tyler.durden/audk
1
0
Fork 0
mirror of https://github.com/acidanthera/audk.git synced 2025-04-08 17:05:09 +02:00
Code Issues Packages Projects Releases Wiki Activity

SecurityPkg/TcgMor: move TPer Reset operation to this module

Browse Source 
The TPer Reset operation is a common logic. So it's added into
SecurityPkg/Tcg/MemoryOverwriteControl/TcgMor.inf module and
would be triggered at EndOfDxe.

By this way, all encrypted drives which produce EFI_STORAGE_SECURITY_
RPOTOCOL interface would be force reset when MOR is set.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Tian Feng <feng.tian@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>

git-svn-id: https://svn.code.sf.net/p/edk2/code/trunk/edk2@17718 6f19259b-4bc3-4df7-8a09-765794883524
This commit is contained in:
Tian Feng 2015-06-26 08:42:46 +00:00 committed by erictian
parent 857ce453d4
commit 495ee9b851
3 changed files with 292 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

264
SecurityPkg/Tcg/MemoryOverwriteControl/TcgMor.c
View File

@ -2,9 +2,10 @@
TCG MOR (Memory Overwrite Request) Control Driver.
This driver initilize MemoryOverwriteRequestControl variable. It
will clear MOR_CLEAR_MEMORY_BIT bit if it is set.
will clear MOR_CLEAR_MEMORY_BIT bit if it is set. It will also do TPer Reset for
those encrypted drives through EFI_STORAGE_SECURITY_COMMAND_PROTOCOL at EndOfDxe.
Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>
Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@ -63,6 +64,242 @@ OnReadyToBoot (
}
}
/**
Send TPer Reset command to reset eDrive to lock all protected bands.
Typically, there are 2 mechanism for resetting eDrive. They are:
1. TPer Reset through IEEE 1667 protocol.
2. TPer Reset through native TCG protocol.
This routine will detect what protocol the attached eDrive comform to, TCG or
IEEE 1667 protocol. Then send out TPer Reset command separately.
@param[in] Ssp The pointer to EFI_STORAGE_SECURITY_COMMAND_PROTOCOL instance.
@param[in] MediaId ID of the medium to receive data from or send data to.
**/
VOID
InitiateTPerReset (
IN EFI_STORAGE_SECURITY_COMMAND_PROTOCOL *Ssp,
IN UINT32 MediaId
)
{
EFI_STATUS Status;
UINT8 *Buffer;
UINTN XferSize;
UINTN Len;
UINTN Index;
BOOLEAN TcgFlag;
BOOLEAN IeeeFlag;
SUPPORTED_SECURITY_PROTOCOLS_PARAMETER_DATA *Data;
Buffer = NULL;
TcgFlag = FALSE;
IeeeFlag = FALSE;
//
// ATA8-ACS 7.57.6.1 indicates the Transfer Length field requirements a multiple of 512.
// If the length of the TRUSTED RECEIVE parameter data is greater than the Transfer Length,
// then the device shall return the TRUSTED RECEIVE parameter data truncated to the requested Transfer Length.
//
Len = ROUNDUP512(sizeof(SUPPORTED_SECURITY_PROTOCOLS_PARAMETER_DATA));
Buffer = AllocateZeroPool(Len);
if (Buffer == NULL) {
return;
}
//
// When the Security Protocol field is set to 00h, and SP Specific is set to 0000h in a TRUSTED RECEIVE
// command, the device basic information data shall be returned.
//
Status = Ssp->ReceiveData (
Ssp,
MediaId,
100000000, // Timeout 10-sec
0, // SecurityProtocol
0, // SecurityProtocolSpecifcData
Len, // PayloadBufferSize,
Buffer, // PayloadBuffer
&XferSize
);
if (EFI_ERROR (Status)) {
goto Exit;
}
//
// In returned data, the ListLength field indicates the total length, in bytes,
// of the supported security protocol list.
//
Data = (SUPPORTED_SECURITY_PROTOCOLS_PARAMETER_DATA*)Buffer;
Len = ROUNDUP512(sizeof (SUPPORTED_SECURITY_PROTOCOLS_PARAMETER_DATA) +
(Data->SupportedSecurityListLength[0] << 8) +
(Data->SupportedSecurityListLength[1])
);
//
// Free original buffer and allocate new buffer.
//
FreePool(Buffer);
