Current Intel Device Authentication implementation violates UEFI 2.10 Specification (Bugzilla Bug 4833) #718

Open
tianocore-issues opened this issue Aug 19, 2024 · 2 comments

Comments

@tianocore-issues

This issue was created automatically with bugzilla2github

Bugzilla Bug 4833

Date: 2024-08-19T06:32:29+00:00
From: sachinganesh
To: unassigned <>
CC: @lgao4, @jyao1, @SaiChaganty, @niruiyu, vdhanaraj, yun.lou

Last updated: 2024-09-04T20:39:34+00:00

@tianocore-issues
Author

Comment 23330

Date: 2024-08-19 06:32:29 +0000
From: sachinganesh

  • Industry Specification: ---
  • Release Observed: EDK II Master
  • Releases to Fix: EDK II Master
  • Target OS: ---
  • Bugzilla Assignee(s): unassigned <>

Support was added for PCI device authentication in Silicon/Intel/IntelSiliconPkg/Feature/PcieSecurity/IntelPciDeviceSecurityDxe/

Here, DeviceAuthentication() calls GetDevicePolicy() from the Device Security Policy Protocol, which uses the Read API from the PciIo protocol to get the Vendor ID and Device ID.

As per UEFI 2.10 spec Section 32.7.1:

"After the bus or device driver passes all verification for the device, the bus or device driver then enables the device on the UEFI firmware environment. For example, a PCI bus driver will assign bus number, allocate PCI IO/MMIO bar, and install EFI_PCI_IO_PROTOCOL for the PCI device."

So it cannot be assumed that the PciIo protocol will be installed before authentication is done.

@tianocore-issues
Author

Comment 23366

Date: 2024-09-04 20:39:34 +0000
From: @lgao4

[email protected]: have you any comment for this issue?
