tyler.durden/audk
1
0
Fork 0
mirror of https://github.com/acidanthera/audk.git synced 2025-04-08 17:05:09 +02:00
Code Issues Packages Projects Releases Wiki Activity

SecurityPkg: Add DxeTcgPhysicalPresenceStorageLib.

Browse Source 
Tcg Physical Presence spec defined some actions used
for storage device. Add Dxe version library to handles
 these actions.

Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
This commit is contained in:
Eric Dong 2016-11-16 13:49:50 +08:00 committed by Star Zeng
parent 132b73dd5c
commit b54946e0fc
11 changed files with 1729 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

504
SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/DxeTcg2PhysicalPresenceStorage.c Normal file
View File

@ -0,0 +1,504 @@
/** @file
Tcg PP storage library instance that does support any storage specific PPI.
Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#include <PiDxe.h>
#include <Guid/Tcg2PhysicalPresenceData.h>
#include <Guid/TcgPhysicalPresenceStorageData.h>
#include <IndustryStandard/TcgPhysicalPresence.h>
#include <Protocol/VariableLock.h>
#include <Library/DebugLib.h>
#include <Library/BaseMemoryLib.h>
#include <Library/UefiRuntimeServicesTableLib.h>
#include <Library/UefiDriverEntryPoint.h>
#include <Library/UefiBootServicesTableLib.h>
#include <Library/UefiLib.h>
#include <Library/MemoryAllocationLib.h>
#include <Library/PrintLib.h>
#include <Library/HiiLib.h>
#include <Library/HobLib.h>
#include <Library/Tcg2PhysicalPresenceLib.h>
#include <Library/TcgPhysicalPresenceStorageLib.h>
#include "DxeTcgPhysicalPresenceStorageLibInternal.h"
/**
Display the confirm text and get user confirmation.
@param[in] OperationRequest TPM physical presence operation request.
@param[in] ManagementFlags BIOS TPM Management Flags.
@retval TRUE The user need to confirme the changes.
@retval FALSE The user doesn't need to confirme the changes.
**/
BOOLEAN
Tcg2PpNeedUserConfirm (
IN UINT8 OperationRequest,
IN UINT32 ManagementFlags
)
{
BOOLEAN NeedUserConfirm;
NeedUserConfirm = FALSE;
switch (OperationRequest) {
case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID:
if ((ManagementFlags & TCG_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_BLOCK_SID) != 0) {
NeedUserConfirm = TRUE;
}
break;
case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID:
if ((ManagementFlags & TCG_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_BLOCK_SID) != 0) {
NeedUserConfirm = TRUE;
}
break;
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_TRUE:
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_TRUE:
NeedUserConfirm = TRUE;
break;
default:
break;
}
return NeedUserConfirm;
}
/**
The handler for TPM physical presence function:
Submit TPM Operation Request to Pre-OS Environment and
Submit TPM Operation Request to Pre-OS Environment 2.
Caution: This function may receive untrusted input.
@param[in] OperationRequest TPM physical presence operation request.
@param[in] RequestParameter TPM physical presence operation request parameter.
@return Return Code for Submit TPM Operation Request to Pre-OS Environment and
Submit TPM Operation Request to Pre-OS Environment 2.
**/
UINT32
EFIAPI
Tcg2SubmitStorageRequest (
IN UINT32 OperationRequest,
IN UINT32 RequestParameter
)
{
EFI_STATUS Status;
UINTN DataSize;
EFI_TCG2_PHYSICAL_PRESENCE PpData;
DEBUG ((EFI_D_INFO, "[TPM Storage] SubmitRequestToPreOSFunction, Request = %x, %x\n", OperationRequest, RequestParameter));
//
// Get the Physical Presence storage variable
//
DataSize = sizeof (EFI_TCG2_PHYSICAL_PRESENCE);
Status = gRT->GetVariable (
TCG2_PHYSICAL_PRESENCE_VARIABLE,
&gEfiTcg2PhysicalPresenceGuid,
NULL,
&DataSize,
&PpData
);
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "[TPM Storage] Get PP variable failure! Status = %r\n", Status));
return TCG_PP_SUBMIT_REQUEST_TO_PREOS_GENERAL_FAILURE;
}
if ((OperationRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) &&
(OperationRequest < TCG2_PHYSICAL_PRESENCE_STORAGE_MANAGEMENT_BEGIN) ) {
//
// This library only support storage related actions.
//
return TCG_PP_SUBMIT_REQUEST_TO_PREOS_NOT_IMPLEMENTED;
}
if ((PpData.PPRequest != OperationRequest) ||
(PpData.PPRequestParameter != RequestParameter)) {
PpData.PPRequest = (UINT8)OperationRequest;
PpData.PPRequestParameter = RequestParameter;
DataSize = sizeof (EFI_TCG2_PHYSICAL_PRESENCE);
Status = gRT->SetVariable (
TCG2_PHYSICAL_PRESENCE_VARIABLE,
&gEfiTcg2PhysicalPresenceGuid,
EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
DataSize,
&PpData
);
}
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "[TPM2] Set PP variable failure! Status = %r\n", Status));
return TCG_PP_SUBMIT_REQUEST_TO_PREOS_GENERAL_FAILURE;
}
return TCG_PP_SUBMIT_REQUEST_TO_PREOS_SUCCESS;
}
/**
Check if the pending TPM request needs user input to confirm.
The TPM request may come from OS. This API will check if TPM request exists and need user
input to confirmation.
@retval TRUE TPM needs input to confirm user physical presence.
@retval FALSE TPM doesn't need input to confirm user physical presence.
**/
BOOLEAN
EFIAPI
Tcg2NeedUserConfirm(
VOID
)
{
EFI_STATUS Status;
EFI_TCG2_PHYSICAL_PRESENCE TcgPpData;
UINTN DataSize;
EFI_TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS PpiFlags;
//
// Check S4 resume
//
if (GetBootModeHob () == BOOT_ON_S4_RESUME) {
DEBUG ((EFI_D_INFO, "S4 Resume, Skip TPM PP process!\n"));
return FALSE;
}
//
// Check Tpm requests
//
DataSize = sizeof (EFI_TCG2_PHYSICAL_PRESENCE);
Status = gRT->GetVariable (
TCG2_PHYSICAL_PRESENCE_VARIABLE,
&gEfiTcg2PhysicalPresenceGuid,
NULL,
&DataSize,
&TcgPpData
);
if (EFI_ERROR (Status)) {
return FALSE;
}
DataSize = sizeof (EFI_TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS);
Status = gRT->GetVariable (
TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS_VARIABLE,
&gEfiTcgPhysicalPresenceStorageGuid,
NULL,
&DataSize,
&PpiFlags
);
if (EFI_ERROR (Status)) {
PpiFlags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT;
}
if ((TcgPpData.PPRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) &&
(TcgPpData.PPRequest < TCG2_PHYSICAL_PRESENCE_STORAGE_MANAGEMENT_BEGIN)) {
//
// This library only support storage related actions.
//
return FALSE;
}
return Tcg2PpNeedUserConfirm(TcgPpData.PPRequest, PpiFlags.PPFlags);
}
/**
The handler for TPM physical presence function:
Return TPM Operation Response to OS Environment.
@param[out] MostRecentRequest Most recent operation request.
@param[out] Response Response to the most recent operation request.
@return Return Code for Return TPM Operation Response to OS Environment.
**/
UINT32
EFIAPI
Tcg2ReturnOperationResponseToOsFunction (
OUT UINT32 *MostRecentRequest,
OUT UINT32 *Response
)
{
EFI_STATUS Status;
UINTN DataSize;
EFI_TCG2_PHYSICAL_PRESENCE PpData;
DEBUG ((EFI_D_INFO, "[TPM Storage] ReturnOperationResponseToOsFunction\n"));
//
// Get the Physical Presence variable
//
DataSize = sizeof (EFI_TCG2_PHYSICAL_PRESENCE);
Status = gRT->GetVariable (
TCG2_PHYSICAL_PRESENCE_VARIABLE,
&gEfiTcg2PhysicalPresenceGuid,
NULL,
&DataSize,
&PpData
);
if (EFI_ERROR (Status)) {
*MostRecentRequest = 0;
*Response = 0;
DEBUG ((EFI_D_ERROR, "[TPM Storage] Get PP variable failure! Status = %r\n", Status));
return TCG_PP_RETURN_TPM_OPERATION_RESPONSE_FAILURE;
}
*MostRecentRequest = PpData.LastPPRequest;
*Response = PpData.PPResponse;
return TCG_PP_RETURN_TPM_OPERATION_RESPONSE_SUCCESS;
}
/**
Check and execute the requested physical presence command.
This API should be invoked in BIOS boot phase to process pending request.
Caution: This function may receive untrusted input.
If OperationRequest < 128, then ASSERT().
@param[in] OperationRequest TPM physical presence operation request.
@param[in, out] ManagementFlags BIOS TPM Management Flags.
@param[out] ResetRequired If reset is required to vendor settings in effect.
True, it indicates the reset is required.
False, it indicates the reset is not required.
@return TPM Operation Response to OS Environment.
**/
UINT32
Tcg2ExecutePendingRequest (
IN UINT8 OperationRequest,
IN OUT UINT32 *ManagementFlags,
OUT BOOLEAN *ResetRequired
)
{
ASSERT ((OperationRequest >= TCG2_PHYSICAL_PRESENCE_STORAGE_MANAGEMENT_BEGIN) &&
(OperationRequest < TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION));
if (Tcg2PpNeedUserConfirm(OperationRequest, *ManagementFlags)) {
if (!TcgPpUserConfirm (OperationRequest)) {
return TCG_PP_OPERATION_RESPONSE_USER_ABORT;
}
}
switch (OperationRequest) {
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_TRUE:
*ManagementFlags|= TCG_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_BLOCK_SID;
return TCG_PP_OPERATION_RESPONSE_SUCCESS;
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_FALSE:
*ManagementFlags &= ~TCG_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_BLOCK_SID;
return TCG_PP_OPERATION_RESPONSE_SUCCESS;
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_TRUE:
*ManagementFlags |= TCG_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_BLOCK_SID;
return TCG_PP_OPERATION_RESPONSE_SUCCESS;
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_FALSE:
*ManagementFlags &= ~TCG_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_BLOCK_SID;
return TCG_PP_OPERATION_RESPONSE_SUCCESS;
case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID:
*ManagementFlags |= TCG_BIOS_STORAGE_MANAGEMENT_FLAG_ENABLE_BLOCK_SID;
return TCG_PP_OPERATION_RESPONSE_SUCCESS;
case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID:
*ManagementFlags &= ~TCG_BIOS_STORAGE_MANAGEMENT_FLAG_ENABLE_BLOCK_SID;
return TCG_PP_OPERATION_RESPONSE_SUCCESS;
default:
break;
}
return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
}
/**
Check and execute the pending TPM request.
The TPM request may come from OS or BIOS. This API will display request information and wait
for user confirmation if TPM request exists. The TPM request will be sent to TPM device after
the TPM request is confirmed, and one or more reset may be required to make TPM request to
take effect.
This API should be invoked after console in and console out are all ready as they are required
to display request information and get user input to confirm the request.
@param[in] PlatformAuth platform auth value. NULL means no platform auth change.
**/
VOID
EFIAPI
Tcg2ProcessStorageRequest (
VOID
)
{
EFI_STATUS Status;
UINTN DataSize;
EFI_TCG2_PHYSICAL_PRESENCE TcgPpData;
EDKII_VARIABLE_LOCK_PROTOCOL *VariableLockProtocol;
EFI_TCG2_PHYSICAL_PRESENCE_FLAGS PpiFlags;
EFI_TCG2_PHYSICAL_PRESENCE_FLAGS NewPpiFlags;
BOOLEAN ResetRequired;
//
// Check S4 resume
//
if (GetBootModeHob () == BOOT_ON_S4_RESUME) {
DEBUG ((EFI_D_INFO, "S4 Resume, Skip TPM PP process!\n"));
return ;
}
//
// Initialize physical presence variable.
//
DataSize = sizeof (EFI_TCG2_PHYSICAL_PRESENCE);
Status = gRT->GetVariable (
TCG2_PHYSICAL_PRESENCE_VARIABLE,
&gEfiTcg2PhysicalPresenceGuid,
NULL,
&DataSize,
&TcgPpData
);
if (EFI_ERROR (Status)) {
ZeroMem ((VOID*)&TcgPpData, sizeof (TcgPpData));
DataSize = sizeof (EFI_TCG2_PHYSICAL_PRESENCE);
Status = gRT->SetVariable (
TCG2_PHYSICAL_PRESENCE_VARIABLE,
&gEfiTcg2PhysicalPresenceGuid,
EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
DataSize,
&TcgPpData
);
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "[TPM Storage] Set physical presence variable failed, Status = %r\n", Status));
return ;
}
}
if ((TcgPpData.PPRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) ||
(TcgPpData.PPRequest < TCG2_PHYSICAL_PRESENCE_STORAGE_MANAGEMENT_BEGIN) ) {
//
// This library only support storage related actions.
//
DEBUG ((EFI_D_INFO, "[TPM Storage] Only support TCG storage related PP actions, not support PPRequest=%x\n", TcgPpData.PPRequest));
return;
}
//
// Initialize physical presence flags.
//
DataSize = sizeof (EFI_TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS);
Status = gRT->GetVariable (
TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS_VARIABLE,
&gEfiTcgPhysicalPresenceStorageGuid,
NULL,
&DataSize,
&PpiFlags
);
if (EFI_ERROR (Status)) {
PpiFlags.PPFlags = TCG_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT;
Status = gRT->SetVariable (
TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS_VARIABLE,
&gEfiTcgPhysicalPresenceStorageGuid,
EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
sizeof (EFI_TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS),
&PpiFlags
);
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "[TPM Storage] Set physical presence flag failed, Status = %r\n", Status));
return ;
}
}
DEBUG ((EFI_D_INFO, "[TPM Storage] PpiFlags = %x\n", PpiFlags.PPFlags));
//
// This flags variable controls whether physical presence is required for TPM command.
// It should be protected from malicious software. We set it as read-only variable here.
//
Status = gBS->LocateProtocol (&gEdkiiVariableLockProtocolGuid, NULL, (VOID **)&VariableLockProtocol);
if (!EFI_ERROR (Status)) {
Status = VariableLockProtocol->RequestToLock (
VariableLockProtocol,
TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS_VARIABLE,
&gEfiTcgPhysicalPresenceStorageGuid
);
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "[TPM Storage] Error when lock variable %s, Status = %r\n", TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS_VARIABLE, Status));
ASSERT_EFI_ERROR (Status);
}
}
DEBUG ((EFI_D_INFO, "[TPM Storage] Flags=%x, PPRequest=%x (LastPPRequest=%x)\n", PpiFlags.PPFlags, TcgPpData.PPRequest, TcgPpData.LastPPRequest));
NewPpiFlags.PPFlags = PpiFlags.PPFlags;
ResetRequired = FALSE;
TcgPpData.PPResponse = TCG_PP_OPERATION_RESPONSE_USER_ABORT;
TcgPpData.PPResponse = Tcg2ExecutePendingRequest (TcgPpData.PPRequest, &NewPpiFlags.PPFlags, &ResetRequired);
DEBUG ((EFI_D_INFO, "[TPM Storage] PPResponse = %x (LastPPRequest=%x, Flags=%x)\n", TcgPpData.PPResponse, TcgPpData.LastPPRequest, PpiFlags.PPFlags));
if (TcgPpData.PPResponse == TCG_PP_OPERATION_RESPONSE_USER_ABORT) {
return;
}
//
// Save the flags if it is updated.
//
if (CompareMem (&PpiFlags, &NewPpiFlags, sizeof(EFI_TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS)) != 0) {
Status = gRT->SetVariable (
TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS_VARIABLE,
&gEfiTcgPhysicalPresenceStorageGuid,
EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
sizeof (EFI_TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS),
&NewPpiFlags
);
}
//
// Clear request
//
TcgPpData.LastPPRequest = TcgPpData.PPRequest;
TcgPpData.PPRequest = TCG2_PHYSICAL_PRESENCE_NO_ACTION;
TcgPpData.PPRequestParameter = 0;
//
// Save changes
//
DataSize = sizeof (EFI_TCG2_PHYSICAL_PRESENCE);
Status = gRT->SetVariable (
TCG2_PHYSICAL_PRESENCE_VARIABLE,
&gEfiTcg2PhysicalPresenceGuid,
EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
DataSize,
&TcgPpData
);
if (EFI_ERROR (Status)) {
return;
}
if (!ResetRequired) {
return;
}
Print (L"Rebooting system to make TPM2 settings in effect\n");
gRT->ResetSystem (EfiResetCold, EFI_SUCCESS, 0, NULL);
ASSERT (FALSE);
}

