From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga17.intel.com (mga17.intel.com [192.55.52.151]) by mx.groups.io with SMTP id smtpd.web09.2664.1626136920574620140 for ; Mon, 12 Jul 2021 17:42:03 -0700 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: intel.com, ip: 192.55.52.151, mailfrom: nathaniel.l.desimone@intel.com) X-IronPort-AV: E=McAfee;i="6200,9189,10043"; a="190456228" X-IronPort-AV: E=Sophos;i="5.84,235,1620716400"; d="scan'208";a="190456228" Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by fmsmga107.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 12 Jul 2021 17:41:58 -0700 X-IronPort-AV: E=Sophos;i="5.84,235,1620716400"; d="scan'208";a="653422945" Received: from nldesimo-desk1.amr.corp.intel.com ([10.212.211.135]) by fmsmga005-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 12 Jul 2021 17:41:54 -0700 From: "Nate DeSimone" To: devel@edk2.groups.io Cc: Isaac Oram , Mohamed Abbas , Chasel Chiu , Michael D Kinney , Liming Gao , Eric Dong , Michael Kubacki Subject: [edk2-platforms] [PATCH V1 08/17] WhitleySiliconPkg: Add Security Includes Date: Mon, 12 Jul 2021 17:41:22 -0700 Message-Id: <20210713004131.1782-9-nathaniel.l.desimone@intel.com> X-Mailer: git-send-email 2.27.0.windows.1 In-Reply-To: <20210713004131.1782-1-nathaniel.l.desimone@intel.com> References: <20210713004131.1782-1-nathaniel.l.desimone@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 
Signed-off-by: Nate DeSimone
Co-authored-by: Isaac Oram
Co-authored-by: Mohamed Abbas
Cc: Chasel Chiu
Cc: Michael D Kinney
Cc: Isaac Oram
Cc: Mohamed Abbas
Cc: Liming Gao
Cc: Eric Dong
Cc: Michael Kubacki
---
 .../SecurityIp/SecurityIpMkTme1v0_Inputs.h | 25 ++++++++++++
 .../SecurityIp/SecurityIpMkTme1v0_Outputs.h | 18 +++++++++
 .../SecurityIp/SecurityIpSgxTem1v0_Inputs.h | 39 +++++++++++++++++++
 .../SecurityIp/SecurityIpSgxTem1v0_Outputs.h | 22 +++++++++++
 .../Guid/SecurityIp/SecurityIpTdx1v0_Inputs.h | 13 +++++++
 .../SecurityIp/SecurityIpTdx1v0_Outputs.h | 11 ++++++
 .../Include/Guid/SecurityPolicy_Flat.h | 22 +++++++++++
 7 files changed, 150 insertions(+)
 create mode 100644 Silicon/Intel/WhitleySiliconPkg/Security/Include/Guid/SecurityIp/SecurityIpMkTme1v0_Inputs.h
 create mode 100644 Silicon/Intel/WhitleySiliconPkg/Security/Include/Guid/SecurityIp/SecurityIpMkTme1v0_Outputs.h
 create mode 100644 Silicon/Intel/WhitleySiliconPkg/Security/Include/Guid/SecurityIp/SecurityIpSgxTem1v0_Inputs.h
 create mode 100644 Silicon/Intel/WhitleySiliconPkg/Security/Include/Guid/SecurityIp/SecurityIpSgxTem1v0_Outputs.h
 create mode 100644 Silicon/Intel/WhitleySiliconPkg/Security/Include/Guid/SecurityIp/SecurityIpTdx1v0_Inputs.h
 create mode 100644 Silicon/Intel/WhitleySiliconPkg/Security/Include/Guid/SecurityIp/SecurityIpTdx1v0_Outputs.h
 create mode 100644 Silicon/Intel/WhitleySiliconPkg/Security/Include/Guid/SecurityPolicy_Flat.h
diff --git a/Silicon/Intel/WhitleySiliconPkg/Security/Include/Guid/SecurityIp/SecurityIpMkTme1v0_Inputs.h b/Silicon/Intel/WhitleySiliconPkg/Security/Include/Guid/SecurityIp/SecurityIpMkTme1v0_Inputs.h
new file mode 100644
index 0000000000..4c48ca19ee
--- /dev/null
+++ b/Silicon/Intel/WhitleySiliconPkg/Security/Include/Guid/SecurityIp/SecurityIpMkTme1v0_Inputs.h
@@ -0,0 +1,25 @@
+/** @file
+ Provides data structure information used by SiliconIp MK-TME
+
+ @copyright
+ Copyright 2020 - 2021 Intel Corporation.
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+//
+// TME
+//
+UINT8 EnableTme; // TME Enable
+UINT8 EnableTmeCR; // Exclude Crystal Ridge memory from encryption.
+
+//
+// MK-TME
+//
+UINT8 EnableMktme; // MK-TME Enable
+
+UINT8 ReservedS234;
+UINT8 ReservedS235;
+UINT64 ReservedS236;
+UINT64 ReservedS237;
+UINT8 ReservedS238;
diff --git a/Silicon/Intel/WhitleySiliconPkg/Security/Include/Guid/SecurityIp/SecurityIpMkTme1v0_Outputs.h b/Silicon/Intel/WhitleySiliconPkg/Security/Include/Guid/SecurityIp/SecurityIpMkTme1v0_Outputs.h
new file mode 100644
index 0000000000..3a6262a658
--- /dev/null
+++ b/Silicon/Intel/WhitleySiliconPkg/Security/Include/Guid/SecurityIp/SecurityIpMkTme1v0_Outputs.h
@@ -0,0 +1,18 @@
+/** @file
+ Provides data structure information used by SiliconIp MK-TME
+
+ @copyright
+ Copyright 2020 - 2021 Intel Corporation.
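Review bot: The mix of UINT8 and UINT64 members (`UINT8 EnableMktme;` followed a few lines later by `UINT64 ReservedS236;`) gets a different layout depending on whether the struct that includes this header is declared under `#pragma pack(1)` or with natural alignment, and SecurityPolicy_Flat.h states that the same member list is injected into both SecurityPolicy and SOCKET_PROCESSORCORE_CONFIGURATION. I cannot see the packing of either container from this patch; if they differ, every offset after the first UINT64 diverges between producer and consumer and a policy knob such as EnableTme would be read from the wrong byte. The constraint should be written down at the top of the header, after the license block, e.g. `// Flat member list, no include guard by design: include only from a struct body declared with the same packing as SOCKET_PROCESSORCORE_CONFIGURATION.` The same remark applies to the SgxTem and Tdx Inputs/Outputs headers later in this patch.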
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+//
+// MK-TME
+//
+// NAK - Not a knob, used just for indication
+UINT8 TmeCapability; // TME Capable
+UINT8 TmeCrSupport; // Flag used to check if Crystal Ridge is supported in UEFI
+UINT8 MktmeCapability; // MK-TME Capable
+UINT16 MktmeMaxKeys; // Max number of keys used for encryption
+UINT8 MkTmeKeyIdBits; // Used to suppress setup menu key-splits
\ No newline at end of file
diff --git a/Silicon/Intel/WhitleySiliconPkg/Security/Include/Guid/SecurityIp/SecurityIpSgxTem1v0_Inputs.h b/Silicon/Intel/WhitleySiliconPkg/Security/Include/Guid/SecurityIp/SecurityIpSgxTem1v0_Inputs.h
new file mode 100644
index 0000000000..2deabd0b50
--- /dev/null
+++ b/Silicon/Intel/WhitleySiliconPkg/Security/Include/Guid/SecurityIp/SecurityIpSgxTem1v0_Inputs.h
@@ -0,0 +1,39 @@
+/** @file
+ Provides data structure information used by SiliconIp SGX-TEM
+
+ @copyright
+ Copyright 2020 - 2021 Intel Corporation.
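Review bot: The "NAK - Not a knob" block does not say which module fills these outputs in, whereas SecurityIpSgxTem1v0_Outputs.h tags its members with `// ## PRODUCED by ...`; a consumer reading TmeCapability before the producer has run gets whatever the container was initialised with, so the producer (and the phase it runs in) should be named here the same way, e.g. `UINT8 TmeCapability; // TME Capable  ## PRODUCED by <producer module - TODO confirm>`. The file also ends without a trailing newline (`\ No newline at end of file`), which edk2 sources normally avoid; SecurityIpTdx1v0_Outputs.h and SecurityPolicy_Flat.h in this patch have the same problem.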
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+//
+// SGX
+//
+UINT8 EnableSgx;
+UINT8 SgxFactoryReset; // Delete all registration data, if SGX enabled force IPE/FirstBinding flow
+UINT64 PrmrrSize; // SGX PRMRR size
+UINT64 ReservedS239;
+UINT8 SgxQoS; // SGX Quality of Service
+UINT8 SgxAutoRegistrationAgent;
+UINT8 SgxPackageInfoInBandAccess; // Expose Package Info to OS
+UINT8 EpochUpdate;
+UINT64 SgxEpoch0; // SGX EPOCH0 value {0 - 0xFFFFFFFFFFFFFFFF}
+UINT64 SgxEpoch1; // SGX EPOCH1 value {0 - 0xFFFFFFFFFFFFFFFF}
+UINT8 SgxLeWr; // Flexible Launch Enclave Policy (Wr En)
+UINT64 SgxLePubKeyHash0; // Launch Enclave Hash 0
+UINT64 SgxLePubKeyHash1; // Launch Enclave Hash 1
+UINT64 SgxLePubKeyHash2; // Launch Enclave Hash 2
+UINT64 SgxLePubKeyHash3; // Launch Enclave Hash 3
+// Client SGX - unused in server
+UINT8 SgxSinitNvsData; // SGX NVS data from Flash passed during previous boot using CPU_INFO_PROTOCOL.SGX_INFO;
+ // Pass value of zero if there is not data saved or when SGX is disabled.
+UINT8 SgxSinitDataFromTpm; // SGX SVN data from TPM; 0: when SGX is disabled or TPM is not present or no data
+ // is present in TPM.
+UINT8 SgxDebugMode;
+
+UINT8 ReservedS240;
+UINT8 ReservedS241;
+UINT8 ReservedS242;
+UINT8 ReservedS243;
+UINT8 ReservedS244;
diff --git a/Silicon/Intel/WhitleySiliconPkg/Security/Include/Guid/SecurityIp/SecurityIpSgxTem1v0_Outputs.h b/Silicon/Intel/WhitleySiliconPkg/Security/Include/Guid/SecurityIp/SecurityIpSgxTem1v0_Outputs.h
new file mode 100644
index 0000000000..45b63b21c5
--- /dev/null
+++ b/Silicon/Intel/WhitleySiliconPkg/Security/Include/Guid/SecurityIp/SecurityIpSgxTem1v0_Outputs.h
@@ -0,0 +1,22 @@
+/** @file
+ Provides data structure information used by SiliconIp SGX-TEM
+
+ @copyright
+ Copyright 2020 - 2021 Intel Corporation.
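Review bot: `UINT8 SgxDebugMode;` and `UINT8 EpochUpdate;` are the two knobs in this list with the largest consequences for the SGX trust model, and they are the ones declared with no comment at all (EnableSgx and SgxAutoRegistrationAgent are bare as well). A reader of the policy cannot tell from the header what value encoding either uses or what the production default is, and if, as the name suggests, EpochUpdate drives regeneration of SgxEpoch0/SgxEpoch1, the comment should also say what that means for data that was sealed under the previous epoch values. I would add at least `UINT8 EpochUpdate; // Epoch regeneration policy - TODO: document value encoding and effect on previously sealed data` and `UINT8 SgxDebugMode; // TODO: document value encoding and the production default`. The SgxLePubKeyHash0..3 comments would likewise benefit from stating which hash (and byte order) the four UINT64 words hold, since that is what SgxLeWr's launch policy is checked against.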
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+// NAK - Not a knob, used just for indication
+UINT8 IsSgxCapable;
+UINT8 IsHwCongifSupportedBySgx; // ## PRODUCED by SgxPreMemInit
+UINT8 CrDimmsPresent;
+UINT64 ValidPrmrrBitMap;
+UINT64 SprspOrLaterPrmSizeBitmap; // ## PRODUCED by SgxPreMemInit
+UINT8 ShowEpoch;
+UINT8 SkipSignalPpmDone; // ## PRODUCED by SgxEarlyInit
+
+UINT8 SprspOrLaterIsPrmSizeInvalidated; // ## PRODUCED by SgxPreMemInit
+UINT8 SprspOrLaterAreHardwarePreconditionsMet; // ## PRODUCED by SgxPreMemInit
+UINT8 SprspOrLaterAreMemoryPreconditionsMet; // ## PRODUCED by SgxPreMeminit
+UINT8 SprspOrLaterAreSetupPreconditionsMet; // ## PRODUCED by SgxPreMemInit
diff --git a/Silicon/Intel/WhitleySiliconPkg/Security/Include/Guid/SecurityIp/SecurityIpTdx1v0_Inputs.h b/Silicon/Intel/WhitleySiliconPkg/Security/Include/Guid/SecurityIp/SecurityIpTdx1v0_Inputs.h
new file mode 100644
index 0000000000..db5081c0aa
--- /dev/null
+++ b/Silicon/Intel/WhitleySiliconPkg/Security/Include/Guid/SecurityIp/SecurityIpTdx1v0_Inputs.h
@@ -0,0 +1,13 @@
+/** @file
+ Provides data structure information used by SiliconIp TDX
+
+ @copyright
+ Copyright 2020 - 2021 Intel Corporation.
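Review bot: `IsHwCongifSupportedBySgx` has a typo in the identifier ("Congif"), and because this member list becomes part of a setup variable layout shared by several consumers, renaming it later is an interface change for every reader, so it is cheapest to fix now: `UINT8 IsHwConfigSupportedBySgx; // ## PRODUCED by SgxPreMemInit`. The producer annotations are also inconsistent within the file: IsSgxCapable, CrDimmsPresent, ValidPrmrrBitMap and ShowEpoch carry none, and one line spells the producer `SgxPreMeminit` while the others use `SgxPreMemInit`. Since the leading comment says these are indications rather than knobs, every member should name the module that writes it so a consumer knows which phase it may read it in.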
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+UINT8 EnableTdx; // TDX Enable
+UINT8 KeySplit; // TDX/MK-TME key split
+
+UINT8 ReservedS245;
diff --git a/Silicon/Intel/WhitleySiliconPkg/Security/Include/Guid/SecurityIp/SecurityIpTdx1v0_Outputs.h b/Silicon/Intel/WhitleySiliconPkg/Security/Include/Guid/SecurityIp/SecurityIpTdx1v0_Outputs.h
new file mode 100644
index 0000000000..d744baefb5
--- /dev/null
+++ b/Silicon/Intel/WhitleySiliconPkg/Security/Include/Guid/SecurityIp/SecurityIpTdx1v0_Outputs.h
@@ -0,0 +1,11 @@
+/** @file
+ Provides data structure information used by SiliconIp TDX
+
+ @copyright
+ Copyright 2020 - 2021 Intel Corporation.
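Review bot: `UINT8 KeySplit; // TDX/MK-TME key split` gives no unit or valid range, yet the MK-TME outputs header in this same patch exposes `MktmeMaxKeys` and `MkTmeKeyIdBits`, which look like the values this knob must be validated against; whether KeySplit is a bit count or a key count, and which of those outputs bounds it, should be stated here so the consumer does not have to guess. A one-line comment would do, e.g. `UINT8 KeySplit; // TDX/MK-TME key split - TODO: state unit and the bound (MktmeMaxKeys or MkTmeKeyIdBits) it must respect`. It is also worth recording whether EnableTdx has any meaning when EnableMktme is clear, since the two knobs live in different headers and nothing in this patch ties them together.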
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+// NAK - Not a knob, used just for indication
+UINT8 TdxCapability; // TDX socket capability
\ No newline at end of file
diff --git a/Silicon/Intel/WhitleySiliconPkg/Security/Include/Guid/SecurityPolicy_Flat.h b/Silicon/Intel/WhitleySiliconPkg/Security/Include/Guid/SecurityPolicy_Flat.h
new file mode 100644
index 0000000000..ba62b8c3ab
--- /dev/null
+++ b/Silicon/Intel/WhitleySiliconPkg/Security/Include/Guid/SecurityPolicy_Flat.h
@@ -0,0 +1,22 @@
+/** @file
+ Provides data structure information used by ServerSecurity features in literally all products
+ Header is flat and injected directly in SecurityPolicy sructuture and SOCKET_PROCESSORCORE_CONFIGURATION.
+
+ @copyright
+ Copyright 2020 - 2021 Intel Corporation.
+
+ SPDX-License-Identifier: BSD-2-Clause-Patent
+**/
+
+ // Header is flat and injected directly in SecurityPolicy sructuture and SOCKET_PROCESSORCORE_CONFIGURATION.
+ // Put common definitons here either directly or via intermediate header file..
+
+// SECURITY_IP_MKTME_1V0 MkTme;
+#include "SecurityIp/SecurityIpMkTme1v0_Inputs.h"
+#include "SecurityIp/SecurityIpMkTme1v0_Outputs.h"
+// SECURITY_IP_SGXTEM_1V0 SgxTem;
+#include "SecurityIp/SecurityIpSgxTem1v0_Inputs.h"
+#include "SecurityIp/SecurityIpSgxTem1v0_Outputs.h"
+// SECURITY_IP_TDX_1V0 Tdx;
+#include "SecurityIp/SecurityIpTdx1v0_Inputs.h"
+#include "SecurityIp/SecurityIpTdx1v0_Outputs.h"
\ No newline at end of file
-- 
2.27.0.windows.1
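Review bot: The three commented-out declarations (`// SECURITY_IP_MKTME_1V0 MkTme;` and its SgxTem and Tdx siblings) read as dead code rather than documentation; if they record the struct each pair of includes would otherwise have been a member of, say so, e.g. `// Members of SECURITY_IP_MKTME_1V0 (MkTme), expanded inline:`. The header comment should also state the constraint that follows from being included from inside two struct bodies: the sub-headers may contain only member declarations and comments, because a typedef, macro or include guard added to any of them would either fail to compile in that position or silently drop the members from the second container. The repeated file comment has typos worth fixing while here: "sructuture" for "structure", "definitons" for "definitions", and the double period in "header file..", and "in literally all products" is more informal than the rest of the package's headers.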