Merged PR 5990: Conditionally supply the unsigned xml list to DFCI

This is a platform change to supply the unsigned xml list to DFCI. By default, the system will populate the default dynamic PCD of file GUID during build time. During PEI phase, the `ConfDfciUnsignedListInit` will check the system operation state and potentially invalidate the PCD with a null value to prevent system accepting any incoming unsigned settings.
2022-09-07 17:53:45 +00:00 · 2022-09-07 17:53:45 +00:00 · ed3710712c
--- a/Common/MU_OEM_SAMPLE
+++ b/Common/MU_OEM_SAMPLE
@ -1 +1 @@
-Subproject commit 84aed7aa4433427d40af809f28f5db86d6c513ab
+Subproject commit 20cb4a03df74656e48200f1ff18613fc8679e7b8
--- a/Platforms/QemuQ35Pkg/Library/ConfigSystemModeLibQ35/ConfigSystemModeLib.c
+++ b/Platforms/QemuQ35Pkg/Library/ConfigSystemModeLibQ35/ConfigSystemModeLib.c
@ -0,0 +1,29 @@
+/* @file ConfigSystemModeLib.c
+
+  MFCI based library instance for system mode related functions for
+  configuration modules on QEMU Q35 platform.
+
+  Copyright (c) Microsoft Corporation.
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+#include <Uefi.h>
+
+#include <Library/OemMfciLib.h>
+
+/**
+  This routine indicates if the system is in Manufacturing Mode.
+  Platforms may have a manufacturing mode. Configuration update
+  will only be allowed in such mode.
+
+  @retval  TRUE   The device is in Manufacturing Mode.
+  @retval  FALSE  The device is in Customer Mode.
+**/
+BOOLEAN
+EFIAPI
+IsSystemInManufacturingMode (
+  VOID
+  )
+{
+  return (GetMfciSystemOperationMode () == OEM_UEFI_MANUFACTURING_MODE);
+}
--- a/Platforms/QemuQ35Pkg/Library/ConfigSystemModeLibQ35/ConfigSystemModeLib.inf
+++ b/Platforms/QemuQ35Pkg/Library/ConfigSystemModeLibQ35/ConfigSystemModeLib.inf
@ -0,0 +1,35 @@
+## @file ConfigSystemModeLib.inf
+#
+#  MFCI based library instance for system mode related functions for
+#  configuration modules.
+#
+#  Copyright (c) Microsoft Corporation.
+#  SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+
+[Defines]
+  INF_VERSION         = 0x00010017
+  BASE_NAME           = ConfigSystemModeLib
+  FILE_GUID           = 82554E59-4F01-41EE-A3FF-C6C806761FE5
+  VERSION_STRING      = 1.0
+  MODULE_TYPE         = BASE
+  LIBRARY_CLASS       = ConfigSystemModeLib
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+#  VALID_ARCHITECTURES           = ANY
+#
+
+[Sources]
+  ConfigSystemModeLib.c
+
+[LibraryClasses]
+  OemMfciLib
+
+[Packages]
+  MdePkg/MdePkg.dec
+  MfciPkg/MfciPkg.dec
+  OemPkg/OemPkg.dec
--- a/Platforms/QemuQ35Pkg/QemuQ35Pkg.ci.yaml
+++ b/Platforms/QemuQ35Pkg/QemuQ35Pkg.ci.yaml
@ -40,8 +40,9 @@
            "PcBdsPkg/PcBdsPkg.dec",
            "PolicyServicePkg/PolicyServicePkg.dec",
            "SetupDataPkg/SetupDataPkg.dec",
+            "MfciPkg/MfciPkg.dec",
+            "OemPkg/OemPkg.dec",
            "QemuQ35Pkg/QemuQ35Pkg.dec"
-
        ],
        # For host based unit tests
        "AcceptableDependencies-HOST_APPLICATION":[
--- a/Platforms/QemuQ35Pkg/QemuQ35Pkg.dec
+++ b/Platforms/QemuQ35Pkg/QemuQ35Pkg.dec
@ -31,6 +31,9 @@
  ## The Generic Profile (flavor) will be stored in FV under this GUID
  gQemuQ35PkgGenericProfileGuid = { 0xa53c06b5, 0x669f, 0x4b5f, {0x93, 0x86, 0x47, 0x12, 0x12, 0xf5, 0x41, 0xdb } }

+  ## The Platform DFCI Unsigned list file GUID
+  gQemuQ35PkgDfciUnsignedXmlGuid = { 0x62cf29ad, 0xfeee, 0x4930, { 0xb7, 0x1b, 0x48, 0x6, 0xc7, 0x87, 0xc6, 0xaa } }
+
 [Ppis]

 [Protocols]
--- a/Platforms/QemuQ35Pkg/QemuQ35Pkg.dsc
+++ b/Platforms/QemuQ35Pkg/QemuQ35Pkg.dsc
@ -286,6 +286,7 @@
  ConfigBlobBaseLib    |SetupDataPkg/Library/ConfigBlobBaseLib/ConfigBlobBaseLib.inf
  ConfigDataLib        |SetupDataPkg/Library/ConfigDataLib/ConfigDataLib.inf
  ConfigVariableListLib|SetupDataPkg/Library/ConfigVariableListLib/ConfigVariableListLib.inf
+  ConfigSystemModeLib  |QemuQ35Pkg/Library/ConfigSystemModeLibQ35/ConfigSystemModeLib.inf