88
SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/DxeTcg2PhysicalPresenceStorage.h Normal file
View File

@ -0,0 +1,88 @@
/** @file
Tcg PP storage library instance that does support any storage specific PPI.
Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#ifndef _TCG2_PHYSICAL_PRESENCE_STORAGE_H_
#define _TCG2_PHYSICAL_PRESENCE_STORAGE_H_
/**
The handler for TPM physical presence function:
Submit TPM Operation Request to Pre-OS Environment and
Submit TPM Operation Request to Pre-OS Environment 2.
Caution: This function may receive untrusted input.
@param[in] OperationRequest TPM physical presence operation request.
@param[in] RequestParameter TPM physical presence operation request parameter.
@return Return Code for Submit TPM Operation Request to Pre-OS Environment and
Submit TPM Operation Request to Pre-OS Environment 2.
**/
UINT32
Tcg2SubmitStorageRequest (
IN UINT32 OperationRequest,
IN UINT32 RequestParameter
);
/**
Check if the pending TPM request needs user input to confirm.
The TPM request may come from OS. This API will check if TPM request exists and need user
input to confirmation.
@retval TRUE TPM needs input to confirm user physical presence.
@retval FALSE TPM doesn't need input to confirm user physical presence.
**/
BOOLEAN
Tcg2NeedUserConfirm(
VOID
);
/**
The handler for TPM physical presence function:
Return TPM Operation Response to OS Environment.
@param[out] MostRecentRequest Most recent operation request.
@param[out] Response Response to the most recent operation request.
@return Return Code for Return TPM Operation Response to OS Environment.
**/
UINT32
EFIAPI
Tcg2ReturnOperationResponseToOsFunction (
OUT UINT32 *MostRecentRequest,
OUT UINT32 *Response
);
/**
Check and execute the pending TPM request.
The TPM request may come from OS or BIOS. This API will display request information and wait
for user confirmation if TPM request exists. The TPM request will be sent to TPM device after
the TPM request is confirmed, and one or more reset may be required to make TPM request to
take effect.
This API should be invoked after console in and console out are all ready as they are required
to display request information and get user input to confirm the request.
@param[in] PlatformAuth platform auth value. NULL means no platform auth change.
**/
VOID
EFIAPI
Tcg2ProcessStorageRequest (
VOID
);
#endif

