From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mga02.intel.com (mga02.intel.com [134.134.136.20])
 by mx.groups.io with SMTP id smtpd.web12.4107.1573133917633868106
 for <devel@edk2.groups.io>;
 Thu, 07 Nov 2019 05:38:37 -0800
Authentication-Results: mx.groups.io;
 dkim=missing; spf=pass (domain: intel.com, ip: 134.134.136.20, mailfrom: jiewen.yao@intel.com)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga003.jf.intel.com ([10.7.209.27])
  by orsmga101.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Nov 2019 05:38:37 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.68,278,1569308400"; 
   d="scan'208";a="205678739"
Received: from jyao1-mobl2.ccr.corp.intel.com ([10.254.209.46])
  by orsmga003.jf.intel.com with ESMTP; 07 Nov 2019 05:38:36 -0800
From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: devel@edk2.groups.io
Subject: [PATCH V3 0/6] Add Device Security driver
Date: Thu,  7 Nov 2019 21:38:25 +0800
Message-Id: <20191107133831.22412-1-jiewen.yao@intel.com>
X-Mailer: git-send-email 2.19.2.windows.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303

=============== V3 ===============

The V3 version addresses the feedback below:

Liming Gao:
1. Add SPDM spec version and align to latest one 0.99a.

Rangasai Chaganty:
1. put a reference to the spec at the file header, for Intel PCI security spec.
2. add some high level description above the structure definition that
   describes the structure.
3. on the services "GetDevicePolicy" and "SetDeviceState", Add more error
   return states

Ray Ni:
1. add comments to each field of structures like EDKII_DEVICE_SECURITY_POLICY
   and EDKII_DEVICE_SECURITY_STATE.
2. add comments to all the macros defined in this patch to explain the meaning
   and more important how they are going to impact the logic.
3. make the macro short
    EDKII_DEVICE_MEASUREMENT_POLICY_REQUIRED -> EDKII_DEVICE_MEASUREMENT_REQUIRED
    EDKII_DEVICE_AUTHENTICATION_POLICY_REQUIRED -> EDKII_DEVICE_AUTHENTICATION_REQUIRED
4. rename the SetDeviceState to NotifyDeviceState.
5. add comments to explain clearly what SetDeviceState() needs to do.
6. change the prototype so that caller needs to pass in a policy structure and
   GetDevicePolicy() fills the structure buffer using CopyMem.
7. add the version macro for EDKII_DEVICE_SECURITY_POLICY_PROTOCOL.Version,
   securitypolicy.version and securitystate.version.
8. add clear debug information for DvSec capability header.

=============== V2 ===============

This patch series add support for device security based
upon the DMTF SPDM specification.
https://www.dmtf.org/sites/default/files/standards/documents/DSP0274_0.95a.zip

We did design review at 18 Oct, 2019.
https://edk2.groups.io/g/devel/files/Designs/2019/1018
And the feedback from the meeting is addressed.
https://edk2.groups.io/g/devel/files/Designs/2019/1018/EDKII-Device%20Firmware%20Security%20v2.pdf

The Device security protocol is added in EDKII repo.
Here we add the producer what follows Intel PCI security spec
to do the device firmware measurement.
https://www.intel.com/content/www/us/en/io/pci-express/pcie-device-security-enhancements-spec.html

The EDKII repo update is at https://github.com/jyao1/edk2/tree/DeviceSecurityMasterV2
The EDKII platform repo update is at https://github.com/jyao1/edk2-platforms/tree/DeviceSecurityMasterV2

The validation has been done on a Intel internal platform.
The device measurement can be shown in TCG event log.

signed-off-by: Jiewen Yao <jiewen.yao@intel.com>

Jiewen Yao (6):
  IntelSiliconPkg/Include: Add Intel PciSecurity definition.
  IntelSiliconPkg/Include: Add Platform Device Security Policy protocol
  IntelSiliconPkg/dec: Add ProtocolGuid definition.
  IntelSiliconPkg/IntelPciDeviceSecurityDxe: Add PciSecurity.
  IntelSiliconPkg/SamplePlatformDevicePolicyDxe: Add sample policy.
  IntelSiliconPkg/dsc: Add Device Security component.

 .../IntelPciDeviceSecurityDxe.c               | 697 ++++++++++++++++++
 .../IntelPciDeviceSecurityDxe.inf             |  45 ++
 .../TcgDeviceEvent.h                          | 178 +++++
 .../SamplePlatformDevicePolicyDxe.c           | 204 +++++
 .../SamplePlatformDevicePolicyDxe.inf         |  40 +
 .../IndustryStandard/IntelPciSecurity.h       |  92 +++
 .../Protocol/PlatformDeviceSecurityPolicy.h   | 128 ++++
 .../Intel/IntelSiliconPkg/IntelSiliconPkg.dec |   4 +
 .../Intel/IntelSiliconPkg/IntelSiliconPkg.dsc |   3 +
 9 files changed, 1391 insertions(+)
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/IntelPciDeviceSecurityDxe.c
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/IntelPciDeviceSecurityDxe.inf
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/TcgDeviceEvent.h
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/SamplePlatformDevicePolicyDxe.c
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/SamplePlatformDevicePolicyDxe.inf
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Include/IndustryStandard/IntelPciSecurity.h
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecurityPolicy.h

-- 
2.19.2.windows.1