Reviewed-by: Ray Ni <ray...@intel.com> > -----Original Message----- > From: Yao, Jiewen <jiewen....@intel.com> > Sent: Thursday, November 7, 2019 9:39 PM > To: devel@edk2.groups.io > Cc: Ni, Ray <ray...@intel.com>; Chaganty, Rangasai V > <rangasai.v.chaga...@intel.com>; Lou, Yun <yun....@intel.com> > Subject: [PATCH V3 5/6] IntelSiliconPkg/SamplePlatformDevicePolicyDxe: > Add sample policy. > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2303 > > This driver provides the platform sample policy to measure a NVMe card. > > Cc: Ray Ni <ray...@intel.com> > Cc: Rangasai V Chaganty <rangasai.v.chaga...@intel.com> > Cc: Yun Lou <yun....@intel.com> > Signed-off-by: Jiewen Yao <jiewen....@intel.com> > --- > .../SamplePlatformDevicePolicyDxe.c | 204 ++++++++++++++++++ > .../SamplePlatformDevicePolicyDxe.inf | 40 ++++ > 2 files changed, 244 insertions(+) > create mode 100644 > Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePoli > cyDxe/SamplePlatformDevicePolicyDxe.c > create mode 100644 > Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDevicePoli > cyDxe/SamplePlatformDevicePolicyDxe.inf > > diff --git > a/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDeviceP > olicyDxe/SamplePlatformDevicePolicyDxe.c > b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDeviceP > olicyDxe/SamplePlatformDevicePolicyDxe.c > new file mode 100644 > index 0000000000..5b0897d6af > --- /dev/null > +++ b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformD > +++ evicePolicyDxe/SamplePlatformDevicePolicyDxe.c > @@ -0,0 +1,204 @@ > +/** @file > + EDKII Device Security library for PCI device > + > +Copyright (c) 2019, Intel Corporation. All rights reserved.<BR> > +SPDX-License-Identifier: BSD-2-Clause-Patent > + > +**/ > + > +#include <Uefi.h> > +#include <IndustryStandard/Spdm.h> > +#include <IndustryStandard/Pci.h> > +#include <Protocol/PciIo.h> > +#include <Protocol/DeviceSecurity.h> > +#include <Protocol/PlatformDeviceSecurityPolicy.h> > +#include <Library/DebugLib.h> > +#include <Library/BaseMemoryLib.h> > +#include <Library/UefiBootServicesTableLib.h> > +#include <Library/MemoryAllocationLib.h> > + > +EDKII_DEVICE_SECURITY_POLICY mDeviceSecurityPolicyNone = { > + EDKII_DEVICE_SECURITY_POLICY_REVISION, > + 0, > + 0, > +}; > +EDKII_DEVICE_SECURITY_POLICY mDeviceSecurityPolicyMeasurement > = { > + EDKII_DEVICE_SECURITY_POLICY_REVISION, > + EDKII_DEVICE_MEASUREMENT_REQUIRED, > + 0, > +}; > + > +/** > + This function returns the device security policy associated with the > device. > + > + The device security driver may call this interface to get the > + platform policy for the specific device and determine if the > + measurement or authentication is required. > + > + @param[in] This The protocol instance pointer. > + @param[in] DeviceId The Identifier for the device. > + @param[out] DeviceSecurityPolicy The Device Security Policy associated > with the device. > + > + @retval EFI_SUCCESS The device security policy is returned > + @retval EFI_UNSUPPORTED The function is unsupported for the > specific Device. > +**/ > +EFI_STATUS > +EFIAPI > +GetDevicePolicy ( > + IN EDKII_DEVICE_SECURITY_POLICY_PROTOCOL *This, > + IN EDKII_DEVICE_IDENTIFIER *DeviceId, > + OUT EDKII_DEVICE_SECURITY_POLICY *DeviceSecurityPolicy > + ) > +{ > + EFI_STATUS Status; > + EFI_PCI_IO_PROTOCOL *PciIo; > + UINT16 PciVendorId; > + UINT16 PciDeviceId; > + > + CopyMem (DeviceSecurityPolicy, &mDeviceSecurityPolicyNone, > + sizeof(EDKII_DEVICE_SECURITY_POLICY)); > + > + DEBUG ((DEBUG_INFO, "GetDevicePolicy - 0x%g\n", > + &DeviceId->DeviceType)); > + > + if (!CompareGuid (&DeviceId->DeviceType, > &gEdkiiDeviceIdentifierTypePciGuid)) { > + return EFI_SUCCESS; > + } > + > + Status = gBS->HandleProtocol ( > + DeviceId->DeviceHandle, > + &gEdkiiDeviceIdentifierTypePciGuid, > + (VOID **)&PciIo > + ); > + if (EFI_ERROR(Status)) { > + DEBUG ((DEBUG_ERROR, "Locate - DeviceIdentifierTypePci - %r\n", > Status)); > + return EFI_SUCCESS; > + } > + > + Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, > + PCI_VENDOR_ID_OFFSET, 1, &PciVendorId); ASSERT_EFI_ERROR(Status); > + Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, > + PCI_DEVICE_ID_OFFSET, 1, &PciDeviceId); ASSERT_EFI_ERROR(Status); > + DEBUG ((DEBUG_INFO, "PCI Info - %04x:%04x\n", PciVendorId, > + PciDeviceId)); > + > + if ((PciVendorId == 0x8086) && (PciDeviceId == 0x0B60)) { > + CopyMem (DeviceSecurityPolicy, &mDeviceSecurityPolicyMeasurement, > + sizeof(EDKII_DEVICE_SECURITY_POLICY)); > + } > + > + return EFI_SUCCESS; > +} > + > +/** > + This function sets the device state based upon the authentication result. > + > + The device security driver may call this interface to give the > + platform a notify based upon the measurement or authentication result. > + If the authentication or measurement fails, the platform may choose: > + 1) Do nothing. > + 2) Disable this device or slot temporarily and continue boot. > + 3) Reset the platform and retry again. > + 4) Disable this device or slot permanently. > + 5) Any other platform specific action. > + > + @param[in] This The protocol instance pointer. > + @param[in] DeviceId The Identifier for the device. > + @param[in] DeviceSecurityState The Device Security state associated > with the device. > + > + @retval EFI_SUCCESS The device state is set > + @retval EFI_UNSUPPORTED The function is unsupported for the > specific Device. > +**/ > +EFI_STATUS > +EFIAPI > +NotifyDeviceState ( > + IN EDKII_DEVICE_SECURITY_POLICY_PROTOCOL *This, > + IN EDKII_DEVICE_IDENTIFIER *DeviceId, > + IN EDKII_DEVICE_SECURITY_STATE *DeviceSecurityState > + ) > +{ > + EFI_STATUS Status; > + EFI_PCI_IO_PROTOCOL *PciIo; > + UINT16 PciVendorId; > + UINT16 PciDeviceId; > + UINTN Segment; > + UINTN Bus; > + UINTN Device; > + UINTN Function; > + > + DEBUG ((DEBUG_INFO, "NotifyDeviceState - 0x%g\n", > + &DeviceId->DeviceType)); > + > + if (!CompareGuid (&DeviceId->DeviceType, > &gEdkiiDeviceIdentifierTypePciGuid)) { > + return EFI_SUCCESS; > + } > + > + Status = gBS->HandleProtocol ( > + DeviceId->DeviceHandle, > + &gEdkiiDeviceIdentifierTypePciGuid, > + (VOID **)&PciIo > + ); > + if (EFI_ERROR(Status)) { > + DEBUG ((DEBUG_ERROR, "Locate - DeviceIdentifierTypePci - %r\n", > Status)); > + return EFI_SUCCESS; > + } > + > + Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, > + PCI_VENDOR_ID_OFFSET, 1, &PciVendorId); ASSERT_EFI_ERROR(Status); > + Status = PciIo->Pci.Read (PciIo, EfiPciIoWidthUint16, > + PCI_DEVICE_ID_OFFSET, 