From: "Yao, Jiewen"
To: devel@edk2.groups.io
Cc: Ray Ni, Rangasai V Chaganty, Yun Lou
Subject: [edk2-devel] [PATCH V3 1/6] IntelSiliconPkg/Include: Add Intel PciSecurity definition.
Date: Thu, 7 Nov 2019 21:38:26 +0800
Message-Id: <20191107133831.22412-2-jiewen.yao@intel.com>
In-Reply-To: <20191107133831.22412-1-jiewen.yao@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303

Cc: Ray Ni
Cc: Rangasai V Chaganty
Cc: Yun Lou
Signed-off-by: Jiewen Yao
Reviewed-by: Ray Ni
---
 .../IndustryStandard/IntelPciSecurity.h | 92 +++++++++++++++++++
 1 file changed, 92 insertions(+)
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Include/IndustryStandard/IntelPciSecurity.h
diff --git a/Silicon/Intel/IntelSiliconPkg/Include/IndustryStandard/IntelPc= iSecurity.h b/Silicon/Intel/IntelSiliconPkg/Include/IndustryStandard/IntelP= ciSecurity.h new file mode 100644 index 0000000000..f2bdb7ee2d --- /dev/null +++ b/Silicon/Intel/IntelSiliconPkg/Include/IndustryStandard/IntelPciSecuri= ty.h @@ -0,0 +1,92 @@ +/** @file + Intel PCI security data structure definition from + PCIe* Device Security Enhancements Specification. + + https://www.intel.com/content/www/us/en/io/pci-express/pcie-device-secur= ity-enhancements-spec.html + + NOTE: The data structure is not fully match the current specification, + because it is aligned with the real hardware implementation with minor a= djustment + on INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, INTEL_PCI_DIGEST_DATA_MODIFIED= and + INTEL_PCI_DIGEST_DATA_VALID. + +Copyright (c) 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef __INTEL_PCI_SECURITY_H__ +#define __INTEL_PCI_SECURITY_H__ + +#pragma pack(1) + +/// +/// The PCIE capability structure header for Intel PCI DVSEC extension. +/// +typedef struct { + UINT16 CapId; // 0x23: DVSEC + UINT16 CapVersion:4; // 1 + UINT16 NextOffset:12; + UINT16 DvSecVendorId; // 0x8086 + UINT16 DvSecRevision:4; // 1 + UINT16 DvSecLength:12; + UINT16 DvSecId; // 0x3E: Measure +} INTEL_PCI_DIGEST_CAPABILITY_HEADER; + +#define INTEL_PCI_CAPID_DVSEC 0x23 +#define INTEL_PCI_DVSEC_VENDORID_INTEL 0x8086 +#define INTEL_PCI_DVSEC_DVSECID_MEASUREMENT 0x3E + +/// +/// The Intel PCI digest modified macro. +/// +#define INTEL_PCI_DIGEST_MODIFIED BIT0 + +/// +/// The Intel PCI DVSEC digest data modified structure. +/// +typedef union { + struct { + UINT8 DigestModified:1; // RW1C + UINT8 Reserved0:7; + } Bits; + UINT8 Data; +} INTEL_PCI_DIGEST_DATA_MODIFIED; + +/// +/// The Intel PCI digest valid macro. +/// +#define INTEL_PCI_DIGEST_0_VALID BIT0 +#define INTEL_PCI_DIGEST_0_LOCKED BIT1 +#define INTEL_PCI_DIGEST_1_VALID BIT2 +#define INTEL_PCI_DIGEST_1_LOCKED BIT3 + +/// +/// The Intel PCI DVSEC digest data valid structure. +/// +typedef union { + struct { + UINT8 Digest0Valid:1; // RO + UINT8 Digest0Locked:1; // RO + UINT8 Digest1Valid:1; // RO + UINT8 Digest1Locked:1; // RO + UINT8 Reserved1:4; + } Bits; + UINT8 Data; +} INTEL_PCI_DIGEST_DATA_VALID; + +/// +/// The PCIE capability structure for Intel PCI DVSEC extension with diges= t. +/// +typedef struct { + INTEL_PCI_DIGEST_DATA_MODIFIED Modified; // RW1C + INTEL_PCI_DIGEST_DATA_VALID Valid; // RO + UINT16 TcgAlgId; // RO + UINT8 FirmwareID; // RO + UINT8 Reserved; +//UINT8 Digest[]; +} INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE; + +#pragma pack() + +#endif + --=20 2.19.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. 
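Review bot: the NOTE in the file header says the structure "is not fully match" the published specification because it follows the hardware, but it never says which fields of INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, INTEL_PCI_DIGEST_DATA_MODIFIED and INTEL_PCI_DIGEST_DATA_VALID differ; please list the concrete deviations (field, spec layout, hardware layout) so a reader comparing against the spec can tell intended differences from mistakes. Two smaller points in the same hunk: the digest is left as the commented-out `//UINT8 Digest[];`, so the structure comment should state that the digest bytes follow the structure with a length derived from TcgAlgId; and because `DigestModified` is marked RW1C, a comment that consumers clear it by writing a byte with only BIT0 set (not by a read-modify-write of `Data`) would prevent accidental clears. Grammar in the header comment: "is not fully match" should be "does not fully match", and "minor adjustment" should be "minor adjustments".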
View/Reply Online (#50220): https://edk2.groups.io/g/devel/message/50220
Mute This Topic: https://groups.io/mt/46027867/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub

From: "Yao, Jiewen"
To: devel@edk2.groups.io
Cc: Ray Ni, Rangasai V Chaganty, Yun Lou
Subject: [edk2-devel] [PATCH V3 2/6] IntelSiliconPkg/Include: Add Platform Device Security Policy protocol
Date: Thu, 7 Nov 2019 21:38:27 +0800
Message-Id: <20191107133831.22412-3-jiewen.yao@intel.com>
In-Reply-To: <20191107133831.22412-1-jiewen.yao@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303

Cc: Ray Ni
Cc: Rangasai V Chaganty
Cc: Yun Lou
Signed-off-by: Jiewen Yao --- .../Protocol/PlatformDeviceSecurityPolicy.h | 128 ++++++++++++++++++ 1 file changed, 128 insertions(+) create mode 100644 Silicon/Intel/IntelSiliconPkg/Include/Protocol/Platform= DeviceSecurityPolicy.h diff --git a/Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceS= ecurityPolicy.h b/Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDe= viceSecurityPolicy.h new file mode 100644 index 0000000000..b151781de2 --- /dev/null +++ b/Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecurity= Policy.h @@ -0,0 +1,128 @@ +/** @file + Platform Device Security Policy Protocol definition + + Copyright (c) 2019, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + + +#ifndef __EDKII_DEVICE_SECURITY_POLICY_PROTOCOL_H__ +#define __EDKII_DEVICE_SECURITY_POLICY_PROTOCOL_H__ + +#include +#include + +typedef struct _EDKII_DEVICE_SECURITY_POLICY_PROTOCOL EDKII_DEVICE_SECURIT= Y_POLICY_PROTOCOL; + +// +// Revision The revision to which the DEVICE_SECURITY_POLICY protocol inte= rface adheres. +// All future revisions must be backwards compatible. +// If a future version is not back wards compatible it is not the= same GUID. +// +#define EDKII_DEVICE_SECURITY_POLICY_PROTOCOL_REVISION 0x00010000 + +// +// Revision The revision to which the DEVICE_SECURITY_POLICY structure adh= eres. +// All future revisions must be backwards compatible. +// +#define EDKII_DEVICE_SECURITY_POLICY_REVISION 0x00010000 + +/// +/// The macro for the policy defined in EDKII_DEVICE_SECURITY_POLICY +/// +#define EDKII_DEVICE_MEASUREMENT_REQUIRED BIT0 +#define EDKII_DEVICE_AUTHENTICATION_REQUIRED BIT0 + +/// +/// The device security policy data structure +/// +typedef struct { + UINT32 Version; + UINT32 MeasurementPolicy; + UINT32 AuthenticationPolicy; +} EDKII_DEVICE_SECURITY_POLICY; + +// +// Revision The revision to which the DEVICE_SECURITY_STATE structure adhe= res. +// All future revisions must be backwards compatible. 
+// +#define EDKII_DEVICE_SECURITY_STATE_REVISION 0x00010000 + +/// +/// The macro for the state defined in EDKII_DEVICE_SECURITY_STATE +/// +#define EDKII_DEVICE_SECURITY_STATE_SUCCESS 0 +#define EDKII_DEVICE_SECURITY_STATE_ERROR BIT31 +#define EDKII_DEVICE_SECURITY_STATE_ERROR_UEFI_UNSUPPORTED (EDKI= I_DEVICE_SECURITY_STATE_ERROR + 0x0) +#define EDKII_DEVICE_SECURITY_STATE_ERROR_UEFI_GET_POLICY_PROTOCOL (EDKI= I_DEVICE_SECURITY_STATE_ERROR + 0x1) +#define EDKII_DEVICE_SECURITY_STATE_ERROR_PCI_NO_CAPABILITIES (EDKI= I_DEVICE_SECURITY_STATE_ERROR + 0x10) +#define EDKII_DEVICE_SECURITY_STATE_ERROR_TCG_EXTEND_TPM_PCR (EDKI= I_DEVICE_SECURITY_STATE_ERROR + 0x20) + +/// +/// The device security state data structure +/// +typedef struct { + UINT32 Version; + UINT32 MeasurementState; + UINT32 AuthenticationState; +} EDKII_DEVICE_SECURITY_STATE; + +/** + This function returns the device security policy associated with the dev= ice. + + The device security driver may call this interface to get the platform p= olicy + for the specific device and determine if the measurement or authenticati= on + is required. + + @param[in] This The protocol instance pointer. + @param[in] DeviceId The Identifier for the device. + @param[out] DeviceSecurityPolicy The Device Security Policy associated= with the device. + + @retval EFI_SUCCESS The device security policy is returned + @retval EFI_UNSUPPORTED The function is unsupported for the s= pecific Device. +**/ +typedef +EFI_STATUS +(EFIAPI *EDKII_DEVICE_SECURITY_GET_DEVICE_POLICY) ( + IN EDKII_DEVICE_SECURITY_POLICY_PROTOCOL *This, + IN EDKII_DEVICE_IDENTIFIER *DeviceId, + OUT EDKII_DEVICE_SECURITY_POLICY *DeviceSecurityPolicy + ); + +/** + This function sets the device state based upon the authentication result. + + The device security driver may call this interface to give the platform + a notify based upon the measurement or authentication result. + If the authentication or measurement fails, the platform may choose: + 1) Do nothing. 
+ 2) Disable this device or slot temporarily and continue boot. + 3) Reset the platform and retry again. + 4) Disable this device or slot permanently. + 5) Any other platform specific action. + + @param[in] This The protocol instance pointer. + @param[in] DeviceId The Identifier for the device. + @param[in] DeviceSecurityState The Device Security state associated = with the device. + + @retval EFI_SUCCESS The device state is set. + @retval EFI_UNSUPPORTED The function is unsupported for the s= pecific Device. +**/ +typedef +EFI_STATUS +(EFIAPI *EDKII_DEVICE_SECURITY_NOTIFY_DEVICE_STATE) ( + IN EDKII_DEVICE_SECURITY_POLICY_PROTOCOL *This, + IN EDKII_DEVICE_IDENTIFIER *DeviceId, + IN EDKII_DEVICE_SECURITY_STATE *DeviceSecurityState + ); + +struct _EDKII_DEVICE_SECURITY_POLICY_PROTOCOL { + UINT32 Version; + EDKII_DEVICE_SECURITY_GET_DEVICE_POLICY GetDevicePolicy; + EDKII_DEVICE_SECURITY_NOTIFY_DEVICE_STATE NotifyDeviceState; +}; + +extern EFI_GUID gEdkiiDeviceSecurityPolicyProtocolGuid; + +#endif --=20 2.19.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. 
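Review bot: `EDKII_DEVICE_MEASUREMENT_REQUIRED` and `EDKII_DEVICE_AUTHENTICATION_REQUIRED` are both defined as BIT0 in the policy-macro block; that is only correct because they apply to the separate MeasurementPolicy and AuthenticationPolicy fields, so a comment on each line naming the field it belongs to would stop readers from taking it for a copy-paste error. Also, EDKII_DEVICE_IDENTIFIER is used by both function typedefs but is not defined in this file, and the two `#include` lines at the top show no file name as rendered here; please confirm one of them supplies that type. Typos in the comments: "back wards" should be "backwards", "a notify" should be "a notification", and "the= same GUID" is a wrapped "the same GUID".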
View/Reply Online (#50221): https://edk2.groups.io/g/devel/message/50221

From: "Yao, Jiewen"
To: devel@edk2.groups.io
Cc: Ray Ni, Rangasai V Chaganty, Yun Lou
Subject: [edk2-devel] [PATCH V3 3/6] IntelSiliconPkg/dec: Add ProtocolGuid definition.
Date: Thu, 7 Nov 2019 21:38:28 +0800
Message-Id: <20191107133831.22412-4-jiewen.yao@intel.com>
In-Reply-To: <20191107133831.22412-1-jiewen.yao@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303

Cc: Ray Ni
Cc: Rangasai V Chaganty
Cc: Yun Lou
Signed-off-by: Jiewen Yao Reviewed-by: Ray Ni --- Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dec b/Silicon/In= tel/IntelSiliconPkg/IntelSiliconPkg.dec index 3079fc2869..22ebf19c4e 100644 --- a/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dec +++ b/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dec @@ -54,6 +54,10 @@ [Protocols] gEdkiiPlatformVTdPolicyProtocolGuid =3D { 0x3d17e448, 0x466, 0x4e20, { 0= x99, 0x9f, 0xb2, 0xe1, 0x34, 0x88, 0xee, 0x22 }} =20 + ## Protocol for device security policy. + # Include/Protocol/PlatformDeviceSecurityPolicy.h + gEdkiiDeviceSecurityPolicyProtocolGuid =3D {0x7ea41a99, 0x5e32, 0x4c97, = {0x88, 0xc4, 0xd6, 0xe7, 0x46, 0x84, 0x9, 0xd4}} + [PcdsFixedAtBuild, PcdsPatchableInModule] ## Error code for VTd error.

# EDKII_ERROR_CODE_VTD_ERROR =3D (EFI_IO_BUS_UNSPECIFIED | (EFI_OEM_SPE= CIFIC | 0x00000000)) =3D 0x02008000
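Review bot: style point on the new [Protocols] entry: the GUID initializer `{0x7ea41a99, 0x5e32, 0x4c97, {0x88, 0xc4, ...}}` omits the spaces inside the braces that the neighbouring gEdkiiPlatformVTdPolicyProtocolGuid line uses (`{ 0x3d17e448, ..., { 0x99, ... }}`); please match the file's existing formatting so the section stays uniform. The `## Protocol for device security policy.` comment and the `# Include/Protocol/PlatformDeviceSecurityPolicy.h` pointer are otherwise in line with the entries above.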
-- 
2.19.2.windows.1

View/Reply Online (#50222): https://edk2.groups.io/g/devel/message/50222

From: "Yao, Jiewen"
To: devel@edk2.groups.io
Cc: Ray Ni, Rangasai V Chaganty, Yun Lou
Subject: [edk2-devel] [PATCH V3 4/6] IntelSiliconPkg/IntelPciDeviceSecurityDxe: Add PciSecurity.
Date: Thu, 7 Nov 2019 21:38:29 +0800
Message-Id: <20191107133831.22412-5-jiewen.yao@intel.com>
In-Reply-To: <20191107133831.22412-1-jiewen.yao@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303

This driver is to do the PCI device authentication based upon the Intel PCIe Security Specification.

Cc: Ray Ni
Cc: Rangasai V Chaganty
Cc: Yun Lou
Signed-off-by: Jiewen Yao
Signed-off-by: Yun Lou
---
 .../IntelPciDeviceSecurityDxe.c   | 697 ++++++++++++++++++
 .../IntelPciDeviceSecurityDxe.inf |  45 ++
 .../TcgDeviceEvent.h              | 178 +++++
 3 files changed, 920 insertions(+)
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/IntelPciDeviceSecurityDxe.c
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/IntelPciDeviceSecurityDxe.inf
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/TcgDeviceEvent.h
diff --git a/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDev= iceSecurityDxe/IntelPciDeviceSecurityDxe.c b/Silicon/Intel/IntelSiliconPkg/= Feature/PcieSecurity/IntelPciDeviceSecurityDxe/IntelPciDeviceSecurityDxe.c new file mode 100644 index 0000000000..8838d5635a --- /dev/null +++ b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecu= rityDxe/IntelPciDeviceSecurityDxe.c @@ -0,0 +1,697 @@ +/** @file + EDKII Device Security library for PCI device. + It follows the Intel PCIe Security Specification. + +Copyright (c) 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "TcgDeviceEvent.h" + +typedef struct { + EDKII_DEVICE_SECURITY_EVENT_DATA_HEADER EventData; + SPDM_MEASUREMENT_BLOCK_COMMON_HEADER CommonHeader; + SPDM_MEASUREMENT_BLOCK_DMTF_HEADER DmtfHeader; + UINT8 Digest[SHA256_DIGEST_SIZE]; + EDKII_DEVICE_SECURITY_EVENT_DATA_PCI_CONTEXT PciContext; +} EDKII_DEVICE_SECURITY_PCI_EVENT_DATA; + +typedef struct { + UINTN Signature; + LIST_ENTRY Link; + UINTN PciSegment; + UINTN PciBus; + UINTN PciDevice; + UINTN PciFunction; +} PCI_DEVICE_INSTANCE; + +#define PCI_DEVICE_INSTANCE_SIGNATURE SIGNATURE_32 ('P', 'D', 'I', 'S') +#define PCI_DEVICE_INSTANCE_FROM_LINK(a) CR (a, PCI_DEVICE_INSTANCE, Link= , PCI_DEVICE_INSTANCE_SIGNATURE) + +LIST_ENTRY mSecurityEventMeasurementDeviceList =3D INITIALIZE_LIST_HEAD_VA= RIABLE(mSecurityEventMeasurementDeviceList);; +EDKII_DEVICE_SECURITY_POLICY_PROTOCOL *mDeviceSecurityPolicy; + +/** + Record a PCI device into device list. 
+ + @param PciIo PciIo instance of the device + @param PciDeviceList The list to record the the device +**/ +VOID +RecordPciDeviceInList( + IN EFI_PCI_IO_PROTOCOL *PciIo, + IN LIST_ENTRY *PciDeviceList + ) +{ + UINTN PciSegment; + UINTN PciBus; + UINTN PciDevice; + UINTN PciFunction; + EFI_STATUS Status; + PCI_DEVICE_INSTANCE *NewPciDevice; + + Status =3D PciIo->GetLocation (PciIo, &PciSegment, &PciBus, &PciDevice, = &PciFunction); + ASSERT_EFI_ERROR(Status); + + NewPciDevice =3D AllocateZeroPool(sizeof(*NewPciDevice)); + ASSERT_EFI_ERROR(NewPciDevice !=3D NULL); + + NewPciDevice->Signature =3D PCI_DEVICE_INSTANCE_SIGNATURE; + NewPciDevice->PciSegment =3D PciSegment; + NewPciDevice->PciBus =3D PciBus; + NewPciDevice->PciDevice =3D PciDevice; + NewPciDevice->PciFunction =3D PciFunction; + + InsertTailList(PciDeviceList, &NewPciDevice->Link); +} + +/** + Check if a PCI device is recorded in device list. + + @param PciIo PciIo instance of the device + @param PciDeviceList The list to record the the device + + @retval TRUE The PCI device is in the list. + @retval FALSE The PCI device is NOT in the list. 
+**/ +BOOLEAN +IsPciDeviceInList( + IN EFI_PCI_IO_PROTOCOL *PciIo, + IN LIST_ENTRY *PciDeviceList + ) +{ + UINTN PciSegment; + UINTN PciBus; + UINTN PciDevice; + UINTN PciFunction; + EFI_STATUS Status; + LIST_ENTRY *Link; + PCI_DEVICE_INSTANCE *CurrentPciDevice; + + Status =3D PciIo->GetLocation (PciIo, &PciSegment, &PciBus, &PciDevice, = &PciFunction); + ASSERT_EFI_ERROR(Status); + + Link =3D GetFirstNode(PciDeviceList); + while (!IsNull(PciDeviceList, Link)) { + CurrentPciDevice =3D PCI_DEVICE_INSTANCE_FROM_LINK(Link); + + if (CurrentPciDevice->PciSegment =3D=3D PciSegment && CurrentPciDevice= ->PciBus =3D=3D PciBus && + CurrentPciDevice->PciDevice =3D=3D PciDevice && CurrentPciDevice->= PciFunction =3D=3D PciFunction) { + DEBUG((DEBUG_INFO, "PCI device duplicated (Loc - %04x:%02x:%02x:%02x= )\n", PciSegment, PciBus, PciDevice, PciFunction)); + return TRUE; + } + + Link =3D GetNextNode(PciDeviceList, Link); + } + + return FALSE; +} + +/* + return Offset of the PCI Cap ID. + + @param PciIo PciIo instance of the device + @param CapId The Capability ID of the Pci device + + @return The PCI Capability ID Offset +*/ +UINT32 +GetPciCapId ( + IN EFI_PCI_IO_PROTOCOL *PciIo, + IN UINT8 CapId + ) +{ + EFI_PCI_CAPABILITY_HDR PciCapIdHdr; + UINT32 PciCapIdOffset; + EFI_STATUS Status; + + PciCapIdHdr.CapabilityID =3D ~CapId; + Status =3D PciIo->Pci.Read (PciIo, EfiPciIoWidthUint8, PCI_CAPBILITY_POI= NTER_OFFSET, 1, &PciCapIdHdr.NextItemPtr); + ASSERT_EFI_ERROR(Status); + if (PciCapIdHdr.NextItemPtr =3D=3D 0 || PciCapIdHdr.NextItemPtr =3D=3D 0= xFF) { + return 0; + } + PciCapIdOffset =3D 0; + do { + if (PciCapIdHdr.CapabilityID =3D=3D CapId) { + break; + } + PciCapIdOffset =3D PciCapIdHdr.NextItemPtr; + Status =3D PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, PciCapIdOffset= , 1, &PciCapIdHdr); + ASSERT_EFI_ERROR(Status); + } while (PciCapIdHdr.NextItemPtr !=3D 0 && PciCapIdHdr.NextItemPtr !=3D = 0xFF); + + if (PciCapIdHdr.CapabilityID =3D=3D CapId) { + return PciCapIdOffset; + 
} else { + return 0; + } +} + +/* + return Offset of the PCIe Ext Cap ID. + + @param PciIo PciIo instance of the device + @param CapId The Ext Capability ID of the Pci device + + @return The PCIe Ext Capability ID Offset +*/ +UINT32 +GetPciExpressExtCapId ( + IN EFI_PCI_IO_PROTOCOL *PciIo, + IN UINT16 CapId + ) +{ + UINT32 PcieCapIdOffset; + PCI_EXPRESS_EXTENDED_CAPABILITIES_HEADER PciExpressExtCapIdHdr; + EFI_STATUS Status; + + PcieCapIdOffset =3D GetPciCapId (PciIo, EFI_PCI_CAPABILITY_ID_PCIEXP); + if (PcieCapIdOffset =3D=3D 0) { + return 0; + } + + PciExpressExtCapIdHdr.CapabilityId =3D ~CapId; + PciExpressExtCapIdHdr.CapabilityVersion =3D 0xF; + PciExpressExtCapIdHdr.NextCapabilityOffset =3D 0x100; + PcieCapIdOffset =3D 0; + do { + if (PciExpressExtCapIdHdr.CapabilityId =3D=3D CapId) { + break; + } + PcieCapIdOffset =3D PciExpressExtCapIdHdr.NextCapabilityOffset; + Status =3D PciIo->Pci.Read (PciIo, EfiPciIoWidthUint32, PcieCapIdOffse= t, 1, &PciExpressExtCapIdHdr); + ASSERT_EFI_ERROR(Status); + } while (PciExpressExtCapIdHdr.NextCapabilityOffset !=3D 0 && PciExpress= ExtCapIdHdr.NextCapabilityOffset !=3D 0xFFF); + + if (PciExpressExtCapIdHdr.CapabilityId =3D=3D CapId) { + return PcieCapIdOffset; + } else { + return 0; + } +} + +/** + Read byte of the PCI device configuration space. + + @param PciIo PciIo instance of the device + @param Offset The offset of the Pci device configuration space + + @return Byte value of the PCI device configuration space. +**/ +UINT8 +DvSecPciRead8 ( + IN EFI_PCI_IO_PROTOCOL *PciIo, + IN UINT32 Offset + ) +{ + EFI_STATUS Status; + UINT8 Data; + + Status =3D PciIo->Pci.Read (PciIo, EfiPciIoWidthUint8, Offset, 1, &Data); + ASSERT_EFI_ERROR(Status); + + return Data; +} + +/** + Write byte of the PCI device configuration space. + + @param PciIo PciIo instance of the device + @param Offset The offset of the Pci device configuration space + @param Data Byte value of the PCI device configuration space. 
+**/ +VOID +DvSecPciWrite8 ( + IN EFI_PCI_IO_PROTOCOL *PciIo, + IN UINT32 Offset, + IN UINT8 Data + ) +{ + EFI_STATUS Status; + + Status =3D PciIo->Pci.Write (PciIo, EfiPciIoWidthUint8, Offset, 1, &Data= ); + ASSERT_EFI_ERROR(Status); +} + +/** + Get the Digest size from the TCG hash Algorithm ID. + + @param TcgAlgId TCG hash Algorithm ID + + @return Digest size of the TCG hash Algorithm ID +**/ +UINTN +DigestSizeFromTcgAlgId ( + IN UINT16 TcgAlgId + ) +{ + switch (TcgAlgId) { + case TPM_ALG_SHA256: + return SHA256_DIGEST_SIZE; + case TPM_ALG_SHA384: + case TPM_ALG_SHA512: + case TPM_ALG_SM3_256: + default: + break; + } + return 0; +} + +/** + Convert the SPDM hash algo ID from the TCG hash Algorithm ID. + + @param TcgAlgId TCG hash Algorithm ID + + @return SPDM hash algo ID +**/ +UINT32 +TcgAlgIdToSpdmHashAlgo ( + IN UINT16 TcgAlgId + ) +{ + switch (TcgAlgId) { + case TPM_ALG_SHA256: + return SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA_256; + case TPM_ALG_SHA384: + case TPM_ALG_SHA512: + case TPM_ALG_SM3_256: + default: + break; + } + return 0; +} + +/** + This function extend the PCI digest from the DvSec register. + + @param[in] PciIo The PciIo of the device. + @param[in] DeviceSecurityPolicy The Device Security Policy associated= with the device. + @param[in] TcgAlgId TCG hash Algorithm ID + @param[in] DigestSel The digest selector + @param[in] Digest The digest buffer + @param[out] DeviceSecurityState The Device Security state associated = with the device. 
+**/ +VOID +ExtendDigestRegister ( + IN EFI_PCI_IO_PROTOCOL *PciIo, + IN EDKII_DEVICE_SECURITY_POLICY *DeviceSecurityPolicy, + IN UINT16 TcgAlgId, + IN UINT8 DigestSel, + IN UINT8 *Digest, + OUT EDKII_DEVICE_SECURITY_STATE *DeviceSecurityState + ) +{ + UINT32 PcrIndex; + UINT32 EventType; + EDKII_DEVICE_SECURITY_PCI_EVENT_DATA EventLog; + EFI_STATUS Status; + PCI_TYPE00 PciData; + + Status =3D PciIo->Pci.Read (PciIo, EfiPciIoWidthUint8, 0, sizeof(PciData= ), &PciData); + ASSERT_EFI_ERROR(Status); + + PcrIndex =3D EDKII_DEVICE_MEASUREMENT_COMPONENT_PCR_INDEX; + EventType =3D EDKII_DEVICE_MEASUREMENT_COMPONENT_EVENT_TYPE; + + CopyMem (EventLog.EventData.Signature, EDKII_DEVICE_SECURITY_EVENT_DATA_= SIGNATURE, sizeof(EventLog.EventData.Signature)); + EventLog.EventData.Version =3D EDKII_DEVICE_SECURITY_EV= ENT_DATA_VERSION; + EventLog.EventData.Length =3D sizeof(EDKII_DEVICE_SECU= RITY_PCI_EVENT_DATA); + EventLog.EventData.SpdmHashAlgo =3D TcgAlgIdToSpdmHashAlgo (= TcgAlgId); + EventLog.EventData.DeviceType =3D EDKII_DEVICE_SECURITY_EV= ENT_DATA_DEVICE_TYPE_PCI; + + EventLog.CommonHeader.Index =3D DigestSel; + EventLog.CommonHeader.MeasurementSpecification =3D SPDM_MEASUREMENT_BL= OCK_HEADER_SPECIFICATION_DMTF; + EventLog.CommonHeader.MeasurementSize =3D sizeof(SPDM_MEASURE= MENT_BLOCK_DMTF_HEADER) + SHA256_DIGEST_SIZE; + EventLog.DmtfHeader.DMTFSpecMeasurementValueType =3D SPDM_MEASUREMENT_BL= OCK_MEASUREMENT_TYPE_MUTABLE_FIRMWARE; + EventLog.DmtfHeader.DMTFSpecMeasurementValueSize =3D SHA256_DIGEST_SIZE; + CopyMem (&EventLog.Digest, Digest, SHA256_DIGEST_SIZE); + + EventLog.PciContext.Version =3D EDKII_DEVICE_SECURITY_EVENT_DA= TA_PCI_CONTEXT_VERSION; + EventLog.PciContext.Length =3D sizeof(EDKII_DEVICE_SECURITY_E= VENT_DATA_PCI_CONTEXT); + EventLog.PciContext.VendorId =3D PciData.Hdr.VendorId; + EventLog.PciContext.DeviceId =3D PciData.Hdr.DeviceId; + EventLog.PciContext.RevisionID =3D PciData.Hdr.RevisionID; + EventLog.PciContext.ClassCode[0] =3D 
PciData.Hdr.ClassCode[0]; + EventLog.PciContext.ClassCode[1] =3D PciData.Hdr.ClassCode[1]; + EventLog.PciContext.ClassCode[2] =3D PciData.Hdr.ClassCode[2]; + if ((PciData.Hdr.HeaderType & HEADER_LAYOUT_CODE) =3D=3D HEADER_TYPE_DEV= ICE) { + EventLog.PciContext.SubsystemVendorID =3D PciData.Device.SubsystemVend= orID; + EventLog.PciContext.SubsystemID =3D PciData.Device.SubsystemID; + } else { + EventLog.PciContext.SubsystemVendorID =3D 0; + EventLog.PciContext.SubsystemID =3D 0; + } + + Status =3D TpmMeasureAndLogData ( + PcrIndex, + EventType, + &EventLog, + EventLog.EventData.Length, + Digest, + SHA256_DIGEST_SIZE + ); + DEBUG((DEBUG_INFO, "TpmMeasureAndLogData - %r\n", Status)); + if (EFI_ERROR(Status)) { + DeviceSecurityState->MeasurementState =3D EDKII_DEVICE_SECURITY_STATE_= ERROR_TCG_EXTEND_TPM_PCR; + } else { + RecordPciDeviceInList (PciIo, &mSecurityEventMeasurementDeviceList); + } +} + +/** + This function reads the PCI digest from the DvSec register and extend to= TPM. + + @param[in] PciIo The PciIo of the device. + @param[in] DvSecOffset The DvSec register offset of the devi= ce. + @param[in] DeviceSecurityPolicy The Device Security Policy associated= with the device. + @param[out] DeviceSecurityState The Device Security state associated = with the device. 
+**/ +VOID +DoMeasurementsFromDigestRegister ( + IN EFI_PCI_IO_PROTOCOL *PciIo, + IN UINT32 DvSecOffset, + IN EDKII_DEVICE_SECURITY_POLICY *DeviceSecurityPolicy, + OUT EDKII_DEVICE_SECURITY_STATE *DeviceSecurityState + ) +{ + UINT8 Modified; + UINT8 Valid; + UINT16 TcgAlgId; + UINT8 NumDigest; + UINT8 DigestSel; + UINT8 Digest[SHA256_DIGEST_SIZE]; + UINTN DigestSize; + EFI_STATUS Status; + + TcgAlgId =3D DvSecPciRead8 ( + PciIo, + DvSecOffset + sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER) + = OFFSET_OF(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, TcgAlgId) + ); + DEBUG((DEBUG_INFO, " TcgAlgId - 0x%04x\n", TcgAlgId)); + DigestSize =3D DigestSizeFromTcgAlgId (TcgAlgId); + if (DigestSize =3D=3D 0) { + DEBUG((DEBUG_INFO, "Unsupported Algorithm - 0x%04x\n", TcgAlgId)); + DeviceSecurityState->MeasurementState =3D EDKII_DEVICE_SECURITY_STATE_= ERROR_PCI_NO_CAPABILITIES; + return ; + } + DEBUG((DEBUG_INFO, " (DigestSize: 0x%x)\n", DigestSize)); + + DeviceSecurityState->MeasurementState =3D EDKII_DEVICE_SECURITY_STATE_SU= CCESS; + + NumDigest =3D DvSecPciRead8 ( + PciIo, + DvSecOffset + sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER) += OFFSET_OF(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, FirmwareID) + ); + DEBUG((DEBUG_INFO, " NumDigest - 0x%02x\n", NumDigest)); + + Valid =3D DvSecPciRead8 ( + PciIo, + DvSecOffset + sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER) + OFF= SET_OF(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, Valid) + ); + DEBUG((DEBUG_INFO, " Valid - 0x%02x\n", Valid)); + + // + // Only 2 are supported as maximum. + // But hardware may report 3. + // + if (NumDigest > 2) { + NumDigest =3D 2; + } + + for (DigestSel =3D 0; DigestSel < NumDigest; DigestSel++) { + DEBUG((DEBUG_INFO, " DigestSel - 0x%02x\n", DigestSel)); + if ((DigestSel =3D=3D 0) && ((Valid & INTEL_PCI_DIGEST_0_VALID) =3D=3D= 0)) { + continue; + } + if ((DigestSel =3D=3D 1) && ((Valid & INTEL_PCI_DIGEST_1_VALID) =3D=3D= 0)) { + continue; + } + while (TRUE) { + // + // Host MUST clear DIGEST_MODIFIED before read DIGEST. 
+ // + DvSecPciWrite8 ( + PciIo, + DvSecOffset + sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER) + OFFSET_= OF(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, Modified), + INTEL_PCI_DIGEST_MODIFIED + ); + + Status =3D PciIo->Pci.Read ( + PciIo, + EfiPciIoWidthUint8, + (UINT32)(DvSecOffset + sizeof(INTEL_PCI_DIGEST= _CAPABILITY_HEADER) + sizeof(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE) + Diges= tSize * DigestSel), + DigestSize, + Digest + ); + ASSERT_EFI_ERROR(Status); + + // + // After read DIGEST, Host MUST consult DIGEST_MODIFIED. + // + Modified =3D DvSecPciRead8 ( + PciIo, + DvSecOffset + sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER= ) + OFFSET_OF(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, Modified) + ); + if ((Modified & INTEL_PCI_DIGEST_MODIFIED) =3D=3D 0) { + break; + } + } + + // + // Dump Digest + // + { + UINTN Index; + DEBUG((DEBUG_INFO, " Digest - ")); + for (Index =3D 0; Index < DigestSize; Index++) { + DEBUG((DEBUG_INFO, "%02x", *(Digest + Index))); + } + DEBUG((DEBUG_INFO, "\n")); + } + + DEBUG((DEBUG_INFO, "ExtendDigestRegister...\n", ExtendDigestRegister)); + ExtendDigestRegister (PciIo, DeviceSecurityPolicy, TcgAlgId, DigestSel= , Digest, DeviceSecurityState); + } +} + +/** + The device driver uses this service to measure a PCI device. + + @param[in] PciIo The PciIo of the device. + @param[in] DeviceSecurityPolicy The Device Security Policy associated= with the device. + @param[out] DeviceSecurityState The Device Security state associated = with the device. 
+**/ +VOID +DoDeviceMeasurement ( + IN EFI_PCI_IO_PROTOCOL *PciIo, + IN EDKII_DEVICE_SECURITY_POLICY *DeviceSecurityPolicy, + OUT EDKII_DEVICE_SECURITY_STATE *DeviceSecurityState + ) +{ + UINT32 DvSecOffset; + INTEL_PCI_DIGEST_CAPABILITY_HEADER DvSecHdr; + EFI_STATUS Status; + + if (IsPciDeviceInList (PciIo, &mSecurityEventMeasurementDeviceList)) { + DeviceSecurityState->MeasurementState =3D EDKII_DEVICE_SECURITY_STATE_= SUCCESS; + return ; + } + + DvSecOffset =3D GetPciExpressExtCapId (PciIo, INTEL_PCI_CAPID_DVSEC); + DEBUG((DEBUG_INFO, "DvSec Capability - 0x%x\n", DvSecOffset)); + if (DvSecOffset =3D=3D 0) { + DeviceSecurityState->MeasurementState =3D EDKII_DEVICE_SECURITY_STATE_= ERROR_PCI_NO_CAPABILITIES; + return ; + } + Status =3D PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, DvSecOffset, siz= eof(DvSecHdr)/sizeof(UINT16), &DvSecHdr); + ASSERT_EFI_ERROR(Status); + DEBUG((DEBUG_INFO, " CapId - 0x%04x\n", DvSecHdr.CapId)); + DEBUG((DEBUG_INFO, " CapVersion - 0x%01x\n", DvSecHdr.CapVersion)); + DEBUG((DEBUG_INFO, " NextOffset - 0x%03x\n", DvSecHdr.NextOffset)); + DEBUG((DEBUG_INFO, " DvSecVendorId - 0x%04x\n", DvSecHdr.DvSecVendorId)= ); + DEBUG((DEBUG_INFO, " DvSecRevision - 0x%01x\n", DvSecHdr.DvSecRevision)= ); + DEBUG((DEBUG_INFO, " DvSecLength - 0x%03x\n", DvSecHdr.DvSecLength)); + DEBUG((DEBUG_INFO, " DvSecId - 0x%04x\n", DvSecHdr.DvSecId)); + if ((DvSecHdr.DvSecVendorId !=3D INTEL_PCI_DVSEC_VENDORID_INTEL) && + (DvSecHdr.DvSecId !=3D INTEL_PCI_DVSEC_DVSECID_MEASUREMENT)) { + DeviceSecurityState->MeasurementState =3D EDKII_DEVICE_SECURITY_STATE_= ERROR_PCI_NO_CAPABILITIES; + return ; + } + + DoMeasurementsFromDigestRegister (PciIo, DvSecOffset, DeviceSecurityPoli= cy, DeviceSecurityState); +} + +/** + The device driver uses this service to verify a PCI device. + + @param[in] PciIo The PciIo of the device. + @param[in] DeviceSecurityPolicy The Device Security Policy associated= with the device. 
+ @param[out] DeviceSecurityState The Device Security state associated = with the device. +**/ +VOID +DoDeviceAuthentication ( + IN EFI_PCI_IO_PROTOCOL *PciIo, + IN EDKII_DEVICE_SECURITY_POLICY *DeviceSecurityPolicy, + OUT EDKII_DEVICE_SECURITY_STATE *DeviceSecurityState + ) +{ + DeviceSecurityState->AuthenticationState =3D EDKII_DEVICE_SECURITY_STATE= _ERROR_UEFI_UNSUPPORTED; +} + +/** + The device driver uses this service to measure and/or verify a device. + + The flow in device driver is: + 1) Device driver discovers a new device. + 2) Device driver creates an EFI_DEVICE_PATH_PROTOCOL. + 3) Device driver creates a device access protocol. e.g. + EFI_PCI_IO_PROTOCOL for PCI device. + EFI_USB_IO_PROTOCOL for USB device. + EFI_EXT_SCSI_PASS_THRU_PROTOCOL for SCSI device. + EFI_ATA_PASS_THRU_PROTOCOL for ATA device. + EFI_NVM_EXPRESS_PASS_THRU_PROTOCOL for NVMe device. + EFI_SD_MMC_PASS_THRU_PROTOCOL for SD/MMC device. + 4) Device driver installs the EFI_DEVICE_PATH_PROTOCOL with EFI_DEVICE_P= ATH_PROTOCOL_GUID, + and the device access protocol with EDKII_DEVICE_IDENTIFIER_TYPE_xxx_= GUID. + Once it is done, a DeviceHandle is returned. + 5) Device driver creates EDKII_DEVICE_IDENTIFIER with EDKII_DEVICE_IDENT= IFIER_TYPE_xxx_GUID + and the DeviceHandle. + 6) Device driver calls DeviceAuthenticate(). + 7) If DeviceAuthenticate() returns EFI_SECURITY_VIOLATION, the device dr= iver uninstalls + all protocols on this handle. + 8) If DeviceAuthenticate() returns EFI_SUCCESS, the device driver instal= ls the device access + protocol with a real protocol GUID. e.g. + EFI_PCI_IO_PROTOCOL with EFI_PCI_IO_PROTOCOL_GUID. + EFI_USB_IO_PROTOCOL with EFI_USB_IO_PROTOCOL_GUID. + + @param[in] This The protocol instance pointer. + @param[in] DeviceId The Identifier for the device. + + @retval EFI_SUCCESS The device specified by the DeviceId pa= ssed the measurement + and/or authentication based upon the pl= atform policy. 
+ If TCG measurement is required, the mea= surement is extended to TPM PCR. + @retval EFI_SECURITY_VIOLATION The device fails to return the measurem= ent data. + @retval EFI_SECURITY_VIOLATION The device fails to response the authen= tication request. + @retval EFI_SECURITY_VIOLATION The system fails to verify the device b= ased upon the authentication response. + @retval EFI_SECURITY_VIOLATION The system fails to extend the measurem= ent to TPM PCR. +**/ +EFI_STATUS +EFIAPI +DeviceAuthentication ( + IN EDKII_DEVICE_SECURITY_PROTOCOL *This, + IN EDKII_DEVICE_IDENTIFIER *DeviceId + ) +{ + EDKII_DEVICE_SECURITY_POLICY DeviceSecurityPolicy; + EDKII_DEVICE_SECURITY_STATE DeviceSecurityState; + EFI_PCI_IO_PROTOCOL *PciIo; + EFI_STATUS Status; + + if (mDeviceSecurityPolicy =3D=3D NULL) { + return EFI_SUCCESS; + } + + if (!CompareGuid (&DeviceId->DeviceType, &gEdkiiDeviceIdentifierTypePciG= uid)) { + return EFI_SUCCESS; + } + + Status =3D gBS->HandleProtocol ( + DeviceId->DeviceHandle, + &gEdkiiDeviceIdentifierTypePciGuid, + (VOID **)&PciIo + ); + if (EFI_ERROR(Status)) { + DEBUG ((DEBUG_ERROR, "Locate - DeviceIdentifierTypePci - %r\n", Status= )); + return EFI_SUCCESS; + } + + DeviceSecurityState.Version =3D EDKII_DEVICE_SECURITY_STATE_REVISION; + DeviceSecurityState.MeasurementState =3D 0x0; + DeviceSecurityState.AuthenticationState =3D 0x0; + + Status =3D mDeviceSecurityPolicy->GetDevicePolicy (mDeviceSecurityPolicy= , DeviceId, &DeviceSecurityPolicy); + if (EFI_ERROR(Status)) { + DEBUG((DEBUG_ERROR, "mDeviceSecurityPolicy->GetDevicePolicy - %r\n", S= tatus)); + DeviceSecurityState.MeasurementState =3D EDKII_DEVICE_SECURITY_STATE_E= RROR_UEFI_GET_POLICY_PROTOCOL; + DeviceSecurityState.AuthenticationState =3D EDKII_DEVICE_SECURITY_STAT= E_ERROR_UEFI_GET_POLICY_PROTOCOL; + } else { + if ((DeviceSecurityPolicy.MeasurementPolicy & EDKII_DEVICE_MEASUREMENT= _REQUIRED) !=3D 0) { + DoDeviceMeasurement (PciIo, &DeviceSecurityPolicy, &DeviceSecuritySt= ate); + 
DEBUG((DEBUG_ERROR, "MeasurementState - 0x%08x\n", DeviceSecuritySta= te.MeasurementState)); + } + if ((DeviceSecurityPolicy.AuthenticationPolicy & EDKII_DEVICE_AUTHENTI= CATION_REQUIRED) !=3D 0) { + DoDeviceAuthentication (PciIo, &DeviceSecurityPolicy, &DeviceSecurit= yState); + DEBUG((DEBUG_ERROR, "AuthenticationState - 0x%08x\n", DeviceSecurity= State.AuthenticationState)); + } + } + + Status =3D mDeviceSecurityPolicy->NotifyDeviceState (mDeviceSecurityPoli= cy, DeviceId, &DeviceSecurityState); + if (EFI_ERROR(Status)) { + DEBUG((DEBUG_ERROR, "mDeviceSecurityPolicy->NotifyDeviceState - %r\n",= Status)); + } + + if ((DeviceSecurityState.MeasurementState =3D=3D 0) && + (DeviceSecurityState.AuthenticationState =3D=3D 0)) { + return EFI_SUCCESS; + } else { + return EFI_SECURITY_VIOLATION; + } +} + +EDKII_DEVICE_SECURITY_PROTOCOL mDeviceSecurity =3D { + EDKII_DEVICE_SECURITY_PROTOCOL_REVISION, + DeviceAuthentication +}; + +/** + Entrypoint of the device security driver. + + @param[in] ImageHandle ImageHandle of the loaded driver + @param[in] SystemTable Pointer to the System Table + + @retval EFI_SUCCESS The Protocol is installed. + @retval EFI_OUT_OF_RESOURCES Not enough resources available to initial= ize driver. + @retval EFI_DEVICE_ERROR A device error occurred attempting to ini= tialize the driver. + +**/ +EFI_STATUS +EFIAPI +MainEntryPoint ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + EFI_HANDLE Handle; + EFI_STATUS Status; + + Status =3D gBS->LocateProtocol (&gEdkiiDeviceSecurityPolicyProtocolGuid,= NULL, (VOID **)&mDeviceSecurityPolicy); + ASSERT_EFI_ERROR(Status); + + Handle =3D NULL; + Status =3D gBS->InstallProtocolInterface ( + &Handle, + &gEdkiiDeviceSecurityProtocolGuid, + EFI_NATIVE_INTERFACE, + (VOID **)&mDeviceSecurity + ); + ASSERT_EFI_ERROR(Status); + + return Status; +} 
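Review bot: the DVSEC identity check in DoDeviceMeasurement is too weak. With `&&`, a capability whose DvSecVendorId is Intel but whose DvSecId is not the measurement ID (or the reverse) is accepted and its body is then parsed as digest registers; the test should reject on either mismatch:
  if ((DvSecHdr.DvSecVendorId != INTEL_PCI_DVSEC_VENDORID_INTEL) ||
      (DvSecHdr.DvSecId != INTEL_PCI_DVSEC_DVSECID_MEASUREMENT)) {
and, because GetPciExpressExtCapId returns the first DVSEC in the chain, a device exposing more than one DVSEC never reaches the measurement one; keep walking until both IDs match rather than stopping at the first INTEL_PCI_CAPID_DVSEC. Second, every loop here is driven by device-supplied values with no upper bound: GetPciCapId and GetPciExpressExtCapId terminate only on a next pointer of 0 or 0xFF/0xFFF, so a capability chain that points back on itself hangs the boot, and the `while (TRUE)` DIGEST_MODIFIED retry in DoMeasurementsFromDigestRegister never exits if the device keeps asserting the bit. This driver exists precisely to deal with devices the platform does not yet trust, so please bound the capability walk (an iteration cap, and require the offset to advance and stay below 0x1000) and give the retry loop a limit that sets an error MeasurementState instead of spinning. Smaller points: TcgAlgId is declared UINT16 but is filled by DvSecPciRead8, so if the register is 16 bits wide as the type implies the upper byte is silently dropped; NumDigest is read from OFFSET_OF(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, FirmwareID), which deserves a comment if that is intentional; and the DEBUG call before ExtendDigestRegister passes ExtendDigestRegister as a stray argument to a format string with no conversion.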
diff --git a/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDev= iceSecurityDxe/IntelPciDeviceSecurityDxe.inf b/Silicon/Intel/IntelSiliconPk= g/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/IntelPciDeviceSecurityDxe.= inf new file mode 100644 index 0000000000..89a4c8fadd --- /dev/null +++ b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecu= rityDxe/IntelPciDeviceSecurityDxe.inf @@ -0,0 +1,45 @@ +## @file +# EDKII Device Security library for PCI device +# +# Copyright (c) 2019, Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D IntelPciDeviceSecurityDxe + FILE_GUID =3D D9569195-ED94-47D2-9523-38BF2D201371 + MODULE_TYPE =3D DXE_DRIVER + VERSION_STRING =3D 1.0 + ENTRY_POINT =3D MainEntryPoint + +[Sources] + IntelPciDeviceSecurityDxe.c + TcgDeviceEvent.h + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + IntelSiliconPkg/IntelSiliconPkg.dec + +[LibraryClasses] + UefiRuntimeServicesTableLib + UefiBootServicesTableLib + UefiDriverEntryPoint + MemoryAllocationLib + DevicePathLib + BaseMemoryLib + PrintLib + DebugLib + UefiLib + PcdLib + TpmMeasurementLib + +[Protocols] + gEdkiiDeviceSecurityPolicyProtocolGuid ## CONSUMES + gEdkiiDeviceSecurityProtocolGuid ## PRODUCES + gEdkiiDeviceIdentifierTypePciGuid ## COMSUMES + +[Depex] + gEdkiiDeviceSecurityPolicyProtocolGuid diff --git a/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDev= iceSecurityDxe/TcgDeviceEvent.h b/Silicon/Intel/IntelSiliconPkg/Feature/Pci= eSecurity/IntelPciDeviceSecurityDxe/TcgDeviceEvent.h new file mode 100644 index 0000000000..5b642b3ecc --- /dev/null +++ b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecu= rityDxe/TcgDeviceEvent.h @@ -0,0 +1,178 @@ +/** @file + TCG Device Event data structure +Copyright (c) 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent +**/ + + +#ifndef __TCG_EVENT_DATA_H__ +#define __TCG_EVENT_DATA_H__ + +#include + +#pragma pack(1) + +// ------------------------------------------- +// TCG Measurement for SPDM Device Measurement +// ------------------------------------------- + +// +// Device Firmware Component (including immutable ROM or mutable firmware) +// +#define EDKII_DEVICE_MEASUREMENT_COMPONENT_PCR_INDEX 2 +#define EDKII_DEVICE_MEASUREMENT_COMPONENT_EVENT_TYPE 0x800000E1 +// +// Device Firmware Configuration (including hardware configuration or firm= ware configuration) +// +#define EDKII_DEVICE_MEASUREMENT_CONFIGURATION_PCR_INDEX 4 +#define EDKII_DEVICE_MEASUREMENT_CONFIGURATION_EVENT_TYPE 0x800000E2 + +// +// Device Firmware Measurement Measurement Data +// The measurement data is the device firmware measurement. +// +// In order to support crypto agile, the firmware will hash the DeviceMeas= urement again. +// As such the device measurement algo might be different with host firmwa= re measurement algo. +// + +// +// Device Firmware Measurement Event Data +// +#define EDKII_DEVICE_SECURITY_EVENT_DATA_SIGNATURE "SPDM Device Sec\0" +#define EDKII_DEVICE_SECURITY_EVENT_DATA_VERSION 0 + +// +// Device Type +// 0x03 ~ 0xDF reserved by TCG. +// 0xE0 ~ 0xFF reserved by OEM. +// +#define EDKII_DEVICE_SECURITY_EVENT_DATA_DEVICE_TYPE_NULL 0 +#define EDKII_DEVICE_SECURITY_EVENT_DATA_DEVICE_TYPE_PCI 1 +#define EDKII_DEVICE_SECURITY_EVENT_DATA_DEVICE_TYPE_USB 2 + +// +// Device Firmware Measurement Event Data Common Part +// The device specific part should follow this data structure. +// +typedef struct { + // + // It must be EDKII_DEVICE_SECURITY_EVENT_DATA_SIGNATURE. + // + UINT8 Signature[16]; + // + // It must be EDKII_DEVICE_SECURITY_EVENT_DATA_VERSION. + // + UINT16 Version; + // + // The length of whole data structure, including Device Context. 
+ // + UINT16 Length; + // + // The SpdmHashAlgo + // + UINT32 SpdmHashAlgo; + // + // The type of device. This field is to determine the Device Context fol= lowed by. + // + UINT32 DeviceType; + // + // The SPDM measurement block. + // +//SPDM_MEASUREMENT_BLOCK SpdmMeasurementBlock; +} EDKII_DEVICE_SECURITY_EVENT_DATA_HEADER; + +// +// PCI device specific context +// +#define EDKII_DEVICE_SECURITY_EVENT_DATA_PCI_CONTEXT_VERSION 0 +typedef struct { + UINT16 Version; + UINT16 Length; + UINT16 VendorId; + UINT16 DeviceId; + UINT8 RevisionID; + UINT8 ClassCode[3]; + UINT16 SubsystemVendorID; + UINT16 SubsystemID; +} EDKII_DEVICE_SECURITY_EVENT_DATA_PCI_CONTEXT; + +// +// USB device specific context +// +#define EDKII_DEVICE_SECURITY_EVENT_DATA_USB_CONTEXT_VERSION 0 +typedef struct { + UINT16 Version; + UINT16 Length; +//UINT8 DeviceDescriptor[DescLen]; +//UINT8 BodDescriptor[DescLen]; +//UINT8 ConfigurationDescriptor[DescLen][NumOfConfiguration]; +} EDKII_DEVICE_SECURITY_EVENT_DATA_USB_CONTEXT; + +// ---------------------------------------------- +// TCG Measurement for SPDM Device Authentication +// ---------------------------------------------- + +// +// Device Root cert is stored into a UEFI authenticated variable. +// It is non-volatile, boot service, runtime service, and time based authe= nticated variable. +// The "devdb" includes a list of allowed device root cert. +// The "devdbx" includes a list of forbidden device root cert. +// The usage of "devdb" and "devdbx" is same as "db" and "dbx" in UEFI sec= ure boot. +// +// NOTE: We choose not to mix "db"/"dbx" for better management purpose. +// + +#define EDKII_DEVICE_ROOT_CERT_VARAIBLE_NAME L"devdb" +#define EDKII_DEVICE_ROOT_CERT_VARAIBLE2_NAME L"devdbx" + +#define EDKII_DEVICE_SIGNATURE_DATABASE_GUID \ + {0xb9c2b4f4, 0xbf5f, 0x462d, 0x8a, 0xdf, 0xc5, 0xc7, 0xa, 0xc3, 0x5d, 0x= ad} + +// +// Platform Firmware adhering to the policy MUST therefore measure the fol= lowing values into PCR[7]: +// 1. 
The content of the EDKII_DEVICE_SIGNATURE_DATABASE_GUID/EDKII_DEVICE= _ROOT_CERT_VARAIBLE_NAME variable. +// 2. The content of the EDKII_DEVICE_SIGNATURE_DATABASE_GUID/EDKII_DEVICE= _ROOT_CERT_VARAIBLE2_NAME variable. +// 3. Entries in the EDKII_DEVICE_SIGNATURE_DATABASE_GUID/EDKII_DEVICE_ROO= T_CERT_VARAIBLE_NAME variable to +// authenticate the device. +// +// For all UEFI variable value events, the eventType SHALL be EV_EFI_VARIA= BLE_DRIVER_CONFIG and the Event +// value SHALL be the value of the UEFI_VARIABLE_DATA structure (this stru= cture SHALL be considered byte-aligned). +// The measurement digest MUST be tagged Hash for each supported PCR bank = of the event data which is the +// UEFI_VARIABLE_DATA structure. The UEFI_VARIABLE_DATA.UnicodeNameLength = value is the number of CHAR16 +// characters (not the number of bytes). The UEFI_VARIABLE_DATA.UnicodeNam= e contents MUST NOT include a NUL. +// If reading a UEFI variable returns UEFI_NOT_FOUND, the UEFI_VARIABLE_DA= TA.VariableDataLength field MUST +// be set to zero and UEFI_VARIABLE_DATA.VariableData field will have a si= ze of zero. +// + +// +// Entities that MUST be measured if the TPM is enabled: +// 1. Before executing any code not cryptographically authenticated as bei= ng provided by the Platform Manufacturer, +// the Platform Manufacturer firmware MUST measure the following values= , in the order listed using the +// EV_EFI_VARIABLE_DRIVER_CONFIG event type to PCR[7]: +// a) The content of the EDKII_DEVICE_SIGNATURE_DATABASE_GUID/ EDKII_DE= VICE_ROOT_CERT_VARAIBLE_NAME variable. +// b) The content of the EDKII_DEVICE_SIGNATURE_DATABASE_GUID/ EDKII_DE= VICE_ROOT_CERT_VARAIBLE2_NAME variable. +// 2. If the platform supports changing any of the following UEFI policy v= ariables after they are initially measured +// in PCR[7] and before ExitBootServices() has completed, the platform = MAY be restarted OR the variables MUST be +// remeasured into PCR[7]. 
Additionally the normal update process for s= etting any of the UEFI variables below SHOULD +// occur before the initial measurement in PCR[7] or after the call to = ExitBootServices() has completed. +// a) The content of the EDKII_DEVICE_SIGNATURE_DATABASE_GUID/ EDKII_DE= VICE_ROOT_CERT_VARAIBLE_NAME variable. +// b) The content of the EDKII_DEVICE_SIGNATURE_DATABASE_GUID/ EDKII_DE= VICE_ROOT_CERT_VARAIBLE2_NAME variable. +// 3. The system SHALL measure the EV_SEPARATOR event in PCR[7]. (This occ= urs at the same time the separator is +// measured to PCR[0-7].) +// Before setting up a device, the UEFI firmware SHALL determine if the= entry in the +// EDKII_DEVICE_SIGNATURE_DATABASE_GUID/ EDKII_DEVICE_ROOT_CERT_VARAIBL= E_NAME variable that was used to validate +// the device has previously been measured in PCR[7]. If it has not bee= n, it MUST be measured into PCR[7] as follows. +// If it has been measured previously, it MUST NOT be measured again. T= he measurement SHALL occur in conjunction +// with device setup. +// a) The eventType SHALL be EV_EFI_VARIABLE_AUTHORITY. +// b) The event value SHALL be the value of the UEFI_VARIABLE_DATA stru= cture. +// i. The UEFI_VARIABLE_DATA.VariableData value SHALL be the UEFI_= SIGNATURE_DATA value from the +// UEFI_SIGNATURE_LIST that contained the authority that was us= ed to validate the image. +// ii. The UEFI_VARIABLE_DATA.VariableName SHALL be set to UEFI_IMA= GE_SECURITY_DATABASE_GUID. +// iii. The UEFI_VARIABLE_DATA.UnicodeName SHALL be set to the value= of UEFI_IMAGE_SECURITY_DATABASE. +// The value MUST NOT include the terminating NUL. +// + +#pragma pack() + +#endif --=20 2.19.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. 
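Review bot: in IntelPciDeviceSecurityDxe.inf, `## COMSUMES` on gEdkiiDeviceIdentifierTypePciGuid under [Protocols] is a typo for `## CONSUMES`. [LibraryClasses] also lists classes the code shown does not reference (UefiRuntimeServicesTableLib, DevicePathLib, PrintLib, UefiLib, PcdLib); if they are indeed unused, please drop them so a driver on the measurement path carries the smallest dependency set possible. The @file header calls the module a "Device Security library" although MODULE_TYPE is DXE_DRIVER.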
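Review bot: in TcgDeviceEvent.h the macro names EDKII_DEVICE_ROOT_CERT_VARAIBLE_NAME and EDKII_DEVICE_ROOT_CERT_VARAIBLE2_NAME misspell VARIABLE; since these become the public names every consumer will reference, please fix them before anything depends on them. The PCR[7] description in item 3 is also inconsistent with the definitions above it: it says UEFI_VARIABLE_DATA.VariableName SHALL be UEFI_IMAGE_SECURITY_DATABASE_GUID and UnicodeName UEFI_IMAGE_SECURITY_DATABASE (the image "db"), while the device root certificates were just defined to live in EDKII_DEVICE_SIGNATURE_DATABASE_GUID/"devdb"; the EV_EFI_VARIABLE_AUTHORITY event should name the devdb variable, otherwise a log parser cannot tell a device authority from an image authority, which defeats the stated reason for keeping the two databases separate. Please also confirm the choice of PCR[4] for EDKII_DEVICE_MEASUREMENT_CONFIGURATION_PCR_INDEX: the PC Client profile records driver and option ROM configuration in PCR[3] and reserves PCR[4] for boot manager code, so device configuration beside option ROM configuration in PCR[3] would be the natural fit. Nit: "In order to support crypto agile" should read "crypto agility".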
View/Reply Online (#50223): https://edk2.groups.io/g/devel/message/50223
From: "Yao, Jiewen"
To: devel@edk2.groups.io
Cc: Ray Ni, Rangasai V Chaganty, Yun Lou
Subject: [edk2-devel] [PATCH V3 5/6] IntelSiliconPkg/SamplePlatformDevicePolicyDxe: Add sample policy.
Date: Thu, 7 Nov 2019 21:38:30 +0800
Message-Id: <20191107133831.22412-6-jiewen.yao@intel.com>
In-Reply-To: <20191107133831.22412-1-jiewen.yao@intel.com>
References: <20191107133831.22412-1-jiewen.yao@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303

This driver provides the platform sample policy to measure an NVMe card.

Cc: Ray Ni
Cc: Rangasai V Chaganty
Cc: Yun Lou
Signed-off-by: Jiewen Yao
Reviewed-by: Ray Ni
---
 .../SamplePlatformDevicePolicyDxe.c   | 204 ++++++++++++++++++
 .../SamplePlatformDevicePolicyDxe.inf |  40 ++++
 2 files changed, 244 insertions(+)
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/SamplePlatformDevicePolicyDxe.c
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/SamplePlatformDevicePolicyDxe.inf
diff --git a/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatf= ormDevicePolicyDxe/SamplePlatformDevicePolicyDxe.c b/Silicon/Intel/IntelSil= iconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/SamplePlatformDe= vicePolicyDxe.c new file mode 100644 index 0000000000..5b0897d6af --- /dev/null +++ b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevi= cePolicyDxe/SamplePlatformDevicePolicyDxe.c @@ -0,0 +1,204 @@ +/** @file + EDKII Device Security library for PCI device + +Copyright (c) 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +EDKII_DEVICE_SECURITY_POLICY mDeviceSecurityPolicyNone =3D { + EDKII_DEVICE_SECURITY_POLICY_REVISION, + 0, + 0, +}; +EDKII_DEVICE_SECURITY_POLICY mDeviceSecurityPolicyMeasurement = =3D { + EDKII_DEVICE_SECURITY_POLICY_REVISION, + EDKII_DEVICE_MEASUREMENT_REQUIRED, + 0, +}; + +/** + This function returns the device security policy associated with the dev= ice. + + The device security driver may call this interface to get the platform p= olicy + for the specific device and determine if the measurement or authenticati= on + is required. + + @param[in] This The protocol instance pointer. + @param[in] DeviceId The Identifier for the device. + @param[out] DeviceSecurityPolicy The Device Security Policy associated= with the device. + + @retval EFI_SUCCESS The device security policy is returned + @retval EFI_UNSUPPORTED The function is unsupported for the s= pecific Device. 
+**/ +EFI_STATUS +EFIAPI +GetDevicePolicy ( + IN EDKII_DEVICE_SECURITY_POLICY_PROTOCOL *This, + IN EDKII_DEVICE_IDENTIFIER *DeviceId, + OUT EDKII_DEVICE_SECURITY_POLICY *DeviceSecurityPolicy + ) +{ + EFI_STATUS Status; + EFI_PCI_IO_PROTOCOL *PciIo; + UINT16 PciVendorId; + UINT16 PciDeviceId; + + CopyMem (DeviceSecurityPolicy, &mDeviceSecurityPolicyNone, sizeof(EDKII_= DEVICE_SECURITY_POLICY)); + + DEBUG ((DEBUG_INFO, "GetDevicePolicy - 0x%g\n", &DeviceId->DeviceType)); + + if (!CompareGuid (&DeviceId->DeviceType, &gEdkiiDeviceIdentifierTypePciG= uid)) { + return EFI_SUCCESS; + } + + Status =3D gBS->HandleProtocol ( + DeviceId->DeviceHandle, + &gEdkiiDeviceIdentifierTypePciGuid, + (VOID **)&PciIo + ); + if (EFI_ERROR(Status)) { + DEBUG ((DEBUG_ERROR, "Locate - DeviceIdentifierTypePci - %r\n", Status= )); + return EFI_SUCCESS; + } + + Status =3D PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, PCI_VENDOR_ID_OF= FSET, 1, &PciVendorId); + ASSERT_EFI_ERROR(Status); + Status =3D PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, PCI_DEVICE_ID_OF= FSET, 1, &PciDeviceId); + ASSERT_EFI_ERROR(Status); + DEBUG ((DEBUG_INFO, "PCI Info - %04x:%04x\n", PciVendorId, PciDeviceId)); + + if ((PciVendorId =3D=3D 0x8086) && (PciDeviceId =3D=3D 0x0B60)) { + CopyMem (DeviceSecurityPolicy, &mDeviceSecurityPolicyMeasurement, size= of(EDKII_DEVICE_SECURITY_POLICY)); + } + + return EFI_SUCCESS; +} + +/** + This function sets the device state based upon the authentication result. + + The device security driver may call this interface to give the platform + a notify based upon the measurement or authentication result. + If the authentication or measurement fails, the platform may choose: + 1) Do nothing. + 2) Disable this device or slot temporarily and continue boot. + 3) Reset the platform and retry again. + 4) Disable this device or slot permanently. + 5) Any other platform specific action. + + @param[in] This The protocol instance pointer. + @param[in] DeviceId The Identifier for the device. 
+ @param[in] DeviceSecurityState The Device Security state associated = with the device. + + @retval EFI_SUCCESS The device state is set + @retval EFI_UNSUPPORTED The function is unsupported for the s= pecific Device. +**/ +EFI_STATUS +EFIAPI +NotifyDeviceState ( + IN EDKII_DEVICE_SECURITY_POLICY_PROTOCOL *This, + IN EDKII_DEVICE_IDENTIFIER *DeviceId, + IN EDKII_DEVICE_SECURITY_STATE *DeviceSecurityState + ) +{ + EFI_STATUS Status; + EFI_PCI_IO_PROTOCOL *PciIo; + UINT16 PciVendorId; + UINT16 PciDeviceId; + UINTN Segment; + UINTN Bus; + UINTN Device; + UINTN Function; + + DEBUG ((DEBUG_INFO, "NotifyDeviceState - 0x%g\n", &DeviceId->DeviceType)= ); + + if (!CompareGuid (&DeviceId->DeviceType, &gEdkiiDeviceIdentifierTypePciG= uid)) { + return EFI_SUCCESS; + } + + Status =3D gBS->HandleProtocol ( + DeviceId->DeviceHandle, + &gEdkiiDeviceIdentifierTypePciGuid, + (VOID **)&PciIo + ); + if (EFI_ERROR(Status)) { + DEBUG ((DEBUG_ERROR, "Locate - DeviceIdentifierTypePci - %r\n", Status= )); + return EFI_SUCCESS; + } + + Status =3D PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, PCI_VENDOR_ID_OF= FSET, 1, &PciVendorId); + ASSERT_EFI_ERROR(Status); + Status =3D PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, PCI_DEVICE_ID_OF= FSET, 1, &PciDeviceId); + ASSERT_EFI_ERROR(Status); + DEBUG ((DEBUG_INFO, "PCI Info - %04x:%04x\n", PciVendorId, PciDeviceId)); + + Status =3D PciIo->GetLocation ( + PciIo, + &Segment, + &Bus, + &Device, + &Function + ); + if (!EFI_ERROR(Status)) { + DEBUG ((DEBUG_INFO, "PCI Loc - %04x:%02x:%02x:%02x\n", + Segment, Bus, Device, Function)); + } + + DEBUG ((DEBUG_INFO, "State - Measurement - 0x%08x, Authentication - 0x%0= 8x\n", + DeviceSecurityState->MeasurementState, + DeviceSecurityState->AuthenticationState + )); + + return EFI_SUCCESS; +} + +EDKII_DEVICE_SECURITY_POLICY_PROTOCOL mDeviceSecurityPolicy =3D { + EDKII_DEVICE_SECURITY_POLICY_PROTOCOL_REVISION, + GetDevicePolicy, + NotifyDeviceState, +}; + +/** + Entrypoint of the device security driver. 
+ + @param[in] ImageHandle ImageHandle of the loaded driver + @param[in] SystemTable Pointer to the System Table + + @retval EFI_SUCCESS The Protocol is installed. + @retval EFI_OUT_OF_RESOURCES Not enough resources available to initial= ize driver. + @retval EFI_DEVICE_ERROR A device error occurred attempting to ini= tialize the driver. + +**/ +EFI_STATUS +EFIAPI +MainEntryPoint ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + EFI_HANDLE Handle; + EFI_STATUS Status; + + Handle =3D NULL; + Status =3D gBS->InstallProtocolInterface ( + &Handle, + &gEdkiiDeviceSecurityPolicyProtocolGuid, + EFI_NATIVE_INTERFACE, + &mDeviceSecurityPolicy + ); + ASSERT_EFI_ERROR(Status); + + return Status; +} diff --git a/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatf= ormDevicePolicyDxe/SamplePlatformDevicePolicyDxe.inf b/Silicon/Intel/IntelS= iliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/SamplePlatform= DevicePolicyDxe.inf new file mode 100644 index 0000000000..a9b77d8371 --- /dev/null +++ b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevi= cePolicyDxe/SamplePlatformDevicePolicyDxe.inf @@ -0,0 +1,40 @@ +## @file +# EDKII Device Security library for PCI device +# +# Copyright (c) 2019, Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D SamplePlatformDevicePolicyDxe + FILE_GUID =3D 7EA7AACF-7ED3-4166-8271-B21156523620 + MODULE_TYPE =3D DXE_DRIVER + VERSION_STRING =3D 1.0 + ENTRY_POINT =3D MainEntryPoint + +[Sources] + SamplePlatformDevicePolicyDxe.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + IntelSiliconPkg/IntelSiliconPkg.dec + +[LibraryClasses] + UefiRuntimeServicesTableLib + UefiBootServicesTableLib + UefiDriverEntryPoint + MemoryAllocationLib + DevicePathLib + BaseMemoryLib + PrintLib + DebugLib + +[Protocols] + gEdkiiDeviceSecurityPolicyProtocolGuid ## PRODUCES + gEdkiiDeviceIdentifierTypePciGuid ## COMSUMES + +[Depex] + TRUE --=20 2.19.2.windows.1
View/Reply Online (#50224): https://edk2.groups.io/g/devel/message/50224
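Review bot: GetDevicePolicy in SamplePlatformDevicePolicyDxe.c fails open. The policy is first set to mDeviceSecurityPolicyNone, and when `gBS->HandleProtocol (DeviceId->DeviceHandle, &gEdkiiDeviceIdentifierTypePciGuid, ...)` fails the function logs the error and still returns EFI_SUCCESS, so a PCI device whose identifier cannot be resolved is reported to the caller as requiring no measurement. The doc comment already defines `EFI_UNSUPPORTED The function is unsupported for the specific Device`; returning that (or the propagated Status) from the `if (EFI_ERROR(Status))` branch lets the device security driver distinguish "no policy for this device" from "device could not be identified". In the same function the two `PciIo->Pci.Read` results are only checked with `ASSERT_EFI_ERROR(Status)`, which compiles out in RELEASE builds, so a failed read leaves PciVendorId/PciDeviceId uninitialized before the `(PciVendorId == 0x8086) && (PciDeviceId == 0x0B60)` comparison; test Status with EFI_ERROR and return before comparing. Finally, the cast of the gEdkiiDeviceIdentifierTypePciGuid interface to `EFI_PCI_IO_PROTOCOL *` relies on a contract that is not stated anywhere in this file (that the identifier GUID is installed with the PciIo instance as its interface); a one-line comment at the HandleProtocol call would spare the next reader a trip to the header.

Review bot: in the [Protocols] section of SamplePlatformDevicePolicyDxe.inf the usage tag on `gEdkiiDeviceIdentifierTypePciGuid ## COMSUMES` is misspelled and should read `## CONSUMES`, matching the `## PRODUCES` annotation on the line above it so the usage comments are parsed consistently. The `@file` description `EDKII Device Security library for PCI device` also does not describe this module, which is a DXE_DRIVER (BASE_NAME SamplePlatformDevicePolicyDxe) that installs the platform device security policy protocol rather than a library; update the header comment to say what the sample driver does.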
From: "Yao, Jiewen" To: devel@edk2.groups.io Cc: Ray Ni , Rangasai V Chaganty , Yun Lou Subject: [edk2-devel] [PATCH V3 6/6] IntelSiliconPkg/dsc: Add Device Security component. Date: Thu, 7 Nov 2019 21:38:31 +0800 Message-Id: <20191107133831.22412-7-jiewen.yao@intel.com> In-Reply-To: <20191107133831.22412-1-jiewen.yao@intel.com> References: <20191107133831.22412-1-jiewen.yao@intel.com>
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D2303 Cc: Ray Ni Cc: Rangasai V Chaganty Cc: Yun Lou Signed-off-by: Jiewen Yao Reviewed-by: Ray Ni --- Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dsc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dsc b/Silicon/In= tel/IntelSiliconPkg/IntelSiliconPkg.dsc index df8984a606..0a6509d8b3 100644 --- a/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dsc +++ b/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dsc
@@ -35,6 +35,7 @@ CacheMaintenanceLib|MdePkg/Library/BaseCacheMaintenanceLib/BaseCacheMain= tenanceLib.inf MicrocodeFlashAccessLib|IntelSiliconPkg/Feature/Capsule/Library/Microcod= eFlashAccessLibNull/MicrocodeFlashAccessLibNull.inf PeiGetVtdPmrAlignmentLib|IntelSiliconPkg/Library/PeiGetVtdPmrAlignmentLi= b/PeiGetVtdPmrAlignmentLib.inf + TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurem= entLibNull.inf =20 [LibraryClasses.common.PEIM] PeimEntryPoint|MdePkg/Library/PeimEntryPoint/PeimEntryPoint.inf @@ -75,6 +76,8 @@ =20 [Components] IntelSiliconPkg/Library/DxeSmbiosDataHobLib/DxeSmbiosDataHobLib.inf + IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/IntelPciD= eviceSecurityDxe.inf + IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/Sampl= ePlatformDevicePolicyDxe.inf IntelSiliconPkg/Feature/VTd/IntelVTdDxe/IntelVTdDxe.inf IntelSiliconPkg/Feature/VTd/IntelVTdPmrPei/IntelVTdPmrPei.inf IntelSiliconPkg/Feature/VTd/PlatformVTdSampleDxe/PlatformVTdSampleDxe.inf --=20 2.19.2.windows.1
View/Reply Online (#50225): https://edk2.groups.io/g/devel/message/50225
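Review bot: the first hunk maps TpmMeasurementLib to `MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf`, so in this package build any measurement the newly added device security component requests is silently discarded. That is fine for IntelSiliconPkg.dsc as a build-coverage DSC, but nothing in the hunk or the commit message says so; add a comment on that line (or a sentence in the commit message) stating that a platform DSC must resolve TpmMeasurementLib to a real instance for the EDKII_DEVICE_MEASUREMENT_REQUIRED policy returned by the sample policy driver to have any effect.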