什么是HSTI
HSTI的全称是Hardware Security Testability Interface,它由《Hardware Security Testability Specification》定义。
它是属于Windows设备的一个特性。
关于HSTI的介绍,可以参考如下的网站:
或者下面这个机翻的中文版:
本文简单介绍其使用。
作用
HSTI的作用是保证Windows设备上的关于安全的配置是正确的。
HSTI用于定义一系列的测试,这些测试会被传递给Windows系统,并最终决定设备的安全性。
UEFI接口
UEFI下提供了如下的接口:
///
/// EFI_ADAPTER_INFORMATION_PROTOCOL
/// The protocol for adapter provides the following services.
/// - Gets device state information from adapter.
/// - Sets device information for adapter.
/// - Gets a list of supported information types for this instance of the protocol.
///
struct _EFI_ADAPTER_INFORMATION_PROTOCOL {
EFI_ADAPTER_INFO_GET_INFO GetInformation;
EFI_ADAPTER_INFO_SET_INFO SetInformation;
EFI_ADAPTER_INFO_GET_SUPPORTED_TYPES GetSupportedTypes;
};
extern EFI_GUID gEfiAdapterInformationProtocolGuid;
这个接口有具体的设备来实现,以Intel的千兆网卡为例,它的UEFI驱动中有如下的文件:
它的代码中有如下的片段:
/** Initializes and installs Adapter Info Protocol on adapter
@param[in] UndiPrivateData Driver private data structure
@retval EFI_SUCCESS Protocol installed successfully
@retval !EFI_SUCCESS Failed to install and initialize protocol
**/
EFI_STATUS
InitAdapterInformationProtocol (
IN UNDI_PRIVATE_DATA *UndiPrivateData
)
{
EFI_STATUS Status;
EFI_ADAPTER_INFORMATION_TYPE_DESCRIPTOR InformationType;
EFI_GUID MediaStateGuid = EFI_ADAPTER_INFO_MEDIA_STATE_GUID;
EFI_GUID Ipv6SupportInfoGuid = EFI_ADAPTER_INFO_UNDI_IPV6_SUPPORT_GUID;
DEBUGPRINT (ADAPTERINFO, ("%a, %d\n", __FUNCTION__, __LINE__));
UndiPrivateData->AdapterInformation = gUndiAdapterInfo;
memset (&InformationType, 0, sizeof (EFI_ADAPTER_INFORMATION_TYPE_DESCRIPTOR));
CopyMem (&InformationType.Guid, &MediaStateGuid, sizeof (EFI_GUID));
InformationType.GetInformationBlock = GetMediaStateInformationBlock;
InformationType.SetInformationBlock = NULL;
AddSupportedInformationType (&InformationType);
memset (&InformationType, 0, sizeof (EFI_ADAPTER_INFORMATION_TYPE_DESCRIPTOR));
CopyMem (&InformationType.Guid, &Ipv6SupportInfoGuid, sizeof (EFI_GUID));
InformationType.GetInformationBlock = GetIpv6SupportInformationBlock;
InformationType.SetInformationBlock = NULL;
AddSupportedInformationType (&InformationType);
Status = gBS->InstallProtocolInterface (
&UndiPrivateData->DeviceHandle,
&gEfiAdapterInformationProtocolGuid,
EFI_NATIVE_INTERFACE,
&UndiPrivateData->AdapterInformation
);
if (EFI_ERROR (Status)) {
DEBUGPRINT (ADAPTERINFO, ("InstallProtocolInterface returned %r\n", Status));
return Status;
}
return Status;
}
通过EFI_ADAPTER_INFORMATION_PROTOCOL接口就可以获取到设备的相关安全信息,它的结构体如下:
typedef struct {
//
// Return PLATFORM_SECURITY_VERSION_VNEXTCS
//
UINT32 Version;
//
// The role of the publisher of this interface. Reference platform designers
// such as IHVs and IBVs are expected to return PLATFORM_SECURITY_ROLE_PLATFORM_REFERENCE
// and PLATFORM_SECURITY_ROLE_PLATFORM_IBV respectively.
// If the test modules from the designers are unable to fully verify all
// security features, then the platform implementers, OEMs and ODMs, will
// need to publish this interface with a role of Implementer.
//
UINT32 Role;
//
// Human readable vendor, model, & version of this implementation.
//
CHAR16 ImplementationID[256];
//
// The size in bytes of the SecurityFeaturesRequired and SecurityFeaturesEnabled arrays.
// The arrays must be the same size.
//
UINT32 SecurityFeaturesSize;
//
// IHV-defined bitfield corresponding to all security features which must be
// implemented to meet the security requirements defined by PLATFORM_SECURITY_VERSION Version.
//
//UINT8 SecurityFeaturesRequired[]; //Ignored for non-IHV
//
// Publisher-defined bitfield corresponding to all security features which
// have implemented programmatic tests in this module.
//
//UINT8 SecurityFeaturesImplemented[];
//
// Publisher-defined bitfield corresponding to all security features which
// have been verified implemented by this implementation.
//
//UINT8 SecurityFeaturesVerified[];
//
// A Null-terminated string, one failure per line (CR/LF terminated), with a
// unique identifier that the OEM/ODM can use to locate the documentation
// which will describe the steps to remediate the failure - a URL to the
// documentation is recommended.
//
//CHAR16 ErrorString[];
} ADAPTER_INFO_PLATFORM_SECURITY;
通过上述方式可以得到设备的安全相关的信息,这些信息怎么来有设备驱动决定,至于怎么传递给Windows系统,目前还不知道......
HSTI是Windows推的一个功能,它跟UEFI挂钩,但是这边也没有具体使用过,如有错误请见谅。