[edk2-devel] [PATCH v5 00/19] UEFI variable protection
Judah Vang
judah.vang at intel.com
Sun Nov 6 07:34:50 UTC 2022
Patch 07 - Add PEI Variable Protection into a new directory and leave the
existing PEI Variable unchanged.
Patch 08 - Add RuntimeDxe Variable Protection into a new directory and
keep existing Variable for RuntimeDxe unchanged.
Patch 09 - Add reference to new Protected Variable libs.
Patch 16 - Applied code review comments by adding PEIM to library class
Patch 18 - Applied code review comments by removing unused API.
Notes:
The CryptoPkg changes are now being tracked separately.
Patches 21 on is no longer needed due to reorganization of the new
protected variable modules.
Judah Vang (19):
MdePkg: Add reference to new Ppi Guid
MdeModulePkg: Update AUTH_VARIABLE_INFO struct
MdeModulePkg: Add new ProtectedVariable GUIDs
MdeModulePkg: Add new include files
MdeModulePkg: Add new GUID for Variable Store Info
MdeModulePkg: Add Null ProtectedVariable Library
MdeModulePkg: Add new Variable functionality
MdeModulePkg: Add support for Protected Variables
MdeModulePkg: Reference Null ProtectedVariableLib
SecurityPkg: Add new GUIDs for
SecurityPkg: Add new KeyService types and defines
SecurityPkg: Add new variable types and functions
SecurityPkg: Update RPMC APIs with index
SecurityPkg: Fix GetVariableKey API
SecurityPkg: Add null encryption variable libs
SecurityPkg: Add VariableKey library function
SecurityPkg: Add EncryptionVariable lib with AES
SecurityPkg: Add Protected Variable Services
SecurityPkg: Add references to new *.inf files
MdeModulePkg/MdeModulePkg.dec | 13 +-
SecurityPkg/SecurityPkg.dec | 43 +-
MdeModulePkg/MdeModulePkg.dsc | 20 +-
MdeModulePkg/Test/MdeModulePkgHostTest.dsc | 8 +
SecurityPkg/SecurityPkg.dsc | 13 +-
MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf | 34 +
MdeModulePkg/Universal/Variable/Protected/Pei/VariablePei.inf | 79 +
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/RuntimeDxeUnitTest/VariableLockRequestToLockUnitTest.inf | 36 +
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableRuntimeDxe.inf | 151 +
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableSmm.inf | 153 +
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableSmmRuntimeDxe.inf | 119 +
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableStandaloneMm.inf | 143 +
SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf | 43 +
SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf | 34 +
SecurityPkg/Library/ProtectedVariableLib/DxeProtectedVariableLib.inf | 64 +
SecurityPkg/Library/ProtectedVariableLib/PeiProtectedVariableLib.inf | 68 +
SecurityPkg/Library/ProtectedVariableLib/SmmProtectedVariableLib.inf | 67 +
SecurityPkg/Library/ProtectedVariableLib/SmmRuntimeProtectedVariableLib.inf | 62 +
SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf | 36 +
MdeModulePkg/Include/Guid/ProtectedVariable.h | 22 +
MdeModulePkg/Include/Library/AuthVariableLib.h | 4 +-
MdeModulePkg/Include/Library/EncryptionVariableLib.h | 165 +
MdeModulePkg/Include/Library/ProtectedVariableLib.h | 607 +++
MdeModulePkg/Universal/Variable/Protected/Pei/Variable.h | 225 ++
MdeModulePkg/Universal/Variable/Protected/Pei/VariableParsing.h | 309 ++
MdeModulePkg/Universal/Variable/Protected/Pei/VariableStore.h | 116 +
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/PrivilegePolymorphic.h | 158 +
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/Variable.h | 948 +++++
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableNonVolatile.h | 67 +
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableParsing.h | 424 ++
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableRuntimeCache.h | 51 +
MdePkg/Include/Ppi/ReadOnlyVariable2.h | 4 +-
SecurityPkg/Include/Library/RpmcLib.h | 15 +-
SecurityPkg/Include/Library/VariableKeyLib.h | 37 +-
SecurityPkg/Include/Ppi/KeyServicePpi.h | 57 +
SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h | 49 +
SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableInternal.h | 589 +++
MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c | 336 ++
MdeModulePkg/Universal/Variable/Protected/Pei/Variable.c | 628 +++
MdeModulePkg/Universal/Variable/Protected/Pei/VariableParsing.c | 941 +++++
MdeModulePkg/Universal/Variable/Protected/Pei/VariableStore.c | 307 ++
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/Measurement.c | 343 ++
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/Reclaim.c | 504 +++
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/RuntimeDxeUnitTest/VariableLockRequestToLockUnitTest.c | 607 +++
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/SpeculationBarrierDxe.c | 27 +
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/SpeculationBarrierSmm.c | 26 +
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/TcgMorLockDxe.c | 153 +
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/TcgMorLockSmm.c | 569 +++
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VarCheck.c | 101 +
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/Variable.c | 4037 ++++++++++++++++++++
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableDxe.c | 670 ++++
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableExLib.c | 417 ++
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableLockRequestToLock.c | 96 +
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableNonVolatile.c | 537 +++
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableParsing.c | 1110 ++++++
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariablePolicySmmDxe.c | 575 +++
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableRuntimeCache.c | 158 +
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableSmm.c | 1268 ++++++
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableSmmRuntimeDxe.c | 1895 +++++++++
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableStandaloneMm.c | 89 +
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableTraditionalMm.c | 130 +
SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.c | 734 ++++
SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c | 92 +
SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableCommon.c | 2103 ++++++++++
SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableDxe.c | 163 +
SecurityPkg/Library/ProtectedVariableLib/ProtectedVariablePei.c | 1327 +++++++
SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmm.c | 209 +
SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmmDxeCommon.c | 967 +++++
SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmmRuntime.c | 233 ++
SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c | 8 +-
SecurityPkg/Library/VariableKeyLib/VariableKeyLib.c | 59 +
SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c | 8 +-
MdeModulePkg/Universal/Variable/Protected/Pei/PeiVariable.uni | 16 +
MdeModulePkg/Universal/Variable/Protected/Pei/PeiVariableExtra.uni | 14 +
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableRuntimeDxe.uni | 22 +
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableRuntimeDxeExtra.uni | 14 +
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableSmm.uni | 27 +
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableSmmExtra.uni | 14 +
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableSmmRuntimeDxe.uni | 23 +
MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableSmmRuntimeDxeExtra.uni | 14 +
80 files changed, 26556 insertions(+), 48 deletions(-)
create mode 100644 MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf
create mode 100644 MdeModulePkg/Universal/Variable/Protected/Pei/VariablePei.inf
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/RuntimeDxeUnitTest/VariableLockRequestToLockUnitTest.inf
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableRuntimeDxe.inf
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableSmm.inf
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableSmmRuntimeDxe.inf
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableStandaloneMm.inf
create mode 100644 SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf
create mode 100644 SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf
create mode 100644 SecurityPkg/Library/ProtectedVariableLib/DxeProtectedVariableLib.inf
create mode 100644 SecurityPkg/Library/ProtectedVariableLib/PeiProtectedVariableLib.inf
create mode 100644 SecurityPkg/Library/ProtectedVariableLib/SmmProtectedVariableLib.inf
create mode 100644 SecurityPkg/Library/ProtectedVariableLib/SmmRuntimeProtectedVariableLib.inf
create mode 100644 SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf
create mode 100644 MdeModulePkg/Include/Guid/ProtectedVariable.h
create mode 100644 MdeModulePkg/Include/Library/EncryptionVariableLib.h
create mode 100644 MdeModulePkg/Include/Library/ProtectedVariableLib.h
create mode 100644 MdeModulePkg/Universal/Variable/Protected/Pei/Variable.h
create mode 100644 MdeModulePkg/Universal/Variable/Protected/Pei/VariableParsing.h
create mode 100644 MdeModulePkg/Universal/Variable/Protected/Pei/VariableStore.h
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/PrivilegePolymorphic.h
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/Variable.h
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableNonVolatile.h
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableParsing.h
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableRuntimeCache.h
create mode 100644 SecurityPkg/Include/Ppi/KeyServicePpi.h
create mode 100644 SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h
create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableInternal.h
create mode 100644 MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c
create mode 100644 MdeModulePkg/Universal/Variable/Protected/Pei/Variable.c
create mode 100644 MdeModulePkg/Universal/Variable/Protected/Pei/VariableParsing.c
create mode 100644 MdeModulePkg/Universal/Variable/Protected/Pei/VariableStore.c
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/Measurement.c
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/Reclaim.c
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/RuntimeDxeUnitTest/VariableLockRequestToLockUnitTest.c
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/SpeculationBarrierDxe.c
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/SpeculationBarrierSmm.c
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/TcgMorLockDxe.c
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/TcgMorLockSmm.c
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VarCheck.c
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/Variable.c
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableDxe.c
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableExLib.c
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableLockRequestToLock.c
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableNonVolatile.c
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableParsing.c
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariablePolicySmmDxe.c
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableRuntimeCache.c
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableSmm.c
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableSmmRuntimeDxe.c
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableStandaloneMm.c
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableTraditionalMm.c
create mode 100644 SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.c
create mode 100644 SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c
create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableCommon.c
create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableDxe.c
create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariablePei.c
create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmm.c
create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmmDxeCommon.c
create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmmRuntime.c
create mode 100644 SecurityPkg/Library/VariableKeyLib/VariableKeyLib.c
create mode 100644 MdeModulePkg/Universal/Variable/Protected/Pei/PeiVariable.uni
create mode 100644 MdeModulePkg/Universal/Variable/Protected/Pei/PeiVariableExtra.uni
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableRuntimeDxe.uni
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableRuntimeDxeExtra.uni
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableSmm.uni
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableSmmExtra.uni
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableSmmRuntimeDxe.uni
create mode 100644 MdeModulePkg/Universal/Variable/Protected/RuntimeDxe/VariableSmmRuntimeDxeExtra.uni
--
2.35.1.windows.2
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#95981): https://edk2.groups.io/g/devel/message/95981
Mute This Topic: https://groups.io/mt/94840817/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-
More information about the edk2-devel-archive
mailing list