[PATCH V3 0/6] Add Device Security driver

[PATCH V3 0/6] Add Device Security driver

[Yao, Jiewen]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303

=============== V3 ===============

The V3 version addresses the feedback below:

Liming Gao:
1. Add SPDM spec version and align to latest one 0.99a.

Rangasai Chaganty:
1. put a reference to the spec at the file header, for Intel PCI security spec.
2. add some high level description above the structure definition that
   describes the structure.
3. on the services "GetDevicePolicy" and "SetDeviceState", Add more error
   return states

Ray Ni:
1. add comments to each field of structures like EDKII_DEVICE_SECURITY_POLICY
   and EDKII_DEVICE_SECURITY_STATE.
2. add comments to all the macros defined in this patch to explain the meaning
   and more important how they are going to impact the logic.
3. make the macro short
    EDKII_DEVICE_MEASUREMENT_POLICY_REQUIRED -> EDKII_DEVICE_MEASUREMENT_REQUIRED
    EDKII_DEVICE_AUTHENTICATION_POLICY_REQUIRED -> EDKII_DEVICE_AUTHENTICATION_REQUIRED
4. rename the SetDeviceState to NotifyDeviceState.
5. add comments to explain clearly what SetDeviceState() needs to do.
6. change the prototype so that caller needs to pass in a policy structure and
   GetDevicePolicy() fills the structure buffer using CopyMem.
7. add the version macro for EDKII_DEVICE_SECURITY_POLICY_PROTOCOL.Version,
   securitypolicy.version and securitystate.version.
8. add clear debug information for DvSec capability header.

=============== V2 ===============

This patch series add support for device security based
upon the DMTF SPDM specification.
https://www.dmtf.org/sites/default/files/standards/documents/DSP0274_0.95a.zip

We did design review at 18 Oct, 2019.
https://edk2.groups.io/g/devel/files/Designs/2019/1018
And the feedback from the meeting is addressed.
https://edk2.groups.io/g/devel/files/Designs/2019/1018/EDKII-Device%20Firmware%20Security%20v2.pdf

The Device security protocol is added in EDKII repo.
Here we add the producer what follows Intel PCI security spec
to do the device firmware measurement.
https://www.intel.com/content/www/us/en/io/pci-express/pcie-device-security-enhancements-spec.html

The EDKII repo update is at https://github.com/jyao1/edk2/tree/DeviceSecurityMasterV2
The EDKII platform repo update is at https://github.com/jyao1/edk2-platforms/tree/DeviceSecurityMasterV2

The validation has been done on a Intel internal platform.
The device measurement can be shown in TCG event log.

signed-off-by: Jiewen Yao <jiewen.yao@intel.com>

Jiewen Yao (6):
  IntelSiliconPkg/Include: Add Intel PciSecurity definition.
  IntelSiliconPkg/Include: Add Platform Device Security Policy protocol
  IntelSiliconPkg/dec: Add ProtocolGuid definition.
  IntelSiliconPkg/IntelPciDeviceSecurityDxe: Add PciSecurity.
  IntelSiliconPkg/SamplePlatformDevicePolicyDxe: Add sample policy.
  IntelSiliconPkg/dsc: Add Device Security component.

 .../IntelPciDeviceSecurityDxe.c               | 697 ++++++++++++++++++
 .../IntelPciDeviceSecurityDxe.inf             |  45 ++
 .../TcgDeviceEvent.h                          | 178 +++++
 .../SamplePlatformDevicePolicyDxe.c           | 204 +++++
 .../SamplePlatformDevicePolicyDxe.inf         |  40 +
 .../IndustryStandard/IntelPciSecurity.h       |  92 +++
 .../Protocol/PlatformDeviceSecurityPolicy.h   | 128 ++++
 .../Intel/IntelSiliconPkg/IntelSiliconPkg.dec |   4 +
 .../Intel/IntelSiliconPkg/IntelSiliconPkg.dsc |   3 +
 9 files changed, 1391 insertions(+)
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/IntelPciDeviceSecurityDxe.c
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/IntelPciDeviceSecurityDxe.inf
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/TcgDeviceEvent.h
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/SamplePlatformDevicePolicyDxe.c
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/SamplePlatformDevicePolicyDxe.inf
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Include/IndustryStandard/IntelPciSecurity.h
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecurityPolicy.h

-- 
2.19.2.windows.1

[PATCH V3 1/6] IntelSiliconPkg/Include: Add Intel PciSecurity definition.

[Yao, Jiewen]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303

Cc: Ray Ni <ray.ni@intel.com>
Cc: Rangasai V Chaganty <rangasai.v.chaganty@intel.com>
Cc: Yun Lou <yun.lou@intel.com>
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
---
 .../IndustryStandard/IntelPciSecurity.h       | 92 +++++++++++++++++++
 1 file changed, 92 insertions(+)
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Include/IndustryStandard/IntelPciSecurity.h

diff --git a/Silicon/Intel/IntelSiliconPkg/Include/IndustryStandard/IntelPciSecurity.h b/Silicon/Intel/IntelSiliconPkg/Include/IndustryStandard/IntelPciSecurity.h
new file mode 100644
index 0000000000..f2bdb7ee2d
--- /dev/null
+++ b/Silicon/Intel/IntelSiliconPkg/Include/IndustryStandard/IntelPciSecurity.h
@@ -0,0 +1,92 @@
+/** @file
+  Intel PCI security data structure definition from
+  PCIe* Device Security Enhancements Specification.
+
+  https://www.intel.com/content/www/us/en/io/pci-express/pcie-device-security-enhancements-spec.html
+
+  NOTE: The data structure is not fully match the current specification,
+  because it is aligned with the real hardware implementation with minor adjustment
+  on INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, INTEL_PCI_DIGEST_DATA_MODIFIED and
+  INTEL_PCI_DIGEST_DATA_VALID.
+
+Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef __INTEL_PCI_SECURITY_H__
+#define __INTEL_PCI_SECURITY_H__
+
+#pragma pack(1)
+
+///
+/// The PCIE capability structure header for Intel PCI DVSEC extension.
+///
+typedef struct {
+  UINT16  CapId;           // 0x23: DVSEC
+  UINT16  CapVersion:4;    // 1
+  UINT16  NextOffset:12;
+  UINT16  DvSecVendorId;   // 0x8086
+  UINT16  DvSecRevision:4; // 1
+  UINT16  DvSecLength:12;
+  UINT16  DvSecId;         // 0x3E: Measure
+} INTEL_PCI_DIGEST_CAPABILITY_HEADER;
+
+#define INTEL_PCI_CAPID_DVSEC                0x23
+#define INTEL_PCI_DVSEC_VENDORID_INTEL       0x8086
+#define INTEL_PCI_DVSEC_DVSECID_MEASUREMENT  0x3E
+
+///
+/// The Intel PCI digest modified macro.
+///
+#define INTEL_PCI_DIGEST_MODIFIED        BIT0
+
+///
+/// The Intel PCI DVSEC digest data modified structure.
+///
+typedef union {
+  struct {
+    UINT8   DigestModified:1;         // RW1C
+    UINT8   Reserved0:7;
+  } Bits;
+  UINT8 Data;
+} INTEL_PCI_DIGEST_DATA_MODIFIED;
+
+///
+/// The Intel PCI digest valid macro.
+///
+#define INTEL_PCI_DIGEST_0_VALID         BIT0
+#define INTEL_PCI_DIGEST_0_LOCKED        BIT1
+#define INTEL_PCI_DIGEST_1_VALID         BIT2
+#define INTEL_PCI_DIGEST_1_LOCKED        BIT3
+
+///
+/// The Intel PCI DVSEC digest data valid structure.
+///
+typedef union {
+  struct {
+    UINT8   Digest0Valid:1;          // RO
+    UINT8   Digest0Locked:1;         // RO
+    UINT8   Digest1Valid:1;          // RO
+    UINT8   Digest1Locked:1;         // RO
+    UINT8   Reserved1:4;
+  } Bits;
+  UINT8 Data;
+} INTEL_PCI_DIGEST_DATA_VALID;
+
+///
+/// The PCIE capability structure for Intel PCI DVSEC extension with digest.
+///
+typedef struct {
+  INTEL_PCI_DIGEST_DATA_MODIFIED   Modified;   // RW1C
+  INTEL_PCI_DIGEST_DATA_VALID      Valid;      // RO
+  UINT16                           TcgAlgId;   // RO
+  UINT8                            FirmwareID; // RO
+  UINT8                            Reserved;
+//UINT8                            Digest[];
+} INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE;
+
+#pragma pack()
+
+#endif
+
-- 
2.19.2.windows.1

[PATCH V3 2/6] IntelSiliconPkg/Include: Add Platform Device Security Policy protocol

[Yao, Jiewen]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303

Cc: Ray Ni <ray.ni@intel.com>
Cc: Rangasai V Chaganty <rangasai.v.chaganty@intel.com>
Cc: Yun Lou <yun.lou@intel.com>
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
---
 .../Protocol/PlatformDeviceSecurityPolicy.h   | 128 ++++++++++++++++++
 1 file changed, 128 insertions(+)
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecurityPolicy.h

diff --git a/Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecurityPolicy.h b/Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecurityPolicy.h
new file mode 100644
index 0000000000..b151781de2
--- /dev/null
+++ b/Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecurityPolicy.h
@@ -0,0 +1,128 @@
+/** @file
+  Platform Device Security Policy Protocol definition
+
+  Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+  SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+
+#ifndef __EDKII_DEVICE_SECURITY_POLICY_PROTOCOL_H__
+#define __EDKII_DEVICE_SECURITY_POLICY_PROTOCOL_H__
+
+#include <Uefi.h>
+#include <Protocol/DeviceSecurity.h>
+
+typedef struct _EDKII_DEVICE_SECURITY_POLICY_PROTOCOL EDKII_DEVICE_SECURITY_POLICY_PROTOCOL;
+
+//
+// Revision The revision to which the DEVICE_SECURITY_POLICY protocol interface adheres.
+//          All future revisions must be backwards compatible.
+//          If a future version is not back wards compatible it is not the same GUID.
+//
+#define EDKII_DEVICE_SECURITY_POLICY_PROTOCOL_REVISION 0x00010000
+
+//
+// Revision The revision to which the DEVICE_SECURITY_POLICY structure adheres.
+//          All future revisions must be backwards compatible.
+//
+#define EDKII_DEVICE_SECURITY_POLICY_REVISION 0x00010000
+
+///
+/// The macro for the policy defined in EDKII_DEVICE_SECURITY_POLICY
+///
+#define EDKII_DEVICE_MEASUREMENT_REQUIRED                 BIT0
+#define EDKII_DEVICE_AUTHENTICATION_REQUIRED              BIT0
+
+///
+/// The device security policy data structure
+///
+typedef struct {
+  UINT32     Version;
+  UINT32     MeasurementPolicy;
+  UINT32     AuthenticationPolicy;
+} EDKII_DEVICE_SECURITY_POLICY;
+
+//
+// Revision The revision to which the DEVICE_SECURITY_STATE structure adheres.
+//          All future revisions must be backwards compatible.
+//
+#define EDKII_DEVICE_SECURITY_STATE_REVISION 0x00010000
+
+///
+/// The macro for the state defined in EDKII_DEVICE_SECURITY_STATE
+///
+#define EDKII_DEVICE_SECURITY_STATE_SUCCESS                          0
+#define EDKII_DEVICE_SECURITY_STATE_ERROR                            BIT31
+#define EDKII_DEVICE_SECURITY_STATE_ERROR_UEFI_UNSUPPORTED           (EDKII_DEVICE_SECURITY_STATE_ERROR + 0x0)
+#define EDKII_DEVICE_SECURITY_STATE_ERROR_UEFI_GET_POLICY_PROTOCOL   (EDKII_DEVICE_SECURITY_STATE_ERROR + 0x1)
+#define EDKII_DEVICE_SECURITY_STATE_ERROR_PCI_NO_CAPABILITIES        (EDKII_DEVICE_SECURITY_STATE_ERROR + 0x10)
+#define EDKII_DEVICE_SECURITY_STATE_ERROR_TCG_EXTEND_TPM_PCR         (EDKII_DEVICE_SECURITY_STATE_ERROR + 0x20)
+
+///
+/// The device security state data structure
+///
+typedef struct {
+  UINT32     Version;
+  UINT32     MeasurementState;
+  UINT32     AuthenticationState;
+} EDKII_DEVICE_SECURITY_STATE;
+
+/**
+  This function returns the device security policy associated with the device.
+
+  The device security driver may call this interface to get the platform policy
+  for the specific device and determine if the measurement or authentication
+  is required.
+
+  @param[in]  This                   The protocol instance pointer.
+  @param[in]  DeviceId               The Identifier for the device.
+  @param[out] DeviceSecurityPolicy   The Device Security Policy associated with the device.
+
+  @retval EFI_SUCCESS                The device security policy is returned
+  @retval EFI_UNSUPPORTED            The function is unsupported for the specific Device.
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EDKII_DEVICE_SECURITY_GET_DEVICE_POLICY) (
+  IN  EDKII_DEVICE_SECURITY_POLICY_PROTOCOL  *This,
+  IN  EDKII_DEVICE_IDENTIFIER                *DeviceId,
+  OUT EDKII_DEVICE_SECURITY_POLICY           *DeviceSecurityPolicy
+  );
+
+/**
+  This function sets the device state based upon the authentication result.
+
+  The device security driver may call this interface to give the platform
+  a notify based upon the measurement or authentication result.
+  If the authentication or measurement fails, the platform may choose:
+  1) Do nothing.
+  2) Disable this device or slot temporarily and continue boot.
+  3) Reset the platform and retry again.
+  4) Disable this device or slot permanently.
+  5) Any other platform specific action.
+
+  @param[in]  This                   The protocol instance pointer.
+  @param[in]  DeviceId               The Identifier for the device.
+  @param[in]  DeviceSecurityState    The Device Security state associated with the device.
+
+  @retval EFI_SUCCESS                The device state is set.
+  @retval EFI_UNSUPPORTED            The function is unsupported for the specific Device.
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EDKII_DEVICE_SECURITY_NOTIFY_DEVICE_STATE) (
+  IN  EDKII_DEVICE_SECURITY_POLICY_PROTOCOL  *This,
+  IN  EDKII_DEVICE_IDENTIFIER                *DeviceId,
+  IN  EDKII_DEVICE_SECURITY_STATE            *DeviceSecurityState
+  );
+
+struct _EDKII_DEVICE_SECURITY_POLICY_PROTOCOL {
+  UINT32                                      Version;
+  EDKII_DEVICE_SECURITY_GET_DEVICE_POLICY     GetDevicePolicy;
+  EDKII_DEVICE_SECURITY_NOTIFY_DEVICE_STATE   NotifyDeviceState;
+};
+
+extern EFI_GUID gEdkiiDeviceSecurityPolicyProtocolGuid;
+
+#endif
-- 
2.19.2.windows.1

[PATCH V3 3/6] IntelSiliconPkg/dec: Add ProtocolGuid definition.

[Yao, Jiewen]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303

Cc: Ray Ni <ray.ni@intel.com>
Cc: Rangasai V Chaganty <rangasai.v.chaganty@intel.com>
Cc: Yun Lou <yun.lou@intel.com>
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
---
 Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dec | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dec b/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dec
index 3079fc2869..22ebf19c4e 100644
--- a/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dec
+++ b/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dec
@@ -54,6 +54,10 @@
 [Protocols]
   gEdkiiPlatformVTdPolicyProtocolGuid = { 0x3d17e448, 0x466, 0x4e20, { 0x99, 0x9f, 0xb2, 0xe1, 0x34, 0x88, 0xee, 0x22 }}
 
+  ## Protocol for device security policy.
+  # Include/Protocol/PlatformDeviceSecurityPolicy.h
+  gEdkiiDeviceSecurityPolicyProtocolGuid = {0x7ea41a99, 0x5e32, 0x4c97, {0x88, 0xc4, 0xd6, 0xe7, 0x46, 0x84, 0x9, 0xd4}}
+
 [PcdsFixedAtBuild, PcdsPatchableInModule]
   ## Error code for VTd error.<BR><BR>
   #  EDKII_ERROR_CODE_VTD_ERROR = (EFI_IO_BUS_UNSPECIFIED | (EFI_OEM_SPECIFIC | 0x00000000)) = 0x02008000<BR>
-- 
2.19.2.windows.1

[PATCH V3 4/6] IntelSiliconPkg/IntelPciDeviceSecurityDxe: Add PciSecurity.

[Yao, Jiewen]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303

This driver is to do the PCI device authentication
based upon Intel PCIe Security Specification.

Cc: Ray Ni <ray.ni@intel.com>
Cc: Rangasai V Chaganty <rangasai.v.chaganty@intel.com>
Cc: Yun Lou <yun.lou@intel.com>
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Yun Lou <yun.lou@intel.com>
---
 .../IntelPciDeviceSecurityDxe.c               | 697 ++++++++++++++++++
 .../IntelPciDeviceSecurityDxe.inf             |  45 ++
 .../TcgDeviceEvent.h                          | 178 +++++
 3 files changed, 920 insertions(+)
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/IntelPciDeviceSecurityDxe.c
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/IntelPciDeviceSecurityDxe.inf
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/TcgDeviceEvent.h

diff --git a/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/IntelPciDeviceSecurityDxe.c b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/IntelPciDeviceSecurityDxe.c
new file mode 100644
index 0000000000..8838d5635a
--- /dev/null
+++ b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/IntelPciDeviceSecurityDxe.c
@@ -0,0 +1,697 @@
+/** @file
+  EDKII Device Security library for PCI device.
+  It follows the Intel PCIe Security Specification.
+
+Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Uefi.h>
+#include <IndustryStandard/Spdm.h>
+#include <IndustryStandard/IntelPciSecurity.h>
+#include <IndustryStandard/Pci.h>
+#include <IndustryStandard/Tpm20.h>
+#include <IndustryStandard/UefiTcgPlatform.h>
+#include <Library/BaseLib.h>
+#include <Library/DebugLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/TpmMeasurementLib.h>
+#include <Protocol/PciIo.h>
+#include <Protocol/DeviceSecurity.h>
+#include <Protocol/PlatformDeviceSecurityPolicy.h>
+#include "TcgDeviceEvent.h"
+
+typedef struct {
+  EDKII_DEVICE_SECURITY_EVENT_DATA_HEADER       EventData;
+  SPDM_MEASUREMENT_BLOCK_COMMON_HEADER          CommonHeader;
+  SPDM_MEASUREMENT_BLOCK_DMTF_HEADER            DmtfHeader;
+  UINT8                                         Digest[SHA256_DIGEST_SIZE];
+  EDKII_DEVICE_SECURITY_EVENT_DATA_PCI_CONTEXT  PciContext;
+} EDKII_DEVICE_SECURITY_PCI_EVENT_DATA;
+
+typedef struct {
+  UINTN         Signature;
+  LIST_ENTRY    Link;
+  UINTN         PciSegment;
+  UINTN         PciBus;
+  UINTN         PciDevice;
+  UINTN         PciFunction;
+} PCI_DEVICE_INSTANCE;
+
+#define PCI_DEVICE_INSTANCE_SIGNATURE  SIGNATURE_32 ('P', 'D', 'I', 'S')
+#define PCI_DEVICE_INSTANCE_FROM_LINK(a)  CR (a, PCI_DEVICE_INSTANCE, Link, PCI_DEVICE_INSTANCE_SIGNATURE)
+
+LIST_ENTRY mSecurityEventMeasurementDeviceList = INITIALIZE_LIST_HEAD_VARIABLE(mSecurityEventMeasurementDeviceList);;
+EDKII_DEVICE_SECURITY_POLICY_PROTOCOL  *mDeviceSecurityPolicy;
+
+/**
+  Record a PCI device into device list.
+
+  @param PciIo            PciIo instance of the device
+  @param PciDeviceList    The list to record the the device
+**/
+VOID
+RecordPciDeviceInList(
+  IN EFI_PCI_IO_PROTOCOL          *PciIo,
+  IN LIST_ENTRY                   *PciDeviceList
+  )
+{
+  UINTN                 PciSegment;
+  UINTN                 PciBus;
+  UINTN                 PciDevice;
+  UINTN                 PciFunction;
+  EFI_STATUS            Status;
+  PCI_DEVICE_INSTANCE   *NewPciDevice;
+
+  Status = PciIo->GetLocation (PciIo, &PciSegment, &PciBus, &PciDevice, &PciFunction);
+  ASSERT_EFI_ERROR(Status);
+
+  NewPciDevice = AllocateZeroPool(sizeof(*NewPciDevice));
+  ASSERT_EFI_ERROR(NewPciDevice != NULL);
+
+  NewPciDevice->Signature   = PCI_DEVICE_INSTANCE_SIGNATURE;
+  NewPciDevice->PciSegment  = PciSegment;
+  NewPciDevice->PciBus      = PciBus;
+  NewPciDevice->PciDevice   = PciDevice;
+  NewPciDevice->PciFunction = PciFunction;
+
+  InsertTailList(PciDeviceList, &NewPciDevice->Link);
+}
+
+/**
+  Check if a PCI device is recorded in device list.
+
+  @param PciIo            PciIo instance of the device
+  @param PciDeviceList    The list to record the the device
+
+  @retval TRUE  The PCI device is in the list.
+  @retval FALSE The PCI device is NOT in the list.
+**/
+BOOLEAN
+IsPciDeviceInList(
+  IN EFI_PCI_IO_PROTOCOL          *PciIo,
+  IN LIST_ENTRY                   *PciDeviceList
+  )
+{
+  UINTN                 PciSegment;
+  UINTN                 PciBus;
+  UINTN                 PciDevice;
+  UINTN                 PciFunction;
+  EFI_STATUS            Status;
+  LIST_ENTRY            *Link;
+  PCI_DEVICE_INSTANCE   *CurrentPciDevice;
+
+  Status = PciIo->GetLocation (PciIo, &PciSegment, &PciBus, &PciDevice, &PciFunction);
+  ASSERT_EFI_ERROR(Status);
+
+  Link = GetFirstNode(PciDeviceList);
+  while (!IsNull(PciDeviceList, Link)) {
+    CurrentPciDevice = PCI_DEVICE_INSTANCE_FROM_LINK(Link);
+
+    if (CurrentPciDevice->PciSegment == PciSegment && CurrentPciDevice->PciBus == PciBus &&
+        CurrentPciDevice->PciDevice == PciDevice && CurrentPciDevice->PciFunction == PciFunction) {
+      DEBUG((DEBUG_INFO, "PCI device duplicated (Loc - %04x:%02x:%02x:%02x)\n", PciSegment, PciBus, PciDevice, PciFunction));
+      return TRUE;
+    }
+
+    Link = GetNextNode(PciDeviceList, Link);
+  }
+
+  return FALSE;
+}
+
+/*
+  return Offset of the PCI Cap ID.
+
+  @param PciIo            PciIo instance of the device
+  @param CapId            The Capability ID of the Pci device
+
+  @return The PCI Capability ID Offset
+*/
+UINT32
+GetPciCapId (
+  IN EFI_PCI_IO_PROTOCOL          *PciIo,
+  IN UINT8                        CapId
+  )
+{
+  EFI_PCI_CAPABILITY_HDR                    PciCapIdHdr;
+  UINT32                                    PciCapIdOffset;
+  EFI_STATUS                                Status;
+
+  PciCapIdHdr.CapabilityID = ~CapId;
+  Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint8, PCI_CAPBILITY_POINTER_OFFSET, 1, &PciCapIdHdr.NextItemPtr);
+  ASSERT_EFI_ERROR(Status);
+  if (PciCapIdHdr.NextItemPtr == 0 || PciCapIdHdr.NextItemPtr == 0xFF) {
+    return 0;
+  }
+  PciCapIdOffset = 0;
+  do {
+    if (PciCapIdHdr.CapabilityID == CapId) {
+      break;
+    }
+    PciCapIdOffset = PciCapIdHdr.NextItemPtr;
+    Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, PciCapIdOffset, 1, &PciCapIdHdr);
+    ASSERT_EFI_ERROR(Status);
+  } while (PciCapIdHdr.NextItemPtr != 0 && PciCapIdHdr.NextItemPtr != 0xFF);
+
+  if (PciCapIdHdr.CapabilityID == CapId) {
+    return PciCapIdOffset;
+  } else {
+    return 0;
+  }
+}
+
+/*
+  return Offset of the PCIe Ext Cap ID.
+
+  @param PciIo            PciIo instance of the device
+  @param CapId            The Ext Capability ID of the Pci device
+
+  @return The PCIe Ext Capability ID Offset
+*/
+UINT32
+GetPciExpressExtCapId (
+  IN EFI_PCI_IO_PROTOCOL          *PciIo,
+  IN UINT16                       CapId
+  )
+{
+  UINT32                                    PcieCapIdOffset;
+  PCI_EXPRESS_EXTENDED_CAPABILITIES_HEADER  PciExpressExtCapIdHdr;
+  EFI_STATUS                                Status;
+
+  PcieCapIdOffset = GetPciCapId (PciIo, EFI_PCI_CAPABILITY_ID_PCIEXP);
+  if (PcieCapIdOffset == 0) {
+    return 0;
+  }
+
+  PciExpressExtCapIdHdr.CapabilityId = ~CapId;
+  PciExpressExtCapIdHdr.CapabilityVersion = 0xF;
+  PciExpressExtCapIdHdr.NextCapabilityOffset = 0x100;
+  PcieCapIdOffset = 0;
+  do {
+    if (PciExpressExtCapIdHdr.CapabilityId == CapId) {
+      break;
+    }
+    PcieCapIdOffset = PciExpressExtCapIdHdr.NextCapabilityOffset;
+    Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint32, PcieCapIdOffset, 1, &PciExpressExtCapIdHdr);
+    ASSERT_EFI_ERROR(Status);
+  } while (PciExpressExtCapIdHdr.NextCapabilityOffset != 0 && PciExpressExtCapIdHdr.NextCapabilityOffset != 0xFFF);
+
+  if (PciExpressExtCapIdHdr.CapabilityId == CapId) {
+    return PcieCapIdOffset;
+  } else {
+    return 0;
+  }
+}
+
+/**
+  Read byte of the PCI device configuration space.
+
+  @param PciIo            PciIo instance of the device
+  @param Offset           The offset of the Pci device configuration space
+
+  @return Byte value of the PCI device configuration space.
+**/
+UINT8
+DvSecPciRead8 (
+  IN EFI_PCI_IO_PROTOCOL *PciIo,
+  IN UINT32              Offset
+  )
+{
+  EFI_STATUS  Status;
+  UINT8       Data;
+
+  Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint8, Offset, 1, &Data);
+  ASSERT_EFI_ERROR(Status);
+
+  return Data;
+}
+
+/**
+  Write byte of the PCI device configuration space.
+
+  @param PciIo            PciIo instance of the device
+  @param Offset           The offset of the Pci device configuration space
+  @param Data             Byte value of the PCI device configuration space.
+**/
+VOID
+DvSecPciWrite8 (
+  IN EFI_PCI_IO_PROTOCOL *PciIo,
+  IN UINT32              Offset,
+  IN UINT8               Data
+  )
+{
+  EFI_STATUS  Status;
+
+  Status = PciIo->Pci.Write (PciIo, EfiPciIoWidthUint8, Offset, 1, &Data);
+  ASSERT_EFI_ERROR(Status);
+}
+
+/**
+  Get the Digest size from the TCG hash Algorithm ID.
+
+  @param TcgAlgId            TCG hash Algorithm ID
+
+  @return Digest size of the TCG hash Algorithm ID
+**/
+UINTN
+DigestSizeFromTcgAlgId (
+  IN UINT16                                    TcgAlgId
+  )
+{
+  switch (TcgAlgId) {
+  case TPM_ALG_SHA256:
+    return SHA256_DIGEST_SIZE;
+  case TPM_ALG_SHA384:
+  case TPM_ALG_SHA512:
+  case TPM_ALG_SM3_256:
+  default:
+    break;
+  }
+  return 0;
+}
+
+/**
+  Convert the SPDM hash algo ID from the TCG hash Algorithm ID.
+
+  @param TcgAlgId            TCG hash Algorithm ID
+
+  @return SPDM hash algo ID
+**/
+UINT32
+TcgAlgIdToSpdmHashAlgo (
+  IN UINT16                                    TcgAlgId
+  )
+{
+  switch (TcgAlgId) {
+  case TPM_ALG_SHA256:
+    return SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA_256;
+  case TPM_ALG_SHA384:
+  case TPM_ALG_SHA512:
+  case TPM_ALG_SM3_256:
+  default:
+    break;
+  }
+  return 0;
+}
+
+/**
+  This function extend the PCI digest from the DvSec register.
+
+  @param[in]  PciIo                  The PciIo of the device.
+  @param[in]  DeviceSecurityPolicy   The Device Security Policy associated with the device.
+  @param[in]  TcgAlgId               TCG hash Algorithm ID
+  @param[in]  DigestSel              The digest selector
+  @param[in]  Digest                 The digest buffer
+  @param[out] DeviceSecurityState    The Device Security state associated with the device.
+**/
+VOID
+ExtendDigestRegister (
+  IN EFI_PCI_IO_PROTOCOL          *PciIo,
+  IN EDKII_DEVICE_SECURITY_POLICY *DeviceSecurityPolicy,
+  IN UINT16                       TcgAlgId,
+  IN UINT8                        DigestSel,
+  IN UINT8                        *Digest,
+  OUT EDKII_DEVICE_SECURITY_STATE *DeviceSecurityState
+  )
+{
+  UINT32                                                   PcrIndex;
+  UINT32                                                   EventType;
+  EDKII_DEVICE_SECURITY_PCI_EVENT_DATA                     EventLog;
+  EFI_STATUS                                               Status;
+  PCI_TYPE00                                               PciData;
+
+  Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint8, 0, sizeof(PciData), &PciData);
+  ASSERT_EFI_ERROR(Status);
+
+  PcrIndex = EDKII_DEVICE_MEASUREMENT_COMPONENT_PCR_INDEX;
+  EventType = EDKII_DEVICE_MEASUREMENT_COMPONENT_EVENT_TYPE;
+
+  CopyMem (EventLog.EventData.Signature, EDKII_DEVICE_SECURITY_EVENT_DATA_SIGNATURE, sizeof(EventLog.EventData.Signature));
+  EventLog.EventData.Version                  = EDKII_DEVICE_SECURITY_EVENT_DATA_VERSION;
+  EventLog.EventData.Length                   = sizeof(EDKII_DEVICE_SECURITY_PCI_EVENT_DATA);
+  EventLog.EventData.SpdmHashAlgo             = TcgAlgIdToSpdmHashAlgo (TcgAlgId);
+  EventLog.EventData.DeviceType               = EDKII_DEVICE_SECURITY_EVENT_DATA_DEVICE_TYPE_PCI;
+
+  EventLog.CommonHeader.Index                      = DigestSel;
+  EventLog.CommonHeader.MeasurementSpecification   = SPDM_MEASUREMENT_BLOCK_HEADER_SPECIFICATION_DMTF;
+  EventLog.CommonHeader.MeasurementSize            = sizeof(SPDM_MEASUREMENT_BLOCK_DMTF_HEADER) + SHA256_DIGEST_SIZE;
+  EventLog.DmtfHeader.DMTFSpecMeasurementValueType = SPDM_MEASUREMENT_BLOCK_MEASUREMENT_TYPE_MUTABLE_FIRMWARE;
+  EventLog.DmtfHeader.DMTFSpecMeasurementValueSize = SHA256_DIGEST_SIZE;
+  CopyMem (&EventLog.Digest, Digest, SHA256_DIGEST_SIZE);
+
+  EventLog.PciContext.Version           = EDKII_DEVICE_SECURITY_EVENT_DATA_PCI_CONTEXT_VERSION;
+  EventLog.PciContext.Length            = sizeof(EDKII_DEVICE_SECURITY_EVENT_DATA_PCI_CONTEXT);
+  EventLog.PciContext.VendorId          = PciData.Hdr.VendorId;
+  EventLog.PciContext.DeviceId          = PciData.Hdr.DeviceId;
+  EventLog.PciContext.RevisionID        = PciData.Hdr.RevisionID;
+  EventLog.PciContext.ClassCode[0]      = PciData.Hdr.ClassCode[0];
+  EventLog.PciContext.ClassCode[1]      = PciData.Hdr.ClassCode[1];
+  EventLog.PciContext.ClassCode[2]      = PciData.Hdr.ClassCode[2];
+  if ((PciData.Hdr.HeaderType & HEADER_LAYOUT_CODE) == HEADER_TYPE_DEVICE) {
+    EventLog.PciContext.SubsystemVendorID = PciData.Device.SubsystemVendorID;
+    EventLog.PciContext.SubsystemID       = PciData.Device.SubsystemID;
+  } else {
+    EventLog.PciContext.SubsystemVendorID = 0;
+    EventLog.PciContext.SubsystemID       = 0;
+  }
+
+  Status = TpmMeasureAndLogData (
+             PcrIndex,
+             EventType,
+             &EventLog,
+             EventLog.EventData.Length,
+             Digest,
+             SHA256_DIGEST_SIZE
+             );
+  DEBUG((DEBUG_INFO, "TpmMeasureAndLogData - %r\n", Status));
+  if (EFI_ERROR(Status)) {
+    DeviceSecurityState->MeasurementState = EDKII_DEVICE_SECURITY_STATE_ERROR_TCG_EXTEND_TPM_PCR;
+  } else {
+    RecordPciDeviceInList (PciIo, &mSecurityEventMeasurementDeviceList);
+  }
+}
+
+/**
+  This function reads the PCI digest from the DvSec register and extend to TPM.
+
+  @param[in]  PciIo                  The PciIo of the device.
+  @param[in]  DvSecOffset            The DvSec register offset of the device.
+  @param[in]  DeviceSecurityPolicy   The Device Security Policy associated with the device.
+  @param[out] DeviceSecurityState    The Device Security state associated with the device.
+**/
+VOID
+DoMeasurementsFromDigestRegister (
+  IN EFI_PCI_IO_PROTOCOL          *PciIo,
+  IN UINT32                       DvSecOffset,
+  IN EDKII_DEVICE_SECURITY_POLICY *DeviceSecurityPolicy,
+  OUT EDKII_DEVICE_SECURITY_STATE *DeviceSecurityState
+  )
+{
+  UINT8                                     Modified;
+  UINT8                                     Valid;
+  UINT16                                    TcgAlgId;
+  UINT8                                     NumDigest;
+  UINT8                                     DigestSel;
+  UINT8                                     Digest[SHA256_DIGEST_SIZE];
+  UINTN                                     DigestSize;
+  EFI_STATUS                                Status;
+
+  TcgAlgId = DvSecPciRead8 (
+               PciIo,
+               DvSecOffset + sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER) + OFFSET_OF(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, TcgAlgId)
+               );
+  DEBUG((DEBUG_INFO, "  TcgAlgId      - 0x%04x\n", TcgAlgId));
+  DigestSize = DigestSizeFromTcgAlgId (TcgAlgId);
+  if (DigestSize == 0) {
+    DEBUG((DEBUG_INFO, "Unsupported Algorithm - 0x%04x\n", TcgAlgId));
+    DeviceSecurityState->MeasurementState = EDKII_DEVICE_SECURITY_STATE_ERROR_PCI_NO_CAPABILITIES;
+    return ;
+  }
+  DEBUG((DEBUG_INFO, "  (DigestSize: 0x%x)\n", DigestSize));
+
+  DeviceSecurityState->MeasurementState = EDKII_DEVICE_SECURITY_STATE_SUCCESS;
+
+  NumDigest = DvSecPciRead8 (
+                PciIo,
+                DvSecOffset + sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER) + OFFSET_OF(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, FirmwareID)
+                );
+  DEBUG((DEBUG_INFO, "  NumDigest     - 0x%02x\n", NumDigest));
+
+  Valid = DvSecPciRead8 (
+            PciIo,
+            DvSecOffset + sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER) + OFFSET_OF(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, Valid)
+            );
+  DEBUG((DEBUG_INFO, "  Valid         - 0x%02x\n", Valid));
+
+  //
+  // Only 2 are supported as maximum.
+  // But hardware may report 3.
+  //
+  if (NumDigest > 2) {
+    NumDigest = 2;
+  }
+
+  for (DigestSel = 0; DigestSel < NumDigest; DigestSel++) {
+    DEBUG((DEBUG_INFO, "  DigestSel     - 0x%02x\n", DigestSel));
+    if ((DigestSel == 0) && ((Valid & INTEL_PCI_DIGEST_0_VALID) == 0)) {
+      continue;
+    }
+    if ((DigestSel == 1) && ((Valid & INTEL_PCI_DIGEST_1_VALID) == 0)) {
+      continue;
+    }
+    while (TRUE) {
+      //
+      // Host MUST clear DIGEST_MODIFIED before read DIGEST.
+      //
+      DvSecPciWrite8 (
+        PciIo,
+        DvSecOffset + sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER) + OFFSET_OF(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, Modified),
+        INTEL_PCI_DIGEST_MODIFIED
+        );
+
+      Status = PciIo->Pci.Read (
+                            PciIo,
+                            EfiPciIoWidthUint8,
+                            (UINT32)(DvSecOffset + sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER) + sizeof(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE) + DigestSize * DigestSel),
+                            DigestSize,
+                            Digest
+                            );
+      ASSERT_EFI_ERROR(Status);
+
+      //
+      // After read DIGEST, Host MUST consult DIGEST_MODIFIED.
+      //
+      Modified = DvSecPciRead8 (
+                   PciIo,
+                   DvSecOffset + sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER) + OFFSET_OF(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, Modified)
+                   );
+      if ((Modified & INTEL_PCI_DIGEST_MODIFIED) == 0) {
+        break;
+      }
+    }
+
+    //
+    // Dump Digest
+    //
+    {
+      UINTN  Index;
+      DEBUG((DEBUG_INFO, "  Digest        - "));
+      for (Index = 0; Index < DigestSize; Index++) {
+        DEBUG((DEBUG_INFO, "%02x", *(Digest + Index)));
+      }
+      DEBUG((DEBUG_INFO, "\n"));
+    }
+
+    DEBUG((DEBUG_INFO, "ExtendDigestRegister...\n", ExtendDigestRegister));
+    ExtendDigestRegister (PciIo, DeviceSecurityPolicy, TcgAlgId, DigestSel, Digest, DeviceSecurityState);
+  }
+}
+
+/**
+  The device driver uses this service to measure a PCI device.
+
+  @param[in]  PciIo                  The PciIo of the device.
+  @param[in]  DeviceSecurityPolicy   The Device Security Policy associated with the device.
+  @param[out] DeviceSecurityState    The Device Security state associated with the device.
+**/
+VOID
+DoDeviceMeasurement (
+  IN EFI_PCI_IO_PROTOCOL          *PciIo,
+  IN EDKII_DEVICE_SECURITY_POLICY *DeviceSecurityPolicy,
+  OUT EDKII_DEVICE_SECURITY_STATE *DeviceSecurityState
+  )
+{
+  UINT32                                    DvSecOffset;
+  INTEL_PCI_DIGEST_CAPABILITY_HEADER        DvSecHdr;
+  EFI_STATUS                                Status;
+
+  if (IsPciDeviceInList (PciIo, &mSecurityEventMeasurementDeviceList)) {
+    DeviceSecurityState->MeasurementState = EDKII_DEVICE_SECURITY_STATE_SUCCESS;
+    return ;
+  }
+
+  DvSecOffset = GetPciExpressExtCapId (PciIo, INTEL_PCI_CAPID_DVSEC);
+  DEBUG((DEBUG_INFO, "DvSec Capability - 0x%x\n", DvSecOffset));
+  if (DvSecOffset == 0) {
+    DeviceSecurityState->MeasurementState = EDKII_DEVICE_SECURITY_STATE_ERROR_PCI_NO_CAPABILITIES;
+    return ;
+  }
+  Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, DvSecOffset, sizeof(DvSecHdr)/sizeof(UINT16), &DvSecHdr);
+  ASSERT_EFI_ERROR(Status);
+  DEBUG((DEBUG_INFO, "  CapId         - 0x%04x\n", DvSecHdr.CapId));
+  DEBUG((DEBUG_INFO, "  CapVersion    - 0x%01x\n", DvSecHdr.CapVersion));
+  DEBUG((DEBUG_INFO, "  NextOffset    - 0x%03x\n", DvSecHdr.NextOffset));
+  DEBUG((DEBUG_INFO, "  DvSecVendorId - 0x%04x\n", DvSecHdr.DvSecVendorId));
+  DEBUG((DEBUG_INFO, "  DvSecRevision - 0x%01x\n", DvSecHdr.DvSecRevision));
+  DEBUG((DEBUG_INFO, "  DvSecLength   - 0x%03x\n", DvSecHdr.DvSecLength));
+  DEBUG((DEBUG_INFO, "  DvSecId       - 0x%04x\n", DvSecHdr.DvSecId));
+  if ((DvSecHdr.DvSecVendorId != INTEL_PCI_DVSEC_VENDORID_INTEL) &&
+      (DvSecHdr.DvSecId != INTEL_PCI_DVSEC_DVSECID_MEASUREMENT)) {
+    DeviceSecurityState->MeasurementState = EDKII_DEVICE_SECURITY_STATE_ERROR_PCI_NO_CAPABILITIES;
+    return ;
+  }
+
+  DoMeasurementsFromDigestRegister (PciIo, DvSecOffset, DeviceSecurityPolicy, DeviceSecurityState);
+}
+
+/**
+  The device driver uses this service to verify a PCI device.
+
+  @param[in]  PciIo                  The PciIo of the device.
+  @param[in]  DeviceSecurityPolicy   The Device Security Policy associated with the device.
+  @param[out] DeviceSecurityState    The Device Security state associated with the device.
+**/
+VOID
+DoDeviceAuthentication (
+  IN EFI_PCI_IO_PROTOCOL          *PciIo,
+  IN EDKII_DEVICE_SECURITY_POLICY *DeviceSecurityPolicy,
+  OUT EDKII_DEVICE_SECURITY_STATE *DeviceSecurityState
+  )
+{
+  DeviceSecurityState->AuthenticationState = EDKII_DEVICE_SECURITY_STATE_ERROR_UEFI_UNSUPPORTED;
+}
+
+/**
+  The device driver uses this service to measure and/or verify a device.
+
+  The flow in device driver is:
+  1) Device driver discovers a new device.
+  2) Device driver creates an EFI_DEVICE_PATH_PROTOCOL.
+  3) Device driver creates a device access protocol. e.g.
+     EFI_PCI_IO_PROTOCOL for PCI device.
+     EFI_USB_IO_PROTOCOL for USB device.
+     EFI_EXT_SCSI_PASS_THRU_PROTOCOL for SCSI device.
+     EFI_ATA_PASS_THRU_PROTOCOL for ATA device.
+     EFI_NVM_EXPRESS_PASS_THRU_PROTOCOL for NVMe device.
+     EFI_SD_MMC_PASS_THRU_PROTOCOL for SD/MMC device.
+  4) Device driver installs the EFI_DEVICE_PATH_PROTOCOL with EFI_DEVICE_PATH_PROTOCOL_GUID,
+     and the device access protocol with EDKII_DEVICE_IDENTIFIER_TYPE_xxx_GUID.
+     Once it is done, a DeviceHandle is returned.
+  5) Device driver creates EDKII_DEVICE_IDENTIFIER with EDKII_DEVICE_IDENTIFIER_TYPE_xxx_GUID
+     and the DeviceHandle.
+  6) Device driver calls DeviceAuthenticate().
+  7) If DeviceAuthenticate() returns EFI_SECURITY_VIOLATION, the device driver uninstalls
+     all protocols on this handle.
+  8) If DeviceAuthenticate() returns EFI_SUCCESS, the device driver installs the device access
+     protocol with a real protocol GUID. e.g.
+     EFI_PCI_IO_PROTOCOL with EFI_PCI_IO_PROTOCOL_GUID.
+     EFI_USB_IO_PROTOCOL with EFI_USB_IO_PROTOCOL_GUID.
+
+  @param[in]  This              The protocol instance pointer.
+  @param[in]  DeviceId          The Identifier for the device.
+
+  @retval EFI_SUCCESS              The device specified by the DeviceId passed the measurement
+                                   and/or authentication based upon the platform policy.
+                                   If TCG measurement is required, the measurement is extended to TPM PCR.
+  @retval EFI_SECURITY_VIOLATION   The device fails to return the measurement data.
+  @retval EFI_SECURITY_VIOLATION   The device fails to response the authentication request.
+  @retval EFI_SECURITY_VIOLATION   The system fails to verify the device based upon the authentication response.
+  @retval EFI_SECURITY_VIOLATION   The system fails to extend the measurement to TPM PCR.
+**/
+EFI_STATUS
+EFIAPI
+DeviceAuthentication (
+  IN EDKII_DEVICE_SECURITY_PROTOCOL  *This,
+  IN EDKII_DEVICE_IDENTIFIER         *DeviceId
+  )
+{
+  EDKII_DEVICE_SECURITY_POLICY           DeviceSecurityPolicy;
+  EDKII_DEVICE_SECURITY_STATE            DeviceSecurityState;
+  EFI_PCI_IO_PROTOCOL                    *PciIo;
+  EFI_STATUS                             Status;
+
+  if (mDeviceSecurityPolicy == NULL) {
+    return EFI_SUCCESS;
+  }
+
+  if (!CompareGuid (&DeviceId->DeviceType, &gEdkiiDeviceIdentifierTypePciGuid)) {
+    return EFI_SUCCESS;
+  }
+
+  Status = gBS->HandleProtocol (
+                  DeviceId->DeviceHandle,
+                  &gEdkiiDeviceIdentifierTypePciGuid,
+                  (VOID **)&PciIo
+                  );
+  if (EFI_ERROR(Status)) {
+    DEBUG ((DEBUG_ERROR, "Locate - DeviceIdentifierTypePci - %r\n", Status));
+    return EFI_SUCCESS;
+  }
+
+  DeviceSecurityState.Version = EDKII_DEVICE_SECURITY_STATE_REVISION;
+  DeviceSecurityState.MeasurementState = 0x0;
+  DeviceSecurityState.AuthenticationState = 0x0;
+
+  Status = mDeviceSecurityPolicy->GetDevicePolicy (mDeviceSecurityPolicy, DeviceId, &DeviceSecurityPolicy);
+  if (EFI_ERROR(Status)) {
+    DEBUG((DEBUG_ERROR, "mDeviceSecurityPolicy->GetDevicePolicy - %r\n", Status));
+    DeviceSecurityState.MeasurementState = EDKII_DEVICE_SECURITY_STATE_ERROR_UEFI_GET_POLICY_PROTOCOL;
+    DeviceSecurityState.AuthenticationState = EDKII_DEVICE_SECURITY_STATE_ERROR_UEFI_GET_POLICY_PROTOCOL;
+  } else {
+    if ((DeviceSecurityPolicy.MeasurementPolicy & EDKII_DEVICE_MEASUREMENT_REQUIRED) != 0) {
+      DoDeviceMeasurement (PciIo, &DeviceSecurityPolicy, &DeviceSecurityState);
+      DEBUG((DEBUG_ERROR, "MeasurementState - 0x%08x\n", DeviceSecurityState.MeasurementState));
+    }
+    if ((DeviceSecurityPolicy.AuthenticationPolicy & EDKII_DEVICE_AUTHENTICATION_REQUIRED) != 0) {
+      DoDeviceAuthentication (PciIo, &DeviceSecurityPolicy, &DeviceSecurityState);
+      DEBUG((DEBUG_ERROR, "AuthenticationState - 0x%08x\n", DeviceSecurityState.AuthenticationState));
+    }
+  }
+
+  Status = mDeviceSecurityPolicy->NotifyDeviceState (mDeviceSecurityPolicy, DeviceId, &DeviceSecurityState);
+  if (EFI_ERROR(Status)) {
+    DEBUG((DEBUG_ERROR, "mDeviceSecurityPolicy->NotifyDeviceState - %r\n", Status));
+  }
+
+  if ((DeviceSecurityState.MeasurementState == 0) &&
+      (DeviceSecurityState.AuthenticationState == 0)) {
+    return EFI_SUCCESS;
+  } else {
+    return EFI_SECURITY_VIOLATION;
+  }
+}
+
+EDKII_DEVICE_SECURITY_PROTOCOL mDeviceSecurity = {
+  EDKII_DEVICE_SECURITY_PROTOCOL_REVISION,
+  DeviceAuthentication
+};
+
+/**
+  Entrypoint of the device security driver.
+
+  @param[in]  ImageHandle  ImageHandle of the loaded driver
+  @param[in]  SystemTable  Pointer to the System Table
+
+  @retval  EFI_SUCCESS           The Protocol is installed.
+  @retval  EFI_OUT_OF_RESOURCES  Not enough resources available to initialize driver.
+  @retval  EFI_DEVICE_ERROR      A device error occurred attempting to initialize the driver.
+
+**/
+EFI_STATUS
+EFIAPI
+MainEntryPoint (
+  IN EFI_HANDLE        ImageHandle,
+  IN EFI_SYSTEM_TABLE  *SystemTable
+  )
+{
+  EFI_HANDLE  Handle;
+  EFI_STATUS  Status;
+
+  Status = gBS->LocateProtocol (&gEdkiiDeviceSecurityPolicyProtocolGuid, NULL, (VOID **)&mDeviceSecurityPolicy);
+  ASSERT_EFI_ERROR(Status);
+
+  Handle = NULL;
+  Status = gBS->InstallProtocolInterface (
+                  &Handle,
+                  &gEdkiiDeviceSecurityProtocolGuid,
+                  EFI_NATIVE_INTERFACE,
+                  (VOID **)&mDeviceSecurity
+                  );
+  ASSERT_EFI_ERROR(Status);
+
+  return Status;
+}
diff --git a/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/IntelPciDeviceSecurityDxe.inf b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/IntelPciDeviceSecurityDxe.inf
new file mode 100644
index 0000000000..89a4c8fadd
--- /dev/null
+++ b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/IntelPciDeviceSecurityDxe.inf
@@ -0,0 +1,45 @@
+## @file
+#  EDKII Device Security library for PCI device
+#
+# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = IntelPciDeviceSecurityDxe
+  FILE_GUID                      = D9569195-ED94-47D2-9523-38BF2D201371
+  MODULE_TYPE                    = DXE_DRIVER
+  VERSION_STRING                 = 1.0
+  ENTRY_POINT                    = MainEntryPoint
+
+[Sources]
+  IntelPciDeviceSecurityDxe.c
+  TcgDeviceEvent.h
+
+[Packages]
+  MdePkg/MdePkg.dec
+  MdeModulePkg/MdeModulePkg.dec
+  IntelSiliconPkg/IntelSiliconPkg.dec
+
+[LibraryClasses]
+  UefiRuntimeServicesTableLib
+  UefiBootServicesTableLib
+  UefiDriverEntryPoint
+  MemoryAllocationLib
+  DevicePathLib
+  BaseMemoryLib
+  PrintLib
+  DebugLib
+  UefiLib
+  PcdLib
+  TpmMeasurementLib
+
+[Protocols]
+  gEdkiiDeviceSecurityPolicyProtocolGuid  ## CONSUMES
+  gEdkiiDeviceSecurityProtocolGuid        ## PRODUCES
+  gEdkiiDeviceIdentifierTypePciGuid       ## COMSUMES
+
+[Depex]
+  gEdkiiDeviceSecurityPolicyProtocolGuid
diff --git a/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/TcgDeviceEvent.h b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/TcgDeviceEvent.h
new file mode 100644
index 0000000000..5b642b3ecc
--- /dev/null
+++ b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/TcgDeviceEvent.h
@@ -0,0 +1,178 @@
+/** @file
+  TCG Device Event data structure
+Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+
+#ifndef __TCG_EVENT_DATA_H__
+#define __TCG_EVENT_DATA_H__
+
+#include <IndustryStandard/Spdm.h>
+
+#pragma pack(1)
+
+// -------------------------------------------
+// TCG Measurement for SPDM Device Measurement
+// -------------------------------------------
+
+//
+// Device Firmware Component (including immutable ROM or mutable firmware)
+//
+#define EDKII_DEVICE_MEASUREMENT_COMPONENT_PCR_INDEX        2
+#define EDKII_DEVICE_MEASUREMENT_COMPONENT_EVENT_TYPE       0x800000E1
+//
+// Device Firmware Configuration (including hardware configuration or firmware configuration)
+//
+#define EDKII_DEVICE_MEASUREMENT_CONFIGURATION_PCR_INDEX    4
+#define EDKII_DEVICE_MEASUREMENT_CONFIGURATION_EVENT_TYPE   0x800000E2
+
+//
+// Device Firmware Measurement Measurement Data
+// The measurement data is the device firmware measurement.
+//
+// In order to support crypto agile, the firmware will hash the DeviceMeasurement again.
+// As such the device measurement algo might be different with host firmware measurement algo.
+//
+
+//
+// Device Firmware Measurement Event Data
+//
+#define EDKII_DEVICE_SECURITY_EVENT_DATA_SIGNATURE "SPDM Device Sec\0"
+#define EDKII_DEVICE_SECURITY_EVENT_DATA_VERSION  0
+
+//
+// Device Type
+// 0x03 ~ 0xDF reserved by TCG.
+// 0xE0 ~ 0xFF reserved by OEM.
+//
+#define EDKII_DEVICE_SECURITY_EVENT_DATA_DEVICE_TYPE_NULL  0
+#define EDKII_DEVICE_SECURITY_EVENT_DATA_DEVICE_TYPE_PCI   1
+#define EDKII_DEVICE_SECURITY_EVENT_DATA_DEVICE_TYPE_USB   2
+
+//
+// Device Firmware Measurement Event Data Common Part
+// The device specific part should follow this data structure.
+//
+typedef struct {
+  //
+  // It must be EDKII_DEVICE_SECURITY_EVENT_DATA_SIGNATURE.
+  //
+  UINT8                          Signature[16];
+  //
+  // It must be EDKII_DEVICE_SECURITY_EVENT_DATA_VERSION.
+  //
+  UINT16                         Version;
+  //
+  // The length of whole data structure, including Device Context.
+  //
+  UINT16                         Length;
+  //
+  // The SpdmHashAlgo
+  //
+  UINT32                         SpdmHashAlgo;
+  //
+  // The type of device. This field is to determine the Device Context followed by.
+  //
+  UINT32                         DeviceType;
+  //
+  // The SPDM measurement block.
+  //
+//SPDM_MEASUREMENT_BLOCK         SpdmMeasurementBlock;
+} EDKII_DEVICE_SECURITY_EVENT_DATA_HEADER;
+
+//
+// PCI device specific context
+//
+#define EDKII_DEVICE_SECURITY_EVENT_DATA_PCI_CONTEXT_VERSION  0
+typedef struct {
+  UINT16  Version;
+  UINT16  Length;
+  UINT16  VendorId;
+  UINT16  DeviceId;
+  UINT8   RevisionID;
+  UINT8   ClassCode[3];
+  UINT16  SubsystemVendorID;
+  UINT16  SubsystemID;
+} EDKII_DEVICE_SECURITY_EVENT_DATA_PCI_CONTEXT;
+
+//
+// USB device specific context
+//
+#define EDKII_DEVICE_SECURITY_EVENT_DATA_USB_CONTEXT_VERSION  0
+typedef struct {
+  UINT16  Version;
+  UINT16  Length;
+//UINT8   DeviceDescriptor[DescLen];
+//UINT8   BodDescriptor[DescLen];
+//UINT8   ConfigurationDescriptor[DescLen][NumOfConfiguration];
+} EDKII_DEVICE_SECURITY_EVENT_DATA_USB_CONTEXT;
+
+// ----------------------------------------------
+// TCG Measurement for SPDM Device Authentication
+// ----------------------------------------------
+
+//
+// Device Root cert is stored into a UEFI authenticated variable.
+// It is non-volatile, boot service, runtime service, and time based authenticated variable.
+// The "devdb" includes a list of allowed device root cert.
+// The "devdbx" includes a list of forbidden device root cert.
+// The usage of "devdb" and "devdbx" is same as "db" and "dbx" in UEFI secure boot.
+//
+// NOTE: We choose not to mix "db"/"dbx" for better management purpose.
+//
+
+#define EDKII_DEVICE_ROOT_CERT_VARAIBLE_NAME    L"devdb"
+#define EDKII_DEVICE_ROOT_CERT_VARAIBLE2_NAME   L"devdbx"
+
+#define EDKII_DEVICE_SIGNATURE_DATABASE_GUID \
+  {0xb9c2b4f4, 0xbf5f, 0x462d, 0x8a, 0xdf, 0xc5, 0xc7, 0xa, 0xc3, 0x5d, 0xad}
+
+//
+// Platform Firmware adhering to the policy MUST therefore measure the following values into PCR[7]:
+// 1. The content of the EDKII_DEVICE_SIGNATURE_DATABASE_GUID/EDKII_DEVICE_ROOT_CERT_VARAIBLE_NAME variable.
+// 2. The content of the EDKII_DEVICE_SIGNATURE_DATABASE_GUID/EDKII_DEVICE_ROOT_CERT_VARAIBLE2_NAME variable.
+// 3. Entries in the EDKII_DEVICE_SIGNATURE_DATABASE_GUID/EDKII_DEVICE_ROOT_CERT_VARAIBLE_NAME variable to
+//    authenticate the device.
+//
+// For all UEFI variable value events, the eventType SHALL be EV_EFI_VARIABLE_DRIVER_CONFIG and the Event
+// value SHALL be the value of the UEFI_VARIABLE_DATA structure (this structure SHALL be considered byte-aligned).
+// The measurement digest MUST be tagged Hash for each supported PCR bank of the event data which is the
+// UEFI_VARIABLE_DATA structure. The UEFI_VARIABLE_DATA.UnicodeNameLength value is the number of CHAR16
+// characters (not the number of bytes). The UEFI_VARIABLE_DATA.UnicodeName contents MUST NOT include a NUL.
+// If reading a UEFI variable returns UEFI_NOT_FOUND, the UEFI_VARIABLE_DATA.VariableDataLength field MUST
+// be set to zero and UEFI_VARIABLE_DATA.VariableData field will have a size of zero.
+//
+
+//
+// Entities that MUST be measured if the TPM is enabled:
+// 1. Before executing any code not cryptographically authenticated as being provided by the Platform Manufacturer,
+//    the Platform Manufacturer firmware MUST measure the following values, in the order listed using the
+//    EV_EFI_VARIABLE_DRIVER_CONFIG event type to PCR[7]:
+//    a) The content of the EDKII_DEVICE_SIGNATURE_DATABASE_GUID/ EDKII_DEVICE_ROOT_CERT_VARAIBLE_NAME variable.
+//    b) The content of the EDKII_DEVICE_SIGNATURE_DATABASE_GUID/ EDKII_DEVICE_ROOT_CERT_VARAIBLE2_NAME variable.
+// 2. If the platform supports changing any of the following UEFI policy variables after they are initially measured
+//    in PCR[7] and before ExitBootServices() has completed, the platform MAY be restarted OR the variables MUST be
+//    remeasured into PCR[7]. Additionally the normal update process for setting any of the UEFI variables below SHOULD
+//    occur before the initial measurement in PCR[7] or after the call to ExitBootServices() has completed.
+//    a) The content of the EDKII_DEVICE_SIGNATURE_DATABASE_GUID/ EDKII_DEVICE_ROOT_CERT_VARAIBLE_NAME variable.
+//    b) The content of the EDKII_DEVICE_SIGNATURE_DATABASE_GUID/ EDKII_DEVICE_ROOT_CERT_VARAIBLE2_NAME variable.
+// 3. The system SHALL measure the EV_SEPARATOR event in PCR[7]. (This occurs at the same time the separator is
+//    measured to PCR[0-7].)
+//    Before setting up a device, the UEFI firmware SHALL determine if the entry in the
+//    EDKII_DEVICE_SIGNATURE_DATABASE_GUID/ EDKII_DEVICE_ROOT_CERT_VARAIBLE_NAME variable that was used to validate
+//    the device has previously been measured in PCR[7]. If it has not been, it MUST be measured into PCR[7] as follows.
+//    If it has been measured previously, it MUST NOT be measured again. The measurement SHALL occur in conjunction
+//    with device setup.
+//    a) The eventType SHALL be EV_EFI_VARIABLE_AUTHORITY.
+//    b) The event value SHALL be the value of the UEFI_VARIABLE_DATA structure.
+//       i.   The UEFI_VARIABLE_DATA.VariableData value SHALL be the UEFI_SIGNATURE_DATA value from the
+//            UEFI_SIGNATURE_LIST that contained the authority that was used to validate the image.
+//       ii.  The UEFI_VARIABLE_DATA.VariableName SHALL be set to UEFI_IMAGE_SECURITY_DATABASE_GUID.
+//       iii. The UEFI_VARIABLE_DATA.UnicodeName SHALL be set to the value of UEFI_IMAGE_SECURITY_DATABASE.
+//            The value MUST NOT include the terminating NUL.
+//
+
+#pragma pack()
+
+#endif
-- 
2.19.2.windows.1

[PATCH V3 5/6] IntelSiliconPkg/SamplePlatformDevicePolicyDxe: Add sample policy.

[Yao, Jiewen]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303

This driver provides the platform sample policy to measure
a NVMe card.

Cc: Ray Ni <ray.ni@intel.com>
Cc: Rangasai V Chaganty <rangasai.v.chaganty@intel.com>
Cc: Yun Lou <yun.lou@intel.com>
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
---
 .../SamplePlatformDevicePolicyDxe.c           | 204 ++++++++++++++++++
 .../SamplePlatformDevicePolicyDxe.inf         |  40 ++++
 2 files changed, 244 insertions(+)
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/SamplePlatformDevicePolicyDxe.c
 create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/SamplePlatformDevicePolicyDxe.inf

diff --git a/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/SamplePlatformDevicePolicyDxe.c b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/SamplePlatformDevicePolicyDxe.c
new file mode 100644
index 0000000000..5b0897d6af
--- /dev/null
+++ b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/SamplePlatformDevicePolicyDxe.c
@@ -0,0 +1,204 @@
+/** @file
+  EDKII Device Security library for PCI device
+
+Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Uefi.h>
+#include <IndustryStandard/Spdm.h>
+#include <IndustryStandard/Pci.h>
+#include <Protocol/PciIo.h>
+#include <Protocol/DeviceSecurity.h>
+#include <Protocol/PlatformDeviceSecurityPolicy.h>
+#include <Library/DebugLib.h>
+#include <Library/BaseMemoryLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+#include <Library/MemoryAllocationLib.h>
+
+EDKII_DEVICE_SECURITY_POLICY           mDeviceSecurityPolicyNone = {
+  EDKII_DEVICE_SECURITY_POLICY_REVISION,
+  0,
+  0,
+};
+EDKII_DEVICE_SECURITY_POLICY           mDeviceSecurityPolicyMeasurement = {
+  EDKII_DEVICE_SECURITY_POLICY_REVISION,
+  EDKII_DEVICE_MEASUREMENT_REQUIRED,
+  0,
+};
+
+/**
+  This function returns the device security policy associated with the device.
+
+  The device security driver may call this interface to get the platform policy
+  for the specific device and determine if the measurement or authentication
+  is required.
+
+  @param[in]  This                   The protocol instance pointer.
+  @param[in]  DeviceId               The Identifier for the device.
+  @param[out] DeviceSecurityPolicy   The Device Security Policy associated with the device.
+
+  @retval EFI_SUCCESS                The device security policy is returned
+  @retval EFI_UNSUPPORTED            The function is unsupported for the specific Device.
+**/
+EFI_STATUS
+EFIAPI
+GetDevicePolicy (
+  IN  EDKII_DEVICE_SECURITY_POLICY_PROTOCOL  *This,
+  IN  EDKII_DEVICE_IDENTIFIER                *DeviceId,
+  OUT EDKII_DEVICE_SECURITY_POLICY           *DeviceSecurityPolicy
+  )
+{
+  EFI_STATUS                  Status;
+  EFI_PCI_IO_PROTOCOL         *PciIo;
+  UINT16                      PciVendorId;
+  UINT16                      PciDeviceId;
+
+  CopyMem (DeviceSecurityPolicy, &mDeviceSecurityPolicyNone, sizeof(EDKII_DEVICE_SECURITY_POLICY));
+
+  DEBUG ((DEBUG_INFO, "GetDevicePolicy - 0x%g\n", &DeviceId->DeviceType));
+
+  if (!CompareGuid (&DeviceId->DeviceType, &gEdkiiDeviceIdentifierTypePciGuid)) {
+    return EFI_SUCCESS;
+  }
+
+  Status = gBS->HandleProtocol (
+                  DeviceId->DeviceHandle,
+                  &gEdkiiDeviceIdentifierTypePciGuid,
+                  (VOID **)&PciIo
+                  );
+  if (EFI_ERROR(Status)) {
+    DEBUG ((DEBUG_ERROR, "Locate - DeviceIdentifierTypePci - %r\n", Status));
+    return EFI_SUCCESS;
+  }
+
+  Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, PCI_VENDOR_ID_OFFSET, 1, &PciVendorId);
+  ASSERT_EFI_ERROR(Status);
+  Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, PCI_DEVICE_ID_OFFSET, 1, &PciDeviceId);
+  ASSERT_EFI_ERROR(Status);
+  DEBUG ((DEBUG_INFO, "PCI Info - %04x:%04x\n", PciVendorId, PciDeviceId));
+
+  if ((PciVendorId == 0x8086) && (PciDeviceId == 0x0B60)) {
+    CopyMem (DeviceSecurityPolicy, &mDeviceSecurityPolicyMeasurement, sizeof(EDKII_DEVICE_SECURITY_POLICY));
+  }
+
+  return EFI_SUCCESS;
+}
+
+/**
+  This function sets the device state based upon the authentication result.
+
+  The device security driver may call this interface to give the platform
+  a notify based upon the measurement or authentication result.
+  If the authentication or measurement fails, the platform may choose:
+  1) Do nothing.
+  2) Disable this device or slot temporarily and continue boot.
+  3) Reset the platform and retry again.
+  4) Disable this device or slot permanently.
+  5) Any other platform specific action.
+
+  @param[in]  This                   The protocol instance pointer.
+  @param[in]  DeviceId               The Identifier for the device.
+  @param[in]  DeviceSecurityState    The Device Security state associated with the device.
+
+  @retval EFI_SUCCESS                The device state is set
+  @retval EFI_UNSUPPORTED            The function is unsupported for the specific Device.
+**/
+EFI_STATUS
+EFIAPI
+NotifyDeviceState (
+  IN  EDKII_DEVICE_SECURITY_POLICY_PROTOCOL  *This,
+  IN  EDKII_DEVICE_IDENTIFIER                *DeviceId,
+  IN  EDKII_DEVICE_SECURITY_STATE            *DeviceSecurityState
+  )
+{
+  EFI_STATUS                  Status;
+  EFI_PCI_IO_PROTOCOL         *PciIo;
+  UINT16                      PciVendorId;
+  UINT16                      PciDeviceId;
+  UINTN                       Segment;
+  UINTN                       Bus;
+  UINTN                       Device;
+  UINTN                       Function;
+
+  DEBUG ((DEBUG_INFO, "NotifyDeviceState - 0x%g\n", &DeviceId->DeviceType));
+
+  if (!CompareGuid (&DeviceId->DeviceType, &gEdkiiDeviceIdentifierTypePciGuid)) {
+    return EFI_SUCCESS;
+  }
+
+  Status = gBS->HandleProtocol (
+                  DeviceId->DeviceHandle,
+                  &gEdkiiDeviceIdentifierTypePciGuid,
+                  (VOID **)&PciIo
+                  );
+  if (EFI_ERROR(Status)) {
+    DEBUG ((DEBUG_ERROR, "Locate - DeviceIdentifierTypePci - %r\n", Status));
+    return EFI_SUCCESS;
+  }
+
+  Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, PCI_VENDOR_ID_OFFSET, 1, &PciVendorId);
+  ASSERT_EFI_ERROR(Status);
+  Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, PCI_DEVICE_ID_OFFSET, 1, &PciDeviceId);
+  ASSERT_EFI_ERROR(Status);
+  DEBUG ((DEBUG_INFO, "PCI Info - %04x:%04x\n", PciVendorId, PciDeviceId));
+
+  Status = PciIo->GetLocation (
+                    PciIo,
+                    &Segment,
+                    &Bus,
+                    &Device,
+                    &Function
+                    );
+  if (!EFI_ERROR(Status)) {
+    DEBUG ((DEBUG_INFO, "PCI Loc - %04x:%02x:%02x:%02x\n",
+      Segment, Bus, Device, Function));
+  }
+
+  DEBUG ((DEBUG_INFO, "State - Measurement - 0x%08x, Authentication - 0x%08x\n",
+    DeviceSecurityState->MeasurementState,
+    DeviceSecurityState->AuthenticationState
+    ));
+
+  return EFI_SUCCESS;
+}
+
+EDKII_DEVICE_SECURITY_POLICY_PROTOCOL  mDeviceSecurityPolicy = {
+  EDKII_DEVICE_SECURITY_POLICY_PROTOCOL_REVISION,
+  GetDevicePolicy,
+  NotifyDeviceState,
+};
+
+/**
+  Entrypoint of the device security driver.
+
+  @param[in]  ImageHandle  ImageHandle of the loaded driver
+  @param[in]  SystemTable  Pointer to the System Table
+
+  @retval  EFI_SUCCESS           The Protocol is installed.
+  @retval  EFI_OUT_OF_RESOURCES  Not enough resources available to initialize driver.
+  @retval  EFI_DEVICE_ERROR      A device error occurred attempting to initialize the driver.
+
+**/
+EFI_STATUS
+EFIAPI
+MainEntryPoint (
+  IN EFI_HANDLE        ImageHandle,
+  IN EFI_SYSTEM_TABLE  *SystemTable
+  )
+{
+  EFI_HANDLE  Handle;
+  EFI_STATUS  Status;
+
+  Handle = NULL;
+  Status = gBS->InstallProtocolInterface (
+                  &Handle,
+                  &gEdkiiDeviceSecurityPolicyProtocolGuid,
+                  EFI_NATIVE_INTERFACE,
+                  &mDeviceSecurityPolicy
+                  );
+  ASSERT_EFI_ERROR(Status);
+
+  return Status;
+}
diff --git a/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/SamplePlatformDevicePolicyDxe.inf b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/SamplePlatformDevicePolicyDxe.inf
new file mode 100644
index 0000000000..a9b77d8371
--- /dev/null
+++ b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/SamplePlatformDevicePolicyDxe.inf
@@ -0,0 +1,40 @@
+## @file
+#  EDKII Device Security library for PCI device
+#
+# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+  INF_VERSION                    = 0x00010005
+  BASE_NAME                      = SamplePlatformDevicePolicyDxe
+  FILE_GUID                      = 7EA7AACF-7ED3-4166-8271-B21156523620
+  MODULE_TYPE                    = DXE_DRIVER
+  VERSION_STRING                 = 1.0
+  ENTRY_POINT                    = MainEntryPoint
+
+[Sources]
+  SamplePlatformDevicePolicyDxe.c
+
+[Packages]
+  MdePkg/MdePkg.dec
+  MdeModulePkg/MdeModulePkg.dec
+  IntelSiliconPkg/IntelSiliconPkg.dec
+
+[LibraryClasses]
+  UefiRuntimeServicesTableLib
+  UefiBootServicesTableLib
+  UefiDriverEntryPoint
+  MemoryAllocationLib
+  DevicePathLib
+  BaseMemoryLib
+  PrintLib
+  DebugLib
+
+[Protocols]
+  gEdkiiDeviceSecurityPolicyProtocolGuid  ## PRODUCES
+  gEdkiiDeviceIdentifierTypePciGuid       ## COMSUMES
+
+[Depex]
+  TRUE
-- 
2.19.2.windows.1

[PATCH V3 6/6] IntelSiliconPkg/dsc: Add Device Security component.

[Yao, Jiewen]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303

Cc: Ray Ni <ray.ni@intel.com>
Cc: Rangasai V Chaganty <rangasai.v.chaganty@intel.com>
Cc: Yun Lou <yun.lou@intel.com>
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
---
 Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dsc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dsc b/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dsc
index df8984a606..0a6509d8b3 100644
--- a/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dsc
+++ b/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dsc
@@ -35,6 +35,7 @@
   CacheMaintenanceLib|MdePkg/Library/BaseCacheMaintenanceLib/BaseCacheMaintenanceLib.inf
   MicrocodeFlashAccessLib|IntelSiliconPkg/Feature/Capsule/Library/MicrocodeFlashAccessLibNull/MicrocodeFlashAccessLibNull.inf
   PeiGetVtdPmrAlignmentLib|IntelSiliconPkg/Library/PeiGetVtdPmrAlignmentLib/PeiGetVtdPmrAlignmentLib.inf
+  TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/TpmMeasurementLibNull.inf
 
 [LibraryClasses.common.PEIM]
   PeimEntryPoint|MdePkg/Library/PeimEntryPoint/PeimEntryPoint.inf
@@ -75,6 +76,8 @@
 
 [Components]
   IntelSiliconPkg/Library/DxeSmbiosDataHobLib/DxeSmbiosDataHobLib.inf
+  IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/IntelPciDeviceSecurityDxe.inf
+  IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/SamplePlatformDevicePolicyDxe.inf
   IntelSiliconPkg/Feature/VTd/IntelVTdDxe/IntelVTdDxe.inf
   IntelSiliconPkg/Feature/VTd/IntelVTdPmrPei/IntelVTdPmrPei.inf
   IntelSiliconPkg/Feature/VTd/PlatformVTdSampleDxe/PlatformVTdSampleDxe.inf
-- 
2.19.2.windows.1

Re: [edk2-devel] [PATCH V3 0/6] Add Device Security driver

[Javeed, Ashraf]

Jiewen,
It could be better to organize your PcieSecurity driver stack under a common "Pci" folder; like under the following path:
"Intel/IntelSiliconPkg/Feature/Pci"

Thanks
Ashraf

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Yao, Jiewen
> Sent: Thursday, November 7, 2019 7:08 PM
> To: devel@edk2.groups.io
> Subject: [edk2-devel] [PATCH V3 0/6] Add Device Security driver
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303
> 
> =============== V3 ===============
> 
> The V3 version addresses the feedback below:
> 
> Liming Gao:
> 1. Add SPDM spec version and align to latest one 0.99a.
> 
> Rangasai Chaganty:
> 1. put a reference to the spec at the file header, for Intel PCI security spec.
> 2. add some high level description above the structure definition that
>    describes the structure.
> 3. on the services "GetDevicePolicy" and "SetDeviceState", Add more error
>    return states
> 
> Ray Ni:
> 1. add comments to each field of structures like
> EDKII_DEVICE_SECURITY_POLICY
>    and EDKII_DEVICE_SECURITY_STATE.
> 2. add comments to all the macros defined in this patch to explain the meaning
>    and more important how they are going to impact the logic.
> 3. make the macro short
>     EDKII_DEVICE_MEASUREMENT_POLICY_REQUIRED ->
> EDKII_DEVICE_MEASUREMENT_REQUIRED
>     EDKII_DEVICE_AUTHENTICATION_POLICY_REQUIRED ->
> EDKII_DEVICE_AUTHENTICATION_REQUIRED
> 4. rename the SetDeviceState to NotifyDeviceState.
> 5. add comments to explain clearly what SetDeviceState() needs to do.
> 6. change the prototype so that caller needs to pass in a policy structure and
>    GetDevicePolicy() fills the structure buffer using CopyMem.
> 7. add the version macro for
> EDKII_DEVICE_SECURITY_POLICY_PROTOCOL.Version,
>    securitypolicy.version and securitystate.version.
> 8. add clear debug information for DvSec capability header.
> 
> =============== V2 ===============
> 
> This patch series add support for device security based upon the DMTF SPDM
> specification.
> https://www.dmtf.org/sites/default/files/standards/documents/DSP0274_0.95a
> .zip
> 
> We did design review at 18 Oct, 2019.
> https://edk2.groups.io/g/devel/files/Designs/2019/1018
> And the feedback from the meeting is addressed.
> https://edk2.groups.io/g/devel/files/Designs/2019/1018/EDKII-
> Device%20Firmware%20Security%20v2.pdf
> 
> The Device security protocol is added in EDKII repo.
> Here we add the producer what follows Intel PCI security spec to do the device
> firmware measurement.
> https://www.intel.com/content/www/us/en/io/pci-express/pcie-device-
> security-enhancements-spec.html
> 
> The EDKII repo update is at
> https://github.com/jyao1/edk2/tree/DeviceSecurityMasterV2
> The EDKII platform repo update is at https://github.com/jyao1/edk2-
> platforms/tree/DeviceSecurityMasterV2
> 
> The validation has been done on a Intel internal platform.
> The device measurement can be shown in TCG event log.
> 
> signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
> 
> Jiewen Yao (6):
>   IntelSiliconPkg/Include: Add Intel PciSecurity definition.
>   IntelSiliconPkg/Include: Add Platform Device Security Policy protocol
>   IntelSiliconPkg/dec: Add ProtocolGuid definition.
>   IntelSiliconPkg/IntelPciDeviceSecurityDxe: Add PciSecurity.
>   IntelSiliconPkg/SamplePlatformDevicePolicyDxe: Add sample policy.
>   IntelSiliconPkg/dsc: Add Device Security component.
> 
>  .../IntelPciDeviceSecurityDxe.c               | 697 ++++++++++++++++++
>  .../IntelPciDeviceSecurityDxe.inf             |  45 ++
>  .../TcgDeviceEvent.h                          | 178 +++++
>  .../SamplePlatformDevicePolicyDxe.c           | 204 +++++
>  .../SamplePlatformDevicePolicyDxe.inf         |  40 +
>  .../IndustryStandard/IntelPciSecurity.h       |  92 +++
>  .../Protocol/PlatformDeviceSecurityPolicy.h   | 128 ++++
>  .../Intel/IntelSiliconPkg/IntelSiliconPkg.dec |   4 +
>  .../Intel/IntelSiliconPkg/IntelSiliconPkg.dsc |   3 +
>  9 files changed, 1391 insertions(+)
>  create mode 100644
> Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/Int
> elPciDeviceSecurityDxe.c
>  create mode 100644
> Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/Int
> elPciDeviceSecurityDxe.inf
>  create mode 100644
> Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/Tcg
> DeviceEvent.h
>  create mode 100644
> Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyD
> xe/SamplePlatformDevicePolicyDxe.c
>  create mode 100644
> Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyD
> xe/SamplePlatformDevicePolicyDxe.inf
>  create mode 100644
> Silicon/Intel/IntelSiliconPkg/Include/IndustryStandard/IntelPciSecurity.h
>  create mode 100644
> Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecurityPolicy.h
> 
> --
> 2.19.2.windows.1
> 
> 
> 

Re: [edk2-devel] [PATCH V3 0/6] Add Device Security driver

[Yao, Jiewen]

Right. I have put them to edk2-platforms\Silicon\Intel\IntelSiliconPkg\Feature\PcieSecurity. Similar to Capsule, SmmAccess, VTd.

Thank you
Yao Jiewen

> -----Original Message-----
> From: Javeed, Ashraf <ashraf.javeed@intel.com>
> Sent: Friday, November 8, 2019 12:23 PM
> To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>
> Subject: RE: [edk2-devel] [PATCH V3 0/6] Add Device Security driver
> 
> Jiewen,
> It could be better to organize your PcieSecurity driver stack under a common
> "Pci" folder; like under the following path:
> "Intel/IntelSiliconPkg/Feature/Pci"
> 
> Thanks
> Ashraf
> 
> > -----Original Message-----
> > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Yao,
> Jiewen
> > Sent: Thursday, November 7, 2019 7:08 PM
> > To: devel@edk2.groups.io
> > Subject: [edk2-devel] [PATCH V3 0/6] Add Device Security driver
> >
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303
> >
> > =============== V3 ===============
> >
> > The V3 version addresses the feedback below:
> >
> > Liming Gao:
> > 1. Add SPDM spec version and align to latest one 0.99a.
> >
> > Rangasai Chaganty:
> > 1. put a reference to the spec at the file header, for Intel PCI security spec.
> > 2. add some high level description above the structure definition that
> >    describes the structure.
> > 3. on the services "GetDevicePolicy" and "SetDeviceState", Add more error
> >    return states
> >
> > Ray Ni:
> > 1. add comments to each field of structures like
> > EDKII_DEVICE_SECURITY_POLICY
> >    and EDKII_DEVICE_SECURITY_STATE.
> > 2. add comments to all the macros defined in this patch to explain the meaning
> >    and more important how they are going to impact the logic.
> > 3. make the macro short
> >     EDKII_DEVICE_MEASUREMENT_POLICY_REQUIRED ->
> > EDKII_DEVICE_MEASUREMENT_REQUIRED
> >     EDKII_DEVICE_AUTHENTICATION_POLICY_REQUIRED ->
> > EDKII_DEVICE_AUTHENTICATION_REQUIRED
> > 4. rename the SetDeviceState to NotifyDeviceState.
> > 5. add comments to explain clearly what SetDeviceState() needs to do.
> > 6. change the prototype so that caller needs to pass in a policy structure and
> >    GetDevicePolicy() fills the structure buffer using CopyMem.
> > 7. add the version macro for
> > EDKII_DEVICE_SECURITY_POLICY_PROTOCOL.Version,
> >    securitypolicy.version and securitystate.version.
> > 8. add clear debug information for DvSec capability header.
> >
> > =============== V2 ===============
> >
> > This patch series add support for device security based upon the DMTF SPDM
> > specification.
> >
> https://www.dmtf.org/sites/default/files/standards/documents/DSP0274_0.95a
> > .zip
> >
> > We did design review at 18 Oct, 2019.
> > https://edk2.groups.io/g/devel/files/Designs/2019/1018
> > And the feedback from the meeting is addressed.
> > https://edk2.groups.io/g/devel/files/Designs/2019/1018/EDKII-
> > Device%20Firmware%20Security%20v2.pdf
> >
> > The Device security protocol is added in EDKII repo.
> > Here we add the producer what follows Intel PCI security spec to do the device
> > firmware measurement.
> > https://www.intel.com/content/www/us/en/io/pci-express/pcie-device-
> > security-enhancements-spec.html
> >
> > The EDKII repo update is at
> > https://github.com/jyao1/edk2/tree/DeviceSecurityMasterV2
> > The EDKII platform repo update is at https://github.com/jyao1/edk2-
> > platforms/tree/DeviceSecurityMasterV2
> >
> > The validation has been done on a Intel internal platform.
> > The device measurement can be shown in TCG event log.
> >
> > signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
> >
> > Jiewen Yao (6):
> >   IntelSiliconPkg/Include: Add Intel PciSecurity definition.
> >   IntelSiliconPkg/Include: Add Platform Device Security Policy protocol
> >   IntelSiliconPkg/dec: Add ProtocolGuid definition.
> >   IntelSiliconPkg/IntelPciDeviceSecurityDxe: Add PciSecurity.
> >   IntelSiliconPkg/SamplePlatformDevicePolicyDxe: Add sample policy.
> >   IntelSiliconPkg/dsc: Add Device Security component.
> >
> >  .../IntelPciDeviceSecurityDxe.c               | 697 ++++++++++++++++++
> >  .../IntelPciDeviceSecurityDxe.inf             |  45 ++
> >  .../TcgDeviceEvent.h                          | 178 +++++
> >  .../SamplePlatformDevicePolicyDxe.c           | 204 +++++
> >  .../SamplePlatformDevicePolicyDxe.inf         |  40 +
> >  .../IndustryStandard/IntelPciSecurity.h       |  92 +++
> >  .../Protocol/PlatformDeviceSecurityPolicy.h   | 128 ++++
> >  .../Intel/IntelSiliconPkg/IntelSiliconPkg.dec |   4 +
> >  .../Intel/IntelSiliconPkg/IntelSiliconPkg.dsc |   3 +
> >  9 files changed, 1391 insertions(+)
> >  create mode 100644
> >
> Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/Int
> > elPciDeviceSecurityDxe.c
> >  create mode 100644
> >
> Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/Int
> > elPciDeviceSecurityDxe.inf
> >  create mode 100644
> >
> Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/Tcg
> > DeviceEvent.h
> >  create mode 100644
> >
> Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyD
> > xe/SamplePlatformDevicePolicyDxe.c
> >  create mode 100644
> >
> Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyD
> > xe/SamplePlatformDevicePolicyDxe.inf
> >  create mode 100644
> > Silicon/Intel/IntelSiliconPkg/Include/IndustryStandard/IntelPciSecurity.h
> >  create mode 100644
> > Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecurityPolicy.h
> >
> > --
> > 2.19.2.windows.1
> >
> >
> > 

Re: [PATCH V3 1/6] IntelSiliconPkg/Include: Add Intel PciSecurity definition.

[Ni, Ray]

Reviewed-by: Ray Ni <ray.ni@intel.com>

> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Thursday, November 7, 2019 9:38 PM
> To: devel@edk2.groups.io
> Cc: Ni, Ray <ray.ni@intel.com>; Chaganty, Rangasai V
> <rangasai.v.chaganty@intel.com>; Lou, Yun <yun.lou@intel.com>
> Subject: [PATCH V3 1/6] IntelSiliconPkg/Include: Add Intel PciSecurity
> definition.
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303
> 
> Cc: Ray Ni <ray.ni@intel.com>
> Cc: Rangasai V Chaganty <rangasai.v.chaganty@intel.com>
> Cc: Yun Lou <yun.lou@intel.com>
> Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
> ---
>  .../IndustryStandard/IntelPciSecurity.h       | 92 +++++++++++++++++++
>  1 file changed, 92 insertions(+)
>  create mode 100644
> Silicon/Intel/IntelSiliconPkg/Include/IndustryStandard/IntelPciSecurity.h
> 
> diff --git
> a/Silicon/Intel/IntelSiliconPkg/Include/IndustryStandard/IntelPciSecurity.h
> b/Silicon/Intel/IntelSiliconPkg/Include/IndustryStandard/IntelPciSecurity.h
> new file mode 100644
> index 0000000000..f2bdb7ee2d
> --- /dev/null
> +++ b/Silicon/Intel/IntelSiliconPkg/Include/IndustryStandard/IntelPciSec
> +++ urity.h
> @@ -0,0 +1,92 @@
> +/** @file
> +  Intel PCI security data structure definition from
> +  PCIe* Device Security Enhancements Specification.
> +
> +
> + https://www.intel.com/content/www/us/en/io/pci-express/pcie-device-
> sec
> + urity-enhancements-spec.html
> +
> +  NOTE: The data structure is not fully match the current
> + specification,  because it is aligned with the real hardware
> + implementation with minor adjustment  on
> + INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE,
> INTEL_PCI_DIGEST_DATA_MODIFIED and  INTEL_PCI_DIGEST_DATA_VALID.
> +
> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#ifndef __INTEL_PCI_SECURITY_H__
> +#define __INTEL_PCI_SECURITY_H__
> +
> +#pragma pack(1)
> +
> +///
> +/// The PCIE capability structure header for Intel PCI DVSEC extension.
> +///
> +typedef struct {
> +  UINT16  CapId;           // 0x23: DVSEC
> +  UINT16  CapVersion:4;    // 1
> +  UINT16  NextOffset:12;
> +  UINT16  DvSecVendorId;   // 0x8086
> +  UINT16  DvSecRevision:4; // 1
> +  UINT16  DvSecLength:12;
> +  UINT16  DvSecId;         // 0x3E: Measure
> +} INTEL_PCI_DIGEST_CAPABILITY_HEADER;
> +
> +#define INTEL_PCI_CAPID_DVSEC                0x23
> +#define INTEL_PCI_DVSEC_VENDORID_INTEL       0x8086
> +#define INTEL_PCI_DVSEC_DVSECID_MEASUREMENT  0x3E
> +
> +///
> +/// The Intel PCI digest modified macro.
> +///
> +#define INTEL_PCI_DIGEST_MODIFIED        BIT0
> +
> +///
> +/// The Intel PCI DVSEC digest data modified structure.
> +///
> +typedef union {
> +  struct {
> +    UINT8   DigestModified:1;         // RW1C
> +    UINT8   Reserved0:7;
> +  } Bits;
> +  UINT8 Data;
> +} INTEL_PCI_DIGEST_DATA_MODIFIED;
> +
> +///
> +/// The Intel PCI digest valid macro.
> +///
> +#define INTEL_PCI_DIGEST_0_VALID         BIT0
> +#define INTEL_PCI_DIGEST_0_LOCKED        BIT1
> +#define INTEL_PCI_DIGEST_1_VALID         BIT2
> +#define INTEL_PCI_DIGEST_1_LOCKED        BIT3
> +
> +///
> +/// The Intel PCI DVSEC digest data valid structure.
> +///
> +typedef union {
> +  struct {
> +    UINT8   Digest0Valid:1;          // RO
> +    UINT8   Digest0Locked:1;         // RO
> +    UINT8   Digest1Valid:1;          // RO
> +    UINT8   Digest1Locked:1;         // RO
> +    UINT8   Reserved1:4;
> +  } Bits;
> +  UINT8 Data;
> +} INTEL_PCI_DIGEST_DATA_VALID;
> +
> +///
> +/// The PCIE capability structure for Intel PCI DVSEC extension with digest.
> +///
> +typedef struct {
> +  INTEL_PCI_DIGEST_DATA_MODIFIED   Modified;   // RW1C
> +  INTEL_PCI_DIGEST_DATA_VALID      Valid;      // RO
> +  UINT16                           TcgAlgId;   // RO
> +  UINT8                            FirmwareID; // RO
> +  UINT8                            Reserved;
> +//UINT8                            Digest[];
> +} INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE;
> +
> +#pragma pack()
> +
> +#endif
> +
> --
> 2.19.2.windows.1

Re: [PATCH V3 2/6] IntelSiliconPkg/Include: Add Platform Device Security Policy protocol

[Ni, Ray]

Jiewen,
The structure field is named "Version" while the macro is ended with "_REVISION".
Is there a special reason for such inconsistency?

Thanks,
Ray

> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Thursday, November 7, 2019 9:38 PM
> To: devel@edk2.groups.io
> Cc: Ni, Ray <ray.ni@intel.com>; Chaganty, Rangasai V
> <rangasai.v.chaganty@intel.com>; Lou, Yun <yun.lou@intel.com>
> Subject: [PATCH V3 2/6] IntelSiliconPkg/Include: Add Platform Device
> Security Policy protocol
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303
> 
> Cc: Ray Ni <ray.ni@intel.com>
> Cc: Rangasai V Chaganty <rangasai.v.chaganty@intel.com>
> Cc: Yun Lou <yun.lou@intel.com>
> Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
> ---
>  .../Protocol/PlatformDeviceSecurityPolicy.h   | 128 ++++++++++++++++++
>  1 file changed, 128 insertions(+)
>  create mode 100644
> Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecurityPolicy.h
> 
> diff --git
> a/Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecurityPolic
> y.h
> b/Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecurityPolic
> y.h
> new file mode 100644
> index 0000000000..b151781de2
> --- /dev/null
> +++ b/Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecur
> +++ ityPolicy.h
> @@ -0,0 +1,128 @@
> +/** @file
> +  Platform Device Security Policy Protocol definition
> +
> +  Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> +  SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +
> +#ifndef __EDKII_DEVICE_SECURITY_POLICY_PROTOCOL_H__
> +#define __EDKII_DEVICE_SECURITY_POLICY_PROTOCOL_H__
> +
> +#include <Uefi.h>
> +#include <Protocol/DeviceSecurity.h>
> +
> +typedef struct _EDKII_DEVICE_SECURITY_POLICY_PROTOCOL
> +EDKII_DEVICE_SECURITY_POLICY_PROTOCOL;
> +
> +//
> +// Revision The revision to which the DEVICE_SECURITY_POLICY protocol
> interface adheres.
> +//          All future revisions must be backwards compatible.
> +//          If a future version is not back wards compatible it is not the same
> GUID.
> +//
> +#define EDKII_DEVICE_SECURITY_POLICY_PROTOCOL_REVISION
> 0x00010000
> +
> +//
> +// Revision The revision to which the DEVICE_SECURITY_POLICY structure
> adheres.
> +//          All future revisions must be backwards compatible.
> +//
> +#define EDKII_DEVICE_SECURITY_POLICY_REVISION 0x00010000
> +
> +///
> +/// The macro for the policy defined in EDKII_DEVICE_SECURITY_POLICY
> +///
> +#define EDKII_DEVICE_MEASUREMENT_REQUIRED                 BIT0
> +#define EDKII_DEVICE_AUTHENTICATION_REQUIRED              BIT0
> +
> +///
> +/// The device security policy data structure /// typedef struct {
> +  UINT32     Version;
> +  UINT32     MeasurementPolicy;
> +  UINT32     AuthenticationPolicy;
> +} EDKII_DEVICE_SECURITY_POLICY;
> +
> +//
> +// Revision The revision to which the DEVICE_SECURITY_STATE structure
> adheres.
> +//          All future revisions must be backwards compatible.
> +//
> +#define EDKII_DEVICE_SECURITY_STATE_REVISION 0x00010000
> +
> +///
> +/// The macro for the state defined in EDKII_DEVICE_SECURITY_STATE ///
> +#define EDKII_DEVICE_SECURITY_STATE_SUCCESS                          0
> +#define EDKII_DEVICE_SECURITY_STATE_ERROR                            BIT31
> +#define EDKII_DEVICE_SECURITY_STATE_ERROR_UEFI_UNSUPPORTED
> (EDKII_DEVICE_SECURITY_STATE_ERROR + 0x0)
> +#define
> EDKII_DEVICE_SECURITY_STATE_ERROR_UEFI_GET_POLICY_PROTOCOL
> (EDKII_DEVICE_SECURITY_STATE_ERROR + 0x1)
> +#define EDKII_DEVICE_SECURITY_STATE_ERROR_PCI_NO_CAPABILITIES
> (EDKII_DEVICE_SECURITY_STATE_ERROR + 0x10)
> +#define EDKII_DEVICE_SECURITY_STATE_ERROR_TCG_EXTEND_TPM_PCR
> (EDKII_DEVICE_SECURITY_STATE_ERROR + 0x20)
> +
> +///
> +/// The device security state data structure /// typedef struct {
> +  UINT32     Version;
> +  UINT32     MeasurementState;
> +  UINT32     AuthenticationState;
> +} EDKII_DEVICE_SECURITY_STATE;
> +
> +/**
> +  This function returns the device security policy associated with the device.
> +
> +  The device security driver may call this interface to get the
> + platform policy  for the specific device and determine if the
> + measurement or authentication  is required.
> +
> +  @param[in]  This                   The protocol instance pointer.
> +  @param[in]  DeviceId               The Identifier for the device.
> +  @param[out] DeviceSecurityPolicy   The Device Security Policy associated
> with the device.
> +
> +  @retval EFI_SUCCESS                The device security policy is returned
> +  @retval EFI_UNSUPPORTED            The function is unsupported for the
> specific Device.
> +**/
> +typedef
> +EFI_STATUS
> +(EFIAPI *EDKII_DEVICE_SECURITY_GET_DEVICE_POLICY) (
> +  IN  EDKII_DEVICE_SECURITY_POLICY_PROTOCOL  *This,
> +  IN  EDKII_DEVICE_IDENTIFIER                *DeviceId,
> +  OUT EDKII_DEVICE_SECURITY_POLICY           *DeviceSecurityPolicy
> +  );
> +
> +/**
> +  This function sets the device state based upon the authentication result.
> +
> +  The device security driver may call this interface to give the
> + platform  a notify based upon the measurement or authentication result.
> +  If the authentication or measurement fails, the platform may choose:
> +  1) Do nothing.
> +  2) Disable this device or slot temporarily and continue boot.
> +  3) Reset the platform and retry again.
> +  4) Disable this device or slot permanently.
> +  5) Any other platform specific action.
> +
> +  @param[in]  This                   The protocol instance pointer.
> +  @param[in]  DeviceId               The Identifier for the device.
> +  @param[in]  DeviceSecurityState    The Device Security state associated
> with the device.
> +
> +  @retval EFI_SUCCESS                The device state is set.
> +  @retval EFI_UNSUPPORTED            The function is unsupported for the
> specific Device.
> +**/
> +typedef
> +EFI_STATUS
> +(EFIAPI *EDKII_DEVICE_SECURITY_NOTIFY_DEVICE_STATE) (
> +  IN  EDKII_DEVICE_SECURITY_POLICY_PROTOCOL  *This,
> +  IN  EDKII_DEVICE_IDENTIFIER                *DeviceId,
> +  IN  EDKII_DEVICE_SECURITY_STATE            *DeviceSecurityState
> +  );
> +
> +struct _EDKII_DEVICE_SECURITY_POLICY_PROTOCOL {
> +  UINT32                                      Version;
> +  EDKII_DEVICE_SECURITY_GET_DEVICE_POLICY     GetDevicePolicy;
> +  EDKII_DEVICE_SECURITY_NOTIFY_DEVICE_STATE   NotifyDeviceState;
> +};
> +
> +extern EFI_GUID gEdkiiDeviceSecurityPolicyProtocolGuid;
> +
> +#endif
> --
> 2.19.2.windows.1

Re: [PATCH V3 3/6] IntelSiliconPkg/dec: Add ProtocolGuid definition.

[Ni, Ray]

Reviewed-by: Ray Ni <ray.ni@intel.com>

> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Thursday, November 7, 2019 9:38 PM
> To: devel@edk2.groups.io
> Cc: Ni, Ray <ray.ni@intel.com>; Chaganty, Rangasai V
> <rangasai.v.chaganty@intel.com>; Lou, Yun <yun.lou@intel.com>
> Subject: [PATCH V3 3/6] IntelSiliconPkg/dec: Add ProtocolGuid definition.
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303
> 
> Cc: Ray Ni <ray.ni@intel.com>
> Cc: Rangasai V Chaganty <rangasai.v.chaganty@intel.com>
> Cc: Yun Lou <yun.lou@intel.com>
> Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
> ---
>  Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dec | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dec
> b/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dec
> index 3079fc2869..22ebf19c4e 100644
> --- a/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dec
> +++ b/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dec
> @@ -54,6 +54,10 @@
>  [Protocols]
>    gEdkiiPlatformVTdPolicyProtocolGuid = { 0x3d17e448, 0x466, 0x4e20, { 0x99,
> 0x9f, 0xb2, 0xe1, 0x34, 0x88, 0xee, 0x22 }}
> 
> +  ## Protocol for device security policy.
> +  # Include/Protocol/PlatformDeviceSecurityPolicy.h
> +  gEdkiiDeviceSecurityPolicyProtocolGuid = {0x7ea41a99, 0x5e32, 0x4c97,
> {0x88, 0xc4, 0xd6, 0xe7, 0x46, 0x84, 0x9, 0xd4}}
> +
>  [PcdsFixedAtBuild, PcdsPatchableInModule]
>    ## Error code for VTd error.<BR><BR>
>    #  EDKII_ERROR_CODE_VTD_ERROR = (EFI_IO_BUS_UNSPECIFIED |
> (EFI_OEM_SPECIFIC | 0x00000000)) = 0x02008000<BR>
> --
> 2.19.2.windows.1

Re: [PATCH V3 2/6] IntelSiliconPkg/Include: Add Platform Device Security Policy protocol

[Yao, Jiewen]

Good catch.
No special meaning.

I will use _VERSION.

Thank you
Yao Jiewen

> -----Original Message-----
> From: Ni, Ray <ray.ni@intel.com>
> Sent: Friday, November 8, 2019 3:00 PM
> To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io
> Cc: Chaganty, Rangasai V <rangasai.v.chaganty@intel.com>; Lou, Yun
> <yun.lou@intel.com>
> Subject: RE: [PATCH V3 2/6] IntelSiliconPkg/Include: Add Platform Device
> Security Policy protocol
> 
> Jiewen,
> The structure field is named "Version" while the macro is ended with
> "_REVISION".
> Is there a special reason for such inconsistency?
> 
> Thanks,
> Ray
> 
> > -----Original Message-----
> > From: Yao, Jiewen <jiewen.yao@intel.com>
> > Sent: Thursday, November 7, 2019 9:38 PM
> > To: devel@edk2.groups.io
> > Cc: Ni, Ray <ray.ni@intel.com>; Chaganty, Rangasai V
> > <rangasai.v.chaganty@intel.com>; Lou, Yun <yun.lou@intel.com>
> > Subject: [PATCH V3 2/6] IntelSiliconPkg/Include: Add Platform Device
> > Security Policy protocol
> >
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303
> >
> > Cc: Ray Ni <ray.ni@intel.com>
> > Cc: Rangasai V Chaganty <rangasai.v.chaganty@intel.com>
> > Cc: Yun Lou <yun.lou@intel.com>
> > Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
> > ---
> >  .../Protocol/PlatformDeviceSecurityPolicy.h   | 128 ++++++++++++++++++
> >  1 file changed, 128 insertions(+)
> >  create mode 100644
> > Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecurityPolicy.h
> >
> > diff --git
> > a/Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecurityPolic
> > y.h
> > b/Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecurityPolic
> > y.h
> > new file mode 100644
> > index 0000000000..b151781de2
> > --- /dev/null
> > +++ b/Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecur
> > +++ ityPolicy.h
> > @@ -0,0 +1,128 @@
> > +/** @file
> > +  Platform Device Security Policy Protocol definition
> > +
> > +  Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> > +  SPDX-License-Identifier: BSD-2-Clause-Patent
> > +
> > +**/
> > +
> > +
> > +#ifndef __EDKII_DEVICE_SECURITY_POLICY_PROTOCOL_H__
> > +#define __EDKII_DEVICE_SECURITY_POLICY_PROTOCOL_H__
> > +
> > +#include <Uefi.h>
> > +#include <Protocol/DeviceSecurity.h>
> > +
> > +typedef struct _EDKII_DEVICE_SECURITY_POLICY_PROTOCOL
> > +EDKII_DEVICE_SECURITY_POLICY_PROTOCOL;
> > +
> > +//
> > +// Revision The revision to which the DEVICE_SECURITY_POLICY protocol
> > interface adheres.
> > +//          All future revisions must be backwards compatible.
> > +//          If a future version is not back wards compatible it is not the same
> > GUID.
> > +//
> > +#define EDKII_DEVICE_SECURITY_POLICY_PROTOCOL_REVISION
> > 0x00010000
> > +
> > +//
> > +// Revision The revision to which the DEVICE_SECURITY_POLICY structure
> > adheres.
> > +//          All future revisions must be backwards compatible.
> > +//
> > +#define EDKII_DEVICE_SECURITY_POLICY_REVISION 0x00010000
> > +
> > +///
> > +/// The macro for the policy defined in EDKII_DEVICE_SECURITY_POLICY
> > +///
> > +#define EDKII_DEVICE_MEASUREMENT_REQUIRED                 BIT0
> > +#define EDKII_DEVICE_AUTHENTICATION_REQUIRED              BIT0
> > +
> > +///
> > +/// The device security policy data structure /// typedef struct {
> > +  UINT32     Version;
> > +  UINT32     MeasurementPolicy;
> > +  UINT32     AuthenticationPolicy;
> > +} EDKII_DEVICE_SECURITY_POLICY;
> > +
> > +//
> > +// Revision The revision to which the DEVICE_SECURITY_STATE structure
> > adheres.
> > +//          All future revisions must be backwards compatible.
> > +//
> > +#define EDKII_DEVICE_SECURITY_STATE_REVISION 0x00010000
> > +
> > +///
> > +/// The macro for the state defined in EDKII_DEVICE_SECURITY_STATE ///
> > +#define EDKII_DEVICE_SECURITY_STATE_SUCCESS                          0
> > +#define EDKII_DEVICE_SECURITY_STATE_ERROR                            BIT31
> > +#define EDKII_DEVICE_SECURITY_STATE_ERROR_UEFI_UNSUPPORTED
> > (EDKII_DEVICE_SECURITY_STATE_ERROR + 0x0)
> > +#define
> > EDKII_DEVICE_SECURITY_STATE_ERROR_UEFI_GET_POLICY_PROTOCOL
> > (EDKII_DEVICE_SECURITY_STATE_ERROR + 0x1)
> > +#define EDKII_DEVICE_SECURITY_STATE_ERROR_PCI_NO_CAPABILITIES
> > (EDKII_DEVICE_SECURITY_STATE_ERROR + 0x10)
> > +#define EDKII_DEVICE_SECURITY_STATE_ERROR_TCG_EXTEND_TPM_PCR
> > (EDKII_DEVICE_SECURITY_STATE_ERROR + 0x20)
> > +
> > +///
> > +/// The device security state data structure /// typedef struct {
> > +  UINT32     Version;
> > +  UINT32     MeasurementState;
> > +  UINT32     AuthenticationState;
> > +} EDKII_DEVICE_SECURITY_STATE;
> > +
> > +/**
> > +  This function returns the device security policy associated with the device.
> > +
> > +  The device security driver may call this interface to get the
> > + platform policy  for the specific device and determine if the
> > + measurement or authentication  is required.
> > +
> > +  @param[in]  This                   The protocol instance pointer.
> > +  @param[in]  DeviceId               The Identifier for the device.
> > +  @param[out] DeviceSecurityPolicy   The Device Security Policy associated
> > with the device.
> > +
> > +  @retval EFI_SUCCESS                The device security policy is returned
> > +  @retval EFI_UNSUPPORTED            The function is unsupported for the
> > specific Device.
> > +**/
> > +typedef
> > +EFI_STATUS
> > +(EFIAPI *EDKII_DEVICE_SECURITY_GET_DEVICE_POLICY) (
> > +  IN  EDKII_DEVICE_SECURITY_POLICY_PROTOCOL  *This,
> > +  IN  EDKII_DEVICE_IDENTIFIER                *DeviceId,
> > +  OUT EDKII_DEVICE_SECURITY_POLICY           *DeviceSecurityPolicy
> > +  );
> > +
> > +/**
> > +  This function sets the device state based upon the authentication result.
> > +
> > +  The device security driver may call this interface to give the
> > + platform  a notify based upon the measurement or authentication result.
> > +  If the authentication or measurement fails, the platform may choose:
> > +  1) Do nothing.
> > +  2) Disable this device or slot temporarily and continue boot.
> > +  3) Reset the platform and retry again.
> > +  4) Disable this device or slot permanently.
> > +  5) Any other platform specific action.
> > +
> > +  @param[in]  This                   The protocol instance pointer.
> > +  @param[in]  DeviceId               The Identifier for the device.
> > +  @param[in]  DeviceSecurityState    The Device Security state associated
> > with the device.
> > +
> > +  @retval EFI_SUCCESS                The device state is set.
> > +  @retval EFI_UNSUPPORTED            The function is unsupported for the
> > specific Device.
> > +**/
> > +typedef
> > +EFI_STATUS
> > +(EFIAPI *EDKII_DEVICE_SECURITY_NOTIFY_DEVICE_STATE) (
> > +  IN  EDKII_DEVICE_SECURITY_POLICY_PROTOCOL  *This,
> > +  IN  EDKII_DEVICE_IDENTIFIER                *DeviceId,
> > +  IN  EDKII_DEVICE_SECURITY_STATE            *DeviceSecurityState
> > +  );
> > +
> > +struct _EDKII_DEVICE_SECURITY_POLICY_PROTOCOL {
> > +  UINT32                                      Version;
> > +  EDKII_DEVICE_SECURITY_GET_DEVICE_POLICY     GetDevicePolicy;
> > +  EDKII_DEVICE_SECURITY_NOTIFY_DEVICE_STATE   NotifyDeviceState;
> > +};
> > +
> > +extern EFI_GUID gEdkiiDeviceSecurityPolicyProtocolGuid;
> > +
> > +#endif
> > --
> > 2.19.2.windows.1

Re: [PATCH V3 2/6] IntelSiliconPkg/Include: Add Platform Device Security Policy protocol

[Ni, Ray]

With that, Reviewed-by: Ray Ni <ray.ni@intel.com>

> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Friday, November 8, 2019 3:01 PM
> To: Ni, Ray <ray.ni@intel.com>; devel@edk2.groups.io
> Cc: Chaganty, Rangasai V <rangasai.v.chaganty@intel.com>; Lou, Yun <yun.lou@intel.com>
> Subject: RE: [PATCH V3 2/6] IntelSiliconPkg/Include: Add Platform Device Security Policy protocol
> 
> Good catch.
> No special meaning.
> 
> I will use _VERSION.
> 
> Thank you
> Yao Jiewen
> 
> > -----Original Message-----
> > From: Ni, Ray <ray.ni@intel.com>
> > Sent: Friday, November 8, 2019 3:00 PM
> > To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io
> > Cc: Chaganty, Rangasai V <rangasai.v.chaganty@intel.com>; Lou, Yun
> > <yun.lou@intel.com>
> > Subject: RE: [PATCH V3 2/6] IntelSiliconPkg/Include: Add Platform Device
> > Security Policy protocol
> >
> > Jiewen,
> > The structure field is named "Version" while the macro is ended with
> > "_REVISION".
> > Is there a special reason for such inconsistency?
> >
> > Thanks,
> > Ray
> >
> > > -----Original Message-----
> > > From: Yao, Jiewen <jiewen.yao@intel.com>
> > > Sent: Thursday, November 7, 2019 9:38 PM
> > > To: devel@edk2.groups.io
> > > Cc: Ni, Ray <ray.ni@intel.com>; Chaganty, Rangasai V
> > > <rangasai.v.chaganty@intel.com>; Lou, Yun <yun.lou@intel.com>
> > > Subject: [PATCH V3 2/6] IntelSiliconPkg/Include: Add Platform Device
> > > Security Policy protocol
> > >
> > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303
> > >
> > > Cc: Ray Ni <ray.ni@intel.com>
> > > Cc: Rangasai V Chaganty <rangasai.v.chaganty@intel.com>
> > > Cc: Yun Lou <yun.lou@intel.com>
> > > Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
> > > ---
> > >  .../Protocol/PlatformDeviceSecurityPolicy.h   | 128 ++++++++++++++++++
> > >  1 file changed, 128 insertions(+)
> > >  create mode 100644
> > > Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecurityPolicy.h
> > >
> > > diff --git
> > > a/Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecurityPolic
> > > y.h
> > > b/Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecurityPolic
> > > y.h
> > > new file mode 100644
> > > index 0000000000..b151781de2
> > > --- /dev/null
> > > +++ b/Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecur
> > > +++ ityPolicy.h
> > > @@ -0,0 +1,128 @@
> > > +/** @file
> > > +  Platform Device Security Policy Protocol definition
> > > +
> > > +  Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> > > +  SPDX-License-Identifier: BSD-2-Clause-Patent
> > > +
> > > +**/
> > > +
> > > +
> > > +#ifndef __EDKII_DEVICE_SECURITY_POLICY_PROTOCOL_H__
> > > +#define __EDKII_DEVICE_SECURITY_POLICY_PROTOCOL_H__
> > > +
> > > +#include <Uefi.h>
> > > +#include <Protocol/DeviceSecurity.h>
> > > +
> > > +typedef struct _EDKII_DEVICE_SECURITY_POLICY_PROTOCOL
> > > +EDKII_DEVICE_SECURITY_POLICY_PROTOCOL;
> > > +
> > > +//
> > > +// Revision The revision to which the DEVICE_SECURITY_POLICY protocol
> > > interface adheres.
> > > +//          All future revisions must be backwards compatible.
> > > +//          If a future version is not back wards compatible it is not the same
> > > GUID.
> > > +//
> > > +#define EDKII_DEVICE_SECURITY_POLICY_PROTOCOL_REVISION
> > > 0x00010000
> > > +
> > > +//
> > > +// Revision The revision to which the DEVICE_SECURITY_POLICY structure
> > > adheres.
> > > +//          All future revisions must be backwards compatible.
> > > +//
> > > +#define EDKII_DEVICE_SECURITY_POLICY_REVISION 0x00010000
> > > +
> > > +///
> > > +/// The macro for the policy defined in EDKII_DEVICE_SECURITY_POLICY
> > > +///
> > > +#define EDKII_DEVICE_MEASUREMENT_REQUIRED                 BIT0
> > > +#define EDKII_DEVICE_AUTHENTICATION_REQUIRED              BIT0
> > > +
> > > +///
> > > +/// The device security policy data structure /// typedef struct {
> > > +  UINT32     Version;
> > > +  UINT32     MeasurementPolicy;
> > > +  UINT32     AuthenticationPolicy;
> > > +} EDKII_DEVICE_SECURITY_POLICY;
> > > +
> > > +//
> > > +// Revision The revision to which the DEVICE_SECURITY_STATE structure
> > > adheres.
> > > +//          All future revisions must be backwards compatible.
> > > +//
> > > +#define EDKII_DEVICE_SECURITY_STATE_REVISION 0x00010000
> > > +
> > > +///
> > > +/// The macro for the state defined in EDKII_DEVICE_SECURITY_STATE ///
> > > +#define EDKII_DEVICE_SECURITY_STATE_SUCCESS                          0
> > > +#define EDKII_DEVICE_SECURITY_STATE_ERROR                            BIT31
> > > +#define EDKII_DEVICE_SECURITY_STATE_ERROR_UEFI_UNSUPPORTED
> > > (EDKII_DEVICE_SECURITY_STATE_ERROR + 0x0)
> > > +#define
> > > EDKII_DEVICE_SECURITY_STATE_ERROR_UEFI_GET_POLICY_PROTOCOL
> > > (EDKII_DEVICE_SECURITY_STATE_ERROR + 0x1)
> > > +#define EDKII_DEVICE_SECURITY_STATE_ERROR_PCI_NO_CAPABILITIES
> > > (EDKII_DEVICE_SECURITY_STATE_ERROR + 0x10)
> > > +#define EDKII_DEVICE_SECURITY_STATE_ERROR_TCG_EXTEND_TPM_PCR
> > > (EDKII_DEVICE_SECURITY_STATE_ERROR + 0x20)
> > > +
> > > +///
> > > +/// The device security state data structure /// typedef struct {
> > > +  UINT32     Version;
> > > +  UINT32     MeasurementState;
> > > +  UINT32     AuthenticationState;
> > > +} EDKII_DEVICE_SECURITY_STATE;
> > > +
> > > +/**
> > > +  This function returns the device security policy associated with the device.
> > > +
> > > +  The device security driver may call this interface to get the
> > > + platform policy  for the specific device and determine if the
> > > + measurement or authentication  is required.
> > > +
> > > +  @param[in]  This                   The protocol instance pointer.
> > > +  @param[in]  DeviceId               The Identifier for the device.
> > > +  @param[out] DeviceSecurityPolicy   The Device Security Policy associated
> > > with the device.
> > > +
> > > +  @retval EFI_SUCCESS                The device security policy is returned
> > > +  @retval EFI_UNSUPPORTED            The function is unsupported for the
> > > specific Device.
> > > +**/
> > > +typedef
> > > +EFI_STATUS
> > > +(EFIAPI *EDKII_DEVICE_SECURITY_GET_DEVICE_POLICY) (
> > > +  IN  EDKII_DEVICE_SECURITY_POLICY_PROTOCOL  *This,
> > > +  IN  EDKII_DEVICE_IDENTIFIER                *DeviceId,
> > > +  OUT EDKII_DEVICE_SECURITY_POLICY           *DeviceSecurityPolicy
> > > +  );
> > > +
> > > +/**
> > > +  This function sets the device state based upon the authentication result.
> > > +
> > > +  The device security driver may call this interface to give the
> > > + platform  a notify based upon the measurement or authentication result.
> > > +  If the authentication or measurement fails, the platform may choose:
> > > +  1) Do nothing.
> > > +  2) Disable this device or slot temporarily and continue boot.
> > > +  3) Reset the platform and retry again.
> > > +  4) Disable this device or slot permanently.
> > > +  5) Any other platform specific action.
> > > +
> > > +  @param[in]  This                   The protocol instance pointer.
> > > +  @param[in]  DeviceId               The Identifier for the device.
> > > +  @param[in]  DeviceSecurityState    The Device Security state associated
> > > with the device.
> > > +
> > > +  @retval EFI_SUCCESS                The device state is set.
> > > +  @retval EFI_UNSUPPORTED            The function is unsupported for the
> > > specific Device.
> > > +**/
> > > +typedef
> > > +EFI_STATUS
> > > +(EFIAPI *EDKII_DEVICE_SECURITY_NOTIFY_DEVICE_STATE) (
> > > +  IN  EDKII_DEVICE_SECURITY_POLICY_PROTOCOL  *This,
> > > +  IN  EDKII_DEVICE_IDENTIFIER                *DeviceId,
> > > +  IN  EDKII_DEVICE_SECURITY_STATE            *DeviceSecurityState
> > > +  );
> > > +
> > > +struct _EDKII_DEVICE_SECURITY_POLICY_PROTOCOL {
> > > +  UINT32                                      Version;
> > > +  EDKII_DEVICE_SECURITY_GET_DEVICE_POLICY     GetDevicePolicy;
> > > +  EDKII_DEVICE_SECURITY_NOTIFY_DEVICE_STATE   NotifyDeviceState;
> > > +};
> > > +
> > > +extern EFI_GUID gEdkiiDeviceSecurityPolicyProtocolGuid;
> > > +
> > > +#endif
> > > --
> > > 2.19.2.windows.1

Re: [edk2-devel] [PATCH V3 0/6] Add Device Security driver

[Javeed, Ashraf]

True, thought PCI is a vast topic, could be many more sample drivers in future, thus having under one" Pci" folder would be better. I know this is your third version already, and I could have reviewed it earlier and made this point. No issues now, could be moved in future.

