<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@SimSun";
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:"Segoe UI Emoji";
panose-1:2 11 5 2 4 2 4 2 2 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Cool. Thank you Bret!<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Bret Barkelew <Bret.Barkelew@microsoft.com> <br>
<b>Sent:</b> Tuesday, April 14, 2020 1:25 PM<br>
<b>To:</b> Michael Kubacki <michael.kubacki@outlook.com>; Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io<br>
<b>Cc:</b> Zhang, Chao B <chao.b.zhang@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Wu, Hao A <hao.a.wu@intel.com>; Gao, Liming <liming.gao@intel.com><br>
<b>Subject:</b> RE: [EXTERNAL] Re: [PATCH v1 0/9] Add the VariablePolicy feature<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Jiewen,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks (as always <span style="font-family:'Segoe UI Emoji',sans-serif">😉</span>) for the feedback! I’ll consider how best to address this and provide an update later this week after some others have had a chance to look at it.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">- Bret<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From: </b><a href="mailto:michael.kubacki@outlook.com">Michael Kubacki</a><br>
<b>Sent: </b>Monday, April 13, 2020 10:17 AM<br>
<b>To: </b><a href="mailto:jiewen.yao@intel.com">Yao, Jiewen</a>; <a href="mailto:devel@edk2.groups.io">
devel@edk2.groups.io</a><br>
<b>Cc: </b><a href="mailto:chao.b.zhang@intel.com">Zhang, Chao B</a>; <a href="mailto:jian.j.wang@intel.com">
Wang, Jian J</a>; <a href="mailto:hao.a.wu@intel.com">Wu, Hao A</a>; <a href="mailto:liming.gao@intel.com">
Gao, Liming</a>; <a href="mailto:Bret.Barkelew@microsoft.com">Bret Barkelew</a><br>
<b>Subject: </b>[EXTERNAL] Re: [PATCH v1 0/9] Add the VariablePolicy feature<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">This particular series was Bret's work so I'll let him speak to it.<br>
<br>
Thanks,<br>
Michael<br>
<br>
On 4/10/2020 7:24 PM, Yao, Jiewen wrote:<br>
> Hi Michael<br>
> Thanks for the work.<br>
> <br>
> I remember the feedback before that I have concern on having an API to *DisableVariablePolicy*, and I prefer we have a way to disable the *DisableVariablePolicy*.<br>
> <br>
> May I know how that is addressed in this patch?<br>
> <br>
> Thank you<br>
> Yao Jiewen<br>
> <br>
> <br>
> <br>
> <br>
>> -----Original Message-----<br>
>> From: <a href="mailto:michael.kubacki@outlook.com">michael.kubacki@outlook.com</a> <<a href="mailto:michael.kubacki@outlook.com">michael.kubacki@outlook.com</a>><br>
>> Sent: Saturday, April 11, 2020 2:36 AM<br>
>> To: <a href="mailto:devel@edk2.groups.io">devel@edk2.groups.io</a><br>
>> Cc: Yao, Jiewen <<a href="mailto:jiewen.yao@intel.com">jiewen.yao@intel.com</a>>; Zhang, Chao B<br>
>> <<a href="mailto:chao.b.zhang@intel.com">chao.b.zhang@intel.com</a>>; Wang, Jian J <<a href="mailto:jian.j.wang@intel.com">jian.j.wang@intel.com</a>>; Wu, Hao A<br>
>> <<a href="mailto:hao.a.wu@intel.com">hao.a.wu@intel.com</a>>; Gao, Liming <<a href="mailto:liming.gao@intel.com">liming.gao@intel.com</a>><br>
>> Subject: [PATCH v1 0/9] Add the VariablePolicy feature<br>
>><br>
>> From: Michael Kubacki <<a href="mailto:michael.kubacki@microsoft.com">michael.kubacki@microsoft.com</a>><br>
>><br>
>> REF:https://bugzilla.tianocore.org/show_bug.cgi?id=2522<br>
>><br>
>> The 9 patches in this series add the VariablePolicy feature to the core,<br>
>> deprecate Edk2VarLock (while adding a compatibility layer to reduce code<br>
>> churn), and integrate the VariablePolicy libraries and protocols into<br>
>> Variable Services.<br>
>><br>
>> Since the integration requires multiple changes, including adding libraries,<br>
>> a protocol, an SMI communication handler, and VariableServices integration,<br>
>> the patches are broken up by individual library additions and then a final<br>
>> integration. Security-sensitive changes like bypassing Authenticated<br>
>> Variable enforcement are also broken out into individual patches so that<br>
>> attention can be called directly to them.<br>
>><br>
>> The discussion of the feature can be found in multiple places throughout<br>
>> the last year on the RFC channel, staging branches, and in devel.<br>
>><br>
>> Most recently, this subject was discussed in this thread:<br>
>> <a href="https://edk2.groups.io/g/devel/message/53712">https://edk2.groups.io/g/devel/message/53712</a><br>
>> (the code branches shared in that discussion are now out of date, but the<br>
>> whitepapers and discussion are relevant).<br>
>><br>
>> On a separate note, shallow threading might not work on this patch series<br>
>> due to changes made by the SMTP server. Please bear with me while I am<br>
>> investigating if this can be changed.<br>
>><br>
>> Cc: Jiewen Yao <<a href="mailto:jiewen.yao@intel.com">jiewen.yao@intel.com</a>><br>
>> Cc: Chao Zhang <<a href="mailto:chao.b.zhang@intel.com">chao.b.zhang@intel.com</a>><br>
>> Cc: Jian J Wang <<a href="mailto:jian.j.wang@intel.com">jian.j.wang@intel.com</a>><br>
>> Cc: Hao A Wu <<a href="mailto:hao.a.wu@intel.com">hao.a.wu@intel.com</a>><br>
>> Cc: Liming Gao <<a href="mailto:liming.gao@intel.com">liming.gao@intel.com</a>><br>
>> Signed-off-by: Bret Barkelew <<a href="mailto:brbarkel@microsoft.com">brbarkel@microsoft.com</a>><br>
>> Signed-off-by: Michael Kubacki <<a href="mailto:michael.kubacki@microsoft.com">michael.kubacki@microsoft.com</a>><br>
>><br>
>> Bret Barkelew (9):<br>
>> MdeModulePkg: Define the VariablePolicy protocol interface<br>
>> MdeModulePkg: Define the VariablePolicyLib<br>
>> MdeModulePkg: Define the VariablePolicyHelperLib<br>
>> MdeModulePkg: Define the VarCheckPolicyLib and SMM interface<br>
>> MdeModulePkg: Connect VariablePolicy business logic to VariableServices<br>
>> MdeModulePkg: Allow VariablePolicy state to delete protected variables<br>
>> SecurityPkg: Allow VariablePolicy state to delete authenticated variables<br>
>> MdeModulePkg: Change TCG MOR variables to use VariablePolicy<br>
>> MdeModulePkg: Drop VarLock from RuntimeDxe variable driver<br>
>><br>
>> MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c | 211 ++<br>
>> MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.c | 396 ++++<br>
>> MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c | 773 +++++++<br>
>> MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicyUnitTest.c | 2285 ++++++++++++++++++++<br>
>> MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c | 52 +-<br>
>> MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c | 60 +-<br>
>> MdeModulePkg/Universal/Variable/RuntimeDxe/VarCheck.c | 49 +-<br>
>> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c | 51 +<br>
>> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableLockRequstToLock.c | 71 +<br>
>> MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c | 445 ++++<br>
>> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c | 15 +<br>
>> SecurityPkg/Library/AuthVariableLib/AuthService.c | 22 +-<br>
>> MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h | 43 +<br>
>> MdeModulePkg/Include/Library/VariablePolicyHelperLib.h | 164 ++<br>
>> MdeModulePkg/Include/Library/VariablePolicyLib.h | 206 ++<br>
>> MdeModulePkg/Include/Protocol/VariablePolicy.h | 156 ++<br>
>> MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf | 44 +<br>
>> MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.uni | 12 +<br>
>> MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf | 36 +<br>
>> MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.uni | 12 +<br>
>> MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf | 38 +<br>
>> MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.uni | 12 +<br>
>> MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicyUnitTest.inf | 41 +<br>
>> MdeModulePkg/MdeModulePkg.dec | 17 +-<br>
>> MdeModulePkg/MdeModulePkg.dsc | 7 +<br>
>> MdeModulePkg/Test/MdeModulePkgHostTest.dsc | 8 +<br>
>> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf | 5 +<br>
>> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf | 4 +<br>
>> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf | 8 +<br>
>> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf | 4 +<br>
>> SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf | 2 +<br>
>> 31 files changed, 5172 insertions(+), 77 deletions(-)<br>
>> create mode 100644 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c<br>
>> create mode 100644 MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.c<br>
>> create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c<br>
>> create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicyUnitTest.c<br>
>> create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableLockRequstToLock.c<br>
>> create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c<br>
>> create mode 100644 MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h<br>
>> create mode 100644 MdeModulePkg/Include/Library/VariablePolicyHelperLib.h<br>
>> create mode 100644 MdeModulePkg/Include/Library/VariablePolicyLib.h<br>
>> create mode 100644 MdeModulePkg/Include/Protocol/VariablePolicy.h<br>
>> create mode 100644 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf<br>
>> create mode 100644 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.uni<br>
>> create mode 100644 MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf<br>
>> create mode 100644 MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.uni<br>
>> create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf<br>
>> create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.uni<br>
>> create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicyUnitTest.inf<br>
>><br>
>> --<br>
>> 2.16.3.windows.1<br>
> <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
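<p class="MsoNormal">The design point Jiewen raises in the quoted thread (an API that disables variable policy needs a way to disable that disable path) as an added C model; this is not edk2's code and not the series' VariablePolicy implementation, and the engine, its function names and the variable names are constructed for illustration:</p>

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical model of a variable-policy engine with a disable API and a
 * one-way interface lock. Constructed for illustration; not edk2's code. */
enum { MAX_POLICIES = 8 };
typedef struct {
  const char *Name;    /* variable name the rule covers */
  bool        LockNow; /* rule: reject every write while policy is active */
} POLICY_ENTRY;
typedef struct {
  POLICY_ENTRY Entries[MAX_POLICIES];
  int          Count;
  bool         Enabled;         /* enforcement on/off (the "DisableVariablePolicy" path) */
  bool         InterfaceLocked; /* one-way latch: refuses Disable and Register */
} POLICY_ENGINE;

void PolicyInit(POLICY_ENGINE *E) { memset(E, 0, sizeof *E); E->Enabled = true; }

bool PolicyRegister(POLICY_ENGINE *E, const char *Name, bool LockNow) {
  if (E->InterfaceLocked || E->Count >= MAX_POLICIES) return false;
  E->Entries[E->Count++] = (POLICY_ENTRY){ Name, LockNow };
  return true;
}
/* "Disable the DisableVariablePolicy": once latched, only a platform reset
 * brings the disable path back. */
void PolicyLockInterface(POLICY_ENGINE *E) { E->InterfaceLocked = true; }
bool PolicyDisable(POLICY_ENGINE *E) {
  if (E->InterfaceLocked) return false; /* the latch wins */
  E->Enabled = false;
  return true;
}
/* Evaluate a SetVariable-like write request against the registered rules. */
bool PolicyAllowsWrite(const POLICY_ENGINE *E, const char *Name) {
  if (!E->Enabled) return true; /* a disabled engine enforces nothing */
  for (int i = 0; i < E->Count; i++)
    if (E->Entries[i].LockNow && strcmp(E->Entries[i].Name, Name) == 0) return false;
  return true;
}
/* Scenario with constructed variable names: lock one variable, latch the interface,
 * then confirm Disable and a late Register are refused. Returns 0 on success, else the failing step. */
int RunScenario(void) {
  POLICY_ENGINE E; PolicyInit(&E);
  if (!PolicyRegister(&E, "ExampleLockedVar", true)) return 1;
  if (PolicyAllowsWrite(&E, "ExampleLockedVar")) return 2;
  if (!PolicyAllowsWrite(&E, "UnrelatedVar")) return 3;
  PolicyLockInterface(&E);
  if (PolicyDisable(&E)) return 4;
  if (PolicyAllowsWrite(&E, "ExampleLockedVar")) return 5;
  if (PolicyRegister(&E, "LateRule", true)) return 6;
  return 0;
}
```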
</div>
</div>
</body>
</html>