[edk2-devel] [PATCH v3 1/3] SecurityPkg: add RpmcLib and VariableKeyLib public headers

Mistry, Nishant C nishant.c.mistry at intel.com
Wed Mar 18 03:13:37 UTC 2020 

Agree. I will make needed changes to remove CounterId parameter.

Regards,
Nishant

Message sent from Phone.

On Mar 17, 2020 7:59 PM, "Yao, Jiewen" <jiewen.yao at intel.com> wrote:

Thanks Nishant.



If the platform RPMC driver calls GetRpmcState(), then we should not define it in UEFI, because the variable driver does not have such knowledge.



I do see the complexity on the counter management requirement. Current API might be either insufficient or unnecessary.



To keep our work simple, l recommend remove CounterAddr from the API, and force BIOS use single counter.

It does not have to be 0, the RpmcLib can make decision. But the high level driver does not care.



We can revisit when we see more usage.



Thank you

Yao Jiewen



From: Mistry, Nishant C <nishant.c.mistry at intel.com>
Sent: Wednesday, March 18, 2020 10:53 AM
To: Yao, Jiewen <jiewen.yao at intel.com>
Cc: Wang, Jian J <jian.j.wang at intel.com>; devel at edk2.groups.io; Zhang, Chao B <chao.b.zhang at intel.com>
Subject: RE: [PATCH v3 1/3] SecurityPkg: add RpmcLib and VariableKeyLib public headers



My thoughts below ...



Regards,

Nishant

Message sent from Phone.



On Mar 17, 2020 7:27 PM, "Yao, Jiewen" <jiewen.yao at intel.com<mailto:jiewen.yao at intel.com>> wrote:

Thanks Jian. Some comments and thought.

1) RPMC spec uses CounterAddress as the indicator. Can we use the same name instead of CounterId in the API definition? [Nishant] I agree. CounterId is what CSME has defined thus I asked Jian to go with this name. However, we should use industry spec naming.



2) How the caller known which CounterAddress it need to fill?
Do we need an API such as GetValidCounterAddress() ?[Nishant] The platform RPMC driver has an GetRpmcStatus() API that indicates how many counters supported as reported by CSME.

3) What is the value to add CounterAddress? Do can we guarantee that 2 drivers use 2 different counter address?
Or If 2 drivers may use same counter address, why not remove the counter address parameter at all ? [Nishant] It might be simpler to just use one counter Address (i.e. 0) for UEFI firmware. If there is a customer request in future we can introduce the Counter Address parameter. At this moment I don't see a value add for BIOS.

