Re: [edk2-devel] [PATCH v6 09/14] MdeModulePkg: Connect VariablePolicy business logic to VariableServices
1. [Dandan]: I see other APIs in the VariablePolicyProtocol are using the APIs in VariablePolicyLib directly, expect this one. Could we make the IsVariablePolicyEnabled API aligned in protocol and Lib? This is because of an incongruity between the protocol definition and the library definition. For a simpler interface the library returns a BOOLEAN, but the Protocol returns EFI_STATUS (to align with the majority of Protocol calls). Could update the library to match the protocol, if it’s important, but it would touch a number of places. - Bret From: Dandan Bi via groups.io<mailto:dandan.bi=intel@groups.io> Sent: Wednesday, July 1, 2020 7:13 PM To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>; b...@corthon.com<mailto:b...@corthon.com> Cc: Wang, Jian J<mailto:jian.j.w...@intel.com>; Wu, Hao A<mailto:hao.a...@intel.com>; liming.gao<mailto:liming@intel.com> Subject: [EXTERNAL] Re: [edk2-devel] [PATCH v6 09/14] MdeModulePkg: Connect VariablePolicy business logic to VariableServices 1 comment inline, please check. Thanks, Dandan > -Original Message- > From: devel@edk2.groups.io On Behalf Of Bret > Barkelew > Sent: Tuesday, June 23, 2020 2:41 PM > To: devel@edk2.groups.io > Cc: Wang, Jian J ; Wu, Hao A ; > Gao, Liming > Subject: [edk2-devel] [PATCH v6 09/14] MdeModulePkg: Connect > VariablePolicy business logic to VariableServices > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.tianocore.org%2Fshow_bug.cgi%3Fid%3D2522data=02%7C01%7CBret.Barkelew%40microsoft.com%7C3cebf618dafa4cfee99d08d81e2d7eea%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637292528041413678sdata=MqZbcBcrPmvajnjVnc8Ohmvq1s3u4OaUQB0d1wrdvLw%3Dreserved=0 > > VariablePolicy is an updated interface to > replace VarLock and VarCheckProtocol. > > Add connective code to publish the VariablePolicy protocol > and wire it to either the SMM communication interface > or directly into the VariablePolicyLib business logic. > > Cc: Jian J Wang > Cc: Hao A Wu > Cc: Liming Gao > Cc: Bret Barkelew > Signed-off-by: Bret Barkelew > --- > MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c | 53 > ++ > MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c > | 642 > > MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe. > c | 14 + > MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf > | 2 + > MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf | 3 > + > > MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.i > nf | 10 + > 6 files changed, 724 insertions(+) > > diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c > b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c > index 7d2b6c8e1fad..d404d4763e54 100644 > --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c > +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c > @@ -5,18 +5,34 @@ > Copyright (C) 2013, Red Hat, Inc. > > Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved. > > (C) Copyright 2015 Hewlett Packard Enterprise Development LP > > +Copyright (c) Microsoft Corporation. > > SPDX-License-Identifier: BSD-2-Clause-Patent > > > > **/ > > > > #include "Variable.h" > > > > +#include > > +#include > > + > > +EFI_STATUS > > +EFIAPI > > +ProtocolIsVariablePolicyEnabled ( > > + OUT BOOLEAN *State > > + ); > > + > > EFI_HANDLE mHandle= NULL; > > EFI_EVENT mVirtualAddressChangeEvent = NULL; > > VOID*mFtwRegistration = NULL; > > VOID***mVarCheckAddressPointer = NULL; > > UINTN mVarCheckAddressPointerCount = 0; > > EDKII_VARIABLE_LOCK_PROTOCOLmVariableLock = > { VariableLockRequestToLock }; > > +EDKII_VARIABLE_POLICY_PROTOCOL mVariablePolicyProtocol= > { EDKII_VARIABLE_POLICY_PROTOCOL_REVISION, > > + > DisableVariablePolicy, > > + > ProtocolIsVariablePolicyEnabled, > > + > RegisterVariablePolicy, > > + > DumpVariablePolicy, > > + > LockVariablePolicy }; > > EDKII_VAR_CHECK_PROTOCOLmVarCheck = > {
Re: [edk2-devel] [PATCH v6 09/14] MdeModulePkg: Connect VariablePolicy business logic to VariableServices
1 comment inline, please check. Thanks, Dandan > -Original Message- > From: devel@edk2.groups.io On Behalf Of Bret > Barkelew > Sent: Tuesday, June 23, 2020 2:41 PM > To: devel@edk2.groups.io > Cc: Wang, Jian J ; Wu, Hao A ; > Gao, Liming > Subject: [edk2-devel] [PATCH v6 09/14] MdeModulePkg: Connect > VariablePolicy business logic to VariableServices > > https://bugzilla.tianocore.org/show_bug.cgi?id=2522 > > VariablePolicy is an updated interface to > replace VarLock and VarCheckProtocol. > > Add connective code to publish the VariablePolicy protocol > and wire it to either the SMM communication interface > or directly into the VariablePolicyLib business logic. > > Cc: Jian J Wang > Cc: Hao A Wu > Cc: Liming Gao > Cc: Bret Barkelew > Signed-off-by: Bret Barkelew > --- > MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c | 53 > ++ > MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c > | 642 > > MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe. > c | 14 + > MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf > | 2 + > MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf | 3 > + > > MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.i > nf | 10 + > 6 files changed, 724 insertions(+) > > diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c > b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c > index 7d2b6c8e1fad..d404d4763e54 100644 > --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c > +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c > @@ -5,18 +5,34 @@ > Copyright (C) 2013, Red Hat, Inc. > > Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved. > > (C) Copyright 2015 Hewlett Packard Enterprise Development LP > > +Copyright (c) Microsoft Corporation. > > SPDX-License-Identifier: BSD-2-Clause-Patent > > > > **/ > > > > #include "Variable.h" > > > > +#include > > +#include > > + > > +EFI_STATUS > > +EFIAPI > > +ProtocolIsVariablePolicyEnabled ( > > + OUT BOOLEAN *State > > + ); > > + > > EFI_HANDLE mHandle= NULL; > > EFI_EVENT mVirtualAddressChangeEvent = NULL; > > VOID*mFtwRegistration = NULL; > > VOID***mVarCheckAddressPointer = NULL; > > UINTN mVarCheckAddressPointerCount = 0; > > EDKII_VARIABLE_LOCK_PROTOCOLmVariableLock = > { VariableLockRequestToLock }; > > +EDKII_VARIABLE_POLICY_PROTOCOL mVariablePolicyProtocol= > { EDKII_VARIABLE_POLICY_PROTOCOL_REVISION, > > + > DisableVariablePolicy, > > + > ProtocolIsVariablePolicyEnabled, > > + > RegisterVariablePolicy, > > + > DumpVariablePolicy, > > + > LockVariablePolicy }; > > EDKII_VAR_CHECK_PROTOCOLmVarCheck = > { VarCheckRegisterSetVariableCheckHandler, > > > VarCheckVariablePropertySet, > > > VarCheckVariablePropertyGet }; > > @@ -303,6 +319,8 @@ OnReadyToBoot ( > } > >} > > > > + ASSERT_EFI_ERROR (LockVariablePolicy ()); > > + > >gBS->CloseEvent (Event); > > } > > > > @@ -466,6 +484,28 @@ FtwNotificationEvent ( > } > > > > > > +/** > > + This API function returns whether or not the policy engine is > > + currently being enforced. > > + > > + @param[out] State Pointer to a return value for whether the policy > enforcement > > +is currently enabled. > > + > > + @retval EFI_SUCCESS > > + @retval OthersAn error has prevented this command from > completing. > > + > > +**/ > > +EFI_STATUS > > +EFIAPI > > +ProtocolIsVariablePolicyEnabled ( > > + OUT BOOLEAN *State > > + ) > > +{ > > + *State = IsVariablePolicyEnabled (); >
