<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"> <head> <meta http-equiv="Content-Type" content="text/html; charset=us-ascii"> <meta name="Generator" content="Microsoft Word 15 (filtered medium)"> <style></style> </head> <body lang="EN-US" link="blue" vlink="#954F72"> <div class="WordSection1"> Hi Bret,<o:p></o:p> <o:p> </o:p> I plan to review it and give feedback before 7/31.<o:p></o:p> <o:p> </o:p> Thanks and Sorry for inconveniences.<o:p></o:p> <o:p> </o:p> Best Regards.<o:p></o:p> <div> <div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in"> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Bret Barkelew via groups.io Sent: Tuesday, June 9, 2020 1:52 PM To: devel@edk2.groups.io; bret@corthon.com Cc: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B <chao.b.zhang@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Wu, Hao A <hao.a.wu@intel.com>; Gao, Liming <liming.gao@intel.com>; Justen, Jordan L <jordan.l.justen@intel.com>; Laszlo Ersek <lersek@redhat.com>; Ard Biesheuvel <ard.biesheuvel@arm.com>; Andrew Fish <afish@apple.com>; Ni, Ray <ray.ni@intel.com> Subject: Re: [EXTERNAL] [edk2-devel] [PATCH v5 00/14] Add the VariablePolicy feature<o:p></o:p> </div> </div> <o:p> </o:p> Bump.<o:p></o:p> Now that the stable tag is behind us, I’d like to get this in to have maximum time before the next stable tag.<o:p></o:p> <o:p> </o:p> I think the only reviews I’ve seen so far are for the platform integrations (Arm, Ovmf, and Embedded). Need more eyeballs, please and thank you!<o:p></o:p> <o:p> </o:p> - Bret<o:p></o:p> <o:p> </o:p> <div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in"> From: <a href="mailto:bret=corthon.com@groups.io">Bret Barkelew via groups.io</a> Sent: Wednesday, June 3, 2020 2:52 AM To: <a href="mailto:devel@edk2.groups.io">devel@edk2.groups.io</a> Cc: <a href="mailto:jiewen.yao@intel.com">Yao, Jiewen</a>; <a href="mailto:chao.b.zhang@intel.com"> Chao Zhang</a>; <a href="mailto:jian.j.wang@intel.com">Jian J Wang</a>; <a href="mailto:hao.a.wu@intel.com"> Hao A Wu</a>; <a href="mailto:liming.gao@intel.com">liming.gao</a>; <a href="mailto:jordan.l.justen@intel.com"> Jordan Justen</a>; <a href="mailto:lersek@redhat.com">Laszlo Ersek</a>; <a href="mailto:ard.biesheuvel@arm.com"> Ard Biesheuvel</a>; <a href="mailto:afish@apple.com">Andrew Fish</a>; <a href="mailto:ray.ni@intel.com"> Ni, Ray</a> Subject: [EXTERNAL] [edk2-devel] [PATCH v5 00/14] Add the VariablePolicy feature<o:p></o:p> </div> <o:p> </o:p> REF:https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.tianocore.org%2Fshow_bug.cgi%3Fid%3D2522&data=02%7C01%7Cbret.barkelew%40microsoft.com%7C90bcb822fa054686203008d807a3e4ee%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637267747784879051&sdata=k9X9qPTDTQlno5%2Ff4koMn6bE9s6nTOIlJ886PQRw%2Bzc%3D&reserved=0 The 14 patches in this series add the VariablePolicy feature to the core, deprecate Edk2VarLock (while adding a compatibility layer to reduce code churn), and integrate the VariablePolicy libraries and protocols into Variable Services. Since the integration requires multiple changes, including adding libraries, a protocol, an SMI communication handler, and VariableServices integration, the patches are broken up by individual library additions and then a final integration. Security-sensitive changes like bypassing Authenticated Variable enforcement are also broken out into individual patches so that attention can be called directly to them. Platform porting instructions are described in this wiki entry: <a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Ftianocore%2Ftianocore.github.io%2Fwiki%2FVariablePolicy-Protocol---Enhanced-Method-for-Managing-Variables%23platform-porting&data=02%7C01%7Cbret.barkelew%40microsoft.com%7C90bcb822fa054686203008d807a3e4ee%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637267747784879051&sdata=eIQjfZJQGTECXzETa1iZ3T9vOdNiNEjIzVrjhDR%2B2CE%3D&reserved=0">https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Ftianocore%2Ftianocore.github.io%2Fwiki%2FVariablePolicy-Protocol---Enhanced-Method-for-Managing-Variables%23platform-porting&data=02%7C01%7Cbret.barkelew%40microsoft.com%7C90bcb822fa054686203008d807a3e4ee%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637267747784879051&sdata=eIQjfZJQGTECXzETa1iZ3T9vOdNiNEjIzVrjhDR%2B2CE%3D&reserved=0</a> Discussion of the feature can be found in multiple places throughout the last year on the RFC channel, staging branches, and in devel. Most recently, this subject was discussed in this thread: <a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fedk2.groups.io%2Fg%2Fdevel%2Fmessage%2F53712&data=02%7C01%7Cbret.barkelew%40microsoft.com%7C90bcb822fa054686203008d807a3e4ee%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637267747784879051&sdata=rhwUXzkU%2B71sFkomJvPzi4IN6hz2JKIbDBnNt0wCJS8%3D&reserved=0">https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fedk2.groups.io%2Fg%2Fdevel%2Fmessage%2F53712&data=02%7C01%7Cbret.barkelew%40microsoft.com%7C90bcb822fa054686203008d807a3e4ee%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637267747784879051&sdata=rhwUXzkU%2B71sFkomJvPzi4IN6hz2JKIbDBnNt0wCJS8%3D&reserved=0</a> (the code branches shared in that discussion are now out of date, but the whitepapers and discussion are relevant). Cc: Jiewen Yao <<a href="mailto:jiewen.yao@intel.com">jiewen.yao@intel.com</a>> Cc: Chao Zhang <<a href="mailto:chao.b.zhang@intel.com">chao.b.zhang@intel.com</a>> Cc: Jian J Wang <<a href="mailto:jian.j.wang@intel.com">jian.j.wang@intel.com</a>> Cc: Hao A Wu <<a href="mailto:hao.a.wu@intel.com">hao.a.wu@intel.com</a>> Cc: Liming Gao <<a href="mailto:liming.gao@intel.com">liming.gao@intel.com</a>> Cc: Jordan Justen <<a href="mailto:jordan.l.justen@intel.com">jordan.l.justen@intel.com</a>> Cc: Laszlo Ersek <<a href="mailto:lersek@redhat.com">lersek@redhat.com</a>> Cc: Ard Biesheuvel <<a href="mailto:ard.biesheuvel@arm.com">ard.biesheuvel@arm.com</a>> Cc: Andrew Fish <<a href="mailto:afish@apple.com">afish@apple.com</a>> Cc: Ray Ni <<a href="mailto:ray.ni@intel.com">ray.ni@intel.com</a>> Cc: Bret Barkelew <<a href="mailto:brbarkel@microsoft.com">brbarkel@microsoft.com</a>> Signed-off-by: Bret Barkelew <<a href="mailto:brbarkel@microsoft.com">brbarkel@microsoft.com</a>> v5 changes: * Fix the CONST mismatch in VariablePolicy.h and VariablePolicySmmDxe.c * Fix EFIAPI mismatches in the functional unittest * Rebase on latest origin/master v4 changes: * Remove Optional PcdAllowVariablePolicyEnforcementDisable PCD from platforms * Rebase on master * Migrate to new MmCommunicate2 protocol * Fix an oversight in the default return value for InitMmCommonCommBuffer * Fix in VariablePolicyLib to allow ExtraInitRuntimeDxe to consume variables V3 changes: * Address all non-unittest issues with ECC * Make additional style changes * Include section name in hunk headers in "ini-style" files * Remove requirement for the EdkiiPiSmmCommunicationsRegionTable driver (now allocates its own buffer) * Change names from VARIABLE_POLICY_PROTOCOL and gVariablePolicyProtocolGuid to EDKII_VARIABLE_POLICY_PROTOCOL and gEdkiiVariablePolicyProtocolGuid * Fix GCC warning about initializing externs * Add UNI strings for new PCD * Add patches for ArmVirtPkg, OvmfXen, and UefiPayloadPkg * Reorder patches according to Liming's feedback about adding to platforms before changing variable driver V2 changes: * Fixed implementation for RuntimeDxe * Add PCD to block DisableVariablePolicy * Fix the DumpVariablePolicy pagination in SMM Bret Barkelew (14): MdeModulePkg: Define the VariablePolicy protocol interface MdeModulePkg: Define the VariablePolicyLib MdeModulePkg: Define the VariablePolicyHelperLib MdeModulePkg: Define the VarCheckPolicyLib and SMM interface OvmfPkg: Add VariablePolicy engine to OvmfPkg platform EmulatorPkg: Add VariablePolicy engine to EmulatorPkg platform ArmVirtPkg: Add VariablePolicy engine to ArmVirtPkg platform UefiPayloadPkg: Add VariablePolicy engine to UefiPayloadPkg platform MdeModulePkg: Connect VariablePolicy business logic to VariableServices MdeModulePkg: Allow VariablePolicy state to delete protected variables SecurityPkg: Allow VariablePolicy state to delete authenticated variables MdeModulePkg: Change TCG MOR variables to use VariablePolicy MdeModulePkg: Drop VarLock from RuntimeDxe variable driver MdeModulePkg: Add a shell-based functional test for VariablePolicy MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c | 320 +++ MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.c | 396 ++++ MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitNull.c | 46 + MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitRuntimeDxe.c | 85 + MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c | 813 +++++++ MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicyUnitTest.c | 2436 ++++++++++++++++++++ MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/VariablePolicyFuncTestApp.c | 1978 ++++++++++++++++ MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockDxe.c | 52 +- MdeModulePkg/Universal/Variable/RuntimeDxe/TcgMorLockSmm.c | 60 +- MdeModulePkg/Universal/Variable/RuntimeDxe/VarCheck.c | 49 +- MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c | 53 + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableLockRequstToLock.c | 71 + MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c | 642 ++++++ MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c | 14 + SecurityPkg/Library/AuthVariableLib/AuthService.c | 22 +- ArmVirtPkg/ArmVirt.dsc.inc | 4 + EmulatorPkg/EmulatorPkg.dsc | 3 + MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h | 54 + MdeModulePkg/Include/Library/VariablePolicyHelperLib.h | 164 ++ MdeModulePkg/Include/Library/VariablePolicyLib.h | 207 ++ MdeModulePkg/Include/Protocol/VariablePolicy.h | 157 ++ MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf | 42 + MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.uni | 12 + MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf | 35 + MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.uni | 12 + MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf | 44 + MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.uni | 12 + MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf | 51 + MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicyUnitTest.inf | 40 + MdeModulePkg/MdeModulePkg.ci.yaml | 4 +- MdeModulePkg/MdeModulePkg.dec | 26 +- MdeModulePkg/MdeModulePkg.dsc | 15 + MdeModulePkg/MdeModulePkg.uni | 7 + MdeModulePkg/Test/MdeModulePkgHostTest.dsc | 11 + MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/Readme.md | 55 + MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/VariablePolicyFuncTestApp.inf | 42 + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf | 5 + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf | 4 + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf | 10 + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf | 4 + OvmfPkg/OvmfPkgIa32.dsc | 5 + OvmfPkg/OvmfPkgIa32X64.dsc | 5 + OvmfPkg/OvmfPkgX64.dsc | 5 + OvmfPkg/OvmfXen.dsc | 4 + SecurityPkg/Library/AuthVariableLib/AuthVariableLib.inf | 2 + UefiPayloadPkg/UefiPayloadPkgIa32.dsc | 4 + UefiPayloadPkg/UefiPayloadPkgIa32X64.dsc | 4 + 47 files changed, 8008 insertions(+), 78 deletions(-) create mode 100644 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c create mode 100644 MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.c create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitNull.c create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyExtraInitRuntimeDxe.c create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicyUnitTest.c create mode 100644 MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/VariablePolicyFuncTestApp.c create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableLockRequstToLock.c create mode 100644 MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c create mode 100644 MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h create mode 100644 MdeModulePkg/Include/Library/VariablePolicyHelperLib.h create mode 100644 MdeModulePkg/Include/Library/VariablePolicyLib.h create mode 100644 MdeModulePkg/Include/Protocol/VariablePolicy.h create mode 100644 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.inf create mode 100644 MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.uni create mode 100644 MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.inf create mode 100644 MdeModulePkg/Library/VariablePolicyHelperLib/VariablePolicyHelperLib.uni create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.uni create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf create mode 100644 MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicyUnitTest.inf create mode 100644 MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/Readme.md create mode 100644 MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/VariablePolicyFuncTestApp.inf -- 2.26.2.windows.1.8.g01c50adf56.20200515075929 <o:p></o:p> <o:p> </o:p> <div> </o:p> </div> </div> </body> </html> <div width="1" style="color:white;clear:both">_._,_._,_</div> <hr> Groups.io Links: You receive all messages sent to this group. <a target="_blank" href="https://edk2.groups.io/g/devel/message/61388">View/Reply Online (#61388)</a> | | <a target="_blank" href="https://groups.io/mt/74768732/1813853">Mute This Topic</a> | <a href="https://edk2.groups.io/g/devel/post">New Topic</a> <a href="https://edk2.groups.io/g/devel/editsub/1813853">Your Subscription</a> | <a href="mailto:devel+owner@edk2.groups.io">Contact Group Owner</a> | <a href="https://edk2.groups.io/g/devel/unsub">Unsubscribe</a> [edk2-devel-archive@redhat.com] <div width="1" style="color:white;clear:both">_._,_._,_</div>