Buffer = AllocateZeroPool(Len);
if (Buffer == NULL) {
return;
}
//
// Read full supported security protocol list from device.
//
Status = Ssp->ReceiveData (
Ssp,
MediaId,
100000000, // Timeout 10-sec
0, // SecurityProtocol
0, // SecurityProtocolSpecifcData
Len, // PayloadBufferSize,
Buffer, // PayloadBuffer
&XferSize
);
if (EFI_ERROR (Status)) {
goto Exit;
}
Data = (SUPPORTED_SECURITY_PROTOCOLS_PARAMETER_DATA*)Buffer;
Len = (Data->SupportedSecurityListLength[0] << 8) + Data->SupportedSecurityListLength[1];
//
// Iterate full supported security protocol list to check if TCG or IEEE 1667 protocol
// is supported.
//
for (Index = 0; Index < Len; Index++) {
if (Data->SupportedSecurityProtocol[Index] == SECURITY_PROTOCOL_TCG) {
//
// Found a TCG device.
//
TcgFlag = TRUE;
DEBUG ((EFI_D_INFO, "This device is a TCG protocol device\n"));
break;
}
if (Data->SupportedSecurityProtocol[Index] == SECURITY_PROTOCOL_IEEE1667) {
//
// Found a IEEE 1667 device.
//
IeeeFlag = TRUE;
DEBUG ((EFI_D_INFO, "This device is a IEEE 1667 protocol device\n"));
break;
}
}
if (!TcgFlag && !IeeeFlag) {
DEBUG ((EFI_D_INFO, "Neither a TCG nor IEEE 1667 protocol device is found\n"));
goto Exit;
}
if (TcgFlag) {
//
// As long as TCG protocol is supported, send out a TPer Reset
// TCG command to the device via the TrustedSend command with a non-zero Transfer Length.
//
Status = Ssp->SendData (
Ssp,
MediaId,
100000000, // Timeout 10-sec
SECURITY_PROTOCOL_TCG, // SecurityProtocol
0x0400, // SecurityProtocolSpecifcData
512, // PayloadBufferSize,
Buffer // PayloadBuffer
);
if (!EFI_ERROR (Status)) {
DEBUG ((EFI_D_INFO, "Send TPer Reset Command Successfully !\n"));
} else {
DEBUG ((EFI_D_INFO, "Send TPer Reset Command Fail !\n"));
}
}
if (IeeeFlag) {
//
// TBD : Perform a TPer Reset via IEEE 1667 Protocol
//
DEBUG ((EFI_D_INFO, "IEEE 1667 Protocol didn't support yet!\n"));
}
Exit:
if (Buffer != NULL) {
FreePool(Buffer);
}
}
/**
Notification function of END_OF_DXE.
This is a notification function registered on END_OF_DXE event.
It is to get VarCheckPcdBin.
@param[in] Event Event whose notification function is being invoked.
@param[in] Context Pointer to the notification function's context.
**/
VOID
EFIAPI
TPerResetAtEndOfDxe (
IN EFI_EVENT Event,
IN VOID *Context
)
{
EFI_STORAGE_SECURITY_COMMAND_PROTOCOL *Ssp;
EFI_BLOCK_IO_PROTOCOL *BlockIo;
EFI_STATUS Status;
UINTN HandleCount;
EFI_HANDLE *HandleBuffer;
UINTN Index;
//
// Locate all SSP protocol instances.
//
HandleCount = 0;
HandleBuffer = NULL;
Status = gBS->LocateHandleBuffer (
ByProtocol,
&gEfiStorageSecurityCommandProtocolGuid,
NULL,
&HandleCount,
&HandleBuffer
);
if (EFI_ERROR (Status) || (HandleCount == 0) || (HandleBuffer == NULL)) {
return;
}
for (Index = 0; Index < HandleCount; Index ++) {
//
// Get the SSP interface.
//
Status = gBS->HandleProtocol(
HandleBuffer[Index],
&gEfiStorageSecurityCommandProtocolGuid,
(VOID **) &Ssp
);
if (EFI_ERROR (Status)) {
continue;
}
Status = gBS->HandleProtocol(
HandleBuffer[Index],
&gEfiBlockIoProtocolGuid,
(VOID **) &BlockIo
);
if (EFI_ERROR (Status)) {
continue;
}
InitiateTPerReset (Ssp, BlockIo->Media->MediaId);
}
}
/**
Entry Point for TCG MOR Control driver.
@ -120,8 +357,27 @@ MorDriverEntryPoint (
NULL,
&Event
);
}
if (EFI_ERROR (Status)) {
return Status;
}
//
// Register EFI_END_OF_DXE_EVENT_GROUP_GUID event.
//
DEBUG ((EFI_D_INFO, "TcgMor: Create EndofDxe Event for Mor TPer Reset!\n"));
Status = gBS->CreateEventEx (
EVT_NOTIFY_SIGNAL,
TPL_CALLBACK,
TPerResetAtEndOfDxe,
NULL,
&gEfiEndOfDxeEventGroupGuid,
&Event
);
if (EFI_ERROR (Status)) {
return Status;
}
}
return Status;
}

22
SecurityPkg/Tcg/MemoryOverwriteControl/TcgMor.h
View File

@ -1,7 +1,7 @@
/** @file
The header file for TcgMor.
Copyright (c) 2009 - 2012, Intel Corporation. All rights reserved.<BR>
Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@ -20,9 +20,29 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#include <Guid/MemoryOverwriteControl.h>
#include <Library/UefiDriverEntryPoint.h>
#include <Library/UefiBootServicesTableLib.h>
#include <Library/UefiRuntimeServicesTableLib.h>
#include <Library/DebugLib.h>
#include <Library/UefiLib.h>
#include <Library/MemoryAllocationLib.h>
#include <Protocol/StorageSecurityCommand.h>
#include <Protocol/BlockIo.h>
//
// Supported Security Protocols List Description.
// Refer to ATA8-ACS Spec 7.57.6.2 Table 69 or SPC4 7.7.1.3 Table 511.
//
typedef struct {
UINT8 Reserved1[6];
UINT8 SupportedSecurityListLength[2];
UINT8 SupportedSecurityProtocol[1];
} SUPPORTED_SECURITY_PROTOCOLS_PARAMETER_DATA;
#define SECURITY_PROTOCOL_TCG 0x02
#define SECURITY_PROTOCOL_IEEE1667 0xEE
#define ROUNDUP512(x) (((x) % 512 == 0) ? (x) : ((x) / 512 + 1) * 512)
#endif

13
SecurityPkg/Tcg/MemoryOverwriteControl/TcgMor.inf
View File

@ -1,9 +1,11 @@
## @file
# Initilizes MemoryOverwriteRequestControl variable
#
# This module will clear MOR_CLEAR_MEMORY_BIT bit if it is set.
# This module will clear MOR_CLEAR_MEMORY_BIT bit if it is set. It will also do
# TPer Reset for those encrypted drives through EFI_STORAGE_SECURITY_COMMAND_PROTOCOL
# at EndOfDxe.
#
# Copyright (c) 2009 - 2014, Intel Corporation. All rights reserved.<BR>
# Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at
@ -39,15 +41,22 @@
[LibraryClasses]
UefiDriverEntryPoint
UefiBootServicesTableLib
UefiRuntimeServicesTableLib
ReportStatusCodeLib
DebugLib
UefiLib
MemoryAllocationLib
[Guids]
## SOMETIMES_CONSUMES ## Variable:L"MemoryOverwriteRequestControl"
## PRODUCES ## Variable:L"MemoryOverwriteRequestControl"
gEfiMemoryOverwriteControlDataGuid
gEfiEndOfDxeEventGroupGuid ## SOMETIMES_CONSUMES ## Event
[Protocols]
gEfiStorageSecurityCommandProtocolGuid ## SOMETIMES_CONSUMES
gEfiBlockIoProtocolGuid ## SOMETIMES_CONSUMES
[Depex]
gEfiVariableArchProtocolGuid AND