Regards
Ashraf

> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Friday, November 8, 2019 10:44 AM
> To: Javeed, Ashraf <ashraf.javeed@intel.com>; devel@edk2.groups.io
> Subject: RE: [edk2-devel] [PATCH V3 0/6] Add Device Security driver
> 
> Right. I have put them to edk2-
> platforms\Silicon\Intel\IntelSiliconPkg\Feature\PcieSecurity. Similar to Capsule,
> SmmAccess, VTd.
> 
> Thank you
> Yao Jiewen
> 
> > -----Original Message-----
> > From: Javeed, Ashraf <ashraf.javeed@intel.com>
> > Sent: Friday, November 8, 2019 12:23 PM
> > To: devel@edk2.groups.io; Yao, Jiewen <jiewen.yao@intel.com>
> > Subject: RE: [edk2-devel] [PATCH V3 0/6] Add Device Security driver
> >
> > Jiewen,
> > It could be better to organize your PcieSecurity driver stack under a
> > common "Pci" folder; like under the following path:
> > "Intel/IntelSiliconPkg/Feature/Pci"
> >
> > Thanks
> > Ashraf
> >
> > > -----Original Message-----
> > > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Yao,
> > Jiewen
> > > Sent: Thursday, November 7, 2019 7:08 PM
> > > To: devel@edk2.groups.io
> > > Subject: [edk2-devel] [PATCH V3 0/6] Add Device Security driver
> > >
> > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303
> > >
> > > =============== V3 ===============
> > >
> > > The V3 version addresses the feedback below:
> > >
> > > Liming Gao:
> > > 1. Add SPDM spec version and align to latest one 0.99a.
> > >
> > > Rangasai Chaganty:
> > > 1. put a reference to the spec at the file header, for Intel PCI security spec.
> > > 2. add some high level description above the structure definition that
> > >    describes the structure.
> > > 3. on the services "GetDevicePolicy" and "SetDeviceState", Add more error
> > >    return states
> > >
> > > Ray Ni:
> > > 1. add comments to each field of structures like
> > > EDKII_DEVICE_SECURITY_POLICY
> > >    and EDKII_DEVICE_SECURITY_STATE.
> > > 2. add comments to all the macros defined in this patch to explain the
> meaning
> > >    and more important how they are going to impact the logic.
> > > 3. make the macro short
> > >     EDKII_DEVICE_MEASUREMENT_POLICY_REQUIRED ->
> > > EDKII_DEVICE_MEASUREMENT_REQUIRED
> > >     EDKII_DEVICE_AUTHENTICATION_POLICY_REQUIRED ->
> > > EDKII_DEVICE_AUTHENTICATION_REQUIRED
> > > 4. rename the SetDeviceState to NotifyDeviceState.
> > > 5. add comments to explain clearly what SetDeviceState() needs to do.
> > > 6. change the prototype so that caller needs to pass in a policy structure and
> > >    GetDevicePolicy() fills the structure buffer using CopyMem.
> > > 7. add the version macro for
> > > EDKII_DEVICE_SECURITY_POLICY_PROTOCOL.Version,
> > >    securitypolicy.version and securitystate.version.
> > > 8. add clear debug information for DvSec capability header.
> > >
> > > =============== V2 ===============
> > >
> > > This patch series add support for device security based upon the
> > > DMTF SPDM specification.
> > >
> > https://www.dmtf.org/sites/default/files/standards/documents/DSP0274_0
> > .95a
> > > .zip
> > >
> > > We did design review at 18 Oct, 2019.
> > > https://edk2.groups.io/g/devel/files/Designs/2019/1018
> > > And the feedback from the meeting is addressed.
> > > https://edk2.groups.io/g/devel/files/Designs/2019/1018/EDKII-
> > > Device%20Firmware%20Security%20v2.pdf
> > >
> > > The Device security protocol is added in EDKII repo.
> > > Here we add the producer what follows Intel PCI security spec to do
> > > the device firmware measurement.
> > > https://www.intel.com/content/www/us/en/io/pci-express/pcie-device-
> > > security-enhancements-spec.html
> > >
> > > The EDKII repo update is at
> > > https://github.com/jyao1/edk2/tree/DeviceSecurityMasterV2
> > > The EDKII platform repo update is at https://github.com/jyao1/edk2-
> > > platforms/tree/DeviceSecurityMasterV2
> > >
> > > The validation has been done on a Intel internal platform.
> > > The device measurement can be shown in TCG event log.
> > >
> > > signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
> > >
> > > Jiewen Yao (6):
> > >   IntelSiliconPkg/Include: Add Intel PciSecurity definition.
> > >   IntelSiliconPkg/Include: Add Platform Device Security Policy protocol
> > >   IntelSiliconPkg/dec: Add ProtocolGuid definition.
> > >   IntelSiliconPkg/IntelPciDeviceSecurityDxe: Add PciSecurity.
> > >   IntelSiliconPkg/SamplePlatformDevicePolicyDxe: Add sample policy.
> > >   IntelSiliconPkg/dsc: Add Device Security component.
> > >
> > >  .../IntelPciDeviceSecurityDxe.c               | 697 ++++++++++++++++++
> > >  .../IntelPciDeviceSecurityDxe.inf             |  45 ++
> > >  .../TcgDeviceEvent.h                          | 178 +++++
> > >  .../SamplePlatformDevicePolicyDxe.c           | 204 +++++
> > >  .../SamplePlatformDevicePolicyDxe.inf         |  40 +
> > >  .../IndustryStandard/IntelPciSecurity.h       |  92 +++
> > >  .../Protocol/PlatformDeviceSecurityPolicy.h   | 128 ++++
> > >  .../Intel/IntelSiliconPkg/IntelSiliconPkg.dec |   4 +
> > >  .../Intel/IntelSiliconPkg/IntelSiliconPkg.dsc |   3 +
> > >  9 files changed, 1391 insertions(+)  create mode 100644
> > >
> > Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecur
> > ityDxe/Int
> > > elPciDeviceSecurityDxe.c
> > >  create mode 100644
> > >
> > Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecur
> > ityDxe/Int
> > > elPciDeviceSecurityDxe.inf
> > >  create mode 100644
> > >
> > Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecur
> > ityDxe/Tcg
> > > DeviceEvent.h
> > >  create mode 100644
> > >
> > Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevic
> > ePolicyD
> > > xe/SamplePlatformDevicePolicyDxe.c
> > >  create mode 100644
> > >
> > Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevic
> > ePolicyD
> > > xe/SamplePlatformDevicePolicyDxe.inf
> > >  create mode 100644
> > > Silicon/Intel/IntelSiliconPkg/Include/IndustryStandard/IntelPciSecur
> > > ity.h
> > >  create mode 100644
> > > Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecurit
> > > yPolicy.h
> > >
> > > --
> > > 2.19.2.windows.1
> > >
> > >
> > > 

Re: [PATCH V3 2/6] IntelSiliconPkg/Include: Add Platform Device Security Policy protocol

[Yao, Jiewen]

Hi Ray
I checked the UEFI spec and other protocol definition again.
I believe Revision is a better name for minor update. I will update the structure field from Version to Revision.

Thank you
Yao Jiewen

> -----Original Message-----
> From: Ni, Ray <ray.ni@intel.com>
> Sent: Friday, November 8, 2019 3:10 PM
> To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io
> Cc: Chaganty, Rangasai V <rangasai.v.chaganty@intel.com>; Lou, Yun
> <yun.lou@intel.com>
> Subject: RE: [PATCH V3 2/6] IntelSiliconPkg/Include: Add Platform Device
> Security Policy protocol
> 
> With that, Reviewed-by: Ray Ni <ray.ni@intel.com>
> 
> > -----Original Message-----
> > From: Yao, Jiewen <jiewen.yao@intel.com>
> > Sent: Friday, November 8, 2019 3:01 PM
> > To: Ni, Ray <ray.ni@intel.com>; devel@edk2.groups.io
> > Cc: Chaganty, Rangasai V <rangasai.v.chaganty@intel.com>; Lou, Yun
> <yun.lou@intel.com>
> > Subject: RE: [PATCH V3 2/6] IntelSiliconPkg/Include: Add Platform Device
> Security Policy protocol
> >
> > Good catch.
> > No special meaning.
> >
> > I will use _VERSION.
> >
> > Thank you
> > Yao Jiewen
> >
> > > -----Original Message-----
> > > From: Ni, Ray <ray.ni@intel.com>
> > > Sent: Friday, November 8, 2019 3:00 PM
> > > To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io
> > > Cc: Chaganty, Rangasai V <rangasai.v.chaganty@intel.com>; Lou, Yun
> > > <yun.lou@intel.com>
> > > Subject: RE: [PATCH V3 2/6] IntelSiliconPkg/Include: Add Platform Device
> > > Security Policy protocol
> > >
> > > Jiewen,
> > > The structure field is named "Version" while the macro is ended with
> > > "_REVISION".
> > > Is there a special reason for such inconsistency?
> > >
> > > Thanks,
> > > Ray
> > >
> > > > -----Original Message-----
> > > > From: Yao, Jiewen <jiewen.yao@intel.com>
> > > > Sent: Thursday, November 7, 2019 9:38 PM
> > > > To: devel@edk2.groups.io
> > > > Cc: Ni, Ray <ray.ni@intel.com>; Chaganty, Rangasai V
> > > > <rangasai.v.chaganty@intel.com>; Lou, Yun <yun.lou@intel.com>
> > > > Subject: [PATCH V3 2/6] IntelSiliconPkg/Include: Add Platform Device
> > > > Security Policy protocol
> > > >
> > > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303
> > > >
> > > > Cc: Ray Ni <ray.ni@intel.com>
> > > > Cc: Rangasai V Chaganty <rangasai.v.chaganty@intel.com>
> > > > Cc: Yun Lou <yun.lou@intel.com>
> > > > Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
> > > > ---
> > > >  .../Protocol/PlatformDeviceSecurityPolicy.h   | 128 ++++++++++++++++++
> > > >  1 file changed, 128 insertions(+)
> > > >  create mode 100644
> > > >
> Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecurityPolicy.h
> > > >
> > > > diff --git
> > > >
> a/Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecurityPolic
> > > > y.h
> > > >
> b/Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecurityPolic
> > > > y.h
> > > > new file mode 100644
> > > > index 0000000000..b151781de2
> > > > --- /dev/null
> > > > +++ b/Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecur
> > > > +++ ityPolicy.h
> > > > @@ -0,0 +1,128 @@
> > > > +/** @file
> > > > +  Platform Device Security Policy Protocol definition
> > > > +
> > > > +  Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> > > > +  SPDX-License-Identifier: BSD-2-Clause-Patent
> > > > +
> > > > +**/
> > > > +
> > > > +
> > > > +#ifndef __EDKII_DEVICE_SECURITY_POLICY_PROTOCOL_H__
> > > > +#define __EDKII_DEVICE_SECURITY_POLICY_PROTOCOL_H__
> > > > +
> > > > +#include <Uefi.h>
> > > > +#include <Protocol/DeviceSecurity.h>
> > > > +
> > > > +typedef struct _EDKII_DEVICE_SECURITY_POLICY_PROTOCOL
> > > > +EDKII_DEVICE_SECURITY_POLICY_PROTOCOL;
> > > > +
> > > > +//
> > > > +// Revision The revision to which the DEVICE_SECURITY_POLICY protocol
> > > > interface adheres.
> > > > +//          All future revisions must be backwards compatible.
> > > > +//          If a future version is not back wards compatible it is not the same
> > > > GUID.
> > > > +//
> > > > +#define EDKII_DEVICE_SECURITY_POLICY_PROTOCOL_REVISION
> > > > 0x00010000
> > > > +
> > > > +//
> > > > +// Revision The revision to which the DEVICE_SECURITY_POLICY structure
> > > > adheres.
> > > > +//          All future revisions must be backwards compatible.
> > > > +//
> > > > +#define EDKII_DEVICE_SECURITY_POLICY_REVISION 0x00010000
> > > > +
> > > > +///
> > > > +/// The macro for the policy defined in EDKII_DEVICE_SECURITY_POLICY
> > > > +///
> > > > +#define EDKII_DEVICE_MEASUREMENT_REQUIRED                 BIT0
> > > > +#define EDKII_DEVICE_AUTHENTICATION_REQUIRED              BIT0
> > > > +
> > > > +///
> > > > +/// The device security policy data structure /// typedef struct {
> > > > +  UINT32     Version;
> > > > +  UINT32     MeasurementPolicy;
> > > > +  UINT32     AuthenticationPolicy;
> > > > +} EDKII_DEVICE_SECURITY_POLICY;
> > > > +
> > > > +//
> > > > +// Revision The revision to which the DEVICE_SECURITY_STATE structure
> > > > adheres.
> > > > +//          All future revisions must be backwards compatible.
> > > > +//
> > > > +#define EDKII_DEVICE_SECURITY_STATE_REVISION 0x00010000
> > > > +
> > > > +///
> > > > +/// The macro for the state defined in EDKII_DEVICE_SECURITY_STATE ///
> > > > +#define EDKII_DEVICE_SECURITY_STATE_SUCCESS                          0
> > > > +#define EDKII_DEVICE_SECURITY_STATE_ERROR                            BIT31
> > > > +#define EDKII_DEVICE_SECURITY_STATE_ERROR_UEFI_UNSUPPORTED
> > > > (EDKII_DEVICE_SECURITY_STATE_ERROR + 0x0)
> > > > +#define
> > > > EDKII_DEVICE_SECURITY_STATE_ERROR_UEFI_GET_POLICY_PROTOCOL
> > > > (EDKII_DEVICE_SECURITY_STATE_ERROR + 0x1)
> > > > +#define EDKII_DEVICE_SECURITY_STATE_ERROR_PCI_NO_CAPABILITIES
> > > > (EDKII_DEVICE_SECURITY_STATE_ERROR + 0x10)
> > > > +#define
> EDKII_DEVICE_SECURITY_STATE_ERROR_TCG_EXTEND_TPM_PCR
> > > > (EDKII_DEVICE_SECURITY_STATE_ERROR + 0x20)
> > > > +
> > > > +///
> > > > +/// The device security state data structure /// typedef struct {
> > > > +  UINT32     Version;
> > > > +  UINT32     MeasurementState;
> > > > +  UINT32     AuthenticationState;
> > > > +} EDKII_DEVICE_SECURITY_STATE;
> > > > +
> > > > +/**
> > > > +  This function returns the device security policy associated with the
> device.
> > > > +
> > > > +  The device security driver may call this interface to get the
> > > > + platform policy  for the specific device and determine if the
> > > > + measurement or authentication  is required.
> > > > +
> > > > +  @param[in]  This                   The protocol instance pointer.
> > > > +  @param[in]  DeviceId               The Identifier for the device.
> > > > +  @param[out] DeviceSecurityPolicy   The Device Security Policy
> associated
> > > > with the device.
> > > > +
> > > > +  @retval EFI_SUCCESS                The device security policy is returned
> > > > +  @retval EFI_UNSUPPORTED            The function is unsupported for the
> > > > specific Device.
> > > > +**/
> > > > +typedef
> > > > +EFI_STATUS
> > > > +(EFIAPI *EDKII_DEVICE_SECURITY_GET_DEVICE_POLICY) (
> > > > +  IN  EDKII_DEVICE_SECURITY_POLICY_PROTOCOL  *This,
> > > > +  IN  EDKII_DEVICE_IDENTIFIER                *DeviceId,
> > > > +  OUT EDKII_DEVICE_SECURITY_POLICY           *DeviceSecurityPolicy
> > > > +  );
> > > > +
> > > > +/**
> > > > +  This function sets the device state based upon the authentication result.
> > > > +
> > > > +  The device security driver may call this interface to give the
> > > > + platform  a notify based upon the measurement or authentication result.
> > > > +  If the authentication or measurement fails, the platform may choose:
> > > > +  1) Do nothing.
> > > > +  2) Disable this device or slot temporarily and continue boot.
> > > > +  3) Reset the platform and retry again.
> > > > +  4) Disable this device or slot permanently.
> > > > +  5) Any other platform specific action.
> > > > +
> > > > +  @param[in]  This                   The protocol instance pointer.
> > > > +  @param[in]  DeviceId               The Identifier for the device.
> > > > +  @param[in]  DeviceSecurityState    The Device Security state associated
> > > > with the device.
> > > > +
> > > > +  @retval EFI_SUCCESS                The device state is set.
> > > > +  @retval EFI_UNSUPPORTED            The function is unsupported for the
> > > > specific Device.
> > > > +**/
> > > > +typedef
> > > > +EFI_STATUS
> > > > +(EFIAPI *EDKII_DEVICE_SECURITY_NOTIFY_DEVICE_STATE) (
> > > > +  IN  EDKII_DEVICE_SECURITY_POLICY_PROTOCOL  *This,
> > > > +  IN  EDKII_DEVICE_IDENTIFIER                *DeviceId,
> > > > +  IN  EDKII_DEVICE_SECURITY_STATE            *DeviceSecurityState
> > > > +  );
> > > > +
> > > > +struct _EDKII_DEVICE_SECURITY_POLICY_PROTOCOL {
> > > > +  UINT32                                      Version;
> > > > +  EDKII_DEVICE_SECURITY_GET_DEVICE_POLICY     GetDevicePolicy;
> > > > +  EDKII_DEVICE_SECURITY_NOTIFY_DEVICE_STATE   NotifyDeviceState;
> > > > +};
> > > > +
> > > > +extern EFI_GUID gEdkiiDeviceSecurityPolicyProtocolGuid;
> > > > +
> > > > +#endif
> > > > --
> > > > 2.19.2.windows.1

Re: [PATCH V3 4/6] IntelSiliconPkg/IntelPciDeviceSecurityDxe: Add PciSecurity.

[Ni, Ray]

Jiewen,
Below definitions are not used by the new driver but defined in
driver internal header file.
Can you please remove the unused definitions?

EDKII_DEVICE_SECURITY_EVENT_DATA_USB_CONTEXT
#define EDKII_DEVICE_ROOT_CERT_VARAIBLE_NAME    L"devdb"
#define EDKII_DEVICE_ROOT_CERT_VARAIBLE2_NAME   L"devdbx"

#define EDKII_DEVICE_SIGNATURE_DATABASE_GUID \
  {0xb9c2b4f4, 0xbf5f, 0x462d, 0x8a, 0xdf, 0xc5, 0xc7, 0xa, 0xc3, 0x5d, 0xad}

> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Thursday, November 7, 2019 9:38 PM
> To: devel@edk2.groups.io
> Cc: Ni, Ray <ray.ni@intel.com>; Chaganty, Rangasai V
> <rangasai.v.chaganty@intel.com>; Lou, Yun <yun.lou@intel.com>
> Subject: [PATCH V3 4/6] IntelSiliconPkg/IntelPciDeviceSecurityDxe: Add
> PciSecurity.
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303
> 
> This driver is to do the PCI device authentication based upon Intel PCIe
> Security Specification.
> 
> Cc: Ray Ni <ray.ni@intel.com>
> Cc: Rangasai V Chaganty <rangasai.v.chaganty@intel.com>
> Cc: Yun Lou <yun.lou@intel.com>
> Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
> Signed-off-by: Yun Lou <yun.lou@intel.com>
> ---
>  .../IntelPciDeviceSecurityDxe.c               | 697 ++++++++++++++++++
>  .../IntelPciDeviceSecurityDxe.inf             |  45 ++
>  .../TcgDeviceEvent.h                          | 178 +++++
>  3 files changed, 920 insertions(+)
>  create mode 100644
> Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe
> /IntelPciDeviceSecurityDxe.c
>  create mode 100644
> Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe
> /IntelPciDeviceSecurityDxe.inf
>  create mode 100644
> Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe
> /TcgDeviceEvent.h
> 
> diff --git
> a/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDx
> e/IntelPciDeviceSecurityDxe.c
> b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityD
> xe/IntelPciDeviceSecurityDxe.c
> new file mode 100644
> index 0000000000..8838d5635a
> --- /dev/null
> +++ b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceS
> +++ ecurityDxe/IntelPciDeviceSecurityDxe.c
> @@ -0,0 +1,697 @@
> +/** @file
> +  EDKII Device Security library for PCI device.
> +  It follows the Intel PCIe Security Specification.
> +
> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include <Uefi.h>
> +#include <IndustryStandard/Spdm.h>
> +#include <IndustryStandard/IntelPciSecurity.h>
> +#include <IndustryStandard/Pci.h>
> +#include <IndustryStandard/Tpm20.h>
> +#include <IndustryStandard/UefiTcgPlatform.h>
> +#include <Library/BaseLib.h>
> +#include <Library/DebugLib.h>
> +#include <Library/BaseMemoryLib.h>
> +#include <Library/UefiBootServicesTableLib.h>
> +#include <Library/MemoryAllocationLib.h> #include
> +<Library/TpmMeasurementLib.h> #include <Protocol/PciIo.h> #include
> +<Protocol/DeviceSecurity.h> #include
> +<Protocol/PlatformDeviceSecurityPolicy.h>
> +#include "TcgDeviceEvent.h"
> +
> +typedef struct {
> +  EDKII_DEVICE_SECURITY_EVENT_DATA_HEADER       EventData;
> +  SPDM_MEASUREMENT_BLOCK_COMMON_HEADER          CommonHeader;
> +  SPDM_MEASUREMENT_BLOCK_DMTF_HEADER            DmtfHeader;
> +  UINT8                                         Digest[SHA256_DIGEST_SIZE];
> +  EDKII_DEVICE_SECURITY_EVENT_DATA_PCI_CONTEXT  PciContext; }
> +EDKII_DEVICE_SECURITY_PCI_EVENT_DATA;
> +
> +typedef struct {
> +  UINTN         Signature;
> +  LIST_ENTRY    Link;
> +  UINTN         PciSegment;
> +  UINTN         PciBus;
> +  UINTN         PciDevice;
> +  UINTN         PciFunction;
> +} PCI_DEVICE_INSTANCE;
> +
> +#define PCI_DEVICE_INSTANCE_SIGNATURE  SIGNATURE_32 ('P', 'D', 'I',
> +'S') #define PCI_DEVICE_INSTANCE_FROM_LINK(a)  CR (a,
> +PCI_DEVICE_INSTANCE, Link, PCI_DEVICE_INSTANCE_SIGNATURE)
> +
> +LIST_ENTRY mSecurityEventMeasurementDeviceList =
> +INITIALIZE_LIST_HEAD_VARIABLE(mSecurityEventMeasurementDeviceList)
> ;;
> +EDKII_DEVICE_SECURITY_POLICY_PROTOCOL  *mDeviceSecurityPolicy;
> +
> +/**
> +  Record a PCI device into device list.
> +
> +  @param PciIo            PciIo instance of the device
> +  @param PciDeviceList    The list to record the the device
> +**/
> +VOID
> +RecordPciDeviceInList(
> +  IN EFI_PCI_IO_PROTOCOL          *PciIo,
> +  IN LIST_ENTRY                   *PciDeviceList
> +  )
> +{
> +  UINTN                 PciSegment;
> +  UINTN                 PciBus;
> +  UINTN                 PciDevice;
> +  UINTN                 PciFunction;
> +  EFI_STATUS            Status;
> +  PCI_DEVICE_INSTANCE   *NewPciDevice;
> +
> +  Status = PciIo->GetLocation (PciIo, &PciSegment, &PciBus, &PciDevice,
> + &PciFunction);  ASSERT_EFI_ERROR(Status);
> +
> +  NewPciDevice = AllocateZeroPool(sizeof(*NewPciDevice));
> +  ASSERT_EFI_ERROR(NewPciDevice != NULL);
> +
> +  NewPciDevice->Signature   = PCI_DEVICE_INSTANCE_SIGNATURE;
> +  NewPciDevice->PciSegment  = PciSegment;
> +  NewPciDevice->PciBus      = PciBus;
> +  NewPciDevice->PciDevice   = PciDevice;
> +  NewPciDevice->PciFunction = PciFunction;
> +
> +  InsertTailList(PciDeviceList, &NewPciDevice->Link); }
> +
> +/**
> +  Check if a PCI device is recorded in device list.
> +
> +  @param PciIo            PciIo instance of the device
> +  @param PciDeviceList    The list to record the the device
> +
> +  @retval TRUE  The PCI device is in the list.
> +  @retval FALSE The PCI device is NOT in the list.
> +**/
> +BOOLEAN
> +IsPciDeviceInList(
> +  IN EFI_PCI_IO_PROTOCOL          *PciIo,
> +  IN LIST_ENTRY                   *PciDeviceList
> +  )
> +{
> +  UINTN                 PciSegment;
> +  UINTN                 PciBus;
> +  UINTN                 PciDevice;
> +  UINTN                 PciFunction;
> +  EFI_STATUS            Status;
> +  LIST_ENTRY            *Link;
> +  PCI_DEVICE_INSTANCE   *CurrentPciDevice;
> +
> +  Status = PciIo->GetLocation (PciIo, &PciSegment, &PciBus, &PciDevice,
> + &PciFunction);  ASSERT_EFI_ERROR(Status);
> +
> +  Link = GetFirstNode(PciDeviceList);
> +  while (!IsNull(PciDeviceList, Link)) {
> +    CurrentPciDevice = PCI_DEVICE_INSTANCE_FROM_LINK(Link);
> +
> +    if (CurrentPciDevice->PciSegment == PciSegment && CurrentPciDevice-
> >PciBus == PciBus &&
> +        CurrentPciDevice->PciDevice == PciDevice && CurrentPciDevice-
> >PciFunction == PciFunction) {
> +      DEBUG((DEBUG_INFO, "PCI device duplicated (Loc -
>  %04x:%02x:%02x:%02x)\n", PciSegment, PciBus, PciDevice, PciFunction));
> +      return TRUE;
> +    }
> +
> +    Link = GetNextNode(PciDeviceList, Link);  }
> +
> +  return FALSE;
> +}
> +
> +/*
> +  return Offset of the PCI Cap ID.
> +
> +  @param PciIo            PciIo instance of the device
> +  @param CapId            The Capability ID of the Pci device
> +
> +  @return The PCI Capability ID Offset
> +*/
> +UINT32
> +GetPciCapId (
> +  IN EFI_PCI_IO_PROTOCOL          *PciIo,
> +  IN UINT8                        CapId
> +  )
> +{
> +  EFI_PCI_CAPABILITY_HDR                    PciCapIdHdr;
> +  UINT32                                    PciCapIdOffset;
> +  EFI_STATUS                                Status;
> +
> +  PciCapIdHdr.CapabilityID = ~CapId;
> +  Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint8,
> + PCI_CAPBILITY_POINTER_OFFSET, 1, &PciCapIdHdr.NextItemPtr);
> + ASSERT_EFI_ERROR(Status);  if (PciCapIdHdr.NextItemPtr == 0 ||
> PciCapIdHdr.NextItemPtr == 0xFF) {
> +    return 0;
> +  }
> +  PciCapIdOffset = 0;
> +  do {
> +    if (PciCapIdHdr.CapabilityID == CapId) {
> +      break;
> +    }
> +    PciCapIdOffset = PciCapIdHdr.NextItemPtr;
> +    Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, PciCapIdOffset, 1,
> &PciCapIdHdr);
> +    ASSERT_EFI_ERROR(Status);
> +  } while (PciCapIdHdr.NextItemPtr != 0 && PciCapIdHdr.NextItemPtr !=
> + 0xFF);
> +
> +  if (PciCapIdHdr.CapabilityID == CapId) {
> +    return PciCapIdOffset;
> +  } else {
> +    return 0;
> +  }
> +}
> +
> +/*
> +  return Offset of the PCIe Ext Cap ID.
> +
> +  @param PciIo            PciIo instance of the device
> +  @param CapId            The Ext Capability ID of the Pci device
> +
> +  @return The PCIe Ext Capability ID Offset */
> +UINT32
> +GetPciExpressExtCapId (
> +  IN EFI_PCI_IO_PROTOCOL          *PciIo,
> +  IN UINT16                       CapId
> +  )
> +{
> +  UINT32                                    PcieCapIdOffset;
> +  PCI_EXPRESS_EXTENDED_CAPABILITIES_HEADER  PciExpressExtCapIdHdr;
> +  EFI_STATUS                                Status;
> +
> +  PcieCapIdOffset = GetPciCapId (PciIo, EFI_PCI_CAPABILITY_ID_PCIEXP);
> + if (PcieCapIdOffset == 0) {
> +    return 0;
> +  }
> +
> +  PciExpressExtCapIdHdr.CapabilityId = ~CapId;
> + PciExpressExtCapIdHdr.CapabilityVersion = 0xF;
> + PciExpressExtCapIdHdr.NextCapabilityOffset = 0x100;  PcieCapIdOffset =
> + 0;  do {
> +    if (PciExpressExtCapIdHdr.CapabilityId == CapId) {
> +      break;
> +    }
> +    PcieCapIdOffset = PciExpressExtCapIdHdr.NextCapabilityOffset;
> +    Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint32, PcieCapIdOffset, 1,
> &PciExpressExtCapIdHdr);
> +    ASSERT_EFI_ERROR(Status);
> +  } while (PciExpressExtCapIdHdr.NextCapabilityOffset != 0 &&
> + PciExpressExtCapIdHdr.NextCapabilityOffset != 0xFFF);
> +
> +  if (PciExpressExtCapIdHdr.CapabilityId == CapId) {
> +    return PcieCapIdOffset;
> +  } else {
> +    return 0;
> +  }
> +}
> +
> +/**
> +  Read byte of the PCI device configuration space.
> +
> +  @param PciIo            PciIo instance of the device
> +  @param Offset           The offset of the Pci device configuration space
> +
> +  @return Byte value of the PCI device configuration space.
> +**/
> +UINT8
> +DvSecPciRead8 (
> +  IN EFI_PCI_IO_PROTOCOL *PciIo,
> +  IN UINT32              Offset
> +  )
> +{
> +  EFI_STATUS  Status;
> +  UINT8       Data;
> +
> +  Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint8, Offset, 1,
> + &Data);  ASSERT_EFI_ERROR(Status);
> +
> +  return Data;
> +}
> +
> +/**
> +  Write byte of the PCI device configuration space.
> +
> +  @param PciIo            PciIo instance of the device
> +  @param Offset           The offset of the Pci device configuration space
> +  @param Data             Byte value of the PCI device configuration space.
> +**/
> +VOID
> +DvSecPciWrite8 (
> +  IN EFI_PCI_IO_PROTOCOL *PciIo,
> +  IN UINT32              Offset,
> +  IN UINT8               Data
> +  )
> +{
> +  EFI_STATUS  Status;
> +
> +  Status = PciIo->Pci.Write (PciIo, EfiPciIoWidthUint8, Offset, 1,
> +&Data);
> +  ASSERT_EFI_ERROR(Status);
> +}
> +
> +/**
> +  Get the Digest size from the TCG hash Algorithm ID.
> +
> +  @param TcgAlgId            TCG hash Algorithm ID
> +
> +  @return Digest size of the TCG hash Algorithm ID **/ UINTN
> +DigestSizeFromTcgAlgId (
> +  IN UINT16                                    TcgAlgId
> +  )
> +{
> +  switch (TcgAlgId) {
> +  case TPM_ALG_SHA256:
> +    return SHA256_DIGEST_SIZE;
> +  case TPM_ALG_SHA384:
> +  case TPM_ALG_SHA512:
> +  case TPM_ALG_SM3_256:
> +  default:
> +    break;
> +  }
> +  return 0;
> +}
> +
> +/**
> +  Convert the SPDM hash algo ID from the TCG hash Algorithm ID.
> +
> +  @param TcgAlgId            TCG hash Algorithm ID
> +
> +  @return SPDM hash algo ID
> +**/
> +UINT32
> +TcgAlgIdToSpdmHashAlgo (
> +  IN UINT16                                    TcgAlgId
> +  )
> +{
> +  switch (TcgAlgId) {
> +  case TPM_ALG_SHA256:
> +    return SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA_256;
> +  case TPM_ALG_SHA384:
> +  case TPM_ALG_SHA512:
> +  case TPM_ALG_SM3_256:
> +  default:
> +    break;
> +  }
> +  return 0;
> +}
> +
> +/**
> +  This function extend the PCI digest from the DvSec register.
> +
> +  @param[in]  PciIo                  The PciIo of the device.
> +  @param[in]  DeviceSecurityPolicy   The Device Security Policy associated
> with the device.
> +  @param[in]  TcgAlgId               TCG hash Algorithm ID
> +  @param[in]  DigestSel              The digest selector
> +  @param[in]  Digest                 The digest buffer
> +  @param[out] DeviceSecurityState    The Device Security state associated
> with the device.
> +**/
> +VOID
> +ExtendDigestRegister (
> +  IN EFI_PCI_IO_PROTOCOL          *PciIo,
> +  IN EDKII_DEVICE_SECURITY_POLICY *DeviceSecurityPolicy,
> +  IN UINT16                       TcgAlgId,
> +  IN UINT8                        DigestSel,
> +  IN UINT8                        *Digest,
> +  OUT EDKII_DEVICE_SECURITY_STATE *DeviceSecurityState
> +  )
> +{
> +  UINT32                                                   PcrIndex;
> +  UINT32                                                   EventType;
> +  EDKII_DEVICE_SECURITY_PCI_EVENT_DATA                     EventLog;
> +  EFI_STATUS                                               Status;
> +  PCI_TYPE00                                               PciData;
> +
> +  Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint8, 0,
> + sizeof(PciData), &PciData);  ASSERT_EFI_ERROR(Status);
> +
> +  PcrIndex = EDKII_DEVICE_MEASUREMENT_COMPONENT_PCR_INDEX;
> +  EventType = EDKII_DEVICE_MEASUREMENT_COMPONENT_EVENT_TYPE;
> +
> +  CopyMem (EventLog.EventData.Signature,
> EDKII_DEVICE_SECURITY_EVENT_DATA_SIGNATURE,
> sizeof(EventLog.EventData.Signature));
> +  EventLog.EventData.Version                  =
> EDKII_DEVICE_SECURITY_EVENT_DATA_VERSION;
> +  EventLog.EventData.Length                   =
> sizeof(EDKII_DEVICE_SECURITY_PCI_EVENT_DATA);
> +  EventLog.EventData.SpdmHashAlgo             = TcgAlgIdToSpdmHashAlgo
> (TcgAlgId);
> +  EventLog.EventData.DeviceType               =
> EDKII_DEVICE_SECURITY_EVENT_DATA_DEVICE_TYPE_PCI;
> +
> +  EventLog.CommonHeader.Index                      = DigestSel;
> +  EventLog.CommonHeader.MeasurementSpecification   =
> SPDM_MEASUREMENT_BLOCK_HEADER_SPECIFICATION_DMTF;
> +  EventLog.CommonHeader.MeasurementSize            =
> sizeof(SPDM_MEASUREMENT_BLOCK_DMTF_HEADER) +
> SHA256_DIGEST_SIZE;
> +  EventLog.DmtfHeader.DMTFSpecMeasurementValueType =
> +
> SPDM_MEASUREMENT_BLOCK_MEASUREMENT_TYPE_MUTABLE_FIRMWA
> RE;
> +  EventLog.DmtfHeader.DMTFSpecMeasurementValueSize =
> + SHA256_DIGEST_SIZE;  CopyMem (&EventLog.Digest, Digest,
> + SHA256_DIGEST_SIZE);
> +
> +  EventLog.PciContext.Version           =
> EDKII_DEVICE_SECURITY_EVENT_DATA_PCI_CONTEXT_VERSION;
> +  EventLog.PciContext.Length            =
> sizeof(EDKII_DEVICE_SECURITY_EVENT_DATA_PCI_CONTEXT);
> +  EventLog.PciContext.VendorId          = PciData.Hdr.VendorId;
> +  EventLog.PciContext.DeviceId          = PciData.Hdr.DeviceId;
> +  EventLog.PciContext.RevisionID        = PciData.Hdr.RevisionID;
> +  EventLog.PciContext.ClassCode[0]      = PciData.Hdr.ClassCode[0];
> +  EventLog.PciContext.ClassCode[1]      = PciData.Hdr.ClassCode[1];
> +  EventLog.PciContext.ClassCode[2]      = PciData.Hdr.ClassCode[2];
> +  if ((PciData.Hdr.HeaderType & HEADER_LAYOUT_CODE) ==
> HEADER_TYPE_DEVICE) {
> +    EventLog.PciContext.SubsystemVendorID =
> PciData.Device.SubsystemVendorID;
> +    EventLog.PciContext.SubsystemID       = PciData.Device.SubsystemID;
> +  } else {
> +    EventLog.PciContext.SubsystemVendorID = 0;
> +    EventLog.PciContext.SubsystemID       = 0;
> +  }
> +
> +  Status = TpmMeasureAndLogData (
> +             PcrIndex,
> +             EventType,
> +             &EventLog,
> +             EventLog.EventData.Length,
> +             Digest,
> +             SHA256_DIGEST_SIZE
> +             );
> +  DEBUG((DEBUG_INFO, "TpmMeasureAndLogData - %r\n", Status));
> +  if (EFI_ERROR(Status)) {
> +    DeviceSecurityState->MeasurementState =
> +EDKII_DEVICE_SECURITY_STATE_ERROR_TCG_EXTEND_TPM_PCR;
> +  } else {
> +    RecordPciDeviceInList (PciIo,
> +&mSecurityEventMeasurementDeviceList);
> +  }
> +}
> +
> +/**
> +  This function reads the PCI digest from the DvSec register and extend to
> TPM.
> +
> +  @param[in]  PciIo                  The PciIo of the device.
> +  @param[in]  DvSecOffset            The DvSec register offset of the device.
> +  @param[in]  DeviceSecurityPolicy   The Device Security Policy associated
> with the device.
> +  @param[out] DeviceSecurityState    The Device Security state associated
> with the device.
> +**/
> +VOID
> +DoMeasurementsFromDigestRegister (
> +  IN EFI_PCI_IO_PROTOCOL          *PciIo,
> +  IN UINT32                       DvSecOffset,
> +  IN EDKII_DEVICE_SECURITY_POLICY *DeviceSecurityPolicy,
> +  OUT EDKII_DEVICE_SECURITY_STATE *DeviceSecurityState
> +  )
> +{
> +  UINT8                                     Modified;
> +  UINT8                                     Valid;
> +  UINT16                                    TcgAlgId;
> +  UINT8                                     NumDigest;
> +  UINT8                                     DigestSel;
> +  UINT8                                     Digest[SHA256_DIGEST_SIZE];
> +  UINTN                                     DigestSize;
> +  EFI_STATUS                                Status;
> +
> +  TcgAlgId = DvSecPciRead8 (
> +               PciIo,
> +               DvSecOffset + sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER) +
> OFFSET_OF(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, TcgAlgId)
> +               );
> +  DEBUG((DEBUG_INFO, "  TcgAlgId      - 0x%04x\n", TcgAlgId));
> +  DigestSize = DigestSizeFromTcgAlgId (TcgAlgId);  if (DigestSize == 0)
> + {
> +    DEBUG((DEBUG_INFO, "Unsupported Algorithm - 0x%04x\n", TcgAlgId));
> +    DeviceSecurityState->MeasurementState =
> EDKII_DEVICE_SECURITY_STATE_ERROR_PCI_NO_CAPABILITIES;
> +    return ;
> +  }
> +  DEBUG((DEBUG_INFO, "  (DigestSize: 0x%x)\n", DigestSize));
> +
> +  DeviceSecurityState->MeasurementState =
> + EDKII_DEVICE_SECURITY_STATE_SUCCESS;
> +
> +  NumDigest = DvSecPciRead8 (
> +                PciIo,
> +                DvSecOffset + sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER) +
> OFFSET_OF(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, FirmwareID)
> +                );
> +  DEBUG((DEBUG_INFO, "  NumDigest     - 0x%02x\n", NumDigest));
> +
> +  Valid = DvSecPciRead8 (
> +            PciIo,
> +            DvSecOffset + sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER) +
> OFFSET_OF(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, Valid)
> +            );
> +  DEBUG((DEBUG_INFO, "  Valid         - 0x%02x\n", Valid));
> +
> +  //
> +  // Only 2 are supported as maximum.
> +  // But hardware may report 3.
> +  //
> +  if (NumDigest > 2) {
> +    NumDigest = 2;
> +  }
> +
> +  for (DigestSel = 0; DigestSel < NumDigest; DigestSel++) {
> +    DEBUG((DEBUG_INFO, "  DigestSel     - 0x%02x\n", DigestSel));
> +    if ((DigestSel == 0) && ((Valid & INTEL_PCI_DIGEST_0_VALID) == 0)) {
> +      continue;
> +    }
> +    if ((DigestSel == 1) && ((Valid & INTEL_PCI_DIGEST_1_VALID) == 0)) {
> +      continue;
> +    }
> +    while (TRUE) {
> +      //
> +      // Host MUST clear DIGEST_MODIFIED before read DIGEST.
> +      //
> +      DvSecPciWrite8 (
> +        PciIo,
> +        DvSecOffset + sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER) +
> OFFSET_OF(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, Modified),
> +        INTEL_PCI_DIGEST_MODIFIED
> +        );
> +
> +      Status = PciIo->Pci.Read (
> +                            PciIo,
> +                            EfiPciIoWidthUint8,
> +                            (UINT32)(DvSecOffset +
> sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER) +
> sizeof(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE) + DigestSize * DigestSel),
> +                            DigestSize,
> +                            Digest
> +                            );
> +      ASSERT_EFI_ERROR(Status);
> +
> +      //
> +      // After read DIGEST, Host MUST consult DIGEST_MODIFIED.
> +      //
> +      Modified = DvSecPciRead8 (
> +                   PciIo,
> +                   DvSecOffset + sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER) +
> OFFSET_OF(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, Modified)
> +                   );
> +      if ((Modified & INTEL_PCI_DIGEST_MODIFIED) == 0) {
> +        break;
> +      }
> +    }
> +
> +    //
> +    // Dump Digest
> +    //
> +    {
> +      UINTN  Index;
> +      DEBUG((DEBUG_INFO, "  Digest        - "));
> +      for (Index = 0; Index < DigestSize; Index++) {
> +        DEBUG((DEBUG_INFO, "%02x", *(Digest + Index)));
> +      }
> +      DEBUG((DEBUG_INFO, "\n"));
> +    }
> +
> +    DEBUG((DEBUG_INFO, "ExtendDigestRegister...\n",
> ExtendDigestRegister));
> +    ExtendDigestRegister (PciIo, DeviceSecurityPolicy, TcgAlgId,
> +DigestSel, Digest, DeviceSecurityState);
> +  }
> +}
> +
> +/**
> +  The device driver uses this service to measure a PCI device.
> +
> +  @param[in]  PciIo                  The PciIo of the device.
> +  @param[in]  DeviceSecurityPolicy   The Device Security Policy associated
> with the device.
> +  @param[out] DeviceSecurityState    The Device Security state associated
> with the device.
> +**/
> +VOID
> +DoDeviceMeasurement (
> +  IN EFI_PCI_IO_PROTOCOL          *PciIo,
> +  IN EDKII_DEVICE_SECURITY_POLICY *DeviceSecurityPolicy,
> +  OUT EDKII_DEVICE_SECURITY_STATE *DeviceSecurityState
> +  )
> +{
> +  UINT32                                    DvSecOffset;
> +  INTEL_PCI_DIGEST_CAPABILITY_HEADER        DvSecHdr;
> +  EFI_STATUS                                Status;
> +
> +  if (IsPciDeviceInList (PciIo, &mSecurityEventMeasurementDeviceList)) {
> +    DeviceSecurityState->MeasurementState =
> EDKII_DEVICE_SECURITY_STATE_SUCCESS;
> +    return ;
> +  }
> +
> +  DvSecOffset = GetPciExpressExtCapId (PciIo, INTEL_PCI_CAPID_DVSEC);
> + DEBUG((DEBUG_INFO, "DvSec Capability - 0x%x\n", DvSecOffset));  if
> + (DvSecOffset == 0) {
> +    DeviceSecurityState->MeasurementState =
> EDKII_DEVICE_SECURITY_STATE_ERROR_PCI_NO_CAPABILITIES;
> +    return ;
> +  }
> +  Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, DvSecOffset,
> + sizeof(DvSecHdr)/sizeof(UINT16), &DvSecHdr);
> ASSERT_EFI_ERROR(Status);
> +  DEBUG((DEBUG_INFO, "  CapId         - 0x%04x\n", DvSecHdr.CapId));
> +  DEBUG((DEBUG_INFO, "  CapVersion    - 0x%01x\n",
> DvSecHdr.CapVersion));
> +  DEBUG((DEBUG_INFO, "  NextOffset    - 0x%03x\n",
> DvSecHdr.NextOffset));
> +  DEBUG((DEBUG_INFO, "  DvSecVendorId - 0x%04x\n",
> + DvSecHdr.DvSecVendorId));  DEBUG((DEBUG_INFO, "  DvSecRevision -
> 0x%01x\n", DvSecHdr.DvSecRevision));
> +  DEBUG((DEBUG_INFO, "  DvSecLength   - 0x%03x\n",
> DvSecHdr.DvSecLength));
> +  DEBUG((DEBUG_INFO, "  DvSecId       - 0x%04x\n", DvSecHdr.DvSecId));
> +  if ((DvSecHdr.DvSecVendorId != INTEL_PCI_DVSEC_VENDORID_INTEL) &&
> +      (DvSecHdr.DvSecId != INTEL_PCI_DVSEC_DVSECID_MEASUREMENT)) {
> +    DeviceSecurityState->MeasurementState =
> EDKII_DEVICE_SECURITY_STATE_ERROR_PCI_NO_CAPABILITIES;
> +    return ;
> +  }
> +
> +  DoMeasurementsFromDigestRegister (PciIo, DvSecOffset,
> +DeviceSecurityPolicy, DeviceSecurityState); }
> +
> +/**
> +  The device driver uses this service to verify a PCI device.
> +
> +  @param[in]  PciIo                  The PciIo of the device.
> +  @param[in]  DeviceSecurityPolicy   The Device Security Policy associated
> with the device.
> +  @param[out] DeviceSecurityState    The Device Security state associated
> with the device.
> +**/
> +VOID
> +DoDeviceAuthentication (
> +  IN EFI_PCI_IO_PROTOCOL          *PciIo,
> +  IN EDKII_DEVICE_SECURITY_POLICY *DeviceSecurityPolicy,
> +  OUT EDKII_DEVICE_SECURITY_STATE *DeviceSecurityState
> +  )
> +{
> +  DeviceSecurityState->AuthenticationState =
> +EDKII_DEVICE_SECURITY_STATE_ERROR_UEFI_UNSUPPORTED;
> +}
> +
> +/**
> +  The device driver uses this service to measure and/or verify a device.
> +
> +  The flow in device driver is:
> +  1) Device driver discovers a new device.
> +  2) Device driver creates an EFI_DEVICE_PATH_PROTOCOL.
> +  3) Device driver creates a device access protocol. e.g.
> +     EFI_PCI_IO_PROTOCOL for PCI device.
> +     EFI_USB_IO_PROTOCOL for USB device.
> +     EFI_EXT_SCSI_PASS_THRU_PROTOCOL for SCSI device.
> +     EFI_ATA_PASS_THRU_PROTOCOL for ATA device.
> +     EFI_NVM_EXPRESS_PASS_THRU_PROTOCOL for NVMe device.
> +     EFI_SD_MMC_PASS_THRU_PROTOCOL for SD/MMC device.
> +  4) Device driver installs the EFI_DEVICE_PATH_PROTOCOL with
> EFI_DEVICE_PATH_PROTOCOL_GUID,
> +     and the device access protocol with
> EDKII_DEVICE_IDENTIFIER_TYPE_xxx_GUID.
> +     Once it is done, a DeviceHandle is returned.
> +  5) Device driver creates EDKII_DEVICE_IDENTIFIER with
> EDKII_DEVICE_IDENTIFIER_TYPE_xxx_GUID
> +     and the DeviceHandle.
> +  6) Device driver calls DeviceAuthenticate().
> +  7) If DeviceAuthenticate() returns EFI_SECURITY_VIOLATION, the device
> driver uninstalls
> +     all protocols on this handle.
> +  8) If DeviceAuthenticate() returns EFI_SUCCESS, the device driver installs
> the device access
> +     protocol with a real protocol GUID. e.g.
> +     EFI_PCI_IO_PROTOCOL with EFI_PCI_IO_PROTOCOL_GUID.
> +     EFI_USB_IO_PROTOCOL with EFI_USB_IO_PROTOCOL_GUID.
> +
> +  @param[in]  This              The protocol instance pointer.
> +  @param[in]  DeviceId          The Identifier for the device.
> +
> +  @retval EFI_SUCCESS              The device specified by the DeviceId passed
> the measurement
> +                                   and/or authentication based upon the platform policy.
> +                                   If TCG measurement is required, the measurement is
> extended to TPM PCR.
> +  @retval EFI_SECURITY_VIOLATION   The device fails to return the
> measurement data.
> +  @retval EFI_SECURITY_VIOLATION   The device fails to response the
> authentication request.
> +  @retval EFI_SECURITY_VIOLATION   The system fails to verify the device
> based upon the authentication response.
> +  @retval EFI_SECURITY_VIOLATION   The system fails to extend the
> measurement to TPM PCR.
> +**/
> +EFI_STATUS
> +EFIAPI
> +DeviceAuthentication (
> +  IN EDKII_DEVICE_SECURITY_PROTOCOL  *This,
> +  IN EDKII_DEVICE_IDENTIFIER         *DeviceId
> +  )
> +{
> +  EDKII_DEVICE_SECURITY_POLICY           DeviceSecurityPolicy;
> +  EDKII_DEVICE_SECURITY_STATE            DeviceSecurityState;
> +  EFI_PCI_IO_PROTOCOL                    *PciIo;
> +  EFI_STATUS                             Status;
> +
> +  if (mDeviceSecurityPolicy == NULL) {
> +    return EFI_SUCCESS;
> +  }
> +
> +  if (!CompareGuid (&DeviceId->DeviceType,
> &gEdkiiDeviceIdentifierTypePciGuid)) {
> +    return EFI_SUCCESS;
> +  }
> +
> +  Status = gBS->HandleProtocol (
> +                  DeviceId->DeviceHandle,
> +                  &gEdkiiDeviceIdentifierTypePciGuid,
> +                  (VOID **)&PciIo
> +                  );
> +  if (EFI_ERROR(Status)) {
> +    DEBUG ((DEBUG_ERROR, "Locate - DeviceIdentifierTypePci - %r\n",
> Status));
> +    return EFI_SUCCESS;
> +  }
> +
> +  DeviceSecurityState.Version = EDKII_DEVICE_SECURITY_STATE_REVISION;
> +  DeviceSecurityState.MeasurementState = 0x0;
> + DeviceSecurityState.AuthenticationState = 0x0;
> +
> +  Status = mDeviceSecurityPolicy->GetDevicePolicy
> + (mDeviceSecurityPolicy, DeviceId, &DeviceSecurityPolicy);  if
> (EFI_ERROR(Status)) {
> +    DEBUG((DEBUG_ERROR, "mDeviceSecurityPolicy->GetDevicePolicy -
>  %r\n", Status));
> +    DeviceSecurityState.MeasurementState =
> EDKII_DEVICE_SECURITY_STATE_ERROR_UEFI_GET_POLICY_PROTOCOL;
> +    DeviceSecurityState.AuthenticationState =
> + EDKII_DEVICE_SECURITY_STATE_ERROR_UEFI_GET_POLICY_PROTOCOL;
> +  } else {
> +    if ((DeviceSecurityPolicy.MeasurementPolicy &
> EDKII_DEVICE_MEASUREMENT_REQUIRED) != 0) {
> +      DoDeviceMeasurement (PciIo, &DeviceSecurityPolicy,
> &DeviceSecurityState);
> +      DEBUG((DEBUG_ERROR, "MeasurementState - 0x%08x\n",
> DeviceSecurityState.MeasurementState));
> +    }
> +    if ((DeviceSecurityPolicy.AuthenticationPolicy &
> EDKII_DEVICE_AUTHENTICATION_REQUIRED) != 0) {
> +      DoDeviceAuthentication (PciIo, &DeviceSecurityPolicy,
> &DeviceSecurityState);
> +      DEBUG((DEBUG_ERROR, "AuthenticationState - 0x%08x\n",
> DeviceSecurityState.AuthenticationState));
> +    }
> +  }
> +
> +  Status = mDeviceSecurityPolicy->NotifyDeviceState
> + (mDeviceSecurityPolicy, DeviceId, &DeviceSecurityState);  if
> (EFI_ERROR(Status)) {
> +    DEBUG((DEBUG_ERROR, "mDeviceSecurityPolicy->NotifyDeviceState -
> + %r\n", Status));  }
> +
> +  if ((DeviceSecurityState.MeasurementState == 0) &&
> +      (DeviceSecurityState.AuthenticationState == 0)) {
> +    return EFI_SUCCESS;
> +  } else {
> +    return EFI_SECURITY_VIOLATION;
> +  }
> +}
> +
> +EDKII_DEVICE_SECURITY_PROTOCOL mDeviceSecurity = {
> +  EDKII_DEVICE_SECURITY_PROTOCOL_REVISION,
> +  DeviceAuthentication
> +};
> +
> +/**
> +  Entrypoint of the device security driver.
> +
> +  @param[in]  ImageHandle  ImageHandle of the loaded driver  @param[in]
> + SystemTable  Pointer to the System Table
> +
> +  @retval  EFI_SUCCESS           The Protocol is installed.
> +  @retval  EFI_OUT_OF_RESOURCES  Not enough resources available to
> initialize driver.
> +  @retval  EFI_DEVICE_ERROR      A device error occurred attempting to
> initialize the driver.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +MainEntryPoint (
> +  IN EFI_HANDLE        ImageHandle,
> +  IN EFI_SYSTEM_TABLE  *SystemTable
> +  )
> +{
> +  EFI_HANDLE  Handle;
> +  EFI_STATUS  Status;
> +
> +  Status = gBS->LocateProtocol
> + (&gEdkiiDeviceSecurityPolicyProtocolGuid, NULL, (VOID
> + **)&mDeviceSecurityPolicy);  ASSERT_EFI_ERROR(Status);
> +
> +  Handle = NULL;
> +  Status = gBS->InstallProtocolInterface (
> +                  &Handle,
> +                  &gEdkiiDeviceSecurityProtocolGuid,
> +                  EFI_NATIVE_INTERFACE,
> +                  (VOID **)&mDeviceSecurity
> +                  );
> +  ASSERT_EFI_ERROR(Status);
> +
> +  return Status;
> +}
> diff --git
> a/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDx
> e/IntelPciDeviceSecurityDxe.inf
> b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityD
> xe/IntelPciDeviceSecurityDxe.inf
> new file mode 100644
> index 0000000000..89a4c8fadd
> --- /dev/null
> +++ b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceS
> +++ ecurityDxe/IntelPciDeviceSecurityDxe.inf
> @@ -0,0 +1,45 @@
> +## @file
> +#  EDKII Device Security library for PCI device # # Copyright (c) 2019,
> +Intel Corporation. All rights reserved.<BR> # SPDX-License-Identifier:
> +BSD-2-Clause-Patent # ##
> +
> +[Defines]
> +  INF_VERSION                    = 0x00010005
> +  BASE_NAME                      = IntelPciDeviceSecurityDxe
> +  FILE_GUID                      = D9569195-ED94-47D2-9523-38BF2D201371
> +  MODULE_TYPE                    = DXE_DRIVER
> +  VERSION_STRING                 = 1.0
> +  ENTRY_POINT                    = MainEntryPoint
> +
> +[Sources]
> +  IntelPciDeviceSecurityDxe.c
> +  TcgDeviceEvent.h
> +
> +[Packages]
> +  MdePkg/MdePkg.dec
> +  MdeModulePkg/MdeModulePkg.dec
> +  IntelSiliconPkg/IntelSiliconPkg.dec
> +
> +[LibraryClasses]
> +  UefiRuntimeServicesTableLib
> +  UefiBootServicesTableLib
> +  UefiDriverEntryPoint
> +  MemoryAllocationLib
> +  DevicePathLib
> +  BaseMemoryLib
> +  PrintLib
> +  DebugLib
> +  UefiLib
> +  PcdLib
> +  TpmMeasurementLib
> +
> +[Protocols]
> +  gEdkiiDeviceSecurityPolicyProtocolGuid  ## CONSUMES
> +  gEdkiiDeviceSecurityProtocolGuid        ## PRODUCES
> +  gEdkiiDeviceIdentifierTypePciGuid       ## COMSUMES
> +
> +[Depex]
> +  gEdkiiDeviceSecurityPolicyProtocolGuid
> diff --git
> a/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDx
> e/TcgDeviceEvent.h
> b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityD
> xe/TcgDeviceEvent.h
> new file mode 100644
> index 0000000000..5b642b3ecc
> --- /dev/null
> +++ b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceS
> +++ ecurityDxe/TcgDeviceEvent.h
> @@ -0,0 +1,178 @@
> +/** @file
> +  TCG Device Event data structure
> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent **/
> +
> +
> +#ifndef __TCG_EVENT_DATA_H__
> +#define __TCG_EVENT_DATA_H__
> +
> +#include <IndustryStandard/Spdm.h>
> +
> +#pragma pack(1)
> +
> +// -------------------------------------------
> +// TCG Measurement for SPDM Device Measurement //
> +-------------------------------------------
> +
> +//
> +// Device Firmware Component (including immutable ROM or mutable
> +firmware) //
> +#define EDKII_DEVICE_MEASUREMENT_COMPONENT_PCR_INDEX        2
> +#define EDKII_DEVICE_MEASUREMENT_COMPONENT_EVENT_TYPE
> 0x800000E1
> +//
> +// Device Firmware Configuration (including hardware configuration or
> +firmware configuration) //
> +#define EDKII_DEVICE_MEASUREMENT_CONFIGURATION_PCR_INDEX    4
> +#define EDKII_DEVICE_MEASUREMENT_CONFIGURATION_EVENT_TYPE
> 0x800000E2
> +
> +//
> +// Device Firmware Measurement Measurement Data // The measurement
> data
> +is the device firmware measurement.
> +//
> +// In order to support crypto agile, the firmware will hash the
> DeviceMeasurement again.
> +// As such the device measurement algo might be different with host
> firmware measurement algo.
> +//
> +
> +//
> +// Device Firmware Measurement Event Data // #define
> +EDKII_DEVICE_SECURITY_EVENT_DATA_SIGNATURE "SPDM Device Sec\0"
> +#define EDKII_DEVICE_SECURITY_EVENT_DATA_VERSION  0
> +
> +//
> +// Device Type
> +// 0x03 ~ 0xDF reserved by TCG.
> +// 0xE0 ~ 0xFF reserved by OEM.
> +//
> +#define EDKII_DEVICE_SECURITY_EVENT_DATA_DEVICE_TYPE_NULL  0
> +#define EDKII_DEVICE_SECURITY_EVENT_DATA_DEVICE_TYPE_PCI   1
> +#define EDKII_DEVICE_SECURITY_EVENT_DATA_DEVICE_TYPE_USB   2
> +
> +//
> +// Device Firmware Measurement Event Data Common Part // The device
> +specific part should follow this data structure.
> +//
> +typedef struct {
> +  //
> +  // It must be EDKII_DEVICE_SECURITY_EVENT_DATA_SIGNATURE.
> +  //
> +  UINT8                          Signature[16];
> +  //
> +  // It must be EDKII_DEVICE_SECURITY_EVENT_DATA_VERSION.
> +  //
> +  UINT16                         Version;
> +  //
> +  // The length of whole data structure, including Device Context.
> +  //
> +  UINT16                         Length;
> +  //
> +  // The SpdmHashAlgo
> +  //
> +  UINT32                         SpdmHashAlgo;
> +  //
> +  // The type of device. This field is to determine the Device Context
> followed by.
> +  //
> +  UINT32                         DeviceType;
> +  //
> +  // The SPDM measurement block.
> +  //
> +//SPDM_MEASUREMENT_BLOCK         SpdmMeasurementBlock;
> +} EDKII_DEVICE_SECURITY_EVENT_DATA_HEADER;
> +
> +//
> +// PCI device specific context
> +//
> +#define EDKII_DEVICE_SECURITY_EVENT_DATA_PCI_CONTEXT_VERSION  0
> typedef
> +struct {
> +  UINT16  Version;
> +  UINT16  Length;
> +  UINT16  VendorId;
> +  UINT16  DeviceId;
> +  UINT8   RevisionID;
> +  UINT8   ClassCode[3];
> +  UINT16  SubsystemVendorID;
> +  UINT16  SubsystemID;
> +} EDKII_DEVICE_SECURITY_EVENT_DATA_PCI_CONTEXT;
> +
> +//
> +// USB device specific context
> +//
> +#define EDKII_DEVICE_SECURITY_EVENT_DATA_USB_CONTEXT_VERSION
> 0 typedef
> +struct {
> +  UINT16  Version;
> +  UINT16  Length;
> +//UINT8   DeviceDescriptor[DescLen];
> +//UINT8   BodDescriptor[DescLen];
> +//UINT8   ConfigurationDescriptor[DescLen][NumOfConfiguration];
> +} EDKII_DEVICE_SECURITY_EVENT_DATA_USB_CONTEXT;
> +
> +// ----------------------------------------------
> +// TCG Measurement for SPDM Device Authentication //
> +----------------------------------------------
> +
> +//
> +// Device Root cert is stored into a UEFI authenticated variable.
> +// It is non-volatile, boot service, runtime service, and time based
> authenticated variable.
> +// The "devdb" includes a list of allowed device root cert.
> +// The "devdbx" includes a list of forbidden device root cert.
> +// The usage of "devdb" and "devdbx" is same as "db" and "dbx" in UEFI
> secure boot.
> +//
> +// NOTE: We choose not to mix "db"/"dbx" for better management
> purpose.
> +//
> +
> +#define EDKII_DEVICE_ROOT_CERT_VARAIBLE_NAME    L"devdb"
> +#define EDKII_DEVICE_ROOT_CERT_VARAIBLE2_NAME   L"devdbx"
> +
> +#define EDKII_DEVICE_SIGNATURE_DATABASE_GUID \
> +  {0xb9c2b4f4, 0xbf5f, 0x462d, 0x8a, 0xdf, 0xc5, 0xc7, 0xa, 0xc3, 0x5d,
> +0xad}
> +
> +//
> +// Platform Firmware adhering to the policy MUST therefore measure the
> following values into PCR[7]:
> +// 1. The content of the
> EDKII_DEVICE_SIGNATURE_DATABASE_GUID/EDKII_DEVICE_ROOT_CERT_V
> ARAIBLE_NAME variable.
> +// 2. The content of the
> EDKII_DEVICE_SIGNATURE_DATABASE_GUID/EDKII_DEVICE_ROOT_CERT_V
> ARAIBLE2_NAME variable.
> +// 3. Entries in the
> EDKII_DEVICE_SIGNATURE_DATABASE_GUID/EDKII_DEVICE_ROOT_CERT_V
> ARAIBLE_NAME variable to
> +//    authenticate the device.
> +//
> +// For all UEFI variable value events, the eventType SHALL be
> +EV_EFI_VARIABLE_DRIVER_CONFIG and the Event // value SHALL be the
> value of the UEFI_VARIABLE_DATA structure (this structure SHALL be
> considered byte-aligned).
> +// The measurement digest MUST be tagged Hash for each supported PCR
> +bank of the event data which is the // UEFI_VARIABLE_DATA structure.
> +The UEFI_VARIABLE_DATA.UnicodeNameLength value is the number of
> CHAR16 // characters (not the number of bytes). The
> UEFI_VARIABLE_DATA.UnicodeName contents MUST NOT include a NUL.
> +// If reading a UEFI variable returns UEFI_NOT_FOUND, the
> +UEFI_VARIABLE_DATA.VariableDataLength field MUST // be set to zero and
> UEFI_VARIABLE_DATA.VariableData field will have a size of zero.
> +//
> +
> +//
> +// Entities that MUST be measured if the TPM is enabled:
> +// 1. Before executing any code not cryptographically authenticated as
> being provided by the Platform Manufacturer,
> +//    the Platform Manufacturer firmware MUST measure the following
> values, in the order listed using the
> +//    EV_EFI_VARIABLE_DRIVER_CONFIG event type to PCR[7]:
> +//    a) The content of the EDKII_DEVICE_SIGNATURE_DATABASE_GUID/
> EDKII_DEVICE_ROOT_CERT_VARAIBLE_NAME variable.
> +//    b) The content of the EDKII_DEVICE_SIGNATURE_DATABASE_GUID/
> EDKII_DEVICE_ROOT_CERT_VARAIBLE2_NAME variable.
> +// 2. If the platform supports changing any of the following UEFI policy
> variables after they are initially measured
> +//    in PCR[7] and before ExitBootServices() has completed, the platform
> MAY be restarted OR the variables MUST be
> +//    remeasured into PCR[7]. Additionally the normal update process for
> setting any of the UEFI variables below SHOULD
> +//    occur before the initial measurement in PCR[7] or after the call to
> ExitBootServices() has completed.
> +//    a) The content of the EDKII_DEVICE_SIGNATURE_DATABASE_GUID/
> EDKII_DEVICE_ROOT_CERT_VARAIBLE_NAME variable.
> +//    b) The content of the EDKII_DEVICE_SIGNATURE_DATABASE_GUID/
> EDKII_DEVICE_ROOT_CERT_VARAIBLE2_NAME variable.
> +// 3. The system SHALL measure the EV_SEPARATOR event in PCR[7]. (This
> occurs at the same time the separator is
> +//    measured to PCR[0-7].)
> +//    Before setting up a device, the UEFI firmware SHALL determine if the
> entry in the
> +//    EDKII_DEVICE_SIGNATURE_DATABASE_GUID/
> EDKII_DEVICE_ROOT_CERT_VARAIBLE_NAME variable that was used to
> validate
> +//    the device has previously been measured in PCR[7]. If it has not been, it
> MUST be measured into PCR[7] as follows.
> +//    If it has been measured previously, it MUST NOT be measured again.
> The measurement SHALL occur in conjunction
> +//    with device setup.
> +//    a) The eventType SHALL be EV_EFI_VARIABLE_AUTHORITY.
> +//    b) The event value SHALL be the value of the UEFI_VARIABLE_DATA
> structure.
> +//       i.   The UEFI_VARIABLE_DATA.VariableData value SHALL be the
> UEFI_SIGNATURE_DATA value from the
> +//            UEFI_SIGNATURE_LIST that contained the authority that was used
> to validate the image.
> +//       ii.  The UEFI_VARIABLE_DATA.VariableName SHALL be set to
> UEFI_IMAGE_SECURITY_DATABASE_GUID.
> +//       iii. The UEFI_VARIABLE_DATA.UnicodeName SHALL be set to the value
> of UEFI_IMAGE_SECURITY_DATABASE.
> +//            The value MUST NOT include the terminating NUL.
> +//
> +
> +#pragma pack()
> +
> +#endif
> --
> 2.19.2.windows.1

Re: [PATCH V3 5/6] IntelSiliconPkg/SamplePlatformDevicePolicyDxe: Add sample policy.

[Ni, Ray]

Reviewed-by: Ray Ni <ray.ni@intel.com>

> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Thursday, November 7, 2019 9:39 PM
> To: devel@edk2.groups.io
> Cc: Ni, Ray <ray.ni@intel.com>; Chaganty, Rangasai V
> <rangasai.v.chaganty@intel.com>; Lou, Yun <yun.lou@intel.com>
> Subject: [PATCH V3 5/6] IntelSiliconPkg/SamplePlatformDevicePolicyDxe:
> Add sample policy.
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303
> 
> This driver provides the platform sample policy to measure a NVMe card.
> 
> Cc: Ray Ni <ray.ni@intel.com>
> Cc: Rangasai V Chaganty <rangasai.v.chaganty@intel.com>
> Cc: Yun Lou <yun.lou@intel.com>
> Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
> ---
>  .../SamplePlatformDevicePolicyDxe.c           | 204 ++++++++++++++++++
>  .../SamplePlatformDevicePolicyDxe.inf         |  40 ++++
>  2 files changed, 244 insertions(+)
>  create mode 100644
> Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePoli
> cyDxe/SamplePlatformDevicePolicyDxe.c
>  create mode 100644
> Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePoli
> cyDxe/SamplePlatformDevicePolicyDxe.inf
> 
> diff --git
> a/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDeviceP
> olicyDxe/SamplePlatformDevicePolicyDxe.c
> b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDeviceP
> olicyDxe/SamplePlatformDevicePolicyDxe.c
> new file mode 100644
> index 0000000000..5b0897d6af
> --- /dev/null
> +++ b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformD
> +++ evicePolicyDxe/SamplePlatformDevicePolicyDxe.c
> @@ -0,0 +1,204 @@
> +/** @file
> +  EDKII Device Security library for PCI device
> +
> +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> +
> +**/
> +
> +#include <Uefi.h>
> +#include <IndustryStandard/Spdm.h>
> +#include <IndustryStandard/Pci.h>
> +#include <Protocol/PciIo.h>
> +#include <Protocol/DeviceSecurity.h>
> +#include <Protocol/PlatformDeviceSecurityPolicy.h>
> +#include <Library/DebugLib.h>
> +#include <Library/BaseMemoryLib.h>
> +#include <Library/UefiBootServicesTableLib.h>
> +#include <Library/MemoryAllocationLib.h>
> +
> +EDKII_DEVICE_SECURITY_POLICY           mDeviceSecurityPolicyNone = {
> +  EDKII_DEVICE_SECURITY_POLICY_REVISION,
> +  0,
> +  0,
> +};
> +EDKII_DEVICE_SECURITY_POLICY           mDeviceSecurityPolicyMeasurement
> = {
> +  EDKII_DEVICE_SECURITY_POLICY_REVISION,
> +  EDKII_DEVICE_MEASUREMENT_REQUIRED,
> +  0,
> +};
> +
> +/**
> +  This function returns the device security policy associated with the device.
> +
> +  The device security driver may call this interface to get the
> + platform policy  for the specific device and determine if the
> + measurement or authentication  is required.
> +
> +  @param[in]  This                   The protocol instance pointer.
> +  @param[in]  DeviceId               The Identifier for the device.
> +  @param[out] DeviceSecurityPolicy   The Device Security Policy associated
> with the device.
> +
> +  @retval EFI_SUCCESS                The device security policy is returned
> +  @retval EFI_UNSUPPORTED            The function is unsupported for the
> specific Device.
> +**/
> +EFI_STATUS
> +EFIAPI
> +GetDevicePolicy (
> +  IN  EDKII_DEVICE_SECURITY_POLICY_PROTOCOL  *This,
> +  IN  EDKII_DEVICE_IDENTIFIER                *DeviceId,
> +  OUT EDKII_DEVICE_SECURITY_POLICY           *DeviceSecurityPolicy
> +  )
> +{
> +  EFI_STATUS                  Status;
> +  EFI_PCI_IO_PROTOCOL         *PciIo;
> +  UINT16                      PciVendorId;
> +  UINT16                      PciDeviceId;
> +
> +  CopyMem (DeviceSecurityPolicy, &mDeviceSecurityPolicyNone,
> + sizeof(EDKII_DEVICE_SECURITY_POLICY));
> +
> +  DEBUG ((DEBUG_INFO, "GetDevicePolicy - 0x%g\n",
> + &DeviceId->DeviceType));
> +
> +  if (!CompareGuid (&DeviceId->DeviceType,
> &gEdkiiDeviceIdentifierTypePciGuid)) {
> +    return EFI_SUCCESS;
> +  }
> +
> +  Status = gBS->HandleProtocol (
> +                  DeviceId->DeviceHandle,
> +                  &gEdkiiDeviceIdentifierTypePciGuid,
> +                  (VOID **)&PciIo
> +                  );
> +  if (EFI_ERROR(Status)) {
> +    DEBUG ((DEBUG_ERROR, "Locate - DeviceIdentifierTypePci - %r\n",
> Status));
> +    return EFI_SUCCESS;
> +  }
> +
> +  Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16,
> + PCI_VENDOR_ID_OFFSET, 1, &PciVendorId);  ASSERT_EFI_ERROR(Status);
> + Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16,
> + PCI_DEVICE_ID_OFFSET, 1, &PciDeviceId);  ASSERT_EFI_ERROR(Status);
> + DEBUG ((DEBUG_INFO, "PCI Info - %04x:%04x\n", PciVendorId,
> + PciDeviceId));
> +
> +  if ((PciVendorId == 0x8086) && (PciDeviceId == 0x0B60)) {
> +    CopyMem (DeviceSecurityPolicy, &mDeviceSecurityPolicyMeasurement,
> + sizeof(EDKII_DEVICE_SECURITY_POLICY));
> +  }
> +
> +  return EFI_SUCCESS;
> +}
> +
> +/**
> +  This function sets the device state based upon the authentication result.
> +
> +  The device security driver may call this interface to give the
> + platform  a notify based upon the measurement or authentication result.
> +  If the authentication or measurement fails, the platform may choose:
> +  1) Do nothing.
> +  2) Disable this device or slot temporarily and continue boot.
> +  3) Reset the platform and retry again.
> +  4) Disable this device or slot permanently.
> +  5) Any other platform specific action.
> +
> +  @param[in]  This                   The protocol instance pointer.
> +  @param[in]  DeviceId               The Identifier for the device.
> +  @param[in]  DeviceSecurityState    The Device Security state associated
> with the device.
> +
> +  @retval EFI_SUCCESS                The device state is set
> +  @retval EFI_UNSUPPORTED            The function is unsupported for the
> specific Device.
> +**/
> +EFI_STATUS
> +EFIAPI
> +NotifyDeviceState (
> +  IN  EDKII_DEVICE_SECURITY_POLICY_PROTOCOL  *This,
> +  IN  EDKII_DEVICE_IDENTIFIER                *DeviceId,
> +  IN  EDKII_DEVICE_SECURITY_STATE            *DeviceSecurityState
> +  )
> +{
> +  EFI_STATUS                  Status;
> +  EFI_PCI_IO_PROTOCOL         *PciIo;
> +  UINT16                      PciVendorId;
> +  UINT16                      PciDeviceId;
> +  UINTN                       Segment;
> +  UINTN                       Bus;
> +  UINTN                       Device;
> +  UINTN                       Function;
> +
> +  DEBUG ((DEBUG_INFO, "NotifyDeviceState - 0x%g\n",
> + &DeviceId->DeviceType));
> +
> +  if (!CompareGuid (&DeviceId->DeviceType,
> &gEdkiiDeviceIdentifierTypePciGuid)) {
> +    return EFI_SUCCESS;
> +  }
> +
> +  Status = gBS->HandleProtocol (
> +                  DeviceId->DeviceHandle,
> +                  &gEdkiiDeviceIdentifierTypePciGuid,
> +                  (VOID **)&PciIo
> +                  );
> +  if (EFI_ERROR(Status)) {
> +    DEBUG ((DEBUG_ERROR, "Locate - DeviceIdentifierTypePci - %r\n",
> Status));
> +    return EFI_SUCCESS;
> +  }
> +
> +  Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16,
> + PCI_VENDOR_ID_OFFSET, 1, &PciVendorId);  ASSERT_EFI_ERROR(Status);
> + Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16,
> + PCI_DEVICE_ID_OFFSET, 1, &PciDeviceId);  ASSERT_EFI_ERROR(Status);
> + DEBUG ((DEBUG_INFO, "PCI Info - %04x:%04x\n", PciVendorId,
> + PciDeviceId));
> +
> +  Status = PciIo->GetLocation (
> +                    PciIo,
> +                    &Segment,
> +                    &Bus,
> +                    &Device,
> +                    &Function
> +                    );
> +  if (!EFI_ERROR(Status)) {
> +    DEBUG ((DEBUG_INFO, "PCI Loc - %04x:%02x:%02x:%02x\n",
> +      Segment, Bus, Device, Function));  }
> +
> +  DEBUG ((DEBUG_INFO, "State - Measurement - 0x%08x, Authentication -
> 0x%08x\n",
> +    DeviceSecurityState->MeasurementState,
> +    DeviceSecurityState->AuthenticationState
> +    ));
> +
> +  return EFI_SUCCESS;
> +}
> +
> +EDKII_DEVICE_SECURITY_POLICY_PROTOCOL  mDeviceSecurityPolicy = {
> +  EDKII_DEVICE_SECURITY_POLICY_PROTOCOL_REVISION,
> +  GetDevicePolicy,
> +  NotifyDeviceState,
> +};
> +
> +/**
> +  Entrypoint of the device security driver.
> +
> +  @param[in]  ImageHandle  ImageHandle of the loaded driver  @param[in]
> + SystemTable  Pointer to the System Table
> +
> +  @retval  EFI_SUCCESS           The Protocol is installed.
> +  @retval  EFI_OUT_OF_RESOURCES  Not enough resources available to
> initialize driver.
> +  @retval  EFI_DEVICE_ERROR      A device error occurred attempting to
> initialize the driver.
> +
> +**/
> +EFI_STATUS
> +EFIAPI
> +MainEntryPoint (
> +  IN EFI_HANDLE        ImageHandle,
> +  IN EFI_SYSTEM_TABLE  *SystemTable
> +  )
> +{
> +  EFI_HANDLE  Handle;
> +  EFI_STATUS  Status;
> +
> +  Handle = NULL;
> +  Status = gBS->InstallProtocolInterface (
> +                  &Handle,
> +                  &gEdkiiDeviceSecurityPolicyProtocolGuid,
> +                  EFI_NATIVE_INTERFACE,
> +                  &mDeviceSecurityPolicy
> +                  );
> +  ASSERT_EFI_ERROR(Status);
> +
> +  return Status;
> +}
> diff --git
> a/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDeviceP
> olicyDxe/SamplePlatformDevicePolicyDxe.inf
> b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDeviceP
> olicyDxe/SamplePlatformDevicePolicyDxe.inf
> new file mode 100644
> index 0000000000..a9b77d8371
> --- /dev/null
> +++ b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformD
> +++ evicePolicyDxe/SamplePlatformDevicePolicyDxe.inf
> @@ -0,0 +1,40 @@
> +## @file
> +#  EDKII Device Security library for PCI device # # Copyright (c) 2019,
> +Intel Corporation. All rights reserved.<BR> # SPDX-License-Identifier:
> +BSD-2-Clause-Patent # ##
> +
> +[Defines]
> +  INF_VERSION                    = 0x00010005
> +  BASE_NAME                      = SamplePlatformDevicePolicyDxe
> +  FILE_GUID                      = 7EA7AACF-7ED3-4166-8271-B21156523620
> +  MODULE_TYPE                    = DXE_DRIVER
> +  VERSION_STRING                 = 1.0
> +  ENTRY_POINT                    = MainEntryPoint
> +
> +[Sources]
> +  SamplePlatformDevicePolicyDxe.c
> +
> +[Packages]
> +  MdePkg/MdePkg.dec
> +  MdeModulePkg/MdeModulePkg.dec
> +  IntelSiliconPkg/IntelSiliconPkg.dec
> +
> +[LibraryClasses]
> +  UefiRuntimeServicesTableLib
> +  UefiBootServicesTableLib
> +  UefiDriverEntryPoint
> +  MemoryAllocationLib
> +  DevicePathLib
> +  BaseMemoryLib
> +  PrintLib
> +  DebugLib
> +
> +[Protocols]
> +  gEdkiiDeviceSecurityPolicyProtocolGuid  ## PRODUCES
> +  gEdkiiDeviceIdentifierTypePciGuid       ## COMSUMES
> +
> +[Depex]
> +  TRUE
> --
> 2.19.2.windows.1

Re: [PATCH V3 6/6] IntelSiliconPkg/dsc: Add Device Security component.

