SecurityPkg/OpalPassword: Add PCD to skip password prompt

https://bugzilla.tianocore.org/show_bug.cgi?id=1801 Add a PCD for skipping password prompt in device unlocked status. Previous change only support if storage device is in locked status. This change is added to support the case that security status of the storage device is unlocked. Signed-off-by: Maggie Chu <maggie.chu@intel.com> Reviewed-by: Eric Dong <eric.dong@intel.com> Cc: Chao Zhang <chao.b.zhang@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com>
2019-05-22 15:04:43 +08:00 · 2019-05-22 15:04:43 +08:00 · 6cbed0e36f
parent 9fc1b85fd1
commit 6cbed0e36f
3 changed files with 20 additions and 8 deletions
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@ -422,11 +422,11 @@
  # @Prompt Possible TPM2 Interrupt Number buffer
  gEfiSecurityPkgTokenSpaceGuid.PcdTpm2PossibleIrqNumBuf|{0x00, 0x00, 0x00, 0x00}|VOID*|0x0001001D

-  ## Indicates if Opal DXE driver skip unlock device flow.<BR><BR>
-  #   TRUE  - Skip unlock device flow.<BR>
-  #   FALSE - Does not skip unlock device flow.<BR>
-  # @Prompt Skip Opal DXE driver unlock device flow.
-  gEfiSecurityPkgTokenSpaceGuid.PcdSkipOpalDxeUnlock|FALSE|BOOLEAN|0x00010020
+  ## Indicates if Opal DXE driver skip password prompt.<BR><BR>
+  #   TRUE  - Skip password prompt.<BR>
+  #   FALSE - Does not skip password prompt.<BR>
+  # @Prompt Skip Opal DXE driver password prompt.
+  gEfiSecurityPkgTokenSpaceGuid.PcdSkipOpalPasswordPrompt|FALSE|BOOLEAN|0x00010020

 [PcdsDynamic, PcdsDynamicEx]

--- a/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
+++ b/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
@ -899,8 +899,20 @@ OpalDriverRequestPassword (

    IsLocked = OpalDeviceLocked (&Dev->OpalDisk.SupportedAttributes, &Dev->OpalDisk.LockingFeature);

-    if (IsLocked && PcdGetBool (PcdSkipOpalDxeUnlock)) {
-      return;
+    //
+    // Add PcdSkipOpalPasswordPrompt to determin whether to skip password prompt.
+    // Due to board design, device may not power off during system warm boot, which result in
+    // security status remain unlocked status, hence we add device security status check here.
+    //
+    // If device is in the locked status, device keeps locked and system continues booting.
+    // If device is in the unlocked status, system is forced shutdown to support security requirement.
+    //
+    if (PcdGetBool (PcdSkipOpalPasswordPrompt)) {
+      if (IsLocked) {
+        return;
+      } else {
+        gRT->ResetSystem (EfiResetShutdown, EFI_SUCCESS, 0, NULL);
+      }
    }

    while (Count < MAX_PASSWORD_TRY_COUNT) {
--- a/SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe.inf
+++ b/SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe.inf
@ -71,7 +71,7 @@
  gS3StorageDeviceInitListGuid                  ## SOMETIMES_PRODUCES ## UNDEFINED

 [Pcd]
-  gEfiSecurityPkgTokenSpaceGuid.PcdSkipOpalDxeUnlock  ## CONSUMES
+  gEfiSecurityPkgTokenSpaceGuid.PcdSkipOpalPasswordPrompt  ## CONSUMES

 [Depex]
  gEfiHiiStringProtocolGuid AND gEfiHiiDatabaseProtocolGuid