Subject: Re: Reply: [edk2-devel] A proposal to reduce incompatible case
From: "Ard Biesheuvel"
Date: Fri, 20 Nov 2020 10:02:04 +0100
To: gaoliming, devel@edk2.groups.io, jiewen.yao@intel.com, "Liu, Zhiguang", michael.kubacki@outlook.com, awarkentin@vmware.com, debtech@gmail.com, "Feng, Bob C", "Tian, Hot"
Cc: Bret Barkelew, "Bi, Dandan", Chao Zhang, "Wang, Jian J", "Wu, Hao A", Liming Gao, "Justen, Jordan L", Laszlo Ersek, Andrew Fish, "Ni, Ray", Bret Barkelew, "Kinney, Michael D"

On 11/20/20 8:27 AM, gaoliming wrote:
> Zhiguang:
>   This proposal can reduce the potential library class dependency. Each package has its xxxPkgLib.dsc.inc file that includes the library instances from this package.
>   Platform DSC can include the required package lib.dsc.inc file for the library instances. Can you work out the code changes to demonstrate this idea?
>

+1 for this idea. This would allow us to remove a *lot* of boilerplate
in the .DSC files, and focus on the libraries that actually matter for
the platform at hand.

>> -----Original Message-----
>> From: bounce+27952+67752+4905953+8761045@groups.io On Behalf Of Yao, Jiewen
>> Sent: November 20, 2020 15:20
>> To: Liu, Zhiguang; devel@edk2.groups.io; michael.kubacki@outlook.com; awarkentin@vmware.com; Ard Biesheuvel; debtech@gmail.com; Feng, Bob C; Tian, Hot
>> Cc: Bret Barkelew; Bi, Dandan; Chao Zhang; Wang, Jian J; Wu, Hao A; Liming Gao; Justen, Jordan L; Laszlo Ersek; Andrew Fish; Ni, Ray; Bret Barkelew; Kinney, Michael D; Liming Gao
>> Subject: Re: [edk2-devel] A proposal to reduce incompatible case
>>
>> I like this idea. MinPlatform also adopts the same strategy - define common
>> stuff in a dsc include file @
>> https://github.com/tianocore/edk2-platforms/tree/master/Platform/Intel/MinPlatformPkg/Include/Dsc
>>
>> A minor clarification:
>> For VariablePolicyLib, I think we just need to add it to MdeModulePkgLib.dsc.inc.
>> We don't need to update UefiPayloadPkgLib.dsc.inc or SecurityPkgLib.dsc.inc,
>> right? They are just consumers, not producers.
>>
>> Thank you
>> Yao Jiewen
>>
>>> -----Original Message-----
>>> From: Liu, Zhiguang
>>> Sent: Friday, November 20, 2020 2:52 PM
>>> To: devel@edk2.groups.io; michael.kubacki@outlook.com; awarkentin@vmware.com; Ard Biesheuvel; debtech@gmail.com; Feng, Bob C; Tian, Hot
>>> Cc: Bret Barkelew; Yao, Jiewen; Bi, Dandan; Chao Zhang; Wang, Jian J; Wu, Hao A; Liming Gao; Justen, Jordan L; Laszlo Ersek; Andrew Fish; Ni, Ray; Bret Barkelew; Kinney, Michael D; Liming Gao
>>> Subject: A proposal to reduce incompatible case
>>>
>>> Hi all,
>>>
>>> As Michael mentioned, there are some platforms that do not build, and some of
>>> that is because of incompatible code changes like this one.
>>> I think it is a burden for both contributor and maintainer to fix platform code
>>> when meeting such an incompatible change.
>>> I want to propose one solution to minimize the effort of such code changes.
>>>
>>> We could add a package library instance dsc include file under each package,
>>> like XXXPkgLib.dsc.inc
>>> It will specify the default library instance that will be used by modules in this
>>> package.
>>> For example, we add MdeModulePkgLib.dsc.inc file in MdeModulePkg.
>>> Some packages already have a similar dsc include file, such as
>>> ArmVirtPkg/ArmVirt.dsc.inc and NetworkPkg\Network.dsc.inc.
>>> In the platform dsc file, we include the XXXPkgLib.dsc.inc file at the beginning, if
>>> the platform uses a component from the package.
>>> We place the inc file at the beginning because we can override the library
>>> instance in other parts of the platform dsc file.
>>>
>>> Whenever the contributor adds a new library dependency in one module, he
>>> should also add a default library instance in the package library instance dsc
>>> include file.
>>>
>>> For example, in this case,
>>> the contributor will add the below information in UefiPayloadPkgLib.dsc.inc,
>>> SecurityPkgLib.dsc.inc and MdeModulePkgLib.dsc.inc
>>>
>>> [LibraryClasses]
>>>   VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
>>>   VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
>>> [LibraryClasses.common.DXE_RUNTIME_DRIVER]
>>>   VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf
>>>
>>> If the platform already includes these inc files, the code change won't break
>>> any build.
>>> If the platform wants to choose another library instance, it can specify it in the
>>> dsc file, and that will override the configuration in the inc files.
>>> This feature can even reduce the code in the platform dsc file if the platform chooses
>>> to use the default library instance.
>>> The problem is that it may compile redundant modules if the
>>>
>>> Please give comments about this proposal.
>>>
>>> Thanks
>>> Zhiguang
>>>
>>>> -----Original Message-----
>>>> From: devel@edk2.groups.io On Behalf Of Michael Kubacki
>>>> Sent: Friday, November 20, 2020 4:16 AM
>>>> To: devel@edk2.groups.io; awarkentin@vmware.com; Ard Biesheuvel; debtech@gmail.com
>>>> Cc: Bret Barkelew; Yao, Jiewen; Bi, Dandan; Chao Zhang; Wang, Jian J; Wu, Hao A; Liming Gao; Justen, Jordan L; Laszlo Ersek; Andrew Fish; Ni, Ray; Bret Barkelew
>>>> Subject: Re: [edk2-devel] [PATCH v9 00/13] Add the VariablePolicy feature
>>>>
>>>> While I'm not currently a maintainer in either repo, I believe the current
>>>> process is not ideal. I highlighted some of my observations
>>>> here: https://edk2.groups.io/g/devel/message/65902.
>>>>
>>>> Again, I don't have a strong vested interest in this but I do think some level of a
>>>> more well defined process needs to be reached between repo maintainers to
>>>> ease feature development in the future.
>>>>
>>>> Thanks,
>>>> Michael
>>>>
>>>> On 11/19/2020 12:02 PM, Andrei Warkentin wrote:
>>>>> Hi Bret,
>>>>>
>>>>> To be honest, I don't recall seeing anything. Again, maybe I should
>>>>> have been more proactive, but that's probably the net reality for most
>>>>> people. It would be unreasonable to expect you to test every platform,
>>>>> but it is very reasonable to assume that if you know you're adding
>>>>> build breakage to every platform (that is trivial to fix), that you
>>>>> would be taking care of it... Principle of least surprise. And yes, in
>>>>> some weird corner case perhaps that would be insufficient (again, I
>>>>> don't think anyone would expect you to compile test every platform),
>>>>> but it would take care of 99% of obvious fall-out.
>>>>>
>>>>> For reference, there are occasional clean-ups that happen to the edk2
>>>>> tree, and I've never seen anyone claim "not my problem" to deal with
>>>>> the obvious fall-out resulting from renames and such.
>>>>>
>>>>> A
>>>>> ------------------------------------------------------------------------
>>>>> *From:* devel@edk2.groups.io on behalf of Bret Barkelew via groups.io
>>>>> *Sent:* Thursday, November 19, 2020 10:15 AM
>>>>> *To:* Ard Biesheuvel
>>>>> *Cc:* Bret Barkelew; devel@edk2.groups.io; Jiewen Yao; Dandan Bi; Chao Zhang; Jian J Wang; Hao A Wu; Liming Gao; Jordan Justen; Laszlo Ersek; Andrew Fish; Ray Ni; Bret Barkelew
>>>>> *Subject:* Re: [edk2-devel] [PATCH v9 00/13] Add the VariablePolicy feature
>>>>>
>>>>> Those bugs and recommendations were sent out months ago.
>>>>> Several platforms have staged the changes already.
>>>>>
>>>>> You need to add the library class to your DSC.
>>>>>
>>>>> --
>>>>> [ Insert obscure pop-culture reference here. ]
>>>>>
>>>>>> On Nov 19, 2020, at 4:46 AM, Ard Biesheuvel wrote:
>>>>>>
>>>>>> On 11/9/20 7:45 AM, Bret Barkelew wrote:
>>>>>>> The 14 patches in this series add the VariablePolicy feature to the
>>>>>>> core, deprecate Edk2VarLock (while adding a compatibility layer to
>>>>>>> reduce code churn), and integrate the VariablePolicy libraries and
>>>>>>> protocols into Variable Services.
>>>>>>> Since the integration requires multiple changes, including adding
>>>>>>> libraries, a protocol, an SMI communication handler, and
>>>>>>> VariableServices integration, the patches are broken up by
>>>>>>> individual library additions and then a final integration.
>>>>>>> Security-sensitive changes like bypassing Authenticated Variable
>>>>>>> enforcement are also broken out into individual patches so that attention
>>>>>>> can be called directly to them.
>>>>>>> Platform porting instructions are described in this wiki entry:
>>>>>>> https://github.com/tianocore/tianocore.github.io/wiki/VariablePolicy-Protocol---Enhanced-Method-for-Managing-Variables#platform-porting
>>>>>>> Discussion of the feature can be found in multiple places throughout
>>>>>>> the last year on the RFC channel, staging branches, and in devel.
>>>>>>> Most recently, this subject was discussed in this thread:
>>>>>>> https://edk2.groups.io/g/devel/message/53712
>>>>>>> (the code branches shared in that discussion are now out of date,
>>>>>>> but the whitepapers and discussion are relevant).
>>>>>>> Cc: Jiewen Yao
>>>>>>> Cc: Dandan Bi
>>>>>>> Cc: Chao Zhang
>>>>>>> Cc: Jian J Wang
>>>>>>> Cc: Hao A Wu
>>>>>>> Cc: Liming Gao
>>>>>>> Cc: Jordan Justen
>>>>>>> Cc: Laszlo Ersek
>>>>>>> Cc: Ard Biesheuvel
>>>>>>> Cc: Andrew Fish
>>>>>>> Cc: Ray Ni
>>>>>>> Cc: Bret Barkelew
>>>>>>> Signed-off-by: Bret Barkelew
>>>>>>
>>>>>> This series has now made it into edk2, and has subsequently broken every
>>>>>> single platform in edk2-platforms. Is anyone intending to propose any fixes for
>>>>>> this?
>>>>>>
>>>>>>> v9 changes:
>>>>>>> * Rebase
>>>>>>> * Address the event ordering issues around MorLock at EndOfDxe
>>>>>>> * Drop problematic tests
>>>>>>> * Address ECC issues
>>>>>>> v8 changes:
>>>>>>> * Rebase
>>>>>>> * Small tweaks from final PRs
>>>>>>> * Drank a lot
>>>>>>> * Enrolled several members and a steward in CatFacts
>>>>>>> v7 changes:
>>>>>>> * Address comments from Dandan about security of the MM handler
>>>>>>> * Add readme
>>>>>>> * Fix bug around hex characters in BOOT####, etc
>>>>>>> * Add additional testing for hex characters
>>>>>>> * Add additional testing for authenticated variables
>>>>>>> v6 changes:
>>>>>>> * Fix an issue with uninitialized Status in InitVariablePolicyLib()
>>>>>>>   and DeinitVariablePolicyLib()
>>>>>>> * Fix GCC building in shell-based functional test
>>>>>>> * Rebase on latest origin/master
>>>>>>> v5 changes:
>>>>>>> * Fix the CONST mismatch in VariablePolicy.h and
>>>>>>>   VariablePolicySmmDxe.c
>>>>>>> * Fix EFIAPI mismatches in the functional unittest
>>>>>>> * Rebase on latest origin/master
>>>>>>> v4 changes:
>>>>>>> * Remove Optional PcdAllowVariablePolicyEnforcementDisable PCD from
>>>>>>>   platforms
>>>>>>> * Rebase on master
>>>>>>> * Migrate to new MmCommunicate2 protocol
>>>>>>> * Fix an oversight in the default return value for
>>>>>>>   InitMmCommonCommBuffer
>>>>>>> * Fix in VariablePolicyLib to allow ExtraInitRuntimeDxe to consume
>>>>>>>   variables
>>>>>>> V3 changes:
>>>>>>> * Address all non-unittest issues with ECC
>>>>>>> * Make additional style changes
>>>>>>> * Include section name in hunk headers in "ini-style" files
>>>>>>> * Remove requirement for the EdkiiPiSmmCommunicationsRegionTable
>>>>>>>   driver
>>>>>>>   (now allocates its own buffer)
>>>>>>> * Change names from VARIABLE_POLICY_PROTOCOL and
>>>>>>>   gVariablePolicyProtocolGuid
>>>>>>>   to EDKII_VARIABLE_POLICY_PROTOCOL and
>>>>>>>   gEdkiiVariablePolicyProtocolGuid
>>>>>>> * Fix GCC warning about initializing externs
>>>>>>> * Add UNI strings for new PCD
>>>>>>> * Add patches for ArmVirtPkg, OvmfXen, and UefiPayloadPkg
>>>>>>> * Reorder patches according to Liming's feedback about adding to
>>>>>>>   platforms
>>>>>>>   before changing variable driver
>>>>>>> V2 changes:
>>>>>>> * Fixed implementation for RuntimeDxe
>>>>>>> * Add PCD to block DisableVariablePolicy
>>>>>>> * Fix the DumpVariablePolicy pagination in SMM
>>>>>>>
>>>>>>> Bret Barkelew (13):
>>>>>>>   MdeModulePkg: Define the VariablePolicy protocol interface
>>>>>>>   MdeModulePkg: Define the VariablePolicyLib
>>>>>>>   MdeModulePkg: Define the VariablePolicyHelperLib
>>>>>>>   MdeModulePkg: Define the VarCheckPolicyLib and SMM interface
>>>>>>>   OvmfPkg: Add VariablePolicy engine to OvmfPkg platform
>>>>>>>   EmulatorPkg: Add VariablePolicy engine to EmulatorPkg platform
>>>>>>>   ArmVirtPkg: Add VariablePolicy engine to ArmVirtPkg platform
>>>>>>>   UefiPayloadPkg: Add VariablePolicy engine to UefiPayloadPkg
>>>>>>>     platform
>>>>>>>   MdeModulePkg: Connect VariablePolicy business logic to
>>>>>>>     VariableServices
>>>>>>>   MdeModulePkg: Allow VariablePolicy state to delete protected
>>>>>>>     variables
>>>>>>>   SecurityPkg: Allow VariablePolicy state to delete authenticated
>>>>>>>     variables
>>>>>>>   MdeModulePkg: Change TCG MOR variables to use VariablePolicy
>>>>>>>   MdeModulePkg: Drop VarLock from RuntimeDxe variable driver
>>>>>>>
>>>>>>>  MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c | 346 ++++++++
>>>>>>>  MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.c | 396 ++++++++++
>>>>>>>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitNull.c | 46 ++
>>>>>>>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitRuntimeDxe.c | 85 ++
>>>>>>>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c | 830 ++++++++++++++++++++
>>>>>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c | 52 +-
>>>>>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c | 60 +-
>>>>>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VarCheck.c | 49 +-
>>>>>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c | 60 ++
>>>>>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableLockRequestToLock.c | 71 ++
>>>>>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c | 573 ++++++++++++++
>>>>>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c | 7 +
>>>>>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c | 14 +
>>>>>>>  SecurityPkg/Library/AuthVariableLib/AuthService.c | 30 +-
>>>>>>>  ArmVirtPkg/ArmVirt.dsc.inc | 4 +
>>>>>>>  EmulatorPkg/EmulatorPkg.dsc | 3 +
>>>>>>>  MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h | 54 ++
>>>>>>>  MdeModulePkg/Include/Library/VariablePolicyHelperLib.h | 164 ++++
>>>>>>>  MdeModulePkg/Include/Library/VariablePolicyLib.h | 207 +++++
>>>>>>>  MdeModulePkg/Include/Protocol/VariablePolicy.h | 157 ++++
>>>>>>>  MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf | 42 +
>>>>>>>  MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.uni | 12 +
>>>>>>>  MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf | 35 +
>>>>>>>  MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.uni | 12 +
>>>>>>>  MdeModulePkg/Library/VariablePolicyLib/ReadMe.md | 406 ++++++++++
>>>>>>>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf | 48 ++
>>>>>>>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.uni | 12 +
>>>>>>>  MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf | 51 ++
>>>>>>>  MdeModulePkg/MdeModulePkg.ci.yaml | 4 +-
>>>>>>>  MdeModulePkg/MdeModulePkg.dec | 26 +-
>>>>>>>  MdeModulePkg/MdeModulePkg.dsc | 9 +
>>>>>>>  MdeModulePkg/MdeModulePkg.uni | 7 +
>>>>>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf | 5 +
>>>>>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf | 4 +
>>>>>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf | 11 +
>>>>>>>  MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf | 4 +
>>>>>>>  OvmfPkg/OvmfPkgIa32.dsc | 5 +
>>>>>>>  OvmfPkg/OvmfPkgIa32X64.dsc | 5 +
>>>>>>>  OvmfPkg/OvmfPkgX64.dsc | 5 +
>>>>>>>  OvmfPkg/OvmfXen.dsc | 4 +
>>>>>>>  SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf | 2 +
>>>>>>>  UefiPayloadPkg/UefiPayloadPkgIa32.dsc | 4 +
>>>>>>>  UefiPayloadPkg/UefiPayloadPkgIa32X64.dsc | 4 +
>>>>>>>  43 files changed, 3845 insertions(+), 80 deletions(-)
>>>>>>>  create mode 100644 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c
>>>>>>>  create mode 100644 MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.c
>>>>>>>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitNull.c
>>>>>>>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitRuntimeDxe.c
>>>>>>>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c
>>>>>>>  create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableLockRequestToLock.c
>>>>>>>  create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c
>>>>>>>  create mode 100644 MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h
>>>>>>>  create mode 100644 MdeModulePkg/Include/Library/VariablePolicyHelperLib.h
>>>>>>>  create mode 100644 MdeModulePkg/Include/Library/VariablePolicyLib.h
>>>>>>>  create mode 100644 MdeModulePkg/Include/Protocol/VariablePolicy.h
>>>>>>>  create mode 100644 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf
>>>>>>>  create mode 100644 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.uni
>>>>>>>  create mode 100644 MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
>>>>>>>  create mode 100644 MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.uni
>>>>>>>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/ReadMe.md
>>>>>>>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
>>>>>>>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.uni
>>>>>>>  create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf
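
The override behaviour the XXXPkgLib.dsc.inc proposal relies on, as an added example that is not part of the thread and not edk2 BaseTools code: a simplified Python model of [LibraryClasses] resolution. It assumes the DSC specification's precedence (arch plus module type, then common plus module type, then arch, then common) with the last entry in a scope winning; `WithInclude.dsc`, `WithoutInclude.dsc` and `ExamplePlatformPkg` are hypothetical, and component-level overrides and conditionals are not modelled.

```python
import re

# Constructed inputs. The .dsc.inc body is the snippet from the proposal; the
# two platform files and ExamplePlatformPkg are hypothetical.
FILES = {
    "MdeModulePkg/MdeModulePkgLib.dsc.inc": """
[LibraryClasses]
  VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf
  VariablePolicyHelperLib|MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf
[LibraryClasses.common.DXE_RUNTIME_DRIVER]
  VariablePolicyLib|MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf
""",
    "WithInclude.dsc": """
!include MdeModulePkg/MdeModulePkgLib.dsc.inc
[LibraryClasses]
  # Platform override, placed after the include.
  VariablePolicyLib|ExamplePlatformPkg/Library/PlatformVariablePolicyLib.inf
""",
    "WithoutInclude.dsc": """
[LibraryClasses]
  BaseLib|MdePkg/Library/BaseLib/BaseLib.inf
""",
}


def expand(name, files):
    """Yield the lines of a DSC file with !include directives inlined."""
    for raw in files[name].splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line.startswith("!include"):
            yield from expand(line.split(None, 1)[1], files)
        elif line:
            yield line


def load_library_classes(name, files):
    """Map (ARCH, MODULE_TYPE) scope -> {class: instance}; later lines win."""
    table, scopes = {}, []
    for line in expand(name, files):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            scopes = []  # stays empty for sections other than LibraryClasses
            for section in header.group(1).split(","):
                parts = section.strip().split(".")
                if parts[0] == "LibraryClasses":
                    arch = parts[1].upper() if len(parts) > 1 else "COMMON"
                    mtype = parts[2].upper() if len(parts) > 2 else None
                    scopes.append((arch, mtype))
        elif scopes and "|" in line:
            lib_class, instance = (s.strip() for s in line.split("|", 1))
            for scope in scopes:
                table.setdefault(scope, {})[lib_class] = instance
    return table


def resolve(table, lib_class, arch, module_type):
    """Return the instance a module gets, or None (unresolved: build break)."""
    for scope in ((arch, module_type), ("COMMON", module_type),
                  (arch, None), ("COMMON", None)):
        if lib_class in table.get(scope, {}):
            return table[scope][lib_class]
    return None


if __name__ == "__main__":
    for dsc in ("WithInclude.dsc", "WithoutInclude.dsc"):
        table = load_library_classes(dsc, FILES)
        for mtype in ("DXE_DRIVER", "DXE_RUNTIME_DRIVER"):
            print(dsc, mtype, resolve(table, "VariablePolicyLib", "X64", mtype))
```

In this model the platform's plain `[LibraryClasses]` override replaces the default for ordinary modules, but runtime drivers still get `VariablePolicyLibRuntimeDxe.inf` because the include's `[LibraryClasses.common.DXE_RUNTIME_DRIVER]` entry is more specific. A platform that wants its own instance everywhere has to override that scope as well.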