mirror of https://github.com/acidanthera/audk.git
Add Physical Presence request UI detection logic. Refine UIConfirm ReadKey logic
Signed-off-by : chao zhang <chao.b.zhang@intel.com> Reviewed-by : dong guo <guo.dong@intel.com> git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13908 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
parent
16cd325fc1
commit
482114024e
SecurityPkg
|
@ -2,7 +2,7 @@
|
||||||
Ihis library is intended to be used by BDS modules.
|
Ihis library is intended to be used by BDS modules.
|
||||||
This library will lock TPM after executing TPM request.
|
This library will lock TPM after executing TPM request.
|
||||||
|
|
||||||
Copyright (c) 2011, Intel Corporation. All rights reserved.<BR>
|
Copyright (c) 2011 - 2012, Intel Corporation. All rights reserved.<BR>
|
||||||
This program and the accompanying materials
|
This program and the accompanying materials
|
||||||
are licensed and made available under the terms and conditions of the BSD License
|
are licensed and made available under the terms and conditions of the BSD License
|
||||||
which accompanies this distribution. The full text of the license may be found at
|
which accompanies this distribution. The full text of the license may be found at
|
||||||
|
@ -35,4 +35,20 @@ TcgPhysicalPresenceLibProcessRequest (
|
||||||
VOID
|
VOID
|
||||||
);
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
Check if the pending TPM request needs user input to confirm.
|
||||||
|
|
||||||
|
The TPM request may come from OS. This API will check if TPM request exists and need user
|
||||||
|
input to confirmation.
|
||||||
|
|
||||||
|
@retval TRUE TPM needs input to confirm user physical presence.
|
||||||
|
@retval FALSE TPM doesn't need input to confirm user physical presence.
|
||||||
|
|
||||||
|
**/
|
||||||
|
BOOLEAN
|
||||||
|
EFIAPI
|
||||||
|
TcgPhysicalPresenceLibNeedUserConfirm(
|
||||||
|
VOID
|
||||||
|
);
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
|
@ -440,7 +440,7 @@ ExecutePhysicalPresence (
|
||||||
If false, F10 is used as confirm key.
|
If false, F10 is used as confirm key.
|
||||||
|
|
||||||
@retval TRUE User confirmed the changes by input.
|
@retval TRUE User confirmed the changes by input.
|
||||||
@retval FALSE User discarded the changes.
|
@retval FALSE User discarded the changes or device error.
|
||||||
|
|
||||||
**/
|
**/
|
||||||
BOOLEAN
|
BOOLEAN
|
||||||
|
@ -451,12 +451,20 @@ ReadUserKey (
|
||||||
EFI_STATUS Status;
|
EFI_STATUS Status;
|
||||||
EFI_INPUT_KEY Key;
|
EFI_INPUT_KEY Key;
|
||||||
UINT16 InputKey;
|
UINT16 InputKey;
|
||||||
|
UINTN Index;
|
||||||
|
|
||||||
InputKey = 0;
|
InputKey = 0;
|
||||||
do {
|
do {
|
||||||
Status = gBS->CheckEvent (gST->ConIn->WaitForKey);
|
|
||||||
if (!EFI_ERROR (Status)) {
|
|
||||||
Status = gST->ConIn->ReadKeyStroke (gST->ConIn, &Key);
|
Status = gST->ConIn->ReadKeyStroke (gST->ConIn, &Key);
|
||||||
|
if (Status == EFI_NOT_READY) {
|
||||||
|
gBS->WaitForEvent (1, &gST->ConIn->WaitForKey, &Index);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (Status == EFI_DEVICE_ERROR) {
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
if (Key.ScanCode == SCAN_ESC) {
|
if (Key.ScanCode == SCAN_ESC) {
|
||||||
InputKey = Key.ScanCode;
|
InputKey = Key.ScanCode;
|
||||||
}
|
}
|
||||||
|
@ -466,7 +474,6 @@ ReadUserKey (
|
||||||
if ((Key.ScanCode == SCAN_F12) && CautionKey) {
|
if ((Key.ScanCode == SCAN_F12) && CautionKey) {
|
||||||
InputKey = Key.ScanCode;
|
InputKey = Key.ScanCode;
|
||||||
}
|
}
|
||||||
}
|
|
||||||
} while (InputKey == 0);
|
} while (InputKey == 0);
|
||||||
|
|
||||||
if (InputKey != SCAN_ESC) {
|
if (InputKey != SCAN_ESC) {
|
||||||
|
@ -885,6 +892,103 @@ UserConfirm (
|
||||||
return FALSE;
|
return FALSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
Check if there is a valid physical presence command request. Also updates parameter value
|
||||||
|
to whether the requested physical presence command already confirmed by user
|
||||||
|
|
||||||
|
@param[in] TcgProtocol EFI TCG Protocol instance.
|
||||||
|
@param[out] RequestConfirmed If the physical presence operation command required user confirm from UI.
|
||||||
|
True, it indicates the command doesn't require user confirm, or already confirmed
|
||||||
|
in last boot cycle by user.
|
||||||
|
False, it indicates the command need user confirm from UI.
|
||||||
|
|
||||||
|
@retval TRUE Physical Presence operation command is valid.
|
||||||
|
@retval FALSE Physical Presence operation command is invalid.
|
||||||
|
|
||||||
|
**/
|
||||||
|
BOOLEAN
|
||||||
|
HaveValidTpmRequest (
|
||||||
|
IN EFI_PHYSICAL_PRESENCE *TcgPpData,
|
||||||
|
OUT BOOLEAN *RequestConfirmed
|
||||||
|
)
|
||||||
|
{
|
||||||
|
UINT8 Flags;
|
||||||
|
|
||||||
|
Flags = TcgPpData->Flags;
|
||||||
|
*RequestConfirmed = FALSE;
|
||||||
|
|
||||||
|
switch (TcgPpData->PPRequest) {
|
||||||
|
case PHYSICAL_PRESENCE_NO_ACTION:
|
||||||
|
*RequestConfirmed = TRUE;
|
||||||
|
return TRUE;
|
||||||
|
case PHYSICAL_PRESENCE_ENABLE:
|
||||||
|
case PHYSICAL_PRESENCE_DISABLE:
|
||||||
|
case PHYSICAL_PRESENCE_ACTIVATE:
|
||||||
|
case PHYSICAL_PRESENCE_DEACTIVATE:
|
||||||
|
case PHYSICAL_PRESENCE_ENABLE_ACTIVATE:
|
||||||
|
case PHYSICAL_PRESENCE_DEACTIVATE_DISABLE:
|
||||||
|
case PHYSICAL_PRESENCE_SET_OWNER_INSTALL_TRUE:
|
||||||
|
case PHYSICAL_PRESENCE_SET_OWNER_INSTALL_FALSE:
|
||||||
|
case PHYSICAL_PRESENCE_ENABLE_ACTIVATE_OWNER_TRUE:
|
||||||
|
case PHYSICAL_PRESENCE_DEACTIVATE_DISABLE_OWNER_FALSE:
|
||||||
|
case PHYSICAL_PRESENCE_SET_OPERATOR_AUTH:
|
||||||
|
if ((Flags & FLAG_NO_PPI_PROVISION) != 0) {
|
||||||
|
*RequestConfirmed = TRUE;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
|
||||||
|
case PHYSICAL_PRESENCE_CLEAR:
|
||||||
|
case PHYSICAL_PRESENCE_ENABLE_ACTIVATE_CLEAR:
|
||||||
|
if ((Flags & FLAG_NO_PPI_CLEAR) != 0) {
|
||||||
|
*RequestConfirmed = TRUE;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
|
||||||
|
case PHYSICAL_PRESENCE_DEFERRED_PP_UNOWNERED_FIELD_UPGRADE:
|
||||||
|
if ((Flags & FLAG_NO_PPI_MAINTENANCE) != 0) {
|
||||||
|
*RequestConfirmed = TRUE;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
|
||||||
|
case PHYSICAL_PRESENCE_CLEAR_ENABLE_ACTIVATE:
|
||||||
|
case PHYSICAL_PRESENCE_ENABLE_ACTIVATE_CLEAR_ENABLE_ACTIVATE:
|
||||||
|
if ((Flags & FLAG_NO_PPI_CLEAR) != 0 && (Flags & FLAG_NO_PPI_PROVISION) != 0) {
|
||||||
|
*RequestConfirmed = TRUE;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
|
||||||
|
case PHYSICAL_PRESENCE_SET_NO_PPI_PROVISION_FALSE:
|
||||||
|
case PHYSICAL_PRESENCE_SET_NO_PPI_CLEAR_FALSE:
|
||||||
|
case PHYSICAL_PRESENCE_SET_NO_PPI_MAINTENANCE_FALSE:
|
||||||
|
*RequestConfirmed = TRUE;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case PHYSICAL_PRESENCE_SET_NO_PPI_PROVISION_TRUE:
|
||||||
|
case PHYSICAL_PRESENCE_SET_NO_PPI_CLEAR_TRUE:
|
||||||
|
case PHYSICAL_PRESENCE_SET_NO_PPI_MAINTENANCE_TRUE:
|
||||||
|
break;
|
||||||
|
|
||||||
|
default:
|
||||||
|
//
|
||||||
|
// Wrong Physical Presence command
|
||||||
|
//
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ((Flags & FLAG_RESET_TRACK) != 0) {
|
||||||
|
//
|
||||||
|
// It had been confirmed in last boot, it doesn't need confirm again.
