SecurityPkg DxeTcg2PPLib: Lock Tcg2PhysicalPresenceFlags variable on S4

This change updates Tcg2PhysicalPresenceLibProcessRequest() to also lock
the Tcg2PhysicalPresenceFlags variable on S4.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
Star Zeng 2016-11-18 15:34:54 +08:00
parent 252b891b2b
commit 7b9b576c71
1 changed files with 17 additions and 17 deletions


@ -794,6 +794,23 @@ Tcg2PhysicalPresenceLibProcessRequest (
if (EFI_ERROR (Status)) {
return ;
}
//
// This flags variable controls whether physical presence is required for TPM command.
// It should be protected from malicious software. We set it as read-only variable here.
//
Status = gBS->LocateProtocol (&gEdkiiVariableLockProtocolGuid, NULL, (VOID **)&VariableLockProtocol);
if (!EFI_ERROR (Status)) {
Status = VariableLockProtocol->RequestToLock (
VariableLockProtocol,
TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE,
&gEfiTcg2PhysicalPresenceGuid
);
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "[TPM2] Error when lock variable %s, Status = %r\n", TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE, Status));
ASSERT_EFI_ERROR (Status);
}
}
//
// Check S4 resume
@ -832,23 +849,6 @@ Tcg2PhysicalPresenceLibProcessRequest (
}
}
DEBUG ((EFI_D_INFO, "[TPM2] PpiFlags = %x\n", PpiFlags.PPFlags));
//
// This flags variable controls whether physical presence is required for TPM command.
// It should be protected from malicious software. We set it as read-only variable here.
//
Status = gBS->LocateProtocol (&gEdkiiVariableLockProtocolGuid, NULL, (VOID **)&VariableLockProtocol);
if (!EFI_ERROR (Status)) {
Status = VariableLockProtocol->RequestToLock (
VariableLockProtocol,
TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE,
&gEfiTcg2PhysicalPresenceGuid
);
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "[TPM2] Error when lock variable %s, Status = %r\n", TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE, Status));
ASSERT_EFI_ERROR (Status);
}
}
//
// Initialize physical presence variable.
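Review bot: In the block now placed ahead of the S4 resume check, a failed `LocateProtocol` for `gEdkiiVariableLockProtocolGuid` skips the lock without any trace, so `Tcg2PhysicalPresenceFlags` stays writable and nothing in the log says so. An `else` branch such as `DEBUG ((EFI_D_ERROR, "[TPM2] Variable lock protocol not found, Status = %r\n", Status));` would make that case visible. The `RequestToLock` failure path relies on `ASSERT_EFI_ERROR`, which is presumably compiled out in release builds, so there too the function carries on with the variable unlocked. The comment above the block could also say why the request sits here, e.g. `// Request the lock before the S4 check so the variable is also protected on S4 resume.` The function body starts and ends outside the hunks shown.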