[Ni, Ray]

Reviewed-by: Ray Ni <ray.ni@intel.com>

> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Thursday, November 7, 2019 9:39 PM
> To: devel@edk2.groups.io
> Cc: Ni, Ray <ray.ni@intel.com>; Chaganty, Rangasai V
> <rangasai.v.chaganty@intel.com>; Lou, Yun <yun.lou@intel.com>
> Subject: [PATCH V3 6/6] IntelSiliconPkg/dsc: Add Device Security component.
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303
> 
> Cc: Ray Ni <ray.ni@intel.com>
> Cc: Rangasai V Chaganty <rangasai.v.chaganty@intel.com>
> Cc: Yun Lou <yun.lou@intel.com>
> Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
> ---
>  Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dsc | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dsc
> b/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dsc
> index df8984a606..0a6509d8b3 100644
> --- a/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dsc
> +++ b/Silicon/Intel/IntelSiliconPkg/IntelSiliconPkg.dsc
> @@ -35,6 +35,7 @@
> 
> CacheMaintenanceLib|MdePkg/Library/BaseCacheMaintenanceLib/BaseCac
> heMaintenanceLib.inf
> 
> MicrocodeFlashAccessLib|IntelSiliconPkg/Feature/Capsule/Library/Microcod
> eFlashAccessLibNull/MicrocodeFlashAccessLibNull.inf
> 
> PeiGetVtdPmrAlignmentLib|IntelSiliconPkg/Library/PeiGetVtdPmrAlignment
> Lib/PeiGetVtdPmrAlignmentLib.inf
> +
> +
> TpmMeasurementLib|MdeModulePkg/Library/TpmMeasurementLibNull/Tp
> mMeasur
> + ementLibNull.inf
> 
>  [LibraryClasses.common.PEIM]
>    PeimEntryPoint|MdePkg/Library/PeimEntryPoint/PeimEntryPoint.inf
> @@ -75,6 +76,8 @@
> 
>  [Components]
>    IntelSiliconPkg/Library/DxeSmbiosDataHobLib/DxeSmbiosDataHobLib.inf
> +
> + IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/IntelPc
> + iDeviceSecurityDxe.inf
> + IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/Sam
> + plePlatformDevicePolicyDxe.inf
>    IntelSiliconPkg/Feature/VTd/IntelVTdDxe/IntelVTdDxe.inf
>    IntelSiliconPkg/Feature/VTd/IntelVTdPmrPei/IntelVTdPmrPei.inf
> 
> IntelSiliconPkg/Feature/VTd/PlatformVTdSampleDxe/PlatformVTdSampleDx
> e.inf
> --
> 2.19.2.windows.1

Re: [PATCH V3 4/6] IntelSiliconPkg/IntelPciDeviceSecurityDxe: Add PciSecurity.

[Yao, Jiewen]

Agree. I will remove them.

> -----Original Message-----
> From: Ni, Ray <ray.ni@intel.com>
> Sent: Monday, November 11, 2019 4:20 PM
> To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io
> Cc: Chaganty, Rangasai V <rangasai.v.chaganty@intel.com>; Lou, Yun
> <yun.lou@intel.com>
> Subject: RE: [PATCH V3 4/6] IntelSiliconPkg/IntelPciDeviceSecurityDxe: Add
> PciSecurity.
> 
> Jiewen,
> Below definitions are not used by the new driver but defined in
> driver internal header file.
> Can you please remove the unused definitions?
> 
> EDKII_DEVICE_SECURITY_EVENT_DATA_USB_CONTEXT
> #define EDKII_DEVICE_ROOT_CERT_VARAIBLE_NAME    L"devdb"
> #define EDKII_DEVICE_ROOT_CERT_VARAIBLE2_NAME   L"devdbx"
> 
> #define EDKII_DEVICE_SIGNATURE_DATABASE_GUID \
>   {0xb9c2b4f4, 0xbf5f, 0x462d, 0x8a, 0xdf, 0xc5, 0xc7, 0xa, 0xc3, 0x5d, 0xad}
> 
> > -----Original Message-----
> > From: Yao, Jiewen <jiewen.yao@intel.com>
> > Sent: Thursday, November 7, 2019 9:38 PM
> > To: devel@edk2.groups.io
> > Cc: Ni, Ray <ray.ni@intel.com>; Chaganty, Rangasai V
> > <rangasai.v.chaganty@intel.com>; Lou, Yun <yun.lou@intel.com>
> > Subject: [PATCH V3 4/6] IntelSiliconPkg/IntelPciDeviceSecurityDxe: Add
> > PciSecurity.
> >
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303
> >
> > This driver is to do the PCI device authentication based upon Intel PCIe
> > Security Specification.
> >
> > Cc: Ray Ni <ray.ni@intel.com>
> > Cc: Rangasai V Chaganty <rangasai.v.chaganty@intel.com>
> > Cc: Yun Lou <yun.lou@intel.com>
> > Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
> > Signed-off-by: Yun Lou <yun.lou@intel.com>
> > ---
> >  .../IntelPciDeviceSecurityDxe.c               | 697 ++++++++++++++++++
> >  .../IntelPciDeviceSecurityDxe.inf             |  45 ++
> >  .../TcgDeviceEvent.h                          | 178 +++++
> >  3 files changed, 920 insertions(+)
> >  create mode 100644
> > Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe
> > /IntelPciDeviceSecurityDxe.c
> >  create mode 100644
> > Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe
> > /IntelPciDeviceSecurityDxe.inf
> >  create mode 100644
> > Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe
> > /TcgDeviceEvent.h
> >
> > diff --git
> > a/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDx
> > e/IntelPciDeviceSecurityDxe.c
> > b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityD
> > xe/IntelPciDeviceSecurityDxe.c
> > new file mode 100644
> > index 0000000000..8838d5635a
> > --- /dev/null
> > +++ b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceS
> > +++ ecurityDxe/IntelPciDeviceSecurityDxe.c
> > @@ -0,0 +1,697 @@
> > +/** @file
> > +  EDKII Device Security library for PCI device.
> > +  It follows the Intel PCIe Security Specification.
> > +
> > +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> > +SPDX-License-Identifier: BSD-2-Clause-Patent
> > +
> > +**/
> > +
> > +#include <Uefi.h>
> > +#include <IndustryStandard/Spdm.h>
> > +#include <IndustryStandard/IntelPciSecurity.h>
> > +#include <IndustryStandard/Pci.h>
> > +#include <IndustryStandard/Tpm20.h>
> > +#include <IndustryStandard/UefiTcgPlatform.h>
> > +#include <Library/BaseLib.h>
> > +#include <Library/DebugLib.h>
> > +#include <Library/BaseMemoryLib.h>
> > +#include <Library/UefiBootServicesTableLib.h>
> > +#include <Library/MemoryAllocationLib.h> #include
> > +<Library/TpmMeasurementLib.h> #include <Protocol/PciIo.h> #include
> > +<Protocol/DeviceSecurity.h> #include
> > +<Protocol/PlatformDeviceSecurityPolicy.h>
> > +#include "TcgDeviceEvent.h"
> > +
> > +typedef struct {
> > +  EDKII_DEVICE_SECURITY_EVENT_DATA_HEADER       EventData;
> > +  SPDM_MEASUREMENT_BLOCK_COMMON_HEADER          CommonHeader;
> > +  SPDM_MEASUREMENT_BLOCK_DMTF_HEADER            DmtfHeader;
> > +  UINT8                                         Digest[SHA256_DIGEST_SIZE];
> > +  EDKII_DEVICE_SECURITY_EVENT_DATA_PCI_CONTEXT  PciContext; }
> > +EDKII_DEVICE_SECURITY_PCI_EVENT_DATA;
> > +
> > +typedef struct {
> > +  UINTN         Signature;
> > +  LIST_ENTRY    Link;
> > +  UINTN         PciSegment;
> > +  UINTN         PciBus;
> > +  UINTN         PciDevice;
> > +  UINTN         PciFunction;
> > +} PCI_DEVICE_INSTANCE;
> > +
> > +#define PCI_DEVICE_INSTANCE_SIGNATURE  SIGNATURE_32 ('P', 'D', 'I',
> > +'S') #define PCI_DEVICE_INSTANCE_FROM_LINK(a)  CR (a,
> > +PCI_DEVICE_INSTANCE, Link, PCI_DEVICE_INSTANCE_SIGNATURE)
> > +
> > +LIST_ENTRY mSecurityEventMeasurementDeviceList =
> > +INITIALIZE_LIST_HEAD_VARIABLE(mSecurityEventMeasurementDeviceList)
> > ;;
> > +EDKII_DEVICE_SECURITY_POLICY_PROTOCOL  *mDeviceSecurityPolicy;
> > +
> > +/**
> > +  Record a PCI device into device list.
> > +
> > +  @param PciIo            PciIo instance of the device
> > +  @param PciDeviceList    The list to record the the device
> > +**/
> > +VOID
> > +RecordPciDeviceInList(
> > +  IN EFI_PCI_IO_PROTOCOL          *PciIo,
> > +  IN LIST_ENTRY                   *PciDeviceList
> > +  )
> > +{
> > +  UINTN                 PciSegment;
> > +  UINTN                 PciBus;
> > +  UINTN                 PciDevice;
> > +  UINTN                 PciFunction;
> > +  EFI_STATUS            Status;
> > +  PCI_DEVICE_INSTANCE   *NewPciDevice;
> > +
> > +  Status = PciIo->GetLocation (PciIo, &PciSegment, &PciBus, &PciDevice,
> > + &PciFunction);  ASSERT_EFI_ERROR(Status);
> > +
> > +  NewPciDevice = AllocateZeroPool(sizeof(*NewPciDevice));
> > +  ASSERT_EFI_ERROR(NewPciDevice != NULL);
> > +
> > +  NewPciDevice->Signature   = PCI_DEVICE_INSTANCE_SIGNATURE;
> > +  NewPciDevice->PciSegment  = PciSegment;
> > +  NewPciDevice->PciBus      = PciBus;
> > +  NewPciDevice->PciDevice   = PciDevice;
> > +  NewPciDevice->PciFunction = PciFunction;
> > +
> > +  InsertTailList(PciDeviceList, &NewPciDevice->Link); }
> > +
> > +/**
> > +  Check if a PCI device is recorded in device list.
> > +
> > +  @param PciIo            PciIo instance of the device
> > +  @param PciDeviceList    The list to record the the device
> > +
> > +  @retval TRUE  The PCI device is in the list.
> > +  @retval FALSE The PCI device is NOT in the list.
> > +**/
> > +BOOLEAN
> > +IsPciDeviceInList(
> > +  IN EFI_PCI_IO_PROTOCOL          *PciIo,
> > +  IN LIST_ENTRY                   *PciDeviceList
> > +  )
> > +{
> > +  UINTN                 PciSegment;
> > +  UINTN                 PciBus;
> > +  UINTN                 PciDevice;
> > +  UINTN                 PciFunction;
> > +  EFI_STATUS            Status;
> > +  LIST_ENTRY            *Link;
> > +  PCI_DEVICE_INSTANCE   *CurrentPciDevice;
> > +
> > +  Status = PciIo->GetLocation (PciIo, &PciSegment, &PciBus, &PciDevice,
> > + &PciFunction);  ASSERT_EFI_ERROR(Status);
> > +
> > +  Link = GetFirstNode(PciDeviceList);
> > +  while (!IsNull(PciDeviceList, Link)) {
> > +    CurrentPciDevice = PCI_DEVICE_INSTANCE_FROM_LINK(Link);
> > +
> > +    if (CurrentPciDevice->PciSegment == PciSegment && CurrentPciDevice-
> > >PciBus == PciBus &&
> > +        CurrentPciDevice->PciDevice == PciDevice && CurrentPciDevice-
> > >PciFunction == PciFunction) {
> > +      DEBUG((DEBUG_INFO, "PCI device duplicated (Loc -
> >  %04x:%02x:%02x:%02x)\n", PciSegment, PciBus, PciDevice, PciFunction));
> > +      return TRUE;
> > +    }
> > +
> > +    Link = GetNextNode(PciDeviceList, Link);  }
> > +
> > +  return FALSE;
> > +}
> > +
> > +/*
> > +  return Offset of the PCI Cap ID.
> > +
> > +  @param PciIo            PciIo instance of the device
> > +  @param CapId            The Capability ID of the Pci device
> > +
> > +  @return The PCI Capability ID Offset
> > +*/
> > +UINT32
> > +GetPciCapId (
> > +  IN EFI_PCI_IO_PROTOCOL          *PciIo,
> > +  IN UINT8                        CapId
> > +  )
> > +{
> > +  EFI_PCI_CAPABILITY_HDR                    PciCapIdHdr;
> > +  UINT32                                    PciCapIdOffset;
> > +  EFI_STATUS                                Status;
> > +
> > +  PciCapIdHdr.CapabilityID = ~CapId;
> > +  Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint8,
> > + PCI_CAPBILITY_POINTER_OFFSET, 1, &PciCapIdHdr.NextItemPtr);
> > + ASSERT_EFI_ERROR(Status);  if (PciCapIdHdr.NextItemPtr == 0 ||
> > PciCapIdHdr.NextItemPtr == 0xFF) {
> > +    return 0;
> > +  }
> > +  PciCapIdOffset = 0;
> > +  do {
> > +    if (PciCapIdHdr.CapabilityID == CapId) {
> > +      break;
> > +    }
> > +    PciCapIdOffset = PciCapIdHdr.NextItemPtr;
> > +    Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, PciCapIdOffset, 1,
> > &PciCapIdHdr);
> > +    ASSERT_EFI_ERROR(Status);
> > +  } while (PciCapIdHdr.NextItemPtr != 0 && PciCapIdHdr.NextItemPtr !=
> > + 0xFF);
> > +
> > +  if (PciCapIdHdr.CapabilityID == CapId) {
> > +    return PciCapIdOffset;
> > +  } else {
> > +    return 0;
> > +  }
> > +}
> > +
> > +/*
> > +  return Offset of the PCIe Ext Cap ID.
> > +
> > +  @param PciIo            PciIo instance of the device
> > +  @param CapId            The Ext Capability ID of the Pci device
> > +
> > +  @return The PCIe Ext Capability ID Offset */
> > +UINT32
> > +GetPciExpressExtCapId (
> > +  IN EFI_PCI_IO_PROTOCOL          *PciIo,
> > +  IN UINT16                       CapId
> > +  )
> > +{
> > +  UINT32                                    PcieCapIdOffset;
> > +  PCI_EXPRESS_EXTENDED_CAPABILITIES_HEADER  PciExpressExtCapIdHdr;
> > +  EFI_STATUS                                Status;
> > +
> > +  PcieCapIdOffset = GetPciCapId (PciIo, EFI_PCI_CAPABILITY_ID_PCIEXP);
> > + if (PcieCapIdOffset == 0) {
> > +    return 0;
> > +  }
> > +
> > +  PciExpressExtCapIdHdr.CapabilityId = ~CapId;
> > + PciExpressExtCapIdHdr.CapabilityVersion = 0xF;
> > + PciExpressExtCapIdHdr.NextCapabilityOffset = 0x100;  PcieCapIdOffset =
> > + 0;  do {
> > +    if (PciExpressExtCapIdHdr.CapabilityId == CapId) {
> > +      break;
> > +    }
> > +    PcieCapIdOffset = PciExpressExtCapIdHdr.NextCapabilityOffset;
> > +    Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint32, PcieCapIdOffset, 1,
> > &PciExpressExtCapIdHdr);
> > +    ASSERT_EFI_ERROR(Status);
> > +  } while (PciExpressExtCapIdHdr.NextCapabilityOffset != 0 &&
> > + PciExpressExtCapIdHdr.NextCapabilityOffset != 0xFFF);
> > +
> > +  if (PciExpressExtCapIdHdr.CapabilityId == CapId) {
> > +    return PcieCapIdOffset;
> > +  } else {
> > +    return 0;
> > +  }
> > +}
> > +
> > +/**
> > +  Read byte of the PCI device configuration space.
> > +
> > +  @param PciIo            PciIo instance of the device
> > +  @param Offset           The offset of the Pci device configuration space
> > +
> > +  @return Byte value of the PCI device configuration space.
> > +**/
> > +UINT8
> > +DvSecPciRead8 (
> > +  IN EFI_PCI_IO_PROTOCOL *PciIo,
> > +  IN UINT32              Offset
> > +  )
> > +{
> > +  EFI_STATUS  Status;
> > +  UINT8       Data;
> > +
> > +  Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint8, Offset, 1,
> > + &Data);  ASSERT_EFI_ERROR(Status);
> > +
> > +  return Data;
> > +}
> > +
> > +/**
> > +  Write byte of the PCI device configuration space.
> > +
> > +  @param PciIo            PciIo instance of the device
> > +  @param Offset           The offset of the Pci device configuration space
> > +  @param Data             Byte value of the PCI device configuration space.
> > +**/
> > +VOID
> > +DvSecPciWrite8 (
> > +  IN EFI_PCI_IO_PROTOCOL *PciIo,
> > +  IN UINT32              Offset,
> > +  IN UINT8               Data
> > +  )
> > +{
> > +  EFI_STATUS  Status;
> > +
> > +  Status = PciIo->Pci.Write (PciIo, EfiPciIoWidthUint8, Offset, 1,
> > +&Data);
> > +  ASSERT_EFI_ERROR(Status);
> > +}
> > +
> > +/**
> > +  Get the Digest size from the TCG hash Algorithm ID.
> > +
> > +  @param TcgAlgId            TCG hash Algorithm ID
> > +
> > +  @return Digest size of the TCG hash Algorithm ID **/ UINTN
> > +DigestSizeFromTcgAlgId (
> > +  IN UINT16                                    TcgAlgId
> > +  )
> > +{
> > +  switch (TcgAlgId) {
> > +  case TPM_ALG_SHA256:
> > +    return SHA256_DIGEST_SIZE;
> > +  case TPM_ALG_SHA384:
> > +  case TPM_ALG_SHA512:
> > +  case TPM_ALG_SM3_256:
> > +  default:
> > +    break;
> > +  }
> > +  return 0;
> > +}
> > +
> > +/**
> > +  Convert the SPDM hash algo ID from the TCG hash Algorithm ID.
> > +
> > +  @param TcgAlgId            TCG hash Algorithm ID
> > +
> > +  @return SPDM hash algo ID
> > +**/
> > +UINT32
> > +TcgAlgIdToSpdmHashAlgo (
> > +  IN UINT16                                    TcgAlgId
> > +  )
> > +{
> > +  switch (TcgAlgId) {
> > +  case TPM_ALG_SHA256:
> > +    return SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA_256;
> > +  case TPM_ALG_SHA384:
> > +  case TPM_ALG_SHA512:
> > +  case TPM_ALG_SM3_256:
> > +  default:
> > +    break;
> > +  }
> > +  return 0;
> > +}
> > +
> > +/**
> > +  This function extend the PCI digest from the DvSec register.
> > +
> > +  @param[in]  PciIo                  The PciIo of the device.
> > +  @param[in]  DeviceSecurityPolicy   The Device Security Policy associated
> > with the device.
> > +  @param[in]  TcgAlgId               TCG hash Algorithm ID
> > +  @param[in]  DigestSel              The digest selector
> > +  @param[in]  Digest                 The digest buffer
> > +  @param[out] DeviceSecurityState    The Device Security state associated
> > with the device.
> > +**/
> > +VOID
> > +ExtendDigestRegister (
> > +  IN EFI_PCI_IO_PROTOCOL          *PciIo,
> > +  IN EDKII_DEVICE_SECURITY_POLICY *DeviceSecurityPolicy,
> > +  IN UINT16                       TcgAlgId,
> > +  IN UINT8                        DigestSel,
> > +  IN UINT8                        *Digest,
> > +  OUT EDKII_DEVICE_SECURITY_STATE *DeviceSecurityState
> > +  )
> > +{
> > +  UINT32                                                   PcrIndex;
> > +  UINT32                                                   EventType;
> > +  EDKII_DEVICE_SECURITY_PCI_EVENT_DATA                     EventLog;
> > +  EFI_STATUS                                               Status;
> > +  PCI_TYPE00                                               PciData;
> > +
> > +  Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint8, 0,
> > + sizeof(PciData), &PciData);  ASSERT_EFI_ERROR(Status);
> > +
> > +  PcrIndex = EDKII_DEVICE_MEASUREMENT_COMPONENT_PCR_INDEX;
> > +  EventType = EDKII_DEVICE_MEASUREMENT_COMPONENT_EVENT_TYPE;
> > +
> > +  CopyMem (EventLog.EventData.Signature,
> > EDKII_DEVICE_SECURITY_EVENT_DATA_SIGNATURE,
> > sizeof(EventLog.EventData.Signature));
> > +  EventLog.EventData.Version                  =
> > EDKII_DEVICE_SECURITY_EVENT_DATA_VERSION;
> > +  EventLog.EventData.Length                   =
> > sizeof(EDKII_DEVICE_SECURITY_PCI_EVENT_DATA);
> > +  EventLog.EventData.SpdmHashAlgo             = TcgAlgIdToSpdmHashAlgo
> > (TcgAlgId);
> > +  EventLog.EventData.DeviceType               =
> > EDKII_DEVICE_SECURITY_EVENT_DATA_DEVICE_TYPE_PCI;
> > +
> > +  EventLog.CommonHeader.Index                      = DigestSel;
> > +  EventLog.CommonHeader.MeasurementSpecification   =
> > SPDM_MEASUREMENT_BLOCK_HEADER_SPECIFICATION_DMTF;
> > +  EventLog.CommonHeader.MeasurementSize            =
> > sizeof(SPDM_MEASUREMENT_BLOCK_DMTF_HEADER) +
> > SHA256_DIGEST_SIZE;
> > +  EventLog.DmtfHeader.DMTFSpecMeasurementValueType =
> > +
> > SPDM_MEASUREMENT_BLOCK_MEASUREMENT_TYPE_MUTABLE_FIRMWA
> > RE;
> > +  EventLog.DmtfHeader.DMTFSpecMeasurementValueSize =
> > + SHA256_DIGEST_SIZE;  CopyMem (&EventLog.Digest, Digest,
> > + SHA256_DIGEST_SIZE);
> > +
> > +  EventLog.PciContext.Version           =
> > EDKII_DEVICE_SECURITY_EVENT_DATA_PCI_CONTEXT_VERSION;
> > +  EventLog.PciContext.Length            =
> > sizeof(EDKII_DEVICE_SECURITY_EVENT_DATA_PCI_CONTEXT);
> > +  EventLog.PciContext.VendorId          = PciData.Hdr.VendorId;
> > +  EventLog.PciContext.DeviceId          = PciData.Hdr.DeviceId;
> > +  EventLog.PciContext.RevisionID        = PciData.Hdr.RevisionID;
> > +  EventLog.PciContext.ClassCode[0]      = PciData.Hdr.ClassCode[0];
> > +  EventLog.PciContext.ClassCode[1]      = PciData.Hdr.ClassCode[1];
> > +  EventLog.PciContext.ClassCode[2]      = PciData.Hdr.ClassCode[2];
> > +  if ((PciData.Hdr.HeaderType & HEADER_LAYOUT_CODE) ==
> > HEADER_TYPE_DEVICE) {
> > +    EventLog.PciContext.SubsystemVendorID =
> > PciData.Device.SubsystemVendorID;
> > +    EventLog.PciContext.SubsystemID       = PciData.Device.SubsystemID;
> > +  } else {
> > +    EventLog.PciContext.SubsystemVendorID = 0;
> > +    EventLog.PciContext.SubsystemID       = 0;
> > +  }
> > +
> > +  Status = TpmMeasureAndLogData (
> > +             PcrIndex,
> > +             EventType,
> > +             &EventLog,
> > +             EventLog.EventData.Length,
> > +             Digest,
> > +             SHA256_DIGEST_SIZE
> > +             );
> > +  DEBUG((DEBUG_INFO, "TpmMeasureAndLogData - %r\n", Status));
> > +  if (EFI_ERROR(Status)) {
> > +    DeviceSecurityState->MeasurementState =
> > +EDKII_DEVICE_SECURITY_STATE_ERROR_TCG_EXTEND_TPM_PCR;
> > +  } else {
> > +    RecordPciDeviceInList (PciIo,
> > +&mSecurityEventMeasurementDeviceList);
> > +  }
> > +}
> > +
> > +/**
> > +  This function reads the PCI digest from the DvSec register and extend to
> > TPM.
> > +
> > +  @param[in]  PciIo                  The PciIo of the device.
> > +  @param[in]  DvSecOffset            The DvSec register offset of the device.
> > +  @param[in]  DeviceSecurityPolicy   The Device Security Policy associated
> > with the device.
> > +  @param[out] DeviceSecurityState    The Device Security state associated
> > with the device.
> > +**/
> > +VOID
> > +DoMeasurementsFromDigestRegister (
> > +  IN EFI_PCI_IO_PROTOCOL          *PciIo,
> > +  IN UINT32                       DvSecOffset,
> > +  IN EDKII_DEVICE_SECURITY_POLICY *DeviceSecurityPolicy,
> > +  OUT EDKII_DEVICE_SECURITY_STATE *DeviceSecurityState
> > +  )
> > +{
> > +  UINT8                                     Modified;
> > +  UINT8                                     Valid;
> > +  UINT16                                    TcgAlgId;
> > +  UINT8                                     NumDigest;
> > +  UINT8                                     DigestSel;
> > +  UINT8                                     Digest[SHA256_DIGEST_SIZE];
> > +  UINTN                                     DigestSize;
> > +  EFI_STATUS                                Status;
> > +
> > +  TcgAlgId = DvSecPciRead8 (
> > +               PciIo,
> > +               DvSecOffset + sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER) +
> > OFFSET_OF(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, TcgAlgId)
> > +               );
> > +  DEBUG((DEBUG_INFO, "  TcgAlgId      - 0x%04x\n", TcgAlgId));
> > +  DigestSize = DigestSizeFromTcgAlgId (TcgAlgId);  if (DigestSize == 0)
> > + {
> > +    DEBUG((DEBUG_INFO, "Unsupported Algorithm - 0x%04x\n", TcgAlgId));
> > +    DeviceSecurityState->MeasurementState =
> > EDKII_DEVICE_SECURITY_STATE_ERROR_PCI_NO_CAPABILITIES;
> > +    return ;
> > +  }
> > +  DEBUG((DEBUG_INFO, "  (DigestSize: 0x%x)\n", DigestSize));
> > +
> > +  DeviceSecurityState->MeasurementState =
> > + EDKII_DEVICE_SECURITY_STATE_SUCCESS;
> > +
> > +  NumDigest = DvSecPciRead8 (
> > +                PciIo,
> > +                DvSecOffset + sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER) +
> > OFFSET_OF(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, FirmwareID)
> > +                );
> > +  DEBUG((DEBUG_INFO, "  NumDigest     - 0x%02x\n", NumDigest));
> > +
> > +  Valid = DvSecPciRead8 (
> > +            PciIo,
> > +            DvSecOffset + sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER) +
> > OFFSET_OF(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, Valid)
> > +            );
> > +  DEBUG((DEBUG_INFO, "  Valid         - 0x%02x\n", Valid));
> > +
> > +  //
> > +  // Only 2 are supported as maximum.
> > +  // But hardware may report 3.
> > +  //
> > +  if (NumDigest > 2) {
> > +    NumDigest = 2;
> > +  }
> > +
> > +  for (DigestSel = 0; DigestSel < NumDigest; DigestSel++) {
> > +    DEBUG((DEBUG_INFO, "  DigestSel     - 0x%02x\n", DigestSel));
> > +    if ((DigestSel == 0) && ((Valid & INTEL_PCI_DIGEST_0_VALID) == 0)) {
> > +      continue;
> > +    }
> > +    if ((DigestSel == 1) && ((Valid & INTEL_PCI_DIGEST_1_VALID) == 0)) {
> > +      continue;
> > +    }
> > +    while (TRUE) {
> > +      //
> > +      // Host MUST clear DIGEST_MODIFIED before read DIGEST.
> > +      //
> > +      DvSecPciWrite8 (
> > +        PciIo,
> > +        DvSecOffset + sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER) +
> > OFFSET_OF(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, Modified),
> > +        INTEL_PCI_DIGEST_MODIFIED
> > +        );
> > +
> > +      Status = PciIo->Pci.Read (
> > +                            PciIo,
> > +                            EfiPciIoWidthUint8,
> > +                            (UINT32)(DvSecOffset +
> > sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER) +
> > sizeof(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE) + DigestSize * DigestSel),
> > +                            DigestSize,
> > +                            Digest
> > +                            );
> > +      ASSERT_EFI_ERROR(Status);
> > +
> > +      //
> > +      // After read DIGEST, Host MUST consult DIGEST_MODIFIED.
> > +      //
> > +      Modified = DvSecPciRead8 (
> > +                   PciIo,
> > +                   DvSecOffset + sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER) +
> > OFFSET_OF(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, Modified)
> > +                   );
> > +      if ((Modified & INTEL_PCI_DIGEST_MODIFIED) == 0) {
> > +        break;
> > +      }
> > +    }
> > +
> > +    //
> > +    // Dump Digest
> > +    //
> > +    {
> > +      UINTN  Index;
> > +      DEBUG((DEBUG_INFO, "  Digest        - "));
> > +      for (Index = 0; Index < DigestSize; Index++) {
> > +        DEBUG((DEBUG_INFO, "%02x", *(Digest + Index)));
> > +      }
> > +      DEBUG((DEBUG_INFO, "\n"));
> > +    }
> > +
> > +    DEBUG((DEBUG_INFO, "ExtendDigestRegister...\n",
> > ExtendDigestRegister));
> > +    ExtendDigestRegister (PciIo, DeviceSecurityPolicy, TcgAlgId,
> > +DigestSel, Digest, DeviceSecurityState);
> > +  }
> > +}
> > +
> > +/**
> > +  The device driver uses this service to measure a PCI device.
> > +
> > +  @param[in]  PciIo                  The PciIo of the device.
> > +  @param[in]  DeviceSecurityPolicy   The Device Security Policy associated
> > with the device.
> > +  @param[out] DeviceSecurityState    The Device Security state associated
> > with the device.
> > +**/
> > +VOID
> > +DoDeviceMeasurement (
> > +  IN EFI_PCI_IO_PROTOCOL          *PciIo,
> > +  IN EDKII_DEVICE_SECURITY_POLICY *DeviceSecurityPolicy,
> > +  OUT EDKII_DEVICE_SECURITY_STATE *DeviceSecurityState
> > +  )
> > +{
> > +  UINT32                                    DvSecOffset;
> > +  INTEL_PCI_DIGEST_CAPABILITY_HEADER        DvSecHdr;
> > +  EFI_STATUS                                Status;
> > +
> > +  if (IsPciDeviceInList (PciIo, &mSecurityEventMeasurementDeviceList)) {
> > +    DeviceSecurityState->MeasurementState =
> > EDKII_DEVICE_SECURITY_STATE_SUCCESS;
> > +    return ;
> > +  }
> > +
> > +  DvSecOffset = GetPciExpressExtCapId (PciIo, INTEL_PCI_CAPID_DVSEC);
> > + DEBUG((DEBUG_INFO, "DvSec Capability - 0x%x\n", DvSecOffset));  if
> > + (DvSecOffset == 0) {
> > +    DeviceSecurityState->MeasurementState =
> > EDKII_DEVICE_SECURITY_STATE_ERROR_PCI_NO_CAPABILITIES;
> > +    return ;
> > +  }
> > +  Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, DvSecOffset,
> > + sizeof(DvSecHdr)/sizeof(UINT16), &DvSecHdr);
> > ASSERT_EFI_ERROR(Status);
> > +  DEBUG((DEBUG_INFO, "  CapId         - 0x%04x\n", DvSecHdr.CapId));
> > +  DEBUG((DEBUG_INFO, "  CapVersion    - 0x%01x\n",
> > DvSecHdr.CapVersion));
> > +  DEBUG((DEBUG_INFO, "  NextOffset    - 0x%03x\n",
> > DvSecHdr.NextOffset));
> > +  DEBUG((DEBUG_INFO, "  DvSecVendorId - 0x%04x\n",
> > + DvSecHdr.DvSecVendorId));  DEBUG((DEBUG_INFO, "  DvSecRevision -
> > 0x%01x\n", DvSecHdr.DvSecRevision));
> > +  DEBUG((DEBUG_INFO, "  DvSecLength   - 0x%03x\n",
> > DvSecHdr.DvSecLength));
> > +  DEBUG((DEBUG_INFO, "  DvSecId       - 0x%04x\n", DvSecHdr.DvSecId));
> > +  if ((DvSecHdr.DvSecVendorId != INTEL_PCI_DVSEC_VENDORID_INTEL) &&
> > +      (DvSecHdr.DvSecId != INTEL_PCI_DVSEC_DVSECID_MEASUREMENT)) {
> > +    DeviceSecurityState->MeasurementState =
> > EDKII_DEVICE_SECURITY_STATE_ERROR_PCI_NO_CAPABILITIES;
> > +    return ;
> > +  }
> > +
> > +  DoMeasurementsFromDigestRegister (PciIo, DvSecOffset,
> > +DeviceSecurityPolicy, DeviceSecurityState); }
> > +
> > +/**
> > +  The device driver uses this service to verify a PCI device.
> > +
> > +  @param[in]  PciIo                  The PciIo of the device.
> > +  @param[in]  DeviceSecurityPolicy   The Device Security Policy associated
> > with the device.
> > +  @param[out] DeviceSecurityState    The Device Security state associated
> > with the device.
> > +**/
> > +VOID
> > +DoDeviceAuthentication (
> > +  IN EFI_PCI_IO_PROTOCOL          *PciIo,
> > +  IN EDKII_DEVICE_SECURITY_POLICY *DeviceSecurityPolicy,
> > +  OUT EDKII_DEVICE_SECURITY_STATE *DeviceSecurityState
> > +  )
> > +{
> > +  DeviceSecurityState->AuthenticationState =
> > +EDKII_DEVICE_SECURITY_STATE_ERROR_UEFI_UNSUPPORTED;
> > +}
> > +
> > +/**
> > +  The device driver uses this service to measure and/or verify a device.
> > +
> > +  The flow in device driver is:
> > +  1) Device driver discovers a new device.
> > +  2) Device driver creates an EFI_DEVICE_PATH_PROTOCOL.
> > +  3) Device driver creates a device access protocol. e.g.
> > +     EFI_PCI_IO_PROTOCOL for PCI device.
> > +     EFI_USB_IO_PROTOCOL for USB device.
> > +     EFI_EXT_SCSI_PASS_THRU_PROTOCOL for SCSI device.
> > +     EFI_ATA_PASS_THRU_PROTOCOL for ATA device.
> > +     EFI_NVM_EXPRESS_PASS_THRU_PROTOCOL for NVMe device.
> > +     EFI_SD_MMC_PASS_THRU_PROTOCOL for SD/MMC device.
> > +  4) Device driver installs the EFI_DEVICE_PATH_PROTOCOL with
> > EFI_DEVICE_PATH_PROTOCOL_GUID,
> > +     and the device access protocol with
> > EDKII_DEVICE_IDENTIFIER_TYPE_xxx_GUID.
> > +     Once it is done, a DeviceHandle is returned.
> > +  5) Device driver creates EDKII_DEVICE_IDENTIFIER with
> > EDKII_DEVICE_IDENTIFIER_TYPE_xxx_GUID
> > +     and the DeviceHandle.
> > +  6) Device driver calls DeviceAuthenticate().
> > +  7) If DeviceAuthenticate() returns EFI_SECURITY_VIOLATION, the device
> > driver uninstalls
> > +     all protocols on this handle.
> > +  8) If DeviceAuthenticate() returns EFI_SUCCESS, the device driver installs
> > the device access
> > +     protocol with a real protocol GUID. e.g.
> > +     EFI_PCI_IO_PROTOCOL with EFI_PCI_IO_PROTOCOL_GUID.
> > +     EFI_USB_IO_PROTOCOL with EFI_USB_IO_PROTOCOL_GUID.
> > +
> > +  @param[in]  This              The protocol instance pointer.
> > +  @param[in]  DeviceId          The Identifier for the device.
> > +
> > +  @retval EFI_SUCCESS              The device specified by the DeviceId passed
> > the measurement
> > +                                   and/or authentication based upon the platform policy.
> > +                                   If TCG measurement is required, the measurement is
> > extended to TPM PCR.
> > +  @retval EFI_SECURITY_VIOLATION   The device fails to return the
> > measurement data.
> > +  @retval EFI_SECURITY_VIOLATION   The device fails to response the
> > authentication request.
> > +  @retval EFI_SECURITY_VIOLATION   The system fails to verify the device
> > based upon the authentication response.
> > +  @retval EFI_SECURITY_VIOLATION   The system fails to extend the
> > measurement to TPM PCR.
> > +**/
> > +EFI_STATUS
> > +EFIAPI
> > +DeviceAuthentication (
> > +  IN EDKII_DEVICE_SECURITY_PROTOCOL  *This,
> > +  IN EDKII_DEVICE_IDENTIFIER         *DeviceId
> > +  )
> > +{
> > +  EDKII_DEVICE_SECURITY_POLICY           DeviceSecurityPolicy;
> > +  EDKII_DEVICE_SECURITY_STATE            DeviceSecurityState;
> > +  EFI_PCI_IO_PROTOCOL                    *PciIo;
> > +  EFI_STATUS                             Status;
> > +
> > +  if (mDeviceSecurityPolicy == NULL) {
> > +    return EFI_SUCCESS;
> > +  }
> > +
> > +  if (!CompareGuid (&DeviceId->DeviceType,
> > &gEdkiiDeviceIdentifierTypePciGuid)) {
> > +    return EFI_SUCCESS;
> > +  }
> > +
> > +  Status = gBS->HandleProtocol (
> > +                  DeviceId->DeviceHandle,
> > +                  &gEdkiiDeviceIdentifierTypePciGuid,
> > +                  (VOID **)&PciIo
> > +                  );
> > +  if (EFI_ERROR(Status)) {
> > +    DEBUG ((DEBUG_ERROR, "Locate - DeviceIdentifierTypePci - %r\n",
> > Status));
> > +    return EFI_SUCCESS;
> > +  }
> > +
> > +  DeviceSecurityState.Version = EDKII_DEVICE_SECURITY_STATE_REVISION;
> > +  DeviceSecurityState.MeasurementState = 0x0;
> > + DeviceSecurityState.AuthenticationState = 0x0;
> > +
> > +  Status = mDeviceSecurityPolicy->GetDevicePolicy
> > + (mDeviceSecurityPolicy, DeviceId, &DeviceSecurityPolicy);  if
> > (EFI_ERROR(Status)) {
> > +    DEBUG((DEBUG_ERROR, "mDeviceSecurityPolicy->GetDevicePolicy -
> >  %r\n", Status));
> > +    DeviceSecurityState.MeasurementState =
> > EDKII_DEVICE_SECURITY_STATE_ERROR_UEFI_GET_POLICY_PROTOCOL;
> > +    DeviceSecurityState.AuthenticationState =
> > + EDKII_DEVICE_SECURITY_STATE_ERROR_UEFI_GET_POLICY_PROTOCOL;
> > +  } else {
> > +    if ((DeviceSecurityPolicy.MeasurementPolicy &
> > EDKII_DEVICE_MEASUREMENT_REQUIRED) != 0) {
> > +      DoDeviceMeasurement (PciIo, &DeviceSecurityPolicy,
> > &DeviceSecurityState);
> > +      DEBUG((DEBUG_ERROR, "MeasurementState - 0x%08x\n",
> > DeviceSecurityState.MeasurementState));
> > +    }
> > +    if ((DeviceSecurityPolicy.AuthenticationPolicy &
> > EDKII_DEVICE_AUTHENTICATION_REQUIRED) != 0) {
> > +      DoDeviceAuthentication (PciIo, &DeviceSecurityPolicy,
> > &DeviceSecurityState);
> > +      DEBUG((DEBUG_ERROR, "AuthenticationState - 0x%08x\n",
> > DeviceSecurityState.AuthenticationState));
> > +    }
> > +  }
> > +
> > +  Status = mDeviceSecurityPolicy->NotifyDeviceState
> > + (mDeviceSecurityPolicy, DeviceId, &DeviceSecurityState);  if
> > (EFI_ERROR(Status)) {
> > +    DEBUG((DEBUG_ERROR, "mDeviceSecurityPolicy->NotifyDeviceState -
> > + %r\n", Status));  }
> > +
> > +  if ((DeviceSecurityState.MeasurementState == 0) &&
> > +      (DeviceSecurityState.AuthenticationState == 0)) {
> > +    return EFI_SUCCESS;
> > +  } else {
> > +    return EFI_SECURITY_VIOLATION;
> > +  }
> > +}
> > +
> > +EDKII_DEVICE_SECURITY_PROTOCOL mDeviceSecurity = {
> > +  EDKII_DEVICE_SECURITY_PROTOCOL_REVISION,
> > +  DeviceAuthentication
> > +};
> > +
> > +/**
> > +  Entrypoint of the device security driver.
> > +
> > +  @param[in]  ImageHandle  ImageHandle of the loaded driver  @param[in]
> > + SystemTable  Pointer to the System Table
> > +
> > +  @retval  EFI_SUCCESS           The Protocol is installed.
> > +  @retval  EFI_OUT_OF_RESOURCES  Not enough resources available to
> > initialize driver.
> > +  @retval  EFI_DEVICE_ERROR      A device error occurred attempting to
> > initialize the driver.
> > +
> > +**/
> > +EFI_STATUS
> > +EFIAPI
> > +MainEntryPoint (
> > +  IN EFI_HANDLE        ImageHandle,
> > +  IN EFI_SYSTEM_TABLE  *SystemTable
> > +  )
> > +{
> > +  EFI_HANDLE  Handle;
> > +  EFI_STATUS  Status;
> > +
> > +  Status = gBS->LocateProtocol
> > + (&gEdkiiDeviceSecurityPolicyProtocolGuid, NULL, (VOID
> > + **)&mDeviceSecurityPolicy);  ASSERT_EFI_ERROR(Status);
> > +
> > +  Handle = NULL;
> > +  Status = gBS->InstallProtocolInterface (
> > +                  &Handle,
> > +                  &gEdkiiDeviceSecurityProtocolGuid,
> > +                  EFI_NATIVE_INTERFACE,
> > +                  (VOID **)&mDeviceSecurity
> > +                  );
> > +  ASSERT_EFI_ERROR(Status);
> > +
> > +  return Status;
> > +}
> > diff --git
> > a/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDx
> > e/IntelPciDeviceSecurityDxe.inf
> > b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityD
> > xe/IntelPciDeviceSecurityDxe.inf
> > new file mode 100644
> > index 0000000000..89a4c8fadd
> > --- /dev/null
> > +++ b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceS
> > +++ ecurityDxe/IntelPciDeviceSecurityDxe.inf
> > @@ -0,0 +1,45 @@
> > +## @file
> > +#  EDKII Device Security library for PCI device # # Copyright (c) 2019,
> > +Intel Corporation. All rights reserved.<BR> # SPDX-License-Identifier:
> > +BSD-2-Clause-Patent # ##
> > +
> > +[Defines]
> > +  INF_VERSION                    = 0x00010005
> > +  BASE_NAME                      = IntelPciDeviceSecurityDxe
> > +  FILE_GUID                      = D9569195-ED94-47D2-9523-38BF2D201371
> > +  MODULE_TYPE                    = DXE_DRIVER
> > +  VERSION_STRING                 = 1.0
> > +  ENTRY_POINT                    = MainEntryPoint
> > +
> > +[Sources]
> > +  IntelPciDeviceSecurityDxe.c
> > +  TcgDeviceEvent.h
> > +
> > +[Packages]
> > +  MdePkg/MdePkg.dec
> > +  MdeModulePkg/MdeModulePkg.dec
> > +  IntelSiliconPkg/IntelSiliconPkg.dec
> > +
> > +[LibraryClasses]
> > +  UefiRuntimeServicesTableLib
> > +  UefiBootServicesTableLib
> > +  UefiDriverEntryPoint
> > +  MemoryAllocationLib
> > +  DevicePathLib
> > +  BaseMemoryLib
> > +  PrintLib
> > +  DebugLib
> > +  UefiLib
> > +  PcdLib
> > +  TpmMeasurementLib
> > +
> > +[Protocols]
> > +  gEdkiiDeviceSecurityPolicyProtocolGuid  ## CONSUMES
> > +  gEdkiiDeviceSecurityProtocolGuid        ## PRODUCES
> > +  gEdkiiDeviceIdentifierTypePciGuid       ## COMSUMES
> > +
> > +[Depex]
> > +  gEdkiiDeviceSecurityPolicyProtocolGuid
> > diff --git
> > a/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDx
> > e/TcgDeviceEvent.h
> > b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityD
> > xe/TcgDeviceEvent.h
> > new file mode 100644
> > index 0000000000..5b642b3ecc
> > --- /dev/null
> > +++ b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceS
> > +++ ecurityDxe/TcgDeviceEvent.h
> > @@ -0,0 +1,178 @@
> > +/** @file
> > +  TCG Device Event data structure
> > +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> > +SPDX-License-Identifier: BSD-2-Clause-Patent **/
> > +
> > +
> > +#ifndef __TCG_EVENT_DATA_H__
> > +#define __TCG_EVENT_DATA_H__
> > +
> > +#include <IndustryStandard/Spdm.h>
> > +
> > +#pragma pack(1)
> > +
> > +// -------------------------------------------
> > +// TCG Measurement for SPDM Device Measurement //
> > +-------------------------------------------
> > +
> > +//
> > +// Device Firmware Component (including immutable ROM or mutable
> > +firmware) //
> > +#define EDKII_DEVICE_MEASUREMENT_COMPONENT_PCR_INDEX        2
> > +#define EDKII_DEVICE_MEASUREMENT_COMPONENT_EVENT_TYPE
> > 0x800000E1
> > +//
> > +// Device Firmware Configuration (including hardware configuration or
> > +firmware configuration) //
> > +#define EDKII_DEVICE_MEASUREMENT_CONFIGURATION_PCR_INDEX    4
> > +#define EDKII_DEVICE_MEASUREMENT_CONFIGURATION_EVENT_TYPE
> > 0x800000E2
> > +
> > +//
> > +// Device Firmware Measurement Measurement Data // The measurement
> > data
> > +is the device firmware measurement.
> > +//
> > +// In order to support crypto agile, the firmware will hash the
> > DeviceMeasurement again.
> > +// As such the device measurement algo might be different with host
> > firmware measurement algo.
> > +//
> > +
> > +//
> > +// Device Firmware Measurement Event Data // #define
> > +EDKII_DEVICE_SECURITY_EVENT_DATA_SIGNATURE "SPDM Device Sec\0"
> > +#define EDKII_DEVICE_SECURITY_EVENT_DATA_VERSION  0
> > +
> > +//
> > +// Device Type
> > +// 0x03 ~ 0xDF reserved by TCG.
> > +// 0xE0 ~ 0xFF reserved by OEM.
> > +//
> > +#define EDKII_DEVICE_SECURITY_EVENT_DATA_DEVICE_TYPE_NULL  0
> > +#define EDKII_DEVICE_SECURITY_EVENT_DATA_DEVICE_TYPE_PCI   1
> > +#define EDKII_DEVICE_SECURITY_EVENT_DATA_DEVICE_TYPE_USB   2
> > +
> > +//
> > +// Device Firmware Measurement Event Data Common Part // The device
> > +specific part should follow this data structure.
> > +//
> > +typedef struct {
> > +  //
> > +  // It must be EDKII_DEVICE_SECURITY_EVENT_DATA_SIGNATURE.
> > +  //
> > +  UINT8                          Signature[16];
> > +  //
> > +  // It must be EDKII_DEVICE_SECURITY_EVENT_DATA_VERSION.
> > +  //
> > +  UINT16                         Version;
> > +  //
> > +  // The length of whole data structure, including Device Context.
> > +  //
> > +  UINT16                         Length;
> > +  //
> > +  // The SpdmHashAlgo
> > +  //
> > +  UINT32                         SpdmHashAlgo;
> > +  //
> > +  // The type of device. This field is to determine the Device Context
> > followed by.
> > +  //
> > +  UINT32                         DeviceType;
> > +  //
> > +  // The SPDM measurement block.
> > +  //
> > +//SPDM_MEASUREMENT_BLOCK         SpdmMeasurementBlock;
> > +} EDKII_DEVICE_SECURITY_EVENT_DATA_HEADER;
> > +
> > +//
> > +// PCI device specific context
> > +//
> > +#define EDKII_DEVICE_SECURITY_EVENT_DATA_PCI_CONTEXT_VERSION  0
> > typedef
> > +struct {
> > +  UINT16  Version;
> > +  UINT16  Length;
> > +  UINT16  VendorId;
> > +  UINT16  DeviceId;
> > +  UINT8   RevisionID;
> > +  UINT8   ClassCode[3];
> > +  UINT16  SubsystemVendorID;
> > +  UINT16  SubsystemID;
> > +} EDKII_DEVICE_SECURITY_EVENT_DATA_PCI_CONTEXT;
> > +
> > +//
> > +// USB device specific context
> > +//
> > +#define EDKII_DEVICE_SECURITY_EVENT_DATA_USB_CONTEXT_VERSION
> > 0 typedef
> > +struct {
> > +  UINT16  Version;
> > +  UINT16  Length;
> > +//UINT8   DeviceDescriptor[DescLen];
> > +//UINT8   BodDescriptor[DescLen];
> > +//UINT8   ConfigurationDescriptor[DescLen][NumOfConfiguration];
> > +} EDKII_DEVICE_SECURITY_EVENT_DATA_USB_CONTEXT;
> > +
> > +// ----------------------------------------------
> > +// TCG Measurement for SPDM Device Authentication //
> > +----------------------------------------------
> > +
> > +//
> > +// Device Root cert is stored into a UEFI authenticated variable.
> > +// It is non-volatile, boot service, runtime service, and time based
> > authenticated variable.
> > +// The "devdb" includes a list of allowed device root cert.
> > +// The "devdbx" includes a list of forbidden device root cert.
> > +// The usage of "devdb" and "devdbx" is same as "db" and "dbx" in UEFI
> > secure boot.
> > +//
> > +// NOTE: We choose not to mix "db"/"dbx" for better management
> > purpose.
> > +//
> > +
> > +#define EDKII_DEVICE_ROOT_CERT_VARAIBLE_NAME    L"devdb"
> > +#define EDKII_DEVICE_ROOT_CERT_VARAIBLE2_NAME   L"devdbx"
> > +
> > +#define EDKII_DEVICE_SIGNATURE_DATABASE_GUID \
> > +  {0xb9c2b4f4, 0xbf5f, 0x462d, 0x8a, 0xdf, 0xc5, 0xc7, 0xa, 0xc3, 0x5d,
> > +0xad}
> > +
> > +//
> > +// Platform Firmware adhering to the policy MUST therefore measure the
> > following values into PCR[7]:
> > +// 1. The content of the
> > EDKII_DEVICE_SIGNATURE_DATABASE_GUID/EDKII_DEVICE_ROOT_CERT_V
> > ARAIBLE_NAME variable.
> > +// 2. The content of the
> > EDKII_DEVICE_SIGNATURE_DATABASE_GUID/EDKII_DEVICE_ROOT_CERT_V
> > ARAIBLE2_NAME variable.
> > +// 3. Entries in the
> > EDKII_DEVICE_SIGNATURE_DATABASE_GUID/EDKII_DEVICE_ROOT_CERT_V
> > ARAIBLE_NAME variable to
> > +//    authenticate the device.
> > +//
> > +// For all UEFI variable value events, the eventType SHALL be
> > +EV_EFI_VARIABLE_DRIVER_CONFIG and the Event // value SHALL be the
> > value of the UEFI_VARIABLE_DATA structure (this structure SHALL be
> > considered byte-aligned).
> > +// The measurement digest MUST be tagged Hash for each supported PCR
> > +bank of the event data which is the // UEFI_VARIABLE_DATA structure.
> > +The UEFI_VARIABLE_DATA.UnicodeNameLength value is the number of
> > CHAR16 // characters (not the number of bytes). The
> > UEFI_VARIABLE_DATA.UnicodeName contents MUST NOT include a NUL.
> > +// If reading a UEFI variable returns UEFI_NOT_FOUND, the
> > +UEFI_VARIABLE_DATA.VariableDataLength field MUST // be set to zero and
> > UEFI_VARIABLE_DATA.VariableData field will have a size of zero.
> > +//
> > +
> > +//
> > +// Entities that MUST be measured if the TPM is enabled:
> > +// 1. Before executing any code not cryptographically authenticated as
> > being provided by the Platform Manufacturer,
> > +//    the Platform Manufacturer firmware MUST measure the following
> > values, in the order listed using the
> > +//    EV_EFI_VARIABLE_DRIVER_CONFIG event type to PCR[7]:
> > +//    a) The content of the EDKII_DEVICE_SIGNATURE_DATABASE_GUID/
> > EDKII_DEVICE_ROOT_CERT_VARAIBLE_NAME variable.
> > +//    b) The content of the EDKII_DEVICE_SIGNATURE_DATABASE_GUID/
> > EDKII_DEVICE_ROOT_CERT_VARAIBLE2_NAME variable.
> > +// 2. If the platform supports changing any of the following UEFI policy
> > variables after they are initially measured
> > +//    in PCR[7] and before ExitBootServices() has completed, the platform
> > MAY be restarted OR the variables MUST be
> > +//    remeasured into PCR[7]. Additionally the normal update process for
> > setting any of the UEFI variables below SHOULD
> > +//    occur before the initial measurement in PCR[7] or after the call to
> > ExitBootServices() has completed.
> > +//    a) The content of the EDKII_DEVICE_SIGNATURE_DATABASE_GUID/
> > EDKII_DEVICE_ROOT_CERT_VARAIBLE_NAME variable.
> > +//    b) The content of the EDKII_DEVICE_SIGNATURE_DATABASE_GUID/
> > EDKII_DEVICE_ROOT_CERT_VARAIBLE2_NAME variable.
> > +// 3. The system SHALL measure the EV_SEPARATOR event in PCR[7]. (This
> > occurs at the same time the separator is
> > +//    measured to PCR[0-7].)
> > +//    Before setting up a device, the UEFI firmware SHALL determine if the
> > entry in the
> > +//    EDKII_DEVICE_SIGNATURE_DATABASE_GUID/
> > EDKII_DEVICE_ROOT_CERT_VARAIBLE_NAME variable that was used to
> > validate
> > +//    the device has previously been measured in PCR[7]. If it has not been, it
> > MUST be measured into PCR[7] as follows.
> > +//    If it has been measured previously, it MUST NOT be measured again.
> > The measurement SHALL occur in conjunction
> > +//    with device setup.
> > +//    a) The eventType SHALL be EV_EFI_VARIABLE_AUTHORITY.
> > +//    b) The event value SHALL be the value of the UEFI_VARIABLE_DATA
> > structure.
> > +//       i.   The UEFI_VARIABLE_DATA.VariableData value SHALL be the
> > UEFI_SIGNATURE_DATA value from the
> > +//            UEFI_SIGNATURE_LIST that contained the authority that was used
> > to validate the image.
> > +//       ii.  The UEFI_VARIABLE_DATA.VariableName SHALL be set to
> > UEFI_IMAGE_SECURITY_DATABASE_GUID.
> > +//       iii. The UEFI_VARIABLE_DATA.UnicodeName SHALL be set to the value
> > of UEFI_IMAGE_SECURITY_DATABASE.
> > +//            The value MUST NOT include the terminating NUL.
> > +//
> > +
> > +#pragma pack()
> > +
> > +#endif
> > --
> > 2.19.2.windows.1

