[edk2-devel] [PATCH 0/2] OvmfPkg: Implement minimal HSTI driver

[edk2-devel] [PATCH 0/2] OvmfPkg: Implement minimal HSTI driver

[Konstantin Kostiuk]

Resolve: https://issues.redhat.com/browse/RHEL-28751

HSTI (Hardware Security Test Interface) table is a requiremnt for
ont test [1] from Microsoft Server Virtualization Validation Program.

HSTI is a UEFI driver that provides a way to query the platform for
the presence of security features. Current implementation does not have
any security checks.

[1] https://learn.microsoft.com/en-us/windows-hardware/test/hlk/testref/13292c6c-a807-4916-80ac-fea6de9af552

Konstantin Kostiuk (2):
  OvmfPkg: Add VirtHstiDxe driver
  OvmfPkg: Add VirtHstiDxe to OVMF firmware build

 OvmfPkg/OvmfPkgIa32.dsc             |  2 +
 OvmfPkg/OvmfPkgIa32.fdf             |  1 +
 OvmfPkg/OvmfPkgIa32X64.dsc          |  2 +
 OvmfPkg/OvmfPkgIa32X64.fdf          |  1 +
 OvmfPkg/OvmfPkgX64.dsc              |  2 +
 OvmfPkg/OvmfPkgX64.fdf              |  1 +
 OvmfPkg/VirtHstiDxe/VirtHstiDxe.c   | 75 +++++++++++++++++++++++++++++
 OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf | 64 ++++++++++++++++++++++++
 8 files changed, 148 insertions(+)
 create mode 100644 OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
 create mode 100644 OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf

--
2.44.0



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#116857): https://edk2.groups.io/g/devel/message/116857
Mute This Topic: https://groups.io/mt/105014742/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-

[edk2-devel] [PATCH 1/2] OvmfPkg: Add VirtHstiDxe driver

[Konstantin Kostiuk]

The driver provides empty HSTI table.

Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
---
 OvmfPkg/VirtHstiDxe/VirtHstiDxe.c   | 75 +++++++++++++++++++++++++++++
 OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf | 64 ++++++++++++++++++++++++
 2 files changed, 139 insertions(+)
 create mode 100644 OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
 create mode 100644 OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf

diff --git a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
new file mode 100644
index 0000000000..b9ed189f33
--- /dev/null
+++ b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
@@ -0,0 +1,75 @@
+/** @file

+  This file contains DXE driver for publishing empty HSTI table

+

+Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>

+Copyright (c) 2024, Red Hat. Inc

+

+SPDX-License-Identifier: BSD-2-Clause-Patent

+

+**/

+

+#include <PiDxe.h>

+#include <Library/BaseLib.h>

+#include <Library/DebugLib.h>

+#include <Library/BaseMemoryLib.h>

+#include <Library/MemoryAllocationLib.h>

+#include <Library/UefiBootServicesTableLib.h>

+#include <Library/UefiLib.h>

+#include <IndustryStandard/Hsti.h>

+#include <Library/HstiLib.h>

+

+#define HSTI_PLATFORM_NAME          L"Intel(R) 9-Series v1"

+#define HSTI_SECURITY_FEATURE_SIZE  1

+

+ADAPTER_INFO_PLATFORM_SECURITY  mHstiBase = {

+  PLATFORM_SECURITY_VERSION_VNEXTCS,

+  PLATFORM_SECURITY_ROLE_PLATFORM_REFERENCE,

+  { HSTI_PLATFORM_NAME },

+  HSTI_SECURITY_FEATURE_SIZE,

+};

+

+/**

+  The driver's entry point.

+

+  @param[in] ImageHandle  The firmware allocated handle for the EFI image.

+  @param[in] SystemTable  A pointer to the EFI System Table.

+

+  @retval EFI_SUCCESS     The entry point is executed successfully.

+  @retval other           Some error occurs when executing this entry point.

+**/

+EFI_STATUS

+EFIAPI

+VirtHstiDxeEntrypoint (

+  IN EFI_HANDLE        ImageHandle,

+  IN EFI_SYSTEM_TABLE  *SystemTable

+  )

+{

+  EFI_STATUS  Status;

+

+  // Allocate memory for HSTI struct

+  // 3 * sizeof (UINT8) * HSTI_SECURITY_FEATURE_SIZE is for the 3 arrays

+  //   UINT8   SecurityFeaturesRequired[];

+  //   UINT8   SecurityFeaturesImplemented[];

+  //   UINT8   SecurityFeaturesVerified[];

+  // sizeof (CHAR16) is for the NULL terminator of ErrorString

+  //   CHAR16 ErrorString[]

+  UINTN  HstiSize = sizeof (ADAPTER_INFO_PLATFORM_SECURITY) +

+                    3 * sizeof (UINT8) * HSTI_SECURITY_FEATURE_SIZE +

+                    sizeof (CHAR16);

+  VOID  *HstiStruct = AllocateZeroPool (HstiSize);

+

+  if (HstiStruct == NULL) {

+    return EFI_OUT_OF_RESOURCES;

+  }

+

+  CopyMem (HstiStruct, &mHstiBase, sizeof (ADAPTER_INFO_PLATFORM_SECURITY));

+

+  Status = HstiLibSetTable (HstiStruct, HstiSize);

