public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
* [edk2-devel] [PATCH v1 0/3] Add Variable Policy Audit and Shell Command
@ 2023-09-19 14:32 Michael Kubacki
  0 siblings, 0 replies; 3+ messages in thread
From: Michael Kubacki @ 2023-09-19 14:32 UTC (permalink / raw)
  To: devel
  Cc: Anatol Belski, Anthony Perard, Dandan Bi, Gerd Hoffmann, Hao A Wu,
	Jian J Wang, Jianyong Wu, Jiewen Yao, Jordan Justen, Julien Grall,
	Liming Gao, Michael D Kinney, Zhichao Gao

From: Michael Kubacki <michael.kubacki@microsoft.com>

Adds a new module (dynamic shell command) to ShellPkg that lists
variable policy information for all UEFI variables on the system.

Some other UEFI variable related functionality is also included to
give a greater sense of platform UEFI variable state.

Like all dynamic shell commands, a platform only needs to include
VariablePolicyDynamicCommand.inf in their flash image to have
the command registered in their UEFI shell.

The shell command is added to OvmfPkg so it is available in an
easily obtainable virtual platform.

This is being made available to ease auditing and enabling of UEFI
variable policy to encourage its adoption for securing UEFI
variables.

---

Command Help:

Lists UEFI variable policy information.

VARPOLICY [-p] [-s] [-v]

  -p - The policy flag will print variable policy info for each variable.

  -s - The stats flag will print overall UEFI variable policy statistics.

  -v - The verbose flag indicates all known information should be printed.

       This includes a dump of the corresponding UEFI variable data in 
       addition to all other UEFI variable policy information.

EXAMPLES:

  * To dump all active UEFI variables: 
    fs0:\> varpolicy

  * To include UEFI variable policy information: 
    varpolicy -p 

  * To include UEFI variable statistics: 
    varpolicy -s

Press ENTER to continue or 'Q' break: 

---

Images showing example output are available in the PR:
https://github.com/tianocore/edk2/pull/4835

Cc: Anatol Belski <anbelski@linux.microsoft.com>
Cc: Anthony Perard <anthony.perard@citrix.com>
Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jianyong Wu <jianyong.wu@arm.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Julien Grall <julien@xen.org>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Zhichao Gao <zhichao.gao@intel.com>

Michael Kubacki (3):
  MdeModulePkg/VariablePolicy: Add more granular variable policy
    querying
  ShellPkg: Add varpolicy dynamic shell command
  OvmfPkg: Add varpolicy shell command

 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c                            |  174 +++-
 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c                            |  304 ++++++
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c                              |    4 +-
 MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c                     |  346 ++++++-
 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.c   | 1009 ++++++++++++++++++++
 MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h                                         |   39 +-
 MdeModulePkg/Include/Library/VariablePolicyLib.h                                      |  107 +++
 MdeModulePkg/Include/Protocol/VariablePolicy.h                                        |  133 ++-
 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf                          |    1 +
 OvmfPkg/CloudHv/CloudHvX64.dsc                                                        |    4 +
 OvmfPkg/Microvm/MicrovmX64.dsc                                                        |    4 +
 OvmfPkg/OvmfPkgIa32.dsc                                                               |    4 +
 OvmfPkg/OvmfPkgIa32X64.dsc                                                            |    4 +
 OvmfPkg/OvmfPkgX64.dsc                                                                |    4 +
 OvmfPkg/OvmfXen.dsc                                                                   |    4 +
 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.h   |   94 ++
 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf |   56 ++
 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.uni |   86 ++
 ShellPkg/ShellPkg.dsc                                                                 |    1 +
 19 files changed, 2332 insertions(+), 46 deletions(-)
 create mode 100644 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.c
 create mode 100644 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.h
 create mode 100644 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.inf
 create mode 100644 ShellPkg/DynamicCommand/VariablePolicyDynamicCommand/VariablePolicyDynamicCommand.uni

-- 
2.42.0.windows.2



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#108840): https://edk2.groups.io/g/devel/message/108840
Mute This Topic: https://groups.io/mt/101457406/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-10-24  0:31 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <178653656C780AFD.28522@groups.io>
2023-10-23 18:15 ` [edk2-devel] [PATCH v1 0/3] Add Variable Policy Audit and Shell Command Michael Kubacki
2023-10-24  0:31   ` Gao, Zhichao
2023-09-19 14:32 Michael Kubacki

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox