public inbox for devel@edk2.groups.io
* [edk2-devel] mDeviceSecurityProtocol with SPDM
@ 2024-06-11  5:42 Alistair Francis
  2024-06-12  5:10 ` Andrew Fish via groups.io
  0 siblings, 1 reply; 2+ messages in thread
From: Alistair Francis @ 2024-06-11  5:42 UTC (permalink / raw)
  To: devel; +Cc: zhiqiang.zhao, qi1.zhang, Yao, Jiewen, wenxing.hou

Hello,

I'm trying to use SPDM over DOE as an EDKII_DEVICE_SECURITY_PROTOCOL
implementation.

I'm using the DeviceSecurity fork from staging, with my own DOE
implementation [5].

First I load `DeviceSecurityPolicyStub` [1], which consumes
`gEdkiiDeviceIdentifierTypePciGuid` and produces
`gEdkiiDeviceSecurityPolicyProtocolGuid`.

Then I am loading `SpdmDeviceSecurityDxe` [2], which consumes
`gEdkiiDeviceSecurityPolicyProtocolGuid` and produces
`gEdkiiDeviceSecurityProtocolGuid`.

At which point I think the `gEdkiiDeviceSecurityProtocolGuid` should
work in PciBus [3]. Except the problem is that the PCIe bus is already
probed as `DeviceSecurityPolicyStub` consumes
`gEdkiiDeviceIdentifierTypePciGuid`. So I get stuck in a circular
loop.

Does anyone know how I can re-probe the `PciBusDxe` or somehow avoid
the circular dependency?

Or asking another way, is there a way to call the
`AuthenticatePciDevice()` [4] function after probing a PCIe device and
determining that the PCIe device supports DOE and SPDM? I don't see
any users of `gEfiDevicePathProtocolGuid` in upstream EDK2.

1: https://github.com/tianocore/edk2-staging/blob/DeviceSecurity/DeviceSecurityTestPkg/Test/DeviceSecurityPolicyStub/DeviceSecurityPolicyStub.inf#L36
2: https://github.com/tianocore/edk2-staging/blob/DeviceSecurity/DeviceSecurityTestPkg/SpdmDeviceSecurityDxe/SpdmDeviceSecurityDxe.inf#L56
3: https://github.com/tianocore/edk2-staging/blob/DeviceSecurity/MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.c#L299
4: https://github.com/tianocore/edk2-staging/blob/DeviceSecurity/MdeModulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c#L2085
5: https://github.com/tianocore/edk2/pull/5715

PS: This is the second mail, the first didn't make it to the list

Alistair


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#119556): https://edk2.groups.io/g/devel/message/119556
Mute This Topic: https://groups.io/mt/106627087/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-




* Re: [edk2-devel] mDeviceSecurityProtocol with SPDM
  2024-06-11  5:42 [edk2-devel] mDeviceSecurityProtocol with SPDM Alistair Francis
@ 2024-06-12  5:10 ` Andrew Fish via groups.io
  0 siblings, 0 replies; 2+ messages in thread
From: Andrew Fish via groups.io @ 2024-06-12  5:10 UTC (permalink / raw)
  To: edk2-devel-groups-io, alistair23
  Cc: zhiqiang.zhao, qi1.zhang, Yao, Jiewen, Wenxing Hou




> On Jun 10, 2024, at 10:42 PM, Alistair Francis <alistair23@gmail.com> wrote:
> 
> Hello,
> 
> I'm trying to use SPDM over DOE as an EDKII_DEVICE_SECURITY_PROTOCOL
> implementation.
> 
> I'm using the DeviceSecurity fork from staging, with my own DOE
> implementation [5].
> 
> First I load `DeviceSecurityPolicyStub` [1], which consumes
> `gEdkiiDeviceIdentifierTypePciGuid` and produces
> `gEdkiiDeviceSecurityPolicyProtocolGuid`.
> 
> Then I am loading `SpdmDeviceSecurityDxe` [2], which consumes
> `gEdkiiDeviceSecurityPolicyProtocolGuid` and produces
> `gEdkiiDeviceSecurityProtocolGuid`.
> 
> At which point I think the `gEdkiiDeviceSecurityProtocolGuid` should
> work in PciBus [3]. Except the problem is that the PCIe bus is already
> probed as `DeviceSecurityPolicyStub` consumes
> `gEdkiiDeviceIdentifierTypePciGuid`. So I get stuck in a circular
> loop.
> 
> Does anyone know how I can re-probe the `PciBusDxe` or somehow avoid
> the circular dependency?
> 
> Or asking another way, is there a way to call the
> `AuthenticatePciDevice()` [4] function after probing a PCIe device and
> determining that the PCIe device supports DOE and SPDM? I don't see
> any users of `gEfiDevicePathProtocolGuid` in upstream EDK2.
> 

The gEfiDevicePathProtocolGuid is just a distributed namespace that is created by a UEFI bus driver as it enumerates. The bus driver inherits the Device Path of the parent (does not care what it looks like) and appends a Device Path node for the handle the bus driver is creating to represent the device. So it is basically just the name of the device. It came about since we needed to be able to make NVRAM Variables that pointed at hardware devices, so the hardware devices needed names that identified the devices even if the system got reconfigured. 

So for example when the PCI Bus driver enumerates PCI devices it will create child handles and add a PCI Device Path [1] node. This node contains the PCI Dev and Func. It does not contain the bus as that could change based on a configuration change. The PCI bus driver will start enumerating at the root (some device path that represents the chipset) and then you enumerate the 1st level (bus 0) devices; if that device is a PCI to PCI bridge then it will have children with its own set of devices and functions. So you can recurse down, and if someone inserts a card and you reset the system the route is the same, but the assigned bus numbers change. For PCI there is not much reason to consume the gEfiDevicePathProtocolGuid, as the EFI_PCI_IO_PROTOCOL [2] that the bus driver will install on the same handle as the Device Path has all the info contained in the Device Path, and much more.

[1] https://uefi.org/specs/UEFI/2.10/10_Protocols_Device_Path_Protocol.html#pci-device-path
[2] https://uefi.org/specs/UEFI/2.10/14_Protocols_PCI_Bus_Support.html#efi-pci-i-o-protocol

> 1: https://github.com/tianocore/edk2-staging/blob/DeviceSecurity/DeviceSecurityTestPkg/Test/DeviceSecurityPolicyStub/DeviceSecurityPolicyStub.inf#L36
> 2: https://github.com/tianocore/edk2-staging/blob/DeviceSecurity/DeviceSecurityTestPkg/SpdmDeviceSecurityDxe/SpdmDeviceSecurityDxe.inf#L56
> 3: https://github.com/tianocore/edk2-staging/blob/DeviceSecurity/MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.c#L299
> 4: https://github.com/tianocore/edk2-staging/blob/DeviceSecurity/MdeModulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c#L2085
> 5: https://github.com/tianocore/edk2/pull/5715
> 
> PS: This is the second mail, the first didn't make it to the list
> 

Alistair,

If you are not subscribed to the mailing list your mail gets stuck in a manual moderation bucket. So when it looks like the mail did not make it, you are just in with the people trying to sell lights for chickens, and all the people from around the world trying to sell mailing lists of people who attended random conferences we have never gone to.

Thanks,

Andrew Fish

> Alistair
> 
> 
> 
> 
> 
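
Added example, not part of either message and not EDK2 code: a bounds-checked walk over a raw device path that extracts the PCI nodes described in the reply above. Each node carries only Device and Function, so the recovered route does not depend on assigned bus numbers. `pci_route`, `SAMPLE_PATH` and its bytes are constructed for illustration; the node type and sub-type values follow the UEFI Device Path Protocol chapter linked in the reply.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Node header per the UEFI spec: Type, SubType, 16-bit little-endian Length. */
#define DP_HARDWARE 0x01 /* Hardware Device Path type */
#define DP_HW_PCI   0x01 /* PCI sub-type; payload is Function, then Device */
#define DP_END      0x7F /* End of Hardware Device Path type */
/* Write the path's PCI hops to out as "Pci(dev,func)/..."; return the hop count,
   or -1 if a Length field is inconsistent, End is missing, or out is too small. */
int pci_route(const uint8_t *dp, size_t len, char *out, size_t outlen)
{
    size_t off = 0, used = 0;
    int hops = 0;
    if (outlen == 0) return -1;
    out[0] = '\0';
    while (len - off >= 4) {
        uint8_t type = dp[off], sub = dp[off + 1];
        size_t nlen = (size_t)dp[off + 2] | ((size_t)dp[off + 3] << 8);
        if (nlen < 4 || nlen > len - off) return -1; /* bad Length field */
        if (type == DP_END) return hops;             /* terminator reached */
        if (type == DP_HARDWARE && sub == DP_HW_PCI) {
            if (nlen != 6) return -1;                /* a PCI node is 6 bytes */
            int n = snprintf(out + used, outlen - used, "%sPci(0x%X,0x%X)",
                hops ? "/" : "", (unsigned)dp[off + 5], (unsigned)dp[off + 4]);
            if (n < 0 || (size_t)n >= outlen - used) return -1;
            used += (size_t)n;
            hops++;
        }
        off += nlen;
    }
    return -1; /* ran out of bytes without an End node */
}

/* Constructed sample: PciRoot(0x0)/Pci(0x1C,0x0)/Pci(0x0,0x0) */
static const uint8_t SAMPLE_PATH[] = {
    0x02, 0x01, 0x0C, 0x00, 0xD0, 0x41, 0x03, 0x0A, 0, 0, 0, 0, /* ACPI root */
    0x01, 0x01, 0x06, 0x00, 0x00, 0x1C, /* Function 0, Device 0x1C (bridge) */
    0x01, 0x01, 0x06, 0x00, 0x00, 0x00, /* Function 0, Device 0 (endpoint) */
    0x7F, 0xFF, 0x04, 0x00              /* End Entire Device Path */
};

int main(void)
{
    char text[64];
    int hops = pci_route(SAMPLE_PATH, sizeof SAMPLE_PATH, text, sizeof text);
    printf("%d hops: %s\n", hops, text);
    return (hops == 2 && strcmp(text, "Pci(0x1C,0x0)/Pci(0x0,0x0)") == 0) ? 0 : 1;
}
```
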