+  if (EFI_ERROR (Status)) {

+    if (Status != EFI_ALREADY_STARTED) {

+      ASSERT_EFI_ERROR (Status);

+    }

+  }

+

+  return EFI_SUCCESS;

+}

diff --git a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
new file mode 100644
index 0000000000..270aa60026
--- /dev/null
+++ b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
@@ -0,0 +1,64 @@
+## @file

+#  Component description file for Virt Hsti Driver

+#

+# Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>

+# Copyright (c) Microsoft Corporation.<BR>

+# Copyright (c) 2024, Red Hat. Inc

+#

+# SPDX-License-Identifier: BSD-2-Clause-Patent

+#

+##

+

+[Defines]

+  INF_VERSION                    = 0x00010005

+  BASE_NAME                      = VirtHstiDxe

+  FILE_GUID                      = 60740CF3-D428-4500-80E6-04A5798241ED

+  MODULE_TYPE                    = DXE_DRIVER

+  VERSION_STRING                 = 1.0

+  ENTRY_POINT                    = VirtHstiDxeEntrypoint

+

+################################################################################

+#

+# Sources Section - list of files that are required for the build to succeed.

+#

+################################################################################

+

+[Sources]

+  VirtHstiDxe.c

+

+################################################################################

+#

+# Package Dependency Section - list of Package files that are required for

+#                              this module.

+#

+################################################################################

+

+[Packages]

+  MdePkg/MdePkg.dec

+

+################################################################################

+#

+# Library Class Section - list of Library Classes that are required for

+#                         this module.

+#

+################################################################################

+

+[LibraryClasses]

+  UefiDriverEntryPoint

+  UefiLib

+  BaseLib

+  BaseMemoryLib

+  MemoryAllocationLib

+  DebugLib

+  HstiLib

+  UefiBootServicesTableLib

+

+################################################################################

+#

+# Protocol C Name Section - list of Protocol and Protocol Notify C Names

+#                           that this module uses or produces.

+#

+################################################################################

+

+[Depex]

+  TRUE

-- 
2.44.0



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#116858): https://edk2.groups.io/g/devel/message/116858
Mute This Topic: https://groups.io/mt/105014743/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-

[edk2-devel] [PATCH 2/2] OvmfPkg: Add VirtHstiDxe to OVMF firmware build

[Konstantin Kostiuk]

Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
---
 OvmfPkg/OvmfPkgIa32.dsc    | 2 ++
 OvmfPkg/OvmfPkgIa32.fdf    | 1 +
 OvmfPkg/OvmfPkgIa32X64.dsc | 2 ++
 OvmfPkg/OvmfPkgIa32X64.fdf | 1 +
 OvmfPkg/OvmfPkgX64.dsc     | 2 ++
 OvmfPkg/OvmfPkgX64.fdf     | 1 +
 6 files changed, 9 insertions(+)

diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 28379961a7..371c0b63fe 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -188,6 +188,7 @@
   PeiHardwareInfoLib|OvmfPkg/Library/HardwareInfoLib/PeiHardwareInfoLib.inf

   DxeHardwareInfoLib|OvmfPkg/Library/HardwareInfoLib/DxeHardwareInfoLib.inf

   ImagePropertiesRecordLib|MdeModulePkg/Library/ImagePropertiesRecordLib/ImagePropertiesRecordLib.inf

+  HstiLib|MdePkg/Library/DxeHstiLib/DxeHstiLib.inf

 !if $(SMM_REQUIRE) == FALSE

   LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf

 !endif

@@ -830,6 +831,7 @@
   OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf

   OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf

   OvmfPkg/VirtioGpuDxe/VirtioGpu.inf

+  OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf

 

   #

   # ISA Support

diff --git a/OvmfPkg/OvmfPkgIa32.fdf b/OvmfPkg/OvmfPkgIa32.fdf
index 501b4de469..3fdf4c807f 100644
--- a/OvmfPkg/OvmfPkgIa32.fdf
+++ b/OvmfPkg/OvmfPkgIa32.fdf
@@ -325,6 +325,7 @@ INF  OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf
 INF  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf

 INF  OvmfPkg/PlatformDxe/Platform.inf

 INF  OvmfPkg/IoMmuDxe/IoMmuDxe.inf

+INF  OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf

 

 !if $(SMM_REQUIRE) == TRUE

 INF  OvmfPkg/SmmAccess/SmmAccess2Dxe.inf

diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 5e9eee628a..46fb925025 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -193,6 +193,7 @@
   PeiHardwareInfoLib|OvmfPkg/Library/HardwareInfoLib/PeiHardwareInfoLib.inf

   DxeHardwareInfoLib|OvmfPkg/Library/HardwareInfoLib/DxeHardwareInfoLib.inf

   ImagePropertiesRecordLib|MdeModulePkg/Library/ImagePropertiesRecordLib/ImagePropertiesRecordLib.inf

+  HstiLib|MdePkg/Library/DxeHstiLib/DxeHstiLib.inf

 !if $(SMM_REQUIRE) == FALSE

   LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf

 !endif

@@ -844,6 +845,7 @@
   OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf

   OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf

   OvmfPkg/VirtioGpuDxe/VirtioGpu.inf

+  OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf

 