[edk2-devel] [PATCH v6 09/14] MdeModulePkg: Connect VariablePolicy business logic to VariableServices
https://bugzilla.tianocore.org/show_bug.cgi?id=2522 VariablePolicy is an updated interface to replace VarLock and VarCheckProtocol. Add connective code to publish the VariablePolicy protocol and wire it to either the SMM communication interface or directly into the VariablePolicyLib business logic. Cc: Jian J Wang Cc: Hao A Wu Cc: Liming Gao Cc: Bret Barkelew Signed-off-by: Bret Barkelew --- MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c | 53 ++ MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c| 642 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c | 14 + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf| 2 + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf | 3 + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf | 10 + 6 files changed, 724 insertions(+) diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c index 7d2b6c8e1fad..d404d4763e54 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c @@ -5,18 +5,34 @@ Copyright (C) 2013, Red Hat, Inc. Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved. (C) Copyright 2015 Hewlett Packard Enterprise Development LP +Copyright (c) Microsoft Corporation. SPDX-License-Identifier: BSD-2-Clause-Patent **/ #include "Variable.h" +#include +#include + +EFI_STATUS +EFIAPI +ProtocolIsVariablePolicyEnabled ( + OUT BOOLEAN *State + ); + EFI_HANDLE mHandle= NULL; EFI_EVENT mVirtualAddressChangeEvent = NULL; VOID*mFtwRegistration = NULL; VOID***mVarCheckAddressPointer = NULL; UINTN mVarCheckAddressPointerCount = 0; EDKII_VARIABLE_LOCK_PROTOCOLmVariableLock = { VariableLockRequestToLock }; +EDKII_VARIABLE_POLICY_PROTOCOL mVariablePolicyProtocol= { EDKII_VARIABLE_POLICY_PROTOCOL_REVISION, + DisableVariablePolicy, + ProtocolIsVariablePolicyEnabled, + RegisterVariablePolicy, + DumpVariablePolicy, + LockVariablePolicy }; EDKII_VAR_CHECK_PROTOCOLmVarCheck = { VarCheckRegisterSetVariableCheckHandler, VarCheckVariablePropertySet, VarCheckVariablePropertyGet }; @@ -303,6 +319,8 @@ OnReadyToBoot ( } } + ASSERT_EFI_ERROR (LockVariablePolicy ()); + gBS->CloseEvent (Event); } @@ -466,6 +484,28 @@ FtwNotificationEvent ( } +/** + This API function returns whether or not the policy engine is + currently being enforced. + + @param[out] State Pointer to a return value for whether the policy enforcement +is currently enabled. + + @retval EFI_SUCCESS + @retval OthersAn error has prevented this command from completing. + +**/ +EFI_STATUS +EFIAPI +ProtocolIsVariablePolicyEnabled ( + OUT BOOLEAN *State + ) +{ + *State = IsVariablePolicyEnabled (); + return EFI_SUCCESS; +} + + /** Variable Driver main entry point. The Variable driver places the 4 EFI runtime services in the EFI System Table and installs arch protocols @@ -576,6 +616,19 @@ VariableServiceInitialize ( ); ASSERT_EFI_ERROR (Status); + // Register and initialize the VariablePolicy engine. + Status = InitVariablePolicyLib (VariableServiceGetVariable); + ASSERT_EFI_ERROR (Status); + Status = VarCheckRegisterSetVariableCheckHandler (ValidateSetVariable); + ASSERT_EFI_ERROR (Status); + Status = gBS->InstallMultipleProtocolInterfaces ( +, +, +, +NULL +); + ASSERT_EFI_ERROR (Status); + return EFI_SUCCESS; } diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c new file mode 100644 index ..e2d4cf4cec1a --- /dev/null +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c @@ -0,0 +1,642 @@ +/** @file -- VariablePolicySmmDxe.c +This protocol allows communication with Variable Policy Engine. + +Copyright (c) Microsoft Corporation. +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include
