From: Konstantin Kostiuk <kkostiuk@redhat.com>
To: "Yao, Jiewen" <jiewen.yao@intel.com>
Cc: "devel@edk2.groups.io" <devel@edk2.groups.io>,
Yan Vugenfirer <yvugenfi@redhat.com>,
Ard Biesheuvel <ardb+tianocore@kernel.org>,
Gerd Hoffmann <kraxel@redhat.com>
Subject: Re: [edk2-devel] [PATCH 1/2] OvmfPkg: Add VirtHstiDxe driver
Date: Thu, 14 Mar 2024 13:43:12 +0200 [thread overview]
Message-ID: <CAPMcbCqGiuejoXjAY8HFRGUhEMf3gBMPxEOwE-18+ww-qZjXvQ@mail.gmail.com> (raw)
In-Reply-To: <MW4PR11MB587208A82F26B17FEC501DD88C292@MW4PR11MB5872.namprd11.prod.outlook.com>
[-- Attachment #1: Type: text/plain, Size: 8019 bytes --]
On Thu, Mar 14, 2024 at 12:28 PM Yao, Jiewen <jiewen.yao@intel.com> wrote:
> Question: What is the value to provide an *empty* HSTI table?
>
> IMHO, If the goal is to perform some security check, I think we need
> provide a *real* HSTI table.
>
HSTI is very vendor-specific and depends on features that a vendor
supports. Looking at
the HSTI spec a lot of the bits don't make sense for virtual machines. Some
feature depends on
hardware configuration and this check is a dummy in a virtual environment.
So, the main goal is to pass Microsoft SVVP with OVMF+QEMU.
Best Regards,
Konstantin Kostiuk.
>
> Thank you
> Yao, Jiewen
>
> > -----Original Message-----
> > From: Konstantin Kostiuk <kkostiuk@redhat.com>
> > Sent: Thursday, March 14, 2024 6:25 PM
> > To: devel@edk2.groups.io
> > Cc: Yan Vugenfirer <yvugenfi@redhat.com>; Ard Biesheuvel
> > <ardb+tianocore@kernel.org>; Yao, Jiewen <jiewen.yao@intel.com>; Gerd
> > Hoffmann <kraxel@redhat.com>
> > Subject: [PATCH 1/2] OvmfPkg: Add VirtHstiDxe driver
> >
> > The driver provides empty HSTI table.
> >
> > Signed-off-by: Konstantin Kostiuk <kkostiuk@redhat.com>
> > ---
> > OvmfPkg/VirtHstiDxe/VirtHstiDxe.c | 75 +++++++++++++++++++++++++++++
> > OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf | 64 ++++++++++++++++++++++++
> > 2 files changed, 139 insertions(+)
> > create mode 100644 OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
> > create mode 100644 OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
> >
> > diff --git a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
> > b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
> > new file mode 100644
> > index 0000000000..b9ed189f33
> > --- /dev/null
> > +++ b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.c
> > @@ -0,0 +1,75 @@
> > +/** @file
> >
> > + This file contains DXE driver for publishing empty HSTI table
> >
> > +
> >
> > +Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>
> >
> > +Copyright (c) 2024, Red Hat. Inc
> >
> > +
> >
> > +SPDX-License-Identifier: BSD-2-Clause-Patent
> >
> > +
> >
> > +**/
> >
> > +
> >
> > +#include <PiDxe.h>
> >
> > +#include <Library/BaseLib.h>
> >
> > +#include <Library/DebugLib.h>
> >
> > +#include <Library/BaseMemoryLib.h>
> >
> > +#include <Library/MemoryAllocationLib.h>
> >
> > +#include <Library/UefiBootServicesTableLib.h>
> >
> > +#include <Library/UefiLib.h>
> >
> > +#include <IndustryStandard/Hsti.h>
> >
> > +#include <Library/HstiLib.h>
> >
> > +
> >
> > +#define HSTI_PLATFORM_NAME L"Intel(R) 9-Series v1"
> >
> > +#define HSTI_SECURITY_FEATURE_SIZE 1
> >
> > +
> >
> > +ADAPTER_INFO_PLATFORM_SECURITY mHstiBase = {
> >
> > + PLATFORM_SECURITY_VERSION_VNEXTCS,
> >
> > + PLATFORM_SECURITY_ROLE_PLATFORM_REFERENCE,
> >
> > + { HSTI_PLATFORM_NAME },
> >
> > + HSTI_SECURITY_FEATURE_SIZE,
> >
> > +};
> >
> > +
> >
> > +/**
> >
> > + The driver's entry point.
> >
> > +
> >
> > + @param[in] ImageHandle The firmware allocated handle for the EFI
> image.
> >
> > + @param[in] SystemTable A pointer to the EFI System Table.
> >
> > +
> >
> > + @retval EFI_SUCCESS The entry point is executed successfully.
> >
> > + @retval other Some error occurs when executing this entry
> point.