   #

   # ISA Support

diff --git a/OvmfPkg/OvmfPkgIa32X64.fdf b/OvmfPkg/OvmfPkgIa32X64.fdf
index 74cfb58f06..8f01f9b06a 100644
--- a/OvmfPkg/OvmfPkgIa32X64.fdf
+++ b/OvmfPkg/OvmfPkgIa32X64.fdf
@@ -332,6 +332,7 @@ INF  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
 INF  OvmfPkg/PlatformDxe/Platform.inf

 INF  OvmfPkg/AmdSevDxe/AmdSevDxe.inf

 INF  OvmfPkg/IoMmuDxe/IoMmuDxe.inf

+INF  OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf

 

 !if $(SMM_REQUIRE) == TRUE

 INF  OvmfPkg/SmmAccess/SmmAccess2Dxe.inf

diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index bf4c7906c4..cbdc07fc4d 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -205,6 +205,7 @@
   PeiHardwareInfoLib|OvmfPkg/Library/HardwareInfoLib/PeiHardwareInfoLib.inf

   DxeHardwareInfoLib|OvmfPkg/Library/HardwareInfoLib/DxeHardwareInfoLib.inf

   ImagePropertiesRecordLib|MdeModulePkg/Library/ImagePropertiesRecordLib/ImagePropertiesRecordLib.inf

+  HstiLib|MdePkg/Library/DxeHstiLib/DxeHstiLib.inf

 

 !if $(SMM_REQUIRE) == FALSE

   LockBoxLib|OvmfPkg/Library/LockBoxLib/LockBoxBaseLib.inf

@@ -912,6 +913,7 @@
   OvmfPkg/QemuVideoDxe/QemuVideoDxe.inf

   OvmfPkg/QemuRamfbDxe/QemuRamfbDxe.inf

   OvmfPkg/VirtioGpuDxe/VirtioGpu.inf

+  OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf

 

   #

   # ISA Support

diff --git a/OvmfPkg/OvmfPkgX64.fdf b/OvmfPkg/OvmfPkgX64.fdf
index f47ab1727e..206739a029 100644
--- a/OvmfPkg/OvmfPkgX64.fdf
+++ b/OvmfPkg/OvmfPkgX64.fdf
@@ -359,6 +359,7 @@ INF  OvmfPkg/VirtioGpuDxe/VirtioGpu.inf
 INF  OvmfPkg/PlatformDxe/Platform.inf

 INF  OvmfPkg/AmdSevDxe/AmdSevDxe.inf

 INF  OvmfPkg/IoMmuDxe/IoMmuDxe.inf

+INF  OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf

 

 !if $(SMM_REQUIRE) == TRUE

 INF  OvmfPkg/SmmAccess/SmmAccess2Dxe.inf

-- 
2.44.0



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#116859): https://edk2.groups.io/g/devel/message/116859
Mute This Topic: https://groups.io/mt/105014745/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH 1/2] OvmfPkg: Add VirtHstiDxe driver

[Yao, Jiewen]

Question: What is the value to provide an *empty* HSTI table?

IMHO, If the goal is to perform some security check, I think we need provide a *real* HSTI table.

Thank you
Yao, Jiewen

> -----Original Message-----
> From: Konstantin Kostiuk <kkostiuk@redhat.com>
> Sent: Thursday, March 14, 2024 6:25 PM
> To: devel@edk2.groups.io
> Cc: Yan Vugenfirer <yvugenfi@redhat.com>; Ard Biesheuvel
> <ardb+tianocore@kernel.org>; Yao, Jiewen <jiewen.yao@intel.com>; Gerd
> Hoffmann <kraxel@redhat.com>
> Subject: [PATCH 1/2] OvmfPkg: Add VirtHstiDxe driver
> 
> The driver provides empty HSTI table.
> 
> Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
> ---
>  OvmfPkg/VirtHstiDxe/VirtHstiDxe.c   | 75 +++++++++++++++++++++++++++++
>  OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf | 64 ++++++++++++++++++++++++
>  2 files changed, 139 insertions(+)
>  create mode 100644 OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
>  create mode 100644 OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
> 
> diff --git a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
> b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
> new file mode 100644
> index 0000000000..b9ed189f33
> --- /dev/null
> +++ b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
> @@ -0,0 +1,75 @@
> +/** @file
> 
> +  This file contains DXE driver for publishing empty HSTI table
> 
> +
> 
> +Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>
> 
> +Copyright (c) 2024, Red Hat. Inc
> 
> +
> 
> +SPDX-License-Identifier: BSD-2-Clause-Patent
> 
> +
> 
> +**/
> 
> +
> 
> +#include <PiDxe.h>
> 
> +#include <Library/BaseLib.h>
> 
> +#include <Library/DebugLib.h>
> 
> +#include <Library/BaseMemoryLib.h>
> 
> +#include <Library/MemoryAllocationLib.h>
> 
> +#include <Library/UefiBootServicesTableLib.h>
> 
> +#include <Library/UefiLib.h>
> 
> +#include <IndustryStandard/Hsti.h>
> 
> +#include <Library/HstiLib.h>
> 
> +
> 
> +#define HSTI_PLATFORM_NAME          L"Intel(R) 9-Series v1"
> 
> +#define HSTI_SECURITY_FEATURE_SIZE  1
> 
> +
> 
> +ADAPTER_INFO_PLATFORM_SECURITY  mHstiBase = {
> 
> +  PLATFORM_SECURITY_VERSION_VNEXTCS,
> 
> +  PLATFORM_SECURITY_ROLE_PLATFORM_REFERENCE,
> 
> +  { HSTI_PLATFORM_NAME },
> 
> +  HSTI_SECURITY_FEATURE_SIZE,
> 
> +};
> 
> +
> 
> +/**
> 
> +  The driver's entry point.
> 
> +
> 
> +  @param[in] ImageHandle  The firmware allocated handle for the EFI image.
> 
> +  @param[in] SystemTable  A pointer to the EFI System Table.
> 
> +
> 
> +  @retval EFI_SUCCESS     The entry point is executed successfully.
> 
> +  @retval other           Some error occurs when executing this entry point.
> 
> +**/
> 
> +EFI_STATUS
> 
> +EFIAPI
> 
> +VirtHstiDxeEntrypoint (
> 
> +  IN EFI_HANDLE        ImageHandle,
> 
> +  IN EFI_SYSTEM_TABLE  *SystemTable
> 
> +  )
> 
> +{
> 
> +  EFI_STATUS  Status;
> 
> +
> 
> +  // Allocate memory for HSTI struct
> 
> +  // 3 * sizeof (UINT8) * HSTI_SECURITY_FEATURE_SIZE is for the 3 arrays
> 
> +  //   UINT8   SecurityFeaturesRequired[];
> 
> +  //   UINT8   SecurityFeaturesImplemented[];
> 
> +  //   UINT8   SecurityFeaturesVerified[];
> 
> +  // sizeof (CHAR16) is for the NULL terminator of ErrorString
> 
> +  //   CHAR16 ErrorString[]
> 
> +  UINTN  HstiSize = sizeof (ADAPTER_INFO_PLATFORM_SECURITY) +
> 
> +                    3 * sizeof (UINT8) * HSTI_SECURITY_FEATURE_SIZE +
> 
> +                    sizeof (CHAR16);
> 
> +  VOID  *HstiStruct = AllocateZeroPool (HstiSize);
> 
> +
> 
> +  if (HstiStruct == NULL) {
> 
> +    return EFI_OUT_OF_RESOURCES;
> 
> +  }
> 
> +
> 
> +  CopyMem (HstiStruct, &mHstiBase, sizeof
> (ADAPTER_INFO_PLATFORM_SECURITY));
> 
> +
> 
> +  Status = HstiLibSetTable (HstiStruct, HstiSize);
> 
> +  if (EFI_ERROR (Status)) {
> 
> +    if (Status != EFI_ALREADY_STARTED) {
> 
> +      ASSERT_EFI_ERROR (Status);
> 
> +    }
> 
> +  }
> 
> +
> 
> +  return EFI_SUCCESS;
> 
> +}
> 
> diff --git a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
> b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
> new file mode 100644
> index 0000000000..270aa60026
> --- /dev/null
> +++ b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
> @@ -0,0 +1,64 @@
> +## @file
> 
> +#  Component description file for Virt Hsti Driver
> 
> +#
> 
> +# Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>
> 
> +# Copyright (c) Microsoft Corporation.<BR>
> 
> +# Copyright (c) 2024, Red Hat. Inc
> 
> +#
> 
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
> 
> +#
> 
> +##
> 
> +
> 
> +[Defines]
> 
> +  INF_VERSION                    = 0x00010005
> 
> +  BASE_NAME                      = VirtHstiDxe
> 
> +  FILE_GUID                      = 60740CF3-D428-4500-80E6-04A5798241ED
> 
> +  MODULE_TYPE                    = DXE_DRIVER
> 
> +  VERSION_STRING                 = 1.0
> 
> +  ENTRY_POINT                    = VirtHstiDxeEntrypoint
> 
> +
> 
> +################################################################
> ################
> 
> +#
> 
> +# Sources Section - list of files that are required for the build to succeed.
> 
> +#
> 
> +################################################################
> ################
> 
> +
> 
> +[Sources]
> 
> +  VirtHstiDxe.c
> 
> +
> 
> +################################################################
> ################
> 
> +#
> 
> +# Package Dependency Section - list of Package files that are required for
> 
> +#                              this module.
> 
> +#
> 
> +################################################################
> ################
> 
> +
> 
> +[Packages]
> 
> +  MdePkg/MdePkg.dec
> 
> +
> 
> +################################################################
> ################
> 
> +#
> 
> +# Library Class Section - list of Library Classes that are required for
> 
> +#                         this module.
> 
> +#
> 
> +################################################################
> ################
> 
> +
> 
> +[LibraryClasses]
> 
> +  UefiDriverEntryPoint
> 
> +  UefiLib
> 
> +  BaseLib
> 
> +  BaseMemoryLib
> 
> +  MemoryAllocationLib
> 
> +  DebugLib
> 
> +  HstiLib
> 
> +  UefiBootServicesTableLib
> 
> +
> 
> +################################################################
> ################
> 
> +#
> 
> +# Protocol C Name Section - list of Protocol and Protocol Notify C Names
> 
> +#                           that this module uses or produces.
> 
> +#
> 
> +################################################################
> ################
> 
> +
> 
> +[Depex]
> 
> +  TRUE
> 
> --
> 2.44.0



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#116737): https://edk2.groups.io/g/devel/message/116737
Mute This Topic: https://groups.io/mt/104923813/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH 1/2] OvmfPkg: Add VirtHstiDxe driver

[Konstantin Kostiuk]

[-- Attachment #1: Type: text/plain, Size: 8019 bytes --]

On Thu, Mar 14, 2024 at 12:28 PM Yao, Jiewen <jiewen.yao@intel.com> wrote:

> Question: What is the value to provide an *empty* HSTI table?
>
> IMHO, If the goal is to perform some security check, I think we need
> provide a *real* HSTI table.
>

HSTI is very vendor-specific and depends on features that a vendor
supports. Looking at
the HSTI spec a lot of the bits don't make sense for virtual machines. Some
feature depends on
hardware configuration and this check is a dummy in a virtual environment.

