MdeModulePkg/VariablePolicy: Add more granular variable policy querying

Introduces two new APIs to EDKII_VARIABLE_POLICY_PROTOCOL:
  1. GetVariablePolicyInfo()
  2. GetLockOnVariableStateVariablePolicyInfo()

These allow a caller to retrieve policy information associated with
a UEFI variable given the variable name and vendor GUID.

GetVariablePolicyInfo() - Returns the variable policy applied to the
UEFI variable. If the variable policy is applied toward an individual
UEFI variable, that name can optionally be returned.

GetLockOnVariableStateVariablePolicyInfo() - Returns the Lock on
Variable State policy applied to the UEFI variable. If the Lock on
Variable State policy is applied to a specific variable name, that
name can optionally be returned.

These functions can be useful for a variety of purposes such as
auditing, testing, and functional flows.

Also fixed some variable name typos in code touched by the changes.

Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Liming Gao <gaoliming@byosoft.com.cn>
Signed-off-by: Michael Kubacki <michael.kubacki@microsoft.com>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
Message-Id: <20231030203112.736-2-mikuback@linux.microsoft.com>

1 files changed, 34 insertions, 5 deletions

diff --git a/MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h b/MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h
index ff3d4a1fd6..a692fa40c9 100644
--- a/MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h
+++ b/MdeModulePkg/Include/Guid/VarCheckPolicyMmi.h
@@ -32,23 +32,52 @@ typedef struct _VAR_CHECK_POLICY_COMM_DUMP_PARAMS {
   BOOLEAN    HasMore;

 } VAR_CHECK_POLICY_COMM_DUMP_PARAMS;

 

+typedef union {

+  VARIABLE_POLICY_ENTRY                VariablePolicy;

+  VARIABLE_LOCK_ON_VAR_STATE_POLICY    LockOnVarStatePolicy;

+} VAR_CHECK_POLICY_OUTPUT_POLICY_ENTRY;

+

+typedef struct _VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS {

+  EFI_GUID                                InputVendorGuid;

+  UINT32                                  InputVariableNameSize;

+  UINT32                                  OutputVariableNameSize;

+  VAR_CHECK_POLICY_OUTPUT_POLICY_ENTRY    OutputPolicyEntry;

+  CHAR16                                  InputVariableName[1];

+} VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS;

+

 #pragma pack(pop)

 

+#define   VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS_END \

+            (OFFSET_OF(VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS, InputVariableName))

+

 // Make sure that we will hold at least the headers.

 #define   VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE  MAX((OFFSET_OF(EFI_MM_COMMUNICATE_HEADER, Data) + sizeof (VAR_CHECK_POLICY_COMM_HEADER) + EFI_PAGES_TO_SIZE(1)), EFI_PAGES_TO_SIZE(4))

 #define   VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE  (VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE - \

                                                     (OFFSET_OF(EFI_MM_COMMUNICATE_HEADER, Data) + \

                                                       sizeof(VAR_CHECK_POLICY_COMM_HEADER) + \

                                                       sizeof(VAR_CHECK_POLICY_COMM_DUMP_PARAMS)))

+

+#define   VAR_CHECK_POLICY_MM_GET_INFO_BUFFER_SIZE  (VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE - \

+                                                      (OFFSET_OF(EFI_MM_COMMUNICATE_HEADER, Data) + \

+                                                        sizeof(VAR_CHECK_POLICY_COMM_HEADER) + \

+                                                        OFFSET_OF(VAR_CHECK_POLICY_COMM_GET_INFO_PARAMS, InputVariableName)))

+

 STATIC_ASSERT (

   VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE < VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE,

   "an integer underflow may have occurred calculating VAR_CHECK_POLICY_MM_DUMP_BUFFER_SIZE"

   );

 

-#define   VAR_CHECK_POLICY_COMMAND_DISABLE     0x0001

-#define   VAR_CHECK_POLICY_COMMAND_IS_ENABLED  0x0002

-#define   VAR_CHECK_POLICY_COMMAND_REGISTER    0x0003

-#define   VAR_CHECK_POLICY_COMMAND_DUMP        0x0004

-#define   VAR_CHECK_POLICY_COMMAND_LOCK        0x0005

+STATIC_ASSERT (

+  VAR_CHECK_POLICY_MM_GET_INFO_BUFFER_SIZE < VAR_CHECK_POLICY_MM_COMM_BUFFER_SIZE,

+  "an integer underflow may have occurred calculating VAR_CHECK_POLICY_MM_GET_INFO_BUFFER_SIZE"

+  );

+

+#define   VAR_CHECK_POLICY_COMMAND_DISABLE                  0x0001

+#define   VAR_CHECK_POLICY_COMMAND_IS_ENABLED               0x0002

+#define   VAR_CHECK_POLICY_COMMAND_REGISTER                 0x0003

+#define   VAR_CHECK_POLICY_COMMAND_DUMP                     0x0004

+#define   VAR_CHECK_POLICY_COMMAND_LOCK                     0x0005

+#define   VAR_CHECK_POLICY_COMMAND_GET_INFO                 0x0006

+#define   VAR_CHECK_POLICY_COMMAND_GET_LOCK_VAR_STATE_INFO  0x0007

 

 #endif // _VAR_CHECK_POLICY_MMI_COMMON_H_