  # Network libraries
  NetLib                 |NetworkPkg/Library/DxeNetLib/DxeNetLib.inf
@ -599,6 +600,7 @@
  QemuFwCfgLib               |OvmfPkg/Library/QemuFwCfgLib/QemuFwCfgPeiLib.inf
  BaseCryptLib               |CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
  PcdDatabaseLoaderLib       |MdeModulePkg/Library/PcdDatabaseLoaderLib/Pei/PcdDatabaseLoaderLibPei.inf
+  OemMfciLib                 |OemPkg/Library/OemMfciLib/OemMfciLibPei.inf
 !if $(SOURCE_DEBUG_ENABLE) == TRUE
  DebugAgentLib              |SourceLevelDebugPkg/Library/DebugAgent/SecPeiDebugAgentLib.inf
 !endif
@ -638,6 +640,8 @@
  RngLib   |MdePkg/Library/BaseRngLibTimerLib/BaseRngLibTimerLib.inf # MU_CHANGE use timer lib as the source of random
  PciLib   |OvmfPkg/Library/DxePciLibI440FxQ35/DxePciLibI440FxQ35.inf

+  OemMfciLib  |OemPkg/Library/OemMfciLib/OemMfciLibDxe.inf
+
 [LibraryClasses.common.DXE_CORE]
  HobLib                  |MdePkg/Library/DxeCoreHobLib/DxeCoreHobLib.inf
  MemoryAllocationLib     |MdeModulePkg/Library/DxeCoreMemoryAllocationLib/DxeCoreMemoryAllocationLib.inf
@ -915,7 +919,10 @@ PlatformSmmProtectionsTestLib|UefiTestingPkg/Library/PlatformSmmProtectionsTestL

 [PcdsDynamicExDefault]
  # Default this to gQemuQ35PkgGenericProfileGuid
-  gSetupDataPkgTokenSpaceGuid.PcdSetupConfigActiveProfileFile|{ 0xb5, 0x06, 0x3c, 0xa5, 0x9f, 0x66, 0x5f, 0x4b, 0x93, 0x86, 0x47, 0x12, 0x12, 0xf5, 0x41, 0xdb }
+  gSetupDataPkgTokenSpaceGuid.PcdSetupConfigActiveProfileFile|{GUID("A53C06B5-669F-4B5F-9386-471212F541DB")}
+
+  # Default this to gQemuQ35PkgDfciUnsignedXmlGuid
+  gDfciPkgTokenSpaceGuid.PcdUnsignedPermissionsFile|{GUID("62CF29AD-FEEE-4930-B71B-4806C787C6AA")}

 [PcdsDynamicHii]
 !if $(TPM_ENABLE) == TRUE && $(TPM_CONFIG_ENABLE) == TRUE
@ -1015,6 +1022,7 @@ PlatformSmmProtectionsTestLib|UefiTestingPkg/Library/PlatformSmmProtectionsTestL
  OemPkg/DeviceStatePei/DeviceStatePei.inf
  MfciPkg/MfciPei/MfciPei.inf

+  SetupDataPkg/ConfDfciUnsignedListInit/ConfDfciUnsignedListInit.inf
  PolicyServicePkg/PolicyService/Pei/PolicyPei.inf
  QemuQ35Pkg/ConfigDataGfx/ConfigDataGfx.inf

--- a/Platforms/QemuQ35Pkg/QemuQ35Pkg.fdf
+++ b/Platforms/QemuQ35Pkg/QemuQ35Pkg.fdf
@ -263,6 +263,7 @@ INF  MsGraphicsPkg/MsUiTheme/Pei/MsUiThemePpi.inf
 INF  MsGraphicsPkg/MsEarlyGraphics/Pei/MsEarlyGraphics.inf
 INF  MdeModulePkg/Universal/Acpi/FirmwarePerformanceDataTablePei/FirmwarePerformancePei.inf

+INF  SetupDataPkg/ConfDfciUnsignedListInit/ConfDfciUnsignedListInit.inf
 INF  PolicyServicePkg/PolicyService/Pei/PolicyPei.inf
 INF  QemuQ35Pkg/ConfigDataGfx/ConfigDataGfx.inf

@ -567,7 +568,7 @@ FILE FREEFORM = PCD(gZeroTouchPkgTokenSpaceGuid.PcdZeroTouchCertificateFile) {
  FILE FREEFORM = gQemuQ35PkgGenericProfileGuid {
    SECTION RAW = $(CONF_BIN_FILE)
  }
-  FILE FREEFORM = PCD(gDfciPkgTokenSpaceGuid.PcdUnsignedPermissionsFile) {
+  FILE FREEFORM = gQemuQ35PkgDfciUnsignedXmlGuid {
        SECTION RAW = QemuQ35Pkg/UnsignedPermissions.xml
  }

--- a/mu_config_ext_dep.yaml
+++ b/mu_config_ext_dep.yaml
@ -9,6 +9,6 @@
  "name": "FEATURE_CONFIG",
  "var_name": "FEATURE_CONFIG_PATH",
  "source": "https://github.com/microsoft/mu_feature_config.git",
-  "version": "ccd5eb19c07cfb16508b93824e4f3edd8c18dee8",
+  "version": "d2a08dcc2d09a34a7c3a13fcc534138f6efe08aa",
  "flags": ["set_build_var"]
 }