UEFI in Practice: HSTI

What is HSTI

HSTI stands for Hardware Security Testability Interface; it is defined by the Hardware Security Testability Specification.

It is a feature of Windows devices.

For an introduction to HSTI, see the following page:

https://docs.microsoft.com/en-us/windows-hardware/test/hlk/testref/hardware-security-testability-specification

Or the machine-translated Chinese version below:

https://docs.microsoft.com/zh-cn/windows-hardware/test/hlk/testref/hardware-security-testability-specification

This article gives a brief introduction to how it is used.

Purpose

The purpose of HSTI is to ensure that the security-related configuration of a Windows device is correct.

HSTI is used to define a series of tests; the results of these tests are passed to Windows, which ultimately determines how secure the device is.

UEFI interface

UEFI provides the following interface:

///
/// EFI_ADAPTER_INFORMATION_PROTOCOL
/// The protocol for adapter provides the following services.
/// - Gets device state information from adapter.
/// - Sets device information for adapter.
/// - Gets a list of supported information types for this instance of the protocol.
///
struct _EFI_ADAPTER_INFORMATION_PROTOCOL {
  EFI_ADAPTER_INFO_GET_INFO              GetInformation;
  EFI_ADAPTER_INFO_SET_INFO              SetInformation;
  EFI_ADAPTER_INFO_GET_SUPPORTED_TYPES   GetSupportedTypes;
};

extern EFI_GUID gEfiAdapterInformationProtocolGuid;

This interface is implemented by individual devices. Taking Intel's gigabit Ethernet NIC as an example, its UEFI driver contains the following file:

Its code contains the following fragment:

/** Initializes and installs Adapter Info Protocol on adapter

   @param[in]   UndiPrivateData   Driver private data structure

   @retval    EFI_SUCCESS   Protocol installed successfully
   @retval    !EFI_SUCCESS  Failed to install and initialize protocol
**/
EFI_STATUS
InitAdapterInformationProtocol (
  IN UNDI_PRIVATE_DATA *UndiPrivateData
  )
{
  EFI_STATUS                              Status;
  EFI_ADAPTER_INFORMATION_TYPE_DESCRIPTOR InformationType;

  EFI_GUID MediaStateGuid      = EFI_ADAPTER_INFO_MEDIA_STATE_GUID;
  EFI_GUID Ipv6SupportInfoGuid = EFI_ADAPTER_INFO_UNDI_IPV6_SUPPORT_GUID;

  DEBUGPRINT (ADAPTERINFO, ("%a, %d\n", __FUNCTION__, __LINE__));

  UndiPrivateData->AdapterInformation = gUndiAdapterInfo;

  memset (&InformationType, 0, sizeof (EFI_ADAPTER_INFORMATION_TYPE_DESCRIPTOR));
  CopyMem (&InformationType.Guid, &MediaStateGuid, sizeof (EFI_GUID));
  InformationType.GetInformationBlock = GetMediaStateInformationBlock;
  InformationType.SetInformationBlock = NULL;
  AddSupportedInformationType (&InformationType);

  memset (&InformationType, 0, sizeof (EFI_ADAPTER_INFORMATION_TYPE_DESCRIPTOR));
  CopyMem (&InformationType.Guid, &Ipv6SupportInfoGuid, sizeof (EFI_GUID));
  InformationType.GetInformationBlock = GetIpv6SupportInformationBlock;
  InformationType.SetInformationBlock = NULL;
  AddSupportedInformationType (&InformationType);

  Status = gBS->InstallProtocolInterface (
                  &UndiPrivateData->DeviceHandle,
                  &gEfiAdapterInformationProtocolGuid,
                  EFI_NATIVE_INTERFACE,
                  &UndiPrivateData->AdapterInformation
                );
  if (EFI_ERROR (Status)) {
    DEBUGPRINT (ADAPTERINFO, ("InstallProtocolInterface returned %r\n", Status));
    return Status;
  }

  return Status;
}

The device's security-related information can be obtained through the EFI_ADAPTER_INFORMATION_PROTOCOL interface; the structure that carries it is as follows:

typedef struct {
  //
  //  Return PLATFORM_SECURITY_VERSION_VNEXTCS
  //
  UINT32  Version;
  //
  // The role of the publisher of this interface.  Reference platform designers
  // such as IHVs and IBVs are expected to return PLATFORM_SECURITY_ROLE_PLATFORM_REFERENCE
  // and PLATFORM_SECURITY_ROLE_PLATFORM_IBV respectively.
  // If the test modules from the designers are unable to fully verify all
  // security features, then the platform implementers, OEMs and ODMs, will
  // need to publish this interface with a role of Implementer.
  //
  UINT32  Role;
  //
  // Human readable vendor, model, & version of this implementation.
  //
  CHAR16  ImplementationID[256];
  //
  // The size in bytes of the SecurityFeaturesRequired and SecurityFeaturesEnabled arrays.
  // The arrays must be the same size.
  //
  UINT32  SecurityFeaturesSize;
  //
  // IHV-defined bitfield corresponding to all security features which must be
  // implemented to meet the security requirements defined by PLATFORM_SECURITY_VERSION Version.
  //
//UINT8   SecurityFeaturesRequired[];     //Ignored for non-IHV
  //
  // Publisher-defined bitfield corresponding to all security features which
  // have implemented programmatic tests in this module.
  //
//UINT8   SecurityFeaturesImplemented[];
  //
  // Publisher-defined bitfield corresponding to all security features which
  // have been verified implemented by this implementation.
  //
//UINT8   SecurityFeaturesVerified[];
  //
  // A Null-terminated string, one failure per line (CR/LF terminated), with a
  // unique identifier that the OEM/ODM can use to locate the documentation
  // which will describe the steps to remediate the failure - a URL to the
  // documentation is recommended.
  //
//CHAR16  ErrorString[];
} ADAPTER_INFO_PLATFORM_SECURITY;

The security-related information of a device can be obtained in the way described above; how that information is produced is decided by the device driver. As for how it is passed on to Windows, I do not know yet...
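What a consumer of this protocol actually has to do with the buffer returned by GetInformation() is parse the ADAPTER_INFO_PLATFORM_SECURITY layout above: a fixed header (Version, Role, ImplementationID, SecurityFeaturesSize) followed by three bitfields of SecurityFeaturesSize bytes each and a NUL-terminated CHAR16 ErrorString. The following is an added example, not code from the blog post, from Intel's driver, or from EDK2: a host-side C parser that bounds-checks the blob (it comes from firmware and should be treated as untrusted input), reports which Required features are not Verified, and extracts the error string. The sample blob, its vendor string, its feature bits and its error identifier are all constructed for this example; the header size 524 and the version constant 3 (PLATFORM_SECURITY_VERSION_VNEXTCS) follow the structure shown above.

```c
/* Added example (not from the blog post, Intel's driver or EDK2): host-side
 * parser for the ADAPTER_INFO_PLATFORM_SECURITY blob that GetInformation()
 * returns for the HSTI information type. Standard C only, so it builds anywhere. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Fixed header: Version(4) + Role(4) + ImplementationID(256 x CHAR16) + SecurityFeaturesSize(4). */
#define HSTI_HEADER_SIZE     524u
#define HSTI_VERSION_VNEXTCS 3u   /* PLATFORM_SECURITY_VERSION_VNEXTCS */

typedef struct {
    uint32_t       version;
    uint32_t       role;
    char           implementation_id[257]; /* CHAR16[256] narrowed to ASCII */
    uint32_t       features_size;          /* bytes per bitfield */
    const uint8_t *required;               /* SecurityFeaturesRequired */
    const uint8_t *implemented;            /* SecurityFeaturesImplemented */
    const uint8_t *verified;               /* SecurityFeaturesVerified */
    char           error_string[512];      /* ErrorString narrowed to ASCII */
} hsti_view;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Narrow up to max_chars UTF-16LE code units (stopping at NUL) into ASCII; non-ASCII becomes '?'. */
static void narrow_utf16(const uint8_t *p, size_t max_chars, char *out, size_t out_cap) {
    size_t i, n = 0;
    for (i = 0; i < max_chars; i++) {
        uint16_t c = (uint16_t)(p[2 * i] | (p[2 * i + 1] << 8));
        if (c == 0) break;
        if (n + 1 < out_cap) out[n++] = (c < 0x80) ? (char)c : '?';
    }
    out[n] = '\0';
}

/* Parse an untrusted blob of len bytes. Returns 0 on success, -1 if the blob is
 * truncated, the three bitfields would overrun it, or ErrorString has no terminator. */
int hsti_parse(const uint8_t *buf, size_t len, hsti_view *v) {
    size_t strings_off, remaining, i;
    if (buf == NULL || v == NULL || len < HSTI_HEADER_SIZE) return -1;
    memset(v, 0, sizeof *v);
    v->version = rd32(buf);
    v->role    = rd32(buf + 4);
    narrow_utf16(buf + 8, 256, v->implementation_id, sizeof v->implementation_id);
    v->features_size = rd32(buf + 520);
    if (v->features_size > (len - HSTI_HEADER_SIZE) / 3) return -1;   /* overflow-safe bound */
    v->required    = buf + HSTI_HEADER_SIZE;
    v->implemented = v->required + v->features_size;
    v->verified    = v->implemented + v->features_size;
    strings_off = HSTI_HEADER_SIZE + 3 * (size_t)v->features_size;
    remaining   = len - strings_off;
    for (i = 0; i + 1 < remaining; i += 2) {            /* locate the CHAR16 NUL terminator */
        if (buf[strings_off + i] == 0 && buf[strings_off + i + 1] == 0) {
            narrow_utf16(buf + strings_off, i / 2, v->error_string, sizeof v->error_string);
            return 0;
        }
    }
    return -1;
}

/* Count features that are Required but not Verified; mask_out (features_size bytes) receives the bits. */
size_t hsti_missing_features(const hsti_view *v, uint8_t *mask_out) {
    size_t i, count = 0;
    for (i = 0; i < v->features_size; i++) {
        uint8_t missing = (uint8_t)(v->required[i] & (uint8_t)~v->verified[i]);
        if (mask_out) mask_out[i] = missing;
        for (; missing; missing >>= 1) count += missing & 1u;
    }
    return count;
}

static size_t put_utf16(uint8_t *dst, const char *s) {
    size_t n;
    for (n = 0; s[n]; n++) { dst[2 * n] = (uint8_t)s[n]; dst[2 * n + 1] = 0; }
    return n;
}

/* Build a constructed sample blob (all values are made up for this example). Returns its length. */
size_t hsti_build_sample(uint8_t *buf, size_t cap) {
    static const uint8_t required[2]    = { 0x07, 0x01 };
    static const uint8_t implemented[2] = { 0x07, 0x01 };
    static const uint8_t verified[2]    = { 0x05, 0x01 };   /* bit 1 of byte 0 not verified */
    const char *err = "SAMPLE-0001: constructed failure\r\n";
    size_t off  = HSTI_HEADER_SIZE;
    size_t need = HSTI_HEADER_SIZE + 3 * sizeof required + 2 * (strlen(err) + 1);
    if (cap < need) return 0;
    memset(buf, 0, need);
    wr32(buf, HSTI_VERSION_VNEXTCS);
    wr32(buf + 4, 3);                                      /* Role: sample value */
    put_utf16(buf + 8, "Sample Vendor, Model X, v1.0");
    wr32(buf + 520, sizeof required);
    memcpy(buf + off, required, 2);    off += 2;
    memcpy(buf + off, implemented, 2); off += 2;
    memcpy(buf + off, verified, 2);    off += 2;
    off += 2 * (put_utf16(buf + off, err) + 1);           /* terminator already zeroed */
    return off;
}

int main(void) {
    uint8_t buf[1024], mask[2];
    hsti_view v;
    size_t missing, len = hsti_build_sample(buf, sizeof buf);
    if (hsti_parse(buf, len, &v) != 0) { puts("malformed HSTI blob"); return 1; }
    missing = hsti_missing_features(&v, mask);
    printf("%s (version %u, role %u): %zu required feature(s) not verified, mask %02x %02x\n%s",
           v.implementation_id, v.version, v.role, missing, mask[0], mask[1], v.error_string);
    return 0;
}
```

The two checks that matter from a security standpoint are the division-based bound on SecurityFeaturesSize (a 32-bit size multiplied by three must not be trusted before it is compared against the buffer length) and the search for the ErrorString terminator inside the buffer, so a malformed or truncated blob is rejected instead of being read past its end.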

HSTI is a feature promoted by Windows and it is tied to UEFI, but I have not actually used it myself, so please forgive any errors.

Reposted from blog.csdn.net/jiangwei0512/article/details/99119054