So, the main goal is to pass Microsoft SVVP with OVMF+QEMU.

Best Regards,
Konstantin Kostiuk.


>
> Thank you
> Yao, Jiewen
>
> > -----Original Message-----
> > From: Konstantin Kostiuk <kkostiuk@redhat.com>
> > Sent: Thursday, March 14, 2024 6:25 PM
> > To: devel@edk2.groups.io
> > Cc: Yan Vugenfirer <yvugenfi@redhat.com>; Ard Biesheuvel
> > <ardb+tianocore@kernel.org>; Yao, Jiewen <jiewen.yao@intel.com>; Gerd
> > Hoffmann <kraxel@redhat.com>
> > Subject: [PATCH 1/2] OvmfPkg: Add VirtHstiDxe driver
> >
> > The driver provides empty HSTI table.
> >
> > Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
> > ---
> >  OvmfPkg/VirtHstiDxe/VirtHstiDxe.c   | 75 +++++++++++++++++++++++++++++
> >  OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf | 64 ++++++++++++++++++++++++
> >  2 files changed, 139 insertions(+)
> >  create mode 100644 OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
> >  create mode 100644 OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
> >
> > diff --git a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
> > b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
> > new file mode 100644
> > index 0000000000..b9ed189f33
> > --- /dev/null
> > +++ b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
> > @@ -0,0 +1,75 @@
> > +/** @file
> >
> > +  This file contains DXE driver for publishing empty HSTI table
> >
> > +
> >
> > +Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>
> >
> > +Copyright (c) 2024, Red Hat. Inc
> >
> > +
> >
> > +SPDX-License-Identifier: BSD-2-Clause-Patent
> >
> > +
> >
> > +**/
> >
> > +
> >
> > +#include <PiDxe.h>
> >
> > +#include <Library/BaseLib.h>
> >
> > +#include <Library/DebugLib.h>
> >
> > +#include <Library/BaseMemoryLib.h>
> >
> > +#include <Library/MemoryAllocationLib.h>
> >
> > +#include <Library/UefiBootServicesTableLib.h>
> >
> > +#include <Library/UefiLib.h>
> >
> > +#include <IndustryStandard/Hsti.h>
> >
> > +#include <Library/HstiLib.h>
> >
> > +
> >
> > +#define HSTI_PLATFORM_NAME          L"Intel(R) 9-Series v1"
> >
> > +#define HSTI_SECURITY_FEATURE_SIZE  1
> >
> > +
> >
> > +ADAPTER_INFO_PLATFORM_SECURITY  mHstiBase = {
> >
> > +  PLATFORM_SECURITY_VERSION_VNEXTCS,
> >
> > +  PLATFORM_SECURITY_ROLE_PLATFORM_REFERENCE,
> >
> > +  { HSTI_PLATFORM_NAME },
> >
> > +  HSTI_SECURITY_FEATURE_SIZE,
> >
> > +};
> >
> > +
> >
> > +/**
> >
> > +  The driver's entry point.
> >
> > +
> >
> > +  @param[in] ImageHandle  The firmware allocated handle for the EFI
> image.
> >
> > +  @param[in] SystemTable  A pointer to the EFI System Table.
> >
> > +
> >
> > +  @retval EFI_SUCCESS     The entry point is executed successfully.
> >
> > +  @retval other           Some error occurs when executing this entry
> point.
> >
> > +**/
> >
> > +EFI_STATUS
> >
> > +EFIAPI
> >
> > +VirtHstiDxeEntrypoint (
> >
> > +  IN EFI_HANDLE        ImageHandle,
> >
> > +  IN EFI_SYSTEM_TABLE  *SystemTable
> >
> > +  )
> >
> > +{
> >
> > +  EFI_STATUS  Status;
> >
> > +
> >
> > +  // Allocate memory for HSTI struct
> >
> > +  // 3 * sizeof (UINT8) * HSTI_SECURITY_FEATURE_SIZE is for the 3 arrays
> >
> > +  //   UINT8   SecurityFeaturesRequired[];
> >
> > +  //   UINT8   SecurityFeaturesImplemented[];
> >
> > +  //   UINT8   SecurityFeaturesVerified[];
> >
> > +  // sizeof (CHAR16) is for the NULL terminator of ErrorString
> >
> > +  //   CHAR16 ErrorString[]
> >
> > +  UINTN  HstiSize = sizeof (ADAPTER_INFO_PLATFORM_SECURITY) +
> >
> > +                    3 * sizeof (UINT8) * HSTI_SECURITY_FEATURE_SIZE +
> >
> > +                    sizeof (CHAR16);
> >
> > +  VOID  *HstiStruct = AllocateZeroPool (HstiSize);
> >
> > +
> >
> > +  if (HstiStruct == NULL) {
> >
> > +    return EFI_OUT_OF_RESOURCES;
> >
> > +  }
> >
> > +
> >
> > +  CopyMem (HstiStruct, &mHstiBase, sizeof
> > (ADAPTER_INFO_PLATFORM_SECURITY));
> >
> > +
> >
> > +  Status = HstiLibSetTable (HstiStruct, HstiSize);
> >
> > +  if (EFI_ERROR (Status)) {
> >
> > +    if (Status != EFI_ALREADY_STARTED) {
> >
> > +      ASSERT_EFI_ERROR (Status);
> >
> > +    }
> >
> > +  }
> >
> > +
> >
> > +  return EFI_SUCCESS;
> >
> > +}
> >
> > diff --git a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
> > b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
> > new file mode 100644
> > index 0000000000..270aa60026
> > --- /dev/null
> > +++ b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
> > @@ -0,0 +1,64 @@
> > +## @file
> >
> > +#  Component description file for Virt Hsti Driver
> >
> > +#
> >
> > +# Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>
> >
> > +# Copyright (c) Microsoft Corporation.<BR>
> >
> > +# Copyright (c) 2024, Red Hat. Inc
> >
> > +#
> >
> > +# SPDX-License-Identifier: BSD-2-Clause-Patent
> >
> > +#
> >
> > +##
> >
> > +
> >
> > +[Defines]
> >
> > +  INF_VERSION                    = 0x00010005
> >
> > +  BASE_NAME                      = VirtHstiDxe
> >
> > +  FILE_GUID                      = 60740CF3-D428-4500-80E6-04A5798241ED
> >
> > +  MODULE_TYPE                    = DXE_DRIVER
> >
> > +  VERSION_STRING                 = 1.0
> >
> > +  ENTRY_POINT                    = VirtHstiDxeEntrypoint
> >
> > +
> >
> > +################################################################
> > ################
> >
> > +#
> >
> > +# Sources Section - list of files that are required for the build to
> succeed.
> >
> > +#
> >
> > +################################################################
> > ################
> >
> > +
> >
> > +[Sources]
> >
> > +  VirtHstiDxe.c
> >
> > +
> >
> > +################################################################
> > ################
> >
> > +#
> >
> > +# Package Dependency Section - list of Package files that are required
> for
> >
> > +#                              this module.
> >
> > +#
> >
> > +################################################################
> > ################
> >
> > +
> >
> > +[Packages]
> >
> > +  MdePkg/MdePkg.dec
> >
> > +
> >
> > +################################################################
> > ################
> >
> > +#
> >
> > +# Library Class Section - list of Library Classes that are required for
> >
> > +#                         this module.
> >
> > +#
> >
> > +################################################################
> > ################
> >
> > +
> >
> > +[LibraryClasses]
> >
> > +  UefiDriverEntryPoint
> >
> > +  UefiLib
> >
> > +  BaseLib
> >
> > +  BaseMemoryLib
> >
> > +  MemoryAllocationLib
> >
> > +  DebugLib
> >
> > +  HstiLib
> >
> > +  UefiBootServicesTableLib
> >
> > +
> >
> > +################################################################
> > ################
> >
> > +#
> >
> > +# Protocol C Name Section - list of Protocol and Protocol Notify C Names
> >
> > +#                           that this module uses or produces.
> >
> > +#
> >
> > +################################################################
> > ################
> >
> > +
> >
> > +[Depex]
> >
> > +  TRUE
> >
> > --
> > 2.44.0
>
>


