mirror of https://github.com/acidanthera/audk.git
SecurityPkg: TcgStorageOpalLib: Add TCG storage opal library.
Library APIs used to create commands defined by TCG storage opal spec. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Eric Dong <eric.dong@intel.com> Reviewed-by: Feng Tian <feng.tian@intel.com>
This commit is contained in:
parent
085dcf01f7
commit
9dd05ddec3
|
@ -0,0 +1,831 @@
|
||||||
|
/** @file
|
||||||
|
Public API for Opal Core library.
|
||||||
|
|
||||||
|
Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
|
||||||
|
This program and the accompanying materials
|
||||||
|
are licensed and made available under the terms and conditions of the BSD License
|
||||||
|
which accompanies this distribution. The full text of the license may be found at
|
||||||
|
http://opensource.org/licenses/bsd-license.php
|
||||||
|
|
||||||
|
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
|
||||||
|
|
||||||
|
**/
|
||||||
|
|
||||||
|
#ifndef _OPAL_CORE_H_
|
||||||
|
#define _OPAL_CORE_H_
|
||||||
|
|
||||||
|
#include <IndustryStandard/TcgStorageOpal.h>
|
||||||
|
|
||||||
|
#include <Library/TcgStorageCoreLib.h>
|
||||||
|
#include <Protocol/StorageSecurityCommand.h>
|
||||||
|
|
||||||
|
#pragma pack(1)
|
||||||
|
|
||||||
|
typedef struct {
|
||||||
|
//
|
||||||
|
// Opal SSC 1 support (0 - not supported, 1 - supported)
|
||||||
|
//
|
||||||
|
UINT32 OpalSsc1 : 1;
|
||||||
|
|
||||||
|
//
|
||||||
|
// Opal SSC 2support (0 - not supported, 1 - supported)
|
||||||
|
//
|
||||||
|
UINT32 OpalSsc2 : 1;
|
||||||
|
|
||||||
|
//
|
||||||
|
// Opal SSC Lite support (0 - not supported, 1 - supported)
|
||||||
|
//
|
||||||
|
UINT32 OpalSscLite : 1;
|
||||||
|
|
||||||
|
//
|
||||||
|
// Pyrite SSC support (0 - not supported, 1 - supported)
|
||||||
|
//
|
||||||
|
UINT32 PyriteSsc : 1;
|
||||||
|
|
||||||
|
//
|
||||||
|
// Security protocol 1 support (0 - not supported, 1 - supported)
|
||||||
|
//
|
||||||
|
UINT32 Sp1 : 1;
|
||||||
|
|
||||||
|
//
|
||||||
|
// Security protocol 2 support (0 - not supported, 1 - supported)
|
||||||
|
//
|
||||||
|
UINT32 Sp2 : 1;
|
||||||
|
|
||||||
|
//
|
||||||
|
// Security protocol IEEE1667 support (0 - not supported, 1 - supported)
|
||||||
|
//
|
||||||
|
UINT32 SpIeee1667 : 1;
|
||||||
|
|
||||||
|
//
|
||||||
|
// Media encryption supported (0 - not supported, 1 - supported)
|
||||||
|
//
|
||||||
|
UINT32 MediaEncryption : 1;
|
||||||
|
|
||||||
|
//
|
||||||
|
// Initial C_PIN_SID PIN Indicator
|
||||||
|
// 0 - The initial C_PIN_SID PIN value is NOT equal to the C_PIN_MSID PIN value
|
||||||
|
// 1 - The initial C_PIN_SID PIN value is equal to the C_PIN_MSID PIN value
|
||||||
|
//
|
||||||
|
UINT32 InitCpinIndicator : 1;
|
||||||
|
|
||||||
|
//
|
||||||
|
// Behavior of C_PIN_SID PIN upon TPer Revert
|
||||||
|
// 0 - The initial C_PIN_SID PIN value is NOT equal to the C_PIN_MSID PIN value
|
||||||
|
// 1 - The initial C_PIN_SID PIN value is equal to the C_PIN_MSID PIN value
|
||||||
|
//
|
||||||
|
UINT32 CpinUponRevert : 1;
|
||||||
|
} OPAL_DISK_SUPPORT_ATTRIBUTE;
|
||||||
|
|
||||||
|
//
|
||||||
|
// Opal device ownership type
|
||||||
|
// The type indicates who was the determined owner of the device.
|
||||||
|
//
|
||||||
|
typedef enum {
|
||||||
|
//
|
||||||
|
// Represents the device ownership is unknown because starting a session as the SID authority with the ADMIN SP
|
||||||
|
//was unsuccessful with the provided PIN
|
||||||
|
//
|
||||||
|
OpalOwnershipUnknown,
|
||||||
|
|
||||||
|
//
|
||||||
|
// Represents that the ADMIN SP SID authority contains the same PIN as the MSID PIN
|
||||||
|
//
|
||||||
|
OpalOwnershipNobody,
|
||||||
|
} OPAL_OWNER_SHIP;
|
||||||
|
|
||||||
|
//
|
||||||
|
// Structure that is used to represent an Opal session.
|
||||||
|
// The structure must be initialized by calling OpalStartSession before being used as a parameter
|
||||||
|
// for any other Opal function.
|
||||||
|
// This structure should NOT be directly modified by the client of this library.
|
||||||
|
//
|
||||||
|
//
|
||||||
|
typedef struct {
|
||||||
|
UINT32 HostSessionId;
|
||||||
|
UINT32 TperSessionId;
|
||||||
|
UINT16 ComIdExtension;
|
||||||
|
|
||||||
|
UINT16 OpalBaseComId;
|
||||||
|
|
||||||
|
EFI_STORAGE_SECURITY_COMMAND_PROTOCOL *Sscp;
|
||||||
|
UINT32 MediaId;
|
||||||
|
} OPAL_SESSION;
|
||||||
|
#pragma pack()
|
||||||
|
|
||||||
|
/**
|
||||||
|
|
||||||
|
The function fills in the provided Buffer with the supported protocol list
|
||||||
|
of the device specified.
|
||||||
|
|
||||||
|
@param[in] Session OPAL_SESSION data.
|
||||||
|
@param[in] BufferSize Size of Buffer provided (in bytes)
|
||||||
|
@param[in] BuffAddress Buffer address to fill with security protocol list
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalRetrieveSupportedProtocolList(
|
||||||
|
OPAL_SESSION *Session,
|
||||||
|
UINTN BufferSize,
|
||||||
|
VOID *BuffAddress
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
|
||||||
|
The function fills in the provided Buffer with the level 0 discovery Header
|
||||||
|
of the device specified.
|
||||||
|
|
||||||
|
@param[in] Session OPAL_SESSION data.
|
||||||
|
@param[in] BufferSize Size of Buffer provided (in bytes)
|
||||||
|
@param[in] BuffAddress Buffer address to fill with Level 0 Discovery response
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalRetrieveLevel0DiscoveryHeader(
|
||||||
|
OPAL_SESSION *Session,
|
||||||
|
UINTN BufferSize,
|
||||||
|
VOID *BuffAddress
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
Starts a session with a security provider (SP).
|
||||||
|
|
||||||
|
If a session is started successfully, the caller must end the session with OpalEndSession when finished
|
||||||
|
performing Opal actions.
|
||||||
|
|
||||||
|
@param[in/out] Session OPAL_SESSION to initialize.
|
||||||
|
@param[in] SpId Security provider ID to start the session with.
|
||||||
|
@param[in] Write Whether the session should be read-only (FALSE) or read/write (TRUE).
|
||||||
|
@param[in] HostChallengeLength Length of the host challenge. Length should be 0 if hostChallenge is NULL
|
||||||
|
@param[in] HostChallenge Host challenge for Host Signing Authority. If NULL, then no Host Challenge will be sent.
|
||||||
|
@param[in] HostSigningAuthority Host Signing Authority used for start session. If NULL, then no Host Signing Authority will be sent.
|
||||||
|
@param[in/out] MethodStatus Status of the StartSession method; only valid if TcgResultSuccess is returned.
|
||||||
|
|
||||||
|
@return TcgResultSuccess indicates that the function completed without any internal errors.
|
||||||
|
The caller must inspect the MethodStatus field to determine whether the method completed successfully.
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalStartSession(
|
||||||
|
OPAL_SESSION *Session,
|
||||||
|
TCG_UID SpId,
|
||||||
|
BOOLEAN Write,
|
||||||
|
UINT32 HostChallengeLength,
|
||||||
|
const VOID *HostChallenge,
|
||||||
|
TCG_UID HostSigningAuthority,
|
||||||
|
UINT8 *MethodStatus
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
Close a session opened with OpalStartSession.
|
||||||
|
|
||||||
|
@param[in/out] Session OPAL_SESSION to end.
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalEndSession(
|
||||||
|
OPAL_SESSION *Session
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
|
||||||
|
Reverts device using Admin SP Revert method.
|
||||||
|
|
||||||
|
@param[in] AdminSpSession OPAL_SESSION with OPAL_UID_ADMIN_SP as OPAL_ADMIN_SP_PSID_AUTHORITY to perform PSID revert.
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalPsidRevert(
|
||||||
|
OPAL_SESSION *AdminSpSession
|
||||||
|
);
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
|
||||||
|
The function retrieves the MSID from the device specified
|
||||||
|
|
||||||
|
@param[in] AdminSpSession OPAL_SESSION with OPAL_UID_ADMIN_SP as OPAL_ADMIN_SP_PSID_AUTHORITY to perform PSID revert.
|
||||||
|
@param[in] MsidBufferSize Allocated buffer size (in bytes) for MSID allocated by caller
|
||||||
|
@param[in] Msid Variable length byte sequence representing MSID of device
|
||||||
|
@param[in] MsidLength Actual length of MSID retrieved from device
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalGetMsid(
|
||||||
|
OPAL_SESSION *AdminSpSession,
|
||||||
|
UINT32 MsidBufferSize,
|
||||||
|
UINT8 *Msid,
|
||||||
|
UINT32 *MsidLength
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
|
||||||
|
The function activates the Locking SP.
|
||||||
|
Once activated, per Opal spec, the ADMIN SP SID PIN is copied over to the ADMIN1 LOCKING SP PIN.
|
||||||
|
If the Locking SP is already enabled, then TcgResultSuccess is returned and no action occurs.
|
||||||
|
|
||||||
|
@param[in] AdminSpSession OPAL_SESSION with OPAL_UID_ADMIN_SP as OPAL_ADMIN_SP_SID_AUTHORITY to activate Locking SP
|
||||||
|
@param[in/out] MethodStatus Method status of last action performed. If action succeeded, it should be TCG_METHOD_STATUS_CODE_SUCCESS.
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalActivateLockingSp(
|
||||||
|
OPAL_SESSION *AdminSpSession,
|
||||||
|
UINT8 *MethodStatus
|
||||||
|
);
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
|
||||||
|
The function sets the PIN column of the specified cpinRowUid (authority) with the newPin value.
|
||||||
|
|
||||||
|
@param[in/out] Session OPAL_SESSION to set password
|
||||||
|
@param[in] CpinRowUid UID of row (authority) to update PIN column
|
||||||
|
@param[in] NewPin New Pin to set for cpinRowUid specified
|
||||||
|
@param[in] NewPinLength Length in bytes of newPin
|
||||||
|
@param[in/out] MethodStatus Method status of last action performed. If action succeeded, it should be TCG_METHOD_STATUS_CODE_SUCCESS.
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalSetPassword(
|
||||||
|
OPAL_SESSION *Session,
|
||||||
|
TCG_UID CpinRowUid,
|
||||||
|
const VOID *NewPin,
|
||||||
|
UINT32 NewPinLength,
|
||||||
|
UINT8 *MethodStatus
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
|
||||||
|
The function retrieves the active key of the global locking range
|
||||||
|
and calls the GenKey method on the active key retrieved.
|
||||||
|
|
||||||
|
@param[in] LockingSpSession OPAL_SESSION with OPAL_UID_LOCKING_SP to generate key
|
||||||
|
@param[in/out] MethodStatus Method status of last action performed. If action succeeded, it should be TCG_METHOD_STATUS_CODE_SUCCESS.
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalGlobalLockingRangeGenKey(
|
||||||
|
OPAL_SESSION *LockingSpSession,
|
||||||
|
UINT8 *MethodStatus
|
||||||
|
);
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
|
||||||
|
The function updates the ReadLocked and WriteLocked columns of the Global Locking Range.
|
||||||
|
This funciton is required for a user1 authority, since a user1 authority shall only have access to ReadLocked and WriteLocked columns
|
||||||
|
(not ReadLockEnabled and WriteLockEnabled columns).
|
||||||
|
|
||||||
|
@param[in] LockingSpSession OPAL_SESSION with OPAL_UID_LOCKING_SP to generate key
|
||||||
|
@param[in] ReadLocked Value to set ReadLocked column for Global Locking Range
|
||||||
|
@param[in] WriteLocked Value to set WriteLocked column for Global Locking Range
|
||||||
|
@param[in/out] MethodStatus Method status of last action performed. If action succeeded, it should be TCG_METHOD_STATUS_CODE_SUCCESS.
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalUpdateGlobalLockingRange(
|
||||||
|
OPAL_SESSION *LockingSpSession,
|
||||||
|
BOOLEAN ReadLocked,
|
||||||
|
BOOLEAN WriteLocked,
|
||||||
|
UINT8 *MethodStatus
|
||||||
|
);
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
|
||||||
|
The function updates the RangeStart, RangeLength, ReadLockedEnabled, WriteLockedEnabled, ReadLocked and WriteLocked columns
|
||||||
|
of the specified Locking Range. This function requires admin authority of a locking SP session.
|
||||||
|
|
||||||
|
@param[in] LockingSpSession OPAL_SESSION with OPAL_UID_LOCKING_SP to generate key
|
||||||
|
@param[in] LockingRangeUid Locking range UID to set values
|
||||||
|
@param[in] RangeStart Value to set RangeStart column for Locking Range
|
||||||
|
@param[in] RangeLength Value to set RangeLength column for Locking Range
|
||||||
|
@param[in] ReadLockEnabled Value to set readLockEnabled column for Locking Range
|
||||||
|
@param[in] WriteLockEnabled Value to set writeLockEnabled column for Locking Range
|
||||||
|
@param[in] ReadLocked Value to set ReadLocked column for Locking Range
|
||||||
|
@param[in] WriteLocked Value to set WriteLocked column for Locking Range
|
||||||
|
@param[in/out] MethodStatus Method status of last action performed. If action succeeded, it should be TCG_METHOD_STATUS_CODE_SUCCESS.
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalSetLockingRange(
|
||||||
|
OPAL_SESSION *LockingSpSession,
|
||||||
|
TCG_UID LockingRangeUid,
|
||||||
|
UINT64 RangeStart,
|
||||||
|
UINT64 RangeLength,
|
||||||
|
BOOLEAN ReadLockEnabled,
|
||||||
|
BOOLEAN WriteLockEnabled,
|
||||||
|
BOOLEAN ReadLocked,
|
||||||
|
BOOLEAN WriteLocked,
|
||||||
|
UINT8 *MethodStatus
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
|
||||||
|
The function sets the Enabled column to TRUE for the authorityUid provided and updates the PIN column for the cpinRowUid provided
|
||||||
|
using the newPin provided. AuthorityUid and cpinRowUid should describe the same authority.
|
||||||
|
|
||||||
|
@param[in] LockingSpSession OPAL_SESSION with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_ADMIN1_AUTHORITY to update
|
||||||
|
@param[in] CpinRowUid Row UID of C_PIN table of Locking SP to update PIN
|
||||||
|
@param[in] AuthorityUid UID of Locking SP authority to update Pin column with
|
||||||
|
@param[in] NewPin New Password used to set Pin column
|
||||||
|
@param[in] NewPinLength Length in bytes of new password
|
||||||
|
@param[in/out] MethodStatus Method status of last action performed. If action succeeded, it should be TCG_METHOD_STATUS_CODE_SUCCESS.
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalSetLockingSpAuthorityEnabledAndPin(
|
||||||
|
OPAL_SESSION *LockingSpSession,
|
||||||
|
TCG_UID CpinRowUid,
|
||||||
|
TCG_UID AuthorityUid,
|
||||||
|
const VOID *NewPin,
|
||||||
|
UINT32 NewPinLength,
|
||||||
|
UINT8 *MethodStatus
|
||||||
|
);
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
|
||||||
|
The function sets the Enabled column to FALSE for the USER1 authority.
|
||||||
|
|
||||||
|
@param[in] LockingSpSession OPAL_SESSION with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_ADMIN1_AUTHORITY to disable User1
|
||||||
|
@param[in/out] MethodStatus Method status of last action performed. If action succeeded, it should be TCG_METHOD_STATUS_CODE_SUCCESS.
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalDisableUser(
|
||||||
|
OPAL_SESSION *LockingSpSession,
|
||||||
|
UINT8 *MethodStatus
|
||||||
|
);
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
|
||||||
|
The function calls the Admin SP RevertSP method on the Locking SP. If KeepUserData is True, then the optional parameter
|
||||||
|
to keep the user data is set to True, otherwise the optional parameter is not provided.
|
||||||
|
|
||||||
|
@param[in] LockingSpSession OPAL_SESSION with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_ADMIN1_AUTHORITY to revertSP
|
||||||
|
@param[in] KeepUserData Specifies whether or not to keep user data when performing RevertSP action. True = keeps user data.
|
||||||
|
@param[in/out] MethodStatus Method status of last action performed. If action succeeded, it should be TCG_METHOD_STATUS_CODE_SUCCESS.
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalAdminRevert(
|
||||||
|
OPAL_SESSION *LockingSpSession,
|
||||||
|
BOOLEAN KeepUserData,
|
||||||
|
UINT8 *MethodStatus
|
||||||
|
);
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
|
||||||
|
The function retrieves the TryLimit column for the specified rowUid (authority).
|
||||||
|
|
||||||
|
@param[in] LockingSpSession OPAL_SESSION with OPAL_UID_LOCKING_SP to retrieve try limit
|
||||||
|
@param[in] RowUid Row UID of the Locking SP C_PIN table to retrieve TryLimit column
|
||||||
|
@param[in/out] TryLimit Value from TryLimit column
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalGetTryLimit(
|
||||||
|
OPAL_SESSION *LockingSpSession,
|
||||||
|
TCG_UID RowUid,
|
||||||
|
UINT32 *TryLimit
|
||||||
|
);
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
|
||||||
|
The function populates the CreateStruct with a payload that will retrieve the global locking range active key.
|
||||||
|
It is intended to be called with a session that is already started with a valid credential.
|
||||||
|
The function does not send the payload.
|
||||||
|
|
||||||
|
@param[in] Session OPAL_SESSION to populate command for, needs comId
|
||||||
|
@param[in/out] CreateStruct Structure to populate with encoded TCG command
|
||||||
|
@param[in/out] Size Size in bytes of the command created.
