From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) by mx.groups.io with SMTP id smtpd.web09.5898.1573190064874736244 for ; Thu, 07 Nov 2019 21:14:25 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: intel.com, ip: 134.134.136.31, mailfrom: jiewen.yao@intel.com) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga001.jf.intel.com ([10.7.209.18]) by orsmga104.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Nov 2019 21:14:24 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.68,280,1569308400"; d="scan'208";a="286203846" Received: from fmsmsx104.amr.corp.intel.com ([10.18.124.202]) by orsmga001.jf.intel.com with ESMTP; 07 Nov 2019 21:14:24 -0800 Received: from FMSMSX109.amr.corp.intel.com (10.18.116.9) by fmsmsx104.amr.corp.intel.com (10.18.124.202) with Microsoft SMTP Server (TLS) id 14.3.439.0; Thu, 7 Nov 2019 21:14:23 -0800 Received: from shsmsx107.ccr.corp.intel.com (10.239.4.96) by fmsmsx109.amr.corp.intel.com (10.18.116.9) with Microsoft SMTP Server (TLS) id 14.3.439.0; Thu, 7 Nov 2019 21:14:23 -0800 Received: from shsmsx102.ccr.corp.intel.com ([169.254.2.108]) by SHSMSX107.ccr.corp.intel.com ([169.254.9.63]) with mapi id 14.03.0439.000; Fri, 8 Nov 2019 13:14:21 +0800 From: "Yao, Jiewen" To: "Javeed, Ashraf" , "devel@edk2.groups.io" Subject: Re: [edk2-devel] [PATCH V3 0/6] Add Device Security driver Thread-Topic: [edk2-devel] [PATCH V3 0/6] Add Device Security driver Thread-Index: AQHVlXC4GZw4C0QwJEGo4z7q0b2rOaeArFYQgAAPLjA= Date: Fri, 8 Nov 2019 05:14:20 +0000 Message-ID: <74D8A39837DF1E4DA445A8C0B3885C503F84464D@shsmsx102.ccr.corp.intel.com> References: <20191107133831.22412-1-jiewen.yao@intel.com> <95C5C2B113DE604FB208120C742E9824579098B2@BGSMSX101.gar.corp.intel.com> In-Reply-To: <95C5C2B113DE604FB208120C742E9824579098B2@BGSMSX101.gar.corp.intel.com> Accept-Language: zh-CN, en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiNmQ4NGE1YjUtZjQzZC00YjA5LTlmZTItNWM5M2U5M2UzMDBjIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoiSU5PRElEWklUN0tpZGNEV0J2VXVJcG1rZE8xM2E5QUZZcmpzVTNJbFUra0o4d0pXSkFUZUk4WEhUclBvQlRzVSJ9 x-ctpclassification: CTP_NT dlp-product: dlpe-windows dlp-version: 11.2.0.6 dlp-reaction: no-action x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Return-Path: jiewen.yao@intel.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Right. I have put them to edk2-platforms\Silicon\Intel\IntelSiliconPkg\Feat= ure\PcieSecurity. Similar to Capsule, SmmAccess, VTd. Thank you Yao Jiewen > -----Original Message----- > From: Javeed, Ashraf > Sent: Friday, November 8, 2019 12:23 PM > To: devel@edk2.groups.io; Yao, Jiewen > Subject: RE: [edk2-devel] [PATCH V3 0/6] Add Device Security driver >=20 > Jiewen, > It could be better to organize your PcieSecurity driver stack under a co= mmon > "Pci" folder; like under the following path: > "Intel/IntelSiliconPkg/Feature/Pci" >=20 > Thanks > Ashraf >=20 > > -----Original Message----- > > From: devel@edk2.groups.io On Behalf Of Yao, > Jiewen > > Sent: Thursday, November 7, 2019 7:08 PM > > To: devel@edk2.groups.io > > Subject: [edk2-devel] [PATCH V3 0/6] Add Device Security driver > > > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D2303 > > > > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D V3 =3D=3D=3D=3D=3D=3D=3D= = =3D=3D=3D=3D=3D=3D=3D=3D > > > > The V3 version addresses the feedback below: > > > > Liming Gao: > > 1. Add SPDM spec version and align to latest one 0.99a. > > > > Rangasai Chaganty: > > 1. put a reference to the spec at the file header, for Intel PCI secur= ity spec. > > 2. add some high level description above the structure definition that > > describes the structure. > > 3. on the services "GetDevicePolicy" and "SetDeviceState", Add more er= ror > > return states > > > > Ray Ni: > > 1. add comments to each field of structures like > > EDKII_DEVICE_SECURITY_POLICY > > and EDKII_DEVICE_SECURITY_STATE. > > 2. add comments to all the macros defined in this patch to explain the= meaning > > and more important how they are going to impact the logic. > > 3. make the macro short > > EDKII_DEVICE_MEASUREMENT_POLICY_REQUIRED -> > > EDKII_DEVICE_MEASUREMENT_REQUIRED > > EDKII_DEVICE_AUTHENTICATION_POLICY_REQUIRED -> > > EDKII_DEVICE_AUTHENTICATION_REQUIRED > > 4. rename the SetDeviceState to NotifyDeviceState. > > 5. add comments to explain clearly what SetDeviceState() needs to do. > > 6. change the prototype so that caller needs to pass in a policy struc= ture and > > GetDevicePolicy() fills the structure buffer using CopyMem. > > 7. add the version macro for > > EDKII_DEVICE_SECURITY_POLICY_PROTOCOL.Version, > > securitypolicy.version and securitystate.version. > > 8. add clear debug information for DvSec capability header. > > > > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D V2 =3D=3D=3D=3D=3D=3D=3D= = =3D=3D=3D=3D=3D=3D=3D=3D > > > > This patch series add support for device security based upon the DMTF = SPDM > > specification. > > > https://www.dmtf.org/sites/default/files/standards/documents/DSP0274_0.9= 5a > > .zip > > > > We did design review at 18 Oct, 2019. > > https://edk2.groups.io/g/devel/files/Designs/2019/1018 > > And the feedback from the meeting is addressed. > > https://edk2.groups.io/g/devel/files/Designs/2019/1018/EDKII- > > Device%20Firmware%20Security%20v2.pdf > > > > The Device security protocol is added in EDKII repo. > > Here we add the producer what follows Intel PCI security spec to do th= e device > > firmware measurement. > > https://www.intel.com/content/www/us/en/io/pci-express/pcie-device- > > security-enhancements-spec.html > > > > The EDKII repo update is at > > https://github.com/jyao1/edk2/tree/DeviceSecurityMasterV2 > > The EDKII platform repo update is at https://github.com/jyao1/edk2- > > platforms/tree/DeviceSecurityMasterV2 > > > > The validation has been done on a Intel internal platform. > > The device measurement can be shown in TCG event log. > > > > signed-off-by: Jiewen Yao > > > > Jiewen Yao (6): > > IntelSiliconPkg/Include: Add Intel PciSecurity definition. > > IntelSiliconPkg/Include: Add Platform Device Security Policy protoco= l > > IntelSiliconPkg/dec: Add ProtocolGuid definition. > > IntelSiliconPkg/IntelPciDeviceSecurityDxe: Add PciSecurity. > > IntelSiliconPkg/SamplePlatformDevicePolicyDxe: Add sample policy. > > IntelSiliconPkg/dsc: Add Device Security component. > > > > .../IntelPciDeviceSecurityDxe.c | 697 +++++++++++++++++= + > > .../IntelPciDeviceSecurityDxe.inf | 45 ++ > > .../TcgDeviceEvent.h | 178 +++++ > > .../SamplePlatformDevicePolicyDxe.c | 204 +++++ > > .../SamplePlatformDevicePolicyDxe.inf | 40 + > > .../IndustryStandard/IntelPciSecurity.h | 92 +++ > > .../Protocol/PlatformDeviceSecurityPolicy.h | 128 ++++ > > .../Intel/IntelSiliconPkg/IntelSiliconPkg.dec | 4 + > > .../Intel/IntelSiliconPkg/IntelSiliconPkg.dsc | 3 + > > 9 files changed, 1391 insertions(+) > > create mode 100644 > > > Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurit= yDxe/Int > > elPciDeviceSecurityDxe.c > > create mode 100644 > > > Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurit= yDxe/Int > > elPciDeviceSecurityDxe.inf > > create mode 100644 > > > Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurit= yDxe/Tcg > > DeviceEvent.h > > create mode 100644 > > > Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDeviceP= olicyD > > xe/SamplePlatformDevicePolicyDxe.c > > create mode 100644 > > > Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDeviceP= olicyD > > xe/SamplePlatformDevicePolicyDxe.inf > > create mode 100644 > > Silicon/Intel/IntelSiliconPkg/Include/IndustryStandard/IntelPciSecurit= y.h > > create mode 100644 > > Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecurityP= olicy.h > > > > -- > > 2.19.2.windows.1 > > > > > >=20