501
SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/DxeTcgPhysicalPresenceStorage.c Normal file
View File

@ -0,0 +1,501 @@
/** @file
Tcg PP storage library instance that does support any storage specific PPI.
Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#include <PiDxe.h>
#include <Guid/PhysicalPresenceData.h>
#include <Guid/TcgPhysicalPresenceStorageData.h>
#include <IndustryStandard/TcgPhysicalPresence.h>
#include <Protocol/VariableLock.h>
#include <Library/DebugLib.h>
#include <Library/BaseMemoryLib.h>
#include <Library/UefiRuntimeServicesTableLib.h>
#include <Library/UefiDriverEntryPoint.h>
#include <Library/UefiBootServicesTableLib.h>
#include <Library/UefiLib.h>
#include <Library/MemoryAllocationLib.h>
#include <Library/PrintLib.h>
#include <Library/HiiLib.h>
#include <Library/HobLib.h>
#include <Library/TcgPhysicalPresenceStorageLib.h>
#include "DxeTcgPhysicalPresenceStorageLibInternal.h"
/**
Display the confirm text and get user confirmation.
@param[in] OperationRequest TPM physical presence operation request.
@param[in] ManagementFlags BIOS TPM Management Flags.
@retval TRUE The user need to confirme the changes.
@retval FALSE The user doesn't need to confirme the changes.
**/
BOOLEAN
TcgPpNeedUserConfirm (
IN UINT8 OperationRequest,
IN UINT32 ManagementFlags
)
{
BOOLEAN NeedUserConfirm;
NeedUserConfirm = FALSE;
switch (OperationRequest) {
case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID:
if ((ManagementFlags & TCG_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_BLOCK_SID) != 0) {
NeedUserConfirm = TRUE;
}
break;
case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID:
if ((ManagementFlags & TCG_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_BLOCK_SID) != 0) {
NeedUserConfirm = TRUE;
}
break;
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_TRUE:
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_TRUE:
NeedUserConfirm = TRUE;
break;
default:
break;
}
return NeedUserConfirm;
}
/**
The handler for TPM physical presence function:
Submit TPM Operation Request to Pre-OS Environment and
Submit TPM Operation Request to Pre-OS Environment 2.
Caution: This function may receive untrusted input.
@param[in] OperationRequest TPM physical presence operation request.
@param[in] RequestParameter TPM physical presence operation request parameter.
@return Return Code for Submit TPM Operation Request to Pre-OS Environment and
Submit TPM Operation Request to Pre-OS Environment 2.
**/
UINT32
EFIAPI
TcgSubmitStorageRequest (
IN UINT32 OperationRequest,
IN UINT32 RequestParameter
)
{
EFI_STATUS Status;
UINTN DataSize;
EFI_PHYSICAL_PRESENCE PpData;
DEBUG ((EFI_D_INFO, "[TPM Storage] SubmitRequestToPreOSFunction, Request = %x, %x\n", OperationRequest, RequestParameter));
//
// Get the Physical Presence storage variable
//
DataSize = sizeof (EFI_PHYSICAL_PRESENCE);
Status = gRT->GetVariable (
PHYSICAL_PRESENCE_VARIABLE,
&gEfiPhysicalPresenceGuid,
NULL,
&DataSize,
&PpData
);
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "[TPM Storage] Get PP variable failure! Status = %r\n", Status));
return TCG_PP_SUBMIT_REQUEST_TO_PREOS_GENERAL_FAILURE;
}
if ((OperationRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) &&
(OperationRequest < TCG2_PHYSICAL_PRESENCE_STORAGE_MANAGEMENT_BEGIN) ) {
//
// This library only support storage related actions.
//
return TCG_PP_SUBMIT_REQUEST_TO_PREOS_NOT_IMPLEMENTED;
}
if (PpData.PPRequest != OperationRequest) {
PpData.PPRequest = (UINT8)OperationRequest;
DataSize = sizeof (EFI_PHYSICAL_PRESENCE);
Status = gRT->SetVariable (
PHYSICAL_PRESENCE_VARIABLE,
&gEfiPhysicalPresenceGuid,
EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
DataSize,
&PpData
);
}
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "[TPM Storage] Set PP variable failure! Status = %r\n", Status));
return TCG_PP_SUBMIT_REQUEST_TO_PREOS_GENERAL_FAILURE;
}
return TCG_PP_SUBMIT_REQUEST_TO_PREOS_SUCCESS;
}
/**
Check if the pending TPM request needs user input to confirm.
The TPM request may come from OS. This API will check if TPM request exists and need user
input to confirmation.
@retval TRUE TPM needs input to confirm user physical presence.
@retval FALSE TPM doesn't need input to confirm user physical presence.
**/
BOOLEAN
EFIAPI
TcgNeedUserConfirm(
VOID
)
{
EFI_STATUS Status;
EFI_PHYSICAL_PRESENCE TcgPpData;
UINTN DataSize;
EFI_TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS PpiFlags;
//
// Check S4 resume
//
if (GetBootModeHob () == BOOT_ON_S4_RESUME) {
DEBUG ((EFI_D_INFO, "S4 Resume, Skip TPM PP process!\n"));
return FALSE;
}
//
// Check Tpm requests
//
DataSize = sizeof (EFI_PHYSICAL_PRESENCE);
Status = gRT->GetVariable (
PHYSICAL_PRESENCE_VARIABLE,
&gEfiPhysicalPresenceGuid,
NULL,
&DataSize,
&TcgPpData
);
if (EFI_ERROR (Status)) {
return FALSE;
}
DataSize = sizeof (EFI_TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS);
Status = gRT->GetVariable (
TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS_VARIABLE,
&gEfiTcgPhysicalPresenceStorageGuid,
NULL,
&DataSize,
&PpiFlags
);
if (EFI_ERROR (Status)) {
PpiFlags.PPFlags = TCG_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT;
}
if ((TcgPpData.PPRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) &&
(TcgPpData.PPRequest < TCG2_PHYSICAL_PRESENCE_STORAGE_MANAGEMENT_BEGIN) ) {
//
// This library only support storage related actions.
//
return FALSE;
}
return TcgPpNeedUserConfirm(TcgPpData.PPRequest, PpiFlags.PPFlags);
}
/**
The handler for TPM physical presence function:
Return TPM Operation Response to OS Environment.
@param[out] MostRecentRequest Most recent operation request.
@param[out] Response Response to the most recent operation request.
@return Return Code for Return TPM Operation Response to OS Environment.
**/
UINT32
EFIAPI
TcgReturnOperationResponseToOsFunction (
OUT UINT32 *MostRecentRequest,
OUT UINT32 *Response
)
{
EFI_STATUS Status;
UINTN DataSize;
EFI_PHYSICAL_PRESENCE PpData;
DEBUG ((EFI_D_INFO, "[TPM Storage] ReturnOperationResponseToOsFunction\n"));
//
// Get the Physical Presence variable
//
DataSize = sizeof (EFI_PHYSICAL_PRESENCE);
Status = gRT->GetVariable (
PHYSICAL_PRESENCE_VARIABLE,
&gEfiPhysicalPresenceGuid,
NULL,
&DataSize,
&PpData
);
if (EFI_ERROR (Status)) {
*MostRecentRequest = 0;
*Response = 0;
DEBUG ((EFI_D_ERROR, "[TPM Storage] Get PP variable failure! Status = %r\n", Status));
return TCG_PP_RETURN_TPM_OPERATION_RESPONSE_FAILURE;
}
*MostRecentRequest = PpData.LastPPRequest;
*Response = PpData.PPResponse;
return TCG_PP_RETURN_TPM_OPERATION_RESPONSE_SUCCESS;
}
/**
Check and execute the requested physical presence command.
This API should be invoked in BIOS boot phase to process pending request.
Caution: This function may receive untrusted input.
If OperationRequest < 128, then ASSERT().
@param[in] OperationRequest TPM physical presence operation request.
@param[in, out] ManagementFlags BIOS TPM Management Flags.
@param[out] ResetRequired If reset is required to vendor settings in effect.