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalCreateRetrieveGlobalLockingRangeActiveKey(
|
||||||
|
const OPAL_SESSION *Session,
|
||||||
|
TCG_CREATE_STRUCT *CreateStruct,
|
||||||
|
UINT32 *Size
|
||||||
|
);
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
|
||||||
|
The function acquires the activeKey specified for the Global Locking Range from the parseStruct.
|
||||||
|
|
||||||
|
@param[in] ParseStruct Structure that contains the device's response with the activekey
|
||||||
|
@param[in/out] ActiveKey The UID of the active key retrieved
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalParseRetrieveGlobalLockingRangeActiveKey(
|
||||||
|
TCG_PARSE_STRUCT *ParseStruct,
|
||||||
|
TCG_UID *ActiveKey
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
|
||||||
|
Get the support attribute info.
|
||||||
|
|
||||||
|
@param[in] Session OPAL_SESSION with OPAL_UID_LOCKING_SP to retrieve info.
|
||||||
|
@param[in/out] LockingFeature Return the Locking info.
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalGetLockingInfo(
|
||||||
|
OPAL_SESSION *Session,
|
||||||
|
TCG_LOCKING_FEATURE_DESCRIPTOR *LockingFeature
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
|
||||||
|
The function determines whether or not all of the requirements for the Opal Feature (not full specification)
|
||||||
|
are met by the specified device.
|
||||||
|
|
||||||
|
@param[in] SupportedAttributes Opal device attribute.
|
||||||
|
|
||||||
|
**/
|
||||||
|
BOOLEAN
|
||||||
|
EFIAPI
|
||||||
|
OpalFeatureSupported(
|
||||||
|
OPAL_DISK_SUPPORT_ATTRIBUTE *SupportedAttributes
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
|
||||||
|
The function returns whether or not the device is Opal Enabled.
|
||||||
|
TRUE means that the device is partially or fully locked.
|
||||||
|
This will perform a Level 0 Discovery and parse the locking feature descriptor
|
||||||
|
|
||||||
|
@param[in] SupportedAttributes Opal device attribute.
|
||||||
|
@param[in] LockingFeature Opal device locking status.
|
||||||
|
|
||||||
|
|
||||||
|
**/
|
||||||
|
BOOLEAN
|
||||||
|
EFIAPI
|
||||||
|
OpalFeatureEnabled(
|
||||||
|
OPAL_DISK_SUPPORT_ATTRIBUTE *SupportedAttributes,
|
||||||
|
TCG_LOCKING_FEATURE_DESCRIPTOR *LockingFeature
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
|
||||||
|
The function returns whether or not the device is Opal Locked.
|
||||||
|
TRUE means that the device is partially or fully locked.
|
||||||
|
This will perform a Level 0 Discovery and parse the locking feature descriptor
|
||||||
|
|
||||||
|
@param[in] SupportedAttributes Opal device attribute.
|
||||||
|
@param[in] LockingFeature Opal device locking status.
|
||||||
|
|
||||||
|
**/
|
||||||
|
BOOLEAN
|
||||||
|
OpalDeviceLocked(
|
||||||
|
OPAL_DISK_SUPPORT_ATTRIBUTE *SupportedAttributes,
|
||||||
|
TCG_LOCKING_FEATURE_DESCRIPTOR *LockingFeature
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
Trig the block sid action.
|
||||||
|
|
||||||
|
@param[in] Session OPAL_SESSION to populate command for, needs comId
|
||||||
|
@param[in] HardwareReset Whether need to do hardware reset.
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalBlockSid(
|
||||||
|
OPAL_SESSION *Session,
|
||||||
|
BOOLEAN HardwareReset
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
|
||||||
|
Get the support attribute info.
|
||||||
|
|
||||||
|
@param[in] Session OPAL_SESSION with OPAL_UID_LOCKING_SP to retrieve info.
|
||||||
|
@param[in/out] SupportedAttributes Return the support attribute info.
|
||||||
|
@param[out] OpalBaseComId Return the base com id info.
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalGetSupportedAttributesInfo(
|
||||||
|
OPAL_SESSION *Session,
|
||||||
|
OPAL_DISK_SUPPORT_ATTRIBUTE *SupportedAttributes,
|
||||||
|
UINT16 *OpalBaseComId
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
Creates a session with OPAL_UID_ADMIN_SP as OPAL_ADMIN_SP_PSID_AUTHORITY, then reverts device using Admin SP Revert method.
|
||||||
|
|
||||||
|
@param[in] AdminSpSession OPAL_SESSION to populate command for, needs comId
|
||||||
|
@param[in] Psid PSID of device to revert.
|
||||||
|
@param[in] PsidLength Length of PSID in bytes.
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalUtilPsidRevert(
|
||||||
|
OPAL_SESSION *AdminSpSession,
|
||||||
|
const VOID *Psid,
|
||||||
|
UINT32 PsidLength
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
Opens a session with OPAL_UID_ADMIN_SP as OPAL_ADMIN_SP_SID_AUTHORITY,
|
||||||
|
sets the OPAL_UID_ADMIN_SP_C_PIN_SID column with the new password,
|
||||||
|
and activates the locking SP to copy SID PIN to Admin1 Locking SP PIN.
|
||||||
|
|
||||||
|
@param[in] AdminSpSession OPAL_SESSION to populate command for, needs comId
|
||||||
|
@param[in] GeneratedSid Generated SID of disk
|
||||||
|
@param[in] SidLength Length of generatedSid in bytes
|
||||||
|
@param[in] Password New admin password to set
|
||||||
|
@param[in] PassLength Length of password in bytes
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalUtilSetAdminPasswordAsSid(
|
||||||
|
OPAL_SESSION *AdminSpSession,
|
||||||
|
const VOID *GeneratedSid,
|
||||||
|
UINT32 SidLength,
|
||||||
|
const VOID *Password,
|
||||||
|
UINT32 PassLength
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
|
||||||
|
Opens a session with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_ADMIN1_AUTHORITY,
|
||||||
|
and updates the specified locking range with the provided column values.
|
||||||
|
|
||||||
|
@param[in] LockingSpSession OPAL_SESSION to populate command for, needs comId
|
||||||
|
@param[in] Password New admin password to set
|
||||||
|
@param[in] PassLength Length of password in bytes
|
||||||
|
@param[in] LockingRangeUid Locking range UID to set values
|
||||||
|
@param[in] RangeStart Value to set RangeStart column for Locking Range
|
||||||
|
@param[in] RangeLength Value to set RangeLength column for Locking Range
|
||||||
|
@param[in] ReadLockEnabled Value to set readLockEnabled column for Locking Range
|
||||||
|
@param[in] WriteLockEnabled Value to set writeLockEnabled column for Locking Range
|
||||||
|
@param[in] ReadLocked Value to set ReadLocked column for Locking Range
|
||||||
|
@param[in] WriteLocked Value to set WriteLocked column for Locking Range
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalUtilSetOpalLockingRange(
|
||||||
|
OPAL_SESSION *LockingSpSession,
|
||||||
|
const VOID *Password,
|
||||||
|
UINT32 PassLength,
|
||||||
|
TCG_UID LockingRangeUid,
|
||||||
|
UINT64 RangeStart,
|
||||||
|
UINT64 RangeLength,
|
||||||
|
BOOLEAN ReadLockEnabled,
|
||||||
|
BOOLEAN WriteLockEnabled,
|
||||||
|
BOOLEAN ReadLocked,
|
||||||
|
BOOLEAN WriteLocked
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
Opens a session with OPAL_UID_ADMIN_SP as OPAL_ADMIN_SP_SID_AUTHORITY,
|
||||||
|
sets OPAL_UID_ADMIN_SP_C_PIN_SID with the new password,
|
||||||
|
and sets OPAL_LOCKING_SP_C_PIN_ADMIN1 with the new password.
|
||||||
|
|
||||||
|
@param[in] AdminSpSession OPAL_SESSION to populate command for, needs comId
|
||||||
|
@param[in] OldPassword Current admin password
|
||||||
|
@param[in] OldPasswordLength Length of current admin password in bytes
|
||||||
|
@param[in] NewPassword New admin password to set
|
||||||
|
@param[in] NewPasswordLength Length of new password in bytes
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalUtilSetAdminPassword(
|
||||||
|
OPAL_SESSION *AdminSpSession,
|
||||||
|
const VOID *OldPassword,
|
||||||
|
UINT32 OldPasswordLength,
|
||||||
|
const VOID *NewPassword,
|
||||||
|
UINT32 NewPasswordLength
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
Starts a session with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_USER1_AUTHORITY or OPAL_LOCKING_SP_ADMIN1_AUTHORITY
|
||||||
|
and sets the User1 SP authority to enabled and sets the User1 password.
|
||||||
|
|
||||||
|
@param[in] LockingSpSession OPAL_SESSION to populate command for, needs comId
|
||||||
|
@param[in] OldPassword Current admin password
|
||||||
|
@param[in] OldPasswordLength Length of current admin password in bytes
|
||||||
|
@param[in] NewPassword New admin password to set
|
||||||
|
@param[in] NewPasswordLength Length of new password in bytes
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalUtilSetUserPassword(
|
||||||
|
OPAL_SESSION *LockingSpSession,
|
||||||
|
const VOID *OldPassword,
|
||||||
|
UINT32 OldPasswordLength,
|
||||||
|
const VOID *NewPassword,
|
||||||
|
UINT32 NewPasswordLength
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
Verify whether user input the correct password.
|
||||||
|
|
||||||
|
@param[in] LockingSpSession OPAL_SESSION to populate command for, needs comId
|
||||||
|
@param[in] Password Admin password
|
||||||
|
@param[in] PasswordLength Length of password in bytes
|
||||||
|
@param[in/out] HostSigningAuthority Use the Host signing authority type.