|
||||||
|
//
|
||||||
|
*RequestConfirmed = TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
//
|
||||||
|
// Physical Presence command is correct
|
||||||
|
//
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
Check and execute the requested physical presence command.
|
Check and execute the requested physical presence command.
|
||||||
|
|
||||||
|
@ -904,62 +1008,16 @@ ExecutePendingTpmRequest (
|
||||||
{
|
{
|
||||||
EFI_STATUS Status;
|
EFI_STATUS Status;
|
||||||
UINTN DataSize;
|
UINTN DataSize;
|
||||||
UINT8 Flags;
|
|
||||||
BOOLEAN RequestConfirmed;
|
BOOLEAN RequestConfirmed;
|
||||||
|
|
||||||
Flags = TcgPpData->Flags;
|
if (TcgPpData->PPRequest == PHYSICAL_PRESENCE_NO_ACTION) {
|
||||||
RequestConfirmed = FALSE;
|
//
|
||||||
switch (TcgPpData->PPRequest) {
|
// No operation request
|
||||||
case PHYSICAL_PRESENCE_NO_ACTION:
|
//
|
||||||
return;
|
return;
|
||||||
case PHYSICAL_PRESENCE_ENABLE:
|
|
||||||
case PHYSICAL_PRESENCE_DISABLE:
|
|
||||||
case PHYSICAL_PRESENCE_ACTIVATE:
|
|
||||||
case PHYSICAL_PRESENCE_DEACTIVATE:
|
|
||||||
case PHYSICAL_PRESENCE_ENABLE_ACTIVATE:
|
|
||||||
case PHYSICAL_PRESENCE_DEACTIVATE_DISABLE:
|
|
||||||
case PHYSICAL_PRESENCE_SET_OWNER_INSTALL_TRUE:
|
|
||||||
case PHYSICAL_PRESENCE_SET_OWNER_INSTALL_FALSE:
|
|
||||||
case PHYSICAL_PRESENCE_ENABLE_ACTIVATE_OWNER_TRUE:
|
|
||||||
case PHYSICAL_PRESENCE_DEACTIVATE_DISABLE_OWNER_FALSE:
|
|
||||||
case PHYSICAL_PRESENCE_SET_OPERATOR_AUTH:
|
|
||||||
if ((Flags & FLAG_NO_PPI_PROVISION) != 0) {
|
|
||||||
RequestConfirmed = TRUE;
|
|
||||||
}
|
}
|
||||||
break;
|
|
||||||
|
|
||||||
case PHYSICAL_PRESENCE_CLEAR:
|
if (!HaveValidTpmRequest(TcgPpData, &RequestConfirmed)) {
|
||||||
case PHYSICAL_PRESENCE_ENABLE_ACTIVATE_CLEAR:
|
|
||||||
if ((Flags & FLAG_NO_PPI_CLEAR) != 0) {
|
|
||||||
RequestConfirmed = TRUE;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
|
|
||||||
case PHYSICAL_PRESENCE_DEFERRED_PP_UNOWNERED_FIELD_UPGRADE:
|
|
||||||
if ((Flags & FLAG_NO_PPI_MAINTENANCE) != 0) {
|
|
||||||
RequestConfirmed = TRUE;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
|
|
||||||
case PHYSICAL_PRESENCE_CLEAR_ENABLE_ACTIVATE:
|
|
||||||
case PHYSICAL_PRESENCE_ENABLE_ACTIVATE_CLEAR_ENABLE_ACTIVATE:
|
|
||||||
if ((Flags & FLAG_NO_PPI_CLEAR) != 0 && (Flags & FLAG_NO_PPI_PROVISION) != 0) {
|
|
||||||
RequestConfirmed = TRUE;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
|
|
||||||
case PHYSICAL_PRESENCE_SET_NO_PPI_PROVISION_FALSE:
|
|
||||||
case PHYSICAL_PRESENCE_SET_NO_PPI_CLEAR_FALSE:
|
|
||||||
case PHYSICAL_PRESENCE_SET_NO_PPI_MAINTENANCE_FALSE:
|
|
||||||
RequestConfirmed = TRUE;
|
|
||||||
break;
|
|
||||||
|
|
||||||
case PHYSICAL_PRESENCE_SET_NO_PPI_PROVISION_TRUE:
|
|
||||||
case PHYSICAL_PRESENCE_SET_NO_PPI_CLEAR_TRUE:
|
|
||||||
case PHYSICAL_PRESENCE_SET_NO_PPI_MAINTENANCE_TRUE:
|
|
||||||
break;
|
|
||||||
|
|
||||||
default:
|
|
||||||
//
|
//
|
||||||
// Invalid operation request.
|
// Invalid operation request.
|
||||||
//
|
//
|
||||||
|
@ -977,13 +1035,6 @@ ExecutePendingTpmRequest (
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((Flags & FLAG_RESET_TRACK) != 0) {
|
|
||||||
//
|
|
||||||
// It had been confirmed in last boot, it doesn't need confirm again.
|
|
||||||
//
|
|
||||||
RequestConfirmed = TRUE;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!RequestConfirmed) {
|
if (!RequestConfirmed) {
|
||||||
//
|
//
|
||||||
// Print confirm text and wait for approval.
|
// Print confirm text and wait for approval.
|
||||||
|
@ -1149,3 +1200,88 @@ TcgPhysicalPresenceLibProcessRequest (
|
||||||
TpmPhysicalPresence (TcgProtocol, TPM_PHYSICAL_PRESENCE_NOTPRESENT | TPM_PHYSICAL_PRESENCE_LOCK);
|
TpmPhysicalPresence (TcgProtocol, TPM_PHYSICAL_PRESENCE_NOTPRESENT | TPM_PHYSICAL_PRESENCE_LOCK);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
Check if the pending TPM request needs user input to confirm.
|
||||||
|
|
||||||
|
The TPM request may come from OS. This API will check if TPM request exists and need user
|
||||||
|
input to confirmation.
|
||||||
|
|
||||||
|
@retval TRUE TPM needs input to confirm user physical presence.
|
||||||
|
@retval FALSE TPM doesn't need input to confirm user physical presence.
|
||||||
|
|
||||||
|
**/
|
||||||
|
BOOLEAN
|
||||||
|
EFIAPI
|
||||||
|
TcgPhysicalPresenceLibNeedUserConfirm(
|
||||||
|
VOID
|
||||||
|
)
|
||||||
|
{
|
||||||
|
EFI_STATUS Status;
|
||||||
|
EFI_PHYSICAL_PRESENCE TcgPpData;
|
||||||
|
UINTN DataSize;
|
||||||
|
BOOLEAN RequestConfirmed;
|
||||||
|
BOOLEAN LifetimeLock;
|
||||||
|
BOOLEAN CmdEnable;
|
||||||
|
EFI_TCG_PROTOCOL *TcgProtocol;
|
||||||
|
|
||||||
|
Status = gBS->LocateProtocol (&gEfiTcgProtocolGuid, NULL, (VOID **)&TcgProtocol);
|
||||||
|
if (EFI_ERROR (Status)) {
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
//
|
||||||
|
// Check Tpm requests
|
||||||
|
//
|
||||||
|
DataSize = sizeof (EFI_PHYSICAL_PRESENCE);
|
||||||
|
Status = gRT->GetVariable (
|
||||||
|
PHYSICAL_PRESENCE_VARIABLE,
|
||||||
|
&gEfiPhysicalPresenceGuid,
|
||||||
|
NULL,
|
||||||
|
&DataSize,
|
||||||
|
&TcgPpData
|
||||||
|
);
|
||||||
|
if (EFI_ERROR (Status)) {
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (TcgPpData.PPRequest == PHYSICAL_PRESENCE_NO_ACTION) {
|
||||||
|
//
|
||||||
|
// No operation request
|
||||||
|
//
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!HaveValidTpmRequest(&TcgPpData, &RequestConfirmed)) {
|
||||||
|
//
|
||||||
|
// Invalid operation request.
|
||||||
|
//
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
//
|
||||||
|
// Check Tpm Capability
|
||||||
|
//
|
||||||
|
Status = GetTpmCapability (TcgProtocol, &LifetimeLock, &CmdEnable);
|
||||||
|
if (EFI_ERROR (Status)) {
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!CmdEnable) {
|
||||||
|
if (LifetimeLock) {
|
||||||
|
//
|
||||||
|
// physicalPresenceCMDEnable is locked, can't execute physical presence command.
|
||||||
|
//
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!RequestConfirmed) {
|
||||||
|
//
|
||||||
|
// Need UI to confirm
|
||||||
|
//
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue