SecurityPkg: add DeviceSecurity support
This patch implement the SpdmSecurityLib, which is the core of DeviceSecurity. And the SpdmSecurityLib include Device Authentication and Measurement. The other library is to support SpdmSecurityLib. Cc: Jiewen Yao <jiewen.yao@intel.com> Signed-off-by: Wenxing Hou <wenxing.hou@intel.com> Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
This commit is contained in:
		
				
					committed by
					
						![mergify[bot]](/avatar/e3df20cd7a67969c41a65f03bea54961?size=40) mergify[bot]
						mergify[bot]
					
				
			
			
				
	
			
			
			
						parent
						
							c3f615a1bd
						
					
				
				
					commit
					750d763623
				
			
							
								
								
									
										133
									
								
								SecurityPkg/Include/Protocol/DeviceSecurityPolicy.h
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										133
									
								
								SecurityPkg/Include/Protocol/DeviceSecurityPolicy.h
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,133 @@ | ||||
| /** @file | ||||
|   Platform Device Security Policy Protocol definition | ||||
|  | ||||
|   Copyright (c) 2024, Intel Corporation. All rights reserved.<BR> | ||||
|   SPDX-License-Identifier: BSD-2-Clause-Patent | ||||
|  | ||||
| **/ | ||||
|  | ||||
| #ifndef EDKII_DEVICE_SECURITY_POLICY_PROTOCOL_H_ | ||||
| #define EDKII_DEVICE_SECURITY_POLICY_PROTOCOL_H_ | ||||
|  | ||||
| #include <Uefi.h> | ||||
| #include <Protocol/DeviceSecurity.h> | ||||
|  | ||||
| typedef struct _EDKII_DEVICE_SECURITY_POLICY_PROTOCOL EDKII_DEVICE_SECURITY_POLICY_PROTOCOL; | ||||
|  | ||||
| // | ||||
| // Revision The revision to which the DEVICE_SECURITY_POLICY protocol interface adheres. | ||||
| //          All future revisions must be backwards compatible. | ||||
| //          If a future version is not back wards compatible it is not the same GUID. | ||||
| // | ||||
| #define EDKII_DEVICE_SECURITY_POLICY_PROTOCOL_REVISION  0x00010000 | ||||
|  | ||||
| // | ||||
| // Revision The revision to which the DEVICE_SECURITY_POLICY structure adheres. | ||||
| //          All future revisions must be backwards compatible. | ||||
| // | ||||
| #define EDKII_DEVICE_SECURITY_POLICY_REVISION  0x00010000 | ||||
|  | ||||
| /// | ||||
| /// The macro for the policy defined in EDKII_DEVICE_SECURITY_POLICY | ||||
| /// | ||||
| #define EDKII_DEVICE_MEASUREMENT_REQUIRED     BIT0 | ||||
| #define EDKII_DEVICE_AUTHENTICATION_REQUIRED  BIT0 | ||||
|  | ||||
| /// | ||||
| /// The device security policy data structure | ||||
| /// | ||||
| typedef struct { | ||||
|   UINT32    Revision; | ||||
|   UINT32    MeasurementPolicy; | ||||
|   UINT32    AuthenticationPolicy; | ||||
| } EDKII_DEVICE_SECURITY_POLICY; | ||||
|  | ||||
| // | ||||
| // Revision The revision to which the DEVICE_SECURITY_STATE structure adheres. | ||||
| //          All future revisions must be backwards compatible. | ||||
| // | ||||
| #define EDKII_DEVICE_SECURITY_STATE_REVISION  0x00010000 | ||||
|  | ||||
| /// | ||||
| /// The macro for the state defined in EDKII_DEVICE_SECURITY_STATE | ||||
| /// | ||||
| #define EDKII_DEVICE_SECURITY_STATE_SUCCESS                         0 | ||||
| #define EDKII_DEVICE_SECURITY_STATE_ERROR                           BIT31 | ||||
| #define EDKII_DEVICE_SECURITY_STATE_ERROR_UEFI_UNSUPPORTED          (EDKII_DEVICE_SECURITY_STATE_ERROR + 0x0) | ||||
| #define EDKII_DEVICE_SECURITY_STATE_ERROR_UEFI_GET_POLICY_PROTOCOL  (EDKII_DEVICE_SECURITY_STATE_ERROR + 0x1) | ||||
| #define EDKII_DEVICE_SECURITY_STATE_ERROR_UEFI_OUT_OF_RESOURCE      (EDKII_DEVICE_SECURITY_STATE_ERROR + 0x2) | ||||
| #define EDKII_DEVICE_SECURITY_STATE_ERROR_DEVICE_NO_CAPABILITIES    (EDKII_DEVICE_SECURITY_STATE_ERROR + 0x10) | ||||
| #define EDKII_DEVICE_SECURITY_STATE_ERROR_DEVICE_ERROR              (EDKII_DEVICE_SECURITY_STATE_ERROR + 0x11) | ||||
| #define EDKII_DEVICE_SECURITY_STATE_ERROR_TCG_EXTEND_TPM_PCR        (EDKII_DEVICE_SECURITY_STATE_ERROR + 0x20) | ||||
| #define EDKII_DEVICE_SECURITY_STATE_ERROR_MEASUREMENT_AUTH_FAILURE  (EDKII_DEVICE_SECURITY_STATE_ERROR + 0x21) | ||||
| #define EDKII_DEVICE_SECURITY_STATE_ERROR_CHALLENGE_FAILURE         (EDKII_DEVICE_SECURITY_STATE_ERROR + 0x30) | ||||
| #define EDKII_DEVICE_SECURITY_STATE_ERROR_CERTIFIACTE_FAILURE       (EDKII_DEVICE_SECURITY_STATE_ERROR + 0x31) | ||||
| #define EDKII_DEVICE_SECURITY_STATE_ERROR_NO_CERT_PROVISION         (EDKII_DEVICE_SECURITY_STATE_ERROR + 0x32) | ||||
|  | ||||
| /// | ||||
| /// The device security state data structure | ||||
| /// | ||||
| typedef struct { | ||||
|   UINT32    Revision; | ||||
|   UINT32    MeasurementState; | ||||
|   UINT32    AuthenticationState; | ||||
| } EDKII_DEVICE_SECURITY_STATE; | ||||
|  | ||||
| /** | ||||
|   This function returns the device security policy associated with the device. | ||||
|  | ||||
|   The device security driver may call this interface to get the platform policy | ||||
|   for the specific device and determine if the measurement or authentication | ||||
|   is required. | ||||
|  | ||||
|   @param[in]  This                   The protocol instance pointer. | ||||
|   @param[in]  DeviceId               The Identifier for the device. | ||||
|   @param[out] DeviceSecurityPolicy   The Device Security Policy associated with the device. | ||||
|  | ||||
|   @retval EFI_SUCCESS                The device security policy is returned | ||||
|   @retval EFI_UNSUPPORTED            The function is unsupported for the specific Device. | ||||
| **/ | ||||
| typedef | ||||
|   EFI_STATUS | ||||
| (EFIAPI *EDKII_DEVICE_SECURITY_GET_DEVICE_POLICY)( | ||||
|   IN  EDKII_DEVICE_SECURITY_POLICY_PROTOCOL  *This, | ||||
|   IN  EDKII_DEVICE_IDENTIFIER                *DeviceId, | ||||
|   OUT EDKII_DEVICE_SECURITY_POLICY           *DeviceSecurityPolicy | ||||
|   ); | ||||
|  | ||||
| /** | ||||
|   This function sets the device state based upon the authentication result. | ||||
|  | ||||
|   The device security driver may call this interface to give the platform | ||||
|   a notify based upon the measurement or authentication result. | ||||
|   If the authentication or measurement fails, the platform may choose: | ||||
|   1) Do nothing. | ||||
|   2) Disable this device or slot temporarily and continue boot. | ||||
|   3) Reset the platform and retry again. | ||||
|   4) Disable this device or slot permanently. | ||||
|   5) Any other platform specific action. | ||||
|  | ||||
|   @param[in]  This                   The protocol instance pointer. | ||||
|   @param[in]  DeviceId               The Identifier for the device. | ||||
|   @param[in]  DeviceSecurityState    The Device Security state associated with the device. | ||||
|  | ||||
|   @retval EFI_SUCCESS                The device state is set. | ||||
|   @retval EFI_UNSUPPORTED            The function is unsupported for the specific Device. | ||||
| **/ | ||||
| typedef | ||||
|   EFI_STATUS | ||||
| (EFIAPI *EDKII_DEVICE_SECURITY_NOTIFY_DEVICE_STATE)( | ||||
|   IN  EDKII_DEVICE_SECURITY_POLICY_PROTOCOL  *This, | ||||
|   IN  EDKII_DEVICE_IDENTIFIER                *DeviceId, | ||||
|   IN  EDKII_DEVICE_SECURITY_STATE            *DeviceSecurityState | ||||
|   ); | ||||
|  | ||||
| struct _EDKII_DEVICE_SECURITY_POLICY_PROTOCOL { | ||||
|   UINT32                                       Revision; | ||||
|   EDKII_DEVICE_SECURITY_GET_DEVICE_POLICY      GetDevicePolicy; | ||||
|   EDKII_DEVICE_SECURITY_NOTIFY_DEVICE_STATE    NotifyDeviceState; | ||||
| }; | ||||
|  | ||||
| extern EFI_GUID  gEdkiiDeviceSecurityPolicyProtocolGuid; | ||||
|  | ||||
| #endif | ||||
		Reference in New Issue
	
	Block a user