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalUtilVerifyPassword (
|
||||||
|
OPAL_SESSION *LockingSpSession,
|
||||||
|
const VOID *Password,
|
||||||
|
UINT32 PasswordLength,
|
||||||
|
TCG_UID HostSigningAuthority
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
Starts a session with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_USER1_AUTHORITY or OPAL_LOCKING_SP_ADMIN1_AUTHORITY
|
||||||
|
and generates a new global locking range key to erase the Data.
|
||||||
|
|
||||||
|
@param[in] LockingSpSession OPAL_SESSION to populate command for, needs comId
|
||||||
|
@param[in] Password Admin or user password
|
||||||
|
@param[in] PasswordLength Length of password in bytes
|
||||||
|
@param[in/out] PasswordFailed indicates if password failed (start session didn't work)
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalUtilSecureErase(
|
||||||
|
OPAL_SESSION *LockingSpSession,
|
||||||
|
const VOID *Password,
|
||||||
|
UINT32 PasswordLength,
|
||||||
|
BOOLEAN *PasswordFailed
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
Starts a session with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_ADMIN1_AUTHORITY and disables the User1 authority.
|
||||||
|
|
||||||
|
@param[in] LockingSpSession OPAL_SESSION to populate command for, needs comId
|
||||||
|
@param[in] Password Admin password
|
||||||
|
@param[in] PasswordLength Length of password in bytes
|
||||||
|
@param[in/out] PasswordFailed indicates if password failed (start session didn't work)
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalUtilDisableUser(
|
||||||
|
OPAL_SESSION *LockingSpSession,
|
||||||
|
const VOID *Password,
|
||||||
|
UINT32 PasswordLength,
|
||||||
|
BOOLEAN *PasswordFailed
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
Opens a session with OPAL_UID_ADMIN_SP as OPAL_ADMIN_SP_PSID_AUTHORITY, then reverts the device using the RevertSP method.
|
||||||
|
|
||||||
|
@param[in] LockingSpSession OPAL_SESSION to populate command for, needs comId
|
||||||
|
@param[in] KeepUserData TRUE to keep existing Data on the disk, or FALSE to erase it
|
||||||
|
@param[in] Password Admin password
|
||||||
|
@param[in] PasswordLength Length of password in bytes
|
||||||
|
@param[in/out] PasswordFailed indicates if password failed (start session didn't work)
|
||||||
|
@param[in] Msid Input Msid info.
|
||||||
|
@param[in] MsidLength Input Msid info length.
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalUtilRevert(
|
||||||
|
OPAL_SESSION *LockingSpSession,
|
||||||
|
BOOLEAN KeepUserData,
|
||||||
|
const VOID *Password,
|
||||||
|
UINT32 PasswordLength,
|
||||||
|
BOOLEAN *PasswordFailed,
|
||||||
|
UINT8 *Msid,
|
||||||
|
UINT32 MsidLength
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
After revert success, set SID to MSID.
|
||||||
|
|
||||||
|
@param[in] AdminSpSession OPAL_SESSION to populate command for, needs comId
|
||||||
|
@param Password, Input password info.
|
||||||
|
@param PasswordLength, Input password length.
|
||||||
|
@param[in] Msid Input Msid info.
|
||||||
|
@param[in] MsidLength Input Msid info length.
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalUtilSetSIDtoMSID (
|
||||||
|
OPAL_SESSION *AdminSpSession,
|
||||||
|
const VOID *Password,
|
||||||
|
UINT32 PasswordLength,
|
||||||
|
UINT8 *Msid,
|
||||||
|
UINT32 MsidLength
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
Update global locking range.
|
||||||
|
|
||||||
|
@param[in] LockingSpSession OPAL_SESSION to populate command for, needs comId
|
||||||
|
@param Password, Input password info.
|
||||||
|
@param PasswordLength, Input password length.
|
||||||
|
@param ReadLocked, Read lock info.
|
||||||
|
@param WriteLocked write lock info.
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalUtilUpdateGlobalLockingRange(
|
||||||
|
OPAL_SESSION *LockingSpSession,
|
||||||
|
const VOID *Password,
|
||||||
|
UINT32 PasswordLength,
|
||||||
|
BOOLEAN ReadLocked,
|
||||||
|
BOOLEAN WriteLocked
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
Update global locking range.
|
||||||
|
|
||||||
|
@param Session, The session info for one opal device.
|
||||||
|
@param Msid, The data buffer to save Msid info.
|
||||||
|
@param MsidBufferLength, The data buffer length for Msid.
|
||||||
|
@param MsidLength, The actual data length for Msid.
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalUtilGetMsid(
|
||||||
|
OPAL_SESSION *Session,
|
||||||
|
UINT8 *Msid,
|
||||||
|
UINT32 MsidBufferLength,
|
||||||
|
UINT32 *MsidLength
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
|
||||||
|
The function determines who owns the device by attempting to start a session with different credentials.
|
||||||
|
If the SID PIN matches the MSID PIN, the no one owns the device.
|
||||||
|
If the SID PIN matches the ourSidPin, then "Us" owns the device. Otherwise it is unknown.
|
||||||
|
|
||||||
|
|
||||||
|
@param[in] Session The session info for one opal device.
|
||||||
|
@param Msid, The Msid info.
|
||||||
|
@param MsidLength, The data length for Msid.
|
||||||
|
|
||||||
|
**/
|
||||||
|
OPAL_OWNER_SHIP
|
||||||
|
EFIAPI
|
||||||
|
OpalUtilDetermineOwnership(
|
||||||
|
OPAL_SESSION *Session,
|
||||||
|
UINT8 *Msid,
|
||||||
|
UINT32 MsidLength
|
||||||
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
|
||||||
|
The function returns if admin password exists.
|
||||||
|
|
||||||
|
@param[in] OwnerShip The owner ship of the opal device.
|
||||||
|
@param[in] LockingFeature The locking info of the opal device.
|
||||||
|
|
||||||
|
@retval TRUE Admin password existed.
|
||||||
|
@retval FALSE Admin password not existed.
|
||||||
|
|
||||||
|
**/
|
||||||
|
BOOLEAN
|
||||||
|
EFIAPI
|
||||||
|
OpalUtilAdminPasswordExists(
|
||||||
|
IN UINT16 OwnerShip,
|
||||||
|
IN TCG_LOCKING_FEATURE_DESCRIPTOR *LockingFeature
|
||||||
|
);
|
||||||
|
|
||||||
|
#endif // _OPAL_CORE_H_
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,50 @@
|
||||||
|
## @file
|
||||||
|
# This is a Tcg storage Opal library.
|
||||||
|
#
|
||||||
|
# This module is used to provide API used by Opal password solution.
|
||||||
|
#
|
||||||
|
# Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
|
||||||
|
# This program and the accompanying materials
|
||||||
|
# are licensed and made available under the terms and conditions of the BSD License
|
||||||
|
# which accompanies this distribution. The full text of the license may be found at
|
||||||
|
# http://opensource.org/licenses/bsd-license.php
|
||||||
|
# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
|
||||||
|
#
|
||||||
|
##
|
||||||
|
[Defines]
|
||||||
|
INF_VERSION = 0x00010017
|
||||||
|
BASE_NAME = TcgStorageOpalLib
|
||||||
|
FILE_GUID = F8B56221-FD5D-4215-B578-C3574AD1E253
|
||||||
|
VERSION_STRING = 1.0
|
||||||
|
MODULE_TYPE = BASE
|
||||||
|
LIBRARY_CLASS = TcgStorageOpalLib|DXE_DRIVER DXE_CORE DXE_SMM_DRIVER
|
||||||
|
|
||||||
|
#
|
||||||
|
# The following information is for reference only and not required by the build tools.
|
||||||
|
#
|
||||||
|
# VALID_ARCHITECTURES = IA32 X64
|
||||||
|
#
|
||||||
|
|
||||||
|
[Sources]
|
||||||
|
TcgStorageOpalCore.c
|
||||||
|
TcgStorageOpalUtil.c
|
||||||
|
|
||||||
|
[LibraryClasses]
|
||||||
|
BaseLib
|
||||||
|
BaseMemoryLib
|
||||||
|
PrintLib
|
||||||
|
DebugLib
|
||||||
|
TimerLib
|
||||||
|
TcgStorageCoreLib
|
||||||
|
UefiLib
|
||||||
|
|
||||||
|
[Packages]
|
||||||
|
MdePkg/MdePkg.dec
|
||||||
|
SecurityPkg/SecurityPkg.dec
|
||||||
|
|
||||||
|
[Protocols]
|
||||||
|
gEfiStorageSecurityCommandProtocolGuid ## CONSUMES
|
||||||
|
|
||||||
|
[BuildOptions]
|
||||||
|
MSFT:*_*_*_CC_FLAGS = /Od /GL-
|
|
@ -0,0 +1,913 @@
|
||||||
|
/** @file
|
||||||
|
Public API for Opal Core library.
|
||||||
|
|
||||||
|
Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
|
||||||
|
This program and the accompanying materials
|
||||||
|
are licensed and made available under the terms and conditions of the BSD License
|
||||||
|
which accompanies this distribution. The full text of the license may be found at
|
||||||
|
http://opensource.org/licenses/bsd-license.php
|
||||||
|
|
||||||
|
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
|
||||||
|
|
||||||
|
**/
|
||||||
|
#include <uefi.h>
|
||||||
|
#include <Library/BaseLib.h>
|
||||||
|
#include <Library/DebugLib.h>
|
||||||
|
#include <Library/TcgStorageOpalLib.h>
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
Creates a session with OPAL_UID_ADMIN_SP as OPAL_ADMIN_SP_PSID_AUTHORITY, then reverts device using Admin SP Revert method.
|
||||||
|
|
||||||
|
@param[in] Session, The session info for one opal device.
|
||||||
|
@param[in] Psid PSID of device to revert.
|
||||||
|
@param[in] PsidLength Length of PSID in bytes.
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalUtilPsidRevert(
|
||||||
|
OPAL_SESSION *Session,
|
||||||
|
const VOID *Psid,
|
||||||
|
UINT32 PsidLength
|
||||||
|
)
|
||||||
|
{
|
||||||
|
UINT8 MethodStatus;
|
||||||
|
TCG_RESULT Ret;
|
||||||
|
|
||||||
|
NULL_CHECK(Session);
|
||||||
|
NULL_CHECK(Psid);
|
||||||
|
|
||||||
|
Ret = OpalStartSession(
|
||||||
|
Session,
|
||||||
|
OPAL_UID_ADMIN_SP,
|
||||||
|
TRUE,
|
||||||
|
PsidLength,
|
||||||
|
Psid,
|
||||||
|
OPAL_ADMIN_SP_PSID_AUTHORITY,
|
||||||
|
&MethodStatus);
|
||||||
|
if (Ret == TcgResultSuccess && MethodStatus == TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
Ret = OpalPsidRevert(Session);
|
||||||
|
if (Ret != TcgResultSuccess) {
|
||||||
|
//
|
||||||
|
// If revert was successful, session was already ended by TPer, so only end session on failure
|
||||||
|
//
|
||||||
|
OpalEndSession(Session);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
Ret = TcgResultFailure;
|
||||||
|
}
|
||||||
|
|
||||||
|
return Ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
Opens a session with OPAL_UID_ADMIN_SP as OPAL_ADMIN_SP_SID_AUTHORITY,
|
||||||
|
sets the OPAL_UID_ADMIN_SP_C_PIN_SID column with the new password,
|
||||||
|
and activates the locking SP to copy SID PIN to Admin1 Locking SP PIN
|
||||||
|
|
||||||
|
@param[in] Session, The session info for one opal device.
|
||||||
|
@param[in] GeneratedSid Generated SID of disk
|
||||||
|
@param[in] SidLength Length of generatedSid in bytes
|
||||||
|
@param[in] Password New admin password to set
|
||||||
|
@param[in] PassLength Length of password in bytes
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalUtilSetAdminPasswordAsSid(
|
||||||
|
OPAL_SESSION *Session,
|
||||||
|
const VOID *GeneratedSid,
|
||||||
|
UINT32 SidLength,
|
||||||
|
const VOID *Password,
|
||||||
|
UINT32 PassLength
|
||||||
|
)
|
||||||
|
{
|
||||||
|
UINT8 MethodStatus;
|
||||||
|
TCG_RESULT Ret;
|
||||||
|
|
||||||
|
NULL_CHECK(Session);
|
||||||
|
NULL_CHECK(GeneratedSid);
|
||||||
|
NULL_CHECK(Password);
|
||||||
|
|
||||||
|
Ret = OpalStartSession(
|
||||||
|
Session,
|
||||||
|
OPAL_UID_ADMIN_SP,
|
||||||
|
TRUE,
|
||||||
|
SidLength,
|
||||||
|
GeneratedSid,
|
||||||
|
OPAL_ADMIN_SP_SID_AUTHORITY,
|
||||||
|
&MethodStatus
|
||||||
|
);
|
||||||
|
if (Ret != TcgResultSuccess || MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
DEBUG ((DEBUG_INFO, "start session with admin SP as SID authority failed: Ret=%d MethodStatus=%u\n", Ret, MethodStatus));
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
//
|
||||||
|
// 1. Update SID = new Password
|
||||||
|
//
|
||||||
|
Ret = OpalSetPassword(
|
||||||
|
Session,
|
||||||
|
OPAL_UID_ADMIN_SP_C_PIN_SID,
|
||||||
|
Password,
|
||||||
|
PassLength,
|
||||||
|
&MethodStatus
|
||||||
|
);
|
||||||
|
|
||||||
|
if (Ret != TcgResultSuccess || MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
OpalEndSession(Session);
|
||||||
|
DEBUG ((DEBUG_INFO, "set Password failed: Ret=%d MethodStatus=%u\n", Ret, MethodStatus));
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
//
|
||||||
|
// 2. Activate locking SP
|
||||||
|
//
|
||||||
|
Ret = OpalActivateLockingSp(Session, &MethodStatus);
|
||||||
|
OpalEndSession(Session);
|
||||||
|
if (Ret != TcgResultSuccess || MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
DEBUG ((DEBUG_INFO, "activate locking SP failed: Ret=%d MethodStatus=%u\n", Ret, MethodStatus));
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
done:
|
||||||
|
if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
Ret = TcgResultFailure;
|
||||||
|
}
|
||||||
|
return Ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
|
||||||
|
Opens a session with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_ADMIN1_AUTHORITY,
|
||||||
|
and updates the specified locking range with the provided column values
|
||||||
|
|
||||||
|
@param[in] Session, The session info for one opal device.
|
||||||
|
@param[in] Password New admin password to set
|
||||||
|
@param[in] PassLength Length of password in bytes
|
||||||
|
@param[in] LockingRangeUid Locking range UID to set values
|
||||||
|
@param[in] RangeStart Value to set RangeStart column for Locking Range
|
||||||
|
@param[in] RangeLength Value to set RangeLength column for Locking Range
|
||||||
|
@param[in] ReadLockEnabled Value to set readLockEnabled column for Locking Range
|
||||||
|
@param[in] WriteLockEnabled Value to set writeLockEnabled column for Locking Range
|
||||||
|
@param[in] ReadLocked Value to set ReadLocked column for Locking Range
|
||||||
|
@param[in] WriteLocked Value to set WriteLocked column for Locking Range
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalUtilSetOpalLockingRange(
|
||||||
|
OPAL_SESSION *Session,
|
||||||
|
const VOID *Password,
|
||||||
|
UINT32 PassLength,
|
||||||
|
TCG_UID LockingRangeUid,
|
||||||
|
UINT64 RangeStart,
|
||||||
|
UINT64 RangeLength,
|
||||||
|
BOOLEAN ReadLockEnabled,
|
||||||
|
BOOLEAN WriteLockEnabled,
|
||||||
|
BOOLEAN ReadLocked,
|
||||||
|
BOOLEAN WriteLocked
|
||||||
|
)
|
||||||
|
{
|
||||||
|
UINT8 MethodStatus;
|
||||||
|
TCG_RESULT Ret;
|
||||||
|
|
||||||
|
NULL_CHECK(Session);
|
||||||
|
NULL_CHECK(Password);
|
||||||
|
|
||||||
|
//
|
||||||
|
// Start session with Locking SP using current admin Password
|
||||||
|
//
|
||||||
|
Ret = OpalStartSession(
|
||||||
|
Session,
|
||||||
|
OPAL_UID_LOCKING_SP,
|
||||||
|
TRUE,
|
||||||
|
PassLength,
|
||||||
|
Password,
|
||||||
|
OPAL_LOCKING_SP_ADMIN1_AUTHORITY,
|
||||||
|
&MethodStatus);
|
||||||
|
if ((Ret != TcgResultSuccess) || (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS)) {
|
||||||
|
DEBUG ((DEBUG_INFO, "start session with locking SP failed: Ret=%d MethodStatus=%u\n", Ret, MethodStatus));
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
//
|
||||||
|
// Enable locking range
|
||||||
|
//
|
||||||
|
Ret = OpalSetLockingRange(
|
||||||
|
Session,
|
||||||
|
LockingRangeUid,
|
||||||
|
RangeStart,
|
||||||
|
RangeLength,
|
||||||
|
ReadLockEnabled,
|
||||||
|
WriteLockEnabled,
|
||||||
|
ReadLocked,
|
||||||
|
WriteLocked,
|
||||||
|
&MethodStatus);
|
||||||
|
|
||||||
|
OpalEndSession(Session);
|
||||||
|
if (Ret != TcgResultSuccess || MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
DEBUG ((DEBUG_INFO, "set locking range failed: Ret=%d MethodStatus=0x%x\n", Ret, MethodStatus));
|
||||||
|
}
|
||||||
|
|
||||||
|
done:
|
||||||
|
if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
Ret = TcgResultFailure;
|
||||||
|
}
|
||||||
|
return Ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
Opens a session with OPAL_UID_ADMIN_SP as OPAL_ADMIN_SP_SID_AUTHORITY,
|
||||||
|
sets OPAL_UID_ADMIN_SP_C_PIN_SID with the new password,
|
||||||
|
and sets OPAL_LOCKING_SP_C_PIN_ADMIN1 with the new password.
