False X-Received: from orsmga001.jf.intel.com ([10.7.209.18]) by fmsmga106.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 31 Oct 2019 05:30:23 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.68,250,1569308400"; d="scan'208";a="283875122" X-Received: from jyao1-mobl2.ccr.corp.intel.com ([10.254.211.198]) by orsmga001.jf.intel.com with ESMTP; 31 Oct 2019 05:30:22 -0700 From: "Yao, Jiewen" To: devel@edk2.groups.io Cc: Michael D Kinney , Liming Gao , Yun Lou Subject: [edk2-devel] [PATCH V2 1/4] MdePkg/Include: Add DMTF SPDM definition. Date: Thu, 31 Oct 2019 20:30:09 +0800 Message-Id: <20191031123012.16020-2-jiewen.yao@intel.com> In-Reply-To: <20191031123012.16020-1-jiewen.yao@intel.com> References: <20191031123012.16020-1-jiewen.yao@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,jiewen.yao@intel.com X-Gm-Message-State: Ok2suYQACAwYcuqq6GqAgoUmx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1572525024; bh=ZnL0MynsAnU09pwiPsKCDIP647xaiGPVSv+fwRgdC4s=; h=Cc:Date:From:Reply-To:Subject:To; b=ZrD7e1Mhyab2bTAlSdEmSrqqSjCp2D0XAc1Ohi6t1DjwUYSP8LNMSMfBmKmB6Qj7k4N v2R5WAYs+PjrnJdEp52vjlfexq/ybNWMCFeR2Q5VHIPUMLU3Avrmftya5PrXkqOsNFiSf 9pi4GoX0uAmD4OYuAn+aJIOspYrDQTyFEAo= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D2303 Cc: Michael D Kinney Cc: Liming Gao Cc: Yun Lou Signed-off-by: Jiewen Yao --- MdePkg/Include/IndustryStandard/Spdm.h | 203 ++++++++++++++++++++ 1 file changed, 203 insertions(+) diff --git a/MdePkg/Include/IndustryStandard/Spdm.h b/MdePkg/Include/Indust= ryStandard/Spdm.h new file mode 100644 index 0000000000..d62b24e9ef --- /dev/null +++ b/MdePkg/Include/IndustryStandard/Spdm.h 
@@ -0,0 +1,203 @@ +/** @file + Definitions of Security Protocol & Data Model Specification (SPDM) + in Distributed Management Task Force (DMTF). + +Copyright (c) 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + + +#ifndef __SPDM_H__ +#define __SPDM_H__ + +#pragma pack(1) + +#define SPDM_DIGESTS 0x01 +#define SPDM_CERTIFICATE 0x02 +#define SPDM_CHALLENGE_AUTH 0x03 +#define SPDM_MEASUREMENTS 0x60 +#define SPDM_CAPABILITIES 0x61 +#define SPDM_SET_CERT_RESPONSE 0x62 +#define SPDM_ALGORITHMS 0x63 +#define SPDM_ERROR 0x7F +#define SPDM_GET_DIGESTS 0x81 +#define SPDM_GET_CERTIFICATE 0x82 +#define SPDM_CHALLENGE 0x83 +#define SPDM_GET_MEASUREMENTS 0xE0 +#define SPDM_GET_CAPABILITIES 0xE1 +#define SPDM_SET_CERTIFICATE 0xE2 +#define SPDM_NEGOTIATE_ALGORITHMS 0xE3 +#define SPDM_RESPOND_IF_READY 0xFF + +typedef struct { + UINT8 SPDMVersion; + UINT8 RequestResponseCode; + UINT8 Param1; + UINT8 Param2; +} SPDM_MESSAGE_HEADER; + +#define SPDM_VERSION 0x10 + +typedef struct { + SPDM_MESSAGE_HEADER Header; +} SPDM_GET_CAPABILITIES_REQUEST; + +typedef struct { + SPDM_MESSAGE_HEADER Header; + UINT8 DetailedVersion; + UINT8 CryptographicTimeout; + UINT16 Reserved; + UINT32 Flags; + UINT16 SPDMMajorVersions; + UINT16 Reserved2; +} SPDM_CAPABILITIES_RESPONSE; + +#define SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_AUTH_CAP BIT1 +#define SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MEAS_CAP BIT3 +#define SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MEAS_FRESH_CAP BIT4 + +typedef struct { + SPDM_MESSAGE_HEADER Header; + UINT16 Length; + UINT8 MeasurementSpecification; + UINT8 Reserved; + UINT32 BaseAsymAlgo; + UINT32 BaseHashAlgo; + UINT64 Reserved2; + UINT8 ExtAsymCount; + UINT8 ExtHashCount; + UINT16 Reserved3; +//UINT32 ExtAsym[ExtAsymCount]; +//UINT32 ExtHash[ExtHashCount]; +} SPDM_NEGOTIATE_ALGORITHMS_REQUEST; + +#define SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_RSASSA_2048 BIT0 +#define SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_RSASSA_3072 BIT1 +#define SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_ECDSA_ECC_NIST_P256 BIT2 +#define SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_RSASSA_4096 BIT3 +#define SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_ECDSA_ECC_NIST_P384 BIT4 +#define 
SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_ECDSA_ECC_NIST_P521 BIT5 + +#define SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA2_256 BIT0 +#define SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA3_256 BIT1 +#define SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA2_384 BIT2 +#define SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA3_384 BIT3 +#define SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA2_512 BIT4 +#define SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA3_512 BIT5 + +typedef struct { + SPDM_MESSAGE_HEADER Header; + UINT16 Length; + UINT8 MeasurementSpecification; + UINT8 MeasurementHashAlgo; + UINT32 BaseAsymSel; + UINT32 BaseHashSel; + UINT64 Reserved; + UINT8 ExtAsymSelCount; + UINT8 ExtHashSelCount; + UINT16 Reserved2; +//UINT32 ExtAsymSel[ExtAsymSelCount]; +//UINT32 ExtHashSel[ExtHashSelCount]; +} SPDM_ALGORITHMS_RESPONSE; + +typedef struct { + SPDM_MESSAGE_HEADER Header; +} SPDM_GET_DIGESTS_REQUEST; + +typedef struct { + SPDM_MESSAGE_HEADER Header; +//UINT8 Digest[DigestSize]; +} SPDM_DIGESTS_RESPONSE; + +typedef struct { + SPDM_MESSAGE_HEADER Header; + UINT16 Offset; + UINT16 Length; +} SPDM_GET_CERTIFICATE_REQUEST; + +typedef struct { + SPDM_MESSAGE_HEADER Header; +//UINT8 CertChain[CertChainSize]; +} SPDM_CERTIFICATE_RESPONSE; + +typedef struct { + SPDM_MESSAGE_HEADER Header; +//UINT8 Nonce[DigestSize]; +} SPDM_CHALLENGE_REQUEST; + +typedef struct { + SPDM_MESSAGE_HEADER Header; + UINT8 MinSPDMVersion; + UINT8 MaxSPDMVersion; + UINT8 Capabilities; + UINT8 Reserved; +//UINT8 CertChainHash[DigestSize]; +//UINT8 Salt[DigestSize]; +//UINT8 ContextHash[DigestSize]; + // + // M1 =3D Concatenate( + // GET_CAPABILITIES_REQUEST1, CAPABILITIES_RESPONSE1, + // NEGOTIATE_ALGORITHMS_REQUEST1, ALGORITHMS_RESPONSE1, CHALLENGE= _REQUEST1, + // CHALLENGE_AUTH_RESPONSE_WITHOUT_SIGNATURE1) + // Signature =3D Sign(SK, Hash1(M1)) + // +//UINT8 Signature[KeySize]; +} SPDM_CHALLENGE_AUTH_RESPONSE; + +typedef struct { + SPDM_MESSAGE_HEADER Header; + // Param1 =3D=3D Request Type + // Param2 =3D=3D Measurement 
Index (0xFF =3D=3D all) +//UINT8 Nonce[DigestSize]; +} SPDM_GET_MEASUREMENTS_REQUEST; + +typedef struct { + UINT8 Index; + UINT8 MeasurementType; + UINT8 MeasurementSpecification; + UINT8 Reserved; +} SPDM_MEASUREMENT_BLOCK_HEADER; + +#define SPDM_MEASUREMENT_BLOCK_MEASUREMENT_TYPE_IMMUTABLE_ROM 1 +#define SPDM_MEASUREMENT_BLOCK_MEASUREMENT_TYPE_MUTABLE_FIRMWARE 2 +#define SPDM_MEASUREMENT_BLOCK_MEASUREMENT_TYPE_HARDWARE_CONFIGURATION 3 +#define SPDM_MEASUREMENT_BLOCK_MEASUREMENT_TYPE_FIRMWARE_CONFIGURATION 4 + +typedef struct { + SPDM_MESSAGE_HEADER Header; + UINT8 NumberOfBlocks; +//SPDM_MEASUREMENT_BLOCK_STRUCT MeasurementRecord[NumberOfBlocks]; +//UINT8 Salt[DigestSize]; +//UINT8 ContextHash[DigestSize]; + // + // L1 =3D Concatenate( + // GET_MEASUREMENTS_REQUEST1, MEASUREMENTS_RESPONSE_WITHOUT_SIGNA= TURE1) + // Signature =3D Sign(SK, Hash1(L1)) + // +//UINT8 Signature[KeySize]; +} SPDM_MEASUREMENTS_RESPONSE; + +typedef struct { + SPDM_MESSAGE_HEADER Header; + // Param1 =3D=3D Error Code + // Param2 =3D=3D Error Data +//UINT8 ExtendedErrorData[]; +} SPDM_ERROR_RESPONSE; + +#define SPDM_ERROR_CODE_INVALID_REQUEST 0x01 +#define SPDM_ERROR_CODE_BUSY 0x03 +#define SPDM_ERROR_CODE_UNEXPECTED_REQUEST 0x04 +#define SPDM_ERROR_CODE_UNINITIALIZED 0x05 +#define SPDM_ERROR_CODE_REQUESTED_INFO_TOO_LONG 0x40 +#define SPDM_ERROR_CODE_MAJOR_VERSION_MISMATCH 0x41 +#define SPDM_ERROR_CODE_RESPONSE_NOT_READY 0x42 + +typedef struct { + SPDM_MESSAGE_HEADER Header; +} SPDM_RESPONSE_IF_READY_REQUEST; + +#pragma pack() + +#endif + --=20 2.19.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. 
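Review bot: The comment `//SPDM_MEASUREMENT_BLOCK_STRUCT MeasurementRecord[NumberOfBlocks];` in SPDM_MEASUREMENTS_RESPONSE names a type this header never defines; the only block type declared is SPDM_MEASUREMENT_BLOCK_HEADER, so either add the full block layout or change the comment to `//SPDM_MEASUREMENT_BLOCK_HEADER MeasurementRecord[NumberOfBlocks]; // each header is followed by its measurement bytes`. Every variable-length tail (ExtAsym/ExtHash, Digest, CertChain, Nonce, Salt, Signature, ExtendedErrorData) is shown only as a comment, so code that overlays these packed structs on a received buffer must validate the count fields (ExtAsymCount, ExtHashCount, NumberOfBlocks) and Length against the bytes actually received before stepping past the fixed part; one sentence in the file header saying that the trailing fields are informational and must be bounds-checked by the consumer would make that expectation explicit. The header also names no specification revision; stating which DMTF SPDM (DSP0274) revision these layouts follow (the 0x10 in SPDM_VERSION suggests 1.0) lets a reader verify field offsets against the spec.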
From: "Yao, Jiewen" To: devel@edk2.groups.io Cc: Jian J Wang , Hao A Wu , Yun Lou Subject: [edk2-devel] [PATCH V2 2/4] MdeModulePkg/Include: Add DeviceSecurity.h Date: Thu, 31 Oct 2019 20:30:10 +0800 Message-Id: <20191031123012.16020-3-jiewen.yao@intel.com> In-Reply-To: <20191031123012.16020-1-jiewen.yao@intel.com> References: <20191031123012.16020-1-jiewen.yao@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,jiewen.yao@intel.com X-Gm-Message-State: 0MMic2uksy4McmimA86ME0Gkx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1572525025; bh=1Sq7Q/mPmqUQ69l4fJsYcy9P0kBFTZlwy+2im8aV6TI=; h=Cc:Date:From:Reply-To:Subject:To; b=PdpdIxL4cO/8x9qyJOVwwpMarbj5e2DHrhPKioqbqVLMh2vs3G1Qf9iKKf5rci7oV51 /KWiwme5j1CZUUdb+AzhFfn5u6M5aw+ukh44Nj00Wtp9j0kDT+L3JGctIQhsDOQnYxkJ7 qnn2CCinbuiQdJvUrj3ywXMEakkKawCJB/U= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D2303 EDKII_DEVICE_SECURITY_PROTOCOL is used for device measurement and/or authentication. It is similar to EFI_SECURITY_ARCH_PROTOCOL. Cc: Jian J Wang Cc: Hao A Wu Cc: Yun Lou Signed-off-by: Jiewen Yao --- MdeModulePkg/Include/Protocol/DeviceSecurity.h | 162 ++++++++++++++++++++ 1 file changed, 162 insertions(+) diff --git a/MdeModulePkg/Include/Protocol/DeviceSecurity.h b/MdeModulePkg/= Include/Protocol/DeviceSecurity.h new file mode 100644 index 0000000000..c3bf624cac --- /dev/null +++ b/MdeModulePkg/Include/Protocol/DeviceSecurity.h 
@@ -0,0 +1,162 @@ +/** @file + Device Security Protocol definition. + + It is used to authenticate a device based upon the platform policy. + It is similar to the EFI_SECURITY_ARCH_PROTOCOL, which is used to verify= a image. + +Copyright (c) 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + + +#ifndef __DEVICE_SECURITY_H__ +#define __DEVICE_SECURITY_H__ + +// +// Device Security Protocol GUID value +// +#define EDKII_DEVICE_SECURITY_PROTOCOL_GUID \ + { \ + 0x5d6b38c8, 0x5510, 0x4458, { 0xb4, 0x8d, 0x95, 0x81, 0xcf, 0xa7, 0x= b0, 0xd } \ + } + +// +// Forward reference for pure ANSI compatability +// +typedef struct _EDKII_DEVICE_SECURITY_PROTOCOL EDKII_DEVICE_SECURITY_PROT= OCOL; + +// +// Revision The revision to which the DEVICE_SECURITY interface adheres. +// All future revisions must be backwards compatible. +// If a future version is not back wards compatible it is not the= same GUID. +// +#define EDKII_DEVICE_SECURITY_PROTOCOL_REVISION 0x00010000 + +// +// The device identifier. +// +typedef struct { + /// + /// Version of this data structure. + /// + UINT32 Version; + /// + /// Type of the device. + /// This field is also served as a device Access protocol GUID. + /// The device access protocol is installed on the DeviceHandle. + /// The device access protocol is device specific. + /// EDKII_DEVICE_IDENTIFIER_TYPE_PCI_GUID means the device access prot= ocol is PciIo. + /// EDKII_DEVICE_IDENTIFIER_TYPE_USB_GUID means the device access prot= ocol is UsbIo. + /// + EFI_GUID DeviceType; + /// + /// The handle created for this device. + /// NOTE: This might be a temporary handle. + /// If the device is not authenticated, this handle shall be unins= talled. + /// + /// As minimal requirement, there should be 2 protocols installed on the= device handle. + /// 1) An EFI_DEVICE_PATH_PROTOCOL with EFI_DEVICE_PATH_PROTOCOL_GUID. + /// 2) A device access protocol with EDKII_DEVICE_IDENTIFIER_TYPE_xxx_GU= ID. + /// If the device is PCI device, the EFI_PCI_IO_PROTOCOL is installed= with + /// EDKII_DEVICE_IDENTIFIER_TYPE_PCI_GUID. + /// If the device is USB device, the EFI_USB_IO_PROTOCOL is installed= with + /// EDKII_DEVICE_IDENTIFIER_TYPE_USB_GUID. 
+ /// + /// The device access protocol is required, because the verifier need= have a way + /// to communciate with the device hardware to get the measurement or= do the + /// challenge/response for the device authentication. + /// + /// NOTE: We don't use EFI_PCI_IO_PROTOCOL_GUID or EFI_USB_IO_PROTOCOL_G= UID here, + /// because we don't want to expose a real protocol. A platform ma= y have driver + /// register a protocol notify function. Installing a real protoco= l may cause + /// the callback function being executed before the device is auth= enticated. + /// + EFI_HANDLE DeviceHandle; +} EDKII_DEVICE_IDENTIFIER; + +// +// Revision The revision to which the DEVICE_IDENTIFIER interface adheres. +// All future revisions must be backwards compatible. +// +#define EDKII_DEVICE_IDENTIFIER_REVISION 0x00010000 + +// +// Device Identifier GUID value +// +#define EDKII_DEVICE_IDENTIFIER_TYPE_PCI_GUID \ + { \ + 0x2509b2f1, 0xa022, 0x4cca, { 0xaf, 0x70, 0xf9, 0xd3, 0x21, 0xfb, 0x= 66, 0x49 } \ + } + +#define EDKII_DEVICE_IDENTIFIER_TYPE_USB_GUID \ + { \ + 0x7394f350, 0x394d, 0x488c, { 0xbb, 0x75, 0xc, 0xab, 0x7b, 0x12, 0xa= , 0xc5 } \ + } + +/** + The device driver uses this service to measure and/or verify a device. + + The flow in device driver is: + 1) Device driver discovers a new device. + 2) Device driver creates an EFI_DEVICE_PATH_PROTOCOL. + 3) Device driver creates a device access protocol. e.g. + EFI_PCI_IO_PROTOCOL for PCI device. + EFI_USB_IO_PROTOCOL for USB device. + EFI_EXT_SCSI_PASS_THRU_PROTOCOL for SCSI device. + EFI_ATA_PASS_THRU_PROTOCOL for ATA device. + EFI_NVM_EXPRESS_PASS_THRU_PROTOCOL for NVMe device. + EFI_SD_MMC_PASS_THRU_PROTOCOL for SD/MMC device. + 4) Device driver installs the EFI_DEVICE_PATH_PROTOCOL with EFI_DEVICE_P= ATH_PROTOCOL_GUID, + and the device access protocol with EDKII_DEVICE_IDENTIFIER_TYPE_xxx_= GUID. + Once it is done, a DeviceHandle is returned. 
+ 5) Device driver creates EDKII_DEVICE_IDENTIFIER with EDKII_DEVICE_IDENT= IFIER_TYPE_xxx_GUID + and the DeviceHandle. + 6) Device driver calls DeviceAuthenticate(). + 7) If DeviceAuthenticate() returns EFI_SECURITY_VIOLATION, the device dr= iver uninstalls + all protocols on this handle. + 8) If DeviceAuthenticate() returns EFI_SUCCESS, the device driver instal= ls the device access + protocol with a real protocol GUID. e.g. + EFI_PCI_IO_PROTOCOL with EFI_PCI_IO_PROTOCOL_GUID. + EFI_USB_IO_PROTOCOL with EFI_USB_IO_PROTOCOL_GUID. + + @param[in] This The protocol instance pointer. + @param[in] DeviceId The Identifier for the device. + + @retval EFI_SUCCESS The device specified by the DeviceId pa= ssed the measurement + and/or authentication based upon the pl= atform policy. + If TCG measurement is required, the mea= surement is extended to TPM PCR. + @retval EFI_SECURITY_VIOLATION The device fails to return the measurem= ent data. + @retval EFI_SECURITY_VIOLATION The device fails to response the authen= tication request. + @retval EFI_SECURITY_VIOLATION The system fails to verify the device b= ased upon the authentication response. + @retval EFI_SECURITY_VIOLATION The system fails to extend the measurem= ent to TPM PCR. +**/ +typedef +EFI_STATUS +(EFIAPI *EDKII_DEVICE_AUTHENTICATE)( + IN EDKII_DEVICE_SECURITY_PROTOCOL *This, + IN EDKII_DEVICE_IDENTIFIER *DeviceId + ); + +/// +/// Device Security Protocol structure. +/// It is similar to the EFI_SECURITY_ARCH_PROTOCOL, which is used to veri= fy a image. +/// This protocol is used to authenticate a device based upon the platform= policy. +/// +struct _EDKII_DEVICE_SECURITY_PROTOCOL { + UINT64 Revision; + EDKII_DEVICE_AUTHENTICATE DeviceAuthenticate; +}; + +/// +/// Device Security Protocol GUID variable. +/// +extern EFI_GUID gEdkiiDeviceSecurityProtocolGuid; + +/// +/// Device Identifier tpye GUID variable. 
+/// +extern EFI_GUID gEdkiiDeviceIdentifierTypePciGuid; +extern EFI_GUID gEdkiiDeviceIdentifierTypeUsbGuid; + +#endif --=20 2.19.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#49765): https://edk2.groups.io/g/devel/message/49765 Mute This Topic: https://groups.io/mt/40117495/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri Apr 26 00:19:20 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+49766+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+49766+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1572525027; cv=none; d=zoho.com; s=zohoarc; b=Azd1vovBn3ZGWum8tD2J2SRSjFGH6DB8yFd/xJeNJBkzzLPHwIouH+381cumFxf0obk/fpqRmLT4IboZ1OCGRlmbzd/Dfk/rIGcakskG3fA+V2R33HEKQSroBh3xDag2eyMEk1KvNvlmMTPByxO6UA1Nkn3LdsbtDd0InqL/v/A= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1572525027; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=pSKJQPR18Yi7+C7suawBDBYSGUBqr+E3HfHjz21WeIw=; b=V1UkKsHKHJAnIV0KpkwGflme3mShoe7y3N4qPJviiYq5ctys1V1saxrsdmyojJz3LOr3sVt7gyzwLoSxpwulECVbFdb8S1NC2KG08PMkOYlhrLHzPYbAyLNqcXHj81SlrjS35lXjGBnnaK4vBbNFJ4isDkm2JZZJ5r11nEu92Yg= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+49766+1787277+3901457@groups.io; dmarc=fail header.from= 
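Review bot: The EDKII_DEVICE_AUTHENTICATE contract lists only EFI_SUCCESS and EFI_SECURITY_VIOLATION, but an implementation can return other errors (EFI_OUT_OF_RESOURCES, EFI_DEVICE_ERROR) and the PCI bus caller in this series treats any EFI_ERROR as a rejection; add `@retval Others The device is treated as not authenticated and the caller shall not expose it.` so implementers and callers share the fail-closed semantics. The identifier field is named `Version` while its constant is `EDKII_DEVICE_IDENTIFIER_REVISION`; the protocol itself uses `Revision` for the same idea, so one term should be used for both. The DeviceHandle note says the handle shall be uninstalled when authentication fails; it is worth adding that the handle is torn down by the caller in either outcome, so an implementation must not retain the handle or any interface found on it after DeviceAuthenticate returns. Doc typos in this hunk: "compatability" → "compatibility", "back wards" → "backwards", "communciate" → "communicate", "tpye" → "type", "verify a image" → "verify an image", "fails to response the" → "fails to respond to the".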
From: "Yao, Jiewen" To: devel@edk2.groups.io Cc: Jian J Wang , Hao A Wu , Yun Lou Subject: [edk2-devel] [PATCH V2 3/4] MdeModulePkg/dec: Add EdkiiDeviceSecurityProtocolGuid. Date: Thu, 31 Oct 2019 20:30:11 +0800 Message-Id: <20191031123012.16020-4-jiewen.yao@intel.com> In-Reply-To: <20191031123012.16020-1-jiewen.yao@intel.com> References: <20191031123012.16020-1-jiewen.yao@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,jiewen.yao@intel.com X-Gm-Message-State: geUE8u6qkYUu4OSqUeikAommx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1572525026; bh=8CtHmNlI1MwCal5Yd4ye0KNq6VwgvlT8YyoF5JHB/hI=; h=Cc:Date:From:Reply-To:Subject:To; b=j2ZyiwGTYBcGBAW5FTsLLO5W45i0grBSzit79BwvF/MA0SXXrWD8qgG+IPyDPrDLZh4 t7ArinxoeRlqkyqfrKPJO5YLXxC2dDN2euxn9Ck79JL56RvpgDtRmi72SbsS49y0rpA65 uXyIjXiK8XPZXwXtnGgfjVJdFgDKuJSlS6A= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D2303 Cc: Jian J Wang Cc: Hao A Wu Cc: Yun Lou Signed-off-by: Jiewen Yao --- MdeModulePkg/MdeModulePkg.dec | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec index d6bac974da..b7356aa4ed 100644 --- a/MdeModulePkg/MdeModulePkg.dec +++ b/MdeModulePkg/MdeModulePkg.dec 
@@ -584,6 +584,11 @@ ## Include/Protocol/IoMmu.h gEdkiiIoMmuProtocolGuid =3D { 0x4e939de9, 0xd948, 0x4b0f, { 0x88, 0xed, = 0xe6, 0xe1, 0xce, 0x51, 0x7c, 0x1e } } =20 + ## Include/Protocol/DeviceSecurity.h + gEdkiiDeviceSecurityProtocolGuid =3D { 0x5d6b38c8, 0x5510, 0x4458, { 0x= b4, 0x8d, 0x95, 0x81, 0xcf, 0xa7, 0xb0, 0xd } } + gEdkiiDeviceIdentifierTypePciGuid =3D { 0x2509b2f1, 0xa022, 0x4cca, { 0x= af, 0x70, 0xf9, 0xd3, 0x21, 0xfb, 0x66, 0x49 } } + gEdkiiDeviceIdentifierTypeUsbGuid =3D { 0x7394f350, 0x394d, 0x488c, { 0x= bb, 0x75, 0xc, 0xab, 0x7b, 0x12, 0xa, 0xc5 } } + ## Include/Protocol/SmmMemoryAttribute.h gEdkiiSmmMemoryAttributeProtocolGuid =3D { 0x69b792ea, 0x39ce, 0x402d, {= 0xa2, 0xa6, 0xf7, 0x21, 0xde, 0x35, 0x1d, 0xfe } } =20 --=20 2.19.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#49766): https://edk2.groups.io/g/devel/message/49766 Mute This Topic: https://groups.io/mt/40117499/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Fri Apr 26 00:19:20 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+49767+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+49767+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1572525028; cv=none; d=zoho.com; s=zohoarc; b=a+LuM+lW/9hFJ7RwgEEe2SQx+d18fpEoKyBWfIcA3yIcl23umDEzvpUpr/SmcKQ+WyxmRgHhfBkCiSScOBeoqr90DFcvLkngTgANNUZtC0epyFrGVClTm71Fy3/sy4DzRl1UvQfyQfurnPaiINOhP/tygdamLiyNb1NUX8v5to8= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; 
From: "Yao, Jiewen" To: devel@edk2.groups.io Cc: Jian J Wang , Hao A Wu , Ray Ni , Yun Lou Subject: [edk2-devel] [PATCH V2 4/4] MdeModulePkg/Pci: Add DeviceSecurity support. Date: Thu, 31 Oct 2019 20:30:12 +0800 Message-Id: <20191031123012.16020-5-jiewen.yao@intel.com> In-Reply-To: <20191031123012.16020-1-jiewen.yao@intel.com> References: <20191031123012.16020-1-jiewen.yao@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,jiewen.yao@intel.com X-Gm-Message-State: KCKwEYQc4qi8AOkUiwWeM4mOx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1572525027; bh=/wLj5rmgF5lJYRFpXwMYe25CEzn6HGyMfFAAlh1FuW0=; h=Cc:Date:From:Reply-To:Subject:To; b=isbYIzhG8elQCaNWi40fp1KfWS3PdYmOaRgWiyQos0AVzCjVAqLarLCcgUmrFaqad+9 lpHuKgJBzFhbTM3FDLkSva/t6dpZ2fd8dYIMowo+U2O1RWN2JNXmPmjQVTXfMxZ3Fssqk o68eI9tvhe3p4PsWp7Xp8vSSAtCI+S5g5qo= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D2303 Whenever a PCI device is discovered, PCI bus calls the EDKII_DEVICE_SECURITY_PROTOCOL to authenticate it. If the function returns success, the PCI bus allocates the resource and installs the PCI_IO for the device. If the function returns fail, the PCI bus skips the device. It is similar to EFI_SECURITY_ARCH_PROTOCOL, which is used to verify an EFI image. Cc: Jian J Wang Cc: Hao A Wu Cc: Ray Ni Cc: Yun Lou Signed-off-by: Jiewen Yao --- MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.c | 12 +++- MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.h | 1 + MdeModulePkg/Bus/Pci/PciBusDxe/PciBusDxe.inf | 4 +- MdeModulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c | 63 +++++++++++++++= ++++- MdeModulePkg/Bus/Pci/PciBusDxe/PciLib.c | 4 +- 5 files changed, 77 insertions(+), 7 deletions(-) 
diff --git a/MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.c b/MdeModulePkg/Bus/Pci= /PciBusDxe/PciBus.c index b020ce50ce..64284ac825 100644 --- a/MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.c +++ b/MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.c @@ -8,7 +8,7 @@ PCI Root Bridges. So it means platform needs install PCI Root Bridge IO = protocol for each PCI Root Bus and install PCI Host Bridge Resource Allocation Protocol. =20 -Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
+Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ @@ -37,7 +37,7 @@ UINT64 gAllZero = =3D 0; EFI_PCI_PLATFORM_PROTOCOL *gPciPlatformProtocol; EFI_PCI_OVERRIDE_PROTOCOL *gPciOverrideProtocol; EDKII_IOMMU_PROTOCOL *mIoMmuProtocol; - +EDKII_DEVICE_SECURITY_PROTOCOL *mDeviceSecurityProtocol; =20 GLOBAL_REMOVE_IF_UNREFERENCED EFI_PCI_HOTPLUG_REQUEST_PROTOCOL mPciHotPlug= Request =3D { PciHotPlugRequestNotify @@ -293,6 +293,14 @@ PciBusDriverBindingStart ( ); } =20 + if (mDeviceSecurityProtocol =3D=3D NULL) { + gBS->LocateProtocol ( + &gEdkiiDeviceSecurityProtocolGuid, + NULL, + (VOID **) &mDeviceSecurityProtocol + ); + } + if (PcdGetBool (PcdPciDisableBusEnumeration)) { gFullEnumeration =3D FALSE; } else { diff --git a/MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.h b/MdeModulePkg/Bus/Pci= /PciBusDxe/PciBus.h index 504a1b1c12..d4113993c8 100644 --- a/MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.h +++ b/MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.h @@ -27,6 +27,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include #include #include +#include =20 #include #include diff --git a/MdeModulePkg/Bus/Pci/PciBusDxe/PciBusDxe.inf b/MdeModulePkg/Bu= s/Pci/PciBusDxe/PciBusDxe.inf index 05c22025b8..9284998f36 100644 --- a/MdeModulePkg/Bus/Pci/PciBusDxe/PciBusDxe.inf +++ b/MdeModulePkg/Bus/Pci/PciBusDxe/PciBusDxe.inf @@ -2,7 +2,7 @@ # The PCI bus driver will probe all PCI devices and allocate MMIO and IO = space for these devices. # Please use PCD feature flag PcdPciBusHotplugDeviceSupport to enable hot= plug supporting. # -# Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
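Review bot: The LocateProtocol result in the new PciBusDriverBindingStart block is ignored and mDeviceSecurityProtocol stays NULL when no EDKII_DEVICE_SECURITY_PROTOCOL is installed, which makes the check fail-open: every PCI device is then exposed without authentication and nothing records that the check was skipped. That may be the intended platform policy, but it should be stated at the lookup, e.g. `// No device security protocol on this platform: PCI devices are exposed without authentication.`, and a `DEBUG ((DEBUG_INFO, "PciBus: no device security protocol, authentication skipped\n"));` on the failing lookup makes the skipped check visible in logs. Because the lookup runs once per Start and is not re-resolved during enumeration, any bus enumerated before the platform installs the protocol is never authenticated; the platform must install it before the first PciBus start, and a DEPEX or ordering note in the commit message or header would make that requirement explicit. PciBusDriverBindingStart begins and ends outside this hunk.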
+# Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.
# # SPDX-License-Identifier: BSD-2-Clause-Patent # @@ -90,6 +90,8 @@ gEfiIncompatiblePciDeviceSupportProtocolGuid ## SOMETIMES_CONSUMES gEfiLoadFile2ProtocolGuid ## SOMETIMES_PRODUCES gEdkiiIoMmuProtocolGuid ## SOMETIMES_CONSUMES + gEdkiiDeviceSecurityProtocolGuid ## SOMETIMES_CONSUMES + gEdkiiDeviceIdentifierTypePciGuid ## SOMETIMES_CONSUMES gEfiLoadedImageDevicePathProtocolGuid ## CONSUMES =20 [FeaturePcd] diff --git a/MdeModulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c b/MdeMod= ulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c index c7eafff593..df3d1c8fcc 100644 --- a/MdeModulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c +++ b/MdeModulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c @@ -10,6 +10,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include "PciBus.h" =20 extern CHAR16 *mBarTypeStr[]; +extern EDKII_DEVICE_SECURITY_PROTOCOL *mDeviceSec= urityProtocol; =20 #define OLD_ALIGN 0xFFFFFFFFFFFFFFFFULL #define EVEN_ALIGN 0xFFFFFFFFFFFFFFFEULL @@ -2092,9 +2093,10 @@ CreatePciIoDevice ( IN UINT8 Func ) { - PCI_IO_DEVICE *PciIoDevice; - EFI_PCI_IO_PROTOCOL *PciIo; - EFI_STATUS Status; + PCI_IO_DEVICE *PciIoDevice; + EFI_PCI_IO_PROTOCOL *PciIo; + EFI_STATUS Status; + EDKII_DEVICE_IDENTIFIER DeviceIdentifier; =20 PciIoDevice =3D AllocateZeroPool (sizeof (PCI_IO_DEVICE)); if (PciIoDevice =3D=3D NULL) { 
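Review bot: `gEdkiiDeviceIdentifierTypePciGuid ## SOMETIMES_CONSUMES` in [Protocols] is the wrong usage tag: PciEnumeratorSupport.c in this same series installs that GUID on a temporary handle through InstallMultipleProtocolInterfaces, so this driver produces it and the line should read `gEdkiiDeviceIdentifierTypePciGuid ## SOMETIMES_PRODUCES`. Only gEdkiiDeviceSecurityProtocolGuid is consumed (located). These usage comments are what build tooling and reviewers rely on to see which protocols a driver publishes, and the inaccurate tag hides that PciBus briefly installs a handle for not-yet-authenticated devices.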
@@ -2156,6 +2158,61 @@ CreatePciIoDevice (
 PciIoDevice->IsPciExp =3D TRUE;
 }
=20
+ //
+ // Now we can do the authentication check for the device.
+ //
+ if (mDeviceSecurityProtocol !=3D NULL) {
+ //
+ // Prepare the parameter
+ //
+ DeviceIdentifier.Version =3D EDKII_DEVICE_IDENTIFIER_REVISION;
+ CopyGuid (&DeviceIdentifier.DeviceType, &gEdkiiDeviceIdentifierTypePci= Guid);
+ DeviceIdentifier.DeviceHandle =3D NULL;
+ Status =3D gBS->InstallMultipleProtocolInterfaces (
+ &DeviceIdentifier.DeviceHandle,
+ &gEfiDevicePathProtocolGuid,
+ PciIoDevice->DevicePath,
+ &gEdkiiDeviceIdentifierTypePciGuid,
+ &PciIoDevice->PciIo,
+ NULL
+ );
+ if (EFI_ERROR(Status)) {
+ if (PciIoDevice->DevicePath !=3D NULL) {
+ FreePool (PciIoDevice->DevicePath);
+ }
+ FreePool (PciIoDevice);
+ return NULL;
+ }
+
+ //
+ // Do DeviceAuthentication
+ //
+ Status =3D mDeviceSecurityProtocol->DeviceAuthenticate (mDeviceSecurit= yProtocol, &DeviceIdentifier);
+ //
+ // Always uninstall, because they are only for Authentication.
+ // No need to check return Status.
+ //
+ gBS->UninstallMultipleProtocolInterfaces (
+ DeviceIdentifier.DeviceHandle,
+ &gEfiDevicePathProtocolGuid,
+ PciIoDevice->DevicePath,
+ &gEdkiiDeviceIdentifierTypePciGuid,
+ &PciIoDevice->PciIo,
+ NULL
+ );
+
+ //
+ // If authentication fails, skip this device.
+ //
+ if (EFI_ERROR(Status)) {
+ if (PciIoDevice->DevicePath !=3D NULL) {
+ FreePool (PciIoDevice->DevicePath);
+ }
+ FreePool (PciIoDevice);
+ return NULL;
+ }
+ }
+
 if (PcdGetBool (PcdAriSupport)) {
 //
 // Check if the device is an ARI device.
diff --git a/MdeModulePkg/Bus/Pci/PciBusDxe/PciLib.c b/MdeModulePkg/Bus/Pci= /PciBusDxe/PciLib.c
index 5b55fb5d3b..72690ab647 100644
--- a/MdeModulePkg/Bus/Pci/PciBusDxe/PciLib.c
+++ b/MdeModulePkg/Bus/Pci/PciBusDxe/PciLib.c
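Review bot: The comment `// No need to check return Status.` above UninstallMultipleProtocolInterfaces is not safe on the failure path that follows it: the temporary handle holds `PciIoDevice->DevicePath` and `&PciIoDevice->PciIo`, and if the uninstall fails (it can, for instance when another agent opened one of the interfaces while they were visible) the authentication-failure branch then frees both while a live handle still references them. The authentication result in `Status` has to be preserved, so test the uninstall result separately and refuse to free on failure; a sketch is below. The two identical cleanup sequences in this hunk (`FreePool (PciIoDevice->DevicePath)` then `FreePool (PciIoDevice)`) likely mirror cleanup elsewhere in CreatePciIoDevice, which begins and ends outside the hunk, and a single error exit would keep them in step. A rejected device is currently skipped silently; a `DEBUG ((DEBUG_WARN, ...))` naming the Bus/Device/Func being created would make authentication refusals visible in the firmware log.
```c
    Status = mDeviceSecurityProtocol->DeviceAuthenticate (mDeviceSecurityProtocol, &DeviceIdentifier);
    //
    // The temporary handle still references DevicePath and PciIo; they may only
    // be freed once the uninstall has actually succeeded. Status keeps the
    // authentication result.
    //
    if (EFI_ERROR (gBS->UninstallMultipleProtocolInterfaces (
                         DeviceIdentifier.DeviceHandle,
                         &gEfiDevicePathProtocolGuid,
                         PciIoDevice->DevicePath,
                         &gEdkiiDeviceIdentifierTypePciGuid,
                         &PciIoDevice->PciIo,
                         NULL
                         ))) {
      ASSERT (FALSE);
      return NULL;   // deliberately leak: a live handle still points at the objects
    }
    // … unchanged: authentication-failure cleanup and return NULL …
```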
@@ -1054,7 +1054,9 @@ PciScanBus (
 &PciDevice
 );
=20
- ASSERT (!EFI_ERROR (Status));
+ if (EFI_ERROR (Status)) {
+ continue;
+ }
=20
 PciAddress =3D EFI_PCI_ADDRESS (StartBusNumber, Device, Func, 0);
=20
--=20
2.19.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#49767): https://edk2.groups.io/g/devel/message/49767 Mute This Topic: https://groups.io/mt/40117504/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
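Review bot: Replacing the `ASSERT` with a bare `continue` makes every failure of the call whose last argument is `&PciDevice` look like an authentication refusal, and neither is reported, so what used to stop a DEBUG build is now a device that silently vanishes from the bus. Add at least `DEBUG ((DEBUG_WARN, "PciScanBus: skip %02x:%02x.%x, %r\n", StartBusNumber, Device, Func, Status));` before the `continue` so a missing device can be explained from the log. If the `continue` also bypasses a single-function check that presumably sits at the end of this loop body, functions 1-7 of a rejected single-function device will still be probed; harmless, but worth a comment on the `continue`. PciScanBus begins and ends outside this hunk.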
