses.common.DXE_RUNTIME_DRIVER] BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf + VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyL= ibRuntimeDxe.inf =20 [LibraryClasses.common.UEFI_DRIVER] PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf @@ -484,6 +488,9 @@ [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVolatileVariableSize|0x40000 !endif =20 + # Optional: Omit if VariablePolicy should be always-on. + gEfiMdeModulePkgTokenSpaceGuid.PcdAllowVariablePolicyEnforcementDisable|= TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdVpdBaseAddress|0x0 =20 gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x07 @@ -932,6 +939,7 @@ [Components] MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf { NULL|MdeModulePkg/Library/VarCheckUefiLib/VarCheckUefiLib.inf + NULL|MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf } MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf =20 diff --git a/OvmfPkg/OvmfXen.dsc b/OvmfPkg/OvmfXen.dsc index 47ee8db8b884..c2d476133b9d 100644 --- a/OvmfPkg/OvmfXen.dsc +++ b/OvmfPkg/OvmfXen.dsc @@ -3,6 +3,7 @@ # # Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.
# (C) Copyright 2016 Hewlett Packard Enterprise Development LP
+# Copyright (c) Microsoft Corporation.
# Copyright (c) 2019, Citrix Systems, Inc. # # SPDX-License-Identifier: BSD-2-Clause-Patent @@ -182,6 +183,8 @@ [LibraryClasses] =20 AuthVariableLib|MdeModulePkg/Library/AuthVariableLibNull/AuthVariableLib= Null.inf VarCheckLib|MdeModulePkg/Library/VarCheckLib/VarCheckLib.inf + VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyL= ib.inf + VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/Var= iablePolicyHelperLib.inf =20 =20 # @@ -301,6 +304,7 @@ [LibraryClasses.common.DXE_RUNTIME_DRIVER] BaseCryptLib|CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf PciLib|OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf QemuFwCfgS3Lib|OvmfPkg/Library/QemuFwCfgS3Lib/DxeQemuFwCfgS3LibFwCfg.inf + VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyL= ibRuntimeDxe.inf =20 [LibraryClasses.common.UEFI_DRIVER] PcdLib|MdePkg/Library/DxePcdLib/DxePcdLib.inf @@ -394,6 +398,9 @@ [PcdsFixedAtBuild] gEfiMdeModulePkgTokenSpaceGuid.PcdMaxVolatileVariableSize|0x40000 !endif =20 + # Optional: Omit if VariablePolicy should be always-on. + gEfiMdeModulePkgTokenSpaceGuid.PcdAllowVariablePolicyEnforcementDisable|= TRUE + gEfiMdeModulePkgTokenSpaceGuid.PcdVpdBaseAddress|0x0 =20 gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x07 --=20 2.16.3.windows.1
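Review bot: In the [PcdsFixedAtBuild] hunks of all four DSC files, PcdAllowVariablePolicyEnforcementDisable is fixed to TRUE, but the comment above it ("Optional: Omit if VariablePolicy should be always-on.") only says when to leave the line out, not why OVMF wants enforcement to be something that can be disabled. The comment itself implies that omitting the PCD gives always-on enforcement, so either drop the setting so these platforms get the stricter behaviour, or extend the comment or the commit message with the reason OVMF needs the disable path and which component is expected to use it.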
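Review bot: VarCheckPolicyLib is added as a NULL library instance only under VariableSmm.inf, in the [Components] hunks of OvmfPkgIa32.dsc and OvmfPkgX64.dsc and the [Components.X64] hunk of OvmfPkgIa32X64.dsc, and OvmfXen.dsc has no such hunk at all (7 insertions against 8 for the other files). If any of these platforms can also build a variable driver other than VariableSmm.inf, that driver needs the same NULL instance next to VarCheckUefiLib; otherwise the library classes and the PCD are added but the policy check is not linked into the driver that handles variable writes. Please add it there, or state in the commit message why OvmfXen.dsc and any non-SMM build do not need it.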