|
||||||
|
|
||||||
|
@param[in] Session, The session info for one opal device.
|
||||||
|
@param[in] OldPassword Current admin password
|
||||||
|
@param[in] OldPasswordLength Length of current admin password in bytes
|
||||||
|
@param[in] NewPassword New admin password to set
|
||||||
|
@param[in] NewPasswordLength Length of new password in bytes
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalUtilSetAdminPassword(
|
||||||
|
OPAL_SESSION *Session,
|
||||||
|
const VOID *OldPassword,
|
||||||
|
UINT32 OldPasswordLength,
|
||||||
|
const VOID *NewPassword,
|
||||||
|
UINT32 NewPasswordLength
|
||||||
|
)
|
||||||
|
{
|
||||||
|
TCG_RESULT Ret;
|
||||||
|
UINT8 MethodStatus;
|
||||||
|
|
||||||
|
NULL_CHECK(Session);
|
||||||
|
NULL_CHECK(OldPassword);
|
||||||
|
NULL_CHECK(NewPassword);
|
||||||
|
|
||||||
|
//
|
||||||
|
// Unknown ownership
|
||||||
|
//
|
||||||
|
Ret = OpalStartSession(
|
||||||
|
Session,
|
||||||
|
OPAL_UID_ADMIN_SP,
|
||||||
|
TRUE,
|
||||||
|
OldPasswordLength,
|
||||||
|
OldPassword,
|
||||||
|
OPAL_ADMIN_SP_SID_AUTHORITY,
|
||||||
|
&MethodStatus
|
||||||
|
);
|
||||||
|
if (Ret != TcgResultSuccess || MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
DEBUG ((DEBUG_INFO, "start session with admin SP using old Password failed\n"));
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
//
|
||||||
|
// Update SID = new pw
|
||||||
|
//
|
||||||
|
Ret = OpalSetPassword(Session, OPAL_UID_ADMIN_SP_C_PIN_SID, NewPassword, NewPasswordLength, &MethodStatus);
|
||||||
|
OpalEndSession(Session);
|
||||||
|
if (Ret != TcgResultSuccess || MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
DEBUG ((DEBUG_INFO, "set new admin SP Password failed\n"));
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
Ret = OpalStartSession(
|
||||||
|
Session,
|
||||||
|
OPAL_UID_LOCKING_SP,
|
||||||
|
TRUE,
|
||||||
|
OldPasswordLength,
|
||||||
|
OldPassword,
|
||||||
|
OPAL_LOCKING_SP_ADMIN1_AUTHORITY,
|
||||||
|
&MethodStatus
|
||||||
|
);
|
||||||
|
if (Ret != TcgResultSuccess || MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
DEBUG ((DEBUG_INFO, "start session with locking SP using old Password failed\n"));
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
//
|
||||||
|
// Update admin locking SP to new pw
|
||||||
|
//
|
||||||
|
Ret = OpalSetPassword(Session, OPAL_LOCKING_SP_C_PIN_ADMIN1, NewPassword, NewPasswordLength, &MethodStatus);
|
||||||
|
OpalEndSession(Session);
|
||||||
|
if (Ret != TcgResultSuccess || MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
DEBUG ((DEBUG_INFO, "set new locking SP Password failed\n"));
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
done:
|
||||||
|
if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
Ret = TcgResultFailure;
|
||||||
|
}
|
||||||
|
return Ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
Starts a session with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_USER1_AUTHORITY or OPAL_LOCKING_SP_ADMIN1_AUTHORITY
|
||||||
|
and sets the User1 SP authority to enabled and sets the User1 password.
|
||||||
|
|
||||||
|
@param[in] Session, The session info for one opal device.
|
||||||
|
@param[in] OldPassword Current admin password
|
||||||
|
@param[in] OldPasswordLength Length of current admin password in bytes
|
||||||
|
@param[in] NewPassword New admin password to set
|
||||||
|
@param[in] NewPasswordLength Length of new password in bytes
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalUtilSetUserPassword(
|
||||||
|
OPAL_SESSION *Session,
|
||||||
|
const VOID *OldPassword,
|
||||||
|
UINT32 OldPasswordLength,
|
||||||
|
const VOID *NewPassword,
|
||||||
|
UINT32 NewPasswordLength
|
||||||
|
)
|
||||||
|
{
|
||||||
|
UINT8 MethodStatus;
|
||||||
|
TCG_RESULT Ret;
|
||||||
|
|
||||||
|
NULL_CHECK(Session);
|
||||||
|
NULL_CHECK(OldPassword);
|
||||||
|
NULL_CHECK(NewPassword);
|
||||||
|
|
||||||
|
//
|
||||||
|
// See if updating user1 authority
|
||||||
|
//
|
||||||
|
Ret = OpalStartSession(
|
||||||
|
Session,
|
||||||
|
OPAL_UID_LOCKING_SP,
|
||||||
|
TRUE,
|
||||||
|
OldPasswordLength,
|
||||||
|
OldPassword,
|
||||||
|
OPAL_LOCKING_SP_USER1_AUTHORITY,
|
||||||
|
&MethodStatus
|
||||||
|
);
|
||||||
|
if (Ret == TcgResultSuccess && MethodStatus == TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
Ret = OpalSetPassword(
|
||||||
|
Session,
|
||||||
|
OPAL_LOCKING_SP_C_PIN_USER1,
|
||||||
|
NewPassword,
|
||||||
|
NewPasswordLength,
|
||||||
|
&MethodStatus
|
||||||
|
);
|
||||||
|
OpalEndSession(Session);
|
||||||
|
if (Ret == TcgResultSuccess && MethodStatus == TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
return Ret;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
//
|
||||||
|
// Setting Password for first time or setting Password as admin
|
||||||
|
//
|
||||||
|
|
||||||
|
//
|
||||||
|
// Start session with Locking SP using current admin Password
|
||||||
|
//
|
||||||
|
Ret = OpalStartSession(
|
||||||
|
Session,
|
||||||
|
OPAL_UID_LOCKING_SP,
|
||||||
|
TRUE,
|
||||||
|
OldPasswordLength,
|
||||||
|
OldPassword,
|
||||||
|
OPAL_LOCKING_SP_ADMIN1_AUTHORITY,
|
||||||
|
&MethodStatus
|
||||||
|
);
|
||||||
|
if (Ret != TcgResultSuccess || MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
DEBUG ((DEBUG_INFO, "StartSession with locking SP as admin1 authority failed\n"));
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
//
|
||||||
|
// Enable User1 and set its PIN
|
||||||
|
//
|
||||||
|
Ret = OpalSetLockingSpAuthorityEnabledAndPin(
|
||||||
|
Session,
|
||||||
|
OPAL_LOCKING_SP_C_PIN_USER1,
|
||||||
|
OPAL_LOCKING_SP_USER1_AUTHORITY,
|
||||||
|
NewPassword,
|
||||||
|
NewPasswordLength,
|
||||||
|
&MethodStatus
|
||||||
|
);
|
||||||
|
OpalEndSession(Session);
|
||||||
|
if (Ret != TcgResultSuccess || MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
DEBUG ((DEBUG_INFO, "OpalSetLockingSpAuthorityEnabledAndPin failed\n"));
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
done:
|
||||||
|
if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
Ret = TcgResultFailure;
|
||||||
|
}
|
||||||
|
return Ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
Verify whether user input the correct password.
|
||||||
|
|
||||||
|
@param[in] Session, The session info for one opal device.
|
||||||
|
@param[in] Password Admin password
|
||||||
|
@param[in] PasswordLength Length of password in bytes
|
||||||
|
@param[in/out] HostSigningAuthority Use the Host signing authority type.
