* [PATCH v3 0/3] Add RpmcLib and VariableKeyLib
@ 2020-03-18 2:13 Wang, Jian J
2020-03-18 2:13 ` [PATCH v3 1/3] SecurityPkg: add RpmcLib and VariableKeyLib public headers Wang, Jian J
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Wang, Jian J @ 2020-03-18 2:13 UTC (permalink / raw)
To: devel; +Cc: Jiewen Yao, Chao Zhang, Nishant C Mistry
> v3: update retval description in RpmcLib.h and RpmcLibNull.c
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
Patch branch: https://github.com/jwang36/edk2/tree/bz2594-part1-common-interfaces-between-platform-and-edk2-v3
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Nishant C Mistry <nishant.c.mistry@intel.com>
Jian J Wang (3):
SecurityPkg: add RpmcLib and VariableKeyLib public headers
SecurityPkg: add null version of RpmcLib
SecurityPkg: add null version of VariableKeyLib
SecurityPkg/Include/Library/RpmcLib.h | 46 +++++++++++++
SecurityPkg/Include/Library/VariableKeyLib.h | 59 ++++++++++++++++
SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c | 51 ++++++++++++++
.../Library/RpmcLibNull/RpmcLibNull.inf | 33 +++++++++
.../VariableKeyLibNull/VariableKeyLibNull.c | 67 +++++++++++++++++++
.../VariableKeyLibNull/VariableKeyLibNull.inf | 33 +++++++++
SecurityPkg/SecurityPkg.dec | 8 +++
SecurityPkg/SecurityPkg.dsc | 8 +++
8 files changed, 305 insertions(+)
create mode 100644 SecurityPkg/Include/Library/RpmcLib.h
create mode 100644 SecurityPkg/Include/Library/VariableKeyLib.h
create mode 100644 SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c
create mode 100644 SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf
create mode 100644 SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c
create mode 100644 SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf
--
2.24.0.windows.2
* [PATCH v3 1/3] SecurityPkg: add RpmcLib and VariableKeyLib public headers
2020-03-18 2:13 [PATCH v3 0/3] Add RpmcLib and VariableKeyLib Wang, Jian J
@ 2020-03-18 2:13 ` Wang, Jian J
2020-03-18 2:26 ` Yao, Jiewen
2020-03-18 2:13 ` [PATCH v3 2/3] SecurityPkg: add null version of RpmcLib Wang, Jian J
2020-03-18 2:13 ` [PATCH v3 3/3] SecurityPkg: add null version of VariableKeyLib Wang, Jian J
2 siblings, 1 reply; 8+ messages in thread
From: Wang, Jian J @ 2020-03-18 2:13 UTC (permalink / raw)
To: devel; +Cc: Jiewen Yao, Chao Zhang, Nishant C Mistry
> v3: update retval description in RpmcLib.h
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
RpmcLib.h and VariableKeyLib.h are header files required to access the RPMC
device and key generator from the platform. They will be used to ensure the
integrity and confidentiality of NV variables.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Nishant C Mistry <nishant.c.mistry@intel.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
---
SecurityPkg/Include/Library/RpmcLib.h | 46 +++++++++++++++
SecurityPkg/Include/Library/VariableKeyLib.h | 59 ++++++++++++++++++++
SecurityPkg/SecurityPkg.dec | 8 +++
3 files changed, 113 insertions(+)
create mode 100644 SecurityPkg/Include/Library/RpmcLib.h
create mode 100644 SecurityPkg/Include/Library/VariableKeyLib.h
diff --git a/SecurityPkg/Include/Library/RpmcLib.h b/SecurityPkg/Include/Library/RpmcLib.h
new file mode 100644
index 0000000000..f548ad2c9f
--- /dev/null
+++ b/SecurityPkg/Include/Library/RpmcLib.h
@@ -0,0 +1,46 @@
+/** @file
+ Public definitions for the Replay Protected Monotonic Counter (RPMC) Library.
+
+Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef _RPMC_LIB_H_
+#define _RPMC_LIB_H_
+
+#include <Uefi/UefiBaseType.h>
+
+/**
+ Requests the current monotonic counter from the designated RPMC counter.
+
+ @param[in] CounterId Monotonic Counter Id.
+ @param[out] CounterValue A pointer to a buffer to store the RPMC value.
+
+ @retval EFI_SUCCESS The operation completed successfully.
+ @retval EFI_DEVICE_ERROR A device error occurred while attempting to update the counter.
+ @retval EFI_UNSUPPORTED The operation is un-supported.
+**/
+EFI_STATUS
+EFIAPI
+RequestMonotonicCounter (
+ IN UINT8 CounterId,
+ OUT UINT32 *CounterValue
+ );
+
+/**
+ Increments the designated monotonic counter in the SPI flash device by 1.
+
+ @param[in] CounterId Monotonic Counter Id.
+
+ @retval EFI_SUCCESS The operation completed successfully.
+ @retval EFI_DEVICE_ERROR A device error occurred while attempting to update the counter.
+ @retval EFI_UNSUPPORTED The operation is un-supported.
+**/
+EFI_STATUS
+EFIAPI
+IncrementMonotonicCounter (
+ IN UINT8 CounterId
+ );
+
+#endif
\ No newline at end of file
diff --git a/SecurityPkg/Include/Library/VariableKeyLib.h b/SecurityPkg/Include/Library/VariableKeyLib.h
new file mode 100644
index 0000000000..fe642b3d66
--- /dev/null
+++ b/SecurityPkg/Include/Library/VariableKeyLib.h
@@ -0,0 +1,59 @@
+/** @file
+ Public definitions for Variable Key Library.
+
+Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#ifndef _VARIABLE_KEY_LIB_H_
+#define _VARIABLE_KEY_LIB_H_
+
+#include <Uefi/UefiBaseType.h>
+
+/**
+ Retrieves the variable root key.
+
+ @param[out] VariableRootKey A pointer to pointer for the variable root key buffer.
+ @param[in,out] VariableRootKeySize The size in bytes of the variable root key.
+
+ @retval EFI_SUCCESS The variable root key was returned.
+ @retval EFI_DEVICE_ERROR An error occurred while attempting to get the variable root key.
+ @retval EFI_ACCESS_DENIED The function was invoked after locking the key interface.
+ @retval EFI_UNSUPPORTED The variable root key is not supported in the current boot configuration.
+**/
+EFI_STATUS
+EFIAPI
+GetVariableRootKey (
+ OUT VOID **VariableRootKey,
+ IN OUT UINTN *VariableRootKeySize
+ );
+
+/**
+ Regenerates the variable root key.
+
+ @retval EFI_SUCCESS The variable root key was regenerated successfully.
+ @retval EFI_DEVICE_ERROR An error occurred while attempting to regenerate the root key.
+ @retval EFI_ACCESS_DENIED The function was invoked after locking the key interface.
+ @retval EFI_UNSUPPORTED Key regeneration is not supported in the current boot configuration.
+**/
+EFI_STATUS
+EFIAPI
+RegenerateKey (
+ VOID
+ );
+
+/**
+ Locks the regenerate key interface.
+
+ @retval EFI_SUCCESS The key interface was locked successfully.
+ @retval EFI_UNSUPPORTED Locking the key interface is not supported in the current boot configuration.
+ @retval Others An error occurred while attempting to lock the key interface.
+**/
+EFI_STATUS
+EFIAPI
+LockKeyInterface (
+ VOID
+ );
+
+#endif
\ No newline at end of file
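Review bot: GetVariableRootKey() takes OUT VOID **VariableRootKey together with IN OUT UINTN *VariableRootKeySize, and the comments do not say who owns the buffer. If the library returns a pointer to its own storage, the size has no input meaning and should be OUT only; if the caller supplies the buffer, the first parameter should be a VOID * and an EFI_BUFFER_TOO_SMALL return is needed. For key material this matters, because the caller has to know whether it is responsible for zeroing and freeing the buffer. Separately, LockKeyInterface() is described as locking "the regenerate key interface", while GetVariableRootKey() also returns EFI_ACCESS_DENIED after the lock, so the comment should state that the lock covers both calls. The file ends without a trailing newline.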
diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
index 5335cc5397..2cdfb02cc5 100644
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@@ -76,6 +76,14 @@
#
TcgStorageOpalLib|Include/Library/TcgStorageOpalLib.h
+ ## @libraryclass Provides interfaces to access RPMC device.
+ #
+ RpmcLib|Include/Library/RpmcLib.h
+
+ ## @libraryclass Provides interfaces to access variable root key.
+ #
+ VariableKeyLib|Include/Library/VariableKeyLib.h
+
[Guids]
## Security package token space guid.
# Include/Guid/SecurityPkgTokenSpace.h
--
2.24.0.windows.2
* [PATCH v3 2/3] SecurityPkg: add null version of RpmcLib
2020-03-18 2:13 [PATCH v3 0/3] Add RpmcLib and VariableKeyLib Wang, Jian J
2020-03-18 2:13 ` [PATCH v3 1/3] SecurityPkg: add RpmcLib and VariableKeyLib public headers Wang, Jian J
@ 2020-03-18 2:13 ` Wang, Jian J
2020-03-18 2:13 ` [PATCH v3 3/3] SecurityPkg: add null version of VariableKeyLib Wang, Jian J
2 siblings, 0 replies; 8+ messages in thread
From: Wang, Jian J @ 2020-03-18 2:13 UTC (permalink / raw)
To: devel; +Cc: Jiewen Yao, Chao Zhang, Nishant C Mistry
> v3: update retval description in RpmcLibNull.c
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
Add null version of RpmcLib instance. The full version should be provided
by a platform which supports an RPMC device.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Nishant C Mistry <nishant.c.mistry@intel.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
---
SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c | 51 +++++++++++++++++++
.../Library/RpmcLibNull/RpmcLibNull.inf | 33 ++++++++++++
SecurityPkg/SecurityPkg.dsc | 6 +++
3 files changed, 90 insertions(+)
create mode 100644 SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c
create mode 100644 SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf
diff --git a/SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c b/SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c
new file mode 100644
index 0000000000..79d480484e
--- /dev/null
+++ b/SecurityPkg/Library/RpmcLibNull/RpmcLibNull.c
@@ -0,0 +1,51 @@
+/** @file
+ NULL RpmcLib instance for build purpose.
+
+Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+
+#include <Library/DebugLib.h>
+#include <Library/RpmcLib.h>
+
+/**
+ Requests the current monotonic counter from the designated RPMC counter.
+
+ @param[in] CounterId Monotonic Counter Id.
+ @param[out] CounterValue A pointer to a buffer to store the RPMC value.
+
+ @retval EFI_SUCCESS The operation completed successfully.
+ @retval EFI_DEVICE_ERROR A device error occurred while attempting to update the counter.
+ @retval EFI_UNSUPPORTED The operation is un-supported.
+**/
+EFI_STATUS
+EFIAPI
+RequestMonotonicCounter (
+ IN UINT8 CounterId,
+ OUT UINT32 *CounterValue
+ )
+{
+ ASSERT (FALSE);
+ return EFI_UNSUPPORTED;
+}
+
+/**
+ Increments the designated monotonic counter in the SPI flash device by 1.
+
+ @param[in] CounterId Monotonic Counter Id.
+
+ @retval EFI_SUCCESS The operation completed successfully.
+ @retval EFI_DEVICE_ERROR A device error occurred while attempting to update the counter.
+ @retval EFI_UNSUPPORTED The operation is un-supported.
+**/
+EFI_STATUS
+EFIAPI
+IncrementMonotonicCounter (
+ IN UINT8 CounterId
+ )
+{
+ ASSERT (FALSE);
+ return EFI_UNSUPPORTED;
+}
+
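Review bot: Both function bodies call ASSERT (FALSE) before return EFI_UNSUPPORTED, so on a build where ASSERT is enabled and configured to halt, a caller never sees the documented EFI_UNSUPPORTED return, and on a build where it is disabled the missing counter is reported only through a status the caller may ignore. If the intent is that callers can probe for RPMC support and fall back, drop the ASSERT (a DEBUG message is enough); if the intent is that this instance must never run, say so in the file header, which currently reads only "NULL RpmcLib instance for build purpose" and does not state that it provides no replay protection. RequestMonotonicCounter() also returns without writing *CounterValue; either set it to 0 or document that it is unchanged on error.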
diff --git a/SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf b/SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf
new file mode 100644
index 0000000000..500edfa87d
--- /dev/null
+++ b/SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf
@@ -0,0 +1,33 @@
+## @file
+# Provides Null version of RpmcLib for build purpose.
+#
+# Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010029
+ BASE_NAME = RpmcLibNull
+ FILE_GUID = FAE0BA22-92E2-4334-8F0F-96AFF9BAE360
+ MODULE_TYPE = BASE
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = RpmcLib
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64 Arm AArch64
+#
+
+[Sources]
+ RpmcLibNull.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ SecurityPkg/SecurityPkg.dec
+
+[LibraryClasses]
+ BaseLib
+ DebugLib
+
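Review bot: [LibraryClasses] lists BaseLib, but RpmcLibNull.c includes only Library/DebugLib.h and Library/RpmcLib.h and uses nothing beyond ASSERT; drop BaseLib so the INF declares only what the source consumes. The "# Provides Null version of RpmcLib for build purpose." description would also be the right place to state that this instance returns EFI_UNSUPPORTED for every call, since the INF is what a platform DSC references.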
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index a2eeadda7a..97e0e7ed6e 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -64,6 +64,7 @@
TcgStorageCoreLib|SecurityPkg/Library/TcgStorageCoreLib/TcgStorageCoreLib.inf
TcgStorageOpalLib|SecurityPkg/Library/TcgStorageOpalLib/TcgStorageOpalLib.inf
ResetSystemLib|MdeModulePkg/Library/BaseResetSystemLibNull/BaseResetSystemLibNull.inf
+ RpmcLib|SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf
[LibraryClasses.ARM]
#
@@ -217,6 +218,11 @@
SecurityPkg/Library/TcgStorageCoreLib/TcgStorageCoreLib.inf
SecurityPkg/Library/TcgStorageOpalLib/TcgStorageOpalLib.inf
+ #
+ # Variable Confidentiality & Integrity
+ #
+ SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf
+
#
# Other
#
--
2.24.0.windows.2
* [PATCH v3 3/3] SecurityPkg: add null version of VariableKeyLib
2020-03-18 2:13 [PATCH v3 0/3] Add RpmcLib and VariableKeyLib Wang, Jian J
2020-03-18 2:13 ` [PATCH v3 1/3] SecurityPkg: add RpmcLib and VariableKeyLib public headers Wang, Jian J
2020-03-18 2:13 ` [PATCH v3 2/3] SecurityPkg: add null version of RpmcLib Wang, Jian J
@ 2020-03-18 2:13 ` Wang, Jian J
2 siblings, 0 replies; 8+ messages in thread
From: Wang, Jian J @ 2020-03-18 2:13 UTC (permalink / raw)
To: devel; +Cc: Jiewen Yao, Chao Zhang, Nishant C Mistry
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
Add null version of VariableKeyLib instance. The full version should be
provided by platforms which support a key generator.
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Nishant C Mistry <nishant.c.mistry@intel.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
---
.../VariableKeyLibNull/VariableKeyLibNull.c | 67 +++++++++++++++++++
.../VariableKeyLibNull/VariableKeyLibNull.inf | 33 +++++++++
SecurityPkg/SecurityPkg.dsc | 2 +
3 files changed, 102 insertions(+)
create mode 100644 SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c
create mode 100644 SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf
diff --git a/SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c b/SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c
new file mode 100644
index 0000000000..2ef6a68ea0
--- /dev/null
+++ b/SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.c
@@ -0,0 +1,67 @@
+/** @file
+ Null version of VariableKeyLib for build purpose. Don't use it in real product.
+
+Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
+SPDX-License-Identifier: BSD-2-Clause-Patent
+
+**/
+#include <Library/DebugLib.h>
+#include <Library/VariableKeyLib.h>
+
+/**
+ Retrieves the variable root key.
+
+ @param[out] VariableRootKey A pointer to pointer for the variable root key buffer.
+ @param[in,out] VariableRootKeySize The size in bytes of the variable root key.
+
+ @retval EFI_SUCCESS The variable root key was returned.
+ @retval EFI_DEVICE_ERROR An error occurred while attempting to get the variable root key.
+ @retval EFI_ACCESS_DENIED The function was invoked after locking the key interface.
+ @retval EFI_UNSUPPORTED The variable root key is not supported in the current boot configuration.
+**/
+EFI_STATUS
+EFIAPI
+GetVariableRootKey (
+ OUT VOID **VariableRootKey,
+ IN OUT UINTN *VariableRootKeySize
+ )
+{
+ ASSERT (FALSE);
+ return EFI_UNSUPPORTED;
+}
+
+/**
+ Regenerates the variable root key.
+
+ @retval EFI_SUCCESS The variable root key was regenerated successfully.
+ @retval EFI_DEVICE_ERROR An error occurred while attempting to regenerate the root key.
+ @retval EFI_ACCESS_DENIED The function was invoked after locking the key interface.
+ @retval EFI_UNSUPPORTED Key regeneration is not supported in the current boot configuration.
+**/
+EFI_STATUS
+EFIAPI
+RegenerateKey (
+ VOID
+ )
+{
+ ASSERT (FALSE);
+ return EFI_UNSUPPORTED;
+}
+
+/**
+ Locks the regenerate key interface.
+
+ @retval EFI_SUCCESS The key interface was locked successfully.
+ @retval EFI_UNSUPPORTED Locking the key interface is not supported in the current boot configuration.
+ @retval Others An error occurred while attempting to lock the key interface.
+**/
+EFI_STATUS
+EFIAPI
+LockKeyInterface (
+ VOID
+ )
+{
+ ASSERT (FALSE);
+ return EFI_UNSUPPORTED;
+}
+
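Review bot: GetVariableRootKey() returns EFI_UNSUPPORTED without writing *VariableRootKey or *VariableRootKeySize, so a caller that does not check the status, in a build with ASSERT disabled, goes on to use whatever those locals held as the key pointer and length. Set *VariableRootKey = NULL and *VariableRootKeySize = 0 (after checking the two pointers themselves) before returning, so the failure is visible even to a careless caller. The header comment for LockKeyInterface() should also say what a caller is expected to do when the lock returns EFI_UNSUPPORTED, because with this instance the key interface is never locked.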
diff --git a/SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf b/SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf
new file mode 100644
index 0000000000..ea74e38cf9
--- /dev/null
+++ b/SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf
@@ -0,0 +1,33 @@
+## @file
+# Provides Null version of VariableKeyLib for build only.
+#
+# Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+
+[Defines]
+ INF_VERSION = 0x00010029
+ BASE_NAME = VariableKeyLibNull
+ FILE_GUID = 2B640ED8-1E6A-4516-9F1D-25910E59BC4A
+ MODULE_TYPE = BASE
+ VERSION_STRING = 1.0
+ LIBRARY_CLASS = VariableKeyLib
+
+#
+# The following information is for reference only and not required by the build tools.
+#
+# VALID_ARCHITECTURES = IA32 X64 Arm AArch64
+#
+
+[Sources]
+ VariableKeyLibNull.c
+
+[Packages]
+ MdePkg/MdePkg.dec
+ SecurityPkg/SecurityPkg.dec
+
+[LibraryClasses]
+ BaseLib
+ DebugLib
+
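Review bot: [LibraryClasses] lists BaseLib, but VariableKeyLibNull.c includes only Library/DebugLib.h and Library/VariableKeyLib.h; remove BaseLib. The description here says "for build only" while the C file header says "Don't use it in real product"; use the stronger wording in the INF as well, since that is the file a platform DSC author reads when choosing an instance.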
diff --git a/SecurityPkg/SecurityPkg.dsc b/SecurityPkg/SecurityPkg.dsc
index 97e0e7ed6e..4b85f77b02 100644
--- a/SecurityPkg/SecurityPkg.dsc
+++ b/SecurityPkg/SecurityPkg.dsc
@@ -64,6 +64,7 @@
TcgStorageCoreLib|SecurityPkg/Library/TcgStorageCoreLib/TcgStorageCoreLib.inf
TcgStorageOpalLib|SecurityPkg/Library/TcgStorageOpalLib/TcgStorageOpalLib.inf
ResetSystemLib|MdeModulePkg/Library/BaseResetSystemLibNull/BaseResetSystemLibNull.inf
+ VariableKeyLib|SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf
RpmcLib|SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf
[LibraryClasses.ARM]
@@ -221,6 +222,7 @@
#
# Variable Confidentiality & Integrity
#
+ SecurityPkg/Library/VariableKeyLibNull/VariableKeyLibNull.inf
SecurityPkg/Library/RpmcLibNull/RpmcLibNull.inf
#
--
2.24.0.windows.2
* Re: [PATCH v3 1/3] SecurityPkg: add RpmcLib and VariableKeyLib public headers
2020-03-18 2:13 ` [PATCH v3 1/3] SecurityPkg: add RpmcLib and VariableKeyLib public headers Wang, Jian J
@ 2020-03-18 2:26 ` Yao, Jiewen
0 siblings, 0 replies; 8+ messages in thread
From: Yao, Jiewen @ 2020-03-18 2:26 UTC (permalink / raw)
To: Wang, Jian J, devel@edk2.groups.io; +Cc: Zhang, Chao B, Mistry, Nishant C
Thanks Jian. Some comments and thoughts.
1) RPMC spec uses CounterAddress as the indicator. Can we use the same name instead of CounterId in the API definition?
2) How does the caller know which CounterAddress it needs to fill?
Do we need an API such as GetValidCounterAddress()?
3) What is the value of adding CounterAddress? Can we guarantee that 2 drivers use 2 different counter addresses?
Or, if 2 drivers may use the same counter address, why not remove the counter address parameter at all?
Thank you
Yao Jiewen
> -----Original Message-----
> From: Wang, Jian J <jian.j.wang@intel.com>
> Sent: Wednesday, March 18, 2020 10:13 AM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B
> <chao.b.zhang@intel.com>; Mistry, Nishant C <nishant.c.mistry@intel.com>
> Subject: [PATCH v3 1/3] SecurityPkg: add RpmcLib and VariableKeyLib public
> headers
>
> > v3: update retval description in RpmcLib.h
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
>
> RpmcLib.h and VariableKeyLib.h are header files required to access RPMC
> device and Key generator from platform. They will be used to ensure the
> integrity and confidentiality of NV variables.
>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Chao Zhang <chao.b.zhang@intel.com>
> Cc: Nishant C Mistry <nishant.c.mistry@intel.com>
> Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
> ---
> SecurityPkg/Include/Library/RpmcLib.h | 46 +++++++++++++++
> SecurityPkg/Include/Library/VariableKeyLib.h | 59 ++++++++++++++++++++
> SecurityPkg/SecurityPkg.dec | 8 +++
> 3 files changed, 113 insertions(+)
> create mode 100644 SecurityPkg/Include/Library/RpmcLib.h
> create mode 100644 SecurityPkg/Include/Library/VariableKeyLib.h
>
> diff --git a/SecurityPkg/Include/Library/RpmcLib.h
> b/SecurityPkg/Include/Library/RpmcLib.h
> new file mode 100644
> index 0000000000..f548ad2c9f
> --- /dev/null
> +++ b/SecurityPkg/Include/Library/RpmcLib.h
> @@ -0,0 +1,46 @@
> +/** @file
>
> + Public definitions for the Replay Protected Monotonic Counter (RPMC) Library.
>
> +
>
> +Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +
>
> +**/
>
> +
>
> +#ifndef _RPMC_LIB_H_
>
> +#define _RPMC_LIB_H_
>
> +
>
> +#include <Uefi/UefiBaseType.h>
>
> +
>
> +/**
>
> + Requests the current monotonic counter from the designated RPMC counter.
>
> +
>
> + @param[in] CounterId Monotonic Counter Id.
>
> + @param[out] CounterValue A pointer to a buffer to store the RPMC
> value.
>
> +
>
> + @retval EFI_SUCCESS The operation completed successfully.
>
> + @retval EFI_DEVICE_ERROR A device error occurred while attempting
> to update the counter.
>
> + @retval EFI_UNSUPPORTED The operation is un-supported.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +RequestMonotonicCounter (
>
> + IN UINT8 CounterId,
>
> + OUT UINT32 *CounterValue
>
> + );
>
> +
>
> +/**
>
> + Increments the designated monotonic counter in the SPI flash device by 1.
>
> +
>
> + @param[in] CounterId Monotonic Counter Id.
>
> +
>
> + @retval EFI_SUCCESS The operation completed successfully.
>
> + @retval EFI_DEVICE_ERROR A device error occurred while attempting
> to update the counter.
>
> + @retval EFI_UNSUPPORTED The operation is un-supported.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +IncrementMonotonicCounter (
>
> + IN UINT8 CounterId
>
> + );
>
> +
>
> +#endif
> \ No newline at end of file
> diff --git a/SecurityPkg/Include/Library/VariableKeyLib.h
> b/SecurityPkg/Include/Library/VariableKeyLib.h
> new file mode 100644
> index 0000000000..fe642b3d66
> --- /dev/null
> +++ b/SecurityPkg/Include/Library/VariableKeyLib.h
> @@ -0,0 +1,59 @@
> +/** @file
>
> + Public definitions for Variable Key Library.
>
> +
>
> +Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +
>
> +**/
>
> +
>
> +#ifndef _VARIABLE_KEY_LIB_H_
>
> +#define _VARIABLE_KEY_LIB_H_
>
> +
>
> +#include <Uefi/UefiBaseType.h>
>
> +
>
> +/**
>
> + Retrieves the variable root key.
>
> +
>
> + @param[out] VariableRootKey A pointer to pointer for the variable
> root key buffer.
>
> + @param[in,out] VariableRootKeySize The size in bytes of the variable root
> key.
>
> +
>
> + @retval EFI_SUCCESS The variable root key was returned.
>
> + @retval EFI_DEVICE_ERROR An error occurred while attempting to get
> the variable root key.
>
> + @retval EFI_ACCESS_DENIED The function was invoked after locking
> the key interface.
>
> + @retval EFI_UNSUPPORTED The variable root key is not supported in
> the current boot configuration.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +GetVariableRootKey (
>
> + OUT VOID **VariableRootKey,
>
> + IN OUT UINTN *VariableRootKeySize
>
> + );
>
> +
>
> +/**
>
> + Regenerates the variable root key.
>
> +
>
> + @retval EFI_SUCCESS The variable root key was regenerated
> successfully.
>
> + @retval EFI_DEVICE_ERROR An error occurred while attempting to
> regenerate the root key.
>
> + @retval EFI_ACCESS_DENIED The function was invoked after locking
> the key interface.
>
> + @retval EFI_UNSUPPORTED Key regeneration is not supported in the
> current boot configuration.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +RegenerateKey (
>
> + VOID
>
> + );
>
> +
>
> +/**
>
> + Locks the regenerate key interface.
>
> +
>
> + @retval EFI_SUCCESS The key interface was locked successfully.
>
> + @retval EFI_UNSUPPORTED Locking the key interface is not supported
> in the current boot configuration.
>
> + @retval Others An error occurred while attempting to lock the
> key interface.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +LockKeyInterface (
>
> + VOID
>
> + );
>
> +
>
> +#endif
> \ No newline at end of file
> diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
> index 5335cc5397..2cdfb02cc5 100644
> --- a/SecurityPkg/SecurityPkg.dec
> +++ b/SecurityPkg/SecurityPkg.dec
> @@ -76,6 +76,14 @@
> #
>
> TcgStorageOpalLib|Include/Library/TcgStorageOpalLib.h
>
>
>
> + ## @libraryclass Provides interfaces to access RPMC device.
>
> + #
>
> + RpmcLib|Include/Library/RpmcLib.h
>
> +
>
> + ## @libraryclass Provides interfaces to access variable root key.
>
> + #
>
> + VariableKeyLib|Include/Library/VariableKeyLib.h
>
> +
>
> [Guids]
>
> ## Security package token space guid.
>
> # Include/Guid/SecurityPkgTokenSpace.h
>
> --
> 2.24.0.windows.2
* Re: [PATCH v3 1/3] SecurityPkg: add RpmcLib and VariableKeyLib public headers
@ 2020-03-18 2:53 Mistry, Nishant C
2020-03-18 2:59 ` Yao, Jiewen
0 siblings, 1 reply; 8+ messages in thread
From: Mistry, Nishant C @ 2020-03-18 2:53 UTC (permalink / raw)
To: Yao, Jiewen; +Cc: Wang, Jian J, devel@edk2.groups.io, Zhang, Chao B
My thoughts below ...
Regards,
Nishant
Message sent from Phone.
On Mar 17, 2020 7:27 PM, "Yao, Jiewen" <jiewen.yao@intel.com> wrote:
Thanks Jian. Some comments and thoughts.
1) RPMC spec uses CounterAddress as the indicator. Can we use the same name instead of CounterId in the API definition? [Nishant] I agree. CounterId is what CSME has defined, thus I asked Jian to go with this name. However, we should use industry spec naming.
2) How does the caller know which CounterAddress it needs to fill?
Do we need an API such as GetValidCounterAddress()? [Nishant] The platform RPMC driver has a GetRpmcStatus() API that indicates how many counters are supported, as reported by CSME.
3) What is the value of adding CounterAddress? Can we guarantee that 2 drivers use 2 different counter addresses?
Or, if 2 drivers may use the same counter address, why not remove the counter address parameter at all? [Nishant] It might be simpler to just use one counter Address (i.e. 0) for UEFI firmware. If there is a customer request in future we can introduce the Counter Address parameter. At this moment I don't see a value add for BIOS.
Thank you
Yao Jiewen
> -----Original Message-----
> From: Wang, Jian J <jian.j.wang@intel.com>
> Sent: Wednesday, March 18, 2020 10:13 AM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B
> <chao.b.zhang@intel.com>; Mistry, Nishant C <nishant.c.mistry@intel.com>
> Subject: [PATCH v3 1/3] SecurityPkg: add RpmcLib and VariableKeyLib public
> headers
>
> > v3: update retval description in RpmcLib.h
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
>
> RpmcLib.h and VariableKeyLib.h are header files required to access RPMC
> device and Key generator from platform. They will be used to ensure the
> integrity and confidentiality of NV variables.
>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Chao Zhang <chao.b.zhang@intel.com>
> Cc: Nishant C Mistry <nishant.c.mistry@intel.com>
> Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
> ---
> SecurityPkg/Include/Library/RpmcLib.h | 46 +++++++++++++++
> SecurityPkg/Include/Library/VariableKeyLib.h | 59 ++++++++++++++++++++
> SecurityPkg/SecurityPkg.dec | 8 +++
> 3 files changed, 113 insertions(+)
> create mode 100644 SecurityPkg/Include/Library/RpmcLib.h
> create mode 100644 SecurityPkg/Include/Library/VariableKeyLib.h
>
> diff --git a/SecurityPkg/Include/Library/RpmcLib.h
> b/SecurityPkg/Include/Library/RpmcLib.h
> new file mode 100644
> index 0000000000..f548ad2c9f
> --- /dev/null
> +++ b/SecurityPkg/Include/Library/RpmcLib.h
> @@ -0,0 +1,46 @@
> +/** @file
>
> + Public definitions for the Replay Protected Monotonic Counter (RPMC) Library.
>
> +
>
> +Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +
>
> +**/
>
> +
>
> +#ifndef _RPMC_LIB_H_
>
> +#define _RPMC_LIB_H_
>
> +
>
> +#include <Uefi/UefiBaseType.h>
>
> +
>
> +/**
>
> + Requests the current monotonic counter from the designated RPMC counter.
>
> +
>
> + @param[in] CounterId Monotonic Counter Id.
>
> + @param[out] CounterValue A pointer to a buffer to store the RPMC
> value.
>
> +
>
> + @retval EFI_SUCCESS The operation completed successfully.
>
> + @retval EFI_DEVICE_ERROR A device error occurred while attempting
> to update the counter.
>
> + @retval EFI_UNSUPPORTED The operation is un-supported.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +RequestMonotonicCounter (
>
> + IN UINT8 CounterId,
>
> + OUT UINT32 *CounterValue
>
> + );
>
> +
>
> +/**
>
> + Increments the designated monotonic counter in the SPI flash device by 1.
>
> +
>
> + @param[in] CounterId Monotonic Counter Id.
>
> +
>
> + @retval EFI_SUCCESS The operation completed successfully.
>
> + @retval EFI_DEVICE_ERROR A device error occurred while attempting
> to update the counter.
>
> + @retval EFI_UNSUPPORTED The operation is un-supported.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +IncrementMonotonicCounter (
>
> + IN UINT8 CounterId
>
> + );
>
> +
>
> +#endif
> \ No newline at end of file
> diff --git a/SecurityPkg/Include/Library/VariableKeyLib.h
> b/SecurityPkg/Include/Library/VariableKeyLib.h
> new file mode 100644
> index 0000000000..fe642b3d66
> --- /dev/null
> +++ b/SecurityPkg/Include/Library/VariableKeyLib.h
> @@ -0,0 +1,59 @@
> +/** @file
>
> + Public definitions for Variable Key Library.
>
> +
>
> +Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +
>
> +**/
>
> +
>
> +#ifndef _VARIABLE_KEY_LIB_H_
>
> +#define _VARIABLE_KEY_LIB_H_
>
> +
>
> +#include <Uefi/UefiBaseType.h>
>
> +
>
> +/**
>
> + Retrieves the variable root key.
>
> +
>
> + @param[out] VariableRootKey A pointer to pointer for the variable
> root key buffer.
>
> + @param[in,out] VariableRootKeySize The size in bytes of the variable root
> key.
>
> +
>
> + @retval EFI_SUCCESS The variable root key was returned.
>
> + @retval EFI_DEVICE_ERROR An error occurred while attempting to get
> the variable root key.
>
> + @retval EFI_ACCESS_DENIED The function was invoked after locking
> the key interface.
>
> + @retval EFI_UNSUPPORTED The variable root key is not supported in
> the current boot configuration.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +GetVariableRootKey (
>
> + OUT VOID **VariableRootKey,
>
> + IN OUT UINTN *VariableRootKeySize
>
> + );
>
> +
>
> +/**
>
> + Regenerates the variable root key.
>
> +
>
> + @retval EFI_SUCCESS The variable root key was regenerated
> successfully.
>
> + @retval EFI_DEVICE_ERROR An error occurred while attempting to
> regenerate the root key.
>
> + @retval EFI_ACCESS_DENIED The function was invoked after locking
> the key interface.
>
> + @retval EFI_UNSUPPORTED Key regeneration is not supported in the
> current boot configuration.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +RegenerateKey (
>
> + VOID
>
> + );
>
> +
>
> +/**
>
> + Locks the regenerate key interface.
>
> +
>
> + @retval EFI_SUCCESS The key interface was locked successfully.
>
> + @retval EFI_UNSUPPORTED Locking the key interface is not supported
> in the current boot configuration.
>
> + @retval Others An error occurred while attempting to lock the
> key interface.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +LockKeyInterface (
>
> + VOID
>
> + );
>
> +
>
> +#endif
> \ No newline at end of file
> diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
> index 5335cc5397..2cdfb02cc5 100644
> --- a/SecurityPkg/SecurityPkg.dec
> +++ b/SecurityPkg/SecurityPkg.dec
> @@ -76,6 +76,14 @@
> #
>
> TcgStorageOpalLib|Include/Library/TcgStorageOpalLib.h
>
>
>
> + ## @libraryclass Provides interfaces to access RPMC device.
>
> + #
>
> + RpmcLib|Include/Library/RpmcLib.h
>
> +
>
> + ## @libraryclass Provides interfaces to access variable root key.
>
> + #
>
> + VariableKeyLib|Include/Library/VariableKeyLib.h
>
> +
>
> [Guids]
>
> ## Security package token space guid.
>
> # Include/Guid/SecurityPkgTokenSpace.h
>
> --
> 2.24.0.windows.2
* Re: [PATCH v3 1/3] SecurityPkg: add RpmcLib and VariableKeyLib public headers
2020-03-18 2:53 [PATCH v3 1/3] SecurityPkg: add RpmcLib and VariableKeyLib public headers Mistry, Nishant C
@ 2020-03-18 2:59 ` Yao, Jiewen
0 siblings, 0 replies; 8+ messages in thread
From: Yao, Jiewen @ 2020-03-18 2:59 UTC (permalink / raw)
To: Mistry, Nishant C; +Cc: Wang, Jian J, devel@edk2.groups.io, Zhang, Chao B
Thanks Nishant.
If the platform RPMC driver calls GetRpmcState(), then we should not define it in UEFI, because the variable driver does not have such knowledge.
I do see the complexity of the counter management requirement. The current API might be either insufficient or unnecessary.
To keep our work simple, I recommend removing CounterAddr from the API and forcing the BIOS to use a single counter.
It does not have to be 0; the RpmcLib can make the decision. But the high-level driver does not care.
We can revisit when we see more usage.
Thank you
Yao Jiewen
From: Mistry, Nishant C <nishant.c.mistry@intel.com>
Sent: Wednesday, March 18, 2020 10:53 AM
To: Yao, Jiewen <jiewen.yao@intel.com>
Cc: Wang, Jian J <jian.j.wang@intel.com>; devel@edk2.groups.io; Zhang, Chao B <chao.b.zhang@intel.com>
Subject: RE: [PATCH v3 1/3] SecurityPkg: add RpmcLib and VariableKeyLib public headers
My thoughts below ...
Regards,
Nishant
Message sent from Phone.
On Mar 17, 2020 7:27 PM, "Yao, Jiewen" <jiewen.yao@intel.com> wrote:
Thanks Jian. Some comments and thoughts.
1) RPMC spec uses CounterAddress as the indicator. Can we use the same name instead of CounterId in the API definition?
[Nishant] I agree. CounterId is what CSME has defined, thus I asked Jian to go with this name. However, we should use industry spec naming.
2) How does the caller know which CounterAddress it needs to fill?
Do we need an API such as GetValidCounterAddress()?
[Nishant] The platform RPMC driver has a GetRpmcStatus() API that indicates how many counters are supported, as reported by CSME.
3) What is the value of adding CounterAddress? Can we guarantee that 2 drivers use 2 different counter addresses?
Or, if 2 drivers may use the same counter address, why not remove the counter address parameter at all?
[Nishant] It might be simpler to just use one counter address (i.e. 0) for UEFI firmware. If there is a customer request in the future we can introduce the Counter Address parameter. At this moment I don't see a value add for BIOS.
Thank you
Yao Jiewen
> -----Original Message-----
> From: Wang, Jian J <jian.j.wang@intel.com>
> Sent: Wednesday, March 18, 2020 10:13 AM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B
> <chao.b.zhang@intel.com>; Mistry, Nishant C <nishant.c.mistry@intel.com>
> Subject: [PATCH v3 1/3] SecurityPkg: add RpmcLib and VariableKeyLib public
> headers
>
> > v3: update retval description in RpmcLib.h
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
>
> RpmcLib.h and VariableKeyLib.h are header files required to access RPMC
> device and Key generator from platform. They will be used to ensure the
> integrity and confidentiality of NV variables.
>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Chao Zhang <chao.b.zhang@intel.com>
> Cc: Nishant C Mistry <nishant.c.mistry@intel.com>
> Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
> ---
> SecurityPkg/Include/Library/RpmcLib.h | 46 +++++++++++++++
> SecurityPkg/Include/Library/VariableKeyLib.h | 59 ++++++++++++++++++++
> SecurityPkg/SecurityPkg.dec | 8 +++
> 3 files changed, 113 insertions(+)
> create mode 100644 SecurityPkg/Include/Library/RpmcLib.h
> create mode 100644 SecurityPkg/Include/Library/VariableKeyLib.h
>
> diff --git a/SecurityPkg/Include/Library/RpmcLib.h
> b/SecurityPkg/Include/Library/RpmcLib.h
> new file mode 100644
> index 0000000000..f548ad2c9f
> --- /dev/null
> +++ b/SecurityPkg/Include/Library/RpmcLib.h
> @@ -0,0 +1,46 @@
> +/** @file
>
> + Public definitions for the Replay Protected Monotonic Counter (RPMC) Library.
>
> +
>
> +Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +
>
> +**/
>
> +
>
> +#ifndef _RPMC_LIB_H_
>
> +#define _RPMC_LIB_H_
>
> +
>
> +#include <Uefi/UefiBaseType.h>
>
> +
>
> +/**
>
> + Requests the current monotonic counter from the designated RPMC counter.
>
> +
>
> + @param[in] CounterId Monotonic Counter Id.
>
> + @param[out] CounterValue A pointer to a buffer to store the RPMC
> value.
>
> +
>
> + @retval EFI_SUCCESS The operation completed successfully.
>
> + @retval EFI_DEVICE_ERROR A device error occurred while attempting
> to update the counter.
>
> + @retval EFI_UNSUPPORTED The operation is un-supported.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +RequestMonotonicCounter (
>
> + IN UINT8 CounterId,
>
> + OUT UINT32 *CounterValue
>
> + );
>
> +
>
> +/**
>
> + Increments the designated monotonic counter in the SPI flash device by 1.
>
> +
>
> + @param[in] CounterId Monotonic Counter Id.
>
> +
>
> + @retval EFI_SUCCESS The operation completed successfully.
>
> + @retval EFI_DEVICE_ERROR A device error occurred while attempting
> to update the counter.
>
> + @retval EFI_UNSUPPORTED The operation is un-supported.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +IncrementMonotonicCounter (
>
> + IN UINT8 CounterId
>
> + );
>
> +
>
> +#endif
> \ No newline at end of file
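Review bot: in the RequestMonotonicCounter() comment, `@retval EFI_DEVICE_ERROR` reads "while attempting to update the counter", which looks copied from IncrementMonotonicCounter(); this function requests the current value, so the text should describe a read failure. Neither comment says what is returned when CounterValue is NULL or CounterId names a counter that does not exist (an EFI_INVALID_PARAMETER retval would cover both), nor what IncrementMonotonicCounter() returns once the UINT32 counter reaches its maximum. The header also ends without a trailing newline.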
> diff --git a/SecurityPkg/Include/Library/VariableKeyLib.h
> b/SecurityPkg/Include/Library/VariableKeyLib.h
> new file mode 100644
> index 0000000000..fe642b3d66
> --- /dev/null
> +++ b/SecurityPkg/Include/Library/VariableKeyLib.h
> @@ -0,0 +1,59 @@
> +/** @file
>
> + Public definitions for Variable Key Library.
>
> +
>
> +Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +
>
> +**/
>
> +
>
> +#ifndef _VARIABLE_KEY_LIB_H_
>
> +#define _VARIABLE_KEY_LIB_H_
>
> +
>
> +#include <Uefi/UefiBaseType.h>
>
> +
>
> +/**
>
> + Retrieves the variable root key.
>
> +
>
> + @param[out] VariableRootKey A pointer to pointer for the variable
> root key buffer.
>
> + @param[in,out] VariableRootKeySize The size in bytes of the variable root
> key.
>
> +
>
> + @retval EFI_SUCCESS The variable root key was returned.
>
> + @retval EFI_DEVICE_ERROR An error occurred while attempting to get
> the variable root key.
>
> + @retval EFI_ACCESS_DENIED The function was invoked after locking
> the key interface.
>
> + @retval EFI_UNSUPPORTED The variable root key is not supported in
> the current boot configuration.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +GetVariableRootKey (
>
> + OUT VOID **VariableRootKey,
>
> + IN OUT UINTN *VariableRootKeySize
>
> + );
>
> +
>
> +/**
>
> + Regenerates the variable root key.
>
> +
>
> + @retval EFI_SUCCESS The variable root key was regenerated
> successfully.
>
> + @retval EFI_DEVICE_ERROR An error occurred while attempting to
> regenerate the root key.
>
> + @retval EFI_ACCESS_DENIED The function was invoked after locking
> the key interface.
>
> + @retval EFI_UNSUPPORTED Key regeneration is not supported in the
> current boot configuration.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +RegenerateKey (
>
> + VOID
>
> + );
>
> +
>
> +/**
>
> + Locks the regenerate key interface.
>
> +
>
> + @retval EFI_SUCCESS The key interface was locked successfully.
>
> + @retval EFI_UNSUPPORTED Locking the key interface is not supported
> in the current boot configuration.
>
> + @retval Others An error occurred while attempting to lock the
> key interface.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +LockKeyInterface (
>
> + VOID
>
> + );
>
> +
>
> +#endif
> \ No newline at end of file
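Review bot: GetVariableRootKey() returns the key through `OUT VOID **VariableRootKey`, but the comment does not say who owns that buffer: whether the library allocates it, whether the caller may free it, and who zeroes the key material afterwards. `VariableRootKeySize` is `IN OUT`, yet the meaning of the input value is not described and there is no retval for a NULL pointer or an unexpected size. Since GetVariableRootKey() also returns EFI_ACCESS_DENIED after locking, the LockKeyInterface() summary ("Locks the regenerate key interface") should say that the lock covers reading the key as well.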
> diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
> index 5335cc5397..2cdfb02cc5 100644
> --- a/SecurityPkg/SecurityPkg.dec
> +++ b/SecurityPkg/SecurityPkg.dec
> @@ -76,6 +76,14 @@
> #
>
> TcgStorageOpalLib|Include/Library/TcgStorageOpalLib.h
>
>
>
> + ## @libraryclass Provides interfaces to access RPMC device.
>
> + #
>
> + RpmcLib|Include/Library/RpmcLib.h
>
> +
>
> + ## @libraryclass Provides interfaces to access variable root key.
>
> + #
>
> + VariableKeyLib|Include/Library/VariableKeyLib.h
>
> +
>
> [Guids]
>
> ## Security package token space guid.
>
> # Include/Guid/SecurityPkgTokenSpace.h
>
> --
> 2.24.0.windows.2
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH v3 1/3] SecurityPkg: add RpmcLib and VariableKeyLib public headers
@ 2020-03-18 3:13 Mistry, Nishant C
0 siblings, 0 replies; 8+ messages in thread
From: Mistry, Nishant C @ 2020-03-18 3:13 UTC (permalink / raw)
To: Yao, Jiewen; +Cc: Wang, Jian J, devel@edk2.groups.io, Zhang, Chao B
Agree. I will make needed changes to remove CounterId parameter.
Regards,
Nishant
Message sent from Phone.
On Mar 17, 2020 7:59 PM, "Yao, Jiewen" <jiewen.yao@intel.com> wrote:
Thanks Nishant.
If the platform RPMC driver calls GetRpmcState(), then we should not define it in UEFI, because the variable driver does not have such knowledge.
I do see the complexity of the counter management requirement. The current API might be either insufficient or unnecessary.
To keep our work simple, I recommend removing CounterAddr from the API and forcing the BIOS to use a single counter.
It does not have to be 0; the RpmcLib can make the decision. But the high-level driver does not care.
We can revisit when we see more usage.
Thank you
Yao Jiewen
From: Mistry, Nishant C <nishant.c.mistry@intel.com>
Sent: Wednesday, March 18, 2020 10:53 AM
To: Yao, Jiewen <jiewen.yao@intel.com>
Cc: Wang, Jian J <jian.j.wang@intel.com>; devel@edk2.groups.io; Zhang, Chao B <chao.b.zhang@intel.com>
Subject: RE: [PATCH v3 1/3] SecurityPkg: add RpmcLib and VariableKeyLib public headers
My thoughts below ...
Regards,
Nishant
Message sent from Phone.
On Mar 17, 2020 7:27 PM, "Yao, Jiewen" <jiewen.yao@intel.com> wrote:
Thanks Jian. Some comments and thoughts.
1) RPMC spec uses CounterAddress as the indicator. Can we use the same name instead of CounterId in the API definition?
[Nishant] I agree. CounterId is what CSME has defined, thus I asked Jian to go with this name. However, we should use industry spec naming.
2) How does the caller know which CounterAddress it needs to fill?
Do we need an API such as GetValidCounterAddress()?
[Nishant] The platform RPMC driver has a GetRpmcStatus() API that indicates how many counters are supported, as reported by CSME.
3) What is the value of adding CounterAddress? Can we guarantee that 2 drivers use 2 different counter addresses?
Or, if 2 drivers may use the same counter address, why not remove the counter address parameter at all?
[Nishant] It might be simpler to just use one counter address (i.e. 0) for UEFI firmware. If there is a customer request in the future we can introduce the Counter Address parameter. At this moment I don't see a value add for BIOS.
Thank you
Yao Jiewen
> -----Original Message-----
> From: Wang, Jian J <jian.j.wang@intel.com>
> Sent: Wednesday, March 18, 2020 10:13 AM
> To: devel@edk2.groups.io
> Cc: Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Chao B
> <chao.b.zhang@intel.com>; Mistry, Nishant C <nishant.c.mistry@intel.com>
> Subject: [PATCH v3 1/3] SecurityPkg: add RpmcLib and VariableKeyLib public
> headers
>
> > v3: update retval description in RpmcLib.h
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
>
> RpmcLib.h and VariableKeyLib.h are header files required to access RPMC
> device and Key generator from platform. They will be used to ensure the
> integrity and confidentiality of NV variables.
>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Chao Zhang <chao.b.zhang@intel.com>
> Cc: Nishant C Mistry <nishant.c.mistry@intel.com>
> Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
> ---
> SecurityPkg/Include/Library/RpmcLib.h | 46 +++++++++++++++
> SecurityPkg/Include/Library/VariableKeyLib.h | 59 ++++++++++++++++++++
> SecurityPkg/SecurityPkg.dec | 8 +++
> 3 files changed, 113 insertions(+)
> create mode 100644 SecurityPkg/Include/Library/RpmcLib.h
> create mode 100644 SecurityPkg/Include/Library/VariableKeyLib.h
>
> diff --git a/SecurityPkg/Include/Library/RpmcLib.h
> b/SecurityPkg/Include/Library/RpmcLib.h
> new file mode 100644
> index 0000000000..f548ad2c9f
> --- /dev/null
> +++ b/SecurityPkg/Include/Library/RpmcLib.h
> @@ -0,0 +1,46 @@
> +/** @file
>
> + Public definitions for the Replay Protected Monotonic Counter (RPMC) Library.
>
> +
>
> +Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +
>
> +**/
>
> +
>
> +#ifndef _RPMC_LIB_H_
>
> +#define _RPMC_LIB_H_
>
> +
>
> +#include <Uefi/UefiBaseType.h>
>
> +
>
> +/**
>
> + Requests the current monotonic counter from the designated RPMC counter.
>
> +
>
> + @param[in] CounterId Monotonic Counter Id.
>
> + @param[out] CounterValue A pointer to a buffer to store the RPMC
> value.
>
> +
>
> + @retval EFI_SUCCESS The operation completed successfully.
>
> + @retval EFI_DEVICE_ERROR A device error occurred while attempting
> to update the counter.
>
> + @retval EFI_UNSUPPORTED The operation is un-supported.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +RequestMonotonicCounter (
>
> + IN UINT8 CounterId,
>
> + OUT UINT32 *CounterValue
>
> + );
>
> +
>
> +/**
>
> + Increments the designated monotonic counter in the SPI flash device by 1.
>
> +
>
> + @param[in] CounterId Monotonic Counter Id.
>
> +
>
> + @retval EFI_SUCCESS The operation completed successfully.
>
> + @retval EFI_DEVICE_ERROR A device error occurred while attempting
> to update the counter.
>
> + @retval EFI_UNSUPPORTED The operation is un-supported.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +IncrementMonotonicCounter (
>
> + IN UINT8 CounterId
>
> + );
>
> +
>
> +#endif
> \ No newline at end of file
> diff --git a/SecurityPkg/Include/Library/VariableKeyLib.h
> b/SecurityPkg/Include/Library/VariableKeyLib.h
> new file mode 100644
> index 0000000000..fe642b3d66
> --- /dev/null
> +++ b/SecurityPkg/Include/Library/VariableKeyLib.h
> @@ -0,0 +1,59 @@
> +/** @file
>
> + Public definitions for Variable Key Library.
>
> +
>
> +Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +
>
> +**/
>
> +
>
> +#ifndef _VARIABLE_KEY_LIB_H_
>
> +#define _VARIABLE_KEY_LIB_H_
>
> +
>
> +#include <Uefi/UefiBaseType.h>
>
> +
>
> +/**
>
> + Retrieves the variable root key.
>
> +
>
> + @param[out] VariableRootKey A pointer to pointer for the variable
> root key buffer.
>
> + @param[in,out] VariableRootKeySize The size in bytes of the variable root
> key.
>
> +
>
> + @retval EFI_SUCCESS The variable root key was returned.
>
> + @retval EFI_DEVICE_ERROR An error occurred while attempting to get
> the variable root key.
>
> + @retval EFI_ACCESS_DENIED The function was invoked after locking
> the key interface.
>
> + @retval EFI_UNSUPPORTED The variable root key is not supported in
> the current boot configuration.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +GetVariableRootKey (
>
> + OUT VOID **VariableRootKey,
>
> + IN OUT UINTN *VariableRootKeySize
>
> + );
>
> +
>
> +/**
>
> + Regenerates the variable root key.
>
> +
>
> + @retval EFI_SUCCESS The variable root key was regenerated
> successfully.
>
> + @retval EFI_DEVICE_ERROR An error occurred while attempting to
> regenerate the root key.
>
> + @retval EFI_ACCESS_DENIED The function was invoked after locking
> the key interface.
>
> + @retval EFI_UNSUPPORTED Key regeneration is not supported in the
> current boot configuration.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +RegenerateKey (
>
> + VOID
>
> + );
>
> +
>
> +/**
>
> + Locks the regenerate key interface.
>
> +
>
> + @retval EFI_SUCCESS The key interface was locked successfully.
>
> + @retval EFI_UNSUPPORTED Locking the key interface is not supported
> in the current boot configuration.
>
> + @retval Others An error occurred while attempting to lock the
> key interface.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +LockKeyInterface (
>
> + VOID
>
> + );
>
> +
>
> +#endif
> \ No newline at end of file
> diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
> index 5335cc5397..2cdfb02cc5 100644
> --- a/SecurityPkg/SecurityPkg.dec
> +++ b/SecurityPkg/SecurityPkg.dec
> @@ -76,6 +76,14 @@
> #
>
> TcgStorageOpalLib|Include/Library/TcgStorageOpalLib.h
>
>
>
> + ## @libraryclass Provides interfaces to access RPMC device.
>
> + #
>
> + RpmcLib|Include/Library/RpmcLib.h
>
> +
>
> + ## @libraryclass Provides interfaces to access variable root key.
>
> + #
>
> + VariableKeyLib|Include/Library/VariableKeyLib.h
>
> +
>
> [Guids]
>
> ## Security package token space guid.
>
> # Include/Guid/SecurityPkgTokenSpace.h
>
> --
> 2.24.0.windows.2
^ permalink raw reply [flat|nested] 8+ messages in thread
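An added illustration of the API shape the thread converges on (not code from the patch series or from edk2): the CounterId parameter is gone, the library picks the counter address privately, and a hypothetical caller uses the counter to reject a stale copy of a variable store. The base-type stand-ins, `RPMC_COUNTER_ADDR`, `mCounters`, `mDeviceFault`, `VAR_STORE`, `CommitStore` and `CheckStoreFresh` are assumptions made for this host-side model.

```c
/* Added example: host-side model of the single-counter API shape. Not edk2 code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t EFI_STATUS;                 /* stand-ins for the edk2 base types */
#define EFI_ERR(n)            (0x8000000000000000ULL | (n))
#define EFI_SUCCESS           0ULL
#define EFI_INVALID_PARAMETER EFI_ERR(2)
#define EFI_DEVICE_ERROR      EFI_ERR(7)
#define EFI_COMPROMISED_DATA  EFI_ERR(33)

/* Library-private state: the counter address is chosen here, never by callers. */
#define RPMC_COUNTER_ADDR 2                  /* constructed; "does not have to be 0" */
static uint32_t mCounters[4];                /* simulated RPMC device */
static int      mDeviceFault;                /* set to 1 to simulate a device error */

EFI_STATUS RequestMonotonicCounter(uint32_t *CounterValue) {
  if (CounterValue == NULL) return EFI_INVALID_PARAMETER;
  if (mDeviceFault)         return EFI_DEVICE_ERROR;
  *CounterValue = mCounters[RPMC_COUNTER_ADDR];
  return EFI_SUCCESS;
}

EFI_STATUS IncrementMonotonicCounter(void) {
  /* Refuse to wrap: a counter that rolls over is no longer monotonic. */
  if (mDeviceFault || mCounters[RPMC_COUNTER_ADDR] == UINT32_MAX) return EFI_DEVICE_ERROR;
  mCounters[RPMC_COUNTER_ADDR]++;
  return EFI_SUCCESS;
}

/* Hypothetical caller: a variable store stamped with the counter value at commit.
   Assumption: Epoch is integrity-protected by the caller (e.g. under a MAC). */
typedef struct { uint32_t Epoch; } VAR_STORE;

EFI_STATUS CommitStore(VAR_STORE *Store) {
  EFI_STATUS Status;
  if (Store == NULL) return EFI_INVALID_PARAMETER;
  Status = IncrementMonotonicCounter();
  if (Status != EFI_SUCCESS) return Status;
  return RequestMonotonicCounter(&Store->Epoch);
}

EFI_STATUS CheckStoreFresh(const VAR_STORE *Store) {
  uint32_t Now;
  EFI_STATUS Status;
  if (Store == NULL) return EFI_INVALID_PARAMETER;
  Status = RequestMonotonicCounter(&Now);
  if (Status != EFI_SUCCESS) return Status;  /* fail closed on device errors */
  return (Store->Epoch == Now) ? EFI_SUCCESS : EFI_COMPROMISED_DATA;
}

int main(void) {
  VAR_STORE Store = {0}, Stale;
  CommitStore(&Store);
  Stale = Store;                             /* copy of the store taken now */
  CommitStore(&Store);                       /* a later legitimate write */
  printf("current ok: %d  stale rejected: %d\n",
         CheckStoreFresh(&Store) == EFI_SUCCESS,
         CheckStoreFresh(&Stale) == EFI_COMPROMISED_DATA);
  return 0;
}
```

Because callers never name a counter, two drivers linked against the same library instance cannot disagree about which counter guards the store.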