From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: devel@edk2.groups.io
Subject: [PATCH V3 0/6] Add Device Security driver
Date: Thu, 7 Nov 2019 21:38:25 +0800
Message-Id: <20191107133831.22412-1-jiewen.yao@intel.com>
X-Mailer: git-send-email 2.19.2.windows.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303

=============== V3 ===============

The V3 version addresses the feedback below:

Liming Gao:
1. Add SPDM spec version and align to latest one 0.99a.

Rangasai Chaganty:
1. Put a reference to the spec at the file header, for Intel PCI security spec.
2. Add some high level description above the structure definition that describes the structure.
3. On the services "GetDevicePolicy" and "SetDeviceState", add more error return states.

Ray Ni:
1. Add comments to each field of structures like EDKII_DEVICE_SECURITY_POLICY and EDKII_DEVICE_SECURITY_STATE.
2. Add comments to all the macros defined in this patch to explain the meaning and, more importantly, how they are going to impact the logic.
3. Make the macros short:
   EDKII_DEVICE_MEASUREMENT_POLICY_REQUIRED -> EDKII_DEVICE_MEASUREMENT_REQUIRED
   EDKII_DEVICE_AUTHENTICATION_POLICY_REQUIRED -> EDKII_DEVICE_AUTHENTICATION_REQUIRED
4. Rename the SetDeviceState to NotifyDeviceState.
5. Add comments to explain clearly what SetDeviceState() needs to do.
6. Change the prototype so that the caller needs to pass in a policy structure and GetDevicePolicy() fills the structure buffer using CopyMem.
7. Add the version macro for EDKII_DEVICE_SECURITY_POLICY_PROTOCOL.Version, SecurityPolicy.Version and SecurityState.Version.
8. Add clear debug information for the DvSec capability header.

=============== V2 ===============

This patch series adds support for device security based upon the DMTF SPDM specification.
https://www.dmtf.org/sites/default/files/standards/documents/DSP0274_0.95a.zip

We did the design review on 18 Oct, 2019.
https://edk2.groups.io/g/devel/files/Designs/2019/1018

And the feedback from the meeting is addressed.
https://edk2.groups.io/g/devel/files/Designs/2019/1018/EDKII-Device%20Firmware%20Security%20v2.pdf

The Device Security protocol is added in the EDKII repo. Here we add the producer that follows the Intel PCI security spec to do the device firmware measurement.
https://www.intel.com/content/www/us/en/io/pci-express/pcie-device-security-enhancements-spec.html

The EDKII repo update is at https://github.com/jyao1/edk2/tree/DeviceSecurityMasterV2
The EDKII platform repo update is at https://github.com/jyao1/edk2-platforms/tree/DeviceSecurityMasterV2

The validation has been done on an Intel internal platform. The device measurement can be shown in the TCG event log.

Signed-off-by: Jiewen Yao

Jiewen Yao (6):
  IntelSiliconPkg/Include: Add Intel PciSecurity definition.
  IntelSiliconPkg/Include: Add Platform Device Security Policy protocol
  IntelSiliconPkg/dec: Add ProtocolGuid definition.
  IntelSiliconPkg/IntelPciDeviceSecurityDxe: Add PciSecurity.
  IntelSiliconPkg/SamplePlatformDevicePolicyDxe: Add sample policy.
  IntelSiliconPkg/dsc: Add Device Security component.

 .../IntelPciDeviceSecurityDxe.c                 | 697 ++++++++++++++++++
 .../IntelPciDeviceSecurityDxe.inf               |  45 ++
 .../TcgDeviceEvent.h                            | 178 +++++
 .../SamplePlatformDevicePolicyDxe.c             | 204 +++++
 .../SamplePlatformDevicePolicyDxe.inf           |  40 +
 .../IndustryStandard/IntelPciSecurity.h         |  92 +++
 .../Protocol/PlatformDeviceSecurityPolicy.h     | 128 ++++
 .../Intel/IntelSiliconPkg/IntelSiliconPkg.dec   |   4 +
 .../Intel/IntelSiliconPkg/IntelSiliconPkg.dsc   |   3 +
 9 files changed, 1391 insertions(+)
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/IntelPciDeviceSecurityDxe.c
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/IntelPciDeviceSecurityDxe.inf
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/TcgDeviceEvent.h
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/SamplePlatformDevicePolicyDxe.c
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/SamplePlatformDevicePolicyDxe.inf
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Include/IndustryStandard/IntelPciSecurity.h
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecurityPolicy.h

-- 
2.19.2.windows.1
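The review items above describe a producer/consumer split: a platform policy driver answers GetDevicePolicy() into a caller-allocated, versioned EDKII_DEVICE_SECURITY_POLICY using CopyMem, the device-security driver reports its outcome through NotifyDeviceState() in a versioned EDKII_DEVICE_SECURITY_STATE, and the EDKII_DEVICE_MEASUREMENT_REQUIRED / EDKII_DEVICE_AUTHENTICATION_REQUIRED bits decide whether a failed measurement or authentication blocks the device. The following is an added, stand-alone illustration of that pattern written for this review, not code from the patch series or the edk2 tree: the macro names and structure names come from the cover letter, but their values, every field other than Version, the EFI_STATUS stand-ins, the DEVICE_ID type, the EnforceDevicePolicy() consumer and the vendor rule inside GetDevicePolicy() are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the EDK II base types so this builds outside the edk2 tree (assumed). */
typedef uint32_t UINT32;
typedef int      EFI_STATUS;
#define EFI_SUCCESS             0
#define EFI_INVALID_PARAMETER   1
#define EFI_UNSUPPORTED         2
#define EFI_SECURITY_VIOLATION  3

/* Version macros named in the cover letter; numeric values are assumed. */
#define EDKII_DEVICE_SECURITY_POLICY_VERSION  1
#define EDKII_DEVICE_SECURITY_STATE_VERSION   1

/* Policy bits named in the cover letter; bit positions are assumed. */
#define EDKII_DEVICE_MEASUREMENT_REQUIRED     0x00000001
#define EDKII_DEVICE_AUTHENTICATION_REQUIRED  0x00000002

/* Structure layouts beyond the Version field are assumed for illustration. */
typedef struct {
  UINT32 Version;   /* must equal EDKII_DEVICE_SECURITY_POLICY_VERSION */
  UINT32 Policy;    /* OR of EDKII_DEVICE_*_REQUIRED bits */
} EDKII_DEVICE_SECURITY_POLICY;

typedef struct {
  UINT32 Version;             /* must equal EDKII_DEVICE_SECURITY_STATE_VERSION */
  UINT32 MeasurementState;    /* 0 = measured OK, nonzero = failed (assumed encoding) */
  UINT32 AuthenticationState; /* 0 = authenticated, nonzero = failed (assumed encoding) */
} EDKII_DEVICE_SECURITY_STATE;

typedef struct { UINT32 VendorId; UINT32 DeviceId; } DEVICE_ID;  /* assumed identity */

/* Sample policy producer. The caller allocates the structure and sets Version;
   unknown versions are rejected and the answer is copied into the caller's
   buffer (CopyMem in EDK II, memcpy here). */
EFI_STATUS GetDevicePolicy(const DEVICE_ID *Device, EDKII_DEVICE_SECURITY_POLICY *Policy)
{
  EDKII_DEVICE_SECURITY_POLICY Answer;

  if (Device == NULL || Policy == NULL) return EFI_INVALID_PARAMETER;
  if (Policy->Version != EDKII_DEVICE_SECURITY_POLICY_VERSION) return EFI_UNSUPPORTED;

  /* Constructed rule: vendor 0x1234 needs measurement only; all others need both. */
  Answer.Version = EDKII_DEVICE_SECURITY_POLICY_VERSION;
  Answer.Policy  = (Device->VendorId == 0x1234)
                     ? EDKII_DEVICE_MEASUREMENT_REQUIRED
                     : (EDKII_DEVICE_MEASUREMENT_REQUIRED | EDKII_DEVICE_AUTHENTICATION_REQUIRED);
  memcpy(Policy, &Answer, sizeof(*Policy));
  return EFI_SUCCESS;
}

/* Sample NotifyDeviceState: validates the versioned structure and keeps the
   last report so that a platform could log or act on it. */
static EDKII_DEVICE_SECURITY_STATE gLastState;

EFI_STATUS NotifyDeviceState(const DEVICE_ID *Device, const EDKII_DEVICE_SECURITY_STATE *State)
{
  if (Device == NULL || State == NULL) return EFI_INVALID_PARAMETER;
  if (State->Version != EDKII_DEVICE_SECURITY_STATE_VERSION) return EFI_UNSUPPORTED;
  memcpy(&gLastState, State, sizeof(gLastState));
  return EFI_SUCCESS;
}

/* Consumer side (assumed helper): fetch the policy, report the measurement and
   authentication outcome, and block the device when a required step failed. */
EFI_STATUS EnforceDevicePolicy(const DEVICE_ID *Device, int MeasuredOk, int AuthenticatedOk)
{
  EDKII_DEVICE_SECURITY_POLICY Policy;
  EDKII_DEVICE_SECURITY_STATE  State;
  EFI_STATUS Status;

  memset(&Policy, 0, sizeof(Policy));
  Policy.Version = EDKII_DEVICE_SECURITY_POLICY_VERSION;   /* caller declares the ABI it expects */
  Status = GetDevicePolicy(Device, &Policy);
  if (Status != EFI_SUCCESS) return Status;

  State.Version             = EDKII_DEVICE_SECURITY_STATE_VERSION;
  State.MeasurementState    = MeasuredOk ? 0 : 1;
  State.AuthenticationState = AuthenticatedOk ? 0 : 1;
  Status = NotifyDeviceState(Device, &State);
  if (Status != EFI_SUCCESS) return Status;

  if ((Policy.Policy & EDKII_DEVICE_MEASUREMENT_REQUIRED) && State.MeasurementState != 0)
    return EFI_SECURITY_VIOLATION;
  if ((Policy.Policy & EDKII_DEVICE_AUTHENTICATION_REQUIRED) && State.AuthenticationState != 0)
    return EFI_SECURITY_VIOLATION;
  return EFI_SUCCESS;
}

int main(void)
{
  DEVICE_ID TrustedVendor = { 0x1234, 0x0001 };  /* constructed */
  DEVICE_ID OtherVendor   = { 0x5678, 0x0002 };  /* constructed */
  printf("trusted vendor, measured only: status %d\n", EnforceDevicePolicy(&TrustedVendor, 1, 0));
  printf("other vendor, measured only:   status %d\n", EnforceDevicePolicy(&OtherVendor, 1, 0));
  printf("other vendor, both passed:     status %d\n", EnforceDevicePolicy(&OtherVendor, 1, 1));
  return 0;
}
```

The Version check on both structures is what makes the caller-allocated buffer design safe to evolve: a producer built against a newer layout returns EFI_UNSUPPORTED instead of copying past the end of an older caller's structure, and the consumer never trusts a filled-in policy it did not ask for.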