From: "Laszlo Ersek" <lersek@redhat.com>
To: Bret Barkelew <Bret.Barkelew@microsoft.com>,
	"devel@edk2.groups.io" <devel@edk2.groups.io>,
	"michael.kubacki@outlook.com" <michael.kubacki@outlook.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>,
	Ard Biesheuvel <ard.biesheuvel@arm.com>
Subject: Re: [EXTERNAL] Re: [edk2-devel] [PATCH v3 05/14] OvmfPkg: Add VariablePolicy engine to OvmfPkg platform
Date: Mon, 25 May 2020 20:02:18 +0200	[thread overview]
Message-ID: <c125cd18-0dd4-4037-bca5-21730f6f4c07@redhat.com> (raw)
In-Reply-To: <CY4PR21MB074307E6FED6B5AA778DCBD8EFB40@CY4PR21MB0743.namprd21.prod.outlook.com>

Hi Bret,

On 05/23/20 00:35, Bret Barkelew wrote:
> 'Maybe you entirely missed my message that I posted in response to
> version 2 of this specific patch (i.e. you may have fully missed the
> message I link at the top). That could be the case because I mentioned
> "OvmfXen.dsc" under the v2 blurb as well.'
>
> Yup. That's the one. Saw this request, but not the patch feedback.
> Will address in the next version.

Thanks.

> You want the PCD dropped just for Xen?

No; I'd like it to be removed from all ArmVirtPkg and OvmfPkg DSC files.

>
> I would posit that dropping it for all of OVMF would negate the
> ability to use the unittest test to confirm the functionality in CI,
> which is something I would like to light up in future revisions, so I
> would need to hear the argument against it.

I spelled it out in the message you missed:

http://mid.mail-archive.com/a0e0e3d4-6712-078a-4d95-29408109b0b0@redhat.com
https://edk2.groups.io/g/devel/message/59271

To summarize briefly, the wiki page relating to this feature makes the
valid general argument that the PCD default should be secure. And that
applies specifically to the ArmVirtPkg and OvmfPkg platforms as well;
their upstream DSC files too should be as production-ready as possible.

Regarding the CI tests, I addressed them in the same message. I named
two options. One, we can build OVMF (specifically in the CI system too)
with the "--pcd" build option, to override the PCD from the DEC default.
Two, if we want just one binary, and override the PCD at boot time
(rather than at build time), we can do that as well, with a bit more
work -- make the PCD dynamic-access, and put a recently introduced
OvmfPkg and ArmVirtPkg feature (from TianoCore#2681) to use, for letting
users change the dynamic boolean PCD from the QEMU command line.

Hm... I can in fact quote it for you:

> Now, I realize that people might want to set this PCD to TRUE in OVMF,
> for testing various things. Maybe the unit tests / functional tests
> introduced in this series even *depend* on the PCD being TRUE (I can't
> tell, I haven't checked). That's OK; for accommodating that, we have
> two options:
>
> (2a) build OVMF with the appropriate --pcd=... switch passed to
>      "build",
>
> (2b) for controlling the PCD dynamically (on the QEMU command line):
>
> - the PCD would have to permit the dynamic access method in the DEC file,
>
> - the modules consuming the PCD would have to do so in their entry
>   point functions / library constructors, and use the cached copy
>   thenceforth,
>
> - the OVMF DSC files would have to get a dynamic default (value
>   FALSE),
>
> - and OVMF would need another NULL class library for setting the PCD
>   from fw_cfg. Please refer to
>   <https://bugzilla.tianocore.org/show_bug.cgi?id=2681> for details on
>   that.

Thanks
Laszlo


Thread overview: 20+ messages
     [not found] <20200521224331.15616-1-michael.kubacki@outlook.com>
2020-05-21 22:43 ` [PATCH v3 01/14] MdeModulePkg: Define the VariablePolicy protocol interface Michael Kubacki
2020-05-21 22:43 ` [PATCH v3 02/14] MdeModulePkg: Define the VariablePolicyLib Michael Kubacki
2020-05-21 22:43 ` [PATCH v3 03/14] MdeModulePkg: Define the VariablePolicyHelperLib Michael Kubacki
2020-05-21 22:43 ` [PATCH v3 04/14] MdeModulePkg: Define the VarCheckPolicyLib and SMM interface Michael Kubacki
2020-05-21 22:43 ` [PATCH v3 05/14] OvmfPkg: Add VariablePolicy engine to OvmfPkg platform Michael Kubacki
2020-05-22 21:41   ` [edk2-devel] " Laszlo Ersek
2020-05-22 22:35     ` [EXTERNAL] " Bret Barkelew
2020-05-25 18:02       ` Laszlo Ersek [this message]
2020-05-21 22:43 ` [PATCH v3 06/14] EmulatorPkg: Add VariablePolicy engine to EmulatorPkg platform Michael Kubacki
2020-05-21 22:43 ` [PATCH v3 07/14] ArmVirtPkg: Add VariablePolicy engine to ArmVirtPkg platform Michael Kubacki
2020-05-22 21:47   ` [edk2-devel] " Laszlo Ersek
2020-05-21 22:43 ` [PATCH v3 08/14] UefiPayloadPkg: Add VariablePolicy engine to UefiPayloadPkg platform Michael Kubacki
2020-05-22  0:29   ` [edk2-devel] " Ma, Maurice
2020-05-21 22:43 ` [PATCH v3 09/14] MdeModulePkg: Connect VariablePolicy business logic to VariableServices Michael Kubacki
2020-05-22 20:29   ` [edk2-devel] " Laszlo Ersek
2020-05-21 22:43 ` [PATCH v3 10/14] MdeModulePkg: Allow VariablePolicy state to delete protected variables Michael Kubacki
2020-05-21 22:43 ` [PATCH v3 11/14] SecurityPkg: Allow VariablePolicy state to delete authenticated variables Michael Kubacki
2020-05-21 22:43 ` [PATCH v3 12/14] MdeModulePkg: Change TCG MOR variables to use VariablePolicy Michael Kubacki
2020-05-21 22:43 ` [PATCH v3 13/14] MdeModulePkg: Drop VarLock from RuntimeDxe variable driver Michael Kubacki
2020-05-21 22:43 ` [PATCH v3 14/14] MdeModulePkg: Add a shell-based functional test for VariablePolicy Michael Kubacki
