[PATCH V3 0/4] Add SPDM device security

[PATCH V3 0/4] Add SPDM device security

[Yao, Jiewen]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303

========= v3 =============

The patch addresses the feedback below:
Liming Gao:
1) specify the spec version in file header for SPDM.

Ray Ni:
1) create a standalone function like PciDeviceAuthenticate() and
move the new code to that function then call it from CreatePciIoDevice

========= v2 =============
This patch series add support for device security based
upon the DMTF SPDM specification.
https://www.dmtf.org/sites/default/files/standards/documents/DSP0274_0.95a.zip

We did design review at 18 Oct, 2019.
https://edk2.groups.io/g/devel/files/Designs/2019/1018
And the feedback from the meeting is addressed.
https://edk2.groups.io/g/devel/files/Designs/2019/1018/EDKII-Device%20Firmware%20Security%20v2.pdf

We add the Device security protocol in EDKII repo.
PCI bus driver consumes the interface.
If there is no producer, the PCI bus driver keeps current behavior.

So far, we only provide the producer what follows Intel
PCI security spec.
https://www.intel.com/content/www/us/en/io/pci-express/pcie-device-security-enhancements-spec.html
The implementation is put to EDKII platform repo.

The EDKII repo update is at https://github.com/jyao1/edk2/tree/DeviceSecurityMasterV2
The EDKII platform repo update is at https://github.com/jyao1/edk2-platforms/tree/DeviceSecurityMasterV2

The validation has been done on a Intel internal platform.
The device measurement can be shown in TCG event log.

signed-off-by: Jiewen Yao <jiewen.yao@intel.com>

Jiewen Yao (4):
  MdePkg/Include: Add DMTF SPDM definition.
  MdeModulePkg/Include: Add DeviceSecurity.h
  MdeModulePkg/dec: Add EdkiiDeviceSecurityProtocolGuid.
  MdeModulePkg/Pci: Add DeviceSecurity support.

 MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.c       |  12 +-
 MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.h       |   1 +
 MdeModulePkg/Bus/Pci/PciBusDxe/PciBusDxe.inf  |   4 +-
 .../Bus/Pci/PciBusDxe/PciEnumeratorSupport.c  |  77 +++++
 MdeModulePkg/Bus/Pci/PciBusDxe/PciLib.c       |   4 +-
 .../Include/Protocol/DeviceSecurity.h         | 162 +++++++++
 MdeModulePkg/MdeModulePkg.dec                 |   5 +
 MdePkg/Include/IndustryStandard/Spdm.h        | 320 ++++++++++++++++++
 8 files changed, 581 insertions(+), 4 deletions(-)
 create mode 100644 MdeModulePkg/Include/Protocol/DeviceSecurity.h
 create mode 100644 MdePkg/Include/IndustryStandard/Spdm.h

-- 
2.19.2.windows.1

[PATCH V3 1/4] MdePkg/Include: Add DMTF SPDM definition.

[Yao, Jiewen]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303

Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Yun Lou <yun.lou@intel.com>
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed by: Liming Gao <liming.gao@intel.com>
---
 MdePkg/Include/IndustryStandard/Spdm.h | 320 +++++++++++++++++++++++++
 1 file changed, 320 insertions(+)
 create mode 100644 MdePkg/Include/IndustryStandard/Spdm.h