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalUtilVerifyPassword (
|
||||||
|
OPAL_SESSION *Session,
|
||||||
|
const VOID *Password,
|
||||||
|
UINT32 PasswordLength,
|
||||||
|
TCG_UID HostSigningAuthority
|
||||||
|
)
|
||||||
|
{
|
||||||
|
TCG_RESULT Ret;
|
||||||
|
UINT8 MethodStatus;
|
||||||
|
|
||||||
|
NULL_CHECK(Session);
|
||||||
|
NULL_CHECK(Password);
|
||||||
|
|
||||||
|
Ret = OpalStartSession(
|
||||||
|
Session,
|
||||||
|
OPAL_UID_LOCKING_SP,
|
||||||
|
TRUE,
|
||||||
|
PasswordLength,
|
||||||
|
Password,
|
||||||
|
HostSigningAuthority,
|
||||||
|
&MethodStatus);
|
||||||
|
if (Ret == TcgResultSuccess && MethodStatus == TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
OpalEndSession(Session);
|
||||||
|
return TcgResultSuccess;
|
||||||
|
}
|
||||||
|
|
||||||
|
return TcgResultFailure;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
Starts a session with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_USER1_AUTHORITY or OPAL_LOCKING_SP_ADMIN1_AUTHORITY
|
||||||
|
and generates a new global locking range key to erase the Data.
|
||||||
|
|
||||||
|
@param[in] Session, The session info for one opal device.
|
||||||
|
@param[in] Password Admin or user password
|
||||||
|
@param[in] PasswordLength Length of password in bytes
|
||||||
|
@param[in/out] PasswordFailed indicates if password failed (start session didn't work)
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalUtilSecureErase(
|
||||||
|
OPAL_SESSION *Session,
|
||||||
|
const VOID *Password,
|
||||||
|
UINT32 PasswordLength,
|
||||||
|
BOOLEAN *PasswordFailed
|
||||||
|
)
|
||||||
|
{
|
||||||
|
UINT8 MethodStatus;
|
||||||
|
TCG_RESULT Ret;
|
||||||
|
|
||||||
|
NULL_CHECK(Session);
|
||||||
|
NULL_CHECK(Password);
|
||||||
|
NULL_CHECK(PasswordFailed);
|
||||||
|
|
||||||
|
//
|
||||||
|
// Try to generate a new key with admin1
|
||||||
|
//
|
||||||
|
Ret = OpalStartSession(
|
||||||
|
Session,
|
||||||
|
OPAL_UID_LOCKING_SP,
|
||||||
|
TRUE,
|
||||||
|
PasswordLength,
|
||||||
|
Password,
|
||||||
|
OPAL_LOCKING_SP_ADMIN1_AUTHORITY,
|
||||||
|
&MethodStatus
|
||||||
|
);
|
||||||
|
|
||||||
|
if (Ret == TcgResultSuccess && MethodStatus == TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
Ret = OpalGlobalLockingRangeGenKey(Session, &MethodStatus);
|
||||||
|
*PasswordFailed = FALSE;
|
||||||
|
OpalEndSession(Session);
|
||||||
|
} else {
|
||||||
|
//
|
||||||
|
// Try to generate a new key with user1
|
||||||
|
//
|
||||||
|
Ret = OpalStartSession(
|
||||||
|
Session,
|
||||||
|
OPAL_UID_LOCKING_SP,
|
||||||
|
TRUE,
|
||||||
|
PasswordLength,
|
||||||
|
Password,
|
||||||
|
OPAL_LOCKING_SP_USER1_AUTHORITY,
|
||||||
|
&MethodStatus
|
||||||
|
);
|
||||||
|
|
||||||
|
if (Ret == TcgResultSuccess && MethodStatus == TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
Ret = OpalGlobalLockingRangeGenKey(Session, &MethodStatus);
|
||||||
|
*PasswordFailed = FALSE;
|
||||||
|
OpalEndSession(Session);
|
||||||
|
} else {
|
||||||
|
*PasswordFailed = TRUE;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
Ret = TcgResultFailure;
|
||||||
|
}
|
||||||
|
return Ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
Starts a session with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_ADMIN1_AUTHORITY and disables the User1 authority.
|
||||||
|
|
||||||
|
@param[in] Session, The session info for one opal device.
|
||||||
|
@param[in] Password Admin password
|
||||||
|
@param[in] PasswordLength Length of password in bytes
|
||||||
|
@param[in/out] PasswordFailed indicates if password failed (start session didn't work)
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalUtilDisableUser(
|
||||||
|
OPAL_SESSION *Session,
|
||||||
|
const VOID *Password,
|
||||||
|
UINT32 PasswordLength,
|
||||||
|
BOOLEAN *PasswordFailed
|
||||||
|
)
|
||||||
|
{
|
||||||
|
UINT8 MethodStatus;
|
||||||
|
TCG_RESULT Ret;
|
||||||
|
|
||||||
|
NULL_CHECK(Session);
|
||||||
|
NULL_CHECK(Password);
|
||||||
|
NULL_CHECK(PasswordFailed);
|
||||||
|
|
||||||
|
//
|
||||||
|
// Start session with Locking SP using current admin Password
|
||||||
|
//
|
||||||
|
Ret = OpalStartSession(
|
||||||
|
Session,
|
||||||
|
OPAL_UID_LOCKING_SP,
|
||||||
|
TRUE,
|
||||||
|
PasswordLength,
|
||||||
|
Password,
|
||||||
|
OPAL_LOCKING_SP_ADMIN1_AUTHORITY,
|
||||||
|
&MethodStatus
|
||||||
|
);
|
||||||
|
if (Ret != TcgResultSuccess || MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
DEBUG ((DEBUG_INFO, "StartSession with Locking SP as Admin1 failed\n"));
|
||||||
|
*PasswordFailed = TRUE;
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
*PasswordFailed = FALSE;
|
||||||
|
Ret = OpalDisableUser(Session, &MethodStatus);
|
||||||
|
OpalEndSession(Session);
|
||||||
|
|
||||||
|
done:
|
||||||
|
if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
Ret = TcgResultFailure;
|
||||||
|
}
|
||||||
|
return Ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
Opens a session with OPAL_UID_ADMIN_SP as OPAL_ADMIN_SP_PSID_AUTHORITY, then reverts the device using the RevertSP method.
|
||||||
|
|
||||||
|
@param[in] Session, The session info for one opal device.
|
||||||
|
@param[in] KeepUserData TRUE to keep existing Data on the disk, or FALSE to erase it
|
||||||
|
@param[in] Password Admin password
|
||||||
|
@param[in] PasswordLength Length of password in bytes
|
||||||
|
@param[in/out] PasswordFailed indicates if password failed (start session didn't work)
|
||||||
|
@param[in] Msid Msid info.
|
||||||
|
@param[in] MsidLength Msid data length.
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalUtilRevert(
|
||||||
|
OPAL_SESSION *Session,
|
||||||
|
BOOLEAN KeepUserData,
|
||||||
|
const VOID *Password,
|
||||||
|
UINT32 PasswordLength,
|
||||||
|
BOOLEAN *PasswordFailed,
|
||||||
|
UINT8 *Msid,
|
||||||
|
UINT32 MsidLength
|
||||||
|
)
|
||||||
|
{
|
||||||
|
UINT8 MethodStatus;
|
||||||
|
TCG_RESULT Ret;
|
||||||
|
|
||||||
|
NULL_CHECK(Session);
|
||||||
|
NULL_CHECK(Msid);
|
||||||
|
NULL_CHECK(Password);
|
||||||
|
NULL_CHECK(PasswordFailed);
|
||||||
|
|
||||||
|
Ret = OpalStartSession(
|
||||||
|
Session,
|
||||||
|
OPAL_UID_LOCKING_SP,
|
||||||
|
TRUE,
|
||||||
|
PasswordLength,
|
||||||
|
Password,
|
||||||
|
OPAL_LOCKING_SP_ADMIN1_AUTHORITY,
|
||||||
|
&MethodStatus
|
||||||
|
);
|
||||||
|
|
||||||
|
if (Ret != TcgResultSuccess || MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
DEBUG ((DEBUG_INFO, "error starting session: Ret=%d, MethodStatus=%u\n", Ret, MethodStatus));
|
||||||
|
*PasswordFailed = TRUE;
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
*PasswordFailed = FALSE;
|
||||||
|
//
|
||||||
|
// Try to revert with admin1
|
||||||
|
//
|
||||||
|
Ret = OpalAdminRevert(Session, KeepUserData, &MethodStatus);
|
||||||
|
if (Ret != TcgResultSuccess || MethodStatus == TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
//
|
||||||
|
// Device ends the session on successful revert, so only call OpalEndSession when fail.
|
||||||
|
//
|
||||||
|
DEBUG ((DEBUG_INFO, "OpalAdminRevert as admin failed\n"));
|
||||||
|
OpalEndSession(Session);
|
||||||
|
}
|
||||||
|
|
||||||
|
Ret = OpalUtilSetSIDtoMSID (Session, Password, PasswordLength, Msid, MsidLength);
|
||||||
|
|
||||||
|
done:
|
||||||
|
if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
Ret = TcgResultFailure;
|
||||||
|
}
|
||||||
|
return Ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
After revert success, set SID to MSID.
|
||||||
|
|
||||||
|
@param Session, The session info for one opal device.
|
||||||
|
@param Password, Input password info.
|
||||||
|
@param PasswordLength, Input password length.
|
||||||
|
@param Msid Msid info.
|
||||||
|
@param MsidLength Msid data length.
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalUtilSetSIDtoMSID (
|
||||||
|
OPAL_SESSION *Session,
|
||||||
|
const VOID *Password,
|
||||||
|
UINT32 PasswordLength,
|
||||||
|
UINT8 *Msid,
|
||||||
|
UINT32 MsidLength
|
||||||
|
)
|
||||||
|
{
|
||||||
|
TCG_RESULT Ret;
|
||||||
|
UINT8 MethodStatus;
|
||||||
|
|
||||||
|
NULL_CHECK(Session);
|
||||||
|
NULL_CHECK(Msid);
|
||||||
|
NULL_CHECK(Password);
|
||||||
|
|
||||||
|
//
|
||||||
|
// Start session with admin sp to update SID to MSID
|
||||||
|
//
|
||||||
|
Ret = OpalStartSession(
|
||||||
|
Session,
|
||||||
|
OPAL_UID_ADMIN_SP,
|
||||||
|
TRUE,
|
||||||
|
PasswordLength,
|
||||||
|
Password,
|
||||||
|
OPAL_ADMIN_SP_SID_AUTHORITY,
|
||||||
|
&MethodStatus
|
||||||
|
);
|
||||||
|
if (Ret != TcgResultSuccess || MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
//
|
||||||
|
// Update SID pin
|
||||||
|
//
|
||||||
|
Ret = OpalSetPassword(Session, OPAL_UID_ADMIN_SP_C_PIN_SID, Msid, MsidLength, &MethodStatus);
|
||||||
|
OpalEndSession(Session);
|
||||||
|
|
||||||
|
done:
|
||||||
|
if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
Ret = TcgResultFailure;
|
||||||
|
}
|
||||||
|
|
||||||
|
return Ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
Update global locking range.
|
||||||
|
|
||||||
|
@param Session, The session info for one opal device.
|
||||||
|
@param Password, Input password info.
|
||||||
|
@param PasswordLength, Input password length.
|
||||||
|
@param ReadLocked, Read lock info.
|
||||||
|
@param WriteLocked write lock info.
