From: "Javeed, Ashraf"
To: "Yao, Jiewen", "devel@edk2.groups.io"
Subject: Re: [edk2-devel] [PATCH V3 0/6] Add Device Security driver
Date: Fri, 8 Nov 2019 10:25:25 +0000
Message-ID: <95C5C2B113DE604FB208120C742E9824579099E8@BGSMSX101.gar.corp.intel.com>
In-Reply-To: <74D8A39837DF1E4DA445A8C0B3885C503F84464D@shsmsx102.ccr.corp.intel.com>

True, thought PCI is a vast topic, could be many more sample drivers in
future, thus having under one "Pci" folder would be better. I know this is
your third version already, and I could have reviewed it earlier and made
this point. No issues now, could be moved in future.

Regards
Ashraf

> -----Original Message-----
> From: Yao, Jiewen
> Sent: Friday, November 8, 2019 10:44 AM
> To: Javeed, Ashraf; devel@edk2.groups.io
> Subject: RE: [edk2-devel] [PATCH V3 0/6] Add Device Security driver
>
> Right. I have put them to
> edk2-platforms\Silicon\Intel\IntelSiliconPkg\Feature\PcieSecurity.
> Similar to Capsule, SmmAccess, VTd.
>
> Thank you
> Yao Jiewen
>
> > -----Original Message-----
> > From: Javeed, Ashraf
> > Sent: Friday, November 8, 2019 12:23 PM
> > To: devel@edk2.groups.io; Yao, Jiewen
> > Subject: RE: [edk2-devel] [PATCH V3 0/6] Add Device Security driver
> >
> > Jiewen,
> > It could be better to organize your PcieSecurity driver stack under a
> > common "Pci" folder; like under the following path:
> > "Intel/IntelSiliconPkg/Feature/Pci"
> >
> > Thanks
> > Ashraf
> >
> > > -----Original Message-----
> > > From: devel@edk2.groups.io On Behalf Of Yao, Jiewen
> > > Sent: Thursday, November 7, 2019 7:08 PM
> > > To: devel@edk2.groups.io
> > > Subject: [edk2-devel] [PATCH V3 0/6] Add Device Security driver
> > >
> > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303
> > >
> > > =============== V3 ===============
> > >
> > > The V3 version addresses the feedback below:
> > >
> > > Liming Gao:
> > > 1. Add SPDM spec version and align to latest one 0.99a.
> > >
> > > Rangasai Chaganty:
> > > 1. put a reference to the spec at the file header, for Intel PCI security spec.
> > > 2. add some high level description above the structure definition that
> > >    describes the structure.
> > > 3. on the services "GetDevicePolicy" and "SetDeviceState", Add more error
> > >    return states
> > >
> > > Ray Ni:
> > > 1. add comments to each field of structures like
> > >    EDKII_DEVICE_SECURITY_POLICY
> > >    and EDKII_DEVICE_SECURITY_STATE.
> > > 2. add comments to all the macros defined in this patch to explain the meaning
> > >    and more important how they are going to impact the logic.
> > > 3. make the macro short
> > >    EDKII_DEVICE_MEASUREMENT_POLICY_REQUIRED -> EDKII_DEVICE_MEASUREMENT_REQUIRED
> > >    EDKII_DEVICE_AUTHENTICATION_POLICY_REQUIRED -> EDKII_DEVICE_AUTHENTICATION_REQUIRED
> > > 4. rename the SetDeviceState to NotifyDeviceState.
> > > 5. add comments to explain clearly what SetDeviceState() needs to do.
> > > 6. change the prototype so that caller needs to pass in a policy structure and
> > >    GetDevicePolicy() fills the structure buffer using CopyMem.
> > > 7. add the version macro for
> > >    EDKII_DEVICE_SECURITY_POLICY_PROTOCOL.Version,
> > >    securitypolicy.version and securitystate.version.
> > > 8. add clear debug information for DvSec capability header.
> > >
> > > =============== V2 ===============
> > >
> > > This patch series adds support for device security based upon the
> > > DMTF SPDM specification.
> > > https://www.dmtf.org/sites/default/files/standards/documents/DSP0274_0.95a.zip
> > >
> > > We did design review at 18 Oct, 2019.
> > > https://edk2.groups.io/g/devel/files/Designs/2019/1018
> > > And the feedback from the meeting is addressed.
> > > https://edk2.groups.io/g/devel/files/Designs/2019/1018/EDKII-Device%20Firmware%20Security%20v2.pdf
> > >
> > > The Device security protocol is added in EDKII repo.
> > > Here we add the producer that follows Intel PCI security spec to do
> > > the device firmware measurement.
> > > https://www.intel.com/content/www/us/en/io/pci-express/pcie-device-security-enhancements-spec.html
> > >
> > > The EDKII repo update is at
> > > https://github.com/jyao1/edk2/tree/DeviceSecurityMasterV2
> > > The EDKII platform repo update is at
> > > https://github.com/jyao1/edk2-platforms/tree/DeviceSecurityMasterV2
> > >
> > > The validation has been done on an Intel internal platform.
> > > The device measurement can be shown in TCG event log.
> > >
> > > signed-off-by: Jiewen Yao
> > >
> > > Jiewen Yao (6):
> > >   IntelSiliconPkg/Include: Add Intel PciSecurity definition.
> > >   IntelSiliconPkg/Include: Add Platform Device Security Policy protocol
> > >   IntelSiliconPkg/dec: Add ProtocolGuid definition.
> > >   IntelSiliconPkg/IntelPciDeviceSecurityDxe: Add PciSecurity.
> > >   IntelSiliconPkg/SamplePlatformDevicePolicyDxe: Add sample policy.
> > >   IntelSiliconPkg/dsc: Add Device Security component.
> > >
> > >  .../IntelPciDeviceSecurityDxe.c               | 697 ++++++++++++++++++
> > >  .../IntelPciDeviceSecurityDxe.inf             |  45 ++
> > >  .../TcgDeviceEvent.h                          | 178 +++++
> > >  .../SamplePlatformDevicePolicyDxe.c           | 204 +++++
> > >  .../SamplePlatformDevicePolicyDxe.inf         |  40 +
> > >  .../IndustryStandard/IntelPciSecurity.h       |  92 +++
> > >  .../Protocol/PlatformDeviceSecurityPolicy.h   | 128 ++++
> > >  .../Intel/IntelSiliconPkg/IntelSiliconPkg.dec |   4 +
> > >  .../Intel/IntelSiliconPkg/IntelSiliconPkg.dsc |   3 +
> > >  9 files changed, 1391 insertions(+)
> > >  create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/IntelPciDeviceSecurityDxe.c
> > >  create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/IntelPciDeviceSecurityDxe.inf
> > >  create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/TcgDeviceEvent.h
> > >  create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/SamplePlatformDevicePolicyDxe.c
> > >  create mode 100644 Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePolicyDxe/SamplePlatformDevicePolicyDxe.inf
> > >  create mode 100644 Silicon/Intel/IntelSiliconPkg/Include/IndustryStandard/IntelPciSecurity.h
> > >  create mode 100644 Silicon/Intel/IntelSiliconPkg/Include/Protocol/PlatformDeviceSecurityPolicy.h
> > >
> > > --
> > > 2.19.2.windows.1