diff --git a/MdePkg/Include/IndustryStandard/Spdm.h b/MdePkg/Include/IndustryStandard/Spdm.h
new file mode 100644
index 0000000000..c05395fea7
--- /dev/null
+++ b/MdePkg/Include/IndustryStandard/Spdm.h
@@ -0,0 +1,320 @@
+/** @file
+  Definitions of Security Protocol & Data Model Specification (SPDM)
+  version 0.99a in Distributed Management Task Force (DMTF).
+
+Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+
+#ifndef __SPDM_H__
+#define __SPDM_H__
+
+#pragma pack(1)
+
+///
+/// SPDM response code
+///
+#define SPDM_DIGESTS               0x01
+#define SPDM_CERTIFICATE           0x02
+#define SPDM_CHALLENGE_AUTH        0x03
+#define SPDM_VERSION               0x04
+#define SPDM_MEASUREMENTS          0x60
+#define SPDM_CAPABILITIES          0x61
+#define SPDM_SET_CERT_RESPONSE     0x62
+#define SPDM_ALGORITHMS            0x63
+#define SPDM_ERROR                 0x7F
+///
+/// SPDM request code
+///
+#define SPDM_GET_DIGESTS           0x81
+#define SPDM_GET_CERTIFICATE       0x82
+#define SPDM_CHALLENGE             0x83
+#define SPDM_GET_VERSION           0x84
+#define SPDM_GET_MEASUREMENTS      0xE0
+#define SPDM_GET_CAPABILITIES      0xE1
+#define SPDM_NEGOTIATE_ALGORITHMS  0xE3
+#define SPDM_RESPOND_IF_READY      0xFF
+
+///
+/// SPDM message header
+///
+typedef struct {
+  UINT8   SPDMVersion;
+  UINT8   RequestResponseCode;
+  UINT8   Param1;
+  UINT8   Param2;
+} SPDM_MESSAGE_HEADER;
+
+#define SPDM_MESSAGE_VERSION  0x10
+
+///
+/// SPDM GET_VERSION request
+///
+typedef struct {
+  SPDM_MESSAGE_HEADER  Header;
+} SPDM_GET_VERSION_REQUEST;
+
+///
+/// SPDM GET_VERSION response
+///
+typedef struct {
+  SPDM_MESSAGE_HEADER  Header;
+  UINT8                Reserved;
+  UINT8                VersionNumberEntryCount;
+//SPDM_VERSION_NUMBER  VersionNumberEntry[VersionNumberEntryCount];
+} SPDM_VERSION_RESPONSE;
+
+///
+/// SPDM VERSION structure
+///
+typedef struct {
+  UINT16               Alpha:4;
+  UINT16               UpdateVersionNumber:4;
+  UINT16               MinorVersion:4;
+  UINT16               MajorVersion:4;
+} SPDM_VERSION_NUMBER;
+
+///
+/// SPDM GET_CAPABILITIES request
+///
+typedef struct {
+  SPDM_MESSAGE_HEADER  Header;
+} SPDM_GET_CAPABILITIES_REQUEST;
+
+///
+/// SPDM GET_CAPABILITIES response
+///
+typedef struct {
+  SPDM_MESSAGE_HEADER  Header;
+  UINT8                Reserved;
+  UINT8                CTExponent;
+  UINT16               Reserved2;
+  UINT32               Flags;
+} SPDM_CAPABILITIES_RESPONSE;
+
+///
+/// SPDM GET_CAPABILITIES response Flags
+///
+#define SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_CACHE_CAP       BIT0
+#define SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_CERT_CAP        BIT1
+#define SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_CHAL_CAP        BIT2
+#define SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MEAS_CAP        (BIT3 | BIT4)
+#define SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MEAS_CAP_NO_SIG   BIT3
+#define SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MEAS_CAP_SIG      BIT4
+#define SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MEAS_FRESH_CAP  BIT5
+
+///
+/// SPDM NEGOTIATE_ALGORITHMS request
+///
+typedef struct {
+  SPDM_MESSAGE_HEADER  Header;
+  UINT16               Length;
+  UINT8                MeasurementSpecification;
+  UINT8                Reserved;
+  UINT32               BaseAsymAlgo;
+  UINT32               BaseHashAlgo;
+  UINT8                Reserved2[12];
+  UINT8                ExtAsymCount;
+  UINT8                ExtHashCount;
+  UINT16               Reserved3;
+//UINT32               ExtAsym[ExtAsymCount];
+//UINT32               ExtHash[ExtHashCount];
+} SPDM_NEGOTIATE_ALGORITHMS_REQUEST;
+
+///
+/// SPDM NEGOTIATE_ALGORITHMS request BaseAsymAlgo
+///
+#define SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_RSASSA_2048           BIT0
+#define SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_RSAPSS_2048           BIT1
+#define SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_RSASSA_3072           BIT2
+#define SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_RSAPSS_3072           BIT3
+#define SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_ECDSA_ECC_NIST_P256   BIT4
+#define SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_RSASSA_4096           BIT5
+#define SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_RSAPSS_4096           BIT6
+#define SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_ECDSA_ECC_NIST_P384   BIT7
+#define SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_ECDSA_ECC_NIST_P521   BIT8
+
+///
+/// SPDM NEGOTIATE_ALGORITHMS request BaseHashAlgo
+///
+#define SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA_256               BIT0
+#define SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA_384               BIT1
+#define SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA_512               BIT2
+#define SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA3_256              BIT3
+#define SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA3_384              BIT4
+#define SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA3_512              BIT5
+
+///
+/// SPDM NEGOTIATE_ALGORITHMS response
+///
+typedef struct {
+  SPDM_MESSAGE_HEADER  Header;
+  UINT16               Length;
+  UINT8                MeasurementSpecificationSel;
+  UINT8                Reserved;
+  UINT32               MeasurementHashAlgo;
+  UINT32               BaseAsymSel;
+  UINT32               BaseHashSel;
+  UINT8                Reserved2[12];
+  UINT8                ExtAsymSelCount;
+  UINT8                ExtHashSelCount;
+  UINT16               Reserved3;
+//UINT32               ExtAsymSel[ExtAsymSelCount];
+//UINT32               ExtHashSel[ExtHashSelCount];
+} SPDM_ALGORITHMS_RESPONSE;
+
+///
+/// SPDM NEGOTIATE_ALGORITHMS response MeasurementHashAlgo
+///
+#define SPDM_ALGORITHMS_MEASUREMENT_HASH_ALGO_RAW_BIT_STREAM_ONLY BIT0
+#define SPDM_ALGORITHMS_MEASUREMENT_HASH_ALGO_TPM_ALG_SHA_256     BIT1
+#define SPDM_ALGORITHMS_MEASUREMENT_HASH_ALGO_TPM_ALG_SHA_384     BIT2
+#define SPDM_ALGORITHMS_MEASUREMENT_HASH_ALGO_TPM_ALG_SHA_512     BIT3
+#define SPDM_ALGORITHMS_MEASUREMENT_HASH_ALGO_TPM_ALG_SHA3_256    BIT4
+#define SPDM_ALGORITHMS_MEASUREMENT_HASH_ALGO_TPM_ALG_SHA3_384    BIT5
+#define SPDM_ALGORITHMS_MEASUREMENT_HASH_ALGO_TPM_ALG_SHA3_512    BIT6
+
+///
+/// SPDM GET_DIGESTS request
+///
+typedef struct {
+  SPDM_MESSAGE_HEADER  Header;
+} SPDM_GET_DIGESTS_REQUEST;
+
+///
+/// SPDM GET_DIGESTS response
+///
+typedef struct {
+  SPDM_MESSAGE_HEADER  Header;
+//UINT8                Digest[DigestSize];
+} SPDM_DIGESTS_RESPONSE;
+
+///
+/// SPDM GET_DIGESTS request
+///
+typedef struct {
+  SPDM_MESSAGE_HEADER  Header;
+  UINT16               Offset;
+  UINT16               Length;
+} SPDM_GET_CERTIFICATE_REQUEST;
+
+///
+/// SPDM GET_DIGESTS response
+///
+typedef struct {
+  SPDM_MESSAGE_HEADER  Header;
+  UINT16               PortionLength;
+  UINT16               RemainderLength;
+//UINT8                CertChain[CertChainSize];
+} SPDM_CERTIFICATE_RESPONSE;
+
+///
+/// SPDM CHALLENGE request
+///
+typedef struct {
+  SPDM_MESSAGE_HEADER  Header;
+  UINT32               Nonce;
+} SPDM_CHALLENGE_REQUEST;
+
+///
+/// SPDM CHALLENGE response
+///
+typedef struct {
+  SPDM_MESSAGE_HEADER  Header;
+//UINT8                CertChainHash[DigestSize];
+//UINT32               Nonce;
+//UINT8                MeasurementSummaryHash[DigestSize];
+//UINT16               OpaqueLength;
+//UINT8                OpaqueData[OpaqueLength];
+//UINT8                Signature[KeySize];
+} SPDM_CHALLENGE_AUTH_RESPONSE;
+
+///
+/// SPDM GET_MEASUREMENTS request
+///
+typedef struct {
+  SPDM_MESSAGE_HEADER  Header;
+  UINT32               Nonce;
+} SPDM_GET_MEASUREMENTS_REQUEST;
+
+///
+/// SPDM MEASUREMENTS block common header
+///
+typedef struct {
+  UINT8                Index;
+  UINT8                MeasurementSpecification;
+  UINT16               MeasurementSize;
+//UINT8                Measurement[MeasurementSize];
+} SPDM_MEASUREMENT_BLOCK_COMMON_HEADER;
+
+#define SPDM_MEASUREMENT_BLOCK_HEADER_SPECIFICATION_DMTF BIT0
+
+///
+/// SPDM MEASUREMENTS block DMTF header
+///
+typedef struct {
+  UINT8                DMTFSpecMeasurementValueType;
+  UINT16               DMTFSpecMeasurementValueSize;
+//UINT8                DMTFSpecMeasurementValue[DMTFSpecMeasurementValueSize];
+} SPDM_MEASUREMENT_BLOCK_DMTF_HEADER;
+
+///
+/// SPDM MEASUREMENTS block MeasurementValueType
+///
+#define SPDM_MEASUREMENT_BLOCK_MEASUREMENT_TYPE_IMMUTABLE_ROM           0
+#define SPDM_MEASUREMENT_BLOCK_MEASUREMENT_TYPE_MUTABLE_FIRMWARE        1
+#define SPDM_MEASUREMENT_BLOCK_MEASUREMENT_TYPE_HARDWARE_CONFIGURATION  2
+#define SPDM_MEASUREMENT_BLOCK_MEASUREMENT_TYPE_FIRMWARE_CONFIGURATION  3
+#define SPDM_MEASUREMENT_BLOCK_MEASUREMENT_TYPE_RAW_BIT_STREAM          BIT7
+
+///
+/// SPDM GET_MEASUREMENTS response
+///
+typedef struct {
+  SPDM_MESSAGE_HEADER  Header;
+  UINT8                NumberOfBlocks;
+  UINT8                MeasurementRecordLength[3];
+//UINT8                MeasurementRecord[MeasurementRecordLength];
+//UINT32               Nonce;
+//UINT16               OpaqueLength;
+//UINT8                OpaqueData[OpaqueLength];
+//UINT8                Signature[KeySize];
+} SPDM_MEASUREMENTS_RESPONSE;
+
+///
+/// SPDM ERROR response
+///
+typedef struct {
+  SPDM_MESSAGE_HEADER  Header;
+  // Param1 == Error Code
+  // Param2 == Error Data
+//UINT8                ExtendedErrorData[];
+} SPDM_ERROR_RESPONSE;
+
+///
+/// SPDM error code
+///
+#define SPDM_ERROR_CODE_INVALID_REQUEST         0x01
+#define SPDM_ERROR_CODE_BUSY                    0x03
+#define SPDM_ERROR_CODE_UNEXPECTED_REQUEST      0x04
+#define SPDM_ERROR_CODE_UNSPECIFIED             0x05
+#define SPDM_ERROR_CODE_UNSUPPORTED_REQUEST     0x07
+#define SPDM_ERROR_CODE_MAJOR_VERSION_MISMATCH  0x41
+#define SPDM_ERROR_CODE_RESPONSE_NOT_READY      0x42
+#define SPDM_ERROR_CODE_REQUEST_RESYNCH         0x43
+
+///
+/// SPDM RESPONSE_IF_READY request
+///
+typedef struct {
+  SPDM_MESSAGE_HEADER  Header;
+  // Param1 == RequestCode
+  // Param2 == Token
+} SPDM_RESPONSE_IF_READY_REQUEST;
+
+#pragma pack()
+
+#endif
+
-- 
2.19.2.windows.1