True, it indicates the reset is required.
False, it indicates the reset is not required.
@return TPM Operation Response to OS Environment.
**/
UINT32
TcgExecutePendingRequest (
IN UINT8 OperationRequest,
IN OUT UINT8 *ManagementFlags,
OUT BOOLEAN *ResetRequired
)
{
ASSERT ((OperationRequest >= TCG2_PHYSICAL_PRESENCE_STORAGE_MANAGEMENT_BEGIN) &&
(OperationRequest < TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION));
if (TcgPpNeedUserConfirm(OperationRequest, *ManagementFlags)) {
if (!TcgPpUserConfirm (OperationRequest)) {
return TCG_PP_OPERATION_RESPONSE_USER_ABORT;
}
}
switch (OperationRequest) {
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_TRUE:
*ManagementFlags |= TCG_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_BLOCK_SID;
return TCG_PP_OPERATION_RESPONSE_SUCCESS;
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_FALSE:
*ManagementFlags &= ~TCG_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_BLOCK_SID;
return TCG_PP_OPERATION_RESPONSE_SUCCESS;
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_TRUE:
*ManagementFlags |= TCG_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_BLOCK_SID;
return TCG_PP_OPERATION_RESPONSE_SUCCESS;
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_FALSE:
*ManagementFlags &= ~TCG_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_BLOCK_SID;
return TCG_PP_OPERATION_RESPONSE_SUCCESS;
case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID:
*ManagementFlags |= TCG_BIOS_STORAGE_MANAGEMENT_FLAG_ENABLE_BLOCK_SID;
return TCG_PP_OPERATION_RESPONSE_SUCCESS;
case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID:
*ManagementFlags &= ~TCG_BIOS_STORAGE_MANAGEMENT_FLAG_ENABLE_BLOCK_SID;
return TCG_PP_OPERATION_RESPONSE_SUCCESS;
default:
break;
}
return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
}
/**
Check and execute the pending TPM request.
The TPM request may come from OS or BIOS. This API will display request information and wait
for user confirmation if TPM request exists. The TPM request will be sent to TPM device after
the TPM request is confirmed, and one or more reset may be required to make TPM request to
take effect.
This API should be invoked after console in and console out are all ready as they are required
to display request information and get user input to confirm the request.
@param[in] PlatformAuth platform auth value. NULL means no platform auth change.
**/
VOID
EFIAPI
TcgProcessStorageRequest (
VOID
)
{
EFI_STATUS Status;
UINTN DataSize;
EFI_PHYSICAL_PRESENCE TcgPpData;
EDKII_VARIABLE_LOCK_PROTOCOL *VariableLockProtocol;
EFI_PHYSICAL_PRESENCE_FLAGS PpiFlags;
EFI_PHYSICAL_PRESENCE_FLAGS NewPpiFlags;
BOOLEAN ResetRequired;
//
// Check S4 resume
//
if (GetBootModeHob () == BOOT_ON_S4_RESUME) {
DEBUG ((EFI_D_INFO, "S4 Resume, Skip TPM PP process!\n"));
return ;
}
//
// Initialize physical presence variable.
//
DataSize = sizeof (EFI_PHYSICAL_PRESENCE);
Status = gRT->GetVariable (
PHYSICAL_PRESENCE_VARIABLE,
&gEfiPhysicalPresenceGuid,
NULL,
&DataSize,
&TcgPpData
);
if (EFI_ERROR (Status)) {
ZeroMem ((VOID*)&TcgPpData, sizeof (TcgPpData));
DataSize = sizeof (EFI_PHYSICAL_PRESENCE);
Status = gRT->SetVariable (
PHYSICAL_PRESENCE_VARIABLE,
&gEfiPhysicalPresenceGuid,
EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
DataSize,
&TcgPpData
);
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "[TPM Storage] Set physical presence variable failed, Status = %r\n", Status));
return ;
}
}
if ((TcgPpData.PPRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) ||
(TcgPpData.PPRequest < TCG2_PHYSICAL_PRESENCE_STORAGE_MANAGEMENT_BEGIN) ) {
//
// This library only support storage related actions.
//
DEBUG ((EFI_D_INFO, "[TPM Storage] Only support TCG storage related PP actions, not support PPRequest=%x\n", TcgPpData.PPRequest));
return;
}
//
// Initialize physical presence storage flags.
//
DataSize = sizeof (EFI_TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS);
Status = gRT->GetVariable (
TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS_VARIABLE,
&gEfiTcgPhysicalPresenceStorageGuid,
NULL,
&DataSize,
&PpiFlags
);
if (EFI_ERROR (Status)) {
PpiFlags.PPFlags = TCG_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT;
Status = gRT->SetVariable (
TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS_VARIABLE,
&gEfiTcgPhysicalPresenceStorageGuid,
EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
sizeof (EFI_TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS),
&PpiFlags
);
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "[TPM Storage] Set physical presence flag failed, Status = %r\n", Status));
return ;
}
}
DEBUG ((EFI_D_INFO, "[TPM Storage] PpiFlags = %x\n", PpiFlags.PPFlags));
//
// This flags variable controls whether physical presence is required for TPM command.
// It should be protected from malicious software. We set it as read-only variable here.
//
Status = gBS->LocateProtocol (&gEdkiiVariableLockProtocolGuid, NULL, (VOID **)&VariableLockProtocol);
if (!EFI_ERROR (Status)) {
Status = VariableLockProtocol->RequestToLock (
VariableLockProtocol,
TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS_VARIABLE,
&gEfiTcgPhysicalPresenceStorageGuid
);
if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "[TPM Storage] Error when lock variable %s, Status = %r\n", TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS_VARIABLE, Status));
ASSERT_EFI_ERROR (Status);
}
}
DEBUG ((EFI_D_INFO, "[TPM Storage] Flags=%x, PPRequest=%x (LastPPRequest=%x)\n", PpiFlags.PPFlags, TcgPpData.PPRequest, TcgPpData.LastPPRequest));
NewPpiFlags.PPFlags = PpiFlags.PPFlags;
ResetRequired = FALSE;
TcgPpData.PPResponse = TCG_PP_OPERATION_RESPONSE_USER_ABORT;
TcgPpData.PPResponse = TcgExecutePendingRequest (TcgPpData.PPRequest, &NewPpiFlags.PPFlags, &ResetRequired);
DEBUG ((EFI_D_INFO, "[TPM Storage] PPResponse = %x (LastPPRequest=%x, Flags=%x)\n", TcgPpData.PPResponse, TcgPpData.LastPPRequest, PpiFlags.PPFlags));
if (TcgPpData.PPResponse == TCG_PP_OPERATION_RESPONSE_USER_ABORT) {
return;
}
//
// Save the flags if it is updated.
//
if (CompareMem (&PpiFlags, &NewPpiFlags, sizeof(EFI_TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS)) != 0) {
Status = gRT->SetVariable (
TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS_VARIABLE,
&gEfiTcgPhysicalPresenceStorageGuid,
EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
sizeof (EFI_TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS),
&NewPpiFlags
);
}
//
// Clear request
//
TcgPpData.LastPPRequest = TcgPpData.PPRequest;
TcgPpData.PPRequest = TCG_PHYSICAL_PRESENCE_NO_ACTION;
//
// Save changes
//
DataSize = sizeof (EFI_PHYSICAL_PRESENCE);
Status = gRT->SetVariable (
PHYSICAL_PRESENCE_VARIABLE,
&gEfiPhysicalPresenceGuid,
EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
DataSize,
&TcgPpData
);
if (EFI_ERROR (Status)) {
return;
}
if (!ResetRequired) {
return;
}
Print (L"Rebooting system to make TPM2 settings in effect\n");
gRT->ResetSystem (EfiResetCold, EFI_SUCCESS, 0, NULL);
ASSERT (FALSE);
}

88
SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/DxeTcgPhysicalPresenceStorage.h Normal file
View File

@ -0,0 +1,88 @@
/** @file
Tcg PP storage library instance that does support any storage specific PPI.
Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#ifndef _TCG_PHYSICAL_PRESENCE_STORAGE_H_
#define _TCG_PHYSICAL_PRESENCE_STORAGE_H_
/**
The handler for TPM physical presence function:
Submit TPM Operation Request to Pre-OS Environment and
Submit TPM Operation Request to Pre-OS Environment 2.
Caution: This function may receive untrusted input.
@param[in] OperationRequest TPM physical presence operation request.
@param[in] RequestParameter TPM physical presence operation request parameter.
@return Return Code for Submit TPM Operation Request to Pre-OS Environment and
Submit TPM Operation Request to Pre-OS Environment 2.
**/
UINT32
TcgSubmitStorageRequest (
IN UINT32 OperationRequest,
IN UINT32 RequestParameter
);
/**
Check if the pending TPM request needs user input to confirm.
The TPM request may come from OS. This API will check if TPM request exists and need user
input to confirmation.
@retval TRUE TPM needs input to confirm user physical presence.
@retval FALSE TPM doesn't need input to confirm user physical presence.
**/
BOOLEAN
TcgNeedUserConfirm(
VOID
);
/**
The handler for TPM physical presence function:
Return TPM Operation Response to OS Environment.
@param[out] MostRecentRequest Most recent operation request.
@param[out] Response Response to the most recent operation request.
@return Return Code for Return TPM Operation Response to OS Environment.
**/
UINT32
EFIAPI
TcgReturnOperationResponseToOsFunction (
OUT UINT32 *MostRecentRequest,
OUT UINT32 *Response
);
/**
Check and execute the pending TPM request.
The TPM request may come from OS or BIOS. This API will display request information and wait
for user confirmation if TPM request exists. The TPM request will be sent to TPM device after
the TPM request is confirmed, and one or more reset may be required to make TPM request to
take effect.
This API should be invoked after console in and console out are all ready as they are required
to display request information and get user input to confirm the request.
@param[in] PlatformAuth platform auth value. NULL means no platform auth change.
**/
VOID
EFIAPI
TcgProcessStorageRequest (
VOID
);
#endif