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#116860): https://edk2.groups.io/g/devel/message/116860
Mute This Topic: https://groups.io/mt/104923813/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



[-- Attachment #2: Type: text/html, Size: 11588 bytes --]

Re: [edk2-devel] [PATCH 1/2] OvmfPkg: Add VirtHstiDxe driver

[Yao, Jiewen]

[-- Attachment #1: Type: text/plain, Size: 9110 bytes --]

I agree that not all bits make sense to virtual machine.
However, I do see some bits should be there if we really want to add HSTI to report security propery.

Please take a look at the HSTI spec - https://learn.microsoft.com/en-us/windows-hardware/test/hlk/testref/hardware-security-testability-specification
For example:
Do you use RSA 2048 and SHA256 only (or higher but not lower than this)
Compatibility Support Modules (CSM)
Firmware Code must be present in protected storage
Secure firmware update process
Do you have backdoors to override SecureBoot
Protection from internal and external DMA


Another question: I notice you report platform as “Intel(R) 9-Series v1”.
Is that right configuration for current OVMF?
I think there is some configuration detection, such as https://github.com/tianocore/edk2/blob/master/OvmfPkg/PlatformPei/Platform.c.


All in all, I don’t think it is a right way to provide an *empty* one just to pass the SVVP.
That totally looses the value to having HSTI in the SVVP program.

I recommend we provide a real HSTI based on the OVMF threat model (without and with configuration computing) and current real implementation.

Thank you
Yao, Jiewen


From: Konstantin Kostiuk <kkostiuk@redhat.com>
Sent: Thursday, March 14, 2024 7:43 PM
To: Yao, Jiewen <jiewen.yao@intel.com>
Cc: devel@edk2.groups.io; Yan Vugenfirer <yvugenfi@redhat.com>; Ard Biesheuvel <ardb+tianocore@kernel.org>; Gerd Hoffmann <kraxel@redhat.com>
Subject: Re: [PATCH 1/2] OvmfPkg: Add VirtHstiDxe driver



On Thu, Mar 14, 2024 at 12:28 PM Yao, Jiewen <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>> wrote:
Question: What is the value to provide an *empty* HSTI table?

IMHO, If the goal is to perform some security check, I think we need provide a *real* HSTI table.

HSTI is very vendor-specific and depends on features that a vendor supports. Looking at
the HSTI spec a lot of the bits don't make sense for virtual machines. Some feature depends on
hardware configuration and this check is a dummy in a virtual environment.

So, the main goal is to pass Microsoft SVVP with OVMF+QEMU.

Best Regards,
Konstantin Kostiuk.


Thank you
Yao, Jiewen

> -----Original Message-----
> From: Konstantin Kostiuk <kkostiuk@redhat.com<mailto:kkostiuk@redhat.com>>
> Sent: Thursday, March 14, 2024 6:25 PM
> To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>
> Cc: Yan Vugenfirer <yvugenfi@redhat.com<mailto:yvugenfi@redhat.com>>; Ard Biesheuvel
> <ardb+tianocore@kernel.org<mailto:ardb%2Btianocore@kernel.org>>; Yao, Jiewen <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>; Gerd
> Hoffmann <kraxel@redhat.com<mailto:kraxel@redhat.com>>
> Subject: [PATCH 1/2] OvmfPkg: Add VirtHstiDxe driver
>
> The driver provides empty HSTI table.
>
> Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com<mailto:kkostiuk@redhat.com>>
> ---
>  OvmfPkg/VirtHstiDxe/VirtHstiDxe.c   | 75 +++++++++++++++++++++++++++++
>  OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf | 64 ++++++++++++++++++++++++
>  2 files changed, 139 insertions(+)
>  create mode 100644 OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
>  create mode 100644 OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
>
> diff --git a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
> b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
> new file mode 100644
> index 0000000000..b9ed189f33
> --- /dev/null
> +++ b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
> @@ -0,0 +1,75 @@
> +/** @file
>
> +  This file contains DXE driver for publishing empty HSTI table
>
> +
>
> +Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>
>
> +Copyright (c) 2024, Red Hat. Inc
>
> +
>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +
>
> +**/
>
> +
>
> +#include <PiDxe.h>
>
> +#include <Library/BaseLib.h>
>
> +#include <Library/DebugLib.h>
>
> +#include <Library/BaseMemoryLib.h>
>
> +#include <Library/MemoryAllocationLib.h>
>
> +#include <Library/UefiBootServicesTableLib.h>
>
> +#include <Library/UefiLib.h>
>
> +#include <IndustryStandard/Hsti.h>
>
> +#include <Library/HstiLib.h>
>
> +
>
> +#define HSTI_PLATFORM_NAME          L"Intel(R) 9-Series v1"
>
> +#define HSTI_SECURITY_FEATURE_SIZE  1
>
> +
>
> +ADAPTER_INFO_PLATFORM_SECURITY  mHstiBase = {
>
> +  PLATFORM_SECURITY_VERSION_VNEXTCS,
>
> +  PLATFORM_SECURITY_ROLE_PLATFORM_REFERENCE,
>
> +  { HSTI_PLATFORM_NAME },
>
> +  HSTI_SECURITY_FEATURE_SIZE,
>
> +};
>
> +
>
> +/**
>
> +  The driver's entry point.
>
> +
>
> +  @param[in] ImageHandle  The firmware allocated handle for the EFI image.
>
> +  @param[in] SystemTable  A pointer to the EFI System Table.
>
> +
>
> +  @retval EFI_SUCCESS     The entry point is executed successfully.
>
> +  @retval other           Some error occurs when executing this entry point.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +VirtHstiDxeEntrypoint (
>
> +  IN EFI_HANDLE        ImageHandle,
>
> +  IN EFI_SYSTEM_TABLE  *SystemTable
>
> +  )
>
> +{
>
> +  EFI_STATUS  Status;
>
> +
>
> +  // Allocate memory for HSTI struct
>
> +  // 3 * sizeof (UINT8) * HSTI_SECURITY_FEATURE_SIZE is for the 3 arrays
>
> +  //   UINT8   SecurityFeaturesRequired[];
>
> +  //   UINT8   SecurityFeaturesImplemented[];
>
> +  //   UINT8   SecurityFeaturesVerified[];
>
> +  // sizeof (CHAR16) is for the NULL terminator of ErrorString
>
> +  //   CHAR16 ErrorString[]
>
> +  UINTN  HstiSize = sizeof (ADAPTER_INFO_PLATFORM_SECURITY) +
>
> +                    3 * sizeof (UINT8) * HSTI_SECURITY_FEATURE_SIZE +
>
> +                    sizeof (CHAR16);
>
> +  VOID  *HstiStruct = AllocateZeroPool (HstiSize);
>
> +
>
> +  if (HstiStruct == NULL) {
>
> +    return EFI_OUT_OF_RESOURCES;
>
> +  }
>
> +
>
> +  CopyMem (HstiStruct, &mHstiBase, sizeof
> (ADAPTER_INFO_PLATFORM_SECURITY));
>
> +
>
> +  Status = HstiLibSetTable (HstiStruct, HstiSize);
>
> +  if (EFI_ERROR (Status)) {
>
> +    if (Status != EFI_ALREADY_STARTED) {
>
> +      ASSERT_EFI_ERROR (Status);
>
> +    }
>
> +  }
>
> +
>
> +  return EFI_SUCCESS;
>
> +}
>
> diff --git a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
> b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
> new file mode 100644
> index 0000000000..270aa60026
> --- /dev/null
> +++ b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
> @@ -0,0 +1,64 @@
> +## @file
>
> +#  Component description file for Virt Hsti Driver
>
> +#
>
> +# Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>
>
> +# Copyright (c) Microsoft Corporation.<BR>
>
> +# Copyright (c) 2024, Red Hat. Inc
>
> +#
>
> +# SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +#
>
> +##
>
> +
>
> +[Defines]
>
> +  INF_VERSION                    = 0x00010005
>
> +  BASE_NAME                      = VirtHstiDxe
>
> +  FILE_GUID                      = 60740CF3-D428-4500-80E6-04A5798241ED
>
> +  MODULE_TYPE                    = DXE_DRIVER
>
> +  VERSION_STRING                 = 1.0
>
> +  ENTRY_POINT                    = VirtHstiDxeEntrypoint
>
> +
>
> +################################################################
> ################
>
> +#
>
> +# Sources Section - list of files that are required for the build to succeed.
>
> +#
>
> +################################################################
> ################
>
> +
>
> +[Sources]
>
> +  VirtHstiDxe.c
>
> +
>
> +################################################################
> ################
>
> +#
>
> +# Package Dependency Section - list of Package files that are required for
>
> +#                              this module.
>
> +#
>
> +################################################################
> ################
>
> +
>
> +[Packages]
>
> +  MdePkg/MdePkg.dec
>
> +
>
> +################################################################
> ################
>
> +#
>
> +# Library Class Section - list of Library Classes that are required for
>
> +#                         this module.
>
> +#
>
> +################################################################
> ################
>
> +
>
> +[LibraryClasses]
>
> +  UefiDriverEntryPoint
>
> +  UefiLib
>
> +  BaseLib
>
> +  BaseMemoryLib
>
> +  MemoryAllocationLib
>
> +  DebugLib
>
> +  HstiLib
>
> +  UefiBootServicesTableLib
>
> +
>
> +################################################################
> ################
>
> +#
>
> +# Protocol C Name Section - list of Protocol and Protocol Notify C Names
>
> +#                           that this module uses or produces.
>
> +#
>
> +################################################################
> ################
>
> +
>
> +[Depex]
>
> +  TRUE
>
> --
> 2.44.0


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#116750): https://edk2.groups.io/g/devel/message/116750
Mute This Topic: https://groups.io/mt/104923813/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-



[-- Attachment #2: Type: text/html, Size: 17792 bytes --]

Re: [edk2-devel] [PATCH 1/2] OvmfPkg: Add VirtHstiDxe driver

[Gerd Hoffmann]

On Thu, Mar 14, 2024 at 12:05:28PM +0000, Yao, Jiewen wrote:
> I agree that not all bits make sense to virtual machine.
> However, I do see some bits should be there if we really want to add HSTI to report security propery.

Setting the bits which are obviously correct makes sense indeed.

> Please take a look at the HSTI spec - https://learn.microsoft.com/en-us/windows-hardware/test/hlk/testref/hardware-security-testability-specification
> For example:
> Do you use RSA 2048 and SHA256 only (or higher but not lower than this)

Hmm.  That single line (and the spec doesn't have more) is not very
helpful.  Consider this corner case:

The virtual TPM supported by qemu has banks for sha1, sha256, sha384 and
sha512.  The default configuration created by libvirt enables only the
sha256 bank.  But it's possible to go into the firmware setup and turn
on the sha1 bank too.

How should the HSTI driver handle that?

> Compatibility Support Modules (CSM)

That one is easy, CSM support is gone, we can set it.

> Firmware Code must be present in protected storage

Typically this is the case (ROM or read-only flash), although qemu
does not enforce that the code flash is actually read-only, it can
be configured in writable mode.

Hmm.

> Secure firmware update process

IMHO doesn't apply to virtual machines.  Firmware updates are usually
handled by updating the images on the host machine, that is very
different from a physical machine.  All the questions about key handling
do not make any sense.

> Do you have backdoors to override SecureBoot

No (you can only turn it off altogether).  I think we can set this (in
secure boot enabled builds).

Use "FeaturePcdGet (PcdSecureBootSupported)" to figure whenever a given
build supports secure boot or not.

> Protection from internal and external DMA

I don't think qemu supports DMA access to NV (aka flash) storage.
Is that good enough to set that bit?

> Another question: I notice you report platform as “Intel(R) 9-Series v1”.
> Is that right configuration for current OVMF?

Probably refers to q35 (aka INTEL_Q35_MCH_DEVICE_ID).

> I think there is some configuration detection, such as https://github.com/tianocore/edk2/blob/master/OvmfPkg/PlatformPei/Platform.c.

Looking at PlatformInfoHob->HostBridgeDevId and setting the name
accordingly makes sense indeed.

take care,
  Gerd



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#116813): https://edk2.groups.io/g/devel/message/116813
Mute This Topic: https://groups.io/mt/104923813/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-