Thank you
Yao Jiewen



> -----Original Message-----
> From: Wang, Jian J <jian.j.wang at intel.com<mailto:jian.j.wang at intel.com>>
> Sent: Wednesday, March 18, 2020 10:13 AM
> To: devel at edk2.groups.io<mailto:devel at edk2.groups.io>
> Cc: Yao, Jiewen <jiewen.yao at intel.com<mailto:jiewen.yao at intel.com>>; Zhang, Chao B
> <chao.b.zhang at intel.com<mailto:chao.b.zhang at intel.com>>; Mistry, Nishant C <nishant.c.mistry at intel.com<mailto:nishant.c.mistry at intel.com>>
> Subject: [PATCH v3 1/3] SecurityPkg: add RpmcLib and VariableKeyLib public
> headers
>
> > v3: update retval description in RpmcLib.h
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2594
>
> RpmcLib.h and VariableKeyLib.h are header files required to access RPMC
> device and Key generator from platform. They will be used to ensure the
> integrity and confidentiality of NV variables.
>
> Cc: Jiewen Yao <jiewen.yao at intel.com<mailto:jiewen.yao at intel.com>>
> Cc: Chao Zhang <chao.b.zhang at intel.com<mailto:chao.b.zhang at intel.com>>
> Cc: Nishant C Mistry <nishant.c.mistry at intel.com<mailto:nishant.c.mistry at intel.com>>
> Signed-off-by: Jian J Wang <jian.j.wang at intel.com<mailto:jian.j.wang at intel.com>>
> ---
>  SecurityPkg/Include/Library/RpmcLib.h        | 46 +++++++++++++++
>  SecurityPkg/Include/Library/VariableKeyLib.h | 59 ++++++++++++++++++++
>  SecurityPkg/SecurityPkg.dec                  |  8 +++
>  3 files changed, 113 insertions(+)
>  create mode 100644 SecurityPkg/Include/Library/RpmcLib.h
>  create mode 100644 SecurityPkg/Include/Library/VariableKeyLib.h
>
> diff --git a/SecurityPkg/Include/Library/RpmcLib.h
> b/SecurityPkg/Include/Library/RpmcLib.h
> new file mode 100644
> index 0000000000..f548ad2c9f
> --- /dev/null
> +++ b/SecurityPkg/Include/Library/RpmcLib.h
> @@ -0,0 +1,46 @@
> +/** @file
>
> +  Public definitions for the Replay Protected Monotonic Counter (RPMC) Library.
>
> +
>
> +Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +
>
> +**/
>
> +
>
> +#ifndef _RPMC_LIB_H_
>
> +#define _RPMC_LIB_H_
>
> +
>
> +#include <Uefi/UefiBaseType.h>
>
> +
>
> +/**
>
> +  Requests the current monotonic counter from the designated RPMC counter.
>
> +
>
> +  @param[in]    CounterId               Monotonic Counter Id.
>
> +  @param[out]   CounterValue            A pointer to a buffer to store the RPMC
> value.
>
> +
>
> +  @retval       EFI_SUCCESS             The operation completed successfully.
>
> +  @retval       EFI_DEVICE_ERROR        A device error occurred while attempting
> to update the counter.
>
> +  @retval       EFI_UNSUPPORTED         The operation is un-supported.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +RequestMonotonicCounter (
>
> +  IN  UINT8   CounterId,
>
> +  OUT UINT32  *CounterValue
>
> +  );
>
> +
>
> +/**
>
> +  Increments the designated monotonic counter in the SPI flash device by 1.
>
> +
>
> +  @param[in]    CounterId              Monotonic Counter Id.
>
> +
>
> +  @retval       EFI_SUCCESS             The operation completed successfully.
>
> +  @retval       EFI_DEVICE_ERROR        A device error occurred while attempting
> to update the counter.
>
> +  @retval       EFI_UNSUPPORTED         The operation is un-supported.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +IncrementMonotonicCounter (
>
> +  IN  UINT8   CounterId
>
> +  );
>
> +
>
> +#endif
> \ No newline at end of file
> diff --git a/SecurityPkg/Include/Library/VariableKeyLib.h
> b/SecurityPkg/Include/Library/VariableKeyLib.h
> new file mode 100644
> index 0000000000..fe642b3d66
> --- /dev/null
> +++ b/SecurityPkg/Include/Library/VariableKeyLib.h
> @@ -0,0 +1,59 @@
> +/** @file
>
> +  Public definitions for Variable Key Library.
>
> +
>
> +Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
>
> +SPDX-License-Identifier: BSD-2-Clause-Patent
>
> +
>
> +**/
>
> +
>
> +#ifndef _VARIABLE_KEY_LIB_H_
>
> +#define _VARIABLE_KEY_LIB_H_
>
> +
>
> +#include <Uefi/UefiBaseType.h>
>
> +
>
> +/**
>
> +  Retrieves the variable root key.
>
> +
>
> +  @param[out]     VariableRootKey         A pointer to pointer for the variable
> root key buffer.
>
> +  @param[in,out]  VariableRootKeySize     The size in bytes of the variable root
> key.
>
> +
>
> +  @retval       EFI_SUCCESS             The variable root key was returned.
>
> +  @retval       EFI_DEVICE_ERROR        An error occurred while attempting to get
> the variable root key.
>
> +  @retval       EFI_ACCESS_DENIED       The function was invoked after locking
> the key interface.
>
> +  @retval       EFI_UNSUPPORTED         The variable root key is not supported in
> the current boot configuration.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +GetVariableRootKey (
>
> +      OUT VOID    **VariableRootKey,
>
> +  IN  OUT UINTN   *VariableRootKeySize
>
> +  );
>
> +
>
> +/**
>
> +  Regenerates the variable root key.
>
> +
>
> +  @retval       EFI_SUCCESS             The variable root key was regenerated
> successfully.
>
> +  @retval       EFI_DEVICE_ERROR        An error occurred while attempting to
> regenerate the root key.
>
> +  @retval       EFI_ACCESS_DENIED       The function was invoked after locking
> the key interface.
>
> +  @retval       EFI_UNSUPPORTED         Key regeneration is not supported in the
> current boot configuration.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +RegenerateKey (
>
> +  VOID
>
> +  );
>
> +
>
> +/**
>
> +  Locks the regenerate key interface.
>
> +
>
> +  @retval       EFI_SUCCESS             The key interface was locked successfully.
>
> +  @retval       EFI_UNSUPPORTED         Locking the key interface is not supported
> in the current boot configuration.
>
> +  @retval       Others                  An error occurred while attempting to lock the
> key interface.
>
> +**/
>
> +EFI_STATUS
>
> +EFIAPI
>
> +LockKeyInterface (
>
> +  VOID
>
> +  );
>
> +
>
> +#endif
> \ No newline at end of file
> diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
> index 5335cc5397..2cdfb02cc5 100644
> --- a/SecurityPkg/SecurityPkg.dec
> +++ b/SecurityPkg/SecurityPkg.dec
> @@ -76,6 +76,14 @@
>    #
>
>    TcgStorageOpalLib|Include/Library/TcgStorageOpalLib.h
>
>
>
> +  ## @libraryclass  Provides interfaces to access RPMC device.
>
> +  #
>
> +  RpmcLib|Include/Library/RpmcLib.h
>
> +
>
> +  ## @libraryclass  Provides interfaces to access variable root key.
>
> +  #
>
> +  VariableKeyLib|Include/Library/VariableKeyLib.h
>
> +
>
>  [Guids]
>
>    ## Security package token space guid.
>
>    # Include/Guid/SecurityPkgTokenSpace.h
>
> --
> 2.24.0.windows.2




-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#55972): https://edk2.groups.io/g/devel/message/55972
Mute This Topic: https://groups.io/mt/72040979/1813853
Group Owner: devel+owner at edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [edk2-devel-archive at redhat.com]
-=-=-=-=-=-=-=-=-=-=-=-

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/edk2-devel-archive/attachments/20200318/77c09397/attachment.htm>

More information about the edk2-devel-archive mailing list