From nobody Mon Feb 9 19:06:59 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+50224+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+50224+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1573133927; cv=none; d=zoho.com; s=zohoarc; b=kbFR2qKDObGNKVV9JZA4sC/+cC4bdB0AvmWp5hkfwB6iaVPuqi1ocZKCwOhn8MUatse6NyyTQIpEg2Zs+K8WCVZcf/fKEMBNgbZN98Hd87AhaWbNiLJWkoFA09+IiGT7cjrgCr8BGPw+Ryc1LZPKGkDEvUcLKLhQKuN/cBW4r4o= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1573133927; h=Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:References:Sender:Subject:To; bh=o3Bs4SZwgKgiw/J2cKkJkvdxTLHAthY7zvnmGqmk70Q=; b=I5sHSOORrQHwv1ehfZ9e97FalzZUV0nodehYL44O7Mtsf6aa2mqEiytWkTc9GoK3ZXuahukJp7gny51eFyMx1hLJyOSaXkNg7/A1Tw0CwLHMHLWSmWEMA2FaeCqEPFuudg2AyuO6wxG6haCseqP/MCw/7RnbY6i7tPiArk1Ys9E= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+50224+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1573133927424371.42910535461715; Thu, 7 Nov 2019 05:38:47 -0800 (PST) Return-Path: X-Received: by 127.0.0.2 with SMTP id uiuVYY1788612xvtk5lQUIGX; Thu, 07 Nov 2019 05:38:47 -0800 X-Received: from mga02.intel.com (mga02.intel.com []) by mx.groups.io with SMTP id smtpd.web12.4107.1573133917633868106 for ; Thu, 07 Nov 2019 05:38:44 -0800 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-Received: from orsmga003.jf.intel.com ([10.7.209.27]) by orsmga101.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Nov 2019 05:38:44 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.68,278,1569308400"; d="scan'208";a="205678765" X-Received: from jyao1-mobl2.ccr.corp.intel.com ([10.254.209.46]) by orsmga003.jf.intel.com with ESMTP; 07 Nov 2019 05:38:42 -0800 From: "Yao, Jiewen" To: devel@edk2.groups.io Cc: Ray Ni , Rangasai V Chaganty , Yun Lou Subject: [edk2-devel] [PATCH V3 5/6] IntelSiliconPkg/SamplePlatformDevicePolicyDxe: Add sample policy. Date: Thu, 7 Nov 2019 21:38:30 +0800 Message-Id: <20191107133831.22412-6-jiewen.yao@intel.com> In-Reply-To: <20191107133831.22412-1-jiewen.yao@intel.com> References: <20191107133831.22412-1-jiewen.yao@intel.com> MIME-Version: 1.0 Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,jiewen.yao@intel.com X-Gm-Message-State: U9ELVwbmZseY4vhwQh0Pc822x1787277AA= Content-Transfer-Encoding: quoted-printable DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1573133927; bh=0BGIL6/5Ak5DZ6PY9cKHNn3QvQceGAK9p0HI+iZF+mg=; h=Cc:Date:From:Reply-To:Subject:To; b=CweVMkcydQ8lRhOAbuD5/l+oDK5pNRqIdlSiB27rT1ZzfDDQvVitA5V8WUlqRxowi2O /QbvgkEsuC5ErWVIFGGpnYZKIm2DtTYzErA2b/6ZfWbaloG7/ku665/zo0zszQdMCgDyH YStwqyQp9xNFsRgDDd+q+VcY0owXLADdYa0= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Type: text/plain; charset="utf-8" REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D2303 This driver provides the platform sample policy to measure a NVMe card. Cc: Ray Ni Cc: Rangasai V Chaganty Cc: Yun Lou Signed-off-by: Jiewen Yao Reviewed-by: Ray Ni --- .../SamplePlatformDevicePolicyDxe.c | 204 ++++++++++++++++++ .../SamplePlatformDevicePolicyDxe.inf | 40 ++++ 2 files changed, 244 insertions(+) create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/Samp= lePlatformDevicePolicyDxe/SamplePlatformDevicePolicyDxe.c create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/Samp= lePlatformDevicePolicyDxe/SamplePlatformDevicePolicyDxe.inf diff --git a/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatf= ormDevicePolicyDxe/SamplePlatformDevicePolicyDxe.c b/Silicon/Intel/IntelSil= iconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/SamplePlatformDe= vicePolicyDxe.c new file mode 100644 index 0000000000..5b0897d6af --- /dev/null +++ b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevi= cePolicyDxe/SamplePlatformDevicePolicyDxe.c @@ -0,0 +1,204 @@ +/** @file + EDKII Device Security library for PCI device + +Copyright (c) 2019, Intel Corporation. All rights reserved.
+SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +EDKII_DEVICE_SECURITY_POLICY mDeviceSecurityPolicyNone =3D { + EDKII_DEVICE_SECURITY_POLICY_REVISION, + 0, + 0, +}; +EDKII_DEVICE_SECURITY_POLICY mDeviceSecurityPolicyMeasurement = =3D { + EDKII_DEVICE_SECURITY_POLICY_REVISION, + EDKII_DEVICE_MEASUREMENT_REQUIRED, + 0, +}; + +/** + This function returns the device security policy associated with the dev= ice. + + The device security driver may call this interface to get the platform p= olicy + for the specific device and determine if the measurement or authenticati= on + is required. + + @param[in] This The protocol instance pointer. + @param[in] DeviceId The Identifier for the device. + @param[out] DeviceSecurityPolicy The Device Security Policy associated= with the device. + + @retval EFI_SUCCESS The device security policy is returned + @retval EFI_UNSUPPORTED The function is unsupported for the s= pecific Device. +**/ +EFI_STATUS +EFIAPI +GetDevicePolicy ( + IN EDKII_DEVICE_SECURITY_POLICY_PROTOCOL *This, + IN EDKII_DEVICE_IDENTIFIER *DeviceId, + OUT EDKII_DEVICE_SECURITY_POLICY *DeviceSecurityPolicy + ) +{ + EFI_STATUS Status; + EFI_PCI_IO_PROTOCOL *PciIo; + UINT16 PciVendorId; + UINT16 PciDeviceId; + + CopyMem (DeviceSecurityPolicy, &mDeviceSecurityPolicyNone, sizeof(EDKII_= DEVICE_SECURITY_POLICY)); + + DEBUG ((DEBUG_INFO, "GetDevicePolicy - 0x%g\n", &DeviceId->DeviceType)); + + if (!CompareGuid (&DeviceId->DeviceType, &gEdkiiDeviceIdentifierTypePciG= uid)) { + return EFI_SUCCESS; + } + + Status =3D gBS->HandleProtocol ( + DeviceId->DeviceHandle, + &gEdkiiDeviceIdentifierTypePciGuid, + (VOID **)&PciIo + ); + if (EFI_ERROR(Status)) { + DEBUG ((DEBUG_ERROR, "Locate - DeviceIdentifierTypePci - %r\n", Status= )); + return EFI_SUCCESS; + } + + Status =3D PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, PCI_VENDOR_ID_OF= FSET, 1, &PciVendorId); + ASSERT_EFI_ERROR(Status); + Status =3D PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, PCI_DEVICE_ID_OF= FSET, 1, &PciDeviceId); + ASSERT_EFI_ERROR(Status); + DEBUG ((DEBUG_INFO, "PCI Info - %04x:%04x\n", PciVendorId, PciDeviceId)); + + if ((PciVendorId =3D=3D 0x8086) && (PciDeviceId =3D=3D 0x0B60)) { + CopyMem (DeviceSecurityPolicy, &mDeviceSecurityPolicyMeasurement, size= of(EDKII_DEVICE_SECURITY_POLICY)); + } + + return EFI_SUCCESS; +} + +/** + This function sets the device state based upon the authentication result. + + The device security driver may call this interface to give the platform + a notify based upon the measurement or authentication result. + If the authentication or measurement fails, the platform may choose: + 1) Do nothing. + 2) Disable this device or slot temporarily and continue boot. + 3) Reset the platform and retry again. + 4) Disable this device or slot permanently. + 5) Any other platform specific action. + + @param[in] This The protocol instance pointer. + @param[in] DeviceId The Identifier for the device. + @param[in] DeviceSecurityState The Device Security state associated = with the device. + + @retval EFI_SUCCESS The device state is set + @retval EFI_UNSUPPORTED The function is unsupported for the s= pecific Device. +**/ +EFI_STATUS +EFIAPI +NotifyDeviceState ( + IN EDKII_DEVICE_SECURITY_POLICY_PROTOCOL *This, + IN EDKII_DEVICE_IDENTIFIER *DeviceId, + IN EDKII_DEVICE_SECURITY_STATE *DeviceSecurityState + ) +{ + EFI_STATUS Status; + EFI_PCI_IO_PROTOCOL *PciIo; + UINT16 PciVendorId; + UINT16 PciDeviceId; + UINTN Segment; + UINTN Bus; + UINTN Device; + UINTN Function; + + DEBUG ((DEBUG_INFO, "NotifyDeviceState - 0x%g\n", &DeviceId->DeviceType)= ); + + if (!CompareGuid (&DeviceId->DeviceType, &gEdkiiDeviceIdentifierTypePciG= uid)) { + return EFI_SUCCESS; + } + + Status =3D gBS->HandleProtocol ( + DeviceId->DeviceHandle, + &gEdkiiDeviceIdentifierTypePciGuid, + (VOID **)&PciIo + ); + if (EFI_ERROR(Status)) { + DEBUG ((DEBUG_ERROR, "Locate - DeviceIdentifierTypePci - %r\n", Status= )); + return EFI_SUCCESS; + } + + Status =3D PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, PCI_VENDOR_ID_OF= FSET, 1, &PciVendorId); + ASSERT_EFI_ERROR(Status); + Status =3D PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, PCI_DEVICE_ID_OF= FSET, 1, &PciDeviceId); + ASSERT_EFI_ERROR(Status); + DEBUG ((DEBUG_INFO, "PCI Info - %04x:%04x\n", PciVendorId, PciDeviceId)); + + Status =3D PciIo->GetLocation ( + PciIo, + &Segment, + &Bus, + &Device, + &Function + ); + if (!EFI_ERROR(Status)) { + DEBUG ((DEBUG_INFO, "PCI Loc - %04x:%02x:%02x:%02x\n", + Segment, Bus, Device, Function)); + } + + DEBUG ((DEBUG_INFO, "State - Measurement - 0x%08x, Authentication - 0x%0= 8x\n", + DeviceSecurityState->MeasurementState, + DeviceSecurityState->AuthenticationState + )); + + return EFI_SUCCESS; +} + +EDKII_DEVICE_SECURITY_POLICY_PROTOCOL mDeviceSecurityPolicy =3D { + EDKII_DEVICE_SECURITY_POLICY_PROTOCOL_REVISION, + GetDevicePolicy, + NotifyDeviceState, +}; + +/** + Entrypoint of the device security driver. + + @param[in] ImageHandle ImageHandle of the loaded driver + @param[in] SystemTable Pointer to the System Table + + @retval EFI_SUCCESS The Protocol is installed. + @retval EFI_OUT_OF_RESOURCES Not enough resources available to initial= ize driver. + @retval EFI_DEVICE_ERROR A device error occurred attempting to ini= tialize the driver. + +**/ +EFI_STATUS +EFIAPI +MainEntryPoint ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + EFI_HANDLE Handle; + EFI_STATUS Status; + + Handle =3D NULL; + Status =3D gBS->InstallProtocolInterface ( + &Handle, + &gEdkiiDeviceSecurityPolicyProtocolGuid, + EFI_NATIVE_INTERFACE, + &mDeviceSecurityPolicy + ); + ASSERT_EFI_ERROR(Status); + + return Status; +} diff --git a/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatf= ormDevicePolicyDxe/SamplePlatformDevicePolicyDxe.inf b/Silicon/Intel/IntelS= iliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/SamplePlatform= DevicePolicyDxe.inf new file mode 100644 index 0000000000..a9b77d8371 --- /dev/null +++ b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevi= cePolicyDxe/SamplePlatformDevicePolicyDxe.inf @@ -0,0 +1,40 @@ +## @file +# EDKII Device Security library for PCI device +# +# Copyright (c) 2019, Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D SamplePlatformDevicePolicyDxe + FILE_GUID =3D 7EA7AACF-7ED3-4166-8271-B21156523620 + MODULE_TYPE =3D DXE_DRIVER + VERSION_STRING =3D 1.0 + ENTRY_POINT =3D MainEntryPoint + +[Sources] + SamplePlatformDevicePolicyDxe.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + IntelSiliconPkg/IntelSiliconPkg.dec + +[LibraryClasses] + UefiRuntimeServicesTableLib + UefiBootServicesTableLib + UefiDriverEntryPoint + MemoryAllocationLib + DevicePathLib + BaseMemoryLib + PrintLib + DebugLib + +[Protocols] + gEdkiiDeviceSecurityPolicyProtocolGuid ## PRODUCES + gEdkiiDeviceIdentifierTypePciGuid ## COMSUMES + +[Depex] + TRUE --=20 2.19.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#50224): https://edk2.groups.io/g/devel/message/50224 Mute This Topic: https://groups.io/mt/46028057/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-