Re: [PATCH V3 4/6] IntelSiliconPkg/IntelPciDeviceSecurityDxe: Add PciSecurity.

[Ni, Ray]

With that, Reviewed-by: Ray Ni <ray.ni@intel.com>

> -----Original Message-----
> From: Yao, Jiewen <jiewen.yao@intel.com>
> Sent: Monday, November 11, 2019 6:17 PM
> To: Ni, Ray <ray.ni@intel.com>; devel@edk2.groups.io
> Cc: Chaganty, Rangasai V <rangasai.v.chaganty@intel.com>; Lou, Yun <yun.lou@intel.com>
> Subject: RE: [PATCH V3 4/6] IntelSiliconPkg/IntelPciDeviceSecurityDxe: Add PciSecurity.
> 
> Agree. I will remove them.
> 
> > -----Original Message-----
> > From: Ni, Ray <ray.ni@intel.com>
> > Sent: Monday, November 11, 2019 4:20 PM
> > To: Yao, Jiewen <jiewen.yao@intel.com>; devel@edk2.groups.io
> > Cc: Chaganty, Rangasai V <rangasai.v.chaganty@intel.com>; Lou, Yun
> > <yun.lou@intel.com>
> > Subject: RE: [PATCH V3 4/6] IntelSiliconPkg/IntelPciDeviceSecurityDxe: Add
> > PciSecurity.
> >
> > Jiewen,
> > Below definitions are not used by the new driver but defined in
> > driver internal header file.
> > Can you please remove the unused definitions?
> >
> > EDKII_DEVICE_SECURITY_EVENT_DATA_USB_CONTEXT
> > #define EDKII_DEVICE_ROOT_CERT_VARAIBLE_NAME    L"devdb"
> > #define EDKII_DEVICE_ROOT_CERT_VARAIBLE2_NAME   L"devdbx"
> >
> > #define EDKII_DEVICE_SIGNATURE_DATABASE_GUID \
> >   {0xb9c2b4f4, 0xbf5f, 0x462d, 0x8a, 0xdf, 0xc5, 0xc7, 0xa, 0xc3, 0x5d, 0xad}
> >
> > > -----Original Message-----
> > > From: Yao, Jiewen <jiewen.yao@intel.com>
> > > Sent: Thursday, November 7, 2019 9:38 PM
> > > To: devel@edk2.groups.io
> > > Cc: Ni, Ray <ray.ni@intel.com>; Chaganty, Rangasai V
> > > <rangasai.v.chaganty@intel.com>; Lou, Yun <yun.lou@intel.com>
> > > Subject: [PATCH V3 4/6] IntelSiliconPkg/IntelPciDeviceSecurityDxe: Add
> > > PciSecurity.
> > >
> > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303
> > >
> > > This driver is to do the PCI device authentication based upon Intel PCIe
> > > Security Specification.
> > >
> > > Cc: Ray Ni <ray.ni@intel.com>
> > > Cc: Rangasai V Chaganty <rangasai.v.chaganty@intel.com>
> > > Cc: Yun Lou <yun.lou@intel.com>
> > > Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
> > > Signed-off-by: Yun Lou <yun.lou@intel.com>
> > > ---
> > >  .../IntelPciDeviceSecurityDxe.c               | 697 ++++++++++++++++++
> > >  .../IntelPciDeviceSecurityDxe.inf             |  45 ++
> > >  .../TcgDeviceEvent.h                          | 178 +++++
> > >  3 files changed, 920 insertions(+)
> > >  create mode 100644
> > > Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe
> > > /IntelPciDeviceSecurityDxe.c
> > >  create mode 100644
> > > Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe
> > > /IntelPciDeviceSecurityDxe.inf
> > >  create mode 100644
> > > Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe
> > > /TcgDeviceEvent.h
> > >
> > > diff --git
> > > a/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDx
> > > e/IntelPciDeviceSecurityDxe.c
> > > b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityD
> > > xe/IntelPciDeviceSecurityDxe.c
> > > new file mode 100644
> > > index 0000000000..8838d5635a
> > > --- /dev/null
> > > +++ b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceS
> > > +++ ecurityDxe/IntelPciDeviceSecurityDxe.c
> > > @@ -0,0 +1,697 @@
> > > +/** @file
> > > +  EDKII Device Security library for PCI device.
> > > +  It follows the Intel PCIe Security Specification.
> > > +
> > > +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> > > +SPDX-License-Identifier: BSD-2-Clause-Patent
> > > +
> > > +**/
> > > +
> > > +#include <Uefi.h>
> > > +#include <IndustryStandard/Spdm.h>
> > > +#include <IndustryStandard/IntelPciSecurity.h>
> > > +#include <IndustryStandard/Pci.h>
> > > +#include <IndustryStandard/Tpm20.h>
> > > +#include <IndustryStandard/UefiTcgPlatform.h>
> > > +#include <Library/BaseLib.h>
> > > +#include <Library/DebugLib.h>
> > > +#include <Library/BaseMemoryLib.h>
> > > +#include <Library/UefiBootServicesTableLib.h>
> > > +#include <Library/MemoryAllocationLib.h> #include
> > > +<Library/TpmMeasurementLib.h> #include <Protocol/PciIo.h> #include
> > > +<Protocol/DeviceSecurity.h> #include
> > > +<Protocol/PlatformDeviceSecurityPolicy.h>
> > > +#include "TcgDeviceEvent.h"
> > > +
> > > +typedef struct {
> > > +  EDKII_DEVICE_SECURITY_EVENT_DATA_HEADER       EventData;
> > > +  SPDM_MEASUREMENT_BLOCK_COMMON_HEADER          CommonHeader;
> > > +  SPDM_MEASUREMENT_BLOCK_DMTF_HEADER            DmtfHeader;
> > > +  UINT8                                         Digest[SHA256_DIGEST_SIZE];
> > > +  EDKII_DEVICE_SECURITY_EVENT_DATA_PCI_CONTEXT  PciContext; }
> > > +EDKII_DEVICE_SECURITY_PCI_EVENT_DATA;
> > > +
> > > +typedef struct {
> > > +  UINTN         Signature;
> > > +  LIST_ENTRY    Link;
> > > +  UINTN         PciSegment;
> > > +  UINTN         PciBus;
> > > +  UINTN         PciDevice;
> > > +  UINTN         PciFunction;
> > > +} PCI_DEVICE_INSTANCE;
> > > +
> > > +#define PCI_DEVICE_INSTANCE_SIGNATURE  SIGNATURE_32 ('P', 'D', 'I',
> > > +'S') #define PCI_DEVICE_INSTANCE_FROM_LINK(a)  CR (a,
> > > +PCI_DEVICE_INSTANCE, Link, PCI_DEVICE_INSTANCE_SIGNATURE)
> > > +
> > > +LIST_ENTRY mSecurityEventMeasurementDeviceList =
> > > +INITIALIZE_LIST_HEAD_VARIABLE(mSecurityEventMeasurementDeviceList)
> > > ;;
> > > +EDKII_DEVICE_SECURITY_POLICY_PROTOCOL  *mDeviceSecurityPolicy;
> > > +
> > > +/**
> > > +  Record a PCI device into device list.
> > > +
> > > +  @param PciIo            PciIo instance of the device
> > > +  @param PciDeviceList    The list to record the the device
> > > +**/
> > > +VOID
> > > +RecordPciDeviceInList(
> > > +  IN EFI_PCI_IO_PROTOCOL          *PciIo,
> > > +  IN LIST_ENTRY                   *PciDeviceList
> > > +  )
> > > +{
> > > +  UINTN                 PciSegment;
> > > +  UINTN                 PciBus;
> > > +  UINTN                 PciDevice;
> > > +  UINTN                 PciFunction;
> > > +  EFI_STATUS            Status;
> > > +  PCI_DEVICE_INSTANCE   *NewPciDevice;
> > > +
> > > +  Status = PciIo->GetLocation (PciIo, &PciSegment, &PciBus, &PciDevice,
> > > + &PciFunction);  ASSERT_EFI_ERROR(Status);
> > > +
> > > +  NewPciDevice = AllocateZeroPool(sizeof(*NewPciDevice));
> > > +  ASSERT_EFI_ERROR(NewPciDevice != NULL);
> > > +
> > > +  NewPciDevice->Signature   = PCI_DEVICE_INSTANCE_SIGNATURE;
> > > +  NewPciDevice->PciSegment  = PciSegment;
> > > +  NewPciDevice->PciBus      = PciBus;
> > > +  NewPciDevice->PciDevice   = PciDevice;
> > > +  NewPciDevice->PciFunction = PciFunction;
> > > +
> > > +  InsertTailList(PciDeviceList, &NewPciDevice->Link); }
> > > +
> > > +/**
> > > +  Check if a PCI device is recorded in device list.
> > > +
> > > +  @param PciIo            PciIo instance of the device
> > > +  @param PciDeviceList    The list to record the the device
> > > +
> > > +  @retval TRUE  The PCI device is in the list.
> > > +  @retval FALSE The PCI device is NOT in the list.
> > > +**/
> > > +BOOLEAN
> > > +IsPciDeviceInList(
> > > +  IN EFI_PCI_IO_PROTOCOL          *PciIo,
> > > +  IN LIST_ENTRY                   *PciDeviceList
> > > +  )
> > > +{
> > > +  UINTN                 PciSegment;
> > > +  UINTN                 PciBus;
> > > +  UINTN                 PciDevice;
> > > +  UINTN                 PciFunction;
> > > +  EFI_STATUS            Status;
> > > +  LIST_ENTRY            *Link;
> > > +  PCI_DEVICE_INSTANCE   *CurrentPciDevice;
> > > +
> > > +  Status = PciIo->GetLocation (PciIo, &PciSegment, &PciBus, &PciDevice,
> > > + &PciFunction);  ASSERT_EFI_ERROR(Status);
> > > +
> > > +  Link = GetFirstNode(PciDeviceList);
> > > +  while (!IsNull(PciDeviceList, Link)) {
> > > +    CurrentPciDevice = PCI_DEVICE_INSTANCE_FROM_LINK(Link);
> > > +
> > > +    if (CurrentPciDevice->PciSegment == PciSegment && CurrentPciDevice-
> > > >PciBus == PciBus &&
> > > +        CurrentPciDevice->PciDevice == PciDevice && CurrentPciDevice-
> > > >PciFunction == PciFunction) {
> > > +      DEBUG((DEBUG_INFO, "PCI device duplicated (Loc -
> > >  %04x:%02x:%02x:%02x)\n", PciSegment, PciBus, PciDevice, PciFunction));
> > > +      return TRUE;
> > > +    }
> > > +
> > > +    Link = GetNextNode(PciDeviceList, Link);  }
> > > +
> > > +  return FALSE;
> > > +}
> > > +
> > > +/*
> > > +  return Offset of the PCI Cap ID.
> > > +
> > > +  @param PciIo            PciIo instance of the device
> > > +  @param CapId            The Capability ID of the Pci device
> > > +
> > > +  @return The PCI Capability ID Offset
> > > +*/
> > > +UINT32
> > > +GetPciCapId (
> > > +  IN EFI_PCI_IO_PROTOCOL          *PciIo,
> > > +  IN UINT8                        CapId
> > > +  )
> > > +{
> > > +  EFI_PCI_CAPABILITY_HDR                    PciCapIdHdr;
> > > +  UINT32                                    PciCapIdOffset;
> > > +  EFI_STATUS                                Status;
> > > +
> > > +  PciCapIdHdr.CapabilityID = ~CapId;
> > > +  Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint8,
> > > + PCI_CAPBILITY_POINTER_OFFSET, 1, &PciCapIdHdr.NextItemPtr);
> > > + ASSERT_EFI_ERROR(Status);  if (PciCapIdHdr.NextItemPtr == 0 ||
> > > PciCapIdHdr.NextItemPtr == 0xFF) {
> > > +    return 0;
> > > +  }
> > > +  PciCapIdOffset = 0;
> > > +  do {
> > > +    if (PciCapIdHdr.CapabilityID == CapId) {
> > > +      break;
> > > +    }
> > > +    PciCapIdOffset = PciCapIdHdr.NextItemPtr;
> > > +    Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, PciCapIdOffset, 1,
> > > &PciCapIdHdr);
> > > +    ASSERT_EFI_ERROR(Status);
> > > +  } while (PciCapIdHdr.NextItemPtr != 0 && PciCapIdHdr.NextItemPtr !=
> > > + 0xFF);
> > > +
> > > +  if (PciCapIdHdr.CapabilityID == CapId) {
> > > +    return PciCapIdOffset;
> > > +  } else {
> > > +    return 0;
> > > +  }
> > > +}
> > > +
> > > +/*
> > > +  return Offset of the PCIe Ext Cap ID.
> > > +
> > > +  @param PciIo            PciIo instance of the device
> > > +  @param CapId            The Ext Capability ID of the Pci device
> > > +
> > > +  @return The PCIe Ext Capability ID Offset */
> > > +UINT32
> > > +GetPciExpressExtCapId (
> > > +  IN EFI_PCI_IO_PROTOCOL          *PciIo,
> > > +  IN UINT16                       CapId
> > > +  )
> > > +{
> > > +  UINT32                                    PcieCapIdOffset;
> > > +  PCI_EXPRESS_EXTENDED_CAPABILITIES_HEADER  PciExpressExtCapIdHdr;
> > > +  EFI_STATUS                                Status;
> > > +
> > > +  PcieCapIdOffset = GetPciCapId (PciIo, EFI_PCI_CAPABILITY_ID_PCIEXP);
> > > + if (PcieCapIdOffset == 0) {
> > > +    return 0;
> > > +  }
> > > +
> > > +  PciExpressExtCapIdHdr.CapabilityId = ~CapId;
> > > + PciExpressExtCapIdHdr.CapabilityVersion = 0xF;
> > > + PciExpressExtCapIdHdr.NextCapabilityOffset = 0x100;  PcieCapIdOffset =
> > > + 0;  do {
> > > +    if (PciExpressExtCapIdHdr.CapabilityId == CapId) {
> > > +      break;
> > > +    }
> > > +    PcieCapIdOffset = PciExpressExtCapIdHdr.NextCapabilityOffset;
> > > +    Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint32, PcieCapIdOffset, 1,
> > > &PciExpressExtCapIdHdr);
> > > +    ASSERT_EFI_ERROR(Status);
> > > +  } while (PciExpressExtCapIdHdr.NextCapabilityOffset != 0 &&
> > > + PciExpressExtCapIdHdr.NextCapabilityOffset != 0xFFF);
> > > +
> > > +  if (PciExpressExtCapIdHdr.CapabilityId == CapId) {
> > > +    return PcieCapIdOffset;
> > > +  } else {
> > > +    return 0;
> > > +  }
> > > +}
> > > +
> > > +/**
> > > +  Read byte of the PCI device configuration space.
> > > +
> > > +  @param PciIo            PciIo instance of the device
> > > +  @param Offset           The offset of the Pci device configuration space
> > > +
> > > +  @return Byte value of the PCI device configuration space.
> > > +**/
> > > +UINT8
> > > +DvSecPciRead8 (
> > > +  IN EFI_PCI_IO_PROTOCOL *PciIo,
> > > +  IN UINT32              Offset
> > > +  )
> > > +{
> > > +  EFI_STATUS  Status;
> > > +  UINT8       Data;
> > > +
> > > +  Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint8, Offset, 1,
> > > + &Data);  ASSERT_EFI_ERROR(Status);
> > > +
> > > +  return Data;
> > > +}
> > > +
> > > +/**
> > > +  Write byte of the PCI device configuration space.
> > > +
> > > +  @param PciIo            PciIo instance of the device
> > > +  @param Offset           The offset of the Pci device configuration space
> > > +  @param Data             Byte value of the PCI device configuration space.
> > > +**/
> > > +VOID
> > > +DvSecPciWrite8 (
> > > +  IN EFI_PCI_IO_PROTOCOL *PciIo,
> > > +  IN UINT32              Offset,
> > > +  IN UINT8               Data
> > > +  )
> > > +{
> > > +  EFI_STATUS  Status;
> > > +
> > > +  Status = PciIo->Pci.Write (PciIo, EfiPciIoWidthUint8, Offset, 1,
> > > +&Data);
> > > +  ASSERT_EFI_ERROR(Status);
> > > +}
> > > +
> > > +/**
> > > +  Get the Digest size from the TCG hash Algorithm ID.
> > > +
> > > +  @param TcgAlgId            TCG hash Algorithm ID
> > > +
> > > +  @return Digest size of the TCG hash Algorithm ID **/ UINTN
> > > +DigestSizeFromTcgAlgId (
> > > +  IN UINT16                                    TcgAlgId
> > > +  )
> > > +{
> > > +  switch (TcgAlgId) {
> > > +  case TPM_ALG_SHA256:
> > > +    return SHA256_DIGEST_SIZE;
> > > +  case TPM_ALG_SHA384:
> > > +  case TPM_ALG_SHA512:
> > > +  case TPM_ALG_SM3_256:
> > > +  default:
> > > +    break;
> > > +  }
> > > +  return 0;
> > > +}
> > > +
> > > +/**
> > > +  Convert the SPDM hash algo ID from the TCG hash Algorithm ID.
> > > +
> > > +  @param TcgAlgId            TCG hash Algorithm ID
> > > +
> > > +  @return SPDM hash algo ID
> > > +**/
> > > +UINT32
> > > +TcgAlgIdToSpdmHashAlgo (
> > > +  IN UINT16                                    TcgAlgId
> > > +  )
> > > +{
> > > +  switch (TcgAlgId) {
> > > +  case TPM_ALG_SHA256:
> > > +    return SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA_256;
> > > +  case TPM_ALG_SHA384:
> > > +  case TPM_ALG_SHA512:
> > > +  case TPM_ALG_SM3_256:
> > > +  default:
> > > +    break;
> > > +  }
> > > +  return 0;
> > > +}
> > > +
> > > +/**
> > > +  This function extend the PCI digest from the DvSec register.
> > > +
> > > +  @param[in]  PciIo                  The PciIo of the device.
> > > +  @param[in]  DeviceSecurityPolicy   The Device Security Policy associated
> > > with the device.
> > > +  @param[in]  TcgAlgId               TCG hash Algorithm ID
> > > +  @param[in]  DigestSel              The digest selector
> > > +  @param[in]  Digest                 The digest buffer
> > > +  @param[out] DeviceSecurityState    The Device Security state associated
> > > with the device.
> > > +**/
> > > +VOID
> > > +ExtendDigestRegister (
> > > +  IN EFI_PCI_IO_PROTOCOL          *PciIo,
> > > +  IN EDKII_DEVICE_SECURITY_POLICY *DeviceSecurityPolicy,
> > > +  IN UINT16                       TcgAlgId,
> > > +  IN UINT8                        DigestSel,
> > > +  IN UINT8                        *Digest,
> > > +  OUT EDKII_DEVICE_SECURITY_STATE *DeviceSecurityState
> > > +  )
> > > +{
> > > +  UINT32                                                   PcrIndex;
> > > +  UINT32                                                   EventType;
> > > +  EDKII_DEVICE_SECURITY_PCI_EVENT_DATA                     EventLog;
> > > +  EFI_STATUS                                               Status;
> > > +  PCI_TYPE00                                               PciData;
> > > +
> > > +  Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint8, 0,
> > > + sizeof(PciData), &PciData);  ASSERT_EFI_ERROR(Status);
> > > +
> > > +  PcrIndex = EDKII_DEVICE_MEASUREMENT_COMPONENT_PCR_INDEX;
> > > +  EventType = EDKII_DEVICE_MEASUREMENT_COMPONENT_EVENT_TYPE;
> > > +
> > > +  CopyMem (EventLog.EventData.Signature,
> > > EDKII_DEVICE_SECURITY_EVENT_DATA_SIGNATURE,
> > > sizeof(EventLog.EventData.Signature));
> > > +  EventLog.EventData.Version                  =
> > > EDKII_DEVICE_SECURITY_EVENT_DATA_VERSION;
> > > +  EventLog.EventData.Length                   =
> > > sizeof(EDKII_DEVICE_SECURITY_PCI_EVENT_DATA);
> > > +  EventLog.EventData.SpdmHashAlgo             = TcgAlgIdToSpdmHashAlgo
> > > (TcgAlgId);
> > > +  EventLog.EventData.DeviceType               =
> > > EDKII_DEVICE_SECURITY_EVENT_DATA_DEVICE_TYPE_PCI;
> > > +
> > > +  EventLog.CommonHeader.Index                      = DigestSel;
> > > +  EventLog.CommonHeader.MeasurementSpecification   =
> > > SPDM_MEASUREMENT_BLOCK_HEADER_SPECIFICATION_DMTF;
> > > +  EventLog.CommonHeader.MeasurementSize            =
> > > sizeof(SPDM_MEASUREMENT_BLOCK_DMTF_HEADER) +
> > > SHA256_DIGEST_SIZE;
> > > +  EventLog.DmtfHeader.DMTFSpecMeasurementValueType =
> > > +
> > > SPDM_MEASUREMENT_BLOCK_MEASUREMENT_TYPE_MUTABLE_FIRMWA
> > > RE;
> > > +  EventLog.DmtfHeader.DMTFSpecMeasurementValueSize =
> > > + SHA256_DIGEST_SIZE;  CopyMem (&EventLog.Digest, Digest,
> > > + SHA256_DIGEST_SIZE);
> > > +
> > > +  EventLog.PciContext.Version           =
> > > EDKII_DEVICE_SECURITY_EVENT_DATA_PCI_CONTEXT_VERSION;
> > > +  EventLog.PciContext.Length            =
> > > sizeof(EDKII_DEVICE_SECURITY_EVENT_DATA_PCI_CONTEXT);
> > > +  EventLog.PciContext.VendorId          = PciData.Hdr.VendorId;
> > > +  EventLog.PciContext.DeviceId          = PciData.Hdr.DeviceId;
> > > +  EventLog.PciContext.RevisionID        = PciData.Hdr.RevisionID;
> > > +  EventLog.PciContext.ClassCode[0]      = PciData.Hdr.ClassCode[0];
> > > +  EventLog.PciContext.ClassCode[1]      = PciData.Hdr.ClassCode[1];
> > > +  EventLog.PciContext.ClassCode[2]      = PciData.Hdr.ClassCode[2];
> > > +  if ((PciData.Hdr.HeaderType & HEADER_LAYOUT_CODE) ==
> > > HEADER_TYPE_DEVICE) {
> > > +    EventLog.PciContext.SubsystemVendorID =
> > > PciData.Device.SubsystemVendorID;
> > > +    EventLog.PciContext.SubsystemID       = PciData.Device.SubsystemID;
> > > +  } else {
> > > +    EventLog.PciContext.SubsystemVendorID = 0;
> > > +    EventLog.PciContext.SubsystemID       = 0;
> > > +  }
> > > +
> > > +  Status = TpmMeasureAndLogData (
> > > +             PcrIndex,
> > > +             EventType,
> > > +             &EventLog,
> > > +             EventLog.EventData.Length,
> > > +             Digest,
> > > +             SHA256_DIGEST_SIZE
> > > +             );
> > > +  DEBUG((DEBUG_INFO, "TpmMeasureAndLogData - %r\n", Status));
> > > +  if (EFI_ERROR(Status)) {
> > > +    DeviceSecurityState->MeasurementState =
> > > +EDKII_DEVICE_SECURITY_STATE_ERROR_TCG_EXTEND_TPM_PCR;
> > > +  } else {
> > > +    RecordPciDeviceInList (PciIo,
> > > +&mSecurityEventMeasurementDeviceList);
> > > +  }
> > > +}
> > > +
> > > +/**
> > > +  This function reads the PCI digest from the DvSec register and extend to
> > > TPM.
> > > +
> > > +  @param[in]  PciIo                  The PciIo of the device.
> > > +  @param[in]  DvSecOffset            The DvSec register offset of the device.
> > > +  @param[in]  DeviceSecurityPolicy   The Device Security Policy associated
> > > with the device.
> > > +  @param[out] DeviceSecurityState    The Device Security state associated
> > > with the device.
> > > +**/
> > > +VOID
> > > +DoMeasurementsFromDigestRegister (
> > > +  IN EFI_PCI_IO_PROTOCOL          *PciIo,
> > > +  IN UINT32                       DvSecOffset,
> > > +  IN EDKII_DEVICE_SECURITY_POLICY *DeviceSecurityPolicy,
> > > +  OUT EDKII_DEVICE_SECURITY_STATE *DeviceSecurityState
> > > +  )
> > > +{
> > > +  UINT8                                     Modified;
> > > +  UINT8                                     Valid;
> > > +  UINT16                                    TcgAlgId;
> > > +  UINT8                                     NumDigest;
> > > +  UINT8                                     DigestSel;
> > > +  UINT8                                     Digest[SHA256_DIGEST_SIZE];
> > > +  UINTN                                     DigestSize;
> > > +  EFI_STATUS                                Status;
> > > +
> > > +  TcgAlgId = DvSecPciRead8 (
> > > +               PciIo,
> > > +               DvSecOffset + sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER) +
> > > OFFSET_OF(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, TcgAlgId)
> > > +               );
> > > +  DEBUG((DEBUG_INFO, "  TcgAlgId      - 0x%04x\n", TcgAlgId));
> > > +  DigestSize = DigestSizeFromTcgAlgId (TcgAlgId);  if (DigestSize == 0)
> > > + {
> > > +    DEBUG((DEBUG_INFO, "Unsupported Algorithm - 0x%04x\n", TcgAlgId));
> > > +    DeviceSecurityState->MeasurementState =
> > > EDKII_DEVICE_SECURITY_STATE_ERROR_PCI_NO_CAPABILITIES;
> > > +    return ;
> > > +  }
> > > +  DEBUG((DEBUG_INFO, "  (DigestSize: 0x%x)\n", DigestSize));
> > > +
> > > +  DeviceSecurityState->MeasurementState =
> > > + EDKII_DEVICE_SECURITY_STATE_SUCCESS;
> > > +
> > > +  NumDigest = DvSecPciRead8 (
> > > +                PciIo,
> > > +                DvSecOffset + sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER) +
> > > OFFSET_OF(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, FirmwareID)
> > > +                );
> > > +  DEBUG((DEBUG_INFO, "  NumDigest     - 0x%02x\n", NumDigest));
> > > +
> > > +  Valid = DvSecPciRead8 (
> > > +            PciIo,
> > > +            DvSecOffset + sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER) +
> > > OFFSET_OF(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, Valid)
> > > +            );
> > > +  DEBUG((DEBUG_INFO, "  Valid         - 0x%02x\n", Valid));
> > > +
> > > +  //
> > > +  // Only 2 are supported as maximum.
> > > +  // But hardware may report 3.
> > > +  //
> > > +  if (NumDigest > 2) {
> > > +    NumDigest = 2;
> > > +  }
> > > +
> > > +  for (DigestSel = 0; DigestSel < NumDigest; DigestSel++) {
> > > +    DEBUG((DEBUG_INFO, "  DigestSel     - 0x%02x\n", DigestSel));
> > > +    if ((DigestSel == 0) && ((Valid & INTEL_PCI_DIGEST_0_VALID) == 0)) {
> > > +      continue;
> > > +    }
> > > +    if ((DigestSel == 1) && ((Valid & INTEL_PCI_DIGEST_1_VALID) == 0)) {
> > > +      continue;
> > > +    }
> > > +    while (TRUE) {
> > > +      //
> > > +      // Host MUST clear DIGEST_MODIFIED before read DIGEST.
> > > +      //
> > > +      DvSecPciWrite8 (
> > > +        PciIo,
> > > +        DvSecOffset + sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER) +
> > > OFFSET_OF(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, Modified),
> > > +        INTEL_PCI_DIGEST_MODIFIED
> > > +        );
> > > +
> > > +      Status = PciIo->Pci.Read (
> > > +                            PciIo,
> > > +                            EfiPciIoWidthUint8,
> > > +                            (UINT32)(DvSecOffset +
> > > sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER) +
> > > sizeof(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE) + DigestSize * DigestSel),
> > > +                            DigestSize,
> > > +                            Digest
> > > +                            );
> > > +      ASSERT_EFI_ERROR(Status);
> > > +
> > > +      //
> > > +      // After read DIGEST, Host MUST consult DIGEST_MODIFIED.
> > > +      //
> > > +      Modified = DvSecPciRead8 (
> > > +                   PciIo,
> > > +                   DvSecOffset + sizeof(INTEL_PCI_DIGEST_CAPABILITY_HEADER) +
> > > OFFSET_OF(INTEL_PCI_DIGEST_CAPABILITY_STRUCTURE, Modified)
> > > +                   );
> > > +      if ((Modified & INTEL_PCI_DIGEST_MODIFIED) == 0) {
> > > +        break;
> > > +      }
> > > +    }
> > > +
> > > +    //
> > > +    // Dump Digest
> > > +    //
> > > +    {
> > > +      UINTN  Index;
> > > +      DEBUG((DEBUG_INFO, "  Digest        - "));
> > > +      for (Index = 0; Index < DigestSize; Index++) {
> > > +        DEBUG((DEBUG_INFO, "%02x", *(Digest + Index)));
> > > +      }
> > > +      DEBUG((DEBUG_INFO, "\n"));
> > > +    }
> > > +
> > > +    DEBUG((DEBUG_INFO, "ExtendDigestRegister...\n",
> > > ExtendDigestRegister));
> > > +    ExtendDigestRegister (PciIo, DeviceSecurityPolicy, TcgAlgId,
> > > +DigestSel, Digest, DeviceSecurityState);
> > > +  }
> > > +}
> > > +
> > > +/**
> > > +  The device driver uses this service to measure a PCI device.
> > > +
> > > +  @param[in]  PciIo                  The PciIo of the device.
> > > +  @param[in]  DeviceSecurityPolicy   The Device Security Policy associated
> > > with the device.
> > > +  @param[out] DeviceSecurityState    The Device Security state associated
> > > with the device.
> > > +**/
> > > +VOID
> > > +DoDeviceMeasurement (
> > > +  IN EFI_PCI_IO_PROTOCOL          *PciIo,
> > > +  IN EDKII_DEVICE_SECURITY_POLICY *DeviceSecurityPolicy,
> > > +  OUT EDKII_DEVICE_SECURITY_STATE *DeviceSecurityState
> > > +  )
> > > +{
> > > +  UINT32                                    DvSecOffset;
> > > +  INTEL_PCI_DIGEST_CAPABILITY_HEADER        DvSecHdr;
> > > +  EFI_STATUS                                Status;
> > > +
> > > +  if (IsPciDeviceInList (PciIo, &mSecurityEventMeasurementDeviceList)) {
> > > +    DeviceSecurityState->MeasurementState =
> > > EDKII_DEVICE_SECURITY_STATE_SUCCESS;
> > > +    return ;
> > > +  }
> > > +
> > > +  DvSecOffset = GetPciExpressExtCapId (PciIo, INTEL_PCI_CAPID_DVSEC);
> > > + DEBUG((DEBUG_INFO, "DvSec Capability - 0x%x\n", DvSecOffset));  if
> > > + (DvSecOffset == 0) {
> > > +    DeviceSecurityState->MeasurementState =
> > > EDKII_DEVICE_SECURITY_STATE_ERROR_PCI_NO_CAPABILITIES;
> > > +    return ;
> > > +  }
> > > +  Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, DvSecOffset,
> > > + sizeof(DvSecHdr)/sizeof(UINT16), &DvSecHdr);
> > > ASSERT_EFI_ERROR(Status);
> > > +  DEBUG((DEBUG_INFO, "  CapId         - 0x%04x\n", DvSecHdr.CapId));
> > > +  DEBUG((DEBUG_INFO, "  CapVersion    - 0x%01x\n",
> > > DvSecHdr.CapVersion));
> > > +  DEBUG((DEBUG_INFO, "  NextOffset    - 0x%03x\n",
> > > DvSecHdr.NextOffset));
> > > +  DEBUG((DEBUG_INFO, "  DvSecVendorId - 0x%04x\n",
> > > + DvSecHdr.DvSecVendorId));  DEBUG((DEBUG_INFO, "  DvSecRevision -
> > > 0x%01x\n", DvSecHdr.DvSecRevision));
> > > +  DEBUG((DEBUG_INFO, "  DvSecLength   - 0x%03x\n",
> > > DvSecHdr.DvSecLength));
> > > +  DEBUG((DEBUG_INFO, "  DvSecId       - 0x%04x\n", DvSecHdr.DvSecId));
> > > +  if ((DvSecHdr.DvSecVendorId != INTEL_PCI_DVSEC_VENDORID_INTEL) &&
> > > +      (DvSecHdr.DvSecId != INTEL_PCI_DVSEC_DVSECID_MEASUREMENT)) {
> > > +    DeviceSecurityState->MeasurementState =
> > > EDKII_DEVICE_SECURITY_STATE_ERROR_PCI_NO_CAPABILITIES;
> > > +    return ;
> > > +  }
> > > +
> > > +  DoMeasurementsFromDigestRegister (PciIo, DvSecOffset,
> > > +DeviceSecurityPolicy, DeviceSecurityState); }
> > > +
> > > +/**
> > > +  The device driver uses this service to verify a PCI device.
> > > +
> > > +  @param[in]  PciIo                  The PciIo of the device.
> > > +  @param[in]  DeviceSecurityPolicy   The Device Security Policy associated
> > > with the device.
> > > +  @param[out] DeviceSecurityState    The Device Security state associated
> > > with the device.
> > > +**/
> > > +VOID
> > > +DoDeviceAuthentication (
> > > +  IN EFI_PCI_IO_PROTOCOL          *PciIo,
> > > +  IN EDKII_DEVICE_SECURITY_POLICY *DeviceSecurityPolicy,
> > > +  OUT EDKII_DEVICE_SECURITY_STATE *DeviceSecurityState
> > > +  )
> > > +{
> > > +  DeviceSecurityState->AuthenticationState =
> > > +EDKII_DEVICE_SECURITY_STATE_ERROR_UEFI_UNSUPPORTED;
> > > +}
> > > +
> > > +/**
> > > +  The device driver uses this service to measure and/or verify a device.
> > > +
> > > +  The flow in device driver is:
> > > +  1) Device driver discovers a new device.
> > > +  2) Device driver creates an EFI_DEVICE_PATH_PROTOCOL.
> > > +  3) Device driver creates a device access protocol. e.g.
> > > +     EFI_PCI_IO_PROTOCOL for PCI device.
> > > +     EFI_USB_IO_PROTOCOL for USB device.
> > > +     EFI_EXT_SCSI_PASS_THRU_PROTOCOL for SCSI device.
> > > +     EFI_ATA_PASS_THRU_PROTOCOL for ATA device.
> > > +     EFI_NVM_EXPRESS_PASS_THRU_PROTOCOL for NVMe device.
> > > +     EFI_SD_MMC_PASS_THRU_PROTOCOL for SD/MMC device.
> > > +  4) Device driver installs the EFI_DEVICE_PATH_PROTOCOL with
> > > EFI_DEVICE_PATH_PROTOCOL_GUID,
> > > +     and the device access protocol with
> > > EDKII_DEVICE_IDENTIFIER_TYPE_xxx_GUID.
> > > +     Once it is done, a DeviceHandle is returned.
> > > +  5) Device driver creates EDKII_DEVICE_IDENTIFIER with
> > > EDKII_DEVICE_IDENTIFIER_TYPE_xxx_GUID
> > > +     and the DeviceHandle.
> > > +  6) Device driver calls DeviceAuthenticate().
> > > +  7) If DeviceAuthenticate() returns EFI_SECURITY_VIOLATION, the device
> > > driver uninstalls
> > > +     all protocols on this handle.
> > > +  8) If DeviceAuthenticate() returns EFI_SUCCESS, the device driver installs
> > > the device access
> > > +     protocol with a real protocol GUID. e.g.
> > > +     EFI_PCI_IO_PROTOCOL with EFI_PCI_IO_PROTOCOL_GUID.
> > > +     EFI_USB_IO_PROTOCOL with EFI_USB_IO_PROTOCOL_GUID.
> > > +
> > > +  @param[in]  This              The protocol instance pointer.
> > > +  @param[in]  DeviceId          The Identifier for the device.
> > > +
> > > +  @retval EFI_SUCCESS              The device specified by the DeviceId passed
> > > the measurement
> > > +                                   and/or authentication based upon the platform policy.
> > > +                                   If TCG measurement is required, the measurement is
> > > extended to TPM PCR.
> > > +  @retval EFI_SECURITY_VIOLATION   The device fails to return the
> > > measurement data.
> > > +  @retval EFI_SECURITY_VIOLATION   The device fails to response the
> > > authentication request.
> > > +  @retval EFI_SECURITY_VIOLATION   The system fails to verify the device
> > > based upon the authentication response.
> > > +  @retval EFI_SECURITY_VIOLATION   The system fails to extend the
> > > measurement to TPM PCR.
> > > +**/
> > > +EFI_STATUS
> > > +EFIAPI
> > > +DeviceAuthentication (
> > > +  IN EDKII_DEVICE_SECURITY_PROTOCOL  *This,
> > > +  IN EDKII_DEVICE_IDENTIFIER         *DeviceId
> > > +  )
> > > +{
> > > +  EDKII_DEVICE_SECURITY_POLICY           DeviceSecurityPolicy;
> > > +  EDKII_DEVICE_SECURITY_STATE            DeviceSecurityState;
> > > +  EFI_PCI_IO_PROTOCOL                    *PciIo;
> > > +  EFI_STATUS                             Status;
> > > +
> > > +  if (mDeviceSecurityPolicy == NULL) {
> > > +    return EFI_SUCCESS;
> > > +  }
> > > +
> > > +  if (!CompareGuid (&DeviceId->DeviceType,
> > > &gEdkiiDeviceIdentifierTypePciGuid)) {
> > > +    return EFI_SUCCESS;
> > > +  }
> > > +
> > > +  Status = gBS->HandleProtocol (
> > > +                  DeviceId->DeviceHandle,
> > > +                  &gEdkiiDeviceIdentifierTypePciGuid,
> > > +                  (VOID **)&PciIo
> > > +                  );
> > > +  if (EFI_ERROR(Status)) {
> > > +    DEBUG ((DEBUG_ERROR, "Locate - DeviceIdentifierTypePci - %r\n",
> > > Status));
> > > +    return EFI_SUCCESS;
> > > +  }
> > > +
> > > +  DeviceSecurityState.Version = EDKII_DEVICE_SECURITY_STATE_REVISION;
> > > +  DeviceSecurityState.MeasurementState = 0x0;
> > > + DeviceSecurityState.AuthenticationState = 0x0;
> > > +
> > > +  Status = mDeviceSecurityPolicy->GetDevicePolicy
> > > + (mDeviceSecurityPolicy, DeviceId, &DeviceSecurityPolicy);  if
> > > (EFI_ERROR(Status)) {
> > > +    DEBUG((DEBUG_ERROR, "mDeviceSecurityPolicy->GetDevicePolicy -
> > >  %r\n", Status));
> > > +    DeviceSecurityState.MeasurementState =
> > > EDKII_DEVICE_SECURITY_STATE_ERROR_UEFI_GET_POLICY_PROTOCOL;
> > > +    DeviceSecurityState.AuthenticationState =
> > > + EDKII_DEVICE_SECURITY_STATE_ERROR_UEFI_GET_POLICY_PROTOCOL;
> > > +  } else {
> > > +    if ((DeviceSecurityPolicy.MeasurementPolicy &
> > > EDKII_DEVICE_MEASUREMENT_REQUIRED) != 0) {
> > > +      DoDeviceMeasurement (PciIo, &DeviceSecurityPolicy,
> > > &DeviceSecurityState);
> > > +      DEBUG((DEBUG_ERROR, "MeasurementState - 0x%08x\n",
> > > DeviceSecurityState.MeasurementState));
> > > +    }
> > > +    if ((DeviceSecurityPolicy.AuthenticationPolicy &
> > > EDKII_DEVICE_AUTHENTICATION_REQUIRED) != 0) {
> > > +      DoDeviceAuthentication (PciIo, &DeviceSecurityPolicy,
> > > &DeviceSecurityState);
> > > +      DEBUG((DEBUG_ERROR, "AuthenticationState - 0x%08x\n",
> > > DeviceSecurityState.AuthenticationState));
> > > +    }
> > > +  }
> > > +
> > > +  Status = mDeviceSecurityPolicy->NotifyDeviceState
> > > + (mDeviceSecurityPolicy, DeviceId, &DeviceSecurityState);  if
> > > (EFI_ERROR(Status)) {
> > > +    DEBUG((DEBUG_ERROR, "mDeviceSecurityPolicy->NotifyDeviceState -
> > > + %r\n", Status));  }
> > > +
> > > +  if ((DeviceSecurityState.MeasurementState == 0) &&
> > > +      (DeviceSecurityState.AuthenticationState == 0)) {
> > > +    return EFI_SUCCESS;
> > > +  } else {
> > > +    return EFI_SECURITY_VIOLATION;
> > > +  }
> > > +}
> > > +
> > > +EDKII_DEVICE_SECURITY_PROTOCOL mDeviceSecurity = {
> > > +  EDKII_DEVICE_SECURITY_PROTOCOL_REVISION,
> > > +  DeviceAuthentication
> > > +};
> > > +
> > > +/**
> > > +  Entrypoint of the device security driver.
> > > +
> > > +  @param[in]  ImageHandle  ImageHandle of the loaded driver  @param[in]
> > > + SystemTable  Pointer to the System Table
> > > +
> > > +  @retval  EFI_SUCCESS           The Protocol is installed.
> > > +  @retval  EFI_OUT_OF_RESOURCES  Not enough resources available to
> > > initialize driver.
> > > +  @retval  EFI_DEVICE_ERROR      A device error occurred attempting to
> > > initialize the driver.
> > > +
> > > +**/
> > > +EFI_STATUS
> > > +EFIAPI
> > > +MainEntryPoint (
> > > +  IN EFI_HANDLE        ImageHandle,
> > > +  IN EFI_SYSTEM_TABLE  *SystemTable
> > > +  )
> > > +{
> > > +  EFI_HANDLE  Handle;
> > > +  EFI_STATUS  Status;
> > > +
> > > +  Status = gBS->LocateProtocol
> > > + (&gEdkiiDeviceSecurityPolicyProtocolGuid, NULL, (VOID
> > > + **)&mDeviceSecurityPolicy);  ASSERT_EFI_ERROR(Status);
> > > +
> > > +  Handle = NULL;
> > > +  Status = gBS->InstallProtocolInterface (
> > > +                  &Handle,
> > > +                  &gEdkiiDeviceSecurityProtocolGuid,
> > > +                  EFI_NATIVE_INTERFACE,
> > > +                  (VOID **)&mDeviceSecurity
> > > +                  );
> > > +  ASSERT_EFI_ERROR(Status);
> > > +
> > > +  return Status;
> > > +}
> > > diff --git
> > > a/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDx
> > > e/IntelPciDeviceSecurityDxe.inf
> > > b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityD
> > > xe/IntelPciDeviceSecurityDxe.inf
> > > new file mode 100644
> > > index 0000000000..89a4c8fadd
> > > --- /dev/null
> > > +++ b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceS
> > > +++ ecurityDxe/IntelPciDeviceSecurityDxe.inf
> > > @@ -0,0 +1,45 @@
> > > +## @file
> > > +#  EDKII Device Security library for PCI device # # Copyright (c) 2019,
> > > +Intel Corporation. All rights reserved.<BR> # SPDX-License-Identifier:
> > > +BSD-2-Clause-Patent # ##
> > > +
> > > +[Defines]
> > > +  INF_VERSION                    = 0x00010005
> > > +  BASE_NAME                      = IntelPciDeviceSecurityDxe
> > > +  FILE_GUID                      = D9569195-ED94-47D2-9523-38BF2D201371
> > > +  MODULE_TYPE                    = DXE_DRIVER
> > > +  VERSION_STRING                 = 1.0
> > > +  ENTRY_POINT                    = MainEntryPoint
> > > +
> > > +[Sources]
> > > +  IntelPciDeviceSecurityDxe.c
> > > +  TcgDeviceEvent.h
> > > +
> > > +[Packages]
> > > +  MdePkg/MdePkg.dec
> > > +  MdeModulePkg/MdeModulePkg.dec
> > > +  IntelSiliconPkg/IntelSiliconPkg.dec
> > > +
> > > +[LibraryClasses]
> > > +  UefiRuntimeServicesTableLib
> > > +  UefiBootServicesTableLib
> > > +  UefiDriverEntryPoint
> > > +  MemoryAllocationLib
> > > +  DevicePathLib
> > > +  BaseMemoryLib
> > > +  PrintLib
> > > +  DebugLib
> > > +  UefiLib
> > > +  PcdLib
> > > +  TpmMeasurementLib
> > > +
> > > +[Protocols]
> > > +  gEdkiiDeviceSecurityPolicyProtocolGuid  ## CONSUMES
> > > +  gEdkiiDeviceSecurityProtocolGuid        ## PRODUCES
> > > +  gEdkiiDeviceIdentifierTypePciGuid       ## COMSUMES
> > > +
> > > +[Depex]
> > > +  gEdkiiDeviceSecurityPolicyProtocolGuid
> > > diff --git
> > > a/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDx
> > > e/TcgDeviceEvent.h
> > > b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityD
> > > xe/TcgDeviceEvent.h
> > > new file mode 100644
> > > index 0000000000..5b642b3ecc
> > > --- /dev/null
> > > +++ b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceS
> > > +++ ecurityDxe/TcgDeviceEvent.h
> > > @@ -0,0 +1,178 @@
> > > +/** @file
> > > +  TCG Device Event data structure
> > > +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
> > > +SPDX-License-Identifier: BSD-2-Clause-Patent **/
> > > +
> > > +
> > > +#ifndef __TCG_EVENT_DATA_H__
> > > +#define __TCG_EVENT_DATA_H__
> > > +
> > > +#include <IndustryStandard/Spdm.h>
> > > +
> > > +#pragma pack(1)
> > > +
> > > +// -------------------------------------------
> > > +// TCG Measurement for SPDM Device Measurement //
> > > +-------------------------------------------
> > > +
> > > +//
> > > +// Device Firmware Component (including immutable ROM or mutable
> > > +firmware) //
> > > +#define EDKII_DEVICE_MEASUREMENT_COMPONENT_PCR_INDEX        2
> > > +#define EDKII_DEVICE_MEASUREMENT_COMPONENT_EVENT_TYPE
> > > 0x800000E1
> > > +//
> > > +// Device Firmware Configuration (including hardware configuration or
> > > +firmware configuration) //
> > > +#define EDKII_DEVICE_MEASUREMENT_CONFIGURATION_PCR_INDEX    4
> > > +#define EDKII_DEVICE_MEASUREMENT_CONFIGURATION_EVENT_TYPE
> > > 0x800000E2
> > > +
> > > +//
> > > +// Device Firmware Measurement Measurement Data // The measurement
> > > data
> > > +is the device firmware measurement.
> > > +//
> > > +// In order to support crypto agile, the firmware will hash the
> > > DeviceMeasurement again.
> > > +// As such the device measurement algo might be different with host
> > > firmware measurement algo.
> > > +//
> > > +
> > > +//
> > > +// Device Firmware Measurement Event Data // #define
> > > +EDKII_DEVICE_SECURITY_EVENT_DATA_SIGNATURE "SPDM Device Sec\0"
> > > +#define EDKII_DEVICE_SECURITY_EVENT_DATA_VERSION  0
> > > +
> > > +//
> > > +// Device Type
> > > +// 0x03 ~ 0xDF reserved by TCG.
> > > +// 0xE0 ~ 0xFF reserved by OEM.
> > > +//
> > > +#define EDKII_DEVICE_SECURITY_EVENT_DATA_DEVICE_TYPE_NULL  0
> > > +#define EDKII_DEVICE_SECURITY_EVENT_DATA_DEVICE_TYPE_PCI   1
> > > +#define EDKII_DEVICE_SECURITY_EVENT_DATA_DEVICE_TYPE_USB   2
> > > +
> > > +//
> > > +// Device Firmware Measurement Event Data Common Part // The device
> > > +specific part should follow this data structure.
> > > +//
> > > +typedef struct {
> > > +  //
> > > +  // It must be EDKII_DEVICE_SECURITY_EVENT_DATA_SIGNATURE.
> > > +  //
> > > +  UINT8                          Signature[16];
> > > +  //
> > > +  // It must be EDKII_DEVICE_SECURITY_EVENT_DATA_VERSION.
> > > +  //
> > > +  UINT16                         Version;
> > > +  //
> > > +  // The length of whole data structure, including Device Context.
> > > +  //
> > > +  UINT16                         Length;
> > > +  //
> > > +  // The SpdmHashAlgo
> > > +  //
> > > +  UINT32                         SpdmHashAlgo;
> > > +  //
> > > +  // The type of device. This field is to determine the Device Context
> > > followed by.
> > > +  //
> > > +  UINT32                         DeviceType;
> > > +  //
> > > +  // The SPDM measurement block.
> > > +  //
> > > +//SPDM_MEASUREMENT_BLOCK         SpdmMeasurementBlock;
> > > +} EDKII_DEVICE_SECURITY_EVENT_DATA_HEADER;
> > > +
> > > +//
> > > +// PCI device specific context
> > > +//
> > > +#define EDKII_DEVICE_SECURITY_EVENT_DATA_PCI_CONTEXT_VERSION  0
> > > typedef
> > > +struct {
> > > +  UINT16  Version;
> > > +  UINT16  Length;
> > > +  UINT16  VendorId;
> > > +  UINT16  DeviceId;
> > > +  UINT8   RevisionID;
> > > +  UINT8   ClassCode[3];
> > > +  UINT16  SubsystemVendorID;
> > > +  UINT16  SubsystemID;
> > > +} EDKII_DEVICE_SECURITY_EVENT_DATA_PCI_CONTEXT;
> > > +
> > > +//
> > > +// USB device specific context
> > > +//
> > > +#define EDKII_DEVICE_SECURITY_EVENT_DATA_USB_CONTEXT_VERSION
> > > 0 typedef
> > > +struct {
> > > +  UINT16  Version;
> > > +  UINT16  Length;
> > > +//UINT8   DeviceDescriptor[DescLen];
> > > +//UINT8   BodDescriptor[DescLen];
> > > +//UINT8   ConfigurationDescriptor[DescLen][NumOfConfiguration];
> > > +} EDKII_DEVICE_SECURITY_EVENT_DATA_USB_CONTEXT;
> > > +
> > > +// ----------------------------------------------
> > > +// TCG Measurement for SPDM Device Authentication //
> > > +----------------------------------------------
> > > +
> > > +//
> > > +// Device Root cert is stored into a UEFI authenticated variable.
> > > +// It is non-volatile, boot service, runtime service, and time based
> > > authenticated variable.
> > > +// The "devdb" includes a list of allowed device root cert.
> > > +// The "devdbx" includes a list of forbidden device root cert.
> > > +// The usage of "devdb" and "devdbx" is same as "db" and "dbx" in UEFI
> > > secure boot.
> > > +//
> > > +// NOTE: We choose not to mix "db"/"dbx" for better management
> > > purpose.
> > > +//
> > > +
> > > +#define EDKII_DEVICE_ROOT_CERT_VARAIBLE_NAME    L"devdb"
> > > +#define EDKII_DEVICE_ROOT_CERT_VARAIBLE2_NAME   L"devdbx"
> > > +
> > > +#define EDKII_DEVICE_SIGNATURE_DATABASE_GUID \
> > > +  {0xb9c2b4f4, 0xbf5f, 0x462d, 0x8a, 0xdf, 0xc5, 0xc7, 0xa, 0xc3, 0x5d,
> > > +0xad}
> > > +
> > > +//
> > > +// Platform Firmware adhering to the policy MUST therefore measure the
> > > following values into PCR[7]:
> > > +// 1. The content of the
> > > EDKII_DEVICE_SIGNATURE_DATABASE_GUID/EDKII_DEVICE_ROOT_CERT_V
> > > ARAIBLE_NAME variable.
> > > +// 2. The content of the
> > > EDKII_DEVICE_SIGNATURE_DATABASE_GUID/EDKII_DEVICE_ROOT_CERT_V
> > > ARAIBLE2_NAME variable.
> > > +// 3. Entries in the
> > > EDKII_DEVICE_SIGNATURE_DATABASE_GUID/EDKII_DEVICE_ROOT_CERT_V
> > > ARAIBLE_NAME variable to
> > > +//    authenticate the device.
> > > +//
> > > +// For all UEFI variable value events, the eventType SHALL be
> > > +EV_EFI_VARIABLE_DRIVER_CONFIG and the Event // value SHALL be the
> > > value of the UEFI_VARIABLE_DATA structure (this structure SHALL be
> > > considered byte-aligned).
> > > +// The measurement digest MUST be tagged Hash for each supported PCR
> > > +bank of the event data which is the // UEFI_VARIABLE_DATA structure.
> > > +The UEFI_VARIABLE_DATA.UnicodeNameLength value is the number of
> > > CHAR16 // characters (not the number of bytes). The
> > > UEFI_VARIABLE_DATA.UnicodeName contents MUST NOT include a NUL.
> > > +// If reading a UEFI variable returns UEFI_NOT_FOUND, the
> > > +UEFI_VARIABLE_DATA.VariableDataLength field MUST // be set to zero and
> > > UEFI_VARIABLE_DATA.VariableData field will have a size of zero.
> > > +//
> > > +
> > > +//
> > > +// Entities that MUST be measured if the TPM is enabled:
> > > +// 1. Before executing any code not cryptographically authenticated as
> > > being provided by the Platform Manufacturer,
> > > +//    the Platform Manufacturer firmware MUST measure the following
> > > values, in the order listed using the
> > > +//    EV_EFI_VARIABLE_DRIVER_CONFIG event type to PCR[7]:
> > > +//    a) The content of the EDKII_DEVICE_SIGNATURE_DATABASE_GUID/
> > > EDKII_DEVICE_ROOT_CERT_VARAIBLE_NAME variable.
> > > +//    b) The content of the EDKII_DEVICE_SIGNATURE_DATABASE_GUID/
> > > EDKII_DEVICE_ROOT_CERT_VARAIBLE2_NAME variable.
> > > +// 2. If the platform supports changing any of the following UEFI policy
> > > variables after they are initially measured
> > > +//    in PCR[7] and before ExitBootServices() has completed, the platform
> > > MAY be restarted OR the variables MUST be
> > > +//    remeasured into PCR[7]. Additionally the normal update process for
> > > setting any of the UEFI variables below SHOULD
> > > +//    occur before the initial measurement in PCR[7] or after the call to
> > > ExitBootServices() has completed.
> > > +//    a) The content of the EDKII_DEVICE_SIGNATURE_DATABASE_GUID/
> > > EDKII_DEVICE_ROOT_CERT_VARAIBLE_NAME variable.
> > > +//    b) The content of the EDKII_DEVICE_SIGNATURE_DATABASE_GUID/
> > > EDKII_DEVICE_ROOT_CERT_VARAIBLE2_NAME variable.
> > > +// 3. The system SHALL measure the EV_SEPARATOR event in PCR[7]. (This
> > > occurs at the same time the separator is
> > > +//    measured to PCR[0-7].)
> > > +//    Before setting up a device, the UEFI firmware SHALL determine if the
> > > entry in the
> > > +//    EDKII_DEVICE_SIGNATURE_DATABASE_GUID/
> > > EDKII_DEVICE_ROOT_CERT_VARAIBLE_NAME variable that was used to
> > > validate
> > > +//    the device has previously been measured in PCR[7]. If it has not been, it
> > > MUST be measured into PCR[7] as follows.
> > > +//    If it has been measured previously, it MUST NOT be measured again.
> > > The measurement SHALL occur in conjunction
> > > +//    with device setup.
> > > +//    a) The eventType SHALL be EV_EFI_VARIABLE_AUTHORITY.
> > > +//    b) The event value SHALL be the value of the UEFI_VARIABLE_DATA
> > > structure.
> > > +//       i.   The UEFI_VARIABLE_DATA.VariableData value SHALL be the
> > > UEFI_SIGNATURE_DATA value from the
> > > +//            UEFI_SIGNATURE_LIST that contained the authority that was used
> > > to validate the image.
> > > +//       ii.  The UEFI_VARIABLE_DATA.VariableName SHALL be set to
> > > UEFI_IMAGE_SECURITY_DATABASE_GUID.
> > > +//       iii. The UEFI_VARIABLE_DATA.UnicodeName SHALL be set to the value
> > > of UEFI_IMAGE_SECURITY_DATABASE.
> > > +//            The value MUST NOT include the terminating NUL.
> > > +//
> > > +
> > > +#pragma pack()
> > > +
> > > +#endif
> > > --
> > > 2.19.2.windows.1