Hi Jian/Hao/Ray Would you please review this patch? We need this feature in next stable tag as planned.
Thank you Yao Jiewen > -----Original Message----- > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Yao, Jiewen > Sent: Thursday, October 31, 2019 8:30 PM > To: devel@edk2.groups.io > Cc: Wang, Jian J <jian.j.w...@intel.com>; Wu, Hao A <hao.a...@intel.com>; > Ni, Ray <ray...@intel.com>; Lou, Yun <yun....@intel.com> > Subject: [edk2-devel] [PATCH V2 4/4] MdeModulePkg/Pci: Add DeviceSecurity > support. > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303 > > Whenever a PCI device is discovered, PCI bus calls the > EDKII_DEVICE_SECURITY_PROTOCOL to authenticate it. > If the function returns success, the PCI bus allocates > the resource and installs the PCI_IO for the device. > If the function returns fail, the PCI bus skips the device. > > It is similar to EFI_SECURITY_ARCH_PROTOCOL, which > is used to verify an EFI image. > > Cc: Jian J Wang <jian.j.w...@intel.com> > Cc: Hao A Wu <hao.a...@intel.com> > Cc: Ray Ni <ray...@intel.com> > Cc: Yun Lou <yun....@intel.com> > Signed-off-by: Jiewen Yao <jiewen....@intel.com> > --- > MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.c | 12 +++- > MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.h | 1 + > MdeModulePkg/Bus/Pci/PciBusDxe/PciBusDxe.inf | 4 +- > MdeModulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c | 63 > +++++++++++++++++++- > MdeModulePkg/Bus/Pci/PciBusDxe/PciLib.c | 4 +- > 5 files changed, 77 insertions(+), 7 deletions(-) > > diff --git a/MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.c > b/MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.c > index b020ce50ce..64284ac825 100644 > --- a/MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.c > +++ b/MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.c > @@ -8,7 +8,7 @@ > PCI Root Bridges. So it means platform needs install PCI Root Bridge IO > protocol for each > PCI Root Bus and install PCI Host Bridge Resource Allocation Protocol. > > -Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR> > +Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR> > SPDX-License-Identifier: BSD-2-Clause-Patent > > **/ > @@ -37,7 +37,7 @@ UINT64 gAllZero > = 0; > EFI_PCI_PLATFORM_PROTOCOL *gPciPlatformProtocol; > EFI_PCI_OVERRIDE_PROTOCOL *gPciOverrideProtocol; > EDKII_IOMMU_PROTOCOL *mIoMmuProtocol; > - > +EDKII_DEVICE_SECURITY_PROTOCOL *mDeviceSecurityProtocol; > > GLOBAL_REMOVE_IF_UNREFERENCED > EFI_PCI_HOTPLUG_REQUEST_PROTOCOL mPciHotPlugRequest = { > PciHotPlugRequestNotify > @@ -293,6 +293,14 @@ PciBusDriverBindingStart ( > ); > } > > + if (mDeviceSecurityProtocol == NULL) { > + gBS->LocateProtocol ( > + &gEdkiiDeviceSecurityProtocolGuid, > + NULL, > + (VOID **) &mDeviceSecurityProtocol > + ); > + } > + > if (PcdGetBool (PcdPciDisableBusEnumeration)) { > gFullEnumeration = FALSE; > } else { > diff --git a/MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.h > b/MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.h > index 504a1b1c12..d4113993c8 100644 > --- a/MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.h > +++ b/MdeModulePkg/Bus/Pci/PciBusDxe/PciBus.h > @@ -27,6 +27,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > #include <Protocol/PciOverride.h> > #include <Protocol/PciEnumerationComplete.h> > #include <Protocol/IoMmu.h> > +#include <Protocol/DeviceSecurity.h> > > #include <Library/DebugLib.h> > #include <Library/UefiDriverEntryPoint.h> > diff --git a/MdeModulePkg/Bus/Pci/PciBusDxe/PciBusDxe.inf > b/MdeModulePkg/Bus/Pci/PciBusDxe/PciBusDxe.inf > index 05c22025b8..9284998f36 100644 > --- a/MdeModulePkg/Bus/Pci/PciBusDxe/PciBusDxe.inf > +++ b/MdeModulePkg/Bus/Pci/PciBusDxe/PciBusDxe.inf > @@ -2,7 +2,7 @@ > # The PCI bus driver will probe all PCI devices and allocate MMIO and IO > space > for these devices. > # Please use PCD feature flag PcdPciBusHotplugDeviceSupport to enable hot > plug supporting. > # > -# Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR> > +# Copyright (c) 2006 - 2019, Intel Corporation. All rights reserved.