2014-09-03 10:51:17 +02:00
|
|
|
|
<EFBFBD><EFBFBD>// /** @file
|
|
|
|
|
// Provides security features that conform to TCG/UEFI industry standards
|
|
|
|
|
//
|
|
|
|
|
// The security features include secure boot, measured boot and user identification.
|
|
|
|
|
// It also provides the definitions(including PPIs/PROTOCOLs/GUIDs and library classes)
|
|
|
|
|
// and libraries instances, which are used for those features.
|
|
|
|
|
//
|
2015-07-28 03:38:14 +02:00
|
|
|
|
// Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
|
2014-09-03 10:51:17 +02:00
|
|
|
|
//
|
|
|
|
|
// This program and the accompanying materials are licensed and made available under
|
|
|
|
|
// the terms and conditions of the BSD License which accompanies this distribution.
|
|
|
|
|
// The full text of the license may be found at
|
|
|
|
|
// http://opensource.org/licenses/bsd-license.php
|
|
|
|
|
//
|
|
|
|
|
// THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
|
|
|
|
|
// WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
|
|
|
|
|
//
|
|
|
|
|
// **/
|
2014-08-28 07:49:39 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#string STR_PACKAGE_ABSTRACT #language en-US "Provides security features that conform to TCG/UEFI industry standards"
|
|
|
|
|
|
|
|
|
|
#string STR_PACKAGE_DESCRIPTION #language en-US "The security features include secure boot, measured boot and user identification. It also provides the definitions(including PPIs/PROTOCOLs/GUIDs and library classes) and libraries instances, which are used for those features."
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdOptionRomImageVerificationPolicy_PROMPT #language en-US "Set policy for the image from OptionRom."
|
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdOptionRomImageVerificationPolicy_HELP #language en-US "Image verification policy for OptionRom. Only following values are valid:<BR><BR>\n"
|
2014-09-03 10:51:17 +02:00
|
|
|
|
"NOTE: Do NOT use 0x5 and 0x2 since it violates the UEFI specification and has been removed.<BR>\n"
|
|
|
|
|
"0x00000000 Always trust the image.<BR>\n"
|
|
|
|
|
"0x00000001 Never trust the image.<BR>\n"
|
|
|
|
|
"0x00000002 Allow execution when there is security violation.<BR>\n"
|
|
|
|
|
"0x00000003 Defer execution when there is security violation.<BR>\n"
|
|
|
|
|
"0x00000004 Deny execution when there is security violation.<BR>\n"
|
|
|
|
|
"0x00000005 Query user when there is security violation.<BR>"
|
2014-08-28 07:49:39 +02:00
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_ERR_80000001 #language en-US "Invalid value provided."
|
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdRemovableMediaImageVerificationPolicy_PROMPT #language en-US "Set policy for the image from removable media."
|
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdRemovableMediaImageVerificationPolicy_HELP #language en-US "Image verification policy for removable media which includes CD-ROM, Floppy, USB and network. Only following values are valid:<BR><BR>\n"
|
2014-09-03 10:51:17 +02:00
|
|
|
|
"NOTE: Do NOT use 0x5 and 0x2 since it violates the UEFI specification and has been removed.<BR>\n"
|
|
|
|
|
"0x00000000 Always trust the image.<BR>\n"
|
|
|
|
|
"0x00000001 Never trust the image.<BR>\n"
|
|
|
|
|
"0x00000002 Allow execution when there is security violation.<BR>\n"
|
|
|
|
|
"0x00000003 Defer execution when there is security violation.<BR>\n"
|
|
|
|
|
"0x00000004 Deny execution when there is security violation.<BR>\n"
|
|
|
|
|
"0x00000005 Query user when there is security violation.<BR>"
|
2014-08-28 07:49:39 +02:00
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdFixedMediaImageVerificationPolicy_PROMPT #language en-US "Set policy for the image from fixed media."
|
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdFixedMediaImageVerificationPolicy_HELP #language en-US "Image verification policy for fixed media which includes hard disk. Only following values are valid:<BR><BR>\n"
|
2014-09-03 10:51:17 +02:00
|
|
|
|
"NOTE: Do NOT use 0x5 and 0x2 since it violates the UEFI specification and has been removed.<BR>\n"
|
|
|
|
|
"0x00000000 Always trust the image.<BR>\n"
|
|
|
|
|
"0x00000001 Never trust the image.<BR>\n"
|
|
|
|
|
"0x00000002 Allow execution when there is security violation.<BR>\n"
|
|
|
|
|
"0x00000003 Defer execution when there is security violation.<BR>\n"
|
|
|
|
|
"0x00000004 Deny execution when there is security violation.<BR>\n"
|
|
|
|
|
"0x00000005 Query user when there is security violation.<BR>"
|
2014-08-28 07:49:39 +02:00
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdDeferImageLoadPolicy_PROMPT #language en-US "Set policy whether trust image before user identification."
|
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdDeferImageLoadPolicy_HELP #language en-US "Defer Image Load policy settings. The policy is bitwise. If a bit is set, the image from corresponding device will be trusted when loading. Or the image will be deferred. The deferred image will be checked after user is identified.<BR><BR>\n"
|
2014-09-03 10:51:17 +02:00
|
|
|
|
"BIT0 - Image from unknown device. <BR>\n"
|
|
|
|
|
"BIT1 - Image from firmware volume.<BR>\n"
|
|
|
|
|
"BIT2 - Image from OptionRom.<BR>\n"
|
|
|
|
|
"BIT3 - Image from removable media which includes CD-ROM, Floppy, USB and network.<BR>\n"
|
|
|
|
|
"BIT4 - Image from fixed media device which includes hard disk.<BR>"
|
2014-08-28 07:49:39 +02:00
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_ERR_80000002 #language en-US "Reserved bits must be set to zero."
|
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdFixedUsbCredentialProviderTokenFileName_PROMPT #language en-US "File name to save credential."
|
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdFixedUsbCredentialProviderTokenFileName_HELP #language en-US "Null-terminated Unicode string of the file name that is the default name to save USB credential. The specified file should be saved at the root directory of USB storage disk."
|
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdMaxAppendVariableSize_PROMPT #language en-US "Max variable size for append operation."
|
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdMaxAppendVariableSize_HELP #language en-US "The size of Append variable buffer. This buffer is reserved for runtime use, OS can append data into one existing variable. Note: This PCD is not been used."
|
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpmPlatformClass_PROMPT #language en-US "Select platform type."
|
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpmPlatformClass_HELP #language en-US "Specifies the type of TCG platform that contains TPM chip.<BR><BR>\n"
|
2014-09-03 10:51:17 +02:00
|
|
|
|
"If 0, TCG platform type is PC client.<BR>\n"
|
|
|
|
|
"If 1, TCG platform type is PC server.<BR>"
|
2014-08-28 07:49:39 +02:00
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpmPhysicalPresence_PROMPT #language en-US "Physical presence of the platform operator."
|
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpmPhysicalPresence_HELP #language en-US "Indicates the presence or absence of the platform operator during firmware booting. If platform operator is not physical presnece during boot. TPM will be locked and the TPM commands that required operator physical presence can not run.<BR><BR>\n"
|
2014-09-03 10:51:17 +02:00
|
|
|
|
"TRUE - The platform operator is physically present.<BR>\n"
|
|
|
|
|
"FALSE - The platform operator is not physically present.<BR>"
|
2014-08-28 07:49:39 +02:00
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdPhysicalPresenceLifetimeLock_PROMPT #language en-US "Lock TPM physical presence asserting method."
|
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdPhysicalPresenceLifetimeLock_HELP #language en-US "Indicates whether TPM physical presence is locked during platform initialization. Once it is locked, it can not be unlocked for TPM life time.<BR><BR>\n"
|
2014-09-03 10:51:17 +02:00
|
|
|
|
"TRUE - Lock TPM physical presence asserting method.<BR>\n"
|
|
|
|
|
"FALSE - Not lock TPM physical presence asserting method.<BR>"
|
2014-08-28 07:49:39 +02:00
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdPhysicalPresenceCmdEnable_PROMPT #language en-US "Enable software method of asserting physical presence."
|
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdPhysicalPresenceCmdEnable_HELP #language en-US "Indicates whether the platform supports the software method of asserting physical presence.<BR><BR>\n"
|
2014-09-03 10:51:17 +02:00
|
|
|
|
"TRUE - Supports the software method of asserting physical presence.<BR>\n"
|
|
|
|
|
"FALSE - Does not support the software method of asserting physical presence.<BR>"
|
2014-08-28 07:49:39 +02:00
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdPhysicalPresenceHwEnable_PROMPT #language en-US "Enable hardware method of asserting physical presence."
|
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdPhysicalPresenceHwEnable_HELP #language en-US "Indicates whether the platform supports the hardware method of asserting physical presence.<BR><BR>\n"
|
2014-09-03 10:51:17 +02:00
|
|
|
|
"TRUE - Supports the hardware method of asserting physical presence.<BR>\n"
|
|
|
|
|
"FALSE - Does not support the hardware method of asserting physical presence.<BR>"
|
2014-08-28 07:49:39 +02:00
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdFirmwareDebuggerInitialized_PROMPT #language en-US "Firmware debugger status."
|
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdFirmwareDebuggerInitialized_HELP #language en-US "This PCD indicates if debugger exists. <BR><BR>\n"
|
2014-09-03 10:51:17 +02:00
|
|
|
|
"TRUE - Firmware debugger exists.<BR>\n"
|
|
|
|
|
"FALSE - Firmware debugger doesn't exist.<BR>"
|
2014-08-28 07:49:39 +02:00
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2InitializationPolicy_PROMPT #language en-US "TPM 2.0 device initialization policy.<BR>"
|
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2InitializationPolicy_HELP #language en-US "This PCD indicates the initialization policy for TPM 2.0.<BR><BR>\n"
|
2014-09-03 10:51:17 +02:00
|
|
|
|
"If 0, no initialization needed - most likely used for chipset SRTM solution, in which TPM is already initialized.<BR>\n"
|
|
|
|
|
"If 1, initialization needed.<BR>"
|
2014-08-28 07:49:39 +02:00
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpmInitializationPolicy_PROMPT #language en-US "TPM 1.2 device initialization policy."
|
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpmInitializationPolicy_HELP #language en-US "This PCD indicates the initialization policy for TPM 1.2.<BR><BR>\n"
|
2014-09-03 10:51:17 +02:00
|
|
|
|
"If 0, no initialization needed - most likely used for chipset SRTM solution, in which TPM is already initialized.<BR>\n"
|
|
|
|
|
"If 1, initialization needed.<BR>"
|
2014-08-28 07:49:39 +02:00
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2SelfTestPolicy_PROMPT #language en-US "TPM 2.0 device selftest."
|
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2SelfTestPolicy_HELP #language en-US "This PCD indicates the TPM 2.0 SelfTest policy.<BR><BR>\n"
|
2014-09-03 10:51:17 +02:00
|
|
|
|
"if 0, no SelfTest needed - most likely used for fTPM, because it might already be tested.<BR>\n"
|
|
|
|
|
"if 1, SelfTest needed.<BR>"
|
2014-08-28 07:49:39 +02:00
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2ScrtmPolicy_PROMPT #language en-US "SCRTM policy setting for TPM 2.0 device."
|
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2ScrtmPolicy_HELP #language en-US "This PCD indicates Static Core Root of Trust for Measurement (SCRTM) policy using TPM 2.0.<BR><BR>\n"
|
2014-09-03 10:51:17 +02:00
|
|
|
|
"if 0, no SCRTM measurement needed - In this case, it is already done.<BR>\n"
|
|
|
|
|
"if 1, SCRTM measurement done by BIOS.<BR>"
|
2014-08-28 07:49:39 +02:00
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpmScrtmPolicy_PROMPT #language en-US "SCRTM policy setting for TPM 1.2 device"
|
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpmScrtmPolicy_HELP #language en-US "This PCD indicates Static Core Root of Trust for Measurement (SCRTM) policy using TPM 1.2.<BR><BR>\n"
|
2014-09-03 10:51:17 +02:00
|
|
|
|
"if 0, no SCRTM measurement needed - In this case, it is already done.<BR>\n"
|
|
|
|
|
"if 1, SCRTM measurement done by BIOS.<BR>"
|
2014-08-28 07:49:39 +02:00
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpmInstanceGuid_PROMPT #language en-US "TPM device type identifier"
|
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpmInstanceGuid_HELP #language en-US "Guid name to identify TPM instance.<BR><BR>\n"
|
2014-09-03 10:51:17 +02:00
|
|
|
|
"TPM_DEVICE_INTERFACE_NONE means disable.<BR>\n"
|
|
|
|
|
"TPM_DEVICE_INTERFACE_TPM12 means TPM 1.2 DTPM.<BR>\n"
|
2015-05-14 07:03:55 +02:00
|
|
|
|
"TPM_DEVICE_INTERFACE_DTPM2 means TPM 2.0 DTPM.<BR>\n"
|
|
|
|
|
"Other GUID value means other TPM 2.0 device.<BR>"
|
2014-08-28 07:49:39 +02:00
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2HashMask_PROMPT #language en-US "Hash mask for TPM 2.0"
|
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2HashMask_HELP #language en-US "This PCD indicates Hash mask for TPM 2.0.<BR><BR>\n"
|
2014-09-03 10:51:17 +02:00
|
|
|
|
"If this bit is set, that means this algorithm is needed to extend to PCR.<BR>\n"
|
|
|
|
|
"If this bit is clear, that means this algorithm is NOT needed to extend to PCR.<BR>\n"
|
|
|
|
|
"BIT0 - SHA1.<BR>\n"
|
|
|
|
|
"BIT1 - SHA256.<BR>\n"
|
|
|
|
|
"BIT2 - SHA384.<BR>\n"
|
|
|
|
|
"BIT3 - SHA512.<BR>"
|
2014-08-28 07:49:39 +02:00
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpmAutoDetection_PROMPT #language en-US "TPM type detection."
|
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpmAutoDetection_HELP #language en-US "This PCD indicates if BIOS auto detect TPM1.2 or dTPM2.0.<BR><BR>\n"
|
2014-09-03 10:51:17 +02:00
|
|
|
|
"FALSE - No auto detection.<BR>\n"
|
|
|
|
|
"TRUE - Auto detection.<BR>"
|
2014-08-28 07:49:39 +02:00
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpmBaseAddress_PROMPT #language en-US "TPM device address."
|
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpmBaseAddress_HELP #language en-US "This PCD indicates TPM base address.<BR><BR>"
|
|
|
|
|
|
2015-07-28 03:38:14 +02:00
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdStatusCodeSubClassTpmDevice_PROMPT #language en-US "Status Code for TPM device definitions"
|
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdStatusCodeSubClassTpmDevice_HELP #language en-US "Progress Code for TPM device subclass definitions.<BR><BR>\n"
|
|
|
|
|
"EFI_PERIPHERAL_TPM = (EFI_PERIPHERAL | 0x000D0000) = 0x010D0000<BR>"
|
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdRsa2048Sha256PublicKeyBuffer_PROMPT #language en-US "One or more SHA 256 Hashes of RSA 2048 bit public keys used to verify Recovery and Capsule Update images"
|
|
|
|
|
|
|
|
|
|
#string STR_gEfiSecurityPkgTokenSpaceGuid_PcdRsa2048Sha256PublicKeyBuffer_HELP #language en-US "Provides one or more SHA 256 Hashes of the RSA 2048 public keys used to verify Recovery and Capsule Update images\n"
|
|
|
|
|
|
2014-08-28 07:49:39 +02:00
|
|
|
|
|