[PATCH V3 2/4] MdeModulePkg/Include: Add DeviceSecurity.h

[Yao, Jiewen]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303

EDKII_DEVICE_SECURITY_PROTOCOL is used for device
measurement and/or authentication.
It is similar to EFI_SECURITY_ARCH_PROTOCOL.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Yun Lou <yun.lou@intel.com>
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
---
 .../Include/Protocol/DeviceSecurity.h         | 162 ++++++++++++++++++
 1 file changed, 162 insertions(+)
 create mode 100644 MdeModulePkg/Include/Protocol/DeviceSecurity.h

diff --git a/MdeModulePkg/Include/Protocol/DeviceSecurity.h b/MdeModulePkg/Include/Protocol/DeviceSecurity.h
new file mode 100644
index 0000000000..c3bf624cac
--- /dev/null
+++ b/MdeModulePkg/Include/Protocol/DeviceSecurity.h
@@ -0,0 +1,162 @@
+/** @file
+  Device Security Protocol definition.
+
+  It is used to authenticate a device based upon the platform policy.
+  It is similar to the EFI_SECURITY_ARCH_PROTOCOL, which is used to verify a image.
+
+Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+
+#ifndef __DEVICE_SECURITY_H__
+#define __DEVICE_SECURITY_H__
+
+//
+// Device Security Protocol GUID value
+//
+#define EDKII_DEVICE_SECURITY_PROTOCOL_GUID \
+    { \
+      0x5d6b38c8, 0x5510, 0x4458, { 0xb4, 0x8d, 0x95, 0x81, 0xcf, 0xa7, 0xb0, 0xd } \
+    }
+
+//
+// Forward reference for pure ANSI compatability
+//
+typedef struct _EDKII_DEVICE_SECURITY_PROTOCOL  EDKII_DEVICE_SECURITY_PROTOCOL;
+
+//
+// Revision The revision to which the DEVICE_SECURITY interface adheres.
+//          All future revisions must be backwards compatible.
+//          If a future version is not back wards compatible it is not the same GUID.
+//
+#define EDKII_DEVICE_SECURITY_PROTOCOL_REVISION 0x00010000
+
+//
+// The device identifier.
+//
+typedef struct {
+  ///
+  /// Version of this data structure.
+  ///
+  UINT32                Version;
+  ///
+  /// Type of the device.
+  /// This field is also served as a device Access protocol GUID.
+  /// The device access protocol is installed on the DeviceHandle.
+  /// The device access protocol is device specific.
+  ///   EDKII_DEVICE_IDENTIFIER_TYPE_PCI_GUID means the device access protocol is PciIo.
+  ///   EDKII_DEVICE_IDENTIFIER_TYPE_USB_GUID means the device access protocol is UsbIo.
+  ///
+  EFI_GUID              DeviceType;
+  ///
+  /// The handle created for this device.
+  /// NOTE: This might be a temporary handle.
+  ///       If the device is not authenticated, this handle shall be uninstalled.
+  ///
+  /// As minimal requirement, there should be 2 protocols installed on the device handle.
+  /// 1) An EFI_DEVICE_PATH_PROTOCOL with EFI_DEVICE_PATH_PROTOCOL_GUID.
+  /// 2) A device access protocol with EDKII_DEVICE_IDENTIFIER_TYPE_xxx_GUID.
+  ///    If the device is PCI device, the EFI_PCI_IO_PROTOCOL is installed with
+  ///    EDKII_DEVICE_IDENTIFIER_TYPE_PCI_GUID.
+  ///    If the device is USB device, the EFI_USB_IO_PROTOCOL is installed with
+  ///    EDKII_DEVICE_IDENTIFIER_TYPE_USB_GUID.
+  ///
+  ///    The device access protocol is required, because the verifier need have a way
+  ///    to communciate with the device hardware to get the measurement or do the
+  ///    challenge/response for the device authentication.
+  ///
+  /// NOTE: We don't use EFI_PCI_IO_PROTOCOL_GUID or EFI_USB_IO_PROTOCOL_GUID here,
+  ///       because we don't want to expose a real protocol. A platform may have driver
+  ///       register a protocol notify function. Installing a real protocol may cause
+  ///       the callback function being executed before the device is authenticated.
