TianoCore Community Design Meeting Minutes - Oct 18
Ni, Ray
1. Device Firmware Security in EDKII (Intel)
Presenter: Jiewen Yao
Slides: https://edk2.groups.io/g/devel/files/Designs/2019/1018/EDKII-Device%20Firmware%20Security.pdf

* Background
Page #3, #4: HOST firmware is signed but device firmware is not.
Page #5: Device Authentication & Measurement.
Page #6, #7: DMTF defines Secure Protocol Data Model. PCI-SIG/USB define the hardware channel. Measurement and Authentication are both optional.

* Measurement
Page #11: High level flow
Allow: follow existing flow to enable devices and report them out to SW world.
Deny: Do not install any device related protocol (UsbIo/PciIo) so no SW stack is running over this device. IO/MMIO resource allocation is skipped as well.
Page #12: Final PCR/EventType will be decided by PC Client group.

* Authentication
Where to store the Root certs?
1). "devdb" and "devdbx"
2). reuse existing secureboot variable.
POC code will use option 1).

* Open
@Mike: If component doesn't have updatable firmware, is this required?
@Jiewen: For root of trust device, it's not required. In this design, platform policy controls (Page #20).
@Mike: How to handle the hot-plug devices? A root cert can be used for all oproms. Each USB device has its own cert?
@Jiewen: Similar to oproms, use root certs to eliminate big numbers of certs in UEFI variable.
@Liming: DeviceSecurityLib (Page #20) causes platform DSC impact. Could protocol be used?
@Jiewen: Protocol with revision is fine.
@Mike: Why not use Handle over DeviceId in page #20, because the Handle can be destroyed later if DeviceCheck() returns failure status? UEFI driver model guarantees the upper driver stack doesn't run until the PciBus driver DriverBindingStart() exits.
@Jiewen: Protocol notification callback is called immediately when Handle is created. Not using Handle is to resolve this concern.
@Mike: Is interaction only through PCI config space?
@Jiewen: Yes for now.
@Mike: How about producing a handle with limited PciIo functionality (access config only)? Current proposal hides the PciIo handle but the hardware config space is still open to public.
@Jiewen: Exposing the PciIo handle may cause other drivers to improperly parse a malformed config space.
@Mike: Asking for using Handle because, based on experience, Handle is better in UEFI driver model development. All information can be queried through Handle.
@Jiewen: Will discuss offline.
@Ray: What does SetDeviceState() do in Page #20?
@Jiewen: Platform can choose to specifically disable the device or do nothing.
@Mike: Full boot enumerates all devices. Fast boot doesn't. May miss measuring devices, especially the USB devices.
@Jiewen: Same fast boot flow produces same PCRs. Similar strategy is chosen for existing TCG trusted boot.

Thanks,
Ray
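Added example, not from the minutes, the slides or EDK II: a small C simulation of the allow/deny policy flow the minutes describe (Page #11, Page #20). A device presents the fingerprint of the root certificate that signed its firmware plus a firmware measurement; the platform's DeviceCheck() consults a deny list ("devdbx") and an allow list ("devdb"), records a measurement event for allowed devices, and on deny the enumeration step skips installing the PciIo/UsbIo protocol and resource allocation and calls SetDeviceState(). The structures, the policy knobs, the lists, the device records and the precedence rule (devdbx wins over devdb, mirroring dbx over db) are all assumptions made for the example; the hashes and vendor/device IDs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FP_LEN 32                      /* SHA-256 sized fingerprint/digest */
#define ARRAY_COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical device record passed to the policy check (assumption). */
typedef struct {
  uint16_t VendorId;
  uint16_t DeviceId;
  int      HasUpdatableFirmware;          /* 0 for a fixed root-of-trust component */
  uint8_t  RootCertFingerprint[FP_LEN];   /* hash of root cert signing the device firmware (constructed) */
  uint8_t  FirmwareDigest[FP_LEN];        /* measured device firmware digest (constructed) */
} DEVICE_INFO;

typedef enum { DEVICE_ALLOW = 0, DEVICE_DENY = 1 } DEVICE_DECISION;

/* Hypothetical platform policy knobs (stand-ins for the platform policy
 * the minutes say controls the flow; names are assumptions). */
typedef struct {
  int RequireAuthForRootOfTrust;   /* authenticate even devices without updatable firmware */
  int DisableDeniedDevice;         /* SetDeviceState(): disable the device, or do nothing */
} PLATFORM_POLICY;

/* Constructed root-cert fingerprint lists; unlisted bytes are zero.
 * DEVDBX wins over DEVDB, so a trusted-then-revoked root (0xDE 0xAD) is denied. */
static const uint8_t DEVDB[][FP_LEN]  = { {0x11, 0x22}, {0x33, 0x44}, {0xDE, 0xAD} };
static const uint8_t DEVDBX[][FP_LEN] = { {0xDE, 0xAD} };

/* Simulated measurement log (stands in for PCR extend + event log). */
typedef struct { uint16_t VendorId, DeviceId; uint8_t FirmwareDigest[FP_LEN]; } MEASUREMENT_EVENT;
static MEASUREMENT_EVENT mEventLog[16];
static size_t            mEventCount;

size_t MeasuredDeviceCount(void) { return mEventCount; }

static int FingerprintInList(const uint8_t List[][FP_LEN], size_t Count, const uint8_t *Fp) {
  for (size_t i = 0; i < Count; i++)
    if (memcmp(List[i], Fp, FP_LEN) == 0) return 1;
  return 0;
}

static void RecordMeasurement(const DEVICE_INFO *Dev) {
  if (mEventCount >= ARRAY_COUNT(mEventLog)) return;   /* log full: drop silently in this toy */
  mEventLog[mEventCount].VendorId = Dev->VendorId;
  mEventLog[mEventCount].DeviceId = Dev->DeviceId;
  memcpy(mEventLog[mEventCount].FirmwareDigest, Dev->FirmwareDigest, FP_LEN);
  mEventCount++;
}

/* Policy decision: measure always for allowed devices, authenticate unless the
 * platform exempts fixed root-of-trust components (Page #20 discussion). */
DEVICE_DECISION DeviceCheck(const DEVICE_INFO *Dev, const PLATFORM_POLICY *Policy) {
  if (!Dev->HasUpdatableFirmware && !Policy->RequireAuthForRootOfTrust) {
    RecordMeasurement(Dev);                 /* measurement only, no signature check */
    return DEVICE_ALLOW;
  }
  if (FingerprintInList(DEVDBX, ARRAY_COUNT(DEVDBX), Dev->RootCertFingerprint))
    return DEVICE_DENY;                     /* revoked root: deny regardless of devdb */
  if (!FingerprintInList(DEVDB, ARRAY_COUNT(DEVDB), Dev->RootCertFingerprint))
    return DEVICE_DENY;                     /* unknown root: not trusted */
  RecordMeasurement(Dev);
  return DEVICE_ALLOW;
}

/* Platform choice after a deny: specifically disable the device, or do nothing. */
void SetDeviceState(const DEVICE_INFO *Dev, const PLATFORM_POLICY *Policy, int *DeviceDisabled) {
  (void)Dev;
  *DeviceDisabled = Policy->DisableDeniedDevice ? 1 : 0;
}

/* Simulated bus-driver enumeration step. Returns 1 if the PciIo/UsbIo protocol
 * and IO/MMIO resources would be produced, 0 if the device stays hidden from
 * the software stack (deny path from Page #11). */
int EnumerateDevice(const DEVICE_INFO *Dev, const PLATFORM_POLICY *Policy, int *DeviceDisabled) {
  *DeviceDisabled = 0;
  if (DeviceCheck(Dev, Policy) == DEVICE_DENY) {
    SetDeviceState(Dev, Policy, DeviceDisabled);
    return 0;                               /* no protocol install, no resource allocation */
  }
  return 1;
}

/* Constructed sample devices (IDs and hashes are not real products). */
const DEVICE_INFO TRUSTED_NIC = { 0x1234, 0x0001, 1, {0x11, 0x22}, {0xA1} };
const DEVICE_INFO REVOKED_NIC = { 0x1234, 0x0002, 1, {0xDE, 0xAD}, {0xA2} };
const DEVICE_INFO UNKNOWN_USB = { 0x5678, 0x0003, 1, {0x55, 0x66}, {0xA3} };
const DEVICE_INFO FIXED_ROT   = { 0x9ABC, 0x0004, 0, {0x77},       {0xA4} };

int main(void) {
  PLATFORM_POLICY Policy = { 0, 1 };        /* exempt root-of-trust parts; disable denied devices */
  const DEVICE_INFO *Devs[] = { &TRUSTED_NIC, &REVOKED_NIC, &UNKNOWN_USB, &FIXED_ROT };
  for (size_t i = 0; i < ARRAY_COUNT(Devs); i++) {
    int Disabled;
    int Installed = EnumerateDevice(Devs[i], &Policy, &Disabled);
    printf("%04x:%04x -> %s%s\n", Devs[i]->VendorId, Devs[i]->DeviceId,
           Installed ? "ALLOW (protocol installed, measured)" : "DENY (no protocol, no resources)",
           Disabled ? ", device disabled" : "");
  }
  printf("measured devices: %zu\n", MeasuredDeviceCount());
  return 0;
}
```

The example keeps the two properties the discussion cares about separate: measurement is recorded for every device that reaches the software stack, while authentication is skipped only where the platform policy exempts a fixed root-of-trust component, and a denied device never gets a protocol handle at all, which is the "deny" behaviour that avoids other drivers parsing a potentially malformed config space.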