> >
> > +**/
> >
> > +EFI_STATUS
> >
> > +EFIAPI
> >
> > +VirtHstiDxeEntrypoint (
> >
> > + IN EFI_HANDLE ImageHandle,
> >
> > + IN EFI_SYSTEM_TABLE *SystemTable
> >
> > + )
> >
> > +{
> >
> > + EFI_STATUS Status;
> >
> > +
> >
> > + // Allocate memory for HSTI struct
> >
> > + // 3 * sizeof (UINT8) * HSTI_SECURITY_FEATURE_SIZE is for the 3 arrays
> >
> > + // UINT8 SecurityFeaturesRequired[];
> >
> > + // UINT8 SecurityFeaturesImplemented[];
> >
> > + // UINT8 SecurityFeaturesVerified[];
> >
> > + // sizeof (CHAR16) is for the NULL terminator of ErrorString
> >
> > + // CHAR16 ErrorString[]
> >
> > + UINTN HstiSize = sizeof (ADAPTER_INFO_PLATFORM_SECURITY) +
> >
> > + 3 * sizeof (UINT8) * HSTI_SECURITY_FEATURE_SIZE +
> >
> > + sizeof (CHAR16);
> >
> > + VOID *HstiStruct = AllocateZeroPool (HstiSize);
> >
> > +
> >
> > + if (HstiStruct == NULL) {
> >
> > + return EFI_OUT_OF_RESOURCES;
> >
> > + }
> >
> > +
> >
> > + CopyMem (HstiStruct, &mHstiBase, sizeof
> > (ADAPTER_INFO_PLATFORM_SECURITY));
> >
> > +
> >
> > + Status = HstiLibSetTable (HstiStruct, HstiSize);
> >
> > + if (EFI_ERROR (Status)) {
> >
> > + if (Status != EFI_ALREADY_STARTED) {
> >
> > + ASSERT_EFI_ERROR (Status);
> >
> > + }
> >
> > + }
> >
> > +
> >
> > + return EFI_SUCCESS;
> >
> > +}
> >
> > diff --git a/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
> > b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
> > new file mode 100644
> > index 0000000000..270aa60026
> > --- /dev/null
> > +++ b/OvmfPkg/VirtHstiDxe/VirtHstiDxe.inf
> > @@ -0,0 +1,64 @@
> > +## @file
> >
> > +# Component description file for Virt Hsti Driver
> >
> > +#
> >
> > +# Copyright (c) 2017, Intel Corporation. All rights reserved.<BR>
> >
> > +# Copyright (c) Microsoft Corporation.<BR>
> >
> > +# Copyright (c) 2024, Red Hat. Inc
> >
> > +#
> >
> > +# SPDX-License-Identifier: BSD-2-Clause-Patent
> >
> > +#
> >
> > +##
> >
> > +
> >
> > +[Defines]
> >
> > + INF_VERSION = 0x00010005
> >
> > + BASE_NAME = VirtHstiDxe
> >
> > + FILE_GUID = 60740CF3-D428-4500-80E6-04A5798241ED
> >
> > + MODULE_TYPE = DXE_DRIVER
> >
> > + VERSION_STRING = 1.0
> >
> > + ENTRY_POINT = VirtHstiDxeEntrypoint
> >
> > +
> >
> > +################################################################
> > ################
> >
> > +#
> >
> > +# Sources Section - list of files that are required for the build to
> succeed.
> >
> > +#
> >
> > +################################################################
> > ################
> >
> > +
> >
> > +[Sources]
> >
> > + VirtHstiDxe.c
> >
> > +
> >
> > +################################################################
> > ################
> >
> > +#
> >
> > +# Package Dependency Section - list of Package files that are required
> for
> >
> > +# this module.
> >
> > +#
> >
> > +################################################################
> > ################
> >
> > +
> >
> > +[Packages]
> >
> > + MdePkg/MdePkg.dec
> >
> > +
> >
> > +################################################################
> > ################
> >
> > +#
> >
> > +# Library Class Section - list of Library Classes that are required for
> >
> > +# this module.
> >
> > +#
> >
> > +################################################################
> > ################
> >
> > +
> >
> > +[LibraryClasses]
> >
> > + UefiDriverEntryPoint
> >
> > + UefiLib
> >
> > + BaseLib
> >
> > + BaseMemoryLib
> >
> > + MemoryAllocationLib
> >
> > + DebugLib
> >
> > + HstiLib
> >
> > + UefiBootServicesTableLib
> >
> > +
> >
> > +################################################################
> > ################
> >
> > +#
> >
> > +# Protocol C Name Section - list of Protocol and Protocol Notify C Names
> >
> > +# that this module uses or produces.
> >
> > +#
> >
> > +################################################################
> > ################
> >
> > +
> >
> > +[Depex]
> >
> > + TRUE
> >
> > --
> > 2.44.0
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#116860): https://edk2.groups.io/g/devel/message/116860
Mute This Topic: https://groups.io/mt/104923813/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-
[-- Attachment #2: Type: text/html, Size: 11588 bytes --]
next prev parent reply other threads:[~2024-03-18 23:17 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-14 10:24 [edk2-devel] [PATCH 0/2] OvmfPkg: Implement minimal HSTI driver Konstantin Kostiuk
2024-03-14 10:24 ` [edk2-devel] [PATCH 1/2] OvmfPkg: Add VirtHstiDxe driver Konstantin Kostiuk
2024-03-14 10:27 ` Yao, Jiewen
2024-03-14 11:43 ` Konstantin Kostiuk [this message]
2024-03-14 12:05 ` Yao, Jiewen
2024-03-15 11:29 ` Gerd Hoffmann
2024-03-14 10:24 ` [edk2-devel] [PATCH 2/2] OvmfPkg: Add VirtHstiDxe to OVMF firmware build Konstantin Kostiuk
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAPMcbCqGiuejoXjAY8HFRGUhEMf3gBMPxEOwE-18+ww-qZjXvQ@mail.gmail.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox