From: "Yao, Jiewen"
To: devel@edk2.groups.io
Cc: Michael D Kinney, Liming Gao, Yun Lou
Subject: [edk2-devel] [PATCH V3 1/4] MdePkg/Include: Add DMTF SPDM definition.
Date: Thu, 7 Nov 2019 21:37:35 +0800
Message-Id: <20191107133738.23824-2-jiewen.yao@intel.com>
In-Reply-To: <20191107133738.23824-1-jiewen.yao@intel.com>
References: <20191107133738.23824-1-jiewen.yao@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303

Cc: Michael D Kinney
Cc: Liming Gao
Cc: Yun Lou
Signed-off-by: Jiewen Yao
Reviewed by: Liming Gao
---
 MdePkg/Include/IndustryStandard/Spdm.h | 320 +++++++++++++++++++++++++
 1 file changed, 320 insertions(+)
 create mode 100644 MdePkg/Include/IndustryStandard/Spdm.h
diff --git a/MdePkg/Include/IndustryStandard/Spdm.h b/MdePkg/Include/Indust= ryStandard/Spdm.h new file mode 100644 index 0000000000..c05395fea7 --- /dev/null +++ b/MdePkg/Include/IndustryStandard/Spdm.h @@ -0,0 +1,320 @@ +/** @file + Definitions of Security Protocol & Data Model Specification (SPDM) + version 0.99a in Distributed Management Task Force (DMTF). + +Copyright (c) 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + + +#ifndef __SPDM_H__ +#define __SPDM_H__ + +#pragma pack(1) + +/// +/// SPDM response code +/// +#define SPDM_DIGESTS 0x01 +#define SPDM_CERTIFICATE 0x02 +#define SPDM_CHALLENGE_AUTH 0x03 +#define SPDM_VERSION 0x04 +#define SPDM_MEASUREMENTS 0x60 +#define SPDM_CAPABILITIES 0x61 +#define SPDM_SET_CERT_RESPONSE 0x62 +#define SPDM_ALGORITHMS 0x63 +#define SPDM_ERROR 0x7F +/// +/// SPDM request code +/// +#define SPDM_GET_DIGESTS 0x81 +#define SPDM_GET_CERTIFICATE 0x82 +#define SPDM_CHALLENGE 0x83 +#define SPDM_GET_VERSION 0x84 +#define SPDM_GET_MEASUREMENTS 0xE0 +#define SPDM_GET_CAPABILITIES 0xE1 +#define SPDM_NEGOTIATE_ALGORITHMS 0xE3 +#define SPDM_RESPOND_IF_READY 0xFF + +/// +/// SPDM message header +/// +typedef struct { + UINT8 SPDMVersion; + UINT8 RequestResponseCode; + UINT8 Param1; + UINT8 Param2; +} SPDM_MESSAGE_HEADER; + +#define SPDM_MESSAGE_VERSION 0x10 + +/// +/// SPDM GET_VERSION request +/// +typedef struct { + SPDM_MESSAGE_HEADER Header; +} SPDM_GET_VERSION_REQUEST; + +/// +/// SPDM GET_VERSION response +/// +typedef struct { + SPDM_MESSAGE_HEADER Header; + UINT8 Reserved; + UINT8 VersionNumberEntryCount; +//SPDM_VERSION_NUMBER VersionNumberEntry[VersionNumberEntryCount]; +} SPDM_VERSION_RESPONSE; + +/// +/// SPDM VERSION structure +/// +typedef struct { + UINT16 Alpha:4; + UINT16 UpdateVersionNumber:4; + UINT16 MinorVersion:4; + UINT16 MajorVersion:4; +} SPDM_VERSION_NUMBER; + +/// +/// SPDM GET_CAPABILITIES request +/// +typedef struct { + SPDM_MESSAGE_HEADER Header; +} SPDM_GET_CAPABILITIES_REQUEST; + +/// +/// SPDM GET_CAPABILITIES response +/// +typedef struct { + SPDM_MESSAGE_HEADER Header; + UINT8 Reserved; + UINT8 CTExponent; + UINT16 Reserved2; + UINT32 Flags; +} SPDM_CAPABILITIES_RESPONSE; + +/// +/// SPDM GET_CAPABILITIES response Flags +/// +#define SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_CACHE_CAP BIT0 +#define SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_CERT_CAP BIT1 +#define 
SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_CHAL_CAP BIT2 +#define SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MEAS_CAP (BIT3 | BIT4) +#define SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MEAS_CAP_NO_SIG BIT3 +#define SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MEAS_CAP_SIG BIT4 +#define SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MEAS_FRESH_CAP BIT5 + +/// +/// SPDM NEGOTIATE_ALGORITHMS request +/// +typedef struct { + SPDM_MESSAGE_HEADER Header; + UINT16 Length; + UINT8 MeasurementSpecification; + UINT8 Reserved; + UINT32 BaseAsymAlgo; + UINT32 BaseHashAlgo; + UINT8 Reserved2[12]; + UINT8 ExtAsymCount; + UINT8 ExtHashCount; + UINT16 Reserved3; +//UINT32 ExtAsym[ExtAsymCount]; +//UINT32 ExtHash[ExtHashCount]; +} SPDM_NEGOTIATE_ALGORITHMS_REQUEST; + +/// +/// SPDM NEGOTIATE_ALGORITHMS request BaseAsymAlgo +/// +#define SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_RSASSA_2048 BIT0 +#define SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_RSAPSS_2048 BIT1 +#define SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_RSASSA_3072 BIT2 +#define SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_RSAPSS_3072 BIT3 +#define SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_ECDSA_ECC_NIST_P256 BIT4 +#define SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_RSASSA_4096 BIT5 +#define SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_RSAPSS_4096 BIT6 +#define SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_ECDSA_ECC_NIST_P384 BIT7 +#define SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_ECDSA_ECC_NIST_P521 BIT8 + +/// +/// SPDM NEGOTIATE_ALGORITHMS request BaseHashAlgo +/// +#define SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA_256 BIT0 +#define SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA_384 BIT1 +#define SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA_512 BIT2 +#define SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA3_256 BIT3 +#define SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA3_384 BIT4 +#define SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA3_512 BIT5 + +/// +/// SPDM NEGOTIATE_ALGORITHMS response +/// +typedef struct { + SPDM_MESSAGE_HEADER Header; + UINT16 Length; + UINT8 MeasurementSpecificationSel; + UINT8 Reserved; 
+ UINT32 MeasurementHashAlgo; + UINT32 BaseAsymSel; + UINT32 BaseHashSel; + UINT8 Reserved2[12]; + UINT8 ExtAsymSelCount; + UINT8 ExtHashSelCount; + UINT16 Reserved3; +//UINT32 ExtAsymSel[ExtAsymSelCount]; +//UINT32 ExtHashSel[ExtHashSelCount]; +} SPDM_ALGORITHMS_RESPONSE; + +/// +/// SPDM NEGOTIATE_ALGORITHMS response MeasurementHashAlgo +/// +#define SPDM_ALGORITHMS_MEASUREMENT_HASH_ALGO_RAW_BIT_STREAM_ONLY BIT0 +#define SPDM_ALGORITHMS_MEASUREMENT_HASH_ALGO_TPM_ALG_SHA_256 BIT1 +#define SPDM_ALGORITHMS_MEASUREMENT_HASH_ALGO_TPM_ALG_SHA_384 BIT2 +#define SPDM_ALGORITHMS_MEASUREMENT_HASH_ALGO_TPM_ALG_SHA_512 BIT3 +#define SPDM_ALGORITHMS_MEASUREMENT_HASH_ALGO_TPM_ALG_SHA3_256 BIT4 +#define SPDM_ALGORITHMS_MEASUREMENT_HASH_ALGO_TPM_ALG_SHA3_384 BIT5 +#define SPDM_ALGORITHMS_MEASUREMENT_HASH_ALGO_TPM_ALG_SHA3_512 BIT6 + +/// +/// SPDM GET_DIGESTS request +/// +typedef struct { + SPDM_MESSAGE_HEADER Header; +} SPDM_GET_DIGESTS_REQUEST; + +/// +/// SPDM GET_DIGESTS response +/// +typedef struct { + SPDM_MESSAGE_HEADER Header; +//UINT8 Digest[DigestSize]; +} SPDM_DIGESTS_RESPONSE; + +/// +/// SPDM GET_DIGESTS request +/// +typedef struct { + SPDM_MESSAGE_HEADER Header; + UINT16 Offset; + UINT16 Length; +} SPDM_GET_CERTIFICATE_REQUEST; + +/// +/// SPDM GET_DIGESTS response +/// +typedef struct { + SPDM_MESSAGE_HEADER Header; + UINT16 PortionLength; + UINT16 RemainderLength; +//UINT8 CertChain[CertChainSize]; +} SPDM_CERTIFICATE_RESPONSE; + +/// +/// SPDM CHALLENGE request +/// +typedef struct { + SPDM_MESSAGE_HEADER Header; + UINT32 Nonce; +} SPDM_CHALLENGE_REQUEST; + +/// +/// SPDM CHALLENGE response +/// +typedef struct { + SPDM_MESSAGE_HEADER Header; +//UINT8 CertChainHash[DigestSize]; +//UINT32 Nonce; +//UINT8 MeasurementSummaryHash[DigestSize]; +//UINT16 OpaqueLength; +//UINT8 OpaqueData[OpaqueLength]; +//UINT8 Signature[KeySize]; +} SPDM_CHALLENGE_AUTH_RESPONSE; + +/// +/// SPDM GET_MEASUREMENTS request +/// +typedef struct { + SPDM_MESSAGE_HEADER Header; + UINT32 
Nonce; +} SPDM_GET_MEASUREMENTS_REQUEST; + +/// +/// SPDM MEASUREMENTS block common header +/// +typedef struct { + UINT8 Index; + UINT8 MeasurementSpecification; + UINT16 MeasurementSize; +//UINT8 Measurement[MeasurementSize]; +} SPDM_MEASUREMENT_BLOCK_COMMON_HEADER; + +#define SPDM_MEASUREMENT_BLOCK_HEADER_SPECIFICATION_DMTF BIT0 + +/// +/// SPDM MEASUREMENTS block DMTF header +/// +typedef struct { + UINT8 DMTFSpecMeasurementValueType; + UINT16 DMTFSpecMeasurementValueSize; +//UINT8 DMTFSpecMeasurementValue[DMTFSpecMeasurementValueSi= ze]; +} SPDM_MEASUREMENT_BLOCK_DMTF_HEADER; + +/// +/// SPDM MEASUREMENTS block MeasurementValueType +/// +#define SPDM_MEASUREMENT_BLOCK_MEASUREMENT_TYPE_IMMUTABLE_ROM 0 +#define SPDM_MEASUREMENT_BLOCK_MEASUREMENT_TYPE_MUTABLE_FIRMWARE 1 +#define SPDM_MEASUREMENT_BLOCK_MEASUREMENT_TYPE_HARDWARE_CONFIGURATION 2 +#define SPDM_MEASUREMENT_BLOCK_MEASUREMENT_TYPE_FIRMWARE_CONFIGURATION 3 +#define SPDM_MEASUREMENT_BLOCK_MEASUREMENT_TYPE_RAW_BIT_STREAM BI= T7 + +/// +/// SPDM GET_MEASUREMENTS response +/// +typedef struct { + SPDM_MESSAGE_HEADER Header; + UINT8 NumberOfBlocks; + UINT8 MeasurementRecordLength[3]; +//UINT8 MeasurementRecord[MeasurementRecordLength]; +//UINT32 Nonce; +//UINT16 OpaqueLength; +//UINT8 OpaqueData[OpaqueLength]; +//UINT8 Signature[KeySize]; +} SPDM_MEASUREMENTS_RESPONSE; + +/// +/// SPDM ERROR response +/// +typedef struct { + SPDM_MESSAGE_HEADER Header; + // Param1 =3D=3D Error Code + // Param2 =3D=3D Error Data +//UINT8 ExtendedErrorData[]; +} SPDM_ERROR_RESPONSE; + +/// +/// SPDM error code +/// +#define SPDM_ERROR_CODE_INVALID_REQUEST 0x01 +#define SPDM_ERROR_CODE_BUSY 0x03 +#define SPDM_ERROR_CODE_UNEXPECTED_REQUEST 0x04 +#define SPDM_ERROR_CODE_UNSPECIFIED 0x05 +#define SPDM_ERROR_CODE_UNSUPPORTED_REQUEST 0x07 +#define SPDM_ERROR_CODE_MAJOR_VERSION_MISMATCH 0x41 +#define SPDM_ERROR_CODE_RESPONSE_NOT_READY 0x42 +#define SPDM_ERROR_CODE_REQUEST_RESYNCH 0x43 + +/// +/// SPDM RESPONSE_IF_READY request +/// 
+typedef struct { + SPDM_MESSAGE_HEADER Header; + // Param1 =3D=3D RequestCode + // Param2 =3D=3D Token +} SPDM_RESPONSE_IF_READY_REQUEST; + +#pragma pack() + +#endif + --=20 2.19.2.windows.1
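Review bot: In SPDM_CHALLENGE_REQUEST and SPDM_GET_MEASUREMENTS_REQUEST (and in the commented-out response fields), Nonce is declared as UINT32, which gives only 32 bits of freshness for the challenge and signed-measurement exchanges; please check this against the specification text, and if the nonce is a byte string there, declare it as a UINT8 array of that length so the struct size matches the wire format. Separately, the comment blocks above SPDM_GET_CERTIFICATE_REQUEST and SPDM_CERTIFICATE_RESPONSE still read "SPDM GET_DIGESTS request" and "SPDM GET_DIGESTS response" and should say GET_CERTIFICATE. The struct SPDM_RESPONSE_IF_READY_REQUEST and its comment use RESPONSE_IF_READY while the request code is SPDM_RESPOND_IF_READY; pick one spelling. SPDM_VERSION_NUMBER relies on UINT16 bit-fields for a wire-format value, and bit-field ordering is compiler dependent; a plain UINT16 with shift and mask macros would be safer.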
From: "Yao, Jiewen"
To: devel@edk2.groups.io
Cc: Jian J Wang, Hao A Wu, Yun Lou
Subject: [edk2-devel] [PATCH V3 2/4] MdeModulePkg/Include: Add DeviceSecurity.h
Date: Thu, 7 Nov 2019 21:37:36 +0800
Message-Id: <20191107133738.23824-3-jiewen.yao@intel.com>
In-Reply-To: <20191107133738.23824-1-jiewen.yao@intel.com>
References: <20191107133738.23824-1-jiewen.yao@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303

EDKII_DEVICE_SECURITY_PROTOCOL is used for device measurement and/or authentication. It is similar to EFI_SECURITY_ARCH_PROTOCOL.

Cc: Jian J Wang
Cc: Hao A Wu
Cc: Yun Lou
Signed-off-by: Jiewen Yao
---
 .../Include/Protocol/DeviceSecurity.h | 162 ++++++++++++++++++
 1 file changed, 162 insertions(+)
 create mode 100644 MdeModulePkg/Include/Protocol/DeviceSecurity.h
diff --git a/MdeModulePkg/Include/Protocol/DeviceSecurity.h b/MdeModulePkg/= Include/Protocol/DeviceSecurity.h new file mode 100644 index 0000000000..c3bf624cac --- /dev/null +++ b/MdeModulePkg/Include/Protocol/DeviceSecurity.h
@@ -0,0 +1,162 @@ +/** @file + Device Security Protocol definition. + + It is used to authenticate a device based upon the platform policy. + It is similar to the EFI_SECURITY_ARCH_PROTOCOL, which is used to verify= a image. + +Copyright (c) 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + + +#ifndef __DEVICE_SECURITY_H__ +#define __DEVICE_SECURITY_H__ + +// +// Device Security Protocol GUID value +// +#define EDKII_DEVICE_SECURITY_PROTOCOL_GUID \ + { \ + 0x5d6b38c8, 0x5510, 0x4458, { 0xb4, 0x8d, 0x95, 0x81, 0xcf, 0xa7, 0x= b0, 0xd } \ + } + +// +// Forward reference for pure ANSI compatability +// +typedef struct _EDKII_DEVICE_SECURITY_PROTOCOL EDKII_DEVICE_SECURITY_PROT= OCOL; + +// +// Revision The revision to which the DEVICE_SECURITY interface adheres. +// All future revisions must be backwards compatible. +// If a future version is not back wards compatible it is not the= same GUID. +// +#define EDKII_DEVICE_SECURITY_PROTOCOL_REVISION 0x00010000 + +// +// The device identifier. +// +typedef struct { + /// + /// Version of this data structure. + /// + UINT32 Version; + /// + /// Type of the device. + /// This field is also served as a device Access protocol GUID. + /// The device access protocol is installed on the DeviceHandle. + /// The device access protocol is device specific. + /// EDKII_DEVICE_IDENTIFIER_TYPE_PCI_GUID means the device access prot= ocol is PciIo. + /// EDKII_DEVICE_IDENTIFIER_TYPE_USB_GUID means the device access prot= ocol is UsbIo. + /// + EFI_GUID DeviceType; + /// + /// The handle created for this device. + /// NOTE: This might be a temporary handle. + /// If the device is not authenticated, this handle shall be unins= talled. + /// + /// As minimal requirement, there should be 2 protocols installed on the= device handle. + /// 1) An EFI_DEVICE_PATH_PROTOCOL with EFI_DEVICE_PATH_PROTOCOL_GUID. + /// 2) A device access protocol with EDKII_DEVICE_IDENTIFIER_TYPE_xxx_GU= ID. + /// If the device is PCI device, the EFI_PCI_IO_PROTOCOL is installed= with + /// EDKII_DEVICE_IDENTIFIER_TYPE_PCI_GUID. + /// If the device is USB device, the EFI_USB_IO_PROTOCOL is installed= with + /// EDKII_DEVICE_IDENTIFIER_TYPE_USB_GUID. 
+ /// + /// The device access protocol is required, because the verifier need= have a way + /// to communciate with the device hardware to get the measurement or= do the + /// challenge/response for the device authentication. + /// + /// NOTE: We don't use EFI_PCI_IO_PROTOCOL_GUID or EFI_USB_IO_PROTOCOL_G= UID here, + /// because we don't want to expose a real protocol. A platform ma= y have driver + /// register a protocol notify function. Installing a real protoco= l may cause + /// the callback function being executed before the device is auth= enticated. + /// + EFI_HANDLE DeviceHandle; +} EDKII_DEVICE_IDENTIFIER; + +// +// Revision The revision to which the DEVICE_IDENTIFIER interface adheres. +// All future revisions must be backwards compatible. +// +#define EDKII_DEVICE_IDENTIFIER_REVISION 0x00010000 + +// +// Device Identifier GUID value +// +#define EDKII_DEVICE_IDENTIFIER_TYPE_PCI_GUID \ + { \ + 0x2509b2f1, 0xa022, 0x4cca, { 0xaf, 0x70, 0xf9, 0xd3, 0x21, 0xfb, 0x= 66, 0x49 } \ + } + +#define EDKII_DEVICE_IDENTIFIER_TYPE_USB_GUID \ + { \ + 0x7394f350, 0x394d, 0x488c, { 0xbb, 0x75, 0xc, 0xab, 0x7b, 0x12, 0xa= , 0xc5 } \ + } + +/** + The device driver uses this service to measure and/or verify a device. + + The flow in device driver is: + 1) Device driver discovers a new device. + 2) Device driver creates an EFI_DEVICE_PATH_PROTOCOL. + 3) Device driver creates a device access protocol. e.g. + EFI_PCI_IO_PROTOCOL for PCI device. + EFI_USB_IO_PROTOCOL for USB device. + EFI_EXT_SCSI_PASS_THRU_PROTOCOL for SCSI device. + EFI_ATA_PASS_THRU_PROTOCOL for ATA device. + EFI_NVM_EXPRESS_PASS_THRU_PROTOCOL for NVMe device. + EFI_SD_MMC_PASS_THRU_PROTOCOL for SD/MMC device. + 4) Device driver installs the EFI_DEVICE_PATH_PROTOCOL with EFI_DEVICE_P= ATH_PROTOCOL_GUID, + and the device access protocol with EDKII_DEVICE_IDENTIFIER_TYPE_xxx_= GUID. + Once it is done, a DeviceHandle is returned. 
+ 5) Device driver creates EDKII_DEVICE_IDENTIFIER with EDKII_DEVICE_IDENT= IFIER_TYPE_xxx_GUID + and the DeviceHandle. + 6) Device driver calls DeviceAuthenticate(). + 7) If DeviceAuthenticate() returns EFI_SECURITY_VIOLATION, the device dr= iver uninstalls + all protocols on this handle. + 8) If DeviceAuthenticate() returns EFI_SUCCESS, the device driver instal= ls the device access + protocol with a real protocol GUID. e.g. + EFI_PCI_IO_PROTOCOL with EFI_PCI_IO_PROTOCOL_GUID. + EFI_USB_IO_PROTOCOL with EFI_USB_IO_PROTOCOL_GUID. + + @param[in] This The protocol instance pointer. + @param[in] DeviceId The Identifier for the device. + + @retval EFI_SUCCESS The device specified by the DeviceId pa= ssed the measurement + and/or authentication based upon the pl= atform policy. + If TCG measurement is required, the mea= surement is extended to TPM PCR. + @retval EFI_SECURITY_VIOLATION The device fails to return the measurem= ent data. + @retval EFI_SECURITY_VIOLATION The device fails to response the authen= tication request. + @retval EFI_SECURITY_VIOLATION The system fails to verify the device b= ased upon the authentication response. + @retval EFI_SECURITY_VIOLATION The system fails to extend the measurem= ent to TPM PCR. +**/ +typedef +EFI_STATUS +(EFIAPI *EDKII_DEVICE_AUTHENTICATE)( + IN EDKII_DEVICE_SECURITY_PROTOCOL *This, + IN EDKII_DEVICE_IDENTIFIER *DeviceId + ); + +/// +/// Device Security Protocol structure. +/// It is similar to the EFI_SECURITY_ARCH_PROTOCOL, which is used to veri= fy a image. +/// This protocol is used to authenticate a device based upon the platform= policy. +/// +struct _EDKII_DEVICE_SECURITY_PROTOCOL { + UINT64 Revision; + EDKII_DEVICE_AUTHENTICATE DeviceAuthenticate; +}; + +/// +/// Device Security Protocol GUID variable. +/// +extern EFI_GUID gEdkiiDeviceSecurityProtocolGuid; + +/// +/// Device Identifier tpye GUID variable. 
+/// +extern EFI_GUID gEdkiiDeviceIdentifierTypePciGuid; +extern EFI_GUID gEdkiiDeviceIdentifierTypeUsbGuid; + +#endif --=20 2.19.2.windows.1
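Review bot: The flow in the DeviceAuthenticate() header comment (steps 7 and 8) and the @retval list only cover EFI_SUCCESS and EFI_SECURITY_VIOLATION, so a caller is not told what to do with any other status, such as an allocation failure. Please state that any status other than EFI_SUCCESS is handled like step 7 (uninstall all protocols on the temporary handle), so that bus drivers fail closed. Also, EDKII_DEVICE_IDENTIFIER has a field named Version while the matching macro is EDKII_DEVICE_IDENTIFIER_REVISION, and the comments carry typos worth fixing before merge: "compatability", "communciate", "tpye", "fails to response".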
From: "Yao, Jiewen"
To: devel@edk2.groups.io
Cc: Jian J Wang, Hao A Wu, Yun Lou
Subject: [edk2-devel] [PATCH V3 3/4] MdeModulePkg/dec: Add EdkiiDeviceSecurityProtocolGuid.
Date: Thu, 7 Nov 2019 21:37:37 +0800
Message-Id: <20191107133738.23824-4-jiewen.yao@intel.com>
In-Reply-To: <20191107133738.23824-1-jiewen.yao@intel.com>
References: <20191107133738.23824-1-jiewen.yao@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303

Cc: Jian J Wang
Cc: Hao A Wu
Cc: Yun Lou
Signed-off-by: Jiewen Yao
---
 MdeModulePkg/MdeModulePkg.dec | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec index d6bac974da..b7356aa4ed 100644 --- a/MdeModulePkg/MdeModulePkg.dec +++ b/MdeModulePkg/MdeModulePkg.dec
@@ -584,6 +584,11 @@ ## Include/Protocol/IoMmu.h gEdkiiIoMmuProtocolGuid =3D { 0x4e939de9, 0xd948, 0x4b0f, { 0x88, 0xed, = 0xe6, 0xe1, 0xce, 0x51, 0x7c, 0x1e } } =20 + ## Include/Protocol/DeviceSecurity.h + gEdkiiDeviceSecurityProtocolGuid =3D { 0x5d6b38c8, 0x5510, 0x4458, { 0x= b4, 0x8d, 0x95, 0x81, 0xcf, 0xa7, 0xb0, 0xd } } + gEdkiiDeviceIdentifierTypePciGuid =3D { 0x2509b2f1, 0xa022, 0x4cca, { 0x= af, 0x70, 0xf9, 0xd3, 0x21, 0xfb, 0x66, 0x49 } } + gEdkiiDeviceIdentifierTypeUsbGuid =3D { 0x7394f350, 0x394d, 0x488c, { 0x= bb, 0x75, 0xc, 0xab, 0x7b, 0x12, 0xa, 0xc5 } } + ## Include/Protocol/SmmMemoryAttribute.h gEdkiiSmmMemoryAttributeProtocolGuid =3D { 0x69b792ea, 0x39ce, 0x402d, {= 0xa2, 0xa6, 0xf7, 0x21, 0xde, 0x35, 0x1d, 0xfe } } =20 --=20 2.19.2.windows.1
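Review bot: The three added GUID entries write some bytes as single hex digits (0xd, 0xc, 0xa) while the neighbouring gEdkiiIoMmuProtocolGuid and gEdkiiSmmMemoryAttributeProtocolGuid entries use two digits throughout; zero-padding them (0x0d, 0x0c, 0x0a) keeps the section consistent and makes the values easier to compare against the macros in DeviceSecurity.h. A short comment saying that the two gEdkiiDeviceIdentifierType GUIDs are the alias GUIDs under which the device access protocol is installed before authentication would also help readers of the .dec, since they sit next to ordinary protocol GUIDs here.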
From: "Yao, Jiewen"
To: devel@edk2.groups.io
Cc: Jian J Wang, Hao A Wu, Ray Ni, Yun Lou
Subject: [edk2-devel] [PATCH V3 4/4] MdeModulePkg/Pci: Add DeviceSecurity support.
Date: Thu, 7 Nov 2019 21:37:38 +0800
Message-Id: <20191107133738.23824-5-jiewen.yao@intel.com>
In-Reply-To: <20191107133738.23824-1-jiewen.yao@intel.com>
References: <20191107133738.23824-1-jiewen.yao@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303

Whenever a PCI device is discovered, PCI bus calls the EDKII_DEVICE_SECURITY_PROTOCOL to authenticate it. If the function returns success, the PCI bus allocates the resource and installs the PCI_IO for the device. If the function returns fail, the PCI bus skips the device.

It is similar to EFI_SECURITY_ARCH_PROTOCOL, which is used to verify an EFI image.

Cc: Jian J Wang
Cc: Hao A Wu
Cc: Ray Ni
Cc: Yun Lou
Signed-off-by: Jiewen Yao
Reviewed-by: Ray Ni
---
 MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.c | 12 ++-
 MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.h | 1 +
 MdeModulePkg/Bus/Pci/PciBusDxe/PciBusDxe.inf | 4 +-
 .../Bus/Pci/PciBusDxe/PciEnumeratorSupport.c | 77 +++++++++++++++++++
 MdeModulePkg/Bus/Pci/PciBusDxe/PciLib.c | 4 +-
 5 files changed, 94 insertions(+), 4 deletions(-)
diff --git a/MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.c b/MdeModulePkg/Bus/Pci= /PciBusDxe/PciBus.c index b020ce50ce..64284ac825 100644 --- a/MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.c +++ b/MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.c @@ -8,7 +8,7 @@ PCI Root Bridges. So it means platform needs install PCI Root Bridge IO = protocol for each PCI Root Bus and install PCI Host Bridge Resource Allocation Protocol. =20 -Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
+Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.
SPDX-License-Identifier: BSD-2-Clause-Patent =20 **/ @@ -37,7 +37,7 @@ UINT64 gAllZero = =3D 0; EFI_PCI_PLATFORM_PROTOCOL *gPciPlatformProtocol; EFI_PCI_OVERRIDE_PROTOCOL *gPciOverrideProtocol; EDKII_IOMMU_PROTOCOL *mIoMmuProtocol; - +EDKII_DEVICE_SECURITY_PROTOCOL *mDeviceSecurityProtocol; =20 GLOBAL_REMOVE_IF_UNREFERENCED EFI_PCI_HOTPLUG_REQUEST_PROTOCOL mPciHotPlug= Request =3D { PciHotPlugRequestNotify @@ -293,6 +293,14 @@ PciBusDriverBindingStart ( ); } =20 + if (mDeviceSecurityProtocol =3D=3D NULL) { + gBS->LocateProtocol ( + &gEdkiiDeviceSecurityProtocolGuid, + NULL, + (VOID **) &mDeviceSecurityProtocol + ); + } + if (PcdGetBool (PcdPciDisableBusEnumeration)) { gFullEnumeration =3D FALSE; } else { diff --git a/MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.h b/MdeModulePkg/Bus/Pci= /PciBusDxe/PciBus.h index 504a1b1c12..d4113993c8 100644 --- a/MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.h +++ b/MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.h @@ -27,6 +27,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include #include #include +#include =20 #include #include diff --git a/MdeModulePkg/Bus/Pci/PciBusDxe/PciBusDxe.inf b/MdeModulePkg/Bu= s/Pci/PciBusDxe/PciBusDxe.inf index 05c22025b8..9284998f36 100644 --- a/MdeModulePkg/Bus/Pci/PciBusDxe/PciBusDxe.inf +++ b/MdeModulePkg/Bus/Pci/PciBusDxe/PciBusDxe.inf @@ -2,7 +2,7 @@ # The PCI bus driver will probe all PCI devices and allocate MMIO and IO = space for these devices. # Please use PCD feature flag PcdPciBusHotplugDeviceSupport to enable hot= plug supporting. # -# Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.
+# Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.
# # SPDX-License-Identifier: BSD-2-Clause-Patent # @@ -90,6 +90,8 @@ gEfiIncompatiblePciDeviceSupportProtocolGuid ## SOMETIMES_CONSUMES gEfiLoadFile2ProtocolGuid ## SOMETIMES_PRODUCES gEdkiiIoMmuProtocolGuid ## SOMETIMES_CONSUMES + gEdkiiDeviceSecurityProtocolGuid ## SOMETIMES_CONSUMES + gEdkiiDeviceIdentifierTypePciGuid ## SOMETIMES_CONSUMES gEfiLoadedImageDevicePathProtocolGuid ## CONSUMES =20 [FeaturePcd] diff --git a/MdeModulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c b/MdeMod= ulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c index c7eafff593..f8020f4e72 100644 --- a/MdeModulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c +++ b/MdeModulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c @@ -10,6 +10,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #include "PciBus.h" =20 extern CHAR16 *mBarTypeStr[]; +extern EDKII_DEVICE_SECURITY_PROTOCOL *mDeviceSec= urityProtocol; =20 #define OLD_ALIGN 0xFFFFFFFFFFFFFFFFULL #define EVEN_ALIGN 0xFFFFFFFFFFFFFFFEULL 
@@ -2070,6 +2071,67 @@ InitializeP2C ( PciIo->Pci.Write (PciIo, EfiPciIoWidthUint8, 0x3C, 1, &gAllZero); } =20 +/* + Authenticate the PCI device by using DeviceSecurityProtocol. + + @param PciIoDevice PCI device. + + @retval EFI_SUCCESS The device passes the authentication. + @return not EFI_SUCCESS The device failes the authentication or + unexpected error happen during authentication. +*/ +EFI_STATUS +AuthenticatePciDevice ( + IN PCI_IO_DEVICE *PciIoDevice + ) +{ + EDKII_DEVICE_IDENTIFIER DeviceIdentifier; + EFI_STATUS Status; + + if (mDeviceSecurityProtocol !=3D NULL) { + // + // Prepare the parameter + // + DeviceIdentifier.Version =3D EDKII_DEVICE_IDENTIFIER_REVISION; + CopyGuid (&DeviceIdentifier.DeviceType, &gEdkiiDeviceIdentifierTypePci= Guid); + DeviceIdentifier.DeviceHandle =3D NULL; + Status =3D gBS->InstallMultipleProtocolInterfaces ( + &DeviceIdentifier.DeviceHandle, + &gEfiDevicePathProtocolGuid, + PciIoDevice->DevicePath, + &gEdkiiDeviceIdentifierTypePciGuid, + &PciIoDevice->PciIo, + NULL + ); + if (EFI_ERROR(Status)) { + return Status; + } + + // + // Do DeviceAuthentication + // + Status =3D mDeviceSecurityProtocol->DeviceAuthenticate (mDeviceSecurit= yProtocol, &DeviceIdentifier); + // + // Always uninstall, because they are only for Authentication. + // No need to check return Status. + // + gBS->UninstallMultipleProtocolInterfaces ( + DeviceIdentifier.DeviceHandle, + &gEfiDevicePathProtocolGuid, + PciIoDevice->DevicePath, + &gEdkiiDeviceIdentifierTypePciGuid, + &PciIoDevice->PciIo, + NULL + ); + return Status; + } + + // + // Device Security Protocol is not found, just return success + // + return EFI_SUCCESS; +} + /** Create and initialize general PCI I/O device instance for PCI device/bridge device/hotplug bridge device. 
@@ -2156,6 +2218,21 @@ CreatePciIoDevice ( PciIoDevice->IsPciExp =3D TRUE; } =20 + // + // Now we can do the authentication check for the device. + // + Status =3D AuthenticatePciDevice (PciIoDevice); + // + // If authentication fails, skip this device. + // + if (EFI_ERROR(Status)) { + if (PciIoDevice->DevicePath !=3D NULL) { + FreePool (PciIoDevice->DevicePath); + } + FreePool (PciIoDevice); + return NULL; + } + if (PcdGetBool (PcdAriSupport)) { // // Check if the device is an ARI device. diff --git a/MdeModulePkg/Bus/Pci/PciBusDxe/PciLib.c b/MdeModulePkg/Bus/Pci= /PciBusDxe/PciLib.c index 5b55fb5d3b..72690ab647 100644 --- a/MdeModulePkg/Bus/Pci/PciBusDxe/PciLib.c +++ b/MdeModulePkg/Bus/Pci/PciBusDxe/PciLib.c @@ -1054,7 +1054,9 @@ PciScanBus ( &PciDevice ); =20 - ASSERT (!EFI_ERROR (Status)); + if (EFI_ERROR (Status)) { + continue; + } =20 PciAddress =3D EFI_PCI_ADDRESS (StartBusNumber, Device, Func, 0); =20 --=20 2.19.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#50217): https://edk2.groups.io/g/devel/message/50217 Mute This Topic: https://groups.io/mt/46026489/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
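Review bot: In PciBus.c, PciBusDriverBindingStart, the return value of gBS->LocateProtocol (&gEdkiiDeviceSecurityProtocolGuid, ...) is discarded, and AuthenticatePciDevice treats a NULL mDeviceSecurityProtocol as EFI_SUCCESS, so any bus started before the security driver has installed its protocol enumerates every device unauthenticated with no indication. The INF hunk marks the protocol SOMETIMES_CONSUMES, so nothing visible here orders the two drivers. Suggest documenting the ordering requirement next to this lookup and emitting a DEBUG message when the protocol is absent, so that a fail-open boot is at least visible in the log.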
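Review bot: In PciBusDxe.inf, gEdkiiDeviceIdentifierTypePciGuid is tagged ## SOMETIMES_CONSUMES, but AuthenticatePciDevice installs it on a temporary handle with InstallMultipleProtocolInterfaces and then uninstalls it; the driver never locates or opens it. The usage comment should read SOMETIMES_PRODUCES so that the INF matches what the code does.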
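Review bot: In AuthenticatePciDevice (PciEnumeratorSupport.c), the result of gBS->UninstallMultipleProtocolInterfaces is dropped under the comment "No need to check return Status", yet the interface installed on that temporary handle is &PciIoDevice->PciIo, and CreatePciIoDevice calls FreePool (PciIoDevice) when authentication fails. If the uninstall fails, for example because the DeviceAuthenticate implementation left the protocol open, the handle database keeps a pointer into freed memory. Suggest checking the status before returning, at minimum with ASSERT_EFI_ERROR. Separately, the function header comment opens with /* rather than /**, and "failes" should be "fails".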
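Review bot: In CreatePciIoDevice, the EFI_ERROR (Status) branch after AuthenticatePciDevice frees the device and returns NULL without recording anything, so a rejected device leaves no trace in the boot log and cannot be told apart from one that was never present. Suggest a DEBUG ((DEBUG_ERROR, ...)) line carrying Status and the device's bus/device/function before the FreePool calls, so that an authentication rejection can be audited.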
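Review bot: In PciScanBus (PciLib.c), replacing ASSERT (!EFI_ERROR (Status)) with if (EFI_ERROR (Status)) { continue; } turns every error from the preceding call into a silent skip, not only an authentication rejection, so failures the ASSERT used to catch in debug builds now pass unnoticed. Suggest having the authentication path surface a distinct status such as EFI_SECURITY_VIOLATION, continuing only on that value, and keeping the ASSERT for everything else.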