From nobody Sat Apr 20 10:06:11 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+49769+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+49769+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1572525095; cv=none; d=zoho.com; s=zohoarc; b=oCp8RXguRO+mR7vkLQwSbKa3YIXQv0Q0YO5hxhByOeDU2OCiTf/0iPYmvXhJaq+ZwVRpTarrOj1PcZiowvD1VSHwE7HUGUMfbjbcoo+5aD3/q5fI+0cpLgqe3v5rf24wMJR5nOI0uLpDXuy5l8SKuIe1/jhW70kQLaeEL/a0MGA= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1572525095; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=BmHpYXwsAQJUDZ3g00lX819dP4F+oF16H+WmFLfIbWY=; b=U2rike9KdTvGVjHMnwj2tE00QPcm2u1a2c1ONWV790g7HB46weXY9atRBhss6a/6Yu9HzQW3Oqz3mc5O2V1+ozqdySpFynYTl0l34BITOV9tHBOcl2pmaLOfMPcYDpY5hHY747BfMoTThQOjZiSFboFT3LQ8Ix2OlFUSmqduSVw= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+49769+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1572525095750156.31240277778056; Thu, 31 Oct 2019 05:31:35 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id gEwIYY1788612xKWOaOuWug0; Thu, 31 Oct 2019 05:31:35 -0700 X-Received: from mga02.intel.com (mga02.intel.com []) by mx.groups.io with SMTP id smtpd.web11.5236.1572525094034209064 for ; Thu, 31 Oct 2019 05:31:34 -0700 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: 
False X-Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga101.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 31 Oct 2019 05:31:34 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.68,250,1569308400"; d="scan'208";a="283875670" X-Received: from jyao1-mobl2.ccr.corp.intel.com ([10.254.211.198]) by orsmga001.jf.intel.com with ESMTP; 31 Oct 2019 05:31:33 -0700 From: "Yao, Jiewen" To: devel@edk2.groups.io Cc: Ray Ni , Rangasai V Chaganty , Yun Lou Subject: [edk2-devel] [PATCH V2 1/6] IntelSiliconPkg/Include: Add Intel PciSecurity definition. Date: Thu, 31 Oct 2019 20:31:22 +0800 Message-Id: <20191031123127.10900-2-jiewen.yao@intel.com> In-Reply-To: <20191031123127.10900-1-jiewen.yao@intel.com> References: <20191031123127.10900-1-jiewen.yao@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,jiewen.yao@intel.com X-Gm-Message-State: ySuAamaGoQ0auIoAUIYck6c2x1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1572525095; bh=tsTMMUH9iprgKv5WEkUzATKccaYwXgp9dFLWiwY3eic=; h=Cc:Date:From:Reply-To:Subject:To; b=GImcHcSF7TPlnyx5CLRWjZCKzjtj4XBEAWjV8OpApfKU349PIVy/V4sZF+mdnjTSlZ6 fw/otM86geTsSwALkbdaDfre1YUAYLYU2WNQNjSzMECNBWF4zDXT3qvLdt+qaHQZHdmYk fewjA+YNvOK0ll1YxI0SgAVaNd04JyhELkk= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D2303 Cc: Ray Ni Cc: Rangasai V Chaganty Cc: Yun Lou Signed-off-by: Jiewen Yao --- Silicon/Intel/IntelSiliconPkg/Include/IndustryStandard/IntelPciSecurity.h = | 66 ++++++++++++++++++++ 1 file changed, 66 insertions(+) 
diff --git a/Silicon/Intel/IntelSiliconPkg/Include/IndustryStandard/IntelPc= iSecurity.h b/Silicon/Intel/IntelSiliconPkg/Include/IndustryStandard/IntelP= ciSecurity.h new file mode 100644 index 0000000000..a8c5483165 --- /dev/null +++ b/Silicon/Intel/IntelSiliconPkg/Include/IndustryStandard/IntelPciSecuri= ty.h @@ -0,0 +1,66 @@ +/** @file + Intel PCI security data structure + +Copyright (c) 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef __INTEL_PCI_SECURITY_H__ +#define __INTEL_PCI_SECURITY_H__ + +#pragma pack(1) + +typedef struct { + UINT16 CapId; // 0x23: DVSEC + UINT16 CapVersion:4; // 1 + UINT16 NextOffset:12; + UINT16 DvSecVendorId; // 0x8086 + UINT16 DvSecRevision:4; // 1 + UINT16 DvSecLength:12; + UINT16 DvSecId; // 0x3E: Measure +} INTEL_PCI_DIGEST_CAPABILITY_HEADER; + +#define INTEL_PCI_CAPID_DVSEC 0x23 +#define INTEL_PCI_DVSEC_VENDORID_INTEL 0x8086 +#define INTEL_PCI_DVSEC_DVSECID_MEASUREMENT 0x3E + +typedef union { + struct { + UINT8 DigestModified:1; // RW1C + UINT8 Reserved0:7; + } Bits; + UINT8 Data; +} INTEL_PCI_DIGEST_DATA_MODIFIED; + +#define INTEL_PCI_DIGEST_MODIFIED BIT0 + +typedef union { + struct { + UINT8 Digest0Valid:1; // RO + UINT8 Digest0Locked:1; // RO + UINT8 Digest1Valid:1; // RO + UINT8 Digest1Locked:1; // RO + UINT8 Reserved1:4; + } Bits; + UINT8 Data; +} INTEL_PCI_DIGEST_DATA_VALID; + +#define INTEL_PCI_DIGEST_0_VALID BIT0 +#define INTEL_PCI_DIGEST_0_LOCKED BIT1 +#define INTEL_PCI_DIGEST_1_VALID BIT2 +#define INTEL_PCI_DIGEST_1_LOCKED BIT3 + +typedef struct { + INTEL_PCI_DIGEST_DATA_MODIFIED Modified; // RW1C + INTEL_PCI_DIGEST_DATA_VALID Valid; // RO + UINT16 TcgAlgId; // RO + UINT8 FirmwareID; // RO + UINT8 Reserved; +//UINT8 Digest[]; +} INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE; + +#pragma pack() + +#endif + --=20 2.19.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. 
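Review bot: the `FirmwareID` byte of `INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE` is annotated only as `// RO`, yet the driver in patch 4/6 reads that same offset as the number of digests (`NumDigest`) and clamps it to 2; either rename the field or add a comment stating what the byte encodes, so the header and its only consumer agree. The structure ends with the commented-out `//UINT8 Digest[];`; a comment saying that the digest bytes start immediately after `Reserved`, that their length follows from `TcgAlgId` (SHA256/384/512 are the values the driver accepts), and that at most two digests (`Digest0`/`Digest1`, selected via the `Valid`/`Locked` bits) are defined would make the layout usable without reading the driver. `DigestModified` is marked `RW1C`, and the driver's comment "Host MUST clear DIGEST_MODIFIED before read DIGEST" is the ordering rule that makes the digest read trustworthy; that rule belongs next to the bit definition here. Finally, the file comment names no specification or revision; the 4/6 commit message cites the Intel PCIe Security Specification, and this header should name it too so readers can check the offsets.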
View/Reply Online (#49769): https://edk2.groups.io/g/devel/message/49769 Mute This Topic: https://groups.io/mt/40117796/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sat Apr 20 10:06:11 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+49770+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+49770+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1572525097; cv=none; d=zoho.com; s=zohoarc; b=lbTDUtZ3HV85gOunK/sBG1uAzmj2meHHpTgCYypaQragXAxDA0eqj83HshcXP+9K5RhQL+zccLzAt0W4/zXjQcgJXg41HQXl6Oaca1Z9mFsAdswbCA1TMUMFATGpr8f0nIh9/SzT4IJvSEwJx4MTgspb6Qe75CSKhCpbYYgLqTQ= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1572525097; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=XAmLCbdOK1Rjb60dFgxBLNWFmck4v7o6bjp0S4npADA=; b=lp0KGVGbP1ZPFo5sS7uSYXsEJgP4uWdHq5oE0XsI3Wc59BveqQc+J9poJW/YMt3Hvu7crAeIgURh/5t5DPx3kXf18bYSFNs3jIvhAdzzSQdsYYn5lEWjLyNlQuY3hELAMoLoWs7xHqNoGKScO9sc5YpA8O5zfrWuNOaOhzA7SOQ= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+49770+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1572525097391230.9049700881709; Thu, 31 Oct 2019 05:31:37 -0700 (PDT) Return-Path: X-Received: by 127.0.0.2 with SMTP id 
iig4YY1788612xKCaKS4Ya8G; Thu, 31 Oct 2019 05:31:36 -0700 X-Received: from mga02.intel.com (mga02.intel.com []) by mx.groups.io with SMTP id smtpd.web11.5236.1572525094034209064 for ; Thu, 31 Oct 2019 05:31:36 -0700 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga101.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 31 Oct 2019 05:31:35 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.68,250,1569308400"; d="scan'208";a="283875688" X-Received: from jyao1-mobl2.ccr.corp.intel.com ([10.254.211.198]) by orsmga001.jf.intel.com with ESMTP; 31 Oct 2019 05:31:34 -0700 From: "Yao, Jiewen" To: devel@edk2.groups.io Cc: Ray Ni , Rangasai V Chaganty , Yun Lou Subject: [edk2-devel] [PATCH V2 2/6] IntelSiliconPkg/Include: Add Platform Device Security Policy protocol Date: Thu, 31 Oct 2019 20:31:23 +0800 Message-Id: <20191031123127.10900-3-jiewen.yao@intel.com> In-Reply-To: <20191031123127.10900-1-jiewen.yao@intel.com> References: <20191031123127.10900-1-jiewen.yao@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,jiewen.yao@intel.com X-Gm-Message-State: GwM2MaIii6UQWGGUeqAIgMKwx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1572525096; bh=lNMZEZlRTQLshID5guUAy8iYkxxZxg7yEA1r8BU0VTc=; h=Cc:Date:From:Reply-To:Subject:To; b=Uz1jBZ8O5x/j5wFva6x2qUchaXINw8JayV0fKvZD6PebNGTgRI/dRv1YjS5hp1fXu8V qvqAa9t4D5Nvqf7HMs95UQFz0hFtoG9KDs18PCa1gppdrtqHMTFHzPCHe6LCEmZqmTyAR V2fnGWNsh5yb/BKM5bt40EBfaToGJ+QW/t8= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D2303 Cc: Ray Ni Cc: Rangasai V Chaganty Cc: Yun Lou 
Signed-off-by: Jiewen Yao --- Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecurityPolic= y.h | 84 ++++++++++++++++++++ 1 file changed, 84 insertions(+) diff --git a/Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceS= ecurityPolicy.h b/Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDe= viceSecurityPolicy.h new file mode 100644 index 0000000000..cb5a71ad41 --- /dev/null +++ b/Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecurity= Policy.h @@ -0,0 +1,84 @@ +/** @file + Device Security Policy Protocol definition + + Copyright (c) 2019, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + + +#ifndef __EDKII_DEVICE_SECURITY_POLICY_PROTOCOL_H__ +#define __EDKII_DEVICE_SECURITY_POLICY_PROTOCOL_H__ + +#include +#include + +typedef struct _EDKII_DEVICE_SECURITY_POLICY_PROTOCOL EDKII_DEVICE_SECURIT= Y_POLICY_PROTOCOL; + +typedef struct { + UINT32 Version; // 0x1 + UINT32 MeasurementPolicy; + UINT32 AuthenticationPolicy; +} EDKII_DEVICE_SECURITY_POLICY; + +// BIT0 means if the action is needed or NOT +#define EDKII_DEVICE_MEASUREMENT_POLICY_REQUIRED BIT0 +#define EDKII_DEVICE_AUTHENTICATION_POLICY_REQUIRED BIT0 + +typedef struct { + UINT32 Version; // 0x1 + UINT32 MeasurementState; + UINT32 AuthenticationState; +} EDKII_DEVICE_SECURITY_STATE; + +// All zero means success +#define EDKII_DEVICE_SECURITY_STATE_SUCCESS 0 +#define EDKII_DEVICE_SECURITY_STATE_ERROR BIT31 +#define EDKII_DEVICE_SECURITY_STATE_ERROR_UEFI_UNSUPPORTED (EDKI= I_DEVICE_SECURITY_STATE_ERROR + 0x0) +#define EDKII_DEVICE_SECURITY_STATE_ERROR_UEFI_GET_POLICY_PROTOCOL (EDKI= I_DEVICE_SECURITY_STATE_ERROR + 0x1) +#define EDKII_DEVICE_SECURITY_STATE_ERROR_PCI_NO_CAPABILITIES (EDKI= I_DEVICE_SECURITY_STATE_ERROR + 0x10) +#define EDKII_DEVICE_SECURITY_STATE_ERROR_TCG_EXTEND_TPM_PCR (EDKI= I_DEVICE_SECURITY_STATE_ERROR + 0x20) + +/** + This function returns the device security policy associated with the dev= ice. + + @param[in] This The protocol instance pointer. + @param[in] DeviceId The Identifier for the device. + @param[out] DeviceSecurityPolicy The Device Security Policy associated= with the device. + + @retval EFI_SUCCESS The device security policy is returned +**/ +typedef +EFI_STATUS +(EFIAPI *EDKII_DEVICE_SECURITY_GET_DEVICE_POLICY) ( + IN EDKII_DEVICE_SECURITY_POLICY_PROTOCOL *This, + IN EDKII_DEVICE_IDENTIFIER *DeviceId, + OUT EDKII_DEVICE_SECURITY_POLICY **DeviceSecurityPolicy + ); + +/** + This function sets the device state based upon the authentication result. + + @param[in] This The protocol instance pointer. 
+ @param[in] DeviceId The Identifier for the device. + @param[in] DeviceSecurityState The Device Security state associated = with the device. + + @retval EFI_SUCCESS The device state is set +**/ +typedef +EFI_STATUS +(EFIAPI *EDKII_DEVICE_SECURITY_SET_DEVICE_STATE) ( + IN EDKII_DEVICE_SECURITY_POLICY_PROTOCOL *This, + IN EDKII_DEVICE_IDENTIFIER *DeviceId, + IN EDKII_DEVICE_SECURITY_STATE *DeviceSecurityState + ); + +struct _EDKII_DEVICE_SECURITY_POLICY_PROTOCOL { + UINT32 Version; // 0x1 + EDKII_DEVICE_SECURITY_GET_DEVICE_POLICY GetDevicePolicy; + EDKII_DEVICE_SECURITY_SET_DEVICE_STATE SetDeviceState; +}; + +extern EFI_GUID gEdkiiDeviceSecurityPolicyProtocolGuid; + +#endif --=20 2.19.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#49770): https://edk2.groups.io/g/devel/message/49770 Mute This Topic: https://groups.io/mt/40117802/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sat Apr 20 10:06:11 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+49771+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+49771+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1572525098; cv=none; d=zoho.com; s=zohoarc; b=B/jAJF/4Axyf/a1ATE4ZiwaGLQIgbGXdaE5lsgZ9FpSZq+XyEOSvLrwSSN8/eMxTSoeTjDSexBj6uoh0SQbHCxnLJQJp9SRfAaoDpJ2Yu9M/AAZLq6WlxQTajRupqDqypYDzh2Ki8bOs0r6vos+yNGzI8gcfrB4MQChoOQf0ot8= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1572525098; 
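Review bot: `GetDevicePolicy` hands back `OUT EDKII_DEVICE_SECURITY_POLICY **DeviceSecurityPolicy`, but neither the `@param[out]` line nor the protocol comment says who owns the returned buffer or how long it stays valid; state whether the caller must free it (and with which allocator) or whether the producer owns it, since a consumer that frees a producer-owned policy, or caches a transient one across devices, will misbehave. Each of `EDKII_DEVICE_SECURITY_POLICY`, `EDKII_DEVICE_SECURITY_STATE` and `_EDKII_DEVICE_SECURITY_POLICY_PROTOCOL` carries a `Version` field annotated only as `// 0x1`; define named constants (for example an `EDKII_DEVICE_SECURITY_POLICY_VERSION`) so producers and consumers compare against something other than a literal. Both function typedefs document only `@retval EFI_SUCCESS`; document the failure returns as well (no policy for this `DeviceId`, unsupported device), otherwise a consumer cannot tell "no policy, skip" from "error". The comment `// BIT0 means if the action is needed or NOT` should also say that the remaining bits of `MeasurementPolicy` and `AuthenticationPolicy` are reserved and must be zero, so later bits can be added without ambiguity.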

From: "Yao, Jiewen" To: devel@edk2.groups.io Cc: Ray Ni , Rangasai V Chaganty , Yun Lou Subject: [edk2-devel] [PATCH V2 3/6] IntelSiliconPkg/dec: Add ProtocolGuid definition. Date: Thu, 31 Oct 2019 20:31:24 +0800 Message-Id: <20191031123127.10900-4-jiewen.yao@intel.com> In-Reply-To: <20191031123127.10900-1-jiewen.yao@intel.com> References: <20191031123127.10900-1-jiewen.yao@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,jiewen.yao@intel.com X-Gm-Message-State: qw6E2qye8KswMA4uqqkWQI8Gx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1572525097; bh=Ga8EVU9ZHcaO2hl+EFTrnEQeWz0h8dmJ8txeYWX2nCs=; h=Cc:Date:From:Reply-To:Subject:To; b=UPQSKSHQ6IUouYMJpNX9Arj6/K/sr+BgwlmSS0Aw9ytWXLg2f4Qe6sW83fHiQFNySAV J14rcREhmghN1Dq6a2hX6pfugKl92yOltTaJFz1OVMbr8ztZMTLsDz3/ujI7MBBlhUN6O rC5ZM1SI58BKb2M5dvAejh8IwdnEZ2QkIGM= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D2303 Cc: Ray Ni Cc: Rangasai V Chaganty Cc: Yun Lou Signed-off-by: Jiewen Yao Reviewed-by: Sai Chaganty --- Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dec | 1 + 1 file changed, 1 insertion(+) diff --git a/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dec b/Silicon/In= tel/IntelSiliconPkg/IntelSiliconPkg.dec index 3079fc2869..8c8cd9f49d 100644 --- a/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dec +++ b/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dec 
@@ -53,6 +53,7 @@ =20 [Protocols] gEdkiiPlatformVTdPolicyProtocolGuid =3D { 0x3d17e448, 0x466, 0x4e20, { 0= x99, 0x9f, 0xb2, 0xe1, 0x34, 0x88, 0xee, 0x22 }} + gEdkiiDeviceSecurityPolicyProtocolGuid =3D {0x7ea41a99, 0x5e32, 0x4c97, = {0x88, 0xc4, 0xd6, 0xe7, 0x46, 0x84, 0x9, 0xd4}} =20 [PcdsFixedAtBuild, PcdsPatchableInModule] ## Error code for VTd error.
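Review bot: style, the new entry `gEdkiiDeviceSecurityPolicyProtocolGuid = {0x7ea41a99, 0x5e32, 0x4c97, {0x88, 0xc4, 0xd6, 0xe7, 0x46, 0x84, 0x9, 0xd4}}` writes the penultimate byte as `0x9` and drops the spaces after `{` that the adjacent `gEdkiiPlatformVTdPolicyProtocolGuid` entry uses; `0x09` and matching spacing keep the [Protocols] section consistent and make the 16-byte layout easier to check by eye. The symbol name does match the `extern EFI_GUID gEdkiiDeviceSecurityPolicyProtocolGuid;` declared in patch 2/6, so the link between header and .dec is correct.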

--=20 2.19.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#49771): https://edk2.groups.io/g/devel/message/49771 Mute This Topic: https://groups.io/mt/40117807/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sat Apr 20 10:06:11 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+49772+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+49772+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1572525101; cv=none; d=zoho.com; s=zohoarc; b=G2OSp3Y9x0E5GNmZXPRjNIp2cp3jwR4VRR8q4FMHdsFhCbXNR9KW955vNdOA9JiQNTCzY4WFO3gEPWy94DA/OIKg/JaI4oSao/r0iezxjfuksyPeexxKI/n2YnlhFU0uNUb0VAxk/PI1D9pvcMyvGvFVf3TnKW3A5CHCZnatehg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1572525101; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=waLIwDwO/fTaTaFEN04b+XDbyc36eNFpk31r5XGaAQk=; b=lEB0RbpO71WBvlsdvwXina2S+OpIIudhiXc4QWnz4+vrmvR+CtPltRcSyfCIqiibrr8x6KV2wtUXgUcCpfdXHq8MZhs+Yv032gq5yD5VOQj5RlMCAK1Oz92hEyURwkqc6QVxPyR6bWvvLTHmi+NsUmMS9YNfHFHYYfuW0UqJMzE= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+49772+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com 
From: "Yao, Jiewen" To: devel@edk2.groups.io Cc: Ray Ni , Rangasai V Chaganty , Yun Lou Subject: [edk2-devel] [PATCH V2 4/6] IntelSiliconPkg/IntelPciDeviceSecurityDxe: Add PciSecurity. Date: Thu, 31 Oct 2019 20:31:25 +0800 Message-Id: <20191031123127.10900-5-jiewen.yao@intel.com> In-Reply-To: <20191031123127.10900-1-jiewen.yao@intel.com> References: <20191031123127.10900-1-jiewen.yao@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,jiewen.yao@intel.com X-Gm-Message-State: o0uAm2EQEm6Cekca4oEe06Icx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1572525100; bh=pnDp8akYv0ZdKUPrMUWARTsv1i9pADFbRvbmAA3Qap8=; h=Cc:Date:From:Reply-To:Subject:To; b=TH1JfPQZN3G5bjisxYhwlxzbjyqPLEAdPGMSTgOSiSR+2aKF9d4lZYImIVakFnCXMor VrxLhrkXpOTZcVXF4iDrcPAuBc0EktTTgz7gqQjYpSEpUKYyGYlG+xxVsZqrv95vHQ72U ciHgtE+O9AI+iBYO9Nn6W5H6kLAa0o6GR2E= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D2303 This driver is to do the PCI device authentication based upon Intel PCIe Security Specification. Cc: Ray Ni Cc: Rangasai V Chaganty Cc: Yun Lou Signed-off-by: Jiewen Yao Signed-off-by: Yun Lou --- Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityD= xe/IntelPciDeviceSecurityDxe.c | 701 ++++++++++++++++++++ Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityD= xe/IntelPciDeviceSecurityDxe.inf | 45 ++ Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityD= xe/TcgDeviceEvent.h | 193 ++++++ 3 files changed, 939 insertions(+) 
diff --git a/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDev= iceSecurityDxe/IntelPciDeviceSecurityDxe.c b/Silicon/Intel/IntelSiliconPkg/= Feature/PcieSecurity/IntelPciDeviceSecurityDxe/IntelPciDeviceSecurityDxe.c new file mode 100644 index 0000000000..f1859c2715 --- /dev/null +++ b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecu= rityDxe/IntelPciDeviceSecurityDxe.c @@ -0,0 +1,701 @@ +/** @file + EDKII Device Security library for PCI device. + It follows the Intel PCIe Security Specification. + +Copyright (c) 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "TcgDeviceEvent.h" + +typedef struct { + UINT8 Measurement[SHA512_DIG= EST_SIZE]; +} EDKII_DEVICE_SECURITY_EVENT_MEASUREMENT_CONTENT_MAX_HASH; + +typedef struct { + UINTN Signature; + LIST_ENTRY Link; + UINTN PciSegment; + UINTN PciBus; + UINTN PciDevice; + UINTN PciFunction; +} PCI_DEVICE_INSTANCE; + +#define PCI_DEVICE_INSTANCE_SIGNATURE SIGNATURE_32 ('P', 'D', 'I', 'S') +#define PCI_DEVICE_INSTANCE_FROM_LINK(a) CR (a, PCI_DEVICE_INSTANCE, Link= , PCI_DEVICE_INSTANCE_SIGNATURE) + +LIST_ENTRY mSecurityEventMeasurementDeviceList =3D INITIALIZE_LIST_HEAD_VA= RIABLE(mSecurityEventMeasurementDeviceList);; +EDKII_DEVICE_SECURITY_POLICY_PROTOCOL *mDeviceSecurityPolicy; + +/** + Record a PCI device into device list. + + @param PciIo PciIo instance of the device + @param PciDeviceList The list to record the the device +**/ +VOID +RecordPciDeviceInList( + IN EFI_PCI_IO_PROTOCOL *PciIo, + IN LIST_ENTRY *PciDeviceList + ) +{ + UINTN PciSegment; + UINTN PciBus; + UINTN PciDevice; + UINTN PciFunction; + EFI_STATUS Status; + PCI_DEVICE_INSTANCE *NewPciDevice; + + Status =3D PciIo->GetLocation (PciIo, &PciSegment, &PciBus, &PciDevice, = &PciFunction); + ASSERT_EFI_ERROR(Status); + + NewPciDevice =3D AllocateZeroPool(sizeof(*NewPciDevice)); + ASSERT_EFI_ERROR(NewPciDevice !=3D NULL); + + NewPciDevice->Signature =3D PCI_DEVICE_INSTANCE_SIGNATURE; + NewPciDevice->PciSegment =3D PciSegment; + NewPciDevice->PciBus =3D PciBus; + NewPciDevice->PciDevice =3D PciDevice; + NewPciDevice->PciFunction =3D PciFunction; + + InsertTailList(PciDeviceList, &NewPciDevice->Link); +} + +/** + Check if a PCI device is recorded in device list. 
+ + @param PciIo PciIo instance of the device + @param PciDeviceList The list to record the the device + + @retval TRUE The PCI device is in the list. + @retval FALSE The PCI device is NOT in the list. +**/ +BOOLEAN +IsPciDeviceInList( + IN EFI_PCI_IO_PROTOCOL *PciIo, + IN LIST_ENTRY *PciDeviceList + ) +{ + UINTN PciSegment; + UINTN PciBus; + UINTN PciDevice; + UINTN PciFunction; + EFI_STATUS Status; + LIST_ENTRY *Link; + PCI_DEVICE_INSTANCE *CurrentPciDevice; + + Status =3D PciIo->GetLocation (PciIo, &PciSegment, &PciBus, &PciDevice, = &PciFunction); + ASSERT_EFI_ERROR(Status); + + Link =3D GetFirstNode(PciDeviceList); + while (!IsNull(PciDeviceList, Link)) { + CurrentPciDevice =3D PCI_DEVICE_INSTANCE_FROM_LINK(Link); + + if (CurrentPciDevice->PciSegment =3D=3D PciSegment && CurrentPciDevice= ->PciBus =3D=3D PciBus && + CurrentPciDevice->PciDevice =3D=3D PciDevice && CurrentPciDevice->= PciFunction =3D=3D PciFunction) { + DEBUG((DEBUG_INFO, "PCI device duplicated (Loc - %04x:%02x:%02x:%02x= )\n", PciSegment, PciBus, PciDevice, PciFunction)); + return TRUE; + } + + Link =3D GetNextNode(PciDeviceList, Link); + } + + return FALSE; +} + +/* + return Offset of the PCI Cap ID. 
+ + @param PciIo PciIo instance of the device + @param CapId The Capability ID of the Pci device + + @return The PCI Capability ID Offset +*/ +UINT32 +GetPciCapId ( + IN EFI_PCI_IO_PROTOCOL *PciIo, + IN UINT8 CapId + ) +{ + EFI_PCI_CAPABILITY_HDR PciCapIdHdr; + UINT32 PciCapIdOffset; + EFI_STATUS Status; + + PciCapIdHdr.CapabilityID =3D ~CapId; + Status =3D PciIo->Pci.Read (PciIo, EfiPciIoWidthUint8, PCI_CAPBILITY_POI= NTER_OFFSET, 1, &PciCapIdHdr.NextItemPtr); + ASSERT_EFI_ERROR(Status); + if (PciCapIdHdr.NextItemPtr =3D=3D 0 || PciCapIdHdr.NextItemPtr =3D=3D 0= xFF) { + return 0; + } + PciCapIdOffset =3D 0; + do { + if (PciCapIdHdr.CapabilityID =3D=3D CapId) { + break; + } + PciCapIdOffset =3D PciCapIdHdr.NextItemPtr; + Status =3D PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, PciCapIdOffset= , 1, &PciCapIdHdr); + ASSERT_EFI_ERROR(Status); + } while (PciCapIdHdr.NextItemPtr !=3D 0 && PciCapIdHdr.NextItemPtr !=3D = 0xFF); + + if (PciCapIdHdr.CapabilityID =3D=3D CapId) { + return PciCapIdOffset; + } else { + return 0; + } +} + +/* + return Offset of the PCIe Ext Cap ID. 
+ + @param PciIo PciIo instance of the device + @param CapId The Ext Capability ID of the Pci device + + @return The PCIe Ext Capability ID Offset +*/ +UINT32 +GetPciExpressExtCapId ( + IN EFI_PCI_IO_PROTOCOL *PciIo, + IN UINT16 CapId + ) +{ + UINT32 PcieCapIdOffset; + PCI_EXPRESS_EXTENDED_CAPABILITIES_HEADER PciExpressExtCapIdHdr; + EFI_STATUS Status; + + PcieCapIdOffset =3D GetPciCapId (PciIo, EFI_PCI_CAPABILITY_ID_PCIEXP); + if (PcieCapIdOffset =3D=3D 0) { + return 0; + } + + PciExpressExtCapIdHdr.CapabilityId =3D ~CapId; + PciExpressExtCapIdHdr.CapabilityVersion =3D 0xF; + PciExpressExtCapIdHdr.NextCapabilityOffset =3D 0x100; + PcieCapIdOffset =3D 0; + do { + if (PciExpressExtCapIdHdr.CapabilityId =3D=3D CapId) { + break; + } + PcieCapIdOffset =3D PciExpressExtCapIdHdr.NextCapabilityOffset; + Status =3D PciIo->Pci.Read (PciIo, EfiPciIoWidthUint32, PcieCapIdOffse= t, 1, &PciExpressExtCapIdHdr); + ASSERT_EFI_ERROR(Status); + } while (PciExpressExtCapIdHdr.NextCapabilityOffset !=3D 0 && PciExpress= ExtCapIdHdr.NextCapabilityOffset !=3D 0xFFF); + + if (PciExpressExtCapIdHdr.CapabilityId =3D=3D CapId) { + return PcieCapIdOffset; + } else { + return 0; + } +} + +/** + Read byte of the PCI device configuration space. + + @param PciIo PciIo instance of the device + @param Offset The offset of the Pci device configuration space + + @return Byte value of the PCI device configuration space. +**/ +UINT8 +DvSecPciRead8 ( + IN EFI_PCI_IO_PROTOCOL *PciIo, + IN UINT32 Offset + ) +{ + EFI_STATUS Status; + UINT8 Data; + + Status =3D PciIo->Pci.Read (PciIo, EfiPciIoWidthUint8, Offset, 1, &Data); + ASSERT_EFI_ERROR(Status); + + return Data; +} + +/** + Write byte of the PCI device configuration space. + + @param PciIo PciIo instance of the device + @param Offset The offset of the Pci device configuration space + @param Data Byte value of the PCI device configuration space. 
+**/ +VOID +DvSecPciWrite8 ( + IN EFI_PCI_IO_PROTOCOL *PciIo, + IN UINT32 Offset, + IN UINT8 Data + ) +{ + EFI_STATUS Status; + + Status =3D PciIo->Pci.Write (PciIo, EfiPciIoWidthUint8, Offset, 1, &Data= ); + ASSERT_EFI_ERROR(Status); +} + +/** + Get the Digest size from the TCG hash Algorithm ID. + + @param TcgAlgId TCG hash Algorithm ID + + @return Digest size of the TCG hash Algorithm ID +**/ +UINTN +DigestSizeFromTcgAlgId ( + IN UINT16 TcgAlgId + ) +{ + switch (TcgAlgId) { + case TPM_ALG_SHA256: + return SHA256_DIGEST_SIZE; + case TPM_ALG_SHA384: + return SHA384_DIGEST_SIZE; + case TPM_ALG_SHA512: + return SHA512_DIGEST_SIZE; + case TPM_ALG_SM3_256: + default: + break; + } + return 0; +} + +/** + Convert the SPDM hash algo ID from the TCG hash Algorithm ID. + + @param TcgAlgId TCG hash Algorithm ID + + @return SPDM hash algo ID +**/ +UINT8 +TcgAlgIdToSpdmHashAlgo ( + IN UINT16 TcgAlgId + ) +{ + switch (TcgAlgId) { + case TPM_ALG_SHA256: + return SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA2_256; + case TPM_ALG_SHA384: + return SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA2_384; + case TPM_ALG_SHA512: + return SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA2_512; + case TPM_ALG_SM3_256: + default: + break; + } + return 0; +} + +/** + This function extend the PCI digest from the DvSec register. + + @param[in] PciIo The PciIo of the device. + @param[in] DeviceSecurityPolicy The Device Security Policy associated= with the device. + @param[in] TcgAlgId TCG hash Algorithm ID + @param[in] DigestSel The digest selector + @param[in] Digest The digest buffer + @param[out] DeviceSecurityState The Device Security state associated = with the device. 
+**/ +VOID +ExtendDigestRegister ( + IN EFI_PCI_IO_PROTOCOL *PciIo, + IN EDKII_DEVICE_SECURITY_POLICY *DeviceSecurityPolicy, + IN UINT16 TcgAlgId, + IN UINT8 DigestSel, + IN UINT8 *Digest, + OUT EDKII_DEVICE_SECURITY_STATE *DeviceSecurityState + ) +{ + UINT32 PcrIndex; + UINT32 EventType; + EDKII_DEVICE_SECURITY_PCI_EVENT_DATA EventLog; + EDKII_DEVICE_SECURITY_EVENT_MEASUREMENT_CONTENT_MAX_HASH HashData; + UINT64 HashDataLen; + UINTN DigestSize; + EFI_STATUS Status; + PCI_TYPE00 PciData; + + Status =3D PciIo->Pci.Read (PciIo, EfiPciIoWidthUint8, 0, sizeof(PciData= ), &PciData); + ASSERT_EFI_ERROR(Status); + + PcrIndex =3D EDKII_DEVICE_MEASUREMENT_COMPONENT_PCR_INDEX; + EventType =3D EDKII_DEVICE_MEASUREMENT_COMPONENT_EVENT_TYPE; + + CopyMem (EventLog.EventData.Signature, EDKII_DEVICE_SECURITY_EVENT_DATA_= SIGNATURE, sizeof(EventLog.EventData.Signature)); + EventLog.EventData.Version =3D EDKII_DEVICE_SECURITY_EV= ENT_DATA_VERSION; + EventLog.EventData.Length =3D sizeof(EDKII_DEVICE_SECU= RITY_PCI_EVENT_DATA); + EventLog.EventData.SpdmMeasurementBlock.Index =3D Dig= estSel; + EventLog.EventData.SpdmMeasurementBlock.MeasurementType =3D SPD= M_MEASUREMENT_BLOCK_MEASUREMENT_TYPE_MUTABLE_FIRMWARE; + EventLog.EventData.SpdmMeasurementBlock.MeasurementSpecification =3D 0xF= F; + EventLog.EventData.SpdmMeasurementBlock.Reserved =3D 0; + EventLog.EventData.SpdmHashAlgo =3D TcgAlgIdToSpdmHashAlgo (TcgAlg= Id); + EventLog.EventData.DeviceType =3D EDKII_DEVICE_SECURITY_EVENT_DA= TA_DEVICE_TYPE_PCI; + ZeroMem (EventLog.EventData.Reserved, sizeof(EventLog.EventData.Reserved= )); + EventLog.PciContext.Version =3D EDKII_DEVICE_SECURITY_EVENT_DA= TA_PCI_CONTEXT_VERSION; + EventLog.PciContext.Length =3D sizeof(EDKII_DEVICE_SECURITY_E= VENT_DATA_PCI_CONTEXT); + EventLog.PciContext.VendorId =3D PciData.Hdr.VendorId; + EventLog.PciContext.DeviceId =3D PciData.Hdr.DeviceId; + EventLog.PciContext.RevisionID =3D PciData.Hdr.RevisionID; + EventLog.PciContext.ClassCode[0] =3D 
PciData.Hdr.ClassCode[0]; + EventLog.PciContext.ClassCode[1] =3D PciData.Hdr.ClassCode[1]; + EventLog.PciContext.ClassCode[2] =3D PciData.Hdr.ClassCode[2]; + if ((PciData.Hdr.HeaderType & HEADER_LAYOUT_CODE) =3D=3D HEADER_TYPE_DEV= ICE) { + EventLog.PciContext.SubsystemVendorID =3D PciData.Device.SubsystemVend= orID; + EventLog.PciContext.SubsystemID =3D PciData.Device.SubsystemID; + } else { + EventLog.PciContext.SubsystemVendorID =3D 0; + EventLog.PciContext.SubsystemID =3D 0; + } + + DigestSize =3D DigestSizeFromTcgAlgId (TcgAlgId); + CopyMem (&HashData.Measurement, Digest, DigestSize); + + HashDataLen =3D DigestSize; + Status =3D TpmMeasureAndLogData ( + PcrIndex, + EventType, + &EventLog, + EventLog.EventData.Length, + &HashData, + HashDataLen + ); + DEBUG((DEBUG_INFO, "TpmMeasureAndLogData - %r\n", Status)); + if (EFI_ERROR(Status)) { + DeviceSecurityState->MeasurementState =3D EDKII_DEVICE_SECURITY_STATE_= ERROR_TCG_EXTEND_TPM_PCR; + } else { + RecordPciDeviceInList (PciIo, &mSecurityEventMeasurementDeviceList); + } +} + +/** + This function reads the PCI digest from the DvSec register and extend to= TPM. + + @param[in] PciIo The PciIo of the device. + @param[in] DvSecOffset The DvSec register offset of the devi= ce. + @param[in] DeviceSecurityPolicy The Device Security Policy associated= with the device. + @param[out] DeviceSecurityState The Device Security state associated = with the device. 
+**/ +VOID +DoMeasurementsFromDigestRegister ( + IN EFI_PCI_IO_PROTOCOL *PciIo, + IN UINT32 DvSecOffset, + IN EDKII_DEVICE_SECURITY_POLICY *DeviceSecurityPolicy, + OUT EDKII_DEVICE_SECURITY_STATE *DeviceSecurityState + ) +{ + UINT8 Modified; + UINT8 Valid; + UINT16 TcgAlgId; + UINT8 NumDigest; + UINT8 DigestSel; + UINT8 Digest[SHA512_DIGEST_SIZE]; + UINTN DigestSize; + EFI_STATUS Status; + + TcgAlgId =3D DvSecPciRead8 ( + PciIo, + DvSecOffset + sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER) + = OFFSET_OF(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, TcgAlgId) + ); + DEBUG((DEBUG_INFO, " TcgAlgId - 0x%04x\n", TcgAlgId)); + DigestSize =3D DigestSizeFromTcgAlgId (TcgAlgId); + if (DigestSize =3D=3D 0) { + DEBUG((DEBUG_INFO, "Unsupported Algorithm - 0x%04x\n", TcgAlgId)); + DeviceSecurityState->MeasurementState =3D EDKII_DEVICE_SECURITY_STATE_= ERROR_PCI_NO_CAPABILITIES; + return ; + } + DEBUG((DEBUG_INFO, " (DigestSize: 0x%x)\n", DigestSize)); + + DeviceSecurityState->MeasurementState =3D EDKII_DEVICE_SECURITY_STATE_SU= CCESS; + + NumDigest =3D DvSecPciRead8 ( + PciIo, + DvSecOffset + sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER) += OFFSET_OF(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, FirmwareID) + ); + DEBUG((DEBUG_INFO, " NumDigest - 0x%02x\n", NumDigest)); + + Valid =3D DvSecPciRead8 ( + PciIo, + DvSecOffset + sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER) + OFF= SET_OF(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, Valid) + ); + DEBUG((DEBUG_INFO, " Valid - 0x%02x\n", Valid)); + + // + // Only 2 are supported as maximum. + // But hardware may report 3. + // + if (NumDigest > 2) { + NumDigest =3D 2; + } + + for (DigestSel =3D 0; DigestSel < NumDigest; DigestSel++) { + DEBUG((DEBUG_INFO, " DigestSel - 0x%02x\n", DigestSel)); + if ((DigestSel =3D=3D 0) && ((Valid & INTEL_PCI_DIGEST_0_VALID) =3D=3D= 0)) { + continue; + } + if ((DigestSel =3D=3D 1) && ((Valid & INTEL_PCI_DIGEST_1_VALID) =3D=3D= 0)) { + continue; + } + while (TRUE) { + // + // Host MUST clear DIGEST_MODIFIED before read DIGEST. 
+ // + DvSecPciWrite8 ( + PciIo, + DvSecOffset + sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER) + OFFSET_= OF(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, Modified), + INTEL_PCI_DIGEST_MODIFIED + ); + + Status =3D PciIo->Pci.Read ( + PciIo, + EfiPciIoWidthUint8, + (UINT32)(DvSecOffset + sizeof(INTEL_PCI_DIGEST= _CAPABILITY_HEADER) + sizeof(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE) + Diges= tSize * DigestSel), + DigestSize, + Digest + ); + ASSERT_EFI_ERROR(Status); + + // + // After read DIGEST, Host MUST consult DIGEST_MODIFIED. + // + Modified =3D DvSecPciRead8 ( + PciIo, + DvSecOffset + sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER= ) + OFFSET_OF(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, Modified) + ); + if ((Modified & INTEL_PCI_DIGEST_MODIFIED) =3D=3D 0) { + break; + } + } + + // + // Dump Digest + // + { + UINTN Index; + DEBUG((DEBUG_INFO, " Digest - ")); + for (Index =3D 0; Index < DigestSize; Index++) { + DEBUG((DEBUG_INFO, "%02x", *(Digest + Index))); + } + DEBUG((DEBUG_INFO, "\n")); + } + + DEBUG((DEBUG_INFO, "ExtendDigestRegister...\n", ExtendDigestRegister)); + ExtendDigestRegister (PciIo, DeviceSecurityPolicy, TcgAlgId, DigestSel= , Digest, DeviceSecurityState); + } +} + +/** + The device driver uses this service to measure a PCI device. + + @param[in] PciIo The PciIo of the device. + @param[in] DeviceSecurityPolicy The Device Security Policy associated= with the device. + @param[out] DeviceSecurityState The Device Security state associated = with the device. 
+**/ +VOID +DoDeviceMeasurement ( + IN EFI_PCI_IO_PROTOCOL *PciIo, + IN EDKII_DEVICE_SECURITY_POLICY *DeviceSecurityPolicy, + OUT EDKII_DEVICE_SECURITY_STATE *DeviceSecurityState + ) +{ + UINT32 DvSecOffset; + INTEL_PCI_DIGEST_CAPABILITY_HEADER DvSecHdr; + EFI_STATUS Status; + + if (IsPciDeviceInList (PciIo, &mSecurityEventMeasurementDeviceList)) { + DeviceSecurityState->MeasurementState =3D EDKII_DEVICE_SECURITY_STATE_= SUCCESS; + return ; + } + + DvSecOffset =3D GetPciExpressExtCapId (PciIo, INTEL_PCI_CAPID_DVSEC); + DEBUG((DEBUG_INFO, "DvSecOffset - 0x%x\n", DvSecOffset)); + if (DvSecOffset =3D=3D 0) { + DeviceSecurityState->MeasurementState =3D EDKII_DEVICE_SECURITY_STATE_= ERROR_PCI_NO_CAPABILITIES; + return ; + } + Status =3D PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, DvSecOffset, siz= eof(DvSecHdr)/sizeof(UINT16), &DvSecHdr); + ASSERT_EFI_ERROR(Status); + DEBUG((DEBUG_INFO, " CapId - 0x%04x\n", DvSecHdr.CapId)); + DEBUG((DEBUG_INFO, " CapVersion - 0x%01x\n", DvSecHdr.CapVersion)); + DEBUG((DEBUG_INFO, " NextOffset - 0x%03x\n", DvSecHdr.NextOffset)); + DEBUG((DEBUG_INFO, " DvSecVendorId - 0x%04x\n", DvSecHdr.DvSecVendorId)= ); + DEBUG((DEBUG_INFO, " DvSecRevision - 0x%01x\n", DvSecHdr.DvSecRevision)= ); + DEBUG((DEBUG_INFO, " DvSecLength - 0x%03x\n", DvSecHdr.DvSecLength)); + DEBUG((DEBUG_INFO, " DvSecId - 0x%04x\n", DvSecHdr.DvSecId)); + if ((DvSecHdr.DvSecVendorId !=3D INTEL_PCI_DVSEC_VENDORID_INTEL) && + (DvSecHdr.DvSecId !=3D INTEL_PCI_DVSEC_DVSECID_MEASUREMENT)) { + DeviceSecurityState->MeasurementState =3D EDKII_DEVICE_SECURITY_STATE_= ERROR_PCI_NO_CAPABILITIES; + return ; + } + + DoMeasurementsFromDigestRegister (PciIo, DvSecOffset, DeviceSecurityPoli= cy, DeviceSecurityState); +} + +/** + The device driver uses this service to verify a PCI device. + + @param[in] PciIo The PciIo of the device. + @param[in] DeviceSecurityPolicy The Device Security Policy associated= with the device. 
+ @param[out] DeviceSecurityState The Device Security state associated = with the device. +**/ +VOID +DoDeviceAuthentication ( + IN EFI_PCI_IO_PROTOCOL *PciIo, + IN EDKII_DEVICE_SECURITY_POLICY *DeviceSecurityPolicy, + OUT EDKII_DEVICE_SECURITY_STATE *DeviceSecurityState + ) +{ + DeviceSecurityState->AuthenticationState =3D EDKII_DEVICE_SECURITY_STATE= _ERROR_UEFI_UNSUPPORTED; +} + +/** + The device driver uses this service to measure and/or verify a device. + + The flow in device driver is: + 1) Device driver discovers a new device. + 2) Device driver creates an EFI_DEVICE_PATH_PROTOCOL. + 3) Device driver creates a device access protocol. e.g. + EFI_PCI_IO_PROTOCOL for PCI device. + EFI_USB_IO_PROTOCOL for USB device. + EFI_EXT_SCSI_PASS_THRU_PROTOCOL for SCSI device. + EFI_ATA_PASS_THRU_PROTOCOL for ATA device. + EFI_NVM_EXPRESS_PASS_THRU_PROTOCOL for NVMe device. + EFI_SD_MMC_PASS_THRU_PROTOCOL for SD/MMC device. + 4) Device driver installs the EFI_DEVICE_PATH_PROTOCOL with EFI_DEVICE_P= ATH_PROTOCOL_GUID, + and the device access protocol with EDKII_DEVICE_IDENTIFIER_TYPE_xxx_= GUID. + Once it is done, a DeviceHandle is returned. + 5) Device driver creates EDKII_DEVICE_IDENTIFIER with EDKII_DEVICE_IDENT= IFIER_TYPE_xxx_GUID + and the DeviceHandle. + 6) Device driver calls DeviceAuthenticate(). + 7) If DeviceAuthenticate() returns EFI_SECURITY_VIOLATION, the device dr= iver uninstalls + all protocols on this handle. + 8) If DeviceAuthenticate() returns EFI_SUCCESS, the device driver instal= ls the device access + protocol with a real protocol GUID. e.g. + EFI_PCI_IO_PROTOCOL with EFI_PCI_IO_PROTOCOL_GUID. + EFI_USB_IO_PROTOCOL with EFI_USB_IO_PROTOCOL_GUID. + + @param[in] This The protocol instance pointer. + @param[in] DeviceId The Identifier for the device. + + @retval EFI_SUCCESS The device specified by the DeviceId pa= ssed the measurement + and/or authentication based upon the pl= atform policy. 
+ If TCG measurement is required, the mea= surement is extended to TPM PCR. + @retval EFI_SECURITY_VIOLATION The device fails to return the measurem= ent data. + @retval EFI_SECURITY_VIOLATION The device fails to response the authen= tication request. + @retval EFI_SECURITY_VIOLATION The system fails to verify the device b= ased upon the authentication response. + @retval EFI_SECURITY_VIOLATION The system fails to extend the measurem= ent to TPM PCR. +**/ +EFI_STATUS +EFIAPI +DeviceAuthentication ( + IN EDKII_DEVICE_SECURITY_PROTOCOL *This, + IN EDKII_DEVICE_IDENTIFIER *DeviceId + ) +{ + EDKII_DEVICE_SECURITY_POLICY *DeviceSecurityPolicy; + EDKII_DEVICE_SECURITY_STATE DeviceSecurityState; + EFI_PCI_IO_PROTOCOL *PciIo; + EFI_STATUS Status; + + if (mDeviceSecurityPolicy =3D=3D NULL) { + return EFI_SUCCESS; + } + + if (!CompareGuid (&DeviceId->DeviceType, &gEdkiiDeviceIdentifierTypePciG= uid)) { + return EFI_SUCCESS; + } + + Status =3D gBS->HandleProtocol ( + DeviceId->DeviceHandle, + &gEdkiiDeviceIdentifierTypePciGuid, + (VOID **)&PciIo + ); + if (EFI_ERROR(Status)) { + DEBUG ((DEBUG_ERROR, "Locate - DeviceIdentifierTypePci - %r\n", Status= )); + return EFI_SUCCESS; + } + + DeviceSecurityState.Version =3D 0x1; + DeviceSecurityState.MeasurementState =3D 0x0; + DeviceSecurityState.AuthenticationState =3D 0x0; + + Status =3D mDeviceSecurityPolicy->GetDevicePolicy (mDeviceSecurityPolicy= , DeviceId, &DeviceSecurityPolicy); + if (EFI_ERROR(Status)) { + DEBUG((DEBUG_ERROR, "mDeviceSecurityPolicy->GetDevicePolicy - %r\n", S= tatus)); + DeviceSecurityState.MeasurementState =3D EDKII_DEVICE_SECURITY_STATE_E= RROR_UEFI_GET_POLICY_PROTOCOL; + DeviceSecurityState.AuthenticationState =3D EDKII_DEVICE_SECURITY_STAT= E_ERROR_UEFI_GET_POLICY_PROTOCOL; + } else { + if ((DeviceSecurityPolicy->MeasurementPolicy & EDKII_DEVICE_MEASUREMEN= T_POLICY_REQUIRED) !=3D 0) { + DoDeviceMeasurement (PciIo, DeviceSecurityPolicy, &DeviceSecuritySta= te); + DEBUG((DEBUG_ERROR, "MeasurementState - 
0x%08x\n", DeviceSecuritySta= te.MeasurementState)); + } + if ((DeviceSecurityPolicy->AuthenticationPolicy & EDKII_DEVICE_AUTHENT= ICATION_POLICY_REQUIRED) !=3D 0) { + DoDeviceAuthentication (PciIo, DeviceSecurityPolicy, &DeviceSecurity= State); + DEBUG((DEBUG_ERROR, "AuthenticationState - 0x%08x\n", DeviceSecurity= State.AuthenticationState)); + } + } + + Status =3D mDeviceSecurityPolicy->SetDeviceState (mDeviceSecurityPolicy,= DeviceId, &DeviceSecurityState); + if (EFI_ERROR(Status)) { + DEBUG((DEBUG_ERROR, "mDeviceSecurityPolicy->SetDeviceState - %r\n", St= atus)); + } + + if ((DeviceSecurityState.MeasurementState =3D=3D 0) && + (DeviceSecurityState.AuthenticationState =3D=3D 0)) { + return EFI_SUCCESS; + } else { + return EFI_SECURITY_VIOLATION; + } +} + +EDKII_DEVICE_SECURITY_PROTOCOL mDeviceSecurity =3D { + EDKII_DEVICE_SECURITY_PROTOCOL_REVISION, + DeviceAuthentication +}; + +/** + Entrypoint of the device security driver. + + @param[in] ImageHandle ImageHandle of the loaded driver + @param[in] SystemTable Pointer to the System Table + + @retval EFI_SUCCESS The Protocol is installed. + @retval EFI_OUT_OF_RESOURCES Not enough resources available to initial= ize driver. + @retval EFI_DEVICE_ERROR A device error occurred attempting to ini= tialize the driver. + +**/ +EFI_STATUS +EFIAPI +MainEntryPoint ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + EFI_HANDLE Handle; + EFI_STATUS Status; + + Status =3D gBS->LocateProtocol (&gEdkiiDeviceSecurityPolicyProtocolGuid,= NULL, (VOID **)&mDeviceSecurityPolicy); + ASSERT_EFI_ERROR(Status); + + Handle =3D NULL; + Status =3D gBS->InstallProtocolInterface ( + &Handle, + &gEdkiiDeviceSecurityProtocolGuid, + EFI_NATIVE_INTERFACE, + (VOID **)&mDeviceSecurity + ); + ASSERT_EFI_ERROR(Status); + + return Status; +} 
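Review bot: the DVSEC identity check in DoDeviceMeasurement is too permissive. `if ((DvSecHdr.DvSecVendorId != INTEL_PCI_DVSEC_VENDORID_INTEL) && (DvSecHdr.DvSecId != INTEL_PCI_DVSEC_DVSECID_MEASUREMENT))` rejects the capability only when both fields mismatch, so a DVSEC carrying the Intel vendor id with some other DvSecId (or the measurement DvSecId under another vendor id) is accepted and its registers are parsed as digest registers; the operator should be `||`. Related: only the single offset returned by GetPciExpressExtCapId is examined, but a device may expose several DVSEC capabilities, so the capability list should be walked until one matching both the vendor id and the measurement DvSecId is found rather than giving up on the first mismatch. In DoMeasurementsFromDigestRegister the `while (TRUE)` loop that clears DIGEST_MODIFIED, reads the digest and re-checks the bit has no upper bound, so a faulty or hostile device that keeps the bit set stalls boot indefinitely; bound the retries and set an error MeasurementState when they are exhausted. TcgAlgId is declared UINT16 but fetched with DvSecPciRead8 (the DEBUG print even uses %04x), which drops the high byte if the register is 16 bits wide, and NumDigest is read from OFFSET_OF(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, FirmwareID), which looks like the wrong field. Config-space reads from the device are only checked with ASSERT_EFI_ERROR, which is not an error path in builds with asserts disabled; set an error state and return instead. Minor: `DEBUG((DEBUG_INFO, "ExtendDigestRegister...\n", ExtendDigestRegister));` passes a stray argument, and DeviceAuthentication returns EFI_SUCCESS when HandleProtocol for gEdkiiDeviceIdentifierTypePciGuid fails, which is fail-open for a device the policy may have wanted measured.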
diff --git a/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDev= iceSecurityDxe/IntelPciDeviceSecurityDxe.inf b/Silicon/Intel/IntelSiliconPk= g/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/IntelPciDeviceSecurityDxe.= inf new file mode 100644 index 0000000000..89a4c8fadd --- /dev/null +++ b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecu= rityDxe/IntelPciDeviceSecurityDxe.inf @@ -0,0 +1,45 @@ +## @file +# EDKII Device Security library for PCI device +# +# Copyright (c) 2019, Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D IntelPciDeviceSecurityDxe + FILE_GUID =3D D9569195-ED94-47D2-9523-38BF2D201371 + MODULE_TYPE =3D DXE_DRIVER + VERSION_STRING =3D 1.0 + ENTRY_POINT =3D MainEntryPoint + +[Sources] + IntelPciDeviceSecurityDxe.c + TcgDeviceEvent.h + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + IntelSiliconPkg/IntelSiliconPkg.dec + +[LibraryClasses] + UefiRuntimeServicesTableLib + UefiBootServicesTableLib + UefiDriverEntryPoint + MemoryAllocationLib + DevicePathLib + BaseMemoryLib + PrintLib + DebugLib + UefiLib + PcdLib + TpmMeasurementLib + +[Protocols] + gEdkiiDeviceSecurityPolicyProtocolGuid ## CONSUMES + gEdkiiDeviceSecurityProtocolGuid ## PRODUCES + gEdkiiDeviceIdentifierTypePciGuid ## COMSUMES + +[Depex] + gEdkiiDeviceSecurityPolicyProtocolGuid diff --git a/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDev= iceSecurityDxe/TcgDeviceEvent.h b/Silicon/Intel/IntelSiliconPkg/Feature/Pci= eSecurity/IntelPciDeviceSecurityDxe/TcgDeviceEvent.h new file mode 100644 index 0000000000..8b1227dace --- /dev/null +++ b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecu= rityDxe/TcgDeviceEvent.h @@ -0,0 +1,193 @@ +/** @file + TCG Device Event data structure +Copyright (c) 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent +**/ + + +#ifndef __TCG_EVENT_DATA_H__ +#define __TCG_EVENT_DATA_H__ + +#include + +#pragma pack(1) + +// ------------------------------------------- +// TCG Measurement for SPDM Device Measurement +// ------------------------------------------- + +// +// Device Firmware Component (including immutable ROM or mutable firmware) +// +#define EDKII_DEVICE_MEASUREMENT_COMPONENT_PCR_INDEX 2 +#define EDKII_DEVICE_MEASUREMENT_COMPONENT_EVENT_TYPE 0x800000E1 +// +// Device Firmware Configuration (including hardware configuration or firm= ware configuration) +// +#define EDKII_DEVICE_MEASUREMENT_CONFIGURATION_PCR_INDEX 4 +#define EDKII_DEVICE_MEASUREMENT_CONFIGURATION_EVENT_TYPE 0x800000E2 + +// +// Device Firmware Measurement Measurement Data +// The measurement data is the device firmware measurement. +// +// TBD: Open: +// In order to support crypto agile, the firmware will hash the DeviceMeas= urement again. +// As such the device measurement algo might be different with host firmwa= re measurement algo. +// + +// +// Device Firmware Measurement Event Data +// +#define EDKII_DEVICE_SECURITY_EVENT_DATA_SIGNATURE "SPDM Device Sec\0" +#define EDKII_DEVICE_SECURITY_EVENT_DATA_VERSION 0 + +// +// Device Type +// 0x03 ~ 0xDF reserved by TCG. +// 0xE0 ~ 0xFF reserved by OEM. +// +#define EDKII_DEVICE_SECURITY_EVENT_DATA_DEVICE_TYPE_NULL 0 +#define EDKII_DEVICE_SECURITY_EVENT_DATA_DEVICE_TYPE_PCI 1 +#define EDKII_DEVICE_SECURITY_EVENT_DATA_DEVICE_TYPE_USB 2 + +// +// Device Firmware Measurement Event Data Common Part +// The device specific part should follow this data structure. +// +typedef struct { + // + // It must be EDKII_DEVICE_SECURITY_EVENT_DATA_SIGNATURE. + // + UINT8 Signature[16]; + // + // It must be EDKII_DEVICE_SECURITY_EVENT_DATA_VERSION. + // + UINT16 Version; + // + // The length of whole data structure, including Device Context. + // + UINT16 Length; + // + // The SPDM measurement block header. 
+ // + SPDM_MEASUREMENT_BLOCK_HEADER SpdmMeasurementBlock; + // + // The SpdmHashAlgo + // + UINT8 SpdmHashAlgo; + // + // The type of device. This field is to determine the Device Context fol= lowed by. + // + UINT8 DeviceType; + // + // reserved. Make UINT64 aligned. + // + UINT8 Reserved[6]; +} EDKII_DEVICE_SECURITY_EVENT_DATA_HEADER; + +// +// PCI device specific context +// +#define EDKII_DEVICE_SECURITY_EVENT_DATA_PCI_CONTEXT_VERSION 0 +typedef struct { + UINT16 Version; + UINT16 Length; + UINT16 VendorId; + UINT16 DeviceId; + UINT8 RevisionID; + UINT8 ClassCode[3]; + UINT16 SubsystemVendorID; + UINT16 SubsystemID; +} EDKII_DEVICE_SECURITY_EVENT_DATA_PCI_CONTEXT; + +typedef struct { + EDKII_DEVICE_SECURITY_EVENT_DATA_HEADER EventData; + EDKII_DEVICE_SECURITY_EVENT_DATA_PCI_CONTEXT PciContext; +} EDKII_DEVICE_SECURITY_PCI_EVENT_DATA; + +// +// USB device specific context +// +#define EDKII_DEVICE_SECURITY_EVENT_DATA_USB_CONTEXT_VERSION 0 +typedef struct { + UINT16 Version; + UINT16 Length; +//UINT8 DeviceDescriptor[DescLen]; +//UINT8 BodDescriptor[DescLen]; +//UINT8 ConfigurationDescriptor[DescLen][NumOfConfiguration]; +} EDKII_DEVICE_SECURITY_EVENT_DATA_USB_CONTEXT; + +typedef struct { + EDKII_DEVICE_SECURITY_EVENT_DATA_HEADER EventData; + EDKII_DEVICE_SECURITY_EVENT_DATA_USB_CONTEXT PciContext; +} EDKII_DEVICE_SECURITY_USB_EVENT_DATA; + +// ---------------------------------------------- +// TCG Measurement for SPDM Device Authentication +// ---------------------------------------------- + +// +// Device Root cert is stored into a UEFI authenticated variable. +// It is non-volatile, boot service, runtime service, and time based authe= nticated variable. +// The "devdb" includes a list of allowed device root cert. +// The "devdbx" includes a list of forbidden device root cert. +// The usage of "devdb" and "devdbx" is same as "db" and "dbx" in UEFI sec= ure boot. +// +// NOTE: We choose not to mix "db"/"dbx" for better management purpose. 
+// + +#define EDKII_DEVICE_ROOT_CERT_VARAIBLE_NAME L"devdb" +#define EDKII_DEVICE_ROOT_CERT_VARAIBLE2_NAME L"devdbx" + +#define EDKII_DEVICE_SIGNATURE_DATABASE_GUID \ + {0xb9c2b4f4, 0xbf5f, 0x462d, 0x8a, 0xdf, 0xc5, 0xc7, 0xa, 0xc3, 0x5d, 0x= ad} + +// +// Platform Firmware adhering to the policy MUST therefore measure the fol= lowing values into PCR[7]: +// 1. The content of the EDKII_DEVICE_SIGNATURE_DATABASE_GUID/EDKII_DEVICE= _ROOT_CERT_VARAIBLE_NAME variable. +// 2. The content of the EDKII_DEVICE_SIGNATURE_DATABASE_GUID/EDKII_DEVICE= _ROOT_CERT_VARAIBLE2_NAME variable. +// 3. Entries in the EDKII_DEVICE_SIGNATURE_DATABASE_GUID/EDKII_DEVICE_ROO= T_CERT_VARAIBLE_NAME variable to +// authenticate the device. +// +// For all UEFI variable value events, the eventType SHALL be EV_EFI_VARIA= BLE_DRIVER_CONFIG and the Event +// value SHALL be the value of the UEFI_VARIABLE_DATA structure (this stru= cture SHALL be considered byte-aligned). +// The measurement digest MUST be tagged Hash for each supported PCR bank = of the event data which is the +// UEFI_VARIABLE_DATA structure. The UEFI_VARIABLE_DATA.UnicodeNameLength = value is the number of CHAR16 +// characters (not the number of bytes). The UEFI_VARIABLE_DATA.UnicodeNam= e contents MUST NOT include a NUL. +// If reading a UEFI variable returns UEFI_NOT_FOUND, the UEFI_VARIABLE_DA= TA.VariableDataLength field MUST +// be set to zero and UEFI_VARIABLE_DATA.VariableData field will have a si= ze of zero. +// + +// +// Entities that MUST be measured if the TPM is enabled: +// 1. Before executing any code not cryptographically authenticated as bei= ng provided by the Platform Manufacturer, +// the Platform Manufacturer firmware MUST measure the following values= , in the order listed using the +// EV_EFI_VARIABLE_DRIVER_CONFIG event type to PCR[7]: +// a) The content of the EDKII_DEVICE_SIGNATURE_DATABASE_GUID/ EDKII_DE= VICE_ROOT_CERT_VARAIBLE_NAME variable. 
+// b) The content of the EDKII_DEVICE_SIGNATURE_DATABASE_GUID/ EDKII_DE= VICE_ROOT_CERT_VARAIBLE2_NAME variable. +// 2. If the platform supports changing any of the following UEFI policy v= ariables after they are initially measured +// in PCR[7] and before ExitBootServices() has completed, the platform = MAY be restarted OR the variables MUST be +// remeasured into PCR[7]. Additionally the normal update process for s= etting any of the UEFI variables below SHOULD +// occur before the initial measurement in PCR[7] or after the call to = ExitBootServices() has completed. +// a) The content of the EDKII_DEVICE_SIGNATURE_DATABASE_GUID/ EDKII_DE= VICE_ROOT_CERT_VARAIBLE_NAME variable. +// b) The content of the EDKII_DEVICE_SIGNATURE_DATABASE_GUID/ EDKII_DE= VICE_ROOT_CERT_VARAIBLE2_NAME variable. +// 3. The system SHALL measure the EV_SEPARATOR event in PCR[7]. (This occ= urs at the same time the separator is +// measured to PCR[0-7].) +// Before setting up a device, the UEFI firmware SHALL determine if the= entry in the +// EDKII_DEVICE_SIGNATURE_DATABASE_GUID/ EDKII_DEVICE_ROOT_CERT_VARAIBL= E_NAME variable that was used to validate +// the device has previously been measured in PCR[7]. If it has not bee= n, it MUST be measured into PCR[7] as follows. +// If it has been measured previously, it MUST NOT be measured again. T= he measurement SHALL occur in conjunction +// with device setup. +// a) The eventType SHALL be EV_EFI_VARIABLE_AUTHORITY. +// b) The event value SHALL be the value of the UEFI_VARIABLE_DATA stru= cture. +// i. The UEFI_VARIABLE_DATA.VariableData value SHALL be the UEFI_= SIGNATURE_DATA value from the +// UEFI_SIGNATURE_LIST that contained the authority that was us= ed to validate the image. +// ii. The UEFI_VARIABLE_DATA.VariableName SHALL be set to UEFI_IMA= GE_SECURITY_DATABASE_GUID. +// iii. The UEFI_VARIABLE_DATA.UnicodeName SHALL be set to the value= of UEFI_IMAGE_SECURITY_DATABASE. +// The value MUST NOT include the terminating NUL. 
+// + +#pragma pack() + +#endif --=20 2.19.2.windows.1
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#49772): https://edk2.groups.io/g/devel/message/49772 Mute This Topic: https://groups.io/mt/40117822/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
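Review bot: `gEdkiiDeviceIdentifierTypePciGuid ## COMSUMES` in the [Protocols] section of IntelPciDeviceSecurityDxe.inf should read `## CONSUMES`. The file comment "EDKII Device Security library for PCI device" also does not match the module, which is a DXE_DRIVER producing gEdkiiDeviceSecurityProtocolGuid rather than a library.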
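Review bot: the PCR[7] authority text at the end of TcgDeviceEvent.h is inconsistent with the variables the header defines: items ii and iii say UEFI_VARIABLE_DATA.VariableName SHALL be UEFI_IMAGE_SECURITY_DATABASE_GUID and UnicodeName SHALL be UEFI_IMAGE_SECURITY_DATABASE, and item i speaks of "the authority that was used to validate the image", while the variable being described is EDKII_DEVICE_SIGNATURE_DATABASE_GUID / EDKII_DEVICE_ROOT_CERT_VARAIBLE_NAME ("devdb") and the thing validated is a device; the wording was carried over from the image-security text and should name devdb, otherwise an event-log parser will attribute the device authority to db. Also rename EDKII_DEVICE_ROOT_CERT_VARAIBLE_NAME / EDKII_DEVICE_ROOT_CERT_VARAIBLE2_NAME to ..._VARIABLE_... before other modules start consuming the header, and EDKII_DEVICE_SECURITY_USB_EVENT_DATA names its EDKII_DEVICE_SECURITY_EVENT_DATA_USB_CONTEXT member PciContext; it should be UsbContext.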
From: "Yao, Jiewen"
To: devel@edk2.groups.io
Cc: Ray Ni , Rangasai V Chaganty , Yun Lou
Subject: [edk2-devel] [PATCH V2 5/6] IntelSiliconPkg/SamplePlatformDevicePolicyDxe: Add sample policy.
Date: Thu, 31 Oct 2019 20:31:26 +0800
Message-Id: <20191031123127.10900-6-jiewen.yao@intel.com>
In-Reply-To: <20191031123127.10900-1-jiewen.yao@intel.com>
References: <20191031123127.10900-1-jiewen.yao@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303

This driver provides the platform sample policy to measure an NVMe card.

Cc: Ray Ni
Cc: Rangasai V Chaganty
Cc: Yun Lou
Signed-off-by: Jiewen Yao
---
 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePol= icyDxe/SamplePlatformDevicePolicyDxe.c | 189 ++++++++++++++++++++
 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePol= icyDxe/SamplePlatformDevicePolicyDxe.inf | 40 +++++
 2 files changed, 229 insertions(+)
diff --git a/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatf= ormDevicePolicyDxe/SamplePlatformDevicePolicyDxe.c b/Silicon/Intel/IntelSil= iconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/SamplePlatformDe= vicePolicyDxe.c new file mode 100644 index 0000000000..1f01b961a8 --- /dev/null
+++ b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevi= cePolicyDxe/SamplePlatformDevicePolicyDxe.c @@ -0,0 +1,189 @@ +/** @file + EDKII Device Security library for PCI device + +Copyright (c) 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +EDKII_DEVICE_SECURITY_POLICY mDeviceSecurityPolicyNone =3D { + 0x1, + 0, + 0, +}; +EDKII_DEVICE_SECURITY_POLICY mDeviceSecurityPolicyMeasurement = =3D { + 0x1, + EDKII_DEVICE_MEASUREMENT_POLICY_REQUIRED, + 0, +}; + +/** + This function returns the device security policy associated with the dev= ice. + + @param[in] This The protocol instance pointer. + @param[in] DeviceId The Identifier for the device. + @param[out] DeviceSecurityPolicy The Device Security Policy associated= with the device. + + @retval EFI_SUCCESS The device security policy is returned +**/ +EFI_STATUS +EFIAPI +GetDevicePolicy ( + IN EDKII_DEVICE_SECURITY_POLICY_PROTOCOL *This, + IN EDKII_DEVICE_IDENTIFIER *DeviceId, + OUT EDKII_DEVICE_SECURITY_POLICY **DeviceSecurityPolicy + ) +{ + EFI_STATUS Status; + EFI_PCI_IO_PROTOCOL *PciIo; + UINT16 PciVendorId; + UINT16 PciDeviceId; + + *DeviceSecurityPolicy =3D &mDeviceSecurityPolicyNone; + + DEBUG ((DEBUG_INFO, "GetDevicePolicy - 0x%g\n", &DeviceId->DeviceType)); + + if (!CompareGuid (&DeviceId->DeviceType, &gEdkiiDeviceIdentifierTypePciG= uid)) { + return EFI_SUCCESS; + } + + Status =3D gBS->HandleProtocol ( + DeviceId->DeviceHandle, + &gEdkiiDeviceIdentifierTypePciGuid, + (VOID **)&PciIo + ); + if (EFI_ERROR(Status)) { + DEBUG ((DEBUG_ERROR, "Locate - DeviceIdentifierTypePci - %r\n", Status= )); + return EFI_SUCCESS; + } + + Status =3D PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, PCI_VENDOR_ID_OF= FSET, 1, &PciVendorId); + ASSERT_EFI_ERROR(Status); + Status =3D PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, PCI_DEVICE_ID_OF= FSET, 1, &PciDeviceId); + ASSERT_EFI_ERROR(Status); + DEBUG ((DEBUG_INFO, "PCI Info - %04x:%04x\n", PciVendorId, PciDeviceId)); + + if ((PciVendorId =3D=3D 0x8086) && (PciDeviceId =3D=3D 0x0B60)) { + *DeviceSecurityPolicy =3D &mDeviceSecurityPolicyMeasurement; + } + + return 
EFI_SUCCESS; +} + +/** + This function sets the device state based upon the authentication result. + + @param[in] This The protocol instance pointer. + @param[in] DeviceId The Identifier for the device. + @param[in] DeviceSecurityState The Device Security state associated = with the device. + + @retval EFI_SUCCESS The device state is set +**/ +EFI_STATUS +EFIAPI +SetDeviceState ( + IN EDKII_DEVICE_SECURITY_POLICY_PROTOCOL *This, + IN EDKII_DEVICE_IDENTIFIER *DeviceId, + IN EDKII_DEVICE_SECURITY_STATE *DeviceSecurityState + ) +{ + EFI_STATUS Status; + EFI_PCI_IO_PROTOCOL *PciIo; + UINT16 PciVendorId; + UINT16 PciDeviceId; + UINTN Segment; + UINTN Bus; + UINTN Device; + UINTN Function; + + DEBUG ((DEBUG_INFO, "SetDeviceState - 0x%g\n", &DeviceId->DeviceType)); + + if (!CompareGuid (&DeviceId->DeviceType, &gEdkiiDeviceIdentifierTypePciG= uid)) { + return EFI_SUCCESS; + } + + Status =3D gBS->HandleProtocol ( + DeviceId->DeviceHandle, + &gEdkiiDeviceIdentifierTypePciGuid, + (VOID **)&PciIo + ); + if (EFI_ERROR(Status)) { + DEBUG ((DEBUG_ERROR, "Locate - DeviceIdentifierTypePci - %r\n", Status= )); + return EFI_SUCCESS; + } + + Status =3D PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, PCI_VENDOR_ID_OF= FSET, 1, &PciVendorId); + ASSERT_EFI_ERROR(Status); + Status =3D PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, PCI_DEVICE_ID_OF= FSET, 1, &PciDeviceId); + ASSERT_EFI_ERROR(Status); + DEBUG ((DEBUG_INFO, "PCI Info - %04x:%04x\n", PciVendorId, PciDeviceId)); + + Status =3D PciIo->GetLocation ( + PciIo, + &Segment, + &Bus, + &Device, + &Function + ); + if (!EFI_ERROR(Status)) { + DEBUG ((DEBUG_INFO, "PCI Loc - %04x:%02x:%02x:%02x\n", + Segment, Bus, Device, Function)); + } + + DEBUG ((DEBUG_INFO, "State - Measurement - 0x%08x, Authentication - 0x%0= 8x\n", + DeviceSecurityState->MeasurementState, + DeviceSecurityState->AuthenticationState + )); + + return EFI_SUCCESS; +} + +EDKII_DEVICE_SECURITY_POLICY_PROTOCOL mDeviceSecurityPolicy =3D { + 0x1, + GetDevicePolicy, + 
SetDeviceState, +}; + +/** + Entrypoint of the device security driver. + + @param[in] ImageHandle ImageHandle of the loaded driver + @param[in] SystemTable Pointer to the System Table + + @retval EFI_SUCCESS The Protocol is installed. + @retval EFI_OUT_OF_RESOURCES Not enough resources available to initial= ize driver. + @retval EFI_DEVICE_ERROR A device error occurred attempting to ini= tialize the driver. + +**/ +EFI_STATUS +EFIAPI +MainEntryPoint ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + EFI_HANDLE Handle; + EFI_STATUS Status; + + Handle =3D NULL; + Status =3D gBS->InstallProtocolInterface ( + &Handle, + &gEdkiiDeviceSecurityPolicyProtocolGuid, + EFI_NATIVE_INTERFACE, + &mDeviceSecurityPolicy + ); + ASSERT_EFI_ERROR(Status); + + return Status; +} diff --git a/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatf= ormDevicePolicyDxe/SamplePlatformDevicePolicyDxe.inf b/Silicon/Intel/IntelS= iliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/SamplePlatform= DevicePolicyDxe.inf new file mode 100644 index 0000000000..a9b77d8371 --- /dev/null +++ b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevi= cePolicyDxe/SamplePlatformDevicePolicyDxe.inf @@ -0,0 +1,40 @@ +## @file +# EDKII Device Security library for PCI device +# +# Copyright (c) 2019, Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D SamplePlatformDevicePolicyDxe + FILE_GUID =3D 7EA7AACF-7ED3-4166-8271-B21156523620 + MODULE_TYPE =3D DXE_DRIVER + VERSION_STRING =3D 1.0 + ENTRY_POINT =3D MainEntryPoint + +[Sources] + SamplePlatformDevicePolicyDxe.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + IntelSiliconPkg/IntelSiliconPkg.dec + +[LibraryClasses] + UefiRuntimeServicesTableLib + UefiBootServicesTableLib + UefiDriverEntryPoint + MemoryAllocationLib + DevicePathLib + BaseMemoryLib + PrintLib + DebugLib + +[Protocols] + gEdkiiDeviceSecurityPolicyProtocolGuid ## PRODUCES + gEdkiiDeviceIdentifierTypePciGuid ## COMSUMES + +[Depex] + TRUE --=20 2.19.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#49773): https://edk2.groups.io/g/devel/message/49773 Mute This Topic: https://groups.io/mt/40117827/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Sat Apr 20 10:06:11 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+49774+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+49774+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1572525103; cv=none; d=zoho.com; s=zohoarc; b=ZlcP6z4o8KVasECuglj1rLS+V0l955n5i37EVNpBTMjoMawrilhxiO09MDmJ0gwGQbR0OJVKi45Emq6U8y4KT1qRVY9AzebScQ042qbvVYcb8AL1dp9AU6HG16TT8/JBtE+HkxLFT0AkKwKzvXXII3QJS/8eU/i8E0ZmJpvjAfs= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; 
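Review bot: SetDeviceState in the SamplePlatformDevicePolicyDxe.c hunk only logs MeasurementState and AuthenticationState and returns EFI_SUCCESS on every path, so the sample never acts on a failed authentication; since this is the file platform teams will copy, the function comment ("This function sets the device state based upon the authentication result") should state that a production policy is expected to take its decision here, and the HandleProtocol failure branch (`DEBUG ((DEBUG_ERROR, "Locate - DeviceIdentifierTypePci - %r\n", Status));` followed by `return EFI_SUCCESS;`) should either return the error or explain why it is swallowed. Two smaller points in the same hunk: the two PciIo->Pci.Read calls are checked only with ASSERT_EFI_ERROR, so on a RELEASE build PciVendorId/PciDeviceId are printed uninitialized if a read fails (harmless here because they are only logged, but an EFI_ERROR check or a comment would make that explicit), and the literal `0x1` in the mDeviceSecurityPolicy initializer would read better as the protocol's named revision constant.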
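Review bot: in the [Protocols] section of SamplePlatformDevicePolicyDxe.inf, `## COMSUMES` is a typo for `## CONSUMES`. The file header describes the module as "EDKII Device Security library for PCI device", but MODULE_TYPE is DXE_DRIVER and the module installs a sample platform policy protocol, so the description should say that. The visible .c code only needs UefiBootServicesTableLib, UefiDriverEntryPoint, BaseMemoryLib (CompareGuid) and DebugLib; UefiRuntimeServicesTableLib, MemoryAllocationLib, DevicePathLib and PrintLib appear unused unless GetDevicePolicy (not part of this excerpt) needs them, so please trim the [LibraryClasses] list or confirm they are required.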
From: "Yao, Jiewen" To: devel@edk2.groups.io Cc: Ray Ni , Rangasai V Chaganty , Yun Lou Subject: [edk2-devel] [PATCH V2 6/6] IntelSiliconPkg/dsc: Add Device Security component. Date: Thu, 31 Oct 2019 20:31:27 +0800 Message-Id: <20191031123127.10900-7-jiewen.yao@intel.com> In-Reply-To: <20191031123127.10900-1-jiewen.yao@intel.com> References: <20191031123127.10900-1-jiewen.yao@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,jiewen.yao@intel.com X-Gm-Message-State: cKC0GgAEKscEoWkkI4YY4qosx1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1572525102; bh=rYANb14x7EtiVXKkZEyvEqj9jd7gBjRGrlDOZp+XEaM=; h=Cc:Date:From:Reply-To:Subject:To; b=vGPUNa3Q5//GUfJRrLawYDPBzxv0ObFQQeX2fLVgnytNSKN5UATYXvm+yLUbA9d9czL 2nknxcTwoBOExJYy7HjHSfZwgLy6Vw5xMreFJfFQ2nz/EInjczISTGe1AP15G1PhDKzsJ cQ0xY9grPBQp2jERljYe4Elvtl/mB5bEdJE= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D2303 Cc: Ray Ni Cc: Rangasai V Chaganty Cc: Yun Lou Signed-off-by: Jiewen Yao --- Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dsc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dsc b/Silicon/In= tel/IntelSiliconPkg/IntelSiliconPkg.dsc index df8984a606..0a6509d8b3 100644 --- a/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dsc +++ b/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dsc 
@@ -35,6 +35,7 @@ CacheMaintenanceLib|MdePkg/Library/BaseCacheMaintenanceLib/BaseCacheMain= tenanceLib.inf MicrocodeFlashAccessLib|IntelSiliconPkg/Feature/Capsule/Library/Microcod= eFlashAccessLibNull/MicrocodeFlashAccessLibNull.inf PeiGetVtdPmrAlignmentLib|IntelSiliconPkg/Library/PeiGetVtdPmrAlignmentLi= b/PeiGetVtdPmrAlignmentLib.inf + TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurem= entLibNull.inf =20 [LibraryClasses.common.PEIM] PeimEntryPoint|MdePkg/Library/PeimEntryPoint/PeimEntryPoint.inf @@ -75,6 +76,8 @@ =20 [Components] IntelSiliconPkg/Library/DxeSmbiosDataHobLib/DxeSmbiosDataHobLib.inf + IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/IntelPciD= eviceSecurityDxe.inf + IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/Sampl= ePlatformDevicePolicyDxe.inf IntelSiliconPkg/Feature/VTd/IntelVTdDxe/IntelVTdDxe.inf IntelSiliconPkg/Feature/VTd/IntelVTdPmrPei/IntelVTdPmrPei.inf IntelSiliconPkg/Feature/VTd/PlatformVTdSampleDxe/PlatformVTdSampleDxe.inf --=20 2.19.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#49774): https://edk2.groups.io/g/devel/message/49774 Mute This Topic: https://groups.io/mt/40117834/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
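Review bot: the new `TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf` mapping in the [LibraryClasses] hunk resolves the dependency for the package build only; with the Null instance, any device measurement the Device Security driver records is dropped, so a platform DSC that includes IntelPciDeviceSecurityDxe must map TpmMeasurementLib to a real TPM-backed instance to get any attestation value. A one-line comment in the dsc next to the mapping (and a sentence in the commit message) would keep the Null choice from being copied into platform builds.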
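Review bot: the commit message ("Add Device Security component") describes only the [Components] hunk; it should also mention the TpmMeasurementLibNull mapping added in the same patch and note that SamplePlatformDevicePolicyDxe is, as its name says, a sample policy driver built here for package build coverage, so that its presence in IntelSiliconPkg.dsc is not read as a recommendation to include it unchanged in a production platform.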