1, &PciDeviceId); ASSERT_EFI_ERROR(Status); > + DEBUG ((DEBUG_INFO, "PCI Info - %04x:%04x\n", PciVendorId, > + PciDeviceId)); > + > + Status = PciIo->GetLocation ( > + PciIo, > + &Segment, > + &Bus, > + &Device, > + &Function > + ); > + if (!EFI_ERROR(Status)) { > + DEBUG ((DEBUG_INFO, "PCI Loc - %04x:%02x:%02x:%02x\n", > + Segment, Bus, Device, Function)); } > + > + DEBUG ((DEBUG_INFO, "State - Measurement - 0x%08x, Authentication - > 0x%08x\n", > + DeviceSecurityState->MeasurementState, > + DeviceSecurityState->AuthenticationState > + )); > + > + return EFI_SUCCESS; > +} > + > +EDKII_DEVICE_SECURITY_POLICY_PROTOCOL mDeviceSecurityPolicy = { > + EDKII_DEVICE_SECURITY_POLICY_PROTOCOL_REVISION, > + GetDevicePolicy, > + NotifyDeviceState, > +}; > + > +/** > + Entrypoint of the device security driver. > + > + @param[in] ImageHandle ImageHandle of the loaded driver @param[in] > + SystemTable Pointer to the System Table > + > + @retval EFI_SUCCESS The Protocol is installed. > + @retval EFI_OUT_OF_RESOURCES Not enough resources available to > initialize driver. > + @retval EFI_DEVICE_ERROR A device error occurred attempting to > initialize the driver. > + > +**/ > +EFI_STATUS > +EFIAPI > +MainEntryPoint ( > + IN EFI_HANDLE ImageHandle, > + IN EFI_SYSTEM_TABLE *SystemTable > + ) > +{ > + EFI_HANDLE Handle; > + EFI_STATUS Status; > + > + Handle = NULL; > + Status = gBS->InstallProtocolInterface ( > + &Handle, > + &gEdkiiDeviceSecurityPolicyProtocolGuid, > + EFI_NATIVE_INTERFACE, > + &mDeviceSecurityPolicy > + ); > + ASSERT_EFI_ERROR(Status); > + > + return Status; > +} > diff --git > a/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDeviceP > olicyDxe/SamplePlatformDevicePolicyDxe.inf > b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformDeviceP > olicyDxe/SamplePlatformDevicePolicyDxe.inf > new file mode 100644 > index 0000000000..a9b77d8371 > --- /dev/null > +++ b/Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/SamplePlatformD > +++ evicePolicyDxe/SamplePlatformDevicePolicyDxe.inf > @@ -0,0 +1,40 @@ > +## @file > +# EDKII Device Security library for PCI device # # Copyright (c) 2019, > +Intel Corporation. All rights reserved.<BR> # SPDX-License-Identifier: > +BSD-2-Clause-Patent # ## > + > +[Defines] > + INF_VERSION = 0x00010005 > + BASE_NAME = SamplePlatformDevicePolicyDxe > + FILE_GUID = 7EA7AACF-7ED3-4166-8271-B21156523620 > + MODULE_TYPE = DXE_DRIVER > + VERSION_STRING = 1.0 > + ENTRY_POINT = MainEntryPoint > + > +[Sources] > + SamplePlatformDevicePolicyDxe.c > + > +[Packages] > + MdePkg/MdePkg.dec > + MdeModulePkg/MdeModulePkg.dec > + IntelSiliconPkg/IntelSiliconPkg.dec > + > +[LibraryClasses] > + UefiRuntimeServicesTableLib > + UefiBootServicesTableLib > + UefiDriverEntryPoint > + MemoryAllocationLib > + DevicePathLib > + BaseMemoryLib > + PrintLib > + DebugLib > + > +[Protocols] > + gEdkiiDeviceSecurityPolicyProtocolGuid ## PRODUCES > + gEdkiiDeviceIdentifierTypePciGuid ## COMSUMES > + > +[Depex] > + TRUE > -- > 2.19.2.windows.1
-=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#50333): https://edk2.groups.io/g/devel/message/50333 Mute This Topic: https://groups.io/mt/46028057/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
