From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [edk2-devel] [PATCH v9 00/13] Add the VariablePolicy feature
To: devel@edk2.groups.io, awarkentin@vmware.com, Ard Biesheuvel, "debtech@gmail.com"
CC: Bret Barkelew, Jiewen Yao, Dandan Bi, Chao Zhang, Jian J Wang, Hao A Wu, Liming Gao, Jordan Justen, Laszlo Ersek, Andrew Fish, Ray Ni, Bret Barkelew
References: <0c1ea26d-e7f2-11d7-b7d1-66cd5def51b3@arm.com> <345CC9C5-CCDB-4F76-A636-238B116DE217@gmail.com>
From: "Michael Kubacki"
Date: Thu, 19 Nov 2020 12:16:26 -0800

While I'm not currently a maintainer in either repo, I believe the
current process is not ideal. I highlighted some of my observations
here: https://edk2.groups.io/g/devel/message/65902.

Again, I don't have a strong vested interest in this but I do think some
level of a more well defined process needs to be reached between repo
maintainers to ease feature development in the future.

Thanks,
Michael

On 11/19/2020 12:02 PM, Andrei Warkentin wrote:
> Hi Bret,
>
> To be honest, I don't recall seeing anything. Again, maybe I should have
> been more proactive, but that's probably the net reality for most
> people. It would be unreasonable to expect you to test every platform,
> but it is very reasonable to assume that if you know you're adding build
> breakage to every platform (that is trivial to fix), that you would be
> taking care of it... Principle of least surprise. And yes, in some weird
> corner case perhaps that would be insufficient (again, I don't think
> anyone would expect you to compile test every platform), but it would
> take care of 99% of obvious fall-out.
>
> For reference, there are occasional clean-ups that happen to the edk2
> tree, and I've never seen anyone claim "not my problem" to deal with the
> obvious fall-out resulting from renames and such.
>
> A
> ------------------------------------------------------------------------
> *From:* devel@edk2.groups.io on behalf of Bret Barkelew via groups.io
> *Sent:* Thursday, November 19, 2020 10:15 AM
> *To:* Ard Biesheuvel
> *Cc:* Bret Barkelew; devel@edk2.groups.io; Jiewen Yao; Dandan Bi;
> Chao Zhang; Jian J Wang; Hao A Wu; Liming Gao; Jordan Justen;
> Laszlo Ersek; Andrew Fish; Ray Ni; Bret Barkelew
> *Subject:* Re: [edk2-devel] [PATCH v9 00/13] Add the VariablePolicy feature
> Those bugs and recommendations were sent out months ago. Several
> platforms have staged the changes already.
>
> You need to add the library class to your DSC.
>
> --
> [ Insert obscure pop-culture reference here. ]
>
>> On Nov 19, 2020, at 4:46 AM, Ard Biesheuvel wrote:
>>
>> On 11/9/20 7:45 AM, Bret Barkelew wrote:
>>> The 14 patches in this series add the VariablePolicy feature to the core,
>>> deprecate Edk2VarLock (while adding a compatibility layer to reduce code
>>> churn), and integrate the VariablePolicy libraries and protocols into
>>> Variable Services.
>>> Since the integration requires multiple changes, including adding libraries,
>>> a protocol, an SMI communication handler, and VariableServices integration,
>>> the patches are broken up by individual library additions and then a final
>>> integration. Security-sensitive changes like bypassing Authenticated
>>> Variable enforcement are also broken out into individual patches so that
>>> attention can be called directly to them.
>>> Platform porting instructions are described in this wiki entry:
>>> https://github.com/tianocore/tianocore.github.io/wiki/VariablePolicy-Protocol---Enhanced-Method-for-Managing-Variables#platform-porting
>>> Discussion of the feature can be found in multiple places throughout
>>> the last year on the RFC channel, staging branches, and in devel.
>>> Most recently, this subject was discussed in this thread:
>>> https://edk2.groups.io/g/devel/message/53712
>>> (the code branches shared in that discussion are now out of date, but the
>>> whitepapers and discussion are relevant).
>>> Cc: Jiewen Yao
>>> Cc: Dandan Bi
>>> Cc: Chao Zhang
>>> Cc: Jian J Wang
>>> Cc: Hao A Wu
>>> Cc: Liming Gao
>>> Cc: Jordan Justen
>>> Cc: Laszlo Ersek
>>> Cc: Ard Biesheuvel
>>> Cc: Andrew Fish
>>> Cc: Ray Ni
>>> Cc: Bret Barkelew
>>> Signed-off-by: Bret Barkelew
>>
>> This series has now made it into edk2, and has subsequently broken every single platform in edk2-platforms. Is anyone intending to propose any fixes for this?
>>
>>> v9 changes:
>>> * Rebase
>>> * Address the event ordering issues around MorLock at EndOfDxe
>>> * Drop problematic tests
>>> * Address ECC issues
>>> v8 changes:
>>> * Rebase
>>> * Small tweaks from final PRs
>>> * Drank a lot
>>> * Enrolled several members and a steward in CatFacts
>>> v7 changes:
>>> * Address comments from Dandan about security of the MM handler
>>> * Add readme
>>> * Fix bug around hex characters in BOOT####, etc
>>> * Add additional testing for hex characters
>>> * Add additional testing for authenticated variables
>>> v6 changes:
>>> * Fix an issue with uninitialized Status in InitVariablePolicyLib() and DeinitVariablePolicyLib()
>>> * Fix GCC building in shell-based functional test
>>> * Rebase on latest origin/master
>>> v5 changes:
>>> * Fix the CONST mismatch in VariablePolicy.h and VariablePolicySmmDxe.c
>>> * Fix EFIAPI mismatches in the functional unittest
>>> * Rebase on latest origin/master
>>> v4 changes:
>>> * Remove Optional PcdAllowVariablePolicyEnforcementDisable PCD from platforms
>>> * Rebase on master
>>> * Migrate to new MmCommunicate2 protocol
>>> * Fix an oversight in the default return value for InitMmCommonCommBuffer
>>> * Fix in VariablePolicyLib to allow ExtraInitRuntimeDxe to consume variables
>>> V3 changes:
>>> * Address all non-unittest issues with ECC
>>> * Make additional style changes
>>> * Include section name in hunk headers in "ini-style" files
>>> * Remove requirement for the EdkiiPiSmmCommunicationsRegionTable driver
>>>   (now allocates its own buffer)
>>> * Change names from VARIABLE_POLICY_PROTOCOL and gVariablePolicyProtocolGuid
>>>   to EDKII_VARIABLE_POLICY_PROTOCOL and gEdkiiVariablePolicyProtocolGuid
>>> * Fix GCC warning about initializing externs
>>> * Add UNI strings for new PCD
>>> * Add patches for ArmVirtPkg, OvmfXen, and UefiPayloadPkg
>>> * Reorder patches according to Liming's feedback about adding to platforms
>>>   before changing variable driver
>>> V2 changes:
>>> * Fixed implementation for RuntimeDxe
>>> * Add PCD to block DisableVariablePolicy
>>> * Fix the DumpVariablePolicy pagination in SMM
>>> Bret Barkelew (13):
>>>   MdeModulePkg: Define the VariablePolicy protocol interface
>>>   MdeModulePkg: Define the VariablePolicyLib
>>>   MdeModulePkg: Define the VariablePolicyHelperLib
>>>   MdeModulePkg: Define the VarCheckPolicyLib and SMM interface
>>>   OvmfPkg: Add VariablePolicy engine to OvmfPkg platform
>>>   EmulatorPkg: Add VariablePolicy engine to EmulatorPkg platform
>>>   ArmVirtPkg: Add VariablePolicy engine to ArmVirtPkg platform
>>>   UefiPayloadPkg: Add VariablePolicy engine to UefiPayloadPkg platform
>>>   MdeModulePkg: Connect VariablePolicy business logic to
>>>     VariableServices
>>>   MdeModulePkg: Allow VariablePolicy state to delete protected variables
>>>   SecurityPkg: Allow VariablePolicy state to delete authenticated
>>>     variables
>>>   MdeModulePkg: Change TCG MOR variables to use VariablePolicy
>>>   MdeModulePkg: Drop VarLock from RuntimeDxe variable driver
>>>  MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c | 346 ++++++++
>>>  MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.c | 396 ++++++++++
>>>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitNull.c | 46 ++
>>>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitRuntimeDxe.c | 85 ++
>>>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c | 830 ++++++++++++++++++++
>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c | 52 +-
>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c | 60 +-
>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VarCheck.c | 49 +-
>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c | 60 ++
>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableLockRequestToLock.c | 71 ++
>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c | 573 ++++++++++++++
>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c | 7 +
>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c | 14 +
>>>  SecurityPkg/Library/AuthVariableLib/AuthService.c | 30 +-
>>>  ArmVirtPkg/ArmVirt.dsc.inc | 4 +
>>>  EmulatorPkg/EmulatorPkg.dsc | 3 +
>>>  MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h | 54 ++
>>>  MdeModulePkg/Include/Library/VariablePolicyHelperLib.h | 164 ++++
>>>  MdeModulePkg/Include/Library/VariablePolicyLib.h | 207 +++++
>>>  MdeModulePkg/Include/Protocol/VariablePolicy.h | 157 ++++
>>>  MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf | 42 +
>>>  MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.uni | 12 +
>>>  MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf | 35 +
>>>  MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.uni | 12 +
>>>  MdeModulePkg/Library/VariablePolicyLib/ReadMe.md | 406 ++++++++++
>>>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf | 48 ++
>>>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.uni | 12 +
>>>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf | 51 ++
>>>  MdeModulePkg/MdeModulePkg.ci.yaml | 4 +-
>>>  MdeModulePkg/MdeModulePkg.dec | 26 +-
>>>  MdeModulePkg/MdeModulePkg.dsc | 9 +
>>>  MdeModulePkg/MdeModulePkg.uni | 7 +
>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf | 5 +
>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf | 4 +
>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf | 11 +
>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf | 4 +
>>>  OvmfPkg/OvmfPkgIa32.dsc | 5 +
>>>  OvmfPkg/OvmfPkgIa32X64.dsc | 5 +
>>>  OvmfPkg/OvmfPkgX64.dsc | 5 +
>>>  OvmfPkg/OvmfXen.dsc | 4 +
>>>  SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf | 2 +
>>>  UefiPayloadPkg/UefiPayloadPkgIa32.dsc | 4 +
>>>  UefiPayloadPkg/UefiPayloadPkgIa32X64.dsc | 4 +
>>>  43 files changed, 3845 insertions(+), 80 deletions(-)
>>>  create mode 100644 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c
>>>  create mode 100644 MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.c
>>>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitNull.c
>>>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitRuntimeDxe.c
>>>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c
>>>  create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableLockRequestToLock.c
>>>  create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c
>>>  create mode 100644 MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h
>>>  create mode 100644 MdeModulePkg/Include/Library/VariablePolicyHelperLib.h
>>>  create mode 100644 MdeModulePkg/Include/Library/VariablePolicyLib.h
>>>  create mode 100644 MdeModulePkg/Include/Protocol/VariablePolicy.h
>>>  create mode 100644 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf
>>>  create mode 100644 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.uni
>>>  create mode 100644 MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
>>>  create mode 100644 MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.uni
>>>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/ReadMe.md
>>>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
>>>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.uni
>>>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf