Hi Judah,
Do you have reference information for the following?
1. Overall boot time impact for a sample variable store?
- In particular:
- Initial HMAC calculation/verification time.
- Non-volatile write impact time to caluclate new store HMAC value
and update MetaDataHmacVar.
- Variable reclaim before and after time.
2. Overall non-volatile store size overhead impact with AES-CBC
encrypted variables?
I understand these will vary based on system properties like SPI flash
parameters, cryptographic processor details, etc. I'm trying to get an
idea of the impact from sample data or averages on a particular system
configuration. Also to learn whether the native encryption instruction
(AES-NI) was used and if that could provide any benefit given the
potential number of encryption/decryption operations introduced.
For the code design, I feel the ProtectedVariableLib interface is a bit
too coupled against internal implementation details of the variable
driver. I generally understand why the code is split out to wrap
operations around the new functionality and it follows the AuthVarLib
pattern but changing the library or driver will continue to require
large changes across both like this due to the coupling.
Small things I noticed:
1. VariableKeyLib.inf should not be "BASE", it directly depends on PEI
services
2. Typo "varabile" in some files
3. Does ProtectedVariableLibNull actually need to depend on BaseMemoryLib?
Thanks,
Michael
On 4/29/2022 2:04 PM, Judah Vang wrote:
> For a more detail description of the UEFI variable protected feature you can
> view the Readme.md located at the following location:
> https://github.com/judahvang/edk2/tree/rpmc-update
>
>
> Judah Vang (28):
> MdeModulePkg: Add new GUID for Variable Store Info
> SecurityPkg: Add new GUIDs for
> MdeModulePkg: Update AUTH_VARIABLE_INFO struct
> MdeModulePkg: Add reference to new Ppi Guid
> MdeModulePkg: Add new ProtectedVariable GUIDs
> MdeModulePkg: Add new include files
> MdeModulePkg: Add Null ProtectedVariable Library
> MdeModulePkg: Add new Variable functionality
> MdeModulePkg: Add support for Protected Variables
> SecurityPkg: Add new KeyService types and defines
> SecurityPkg: Update RPMC APIs with index
> SecurityPkg: Add new variable types and functions
> SecurityPkg: Fix GetVariableKey API
> SecurityPkg: Add null encryption variable libs
> SecurityPkg: Add VariableKey library function
> SecurityPkg: Add EncryptionVariable lib with AES
> SecurityPkg: Add Protected Variable Services
> MdeModulePkg: Reference Null ProtectedVariableLib
> SecurityPkg: Add references to new *.inf files
> ArmVirtPkg: Add reference to ProtectedVariableNull
> UefiPayloadPkg: Add ProtectedVariable reference
> EmulatorPkg: Add ProtectedVariable reference
> OvmfPkg: Add ProtectedVariable reference
> OvmfPkg: Add ProtectedVariableLib reference
> OvmfPkg: Add ProtectedVariableLib reference
> OvmfPkg: Add ProtectedVariableLib reference
> OvmfPkg: Add ProtectedVariable reference
> CryptoPkg: Enable cypto HMAC KDF library
>
> MdeModulePkg/MdeModulePkg.dec | 13 +-
> SecurityPkg/SecurityPkg.dec | 43 +-
> ArmVirtPkg/ArmVirtQemu.dsc | 3 +-
> EmulatorPkg/EmulatorPkg.dsc | 3 +-
> MdeModulePkg/MdeModulePkg.dsc | 4 +-
> OvmfPkg/AmdSev/AmdSevX64.dsc | 3 +-
> OvmfPkg/Bhyve/BhyveX64.dsc | 3 +-
> OvmfPkg/CloudHv/CloudHvX64.dsc | 1 +
> OvmfPkg/Microvm/MicrovmX64.dsc | 3 +-
> OvmfPkg/OvmfPkgIa32.dsc | 1 +
> OvmfPkg/OvmfPkgIa32X64.dsc | 1 +
> OvmfPkg/OvmfPkgX64.dsc | 1 +
> OvmfPkg/OvmfXen.dsc | 3 +-
> SecurityPkg/SecurityPkg.dsc | 13 +-
> UefiPayloadPkg/UefiPayloadPkg.dsc | 2 +
> CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf | 2 +-
> MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf | 34 +
> MdeModulePkg/Universal/Variable/Pei/VariablePei.inf | 10 +-
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeDxe.inf | 3 +-
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.inf | 3 +-
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.inf | 4 +-
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableStandaloneMm.inf | 3 +-
> SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf | 43 +
> SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf | 38 +
> SecurityPkg/Library/ProtectedVariableLib/DxeProtectedVariableLib.inf | 64 +
> SecurityPkg/Library/ProtectedVariableLib/PeiProtectedVariableLib.inf | 68 +
> SecurityPkg/Library/ProtectedVariableLib/SmmProtectedVariableLib.inf | 67 +
> SecurityPkg/Library/ProtectedVariableLib/SmmRuntimeProtectedVariableLib.inf | 62 +
> SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf | 36 +
> MdeModulePkg/Include/Guid/ProtectedVariable.h | 22 +
> MdeModulePkg/Include/Library/AuthVariableLib.h | 4 +-
> MdeModulePkg/Include/Library/EncryptionVariableLib.h | 165 ++
> MdeModulePkg/Include/Library/ProtectedVariableLib.h | 700 +++++++
> MdeModulePkg/Universal/Variable/Pei/Variable.h | 80 +-
> MdeModulePkg/Universal/Variable/Pei/VariableParsing.h | 309 +++
> MdeModulePkg/Universal/Variable/Pei/VariableStore.h | 116 ++
> MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.h | 126 +-
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableParsing.h | 91 +-
> MdePkg/Include/Ppi/ReadOnlyVariable2.h | 4 +-
> SecurityPkg/Include/Library/RpmcLib.h | 15 +-
> SecurityPkg/Include/Library/VariableKeyLib.h | 37 +-
> SecurityPkg/Include/Ppi/KeyServicePpi.h | 57 +
> SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h | 49 +
> SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableInternal.h | 611 ++++++
> MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c | 449 ++++
> MdeModulePkg/Universal/Variable/Pei/Variable.c | 886 ++------
> MdeModulePkg/Universal/Variable/Pei/VariableParsing.c | 941 +++++++++
> MdeModulePkg/Universal/Variable/Pei/VariableStore.c | 305 +++
> MdeModulePkg/Universal/Variable/RuntimeDxe/Reclaim.c | 349 +++-
> MdeModulePkg/Universal/Variable/RuntimeDxe/Variable.c | 2139 +++++++++++---------
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableDxe.c | 26 +-
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableExLib.c | 167 +-
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableNonVolatile.c | 194 +-
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableParsing.c | 320 ++-
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableRuntimeCache.c | 2 +-
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmm.c | 39 +-
> MdeModulePkg/Universal/Variable/RuntimeDxe/VariableSmmRuntimeDxe.c | 41 +-
> SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.c | 728 +++++++
> SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c | 107 +
> SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableCommon.c | 2095 +++++++++++++++++++
> SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableDxe.c | 163 ++
> SecurityPkg/Library/ProtectedVariableLib/ProtectedVariablePei.c | 1331 ++++++++++++
> SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmm.c | 209 ++
> SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmmDxeCommon.c | 975 +++++++++
> SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmmRuntime.c | 233 +++
> SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c | 8 +-
> SecurityPkg/Library/VariableKeyLib/VariableKeyLib.c | 59 +
> SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c | 6 +-
> SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.uni | 16 +
> 69 files changed, 12845 insertions(+), 1863 deletions(-)
> create mode 100644 MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariableLibNull.inf
> create mode 100644 SecurityPkg/Library/EncryptionVariableLib/EncryptionVariableLib.inf
> create mode 100644 SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.inf
> create mode 100644 SecurityPkg/Library/ProtectedVariableLib/DxeProtectedVariableLib.inf
> create mode 100644 SecurityPkg/Library/ProtectedVariableLib/PeiProtectedVariableLib.inf
> create mode 100644 SecurityPkg/Library/ProtectedVariableLib/SmmProtectedVariableLib.inf
> create mode 100644 SecurityPkg/Library/ProtectedVariableLib/SmmRuntimeProtectedVariableLib.inf
> create mode 100644 SecurityPkg/Library/VariableKeyLib/VariableKeyLib.inf
> create mode 100644 MdeModulePkg/Include/Guid/ProtectedVariable.h
> create mode 100644 MdeModulePkg/Include/Library/EncryptionVariableLib.h
> create mode 100644 MdeModulePkg/Include/Library/ProtectedVariableLib.h
> create mode 100644 MdeModulePkg/Universal/Variable/Pei/VariableParsing.h
> create mode 100644 MdeModulePkg/Universal/Variable/Pei/VariableStore.h
> create mode 100644 SecurityPkg/Include/Ppi/KeyServicePpi.h
> create mode 100644 SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.h
> create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableInternal.h
> create mode 100644 MdeModulePkg/Library/ProtectedVariableLibNull/ProtectedVariable.c
> create mode 100644 MdeModulePkg/Universal/Variable/Pei/VariableParsing.c
> create mode 100644 MdeModulePkg/Universal/Variable/Pei/VariableStore.c
> create mode 100644 SecurityPkg/Library/EncryptionVariableLib/EncryptionVariable.c
> create mode 100644 SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariable.c
> create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableCommon.c
> create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableDxe.c
> create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariablePei.c
> create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmm.c
> create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmmDxeCommon.c
> create mode 100644 SecurityPkg/Library/ProtectedVariableLib/ProtectedVariableSmmRuntime.c
> create mode 100644 SecurityPkg/Library/VariableKeyLib/VariableKeyLib.c
> create mode 100644 SecurityPkg/Library/EncryptionVariableLibNull/EncryptionVariableLibNull.uni
>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#89791): https://edk2.groups.io/g/devel/message/89791
Mute This Topic: https://groups.io/mt/90781879/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-