390
SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/DxeTcgPhysicalPresenceStorageLib.c Normal file
View File

@ -0,0 +1,390 @@
/** @file
Tcg PP storage library instance that does support any storage specific PPI.
Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#include <PiDxe.h>
#include <Guid/PhysicalPresenceData.h>
#include <Guid/Tcg2PhysicalPresenceData.h>
#include <Guid/TcgPhysicalPresenceStorageData.h>
#include <IndustryStandard/TcgPhysicalPresence.h>
#include <Protocol/VariableLock.h>
#include <Library/DebugLib.h>
#include <Library/BaseMemoryLib.h>
#include <Library/UefiRuntimeServicesTableLib.h>
#include <Library/UefiDriverEntryPoint.h>
#include <Library/UefiBootServicesTableLib.h>
#include <Library/UefiLib.h>
#include <Library/MemoryAllocationLib.h>
#include <Library/PrintLib.h>
#include <Library/HiiLib.h>
#include <Library/HobLib.h>
#include <Library/TcgPhysicalPresenceStorageLib.h>
#include "DxeTcgPhysicalPresenceStorage.h"
#include "DxeTcg2PhysicalPresenceStorage.h"
#define CONFIRM_BUFFER_SIZE 4096
EFI_HII_HANDLE mTcgPpStorageStringPackHandle;
/**
Get string by string id from HII Interface.
@param[in] Id String ID.
@retval CHAR16 * String from ID.
@retval NULL If error occurs.
**/
CHAR16 *
TcgPpGetStringById (
IN EFI_STRING_ID Id
)
{
return HiiGetString (mTcgPpStorageStringPackHandle, Id, NULL);
}
/**
Read the specified key for user confirmation.
@retval TRUE User confirmed the changes by input.
@retval FALSE User discarded the changes.
**/
BOOLEAN
TcgPpStrageReadUserKey (
VOID
)
{
EFI_STATUS Status;
EFI_INPUT_KEY Key;
UINT16 InputKey;
InputKey = 0;
do {
Status = gBS->CheckEvent (gST->ConIn->WaitForKey);
if (!EFI_ERROR (Status)) {
Status = gST->ConIn->ReadKeyStroke (gST->ConIn, &Key);
if (Key.ScanCode == SCAN_ESC) {
InputKey = Key.ScanCode;
}
if ((Key.ScanCode == SCAN_F10)) {
InputKey = Key.ScanCode;
}
}
} while (InputKey == 0);
if (InputKey != SCAN_ESC) {
return TRUE;
}
return FALSE;
}
/**
Display the confirm text and get user confirmation.
@param[in] TpmPpCommand The requested TPM physical presence command.
@retval TRUE The user has confirmed the changes.
@retval FALSE The user doesn't confirm the changes.
**/
BOOLEAN
TcgPpUserConfirm (
IN UINT8 TpmPpCommand
)
{
CHAR16 *ConfirmText;
CHAR16 *TmpStr1;
CHAR16 *TmpStr2;
UINTN BufSize;
UINT16 Index;
CHAR16 DstStr[81];
TmpStr2 = NULL;
BufSize = CONFIRM_BUFFER_SIZE;
ConfirmText = AllocateZeroPool (BufSize);
ASSERT (ConfirmText != NULL);
switch (TpmPpCommand) {
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_TRUE:
TmpStr2 = TcgPpGetStringById (STRING_TOKEN (TCG_STORAGE_PP_ENABLE_BLOCK_SID));
TmpStr1 = TcgPpGetStringById (STRING_TOKEN (TCG_STORAGE_HEAD_STR));
UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2);
FreePool (TmpStr1);
break;
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_FALSE:
TmpStr2 = TcgPpGetStringById (STRING_TOKEN (TCG_STORAGE_PP_ENABLE_BLOCK_SID));
TmpStr1 = TcgPpGetStringById (STRING_TOKEN (TCG_STORAGE_HEAD_STR));
UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2);
FreePool (TmpStr1);
break;
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_TRUE:
TmpStr2 = TcgPpGetStringById (STRING_TOKEN (TCG_STORAGE_PP_DISABLE_BLOCK_SID));
TmpStr1 = TcgPpGetStringById (STRING_TOKEN (TCG_STORAGE_HEAD_STR));
UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2);
FreePool (TmpStr1);
break;
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_FALSE:
TmpStr2 = TcgPpGetStringById (STRING_TOKEN (TCG_STORAGE_PP_DISABLE_BLOCK_SID));
TmpStr1 = TcgPpGetStringById (STRING_TOKEN (TCG_STORAGE_HEAD_STR));
UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2);
FreePool (TmpStr1);
break;
case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID:
TmpStr2 = TcgPpGetStringById (STRING_TOKEN (TCG_STORAGE_ENABLE_BLOCK_SID));
TmpStr1 = TcgPpGetStringById (STRING_TOKEN (TCG_STORAGE_HEAD_STR));
UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2);
FreePool (TmpStr1);
break;
case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID:
TmpStr2 = TcgPpGetStringById (STRING_TOKEN (TCG_STORAGE_DISABLE_BLOCK_SID));
TmpStr1 = TcgPpGetStringById (STRING_TOKEN (TCG_STORAGE_HEAD_STR));
UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2);
FreePool (TmpStr1);
break;
default:
break;
}
TmpStr1 = TcgPpGetStringById (STRING_TOKEN (TCG_STORAGE_ACCEPT_KEY));
StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), TmpStr1, (BufSize / sizeof (CHAR16)) - StrLen (ConfirmText) - 1);
FreePool (TmpStr1);
TmpStr1 = TcgPpGetStringById (STRING_TOKEN (TCG_STORAGE_NO_PPI_INFO));
StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), TmpStr1, (BufSize / sizeof (CHAR16)) - StrLen (ConfirmText) - 1);
FreePool (TmpStr1);
TmpStr1 = TcgPpGetStringById (STRING_TOKEN (TCG_STORAGE_REJECT_KEY));
BufSize -= StrSize (ConfirmText);
UnicodeSPrint (ConfirmText + StrLen (ConfirmText), BufSize, TmpStr1, TmpStr2);
DstStr[80] = L'\0';
for (Index = 0; Index < StrLen (ConfirmText); Index += 80) {
StrnCpyS (DstStr, sizeof (DstStr) / sizeof (CHAR16), ConfirmText + Index, sizeof (DstStr) / sizeof (CHAR16) - 1);
Print (DstStr);
}
FreePool (TmpStr1);
FreePool (TmpStr2);
FreePool (ConfirmText);
if (TcgPpStrageReadUserKey ()) {
return TRUE;
}
return FALSE;
}
/**
The handler for TPM physical presence function:
Submit TPM Operation Request to Pre-OS Environment and
Submit TPM Operation Request to Pre-OS Environment 2.
Caution: This function may receive untrusted input.
@param[in] OperationRequest TPM physical presence operation request.
@param[in] RequestParameter TPM physical presence operation request parameter.
@return Return Code for Submit TPM Operation Request to Pre-OS Environment and
Submit TPM Operation Request to Pre-OS Environment 2.
**/
UINT32
EFIAPI
TcgPhysicalPresenceStorageLibSubmitRequestToPreOSFunction (
IN UINT32 OperationRequest,
IN UINT32 RequestParameter
)
{
//
// Get Physical Presence command state
//
if (CompareGuid(PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceTpm12Guid)) {
return TcgSubmitStorageRequest (OperationRequest, RequestParameter);
} else {
return Tcg2SubmitStorageRequest (OperationRequest, RequestParameter);
}
}
/**
The handler for TPM physical presence function:
Return TPM Operation Response to OS Environment.
@param[out] MostRecentRequest Most recent operation request.
@param[out] Response Response to the most recent operation request.
@return Return Code for Return TPM Operation Response to OS Environment.
**/
UINT32
EFIAPI
TcgPhysicalPresenceStorageLibReturnOperationResponseToOsFunction (
OUT UINT32 *MostRecentRequest,
OUT UINT32 *Response
)
{
//
// Get Physical Presence command state
//
if (CompareGuid(PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceTpm12Guid)) {
return TcgReturnOperationResponseToOsFunction (MostRecentRequest, Response);
} else {
return Tcg2ReturnOperationResponseToOsFunction (MostRecentRequest, Response);
}
}
/**
Check if the pending TPM request needs user input to confirm.
The TPM request may come from OS. This API will check if TPM request exists and need user
input to confirmation.
@retval TRUE TPM needs input to confirm user physical presence.
@retval FALSE TPM doesn't need input to confirm user physical presence.
**/
BOOLEAN
EFIAPI
TcgPhysicalPresenceStorageLibNeedUserConfirm(
VOID
)
{
//
// Get Physical Presence command state
//
if (CompareGuid(PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceTpm12Guid)) {
return TcgNeedUserConfirm ();
} else {
return Tcg2NeedUserConfirm ();
}
}
/**
Check and execute the pending TPM request.
The TPM request may come from OS or BIOS. This API will display request information and wait
for user confirmation if TPM request exists. The TPM request will be sent to TPM device after
the TPM request is confirmed, and one or more reset may be required to make TPM request to
take effect.
This API should be invoked after console in and console out are all ready as they are required
to display request information and get user input to confirm the request.
@param[in] PlatformAuth platform auth value. NULL means no platform auth change.
**/
VOID
EFIAPI
TcgPhysicalPresenceStorageLibProcessRequest (
VOID
)
{
//
// Get Physical Presence command state
//
if (CompareGuid(PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceTpm12Guid)) {
TcgProcessStorageRequest();
} else {
Tcg2ProcessStorageRequest ();
}
}
/**
The handler for TPM physical presence function:
Return TPM Operation flag variable.
@return Return Code for Return TPM Operation flag variable.
**/
UINT32
EFIAPI
TcgPhysicalPresenceStorageLibReturnStorageFlags (
VOID
)
{
UINTN DataSize;
EFI_TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS PpiFlags;
EFI_STATUS Status;
DataSize = sizeof (EFI_TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS);
Status = gRT->GetVariable (
TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS_VARIABLE,
&gEfiTcgPhysicalPresenceStorageGuid,
NULL,
&DataSize,
&PpiFlags
);
if (EFI_ERROR (Status)) {
return TCG_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT;
}
return PpiFlags.PPFlags;
}
/**
Install Boot Manager Menu driver.
@param ImageHandle The image handle.
@param SystemTable The system table.
@retval EFI_SUCEESS Install Boot manager menu success.
@retval Other Return error status.
**/
EFI_STATUS
EFIAPI
TcgPhysicalPresenceStorageLibConstructor (
IN EFI_HANDLE ImageHandle,
IN EFI_SYSTEM_TABLE *SystemTable
)
{
mTcgPpStorageStringPackHandle = HiiAddPackages (&gEfiTcgPhysicalPresenceStorageGuid, gImageHandle, DxeTcgPhysicalPresenceStorageLibStrings, NULL);
ASSERT (mTcgPpStorageStringPackHandle != NULL);
return EFI_SUCCESS;
}
/**
Unloads the application and its installed protocol.
@param[in] ImageHandle Handle that identifies the image to be unloaded.
@param[in] SystemTable System Table
@retval EFI_SUCCESS The image has been unloaded.
**/
EFI_STATUS
EFIAPI
TcgPhysicalPresenceStorageLibDestructor (
IN EFI_HANDLE ImageHandle,
IN EFI_SYSTEM_TABLE *SystemTable
)
{
HiiRemovePackages (mTcgPpStorageStringPackHandle);
return EFI_SUCCESS;
}

