From: "Yao, Jiewen"
To: "devel@edk2.groups.io", "Yao, Jiewen"
Subject: Re: [edk2-devel] [PATCH V3 0/6] Add Device Security driver
Date: Thu, 7 Nov 2019 13:41:44 +0000

I forgot to mention that this patch is also pushed to git:

The EDKII repo update is at https://github.com/jyao1/edk2/tree/DeviceSecurityMasterV3
The EDKII platform repo update is at https://github.com/jyao1/edk2-platforms/tree/DeviceSecurityMasterV3

> -----Original Message-----
> From: devel@edk2.groups.io On Behalf Of Yao, Jiewen
> Sent: Thursday, November 7, 2019 9:38 PM
> To: devel@edk2.groups.io
> Subject: [edk2-devel] [PATCH V3 0/6] Add Device Security driver
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303
>
> =============== V3 ===============
>
> The V3 version addresses the feedback below:
>
> Liming Gao:
> 1. Add SPDM spec version and align to latest one 0.99a.
>
> Rangasai Chaganty:
> 1. put a reference to the spec at the file header, for Intel PCI security spec.
> 2. add some high level description above the structure definition that
>    describes the structure.
> 3. on the services "GetDevicePolicy" and "SetDeviceState", Add more error
>    return states
>
> Ray Ni:
> 1. add comments to each field of structures like EDKII_DEVICE_SECURITY_POLICY
>    and EDKII_DEVICE_SECURITY_STATE.
> 2. add comments to all the macros defined in this patch to explain the meaning
>    and, more importantly, how they are going to impact the logic.
> 3. make the macro short
>    EDKII_DEVICE_MEASUREMENT_POLICY_REQUIRED ->
>    EDKII_DEVICE_MEASUREMENT_REQUIRED
>    EDKII_DEVICE_AUTHENTICATION_POLICY_REQUIRED ->
>    EDKII_DEVICE_AUTHENTICATION_REQUIRED
> 4. rename the SetDeviceState to NotifyDeviceState.
> 5. add comments to explain clearly what SetDeviceState() needs to do.
> 6. change the prototype so that caller needs to pass in a policy structure and
>    GetDevicePolicy() fills the structure buffer using CopyMem.
> 7. add the version macro for EDKII_DEVICE_SECURITY_POLICY_PROTOCOL.Version,
>    securitypolicy.version and securitystate.version.
> 8. add clear debug information for DvSec capability header.
>
> =============== V2 ===============
>
> This patch series adds support for device security based
> upon the DMTF SPDM specification.
> https://www.dmtf.org/sites/default/files/standards/documents/DSP0274_0.95a.zip
>
> We did a design review on 18 Oct, 2019.
> https://edk2.groups.io/g/devel/files/Designs/2019/1018
> And the feedback from the meeting is addressed.
> https://edk2.groups.io/g/devel/files/Designs/2019/1018/EDKII-Device%20Firmware%20Security%20v2.pdf
>
> The Device security protocol is added in EDKII repo.
> Here we add the producer that follows Intel PCI security spec
> to do the device firmware measurement.
> https://www.intel.com/content/www/us/en/io/pci-express/pcie-device-security-enhancements-spec.html
>
> The EDKII repo update is at
> https://github.com/jyao1/edk2/tree/DeviceSecurityMasterV2
> The EDKII platform repo update is at
> https://github.com/jyao1/edk2-platforms/tree/DeviceSecurityMasterV2
>
> The validation has been done on an Intel internal platform.
> The device measurement can be shown in TCG event log.
>
> signed-off-by: Jiewen Yao
>
> Jiewen Yao (6):
>   IntelSiliconPkg/Include: Add Intel PciSecurity definition.
>   IntelSiliconPkg/Include: Add Platform Device Security Policy protocol
>   IntelSiliconPkg/dec: Add ProtocolGuid definition.
>   IntelSiliconPkg/IntelPciDeviceSecurityDxe: Add PciSecurity.
>   IntelSiliconPkg/SamplePlatformDevicePolicyDxe: Add sample policy.
>   IntelSiliconPkg/dsc: Add Device Security component.
>
>  .../IntelPciDeviceSecurityDxe.c               | 697 ++++++++++++++++++
>  .../IntelPciDeviceSecurityDxe.inf             |  45 ++
>  .../TcgDeviceEvent.h                          | 178 +++++
>  .../SamplePlatformDevicePolicyDxe.c           | 204 +++++
>  .../SamplePlatformDevicePolicyDxe.inf         |  40 +
>  .../IndustryStandard/IntelPciSecurity.h       |  92 +++
>  .../Protocol/PlatformDeviceSecurityPolicy.h   | 128 ++++
>  .../Intel/IntelSiliconPkg/IntelSiliconPkg.dec |   4 +
>  .../Intel/IntelSiliconPkg/IntelSiliconPkg.dsc |   3 +
>  9 files changed, 1391 insertions(+)
>  create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/IntelPciDeviceSecurityDxe.c
>  create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/IntelPciDeviceSecurityDxe.inf
>  create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/TcgDeviceEvent.h
>  create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/SamplePlatformDevicePolicyDxe.c
>  create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/SamplePlatformDevicePolicyDxe.inf
>  create mode 100644 Silicon/Intel/IntelSiliconPkg/Include/IndustryStandard/IntelPciSecurity.h
>  create mode 100644 Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecurityPolicy.h
>
> --
> 2.19.2.windows.1