SecurityPkg/HddPassword: Add a PCD to skip Hdd password prompt

https://bugzilla.tianocore.org/show_bug.cgi?id=1876 Add a PCD for skipping Hdd password prompt. If device is in the locked status while attempting to skip password prompt, device will keep locked and system continue to boot. If device is in the unlocked status while attempting to skip password prompt, system will be forced shutdown. Signed-off-by: Maggie Chu <maggie.chu@intel.com> Cc: Chao Zhang <chao.b.zhang@intel.com> Cc: Jiewen Yao <jiewen.yao@intel.com> Reviewed-by: Eric Dong <eric.dong@intel.com>
2019-06-10 18:19:27 +08:00 · 2019-06-10 18:19:27 +08:00 · 9e2416ae2e
parent e5b4d825af
commit 9e2416ae2e
3 changed files with 26 additions and 0 deletions
--- a/SecurityPkg/HddPassword/HddPasswordDxe.c
+++ b/SecurityPkg/HddPassword/HddPasswordDxe.c
@ -1345,6 +1345,22 @@ HddPasswordRequestPassword (
  //
  if ((ConfigFormEntry->IfrData.SecurityStatus.Supported) &&
      (ConfigFormEntry->IfrData.SecurityStatus.Enabled)) {
+
+     //
+     // Add PcdSkipHddPasswordPrompt to determin whether to skip password prompt.
+     // Due to board design, device may not power off during system warm boot, which result in
+     // security status remain unlocked status, hence we add device security status check here.
+     //
+     // If device is in the locked status, device keeps locked and system continues booting.
+     // If device is in the unlocked status, system is forced shutdown for security concern.
+     //
+     if (PcdGetBool (PcdSkipHddPasswordPrompt)) {
+       if (ConfigFormEntry->IfrData.SecurityStatus.Locked) {
+         return;
+       } else {
+         gRT->ResetSystem (EfiResetShutdown, EFI_SUCCESS, 0, NULL);
+       }
+    }
    //
    // As soon as the HDD password is in enabled state, we pop up a window to unlock hdd
    // no matter it's really in locked or unlocked state.
--- a/SecurityPkg/HddPassword/HddPasswordDxe.inf
+++ b/SecurityPkg/HddPassword/HddPasswordDxe.inf
@ -34,6 +34,7 @@
  MdePkg/MdePkg.dec
  MdeModulePkg/MdeModulePkg.dec
  CryptoPkg/CryptoPkg.dec
+  SecurityPkg/SecurityPkg.dec

 [LibraryClasses]
  BaseLib
@ -64,6 +65,9 @@
  gEfiPciIoProtocolGuid                         ## CONSUMES
  gEdkiiVariableLockProtocolGuid                ## CONSUMES

+[Pcd]
+  gEfiSecurityPkgTokenSpaceGuid.PcdSkipHddPasswordPrompt  ## CONSUMES
+
 [Depex]
  gEfiVariableWriteArchProtocolGuid

--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@ -428,6 +428,12 @@
  # @Prompt Skip Opal DXE driver password prompt.
  gEfiSecurityPkgTokenSpaceGuid.PcdSkipOpalPasswordPrompt|FALSE|BOOLEAN|0x00010020

+  ## Indicates if Hdd Password driver skip password prompt.<BR><BR>
+  #   TRUE  - Skip password prompt.<BR>
+  #   FALSE - Does not skip password prompt.<BR>
+  # @Prompt Skip Hdd Password prompt.
+  gEfiSecurityPkgTokenSpaceGuid.PcdSkipHddPasswordPrompt|FALSE|BOOLEAN|0x00010021
+
 [PcdsDynamic, PcdsDynamicEx]

  ## This PCD indicates Hash mask for TPM 2.0. Bit definition strictly follows TCG Algorithm Registry.<BR><BR>