[edk2-devel] [PATCH v6 09/14] MdeModulePkg: Connect VariablePolicy business logic to VariableServices
https://bugzilla.tianocore.org/show_bug.cgi?id=2522 VariablePolicy is an updated interface to replace VarLock and VarCheckProtocol. Add connective code to publish the VariablePolicy protocol and wire it to either the SMM communication interface or directly into the VariablePolicyLib business logic. Cc: Jian J Wang Cc: Hao A Wu Cc: Liming Gao Cc: Bret Barkelew Signed-off-by: Bret Barkelew --- MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c | 53 ++ MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c| 642 MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c | 14 + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf| 2 + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf | 3 + MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf | 10 + 6 files changed, 724 insertions(+) diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c index 7d2b6c8e1fad..d404d4763e54 100644 --- a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c @@ -5,18 +5,34 @@ Copyright (C) 2013, Red Hat, Inc. Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved. (C) Copyright 2015 Hewlett Packard Enterprise Development LP +Copyright (c) Microsoft Corporation. SPDX-License-Identifier: BSD-2-Clause-Patent **/ #include "Variable.h" +#include +#include + +EFI_STATUS +EFIAPI +ProtocolIsVariablePolicyEnabled ( + OUT BOOLEAN *State + ); + EFI_HANDLE mHandle= NULL; EFI_EVENT mVirtualAddressChangeEvent = NULL; VOID*mFtwRegistration = NULL; VOID***mVarCheckAddressPointer = NULL; UINTN mVarCheckAddressPointerCount = 0; EDKII_VARIABLE_LOCK_PROTOCOLmVariableLock = { VariableLockRequestToLock }; +EDKII_VARIABLE_POLICY_PROTOCOL mVariablePolicyProtocol= { EDKII_VARIABLE_POLICY_PROTOCOL_REVISION, + DisableVariablePolicy, + ProtocolIsVariablePolicyEnabled, + RegisterVariablePolicy, + DumpVariablePolicy, + LockVariablePolicy }; EDKII_VAR_CHECK_PROTOCOLmVarCheck = { VarCheckRegisterSetVariableCheckHandler, VarCheckVariablePropertySet, VarCheckVariablePropertyGet }; @@ -303,6 +319,8 @@ OnReadyToBoot ( } } + ASSERT_EFI_ERROR (LockVariablePolicy ()); + gBS->CloseEvent (Event); } @@ -466,6 +484,28 @@ FtwNotificationEvent ( } +/** + This API function returns whether or not the policy engine is + currently being enforced. + + @param[out] State Pointer to a return value for whether the policy enforcement +is currently enabled. + + @retval EFI_SUCCESS + @retval OthersAn error has prevented this command from completing. + +**/ +EFI_STATUS +EFIAPI +ProtocolIsVariablePolicyEnabled ( + OUT BOOLEAN *State + ) +{ + *State = IsVariablePolicyEnabled (); + return EFI_SUCCESS; +} + + /** Variable Driver main entry point. The Variable driver places the 4 EFI runtime services in the EFI System Table and installs arch protocols @@ -576,6 +616,19 @@ VariableServiceInitialize ( ); ASSERT_EFI_ERROR (Status); + // Register and initialize the VariablePolicy engine. + Status = InitVariablePolicyLib (VariableServiceGetVariable); + ASSERT_EFI_ERROR (Status); + Status = VarCheckRegisterSetVariableCheckHandler (ValidateSetVariable); + ASSERT_EFI_ERROR (Status); + Status = gBS->InstallMultipleProtocolInterfaces ( +, +, +, +NULL +); + ASSERT_EFI_ERROR (Status); + return EFI_SUCCESS; } diff --git a/MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c new file mode 100644 index ..e2d4cf4cec1a --- /dev/null +++ b/MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicySmmDxe.c @@ -0,0 +1,642 @@ +/** @file -- VariablePolicySmmDxe.c +This protocol allows communication with Variable Policy Engine. + +Copyright (c) Microsoft Corporation. +SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include