MdeModulePkg/VariablePolicy: Add more granular variable policy querying

Introduces two new APIs to EDKII_VARIABLE_POLICY_PROTOCOL: 1. GetVariablePolicyInfo() 2. GetLockOnVariableStateVariablePolicyInfo() These allow a caller to retrieve policy information associated with a UEFI variable given the variable name and vendor GUID. GetVariablePolicyInfo() - Returns the variable policy applied to the UEFI variable. If the variable policy is applied toward an individual UEFI variable, that name can optionally be returned. GetLockOnVariableStateVariablePolicyInfo() - Returns the Lock on Variable State policy applied to the UEFI variable. If the Lock on Variable State policy is applied to a specific variable name, that name can optionally be returned. These functions can be useful for a variety of purposes such as auditing, testing, and functional flows. Also fixed some variable name typos in code touched by the changes. Cc: Dandan Bi <dandan.bi@intel.com> Cc: Hao A Wu <hao.a.wu@intel.com> Cc: Jian J Wang <jian.j.wang@intel.com> Cc: Liming Gao <gaoliming@byosoft.com.cn> Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com> Reviewed-by: Ard Biesheuvel <ardb@kernel.org> Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn> Message-Id: <20231030203112.736-2-mikuback@linux.microsoft.com>
2023-10-30 16:31:09 -04:00
parent 8e74629070
commit f3b2187d55
8 changed files with 1062 additions and 46 deletions
--- a/MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h
+++ b/MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h
@@ -32,23 +32,52 @@ typedef struct _VAR_CHECK_POLICY_COMM_DUMP_PARAMS {
  BOOLEAN    HasMore;
 } VAR_CHECK_POLICY_COMM_DUMP_PARAMS;

+typedef union {
+  VARIABLE_POLICY_ENTRY                VariablePolicy;
+  VARIABLE_LOCK_ON_VAR_STATE_POLICY    LockOnVarStatePolicy;
+} VAR_CHECK_POLICY_OUTPUT_POLICY_ENTRY;
+
+typedef struct _VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS {
+  EFI_GUID                                InputVendorGuid;
+  UINT32                                  InputVariableNameSize;
+  UINT32                                  OutputVariableNameSize;
+  VAR_CHECK_POLICY_OUTPUT_POLICY_ENTRY    OutputPolicyEntry;
+  CHAR16                                  InputVariableName[1];
+} VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS;
+
 #pragma pack(pop)

+#define   VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS_END \
+            (OFFSET_OF(VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS, InputVariableName))
+
 // Make sure that we will hold at least the headers.
 #define   VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE  MAX((OFFSET_OF(EFI_MM_COMMUNICATE_HEADER, Data) + sizeof (VAR_CHECK_POLICY_COMM_HEADER) + EFI_PAGES_TO_SIZE(1)), EFI_PAGES_TO_SIZE(4))
 #define   VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE  (VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE - \
                                                    (OFFSET_OF(EFI_MM_COMMUNICATE_HEADER, Data) + \
                                                      sizeof(VAR_CHECK_POLICY_COMM_HEADER) + \
                                                      sizeof(VAR_CHECK_POLICY_COMM_DUMP_PARAMS)))
+
+#define   VAR_CHECK_POLICY_MM_GET_INFO_BUFFER_SIZE  (VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE - \
+                                                      (OFFSET_OF(EFI_MM_COMMUNICATE_HEADER, Data) + \
+                                                        sizeof(VAR_CHECK_POLICY_COMM_HEADER) + \
+                                                        OFFSET_OF(VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS, InputVariableName)))
+
 STATIC_ASSERT (
  VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE < VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE,
  "an integer underflow may have occurred calculating VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE"
  );

-#define   VAR_CHECK_POLICY_COMMAND_DISABLE     0x0001
-#define   VAR_CHECK_POLICY_COMMAND_IS_ENABLED  0x0002
-#define   VAR_CHECK_POLICY_COMMAND_REGISTER    0x0003
-#define   VAR_CHECK_POLICY_COMMAND_DUMP        0x0004
-#define   VAR_CHECK_POLICY_COMMAND_LOCK        0x0005
+STATIC_ASSERT (
+  VAR_CHECK_POLICY_MM_GET_INFO_BUFFER_SIZE < VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE,
+  "an integer underflow may have occurred calculating VAR_CHECK_POLICY_MM_GET_INFO_BUFFER_SIZE"
+  );
+
+#define   VAR_CHECK_POLICY_COMMAND_DISABLE                  0x0001
+#define   VAR_CHECK_POLICY_COMMAND_IS_ENABLED               0x0002
+#define   VAR_CHECK_POLICY_COMMAND_REGISTER                 0x0003
+#define   VAR_CHECK_POLICY_COMMAND_DUMP                     0x0004
+#define   VAR_CHECK_POLICY_COMMAND_LOCK                     0x0005
+#define   VAR_CHECK_POLICY_COMMAND_GET_INFO                 0x0006
+#define   VAR_CHECK_POLICY_COMMAND_GET_LOCK_VAR_STATE_INFO  0x0007

 #endif // _VAR_CHECK_POLICY_MMI_COMMON_H_