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalUtilUpdateGlobalLockingRange(
|
||||||
|
OPAL_SESSION *Session,
|
||||||
|
const VOID *Password,
|
||||||
|
UINT32 PasswordLength,
|
||||||
|
BOOLEAN ReadLocked,
|
||||||
|
BOOLEAN WriteLocked
|
||||||
|
)
|
||||||
|
{
|
||||||
|
UINT8 MethodStatus;
|
||||||
|
TCG_RESULT Ret;
|
||||||
|
|
||||||
|
NULL_CHECK(Session);
|
||||||
|
NULL_CHECK(Password);
|
||||||
|
|
||||||
|
//
|
||||||
|
// Try to start session with Locking SP as admin1 authority
|
||||||
|
//
|
||||||
|
Ret = OpalStartSession(
|
||||||
|
Session,
|
||||||
|
OPAL_UID_LOCKING_SP,
|
||||||
|
TRUE,
|
||||||
|
PasswordLength,
|
||||||
|
Password,
|
||||||
|
OPAL_LOCKING_SP_ADMIN1_AUTHORITY,
|
||||||
|
&MethodStatus
|
||||||
|
);
|
||||||
|
if (Ret == TcgResultSuccess && MethodStatus == TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
Ret = OpalUpdateGlobalLockingRange(
|
||||||
|
Session,
|
||||||
|
ReadLocked,
|
||||||
|
WriteLocked,
|
||||||
|
&MethodStatus
|
||||||
|
);
|
||||||
|
OpalEndSession(Session);
|
||||||
|
if (Ret == TcgResultSuccess && MethodStatus == TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (MethodStatus == TCG_METHOD_STATUS_CODE_AUTHORITY_LOCKED_OUT) {
|
||||||
|
DEBUG ((DEBUG_INFO, "unlock as admin failed with AUTHORITY_LOCKED_OUT\n"));
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
//
|
||||||
|
// Try user1 authority
|
||||||
|
//
|
||||||
|
Ret = OpalStartSession(
|
||||||
|
Session,
|
||||||
|
OPAL_UID_LOCKING_SP,
|
||||||
|
TRUE,
|
||||||
|
PasswordLength,
|
||||||
|
Password,
|
||||||
|
OPAL_LOCKING_SP_USER1_AUTHORITY,
|
||||||
|
&MethodStatus
|
||||||
|
);
|
||||||
|
if (Ret != TcgResultSuccess || MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
DEBUG ((DEBUG_INFO, "StartSession with Locking SP as User1 failed\n"));
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
Ret = OpalUpdateGlobalLockingRange(Session, ReadLocked, WriteLocked, &MethodStatus);
|
||||||
|
OpalEndSession(Session);
|
||||||
|
|
||||||
|
done:
|
||||||
|
if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
Ret = TcgResultFailure;
|
||||||
|
}
|
||||||
|
return Ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
Update global locking range.
|
||||||
|
|
||||||
|
@param Session, The session info for one opal device.
|
||||||
|
@param Msid, The data buffer to save Msid info.
|
||||||
|
@param MsidBufferLength, The data buffer length for Msid.
|
||||||
|
@param MsidLength, The actual data length for Msid.
|
||||||
|
|
||||||
|
**/
|
||||||
|
TCG_RESULT
|
||||||
|
EFIAPI
|
||||||
|
OpalUtilGetMsid(
|
||||||
|
OPAL_SESSION *Session,
|
||||||
|
UINT8 *Msid,
|
||||||
|
UINT32 MsidBufferLength,
|
||||||
|
UINT32 *MsidLength
|
||||||
|
)
|
||||||
|
{
|
||||||
|
UINT8 MethodStatus;
|
||||||
|
TCG_RESULT Ret;
|
||||||
|
|
||||||
|
NULL_CHECK(Session);
|
||||||
|
NULL_CHECK(Msid);
|
||||||
|
NULL_CHECK(MsidLength);
|
||||||
|
|
||||||
|
Ret = OpalStartSession(
|
||||||
|
Session,
|
||||||
|
OPAL_UID_ADMIN_SP,
|
||||||
|
TRUE,
|
||||||
|
0,
|
||||||
|
NULL,
|
||||||
|
TCG_UID_NULL,
|
||||||
|
&MethodStatus
|
||||||
|
);
|
||||||
|
if ((Ret == TcgResultSuccess) && (MethodStatus == TCG_METHOD_STATUS_CODE_SUCCESS)) {
|
||||||
|
Ret = OpalGetMsid (Session, MsidBufferLength, Msid, MsidLength);
|
||||||
|
OpalEndSession (Session);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {
|
||||||
|
Ret = TcgResultFailure;
|
||||||
|
}
|
||||||
|
|
||||||
|
return Ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
|
||||||
|
The function determines who owns the device by attempting to start a session with different credentials.
|
||||||
|
If the SID PIN matches the MSID PIN, the no one owns the device.
|
||||||
|
If the SID PIN matches the ourSidPin, then "Us" owns the device. Otherwise it is unknown.
|
||||||
|
|
||||||
|
|
||||||
|
@param[in] Session The session info for one opal device.
|
||||||
|
@param Msid, The Msid info.
|
||||||
|
@param MsidLength, The data length for Msid.
|
||||||
|
|
||||||
|
**/
|
||||||
|
OPAL_OWNER_SHIP
|
||||||
|
EFIAPI
|
||||||
|
OpalUtilDetermineOwnership(
|
||||||
|
OPAL_SESSION *Session,
|
||||||
|
UINT8 *Msid,
|
||||||
|
UINT32 MsidLength
|
||||||
|
)
|
||||||
|
{
|
||||||
|
UINT8 MethodStatus;
|
||||||
|
TCG_RESULT Ret;
|
||||||
|
OPAL_OWNER_SHIP Owner;
|
||||||
|
|
||||||
|
NULL_CHECK(Session);
|
||||||
|
NULL_CHECK(Msid);
|
||||||
|
|
||||||
|
Owner = OpalOwnershipUnknown;
|
||||||
|
//
|
||||||
|
// Start Session as SID_UID with ADMIN_SP using MSID PIN
|
||||||
|
//
|
||||||
|
Ret = OpalStartSession(
|
||||||
|
Session,
|
||||||
|
OPAL_UID_ADMIN_SP,
|
||||||
|
TRUE,
|
||||||
|
MsidLength,
|
||||||
|
Msid,
|
||||||
|
OPAL_ADMIN_SP_SID_AUTHORITY,
|
||||||
|
&MethodStatus);
|
||||||
|
if ((Ret == TcgResultSuccess) && (MethodStatus == TCG_METHOD_STATUS_CODE_SUCCESS)) {
|
||||||
|
//
|
||||||
|
// now we know that SID PIN == MSID PIN
|
||||||
|
//
|
||||||
|
Owner = OpalOwnershipNobody;
|
||||||
|
|
||||||
|
OpalEndSession(Session);
|
||||||
|
}
|
||||||
|
|
||||||
|
return Owner;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
|
||||||
|
The function returns if admin password exists.
|
||||||
|
|
||||||
|
@param[in] OwnerShip The owner ship of the opal device.
|
||||||
|
@param[in] LockingFeature The locking info of the opal device.
|
||||||
|
|
||||||
|
@retval TRUE Admin password existed.
|
||||||
|
@retval FALSE Admin password not existed.
|
||||||
|
|
||||||
|
**/
|
||||||
|
BOOLEAN
|
||||||
|
EFIAPI
|
||||||
|
OpalUtilAdminPasswordExists(
|
||||||
|
IN UINT16 OwnerShip,
|
||||||
|
IN TCG_LOCKING_FEATURE_DESCRIPTOR *LockingFeature
|
||||||
|
)
|
||||||
|
{
|
||||||
|
NULL_CHECK(LockingFeature);
|
||||||
|
|
||||||
|
// if it is Unknown who owns the device
|
||||||
|
// then someone has set password previously through our UI
|
||||||
|
// because the SID would no longer match the generated SID (ownership us)
|
||||||
|
// or someone has set password using 3rd party software
|
||||||
|
|
||||||
|
//
|
||||||
|
// Locking sp enabled is checked b/c it must be enabled to change the PIN of the Admin1.
|
||||||
|
//
|
||||||
|
return (OwnerShip == OpalOwnershipUnknown && LockingFeature->LockingEnabled);
|
||||||
|
}
|
||||||
|
|
Loading…
Reference in New Issue