<BR> > # > # SPDX-License-Identifier: BSD-2-Clause-Patent > # > @@ -90,6 +90,8 @@ > gEfiIncompatiblePciDeviceSupportProtocolGuid ## SOMETIMES_CONSUMES > gEfiLoadFile2ProtocolGuid ## SOMETIMES_PRODUCES > gEdkiiIoMmuProtocolGuid ## SOMETIMES_CONSUMES > + gEdkiiDeviceSecurityProtocolGuid ## SOMETIMES_CONSUMES > + gEdkiiDeviceIdentifierTypePciGuid ## SOMETIMES_CONSUMES > gEfiLoadedImageDevicePathProtocolGuid ## CONSUMES > > [FeaturePcd] > diff --git a/MdeModulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c > b/MdeModulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c > index c7eafff593..df3d1c8fcc 100644 > --- a/MdeModulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c > +++ b/MdeModulePkg/Bus/Pci/PciBusDxe/PciEnumeratorSupport.c > @@ -10,6 +10,7 @@ SPDX-License-Identifier: BSD-2-Clause-Patent > #include "PciBus.h" > > extern CHAR16 *mBarTypeStr[]; > +extern EDKII_DEVICE_SECURITY_PROTOCOL > *mDeviceSecurityProtocol; > > #define OLD_ALIGN 0xFFFFFFFFFFFFFFFFULL > #define EVEN_ALIGN 0xFFFFFFFFFFFFFFFEULL > @@ -2092,9 +2093,10 @@ CreatePciIoDevice ( > IN UINT8 Func > ) > { > - PCI_IO_DEVICE *PciIoDevice; > - EFI_PCI_IO_PROTOCOL *PciIo; > - EFI_STATUS Status; > + PCI_IO_DEVICE *PciIoDevice; > + EFI_PCI_IO_PROTOCOL *PciIo; > + EFI_STATUS Status; > + EDKII_DEVICE_IDENTIFIER DeviceIdentifier; > > PciIoDevice = AllocateZeroPool (sizeof (PCI_IO_DEVICE)); > if (PciIoDevice == NULL) { > @@ -2156,6 +2158,61 @@ CreatePciIoDevice ( > PciIoDevice->IsPciExp = TRUE; > } > > + // > + // Now we can do the authentication check for the device. > + // > + if (mDeviceSecurityProtocol != NULL) { > + // > + // Prepare the parameter > + // > + DeviceIdentifier.Version = EDKII_DEVICE_IDENTIFIER_REVISION; > + CopyGuid (&DeviceIdentifier.DeviceType, > &gEdkiiDeviceIdentifierTypePciGuid); > + DeviceIdentifier.DeviceHandle = NULL; > + Status = gBS->InstallMultipleProtocolInterfaces ( > + &DeviceIdentifier.DeviceHandle, > + &gEfiDevicePathProtocolGuid, > + PciIoDevice->DevicePath, > + &gEdkiiDeviceIdentifierTypePciGuid, > + &PciIoDevice->PciIo, > + NULL > + ); > + if (EFI_ERROR(Status)) { > + if (PciIoDevice->DevicePath != NULL) { > + FreePool (PciIoDevice->DevicePath); > + } > + FreePool (PciIoDevice); > + return NULL; > + } > + > + // > + // Do DeviceAuthentication > + // > + Status = mDeviceSecurityProtocol->DeviceAuthenticate > (mDeviceSecurityProtocol, &DeviceIdentifier); > + // > + // Always uninstall, because they are only for Authentication. > + // No need to check return Status. > + // > + gBS->UninstallMultipleProtocolInterfaces ( > + DeviceIdentifier.DeviceHandle, > + &gEfiDevicePathProtocolGuid, > + PciIoDevice->DevicePath, > + &gEdkiiDeviceIdentifierTypePciGuid, > + &PciIoDevice->PciIo, > + NULL > + ); > + > + // > + // If authentication fails, skip this device. > + // > + if (EFI_ERROR(Status)) { > + if (PciIoDevice->DevicePath != NULL) { > + FreePool (PciIoDevice->DevicePath); > + } > + FreePool (PciIoDevice); > + return NULL; > + } > + } > + > if (PcdGetBool (PcdAriSupport)) { > // > // Check if the device is an ARI device. > diff --git a/MdeModulePkg/Bus/Pci/PciBusDxe/PciLib.c > b/MdeModulePkg/Bus/Pci/PciBusDxe/PciLib.c > index 5b55fb5d3b..72690ab647 100644 > --- a/MdeModulePkg/Bus/Pci/PciBusDxe/PciLib.c > +++ b/MdeModulePkg/Bus/Pci/PciBusDxe/PciLib.c > @@ -1054,7 +1054,9 @@ PciScanBus ( > &PciDevice > ); > > - ASSERT (!EFI_ERROR (Status)); > + if (EFI_ERROR (Status)) { > + continue; > + } > > PciAddress = EFI_PCI_ADDRESS (StartBusNumber, Device, Func, 0); > > -- > 2.19.2.windows.1 > > > -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#50046): https://edk2.groups.io/g/devel/message/50046 Mute This Topic: https://groups.io/mt/43426533/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
