Enhance TCG driver to provide TPM physical presence lifetime lock capability.

Signed-off-by: Dong Guo <guo.dong@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com> Reviewed-by: Yao Jiewen <jiewen.yao@intel.com> git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13555 6f19259b-4bc3-4df7-8a09-765794883524
2012-07-26 05:11:47 +00:00 · 2012-07-26 05:11:47 +00:00 · 5a50033236
parent 4a23eaa9e0
commit 5a50033236
3 changed files with 63 additions and 12 deletions
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@ -147,3 +147,17 @@
  ## This PCD indicates the presence or absence of the platform operator.
  gEfiSecurityPkgTokenSpaceGuid.PcdTpmPhysicalPresence|TRUE|BOOLEAN|0x00010001

+[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
+  ## This PCD indicates whether to set TPM physicalPresenceLifetimeLock bit.
+  ## Once this bit is set, it can not be cleared (It is locked for TPM life time).
+  gEfiSecurityPkgTokenSpaceGuid.PcdPhysicalPresenceLifetimeLock|FALSE|BOOLEAN|0x00010003
+  
+[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
+  ## This PCD is used to specify the default value for physicalPresenceCMDEnable bit when setting physicalPresenceLifetimeLock bit.
+  ## If PcdPhysicalPresenceCmdEnable is set to TRUE, physicalPresenceCMDEnable bit will be set, else this bit will be cleared.
+  gEfiSecurityPkgTokenSpaceGuid.PcdPhysicalPresenceCmdEnable|TRUE|BOOLEAN|0x00010004
+  
+[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
+  ## This PCD is used to specify the default value for physicalPresenceHWEnable bit when setting physicalPresenceLifetimeLock bit.
+  ## If PcdPhysicalPresenceHwEnable is set to TRUE, physicalPresenceHWEnable bit will be set, else this bit will be cleared.
+  gEfiSecurityPkgTokenSpaceGuid.PcdPhysicalPresenceHwEnable|TRUE|BOOLEAN|0x00010005
--- a/SecurityPkg/Tcg/TcgPei/TcgPei.c
+++ b/SecurityPkg/Tcg/TcgPei/TcgPei.c
@ -1,7 +1,7 @@
 /** @file
  Initialize TPM device and measure FVs before handing off control to DXE.

-Copyright (c) 2005 - 2011, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2005 - 2012, Intel Corporation. All rights reserved.<BR>
 This program and the accompanying materials 
 are licensed and made available under the terms and conditions of the BSD License 
 which accompanies this distribution.  The full text of the license may be found at 
@ -379,7 +379,8 @@ FirmwareVolmeInfoPpiNotifyCallback (
 }

 /**
-  Lock physical presence if needed.
+  Set physicalPresenceLifetimeLock, physicalPresenceHWEnable and physicalPresenceCMDEnable bit by corresponding PCDs.
+  And lock physical presence if needed.

  @param[in] PeiServices        An indirect pointer to the EFI_PEI_SERVICES table published by the PEI Foundation
  @param[in] NotifyDescriptor   Address of the notification descriptor data structure.
@ -403,23 +404,56 @@ PhysicalPresencePpiNotifyCallback (
  BOOLEAN                           LifetimeLock;
  BOOLEAN                           CmdEnable;
  TIS_TPM_HANDLE                    TpmHandle;
+  TPM_PHYSICAL_PRESENCE             PhysicalPresenceValue;

  TpmHandle        = (TIS_TPM_HANDLE) (UINTN) TPM_BASE_ADDRESS;
-  LockPhysicalPresencePpi = (PEI_LOCK_PHYSICAL_PRESENCE_PPI *) Ppi;
-
-  if (!LockPhysicalPresencePpi->LockPhysicalPresence ((CONST EFI_PEI_SERVICES**) PeiServices)) {
-    return EFI_SUCCESS;
-  }
-
-  //
-  // Lock TPM physical presence.
-  //

  Status = TpmCommGetCapability (PeiServices, TpmHandle, NULL, &LifetimeLock, &CmdEnable);
  if (EFI_ERROR (Status)) {
    return Status;
  }

+  //
+  // 1. Set physicalPresenceLifetimeLock, physicalPresenceHWEnable and physicalPresenceCMDEnable bit by PCDs.
+  //
+  if (PcdGetBool (PcdPhysicalPresenceLifetimeLock) && !LifetimeLock) {
+    //
+    // Lock TPM LifetimeLock is required, and LifetimeLock is not locked yet. 
+    //
+    PhysicalPresenceValue = TPM_PHYSICAL_PRESENCE_LIFETIME_LOCK;
+
+    if (PcdGetBool (PcdPhysicalPresenceCmdEnable)) {
+      PhysicalPresenceValue |= TPM_PHYSICAL_PRESENCE_CMD_ENABLE;
+      CmdEnable = TRUE;
+    } else {
+      PhysicalPresenceValue |= TPM_PHYSICAL_PRESENCE_CMD_DISABLE;
+      CmdEnable = FALSE;
+    }
+
+    if (PcdGetBool (PcdPhysicalPresenceHwEnable)) {
+      PhysicalPresenceValue |= TPM_PHYSICAL_PRESENCE_HW_ENABLE;
+    } else {
+      PhysicalPresenceValue |= TPM_PHYSICAL_PRESENCE_HW_DISABLE;
+    }      
+     
+    Status = TpmCommPhysicalPresence (
+               PeiServices,
+               TpmHandle,
+               PhysicalPresenceValue
+               );
+    if (EFI_ERROR (Status)) {
+      return Status;
+    }
+  }
+  
+  //
+  // 2. Lock physical presence if it is required.
+  //
+  LockPhysicalPresencePpi = (PEI_LOCK_PHYSICAL_PRESENCE_PPI *) Ppi;
+  if (!LockPhysicalPresencePpi->LockPhysicalPresence ((CONST EFI_PEI_SERVICES**) PeiServices)) {
+    return EFI_SUCCESS;
+  }
+
  if (!CmdEnable) {
    if (LifetimeLock) {
      //
--- a/SecurityPkg/Tcg/TcgPei/TcgPei.inf
+++ b/SecurityPkg/Tcg/TcgPei/TcgPei.inf
@ -1,7 +1,7 @@
 ## @file
 #  This module will initialize TPM device and measure FVs in PEI phase.
 #
-# Copyright (c) 2006 - 2011, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2006 - 2012, Intel Corporation. All rights reserved.<BR>
 # This program and the accompanying materials
 # are licensed and made available under the terms and conditions of the BSD License
 # which accompanies this distribution. The full text of the license may be found at
@ -57,6 +57,9 @@

 [Pcd]
  gEfiSecurityPkgTokenSpaceGuid.PcdHideTpm
+  gEfiSecurityPkgTokenSpaceGuid.PcdPhysicalPresenceLifetimeLock
+  gEfiSecurityPkgTokenSpaceGuid.PcdPhysicalPresenceCmdEnable
+  gEfiSecurityPkgTokenSpaceGuid.PcdPhysicalPresenceHwEnable

 [FixedPcd]
  gEfiSecurityPkgTokenSpaceGuid.PcdHideTpmSupport