[202405][Rebase&&FF] Variable Policy Changes #978

Merged: Flickdm merged 14 commits into microsoft:release/202405 from Flickdm:cherry-pick/release/202405/feature/variable-policy on Jul 23, 2024
Conversation
github-actions bot added the impact:non-functional label (Does not have a functional impact) on Jun 26, 2024
Flickdm force-pushed the cherry-pick/release/202405/feature/variable-policy branch from e3a4abc to cc33e42 on July 3, 2024 22:57
Codecov Report. Attention: Patch coverage is

Coverage Diff (base release/202405 vs. head #978):

| | release/202405 | #978 | +/- |
|---|---|---|---|
| Coverage | ? | 0.98% | |
| Files | ? | 940 | |
| Lines | ? | 316802 | |
| Branches | ? | 3630 | |
| Hits | ? | 3128 | |
| Misses | ? | 313596 | |
| Partials | ? | 78 | |

Flags with carried forward coverage won't be shown.
Flickdm force-pushed the cherry-pick/release/202405/feature/variable-policy branch 11 times, most recently from 82f8ca0 to ba12a1c on July 18, 2024 17:23
Flickdm force-pushed the cherry-pick/release/202405/feature/variable-policy branch 5 times, most recently from 768d8ad to d576ba9 on July 19, 2024 21:11
apop5 reviewed Jul 19, 2024 (2 review entries)

os-d reviewed Jul 19, 2024: MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/Readme.md (outdated, resolved); MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/VariablePolicyFuncTestInternal.h (outdated, resolved)

apop5 reviewed Jul 19, 2024 (5 review entries)

os-d reviewed Jul 19, 2024

apop5 reviewed Jul 19, 2024: MdeModulePkg/Test/ShellTest/VariablePolicyFuncTestApp/VariablePolicyFuncTestInternal.h (outdated, resolved)

makubacki approved these changes Jul 19, 2024
Flickdm force-pushed the cherry-pick/release/202405/feature/variable-policy branch 5 times, most recently from bf8561a to 66a4684 on July 22, 2024 21:53

Flickdm force-pushed the cherry-pick/release/202405/feature/variable-policy branch from 66a4684 to daf3342 on July 22, 2024 22:40

VivianNK reviewed Jul 22, 2024 (2 review entries): MdeModulePkg/Universal/Variable/RuntimeDxe/VariablePolicyLockingCommon.c (resolved)

VivianNK approved these changes Jul 22, 2024

Flickdm force-pushed the cherry-pick/release/202405/feature/variable-policy branch from daf3342 to a5de7ad on July 23, 2024 20:15
When VariablePolicyFuncTestApp ends, the variable policy engine has been disabled. To accommodate automated testing, reboot the system at the end of the test suite to reset the variable policy state. The app already reboots several times during execution to reset the variable policy enablement/lock state.

- [x] Impacts functionality?
  - **Functionality** - Does the change ultimately impact how firmware functions?
  - Examples: Add a new library, publish a new PPI, update an algorithm, ...
- [ ] Impacts security?
  - **Security** - Does the change have a direct security impact on an application, flow, or firmware?
  - Examples: Crypto algorithm change, buffer overflow fix, parameter validation improvement, ...
- [ ] Breaking change?
  - **Breaking change** - Will anyone consuming this change experience a break in build or boot behavior?
  - Examples: Add a new library class, move a module to a different repo, call a function in a new library class in a pre-existing module, ...
- [ ] Includes tests?
  - **Tests** - Does the change include any explicit test code?
  - Examples: Unit tests, integration tests, robot tests, ...
- [ ] Includes documentation?
  - **Documentation** - Does the change contain explicit documentation additions outside direct code modifications (and comments)?
  - Examples: Update readme file, add feature readme file, link to documentation on a separate Web page, ...

How This Was Tested: Tested on Q35

Integration Instructions: N/A
Default to allow Engine disablement. Platform can override in DSC. Lock interface at ReadyToBoot. Currently -- in Mu -- ReadyToBoot is our TCB, not EndOfDxe. Don't notify ExitBootServices until after Notify and Callback.
…nterface Define a NULL library class that can OPTIONALLY be linked against the DXE VariableServices component to provide platform hooks before and after VariablePolicy is locked.
This code also dispatches to the callback, if registered.
This change uses newly defined interface to validate communicate buffer. The new interface is abstracted to Standalone and traditional MM implementations, respectively to keep the invocation of this interface the same.
Update Variable Services to allow simple deletion of auth vars when VarPolicy is disabled.
Adds unit tests to test the following two new APIs introduced:

1. GetVariablePolicyInfo()
2. GetLockOnVariableStateVariablePolicyInfo()
...if SetVariable Failed

A variable policy is automatically applied when EfiBootManagerLoadOptionToVariable() is used to set the PlatformRecovery#### variable. If the attempt to set the PlatformRecovery#### fails, we should not register a variable policy.

- [x] Impacts functionality?
  - **Functionality** - Does the change ultimately impact how firmware functions?
  - Examples: Add a new library, publish a new PPI, update an algorithm, ...
- [x] Impacts security?
  - **Security** - Does the change have a direct security impact on an application, flow, or firmware?
  - Examples: Crypto algorithm change, buffer overflow fix, parameter validation improvement, ...
- [ ] Breaking change?
  - **Breaking change** - Will anyone consuming this change experience a break in build or boot behavior?
  - Examples: Add a new library class, move a module to a different repo, call a function in a new library class in a pre-existing module, ...
- [ ] Includes tests?
  - **Tests** - Does the change include any explicit test code?
  - Examples: Unit tests, integration tests, robot tests, ...
- [ ] Includes documentation?
  - **Documentation** - Does the change contain explicit documentation additions outside direct code modifications (and comments)?
  - Examples: Update readme file, add feature readme file, link to documentation on a separate Web page, ...

How This Was Tested: Tested using the BootAuditTestApp on Q35

Integration Instructions: N/A
Makes the `#` character used for comparison against wildcard characters in `CHAR16` strings to be prefixed with `L` so the character is treated as a wide character constant.

- [ ] Impacts functionality?
  - **Functionality** - Does the change ultimately impact how firmware functions?
  - Examples: Add a new library, publish a new PPI, update an algorithm, ...
- [ ] Impacts security?
  - **Security** - Does the change have a direct security impact on an application, flow, or firmware?
  - Examples: Crypto algorithm change, buffer overflow fix, parameter validation improvement, ...
- [ ] Breaking change?
  - **Breaking change** - Will anyone consuming this change experience a break in build or boot behavior?
  - Examples: Add a new library class, move a module to a different repo, call a function in a new library class in a pre-existing module, ...
- [x] Includes tests?
  - **Tests** - Does the change include any explicit test code?
  - Examples: Unit tests, integration tests, robot tests, ...
- [ ] Includes documentation?
  - **Documentation** - Does the change contain explicit documentation additions outside direct code modifications (and comments)?
  - Examples: Update readme file, add feature readme file, link to documentation on a separate Web page, ...

How This Was Tested: Verified using C/C++ debugger that the character comparison is tested and the expected result is returned.

Integration Instructions: N/A

Signed-off-by: Michael Kubacki <[email protected]>
To enable testing variable policy functionality in the shell, it needs to be unlocked when the test starts. This PR adds a check to the system device state and avoids locking if it is in unit test mode.

- [x] Impacts functionality?
  - **Functionality** - Does the change ultimately impact how firmware functions?
  - Examples: Add a new library, publish a new PPI, update an algorithm, ...
- [x] Impacts security?
  - **Security** - Does the change have a direct security impact on an application, flow, or firmware?
  - Examples: Crypto algorithm change, buffer overflow fix, parameter validation improvement, ...
- [ ] Breaking change?
  - **Breaking change** - Will anyone consuming this change experience a break in build or boot behavior?
  - Examples: Add a new library class, move a module to a different repo, call a function in a new library class in a pre-existing module, ...
- [ ] Includes tests?
  - **Tests** - Does the change include any explicit test code?
  - Examples: Unit tests, integration tests, robot tests, ...
- [ ] Includes documentation?
  - **Documentation** - Does the change contain explicit documentation additions outside direct code modifications (and comments)?
  - Examples: Update readme file, add feature readme file, link to documentation on a separate Web page, ...

How This Was Tested: Tested by running the variable policy test app in Q35.

Integration Instructions: N/A
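The wildcard name comparison that the `L'#'` commit above refers to, as an added example that is not code from this PR, from EDK2 or from Project Mu; modelling `CHAR16` as `uint16_t`, treating `#` as "any hexadecimal digit" (upper- or lower-case), and the `MatchesAscii` helper are this example's assumptions:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from this PR or from EDK2/Project Mu. It models the
 * wildcard name comparison in VarCheckPolicyLib's EvaluatePolicyMatch: a policy
 * name such as "PlatformRecovery####" covers a variable when every '#' lines up
 * with a hexadecimal digit and every other character is identical. CHAR16 is
 * modelled as uint16_t; accepting lower-case hex digits is an assumption here. */
typedef uint16_t CHAR16;

static bool IsHexChar16(CHAR16 c) {
  return (c >= L'0' && c <= L'9') || (c >= L'A' && c <= L'F') || (c >= L'a' && c <= L'f');
}

/* TRUE when VariableName satisfies PolicyName (both NUL-terminated CHAR16).
 * The wildcard is written as the wide constant L'#', as in the PR's character
 * comparison fix, so both operands of the comparison are CHAR16 values. */
bool PolicyNameMatches(const CHAR16 *PolicyName, const CHAR16 *VariableName) {
  size_t i;
  for (i = 0; PolicyName[i] != 0 && VariableName[i] != 0; i++) {
    if (PolicyName[i] == L'#') {
      if (!IsHexChar16(VariableName[i])) return false;
    } else if (PolicyName[i] != VariableName[i]) {
      return false;
    }
  }
  /* Both strings must end together: neither a prefix nor a suffix matches. */
  return PolicyName[i] == 0 && VariableName[i] == 0;
}

/* Convenience wrapper: widen two ASCII strings into CHAR16 and compare them. */
bool MatchesAscii(const char *Policy, const char *Variable) {
  CHAR16 P[64], V[64];
  size_t i;
  for (i = 0; Policy[i] != '\0' && i < 63; i++) P[i] = (CHAR16)(unsigned char)Policy[i];
  P[i] = 0;
  for (i = 0; Variable[i] != '\0' && i < 63; i++) V[i] = (CHAR16)(unsigned char)Variable[i];
  V[i] = 0;
  return PolicyNameMatches(P, V);
}

int main(void) {
  const char *Names[] = {"PlatformRecovery0001", "PlatformRecovery00G1", "Boot0001"};
  for (size_t n = 0; n < 3; n++)
    printf("%-22s -> %s\n", Names[n], MatchesAscii("PlatformRecovery####", Names[n]) ? "match" : "no match");
  return 0;
}
```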
Flickdm force-pushed the cherry-pick/release/202405/feature/variable-policy branch from a5de7ad to accf2d8 on July 23, 2024 20:18
Preface

> [!NOTE]
> Depends on #961

Description

Cherry Picks:

This pull request primarily focuses on modifying the UEFI boot manager library and the variable policy library to improve variable policy enforcement and boot option handling. The most significant changes include the addition of new load option types, the implementation of variable policy locking, and the modification of several methods to ensure better policy enforcement and error handling.

Changes to UEFI Boot Manager Library:

- `MdeModulePkg/Include/Library/UefiBootManagerLib.h`: Expanded the `Create` method to handle additional load option types like `SysPrep####` and `PlatformRecovery####`. Also, added a lock now variable policy for the `PlatformRecovery####` variable if the `SetVariable` call was successful. [1] [2]
- `MdeModulePkg/Library/UefiBootManagerLib/BmBoot.c`: Added a constructor for `UefiBootManagerLib` that locates the `VariablePolicy` protocol and registers a basic variable policy.
- `MdeModulePkg/Library/UefiBootManagerLib/BmLoadOption.c`: Modified the `BmGetFreeOptionNumber` method to register a lock now variable policy for the `PlatformRecovery####` variable if the `SetVariable` call was successful. Also, moved `RegisterBasicVariablePolicy` after `SetVariable` for `OptionName`.
- `MdeModulePkg/Library/UefiBootManagerLib/InternalBm.h`: Included `Protocol/VariablePolicy.h` and `Library/VariablePolicyHelperLib.h` for variable policy enforcement. [1] [2]

Changes to Variable Policy Library:

- `MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.c`: Fixed character comparison in `IsValidVariablePolicyStructure` and `EvaluatePolicyMatch` methods. Also, added a security lock report event when the variable policy locks. [1] [2] [3]
- `MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLib.h`, `MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLibStandaloneMm.c`, `MdeModulePkg/Library/VarCheckPolicyLib/VarCheckPolicyLibTraditional.c`: Added a wrapper function to validate the communicate buffer. [1] [2] [3]
- `MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.c`: Reported a security lock audit event when the variable policy locks.
- `MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLib.inf`, `MdeModulePkg/Library/VariablePolicyLib/VariablePolicyLibRuntimeDxe.inf`: Added `SecurityLockAuditLib` to report when the variable policy locks. [1] [2]

Additions and Modifications:

- `MdeModulePkg/Include/Library/VariablePolicyLockingExLib.h`: A new file was added that contains definitions necessary for a platform to register a pre- and post-lock callback on the VariablePolicy interface.
- `MdeModulePkg/Library/VariablePolicyLib/VariablePolicyUnitTest/VariablePolicyUnitTest.inf`: A new unit test file was added for business logic for Variable Policy enforcement.
- `MdeModulePkg/MdeModulePkg.dec`: Added `VariablePolicyLockingExLib` library class and modified `PcdAllowVariablePolicyEnforcementDisable` PCD to allow policy to be disabled by default. [1] [2]
- `MdeModulePkg/MdeModulePkg.dsc`: Included `MemoryProtectionHobLib` and added `SecurityLockAuditLib` to report when the variable policy locks.
How This Was Tested
Release/20311
Integration Instructions
N/A