From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) by mx.groups.io with SMTP id smtpd.web10.7336.1654754625219451717 for ; Wed, 08 Jun 2022 23:03:46 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="unable to parse pub key" header.i=@intel.com header.s=intel header.b=LJXiF2LD; spf=pass (domain: intel.com, ip: 192.55.52.43, mailfrom: judah.vang@intel.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1654754625; x=1686290625; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=IVXSiuFkSh1f84cV3vLZR7rQbrNGIb+vPmzIqKDRErg=; b=LJXiF2LD7GwXMsQxSAj3fsapUYpNK3IE/U1vDDN+x3lv8IKKrgoGaYat 2/bXK+OCJkKvnn17bTNe9dyi+ZxMUcn/bMcQxxoNCyxoscr4CCI1LCjii b4Buill5vWk2Mxwo56Ix2qKBnqJlXP+WVhYoJUEvGKFr5mKAs82B3Rr3P 1u7oFIvYvankOq2Hy8jwUUwqA4jNM2o6hwycGCO1+IC5/3M+Gir6M+tOz aS6noIt1apr90sCdmujZNb5FHtolFqzLGF5X9xaSrqmscMGaK68UtOaY4 eUq1Ftlri9wDyRZDAHUTG1c0xj4nrhN6d6liqbmOkbs3TSNgC+mdtFtDh Q==; X-IronPort-AV: E=McAfee;i="6400,9594,10372"; a="363487899" X-IronPort-AV: E=Sophos;i="5.91,287,1647327600"; d="scan'208";a="363487899" Received: from orsmga002.jf.intel.com ([10.7.209.21]) by fmsmga105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 08 Jun 2022 23:03:43 -0700 X-IronPort-AV: E=Sophos;i="5.91,287,1647327600"; d="scan'208";a="566239797" Received: from jvang-mobl.amr.corp.intel.com ([10.209.91.16]) by orsmga002-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 08 Jun 2022 23:03:42 -0700 From: "Judah Vang" To: devel@edk2.groups.io Cc: Jian J Wang , Jiewen Yao , Nishant C Mistry Subject: [PATCH v3 02/28] SecurityPkg: Add new GUIDs for Date: Wed, 8 Jun 2022 23:02:56 -0700 Message-Id: <20220609060322.3491-3-judah.vang@intel.com> X-Mailer: git-send-email 2.35.1.windows.2 In-Reply-To: <20220609060322.3491-1-judah.vang@intel.com> References: <20220609060322.3491-1-judah.vang@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594 The gEdkiiProtectedVariableGlobalGuid HOB contains the global configuration data structure which is verified in PEI Phase. The gEdkiiMetaDataHmacVariableGuid is used for saving the meta data HMAC variable. The gEdkiiProtectedVariableContextGuid contains the Protected Variable context saved in PEI phase to be used later. Cc: Jian J Wang Cc: Jiewen Yao Cc: Nishant C Mistry Signed-off-by: Jian J Wang Signed-off-by: Nishant C Mistry Signed-off-by: Judah Vang --- SecurityPkg/SecurityPkg.dec | 43 +++++++++++++++++++- 1 file changed, 42 insertions(+), 1 deletion(-) diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index 0ee75efc1a97..fc690d874eed 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -5,7 +5,7 @@ # It also provides the definitions(including PPIs/PROTOCOLs/GUIDs and library classes) # and libraries instances, which are used for those features. # -# Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.
+# Copyright (c) 2009 - 2022, Intel Corporation. All rights reserved.
# (C) Copyright 2015 Hewlett Packard Enterprise Development LP
# Copyright (c) Microsoft Corporation.
# SPDX-License-Identifier: BSD-2-Clause-Patent @@ -221,6 +221,18 @@ [Guids] ## GUID used to specify section with default dbt content gDefaultdbtFileGuid = { 0x36c513ee, 0xa338, 0x4976, { 0xa0, 0xfb, 0x6d, 0xdb, 0xa3, 0xda, 0xfe, 0x87 } } + ## Include/Guid/ProtectedVariable.h + # {8EBF379A-F18E-4728-A410-00CF9A65BE91} + gEdkiiProtectedVariableGlobalGuid = { 0x8ebf379a, 0xf18e, 0x4728, { 0xa4, 0x10, 0x0, 0xcf, 0x9a, 0x65, 0xbe, 0x91 } } + + ## Include/Guid/ProtectedVariable.h + # {e3e890ad-5b67-466e-904f-94ca7e9376bb} + gEdkiiMetaDataHmacVariableGuid = {0xe3e890ad, 0x5b67, 0x466e, {0x90, 0x4f, 0x94, 0xca, 0x7e, 0x93, 0x76, 0xbb}} + + ## Include/Guid/ProtectedVariable.h + # {a11a3652-875b-495a-b097-200917580b98} + gEdkiiProtectedVariableContextGuid = {0xa11a3652, 0x875b, 0x495a, {0xb0, 0x97, 0x20, 0x09, 0x17, 0x58, 0x0b, 0x98} } + [Ppis] ## The PPI GUID for that TPM physical presence should be locked. # Include/Ppi/LockPhysicalPresence.h @@ -246,6 +258,10 @@ [Ppis] ## Include/Ppi/Tcg.h gEdkiiTcgPpiGuid = {0x57a13b87, 0x133d, 0x4bf3, { 0xbf, 0xf1, 0x1b, 0xca, 0xc7, 0x17, 0x6c, 0xf1 } } + ## Key Service Ppi + # Include/Ppi/KeyServicePpi.h + gKeyServicePpiGuid = {0x583592f6, 0xEC34, 0x4CED, {0x8E, 0x81, 0xC8, 0xD1, 0x36, 0x93, 0x04, 0x27}} + # # [Error.gEfiSecurityPkgTokenSpaceGuid] # 0x80000001 | Invalid value provided. @@ -329,6 +345,31 @@ [PcdsFixedAtBuild, PcdsPatchableInModule] gEfiSecurityPkgTokenSpaceGuid.PcdCpuRngSupportedAlgorithm|{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}|VOID*|0x00010032 + ## Progress Code for variable integrity check result.

+ # DEFAULT: (EFI_PERIPHERAL_FIXED_MEDIA | [EFI_STATUS&0xFF]) + # @Prompt Status Code for variable integiry check result + gEfiSecurityPkgTokenSpaceGuid.PcdStatusCodeVariableIntegrity|0x01070000|UINT32|0x00010033 + + ## Null-terminated Unicode string of the Platform Variable Name + # @Prompt known unprotected variable name + gEfiSecurityPkgTokenSpaceGuid.PcdPlatformVariableName|L""|VOID*|0x00010034 + + ## Guid name to identify Platform Variable Guid + # @Prompt known unprotected variable guid + gEfiSecurityPkgTokenSpaceGuid.PcdPlatformVariableGuid|{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }|VOID*|0x00010035 + + ## Defines Protected Variable Integrity support. + # TRUE - Enable Protected Variable Integrity.
+ # FALSE - Disable Protected Variable Integrity.
+ # @Prompt Protected Variable Integrity support. + gEfiSecurityPkgTokenSpaceGuid.PcdProtectedVariableIntegrity|FALSE|BOOLEAN|0x00010036 + + ## Defines Protected Variable Confidentiality support. + # TRUE - Enable Protected Variable Confidentiality.
+ # FALSE - Disable Protected Variable Confidentiality.
+ # @Prompt Protected Variable Integrity support. + gEfiSecurityPkgTokenSpaceGuid.PcdProtectedVariableConfidentiality|FALSE|BOOLEAN|0x00010037 + [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx] ## Image verification policy for OptionRom. Only following values are valid:

# NOTE: Do NOT use 0x5 and 0x2 since it violates the UEFI specification and has been removed.
-- 2.35.1.windows.2