+  ///
+  EFI_HANDLE            DeviceHandle;
+} EDKII_DEVICE_IDENTIFIER;
+
+//
+// Revision The revision to which the DEVICE_IDENTIFIER interface adheres.
+//          All future revisions must be backwards compatible.
+//
+#define EDKII_DEVICE_IDENTIFIER_REVISION 0x00010000
+
+//
+// Device Identifier GUID value
+//
+#define EDKII_DEVICE_IDENTIFIER_TYPE_PCI_GUID \
+    { \
+      0x2509b2f1, 0xa022, 0x4cca, { 0xaf, 0x70, 0xf9, 0xd3, 0x21, 0xfb, 0x66, 0x49 } \
+    }
+
+#define EDKII_DEVICE_IDENTIFIER_TYPE_USB_GUID \
+    { \
+      0x7394f350, 0x394d, 0x488c, { 0xbb, 0x75, 0xc, 0xab, 0x7b, 0x12, 0xa, 0xc5 } \
+    }
+
+/**
+  The device driver uses this service to measure and/or verify a device.
+
+  The flow in device driver is:
+  1) Device driver discovers a new device.
+  2) Device driver creates an EFI_DEVICE_PATH_PROTOCOL.
+  3) Device driver creates a device access protocol. e.g.
+     EFI_PCI_IO_PROTOCOL for PCI device.
+     EFI_USB_IO_PROTOCOL for USB device.
+     EFI_EXT_SCSI_PASS_THRU_PROTOCOL for SCSI device.
+     EFI_ATA_PASS_THRU_PROTOCOL for ATA device.
+     EFI_NVM_EXPRESS_PASS_THRU_PROTOCOL for NVMe device.
+     EFI_SD_MMC_PASS_THRU_PROTOCOL for SD/MMC device.
+  4) Device driver installs the EFI_DEVICE_PATH_PROTOCOL with EFI_DEVICE_PATH_PROTOCOL_GUID,
+     and the device access protocol with EDKII_DEVICE_IDENTIFIER_TYPE_xxx_GUID.
+     Once it is done, a DeviceHandle is returned.
+  5) Device driver creates EDKII_DEVICE_IDENTIFIER with EDKII_DEVICE_IDENTIFIER_TYPE_xxx_GUID
+     and the DeviceHandle.
+  6) Device driver calls DeviceAuthenticate().
+  7) If DeviceAuthenticate() returns EFI_SECURITY_VIOLATION, the device driver uninstalls
+     all protocols on this handle.
+  8) If DeviceAuthenticate() returns EFI_SUCCESS, the device driver installs the device access
+     protocol with a real protocol GUID. e.g.
+     EFI_PCI_IO_PROTOCOL with EFI_PCI_IO_PROTOCOL_GUID.
+     EFI_USB_IO_PROTOCOL with EFI_USB_IO_PROTOCOL_GUID.
+
+  @param[in]  This              The protocol instance pointer.
+  @param[in]  DeviceId          The Identifier for the device.
+
+  @retval EFI_SUCCESS              The device specified by the DeviceId passed the measurement
+                                   and/or authentication based upon the platform policy.
+                                   If TCG measurement is required, the measurement is extended to TPM PCR.
+  @retval EFI_SECURITY_VIOLATION   The device fails to return the measurement data.
+  @retval EFI_SECURITY_VIOLATION   The device fails to response the authentication request.
+  @retval EFI_SECURITY_VIOLATION   The system fails to verify the device based upon the authentication response.
+  @retval EFI_SECURITY_VIOLATION   The system fails to extend the measurement to TPM PCR.
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EDKII_DEVICE_AUTHENTICATE)(
+  IN EDKII_DEVICE_SECURITY_PROTOCOL  *This,
+  IN EDKII_DEVICE_IDENTIFIER         *DeviceId
+  );
+
+///
+/// Device Security Protocol structure.
+/// It is similar to the EFI_SECURITY_ARCH_PROTOCOL, which is used to verify a image.
+/// This protocol is used to authenticate a device based upon the platform policy.
+///
+struct _EDKII_DEVICE_SECURITY_PROTOCOL {
+  UINT64                              Revision;
+  EDKII_DEVICE_AUTHENTICATE           DeviceAuthenticate;
+};
+
+///
+/// Device Security Protocol GUID variable.
+///
+extern EFI_GUID gEdkiiDeviceSecurityProtocolGuid;
+
+///
+/// Device Identifier tpye GUID variable.
+///
+extern EFI_GUID gEdkiiDeviceIdentifierTypePciGuid;
+extern EFI_GUID gEdkiiDeviceIdentifierTypeUsbGuid;
+
+#endif
-- 
2.19.2.windows.1

[PATCH V3 3/4] MdeModulePkg/dec: Add EdkiiDeviceSecurityProtocolGuid.

[Yao, Jiewen]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Yun Lou <yun.lou@intel.com>
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
---
 MdeModulePkg/MdeModulePkg.dec | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/MdeModulePkg/MdeModulePkg.dec b/MdeModulePkg/MdeModulePkg.dec
index d6bac974da..b7356aa4ed 100644
--- a/MdeModulePkg/MdeModulePkg.dec
+++ b/MdeModulePkg/MdeModulePkg.dec
@@ -584,6 +584,11 @@
   ## Include/Protocol/IoMmu.h
   gEdkiiIoMmuProtocolGuid = { 0x4e939de9, 0xd948, 0x4b0f, { 0x88, 0xed, 0xe6, 0xe1, 0xce, 0x51, 0x7c, 0x1e } }
 
+  ## Include/Protocol/DeviceSecurity.h
+  gEdkiiDeviceSecurityProtocolGuid  = { 0x5d6b38c8, 0x5510, 0x4458, { 0xb4, 0x8d, 0x95, 0x81, 0xcf, 0xa7, 0xb0, 0xd } }
+  gEdkiiDeviceIdentifierTypePciGuid = { 0x2509b2f1, 0xa022, 0x4cca, { 0xaf, 0x70, 0xf9, 0xd3, 0x21, 0xfb, 0x66, 0x49 } }
+  gEdkiiDeviceIdentifierTypeUsbGuid = { 0x7394f350, 0x394d, 0x488c, { 0xbb, 0x75, 0xc, 0xab, 0x7b, 0x12, 0xa, 0xc5 } }
+
   ## Include/Protocol/SmmMemoryAttribute.h
   gEdkiiSmmMemoryAttributeProtocolGuid = { 0x69b792ea, 0x39ce, 0x402d, { 0xa2, 0xa6, 0xf7, 0x21, 0xde, 0x35, 0x1d, 0xfe } }
 
-- 
2.19.2.windows.1

[PATCH V3 4/4] MdeModulePkg/Pci: Add DeviceSecurity support.

[Yao, Jiewen]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303

Whenever a PCI device is discovered, PCI bus calls the
EDKII_DEVICE_SECURITY_PROTOCOL to authenticate it.
If the function returns success, the PCI bus allocates
the resource and installs the PCI_IO for the device.
If the function returns fail, the PCI bus skips the device.

It is similar to EFI_SECURITY_ARCH_PROTOCOL, which
is used to verify an EFI image.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Hao A Wu <hao.a.wu@intel.com>
Cc: Ray Ni <ray.ni@intel.com>
Cc: Yun Lou <yun.lou@intel.com>
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Ray Ni <ray.ni@intel.com>
---
 MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.c       | 12 ++-
 MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.h       |  1 +
 MdeModulePkg/Bus/Pci/PciBusDxe/PciBusDxe.inf  |  4 +-
 .../Bus/Pci/PciBusDxe/PciEnumeratorSupport.c  | 77 +++++++++++++++++++
 MdeModulePkg/Bus/Pci/PciBusDxe/PciLib.c       |  4 +-
 5 files changed, 94 insertions(+), 4 deletions(-)

diff --git a/MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.c b/MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.c
index b020ce50ce..64284ac825 100644
--- a/MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.c
+++ b/MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.c
@@ -8,7 +8,7 @@
   PCI Root Bridges. So it means platform needs install PCI Root Bridge IO protocol for each
   PCI Root Bus and install PCI Host Bridge Resource Allocation Protocol.
 
-Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR>
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -37,7 +37,7 @@ UINT64                                        gAllZero             = 0;
 EFI_PCI_PLATFORM_PROTOCOL                     *gPciPlatformProtocol;
 EFI_PCI_OVERRIDE_PROTOCOL                     *gPciOverrideProtocol;
 EDKII_IOMMU_PROTOCOL                          *mIoMmuProtocol;
-
+EDKII_DEVICE_SECURITY_PROTOCOL                *mDeviceSecurityProtocol;
 
 GLOBAL_REMOVE_IF_UNREFERENCED EFI_PCI_HOTPLUG_REQUEST_PROTOCOL mPciHotPlugRequest = {
   PciHotPlugRequestNotify
@@ -293,6 +293,14 @@ PciBusDriverBindingStart (
           );
   }
 
+  if (mDeviceSecurityProtocol == NULL) {
+    gBS->LocateProtocol (
+          &gEdkiiDeviceSecurityProtocolGuid,
+          NULL,
+          (VOID **) &mDeviceSecurityProtocol
+          );
+  }
+
   if (PcdGetBool (PcdPciDisableBusEnumeration)) {
     gFullEnumeration = FALSE;
   } else {
diff --git a/MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.h b/MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.h
index 504a1b1c12..d4113993c8 100644
--- a/MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.h
+++ b/MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.h
@@ -27,6 +27,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #include <Protocol/PciOverride.h>
 #include <Protocol/PciEnumerationComplete.h>
 #include <Protocol/IoMmu.h>
+#include <Protocol/DeviceSecurity.h>
 
 #include <Library/DebugLib.h>
 #include <Library/UefiDriverEntryPoint.h>
diff --git a/MdeModulePkg/Bus/Pci/PciBusDxe/PciBusDxe.inf b/MdeModulePkg/Bus/Pci/PciBusDxe/PciBusDxe.inf
index 05c22025b8..9284998f36 100644
--- a/MdeModulePkg/Bus/Pci/PciBusDxe/PciBusDxe.inf
+++ b/MdeModulePkg/Bus/Pci/PciBusDxe/PciBusDxe.inf
@@ -2,7 +2,7 @@
 #  The PCI bus driver will probe all PCI devices and allocate MMIO and IO space for these devices.
 #  Please use PCD feature flag PcdPciBusHotplugDeviceSupport to enable hot plug supporting.
 #
-#  Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR>
 #
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
 #
@@ -90,6 +90,8 @@
   gEfiIncompatiblePciDeviceSupportProtocolGuid    ## SOMETIMES_CONSUMES
   gEfiLoadFile2ProtocolGuid                       ## SOMETIMES_PRODUCES
   gEdkiiIoMmuProtocolGuid                         ## SOMETIMES_CONSUMES
+  gEdkiiDeviceSecurityProtocolGuid                ## SOMETIMES_CONSUMES
+  gEdkiiDeviceIdentifierTypePciGuid               ## SOMETIMES_CONSUMES
   gEfiLoadedImageDevicePathProtocolGuid           ## CONSUMES
 
 [FeaturePcd]
diff --git a/MdeModulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c b/MdeModulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c
index c7eafff593..f8020f4e72 100644
--- a/MdeModulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c
+++ b/MdeModulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c
@@ -10,6 +10,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 #include "PciBus.h"
 
 extern CHAR16  *mBarTypeStr[];
+extern EDKII_DEVICE_SECURITY_PROTOCOL                          *mDeviceSecurityProtocol;
 
 #define OLD_ALIGN   0xFFFFFFFFFFFFFFFFULL
 #define EVEN_ALIGN  0xFFFFFFFFFFFFFFFEULL
@@ -2070,6 +2071,67 @@ InitializeP2C (
   PciIo->Pci.Write (PciIo, EfiPciIoWidthUint8, 0x3C, 1, &gAllZero);
 }
 
+/*
+  Authenticate the PCI device by using DeviceSecurityProtocol.
+
+  @param PciIoDevice  PCI device.
+
+  @retval EFI_SUCCESS     The device passes the authentication.
+  @return not EFI_SUCCESS The device failes the authentication or
+                          unexpected error happen during authentication.
+*/
+EFI_STATUS
+AuthenticatePciDevice (
+  IN PCI_IO_DEVICE            *PciIoDevice
+  )
+{
+  EDKII_DEVICE_IDENTIFIER  DeviceIdentifier;
+  EFI_STATUS               Status;
+
+  if (mDeviceSecurityProtocol != NULL) {
+    //
+    // Prepare the parameter
+    //
+    DeviceIdentifier.Version = EDKII_DEVICE_IDENTIFIER_REVISION;
+    CopyGuid (&DeviceIdentifier.DeviceType, &gEdkiiDeviceIdentifierTypePciGuid);
+    DeviceIdentifier.DeviceHandle = NULL;
+    Status = gBS->InstallMultipleProtocolInterfaces (
+                    &DeviceIdentifier.DeviceHandle,
+                    &gEfiDevicePathProtocolGuid,
+                    PciIoDevice->DevicePath,
+                    &gEdkiiDeviceIdentifierTypePciGuid,
+                    &PciIoDevice->PciIo,
+                    NULL
+                    );
+    if (EFI_ERROR(Status)) {
+      return Status;
+    }
+
+    //
+    // Do DeviceAuthentication
+    //
+    Status = mDeviceSecurityProtocol->DeviceAuthenticate (mDeviceSecurityProtocol, &DeviceIdentifier);
+    //
+    // Always uninstall, because they are only for Authentication.
+    // No need to check return Status.
+    //
+    gBS->UninstallMultipleProtocolInterfaces (
+                    DeviceIdentifier.DeviceHandle,
+                    &gEfiDevicePathProtocolGuid,
+                    PciIoDevice->DevicePath,
+                    &gEdkiiDeviceIdentifierTypePciGuid,
+                    &PciIoDevice->PciIo,
+                    NULL
+                    );
+    return Status;
+  }
+
+  //
+  // Device Security Protocol is not found, just return success
+  //
+  return EFI_SUCCESS;
+}
+
 /**
   Create and initialize general PCI I/O device instance for
   PCI device/bridge device/hotplug bridge device.
@@ -2156,6 +2218,21 @@ CreatePciIoDevice (
     PciIoDevice->IsPciExp = TRUE;
   }
 
+  //
+  // Now we can do the authentication check for the device.
+  //
+  Status = AuthenticatePciDevice (PciIoDevice);
+  //
+  // If authentication fails, skip this device.
+  //
+  if (EFI_ERROR(Status)) {
+    if (PciIoDevice->DevicePath != NULL) {
+      FreePool (PciIoDevice->DevicePath);
+    }
+    FreePool (PciIoDevice);
+    return NULL;
+  }
+
   if (PcdGetBool (PcdAriSupport)) {
     //
     // Check if the device is an ARI device.
diff --git a/MdeModulePkg/Bus/Pci/PciBusDxe/PciLib.c b/MdeModulePkg/Bus/Pci/PciBusDxe/PciLib.c
index 5b55fb5d3b..72690ab647 100644
--- a/MdeModulePkg/Bus/Pci/PciBusDxe/PciLib.c
+++ b/MdeModulePkg/Bus/Pci/PciBusDxe/PciLib.c
@@ -1054,7 +1054,9 @@ PciScanBus (
                 &PciDevice
                 );
 
-      ASSERT (!EFI_ERROR (Status));
+      if (EFI_ERROR (Status)) {
+        continue;
+      }
 
       PciAddress = EFI_PCI_ADDRESS (StartBusNumber, Device, Func, 0);
 
-- 
2.19.2.windows.1