67
SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/DxeTcgPhysicalPresenceStorageLib.inf Normal file
View File

@ -0,0 +1,67 @@
## @file
# Tcg PP storage library instance that does support any storage specific PPI.
#
# Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at
# http://opensource.org/licenses/bsd-license.php
# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#
##
[Defines]
INF_VERSION = 0x00010005
BASE_NAME = DxeTcgPhysicalPresenceStorageLib
MODULE_UNI_FILE = DxeTcgPhysicalPresenceStorageLib.uni
FILE_GUID = 51924AE9-BE81-4820-94BA-7C9546E702D0
MODULE_TYPE = DXE_DRIVER
VERSION_STRING = 1.0
LIBRARY_CLASS = TcgPhysicalPresenceStorageLib|DXE_RUNTIME_DRIVER DXE_SMM_DRIVER DXE_DRIVER
CONSTRUCTOR = TcgPhysicalPresenceStorageLibConstructor
DESTRUCTOR = TcgPhysicalPresenceStorageLibDestructor
#
# The following information is for reference only and not required by the build tools.
#
# VALID_ARCHITECTURES = IA32 X64 IPF EBC
#
[Sources]
DxeTcgPhysicalPresenceStorageLib.c
DxeTcgPhysicalPresenceStorageLibStrings.uni
DxeTcg2PhysicalPresenceStorage.c
DxeTcg2PhysicalPresenceStorage.h
DxeTcgPhysicalPresenceStorage.c
DxeTcgPhysicalPresenceStorage.h
DxeTcgPhysicalPresenceStorageLibInternal.h
[Packages]
MdePkg/MdePkg.dec
SecurityPkg/SecurityPkg.dec
MdeModulePkg/MdeModulePkg.dec
[LibraryClasses]
MemoryAllocationLib
UefiLib
UefiBootServicesTableLib
UefiDriverEntryPoint
UefiRuntimeServicesTableLib
BaseMemoryLib
DebugLib
PrintLib
HiiLib
HobLib
[Guids]
gEfiTcgPhysicalPresenceStorageGuid ## SOMETIMES_CONSUMES ## HII
gEfiTpmDeviceInstanceTpm12Guid ## SOMETIMES_CONSUMES
gEfiPhysicalPresenceGuid ## SOMETIMES_CONSUMES
gEfiTcg2PhysicalPresenceGuid ## SOMETIMES_CONSUMES
[Pcd]
gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid ## CONSUMES
[Protocols]
gEdkiiVariableLockProtocolGuid ## SOMETIMES_CONSUMES

18
SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/DxeTcgPhysicalPresenceStorageLib.uni Normal file
View File

@ -0,0 +1,18 @@
// /** @file
// Tcg PP storage library instance that does support any storage specific PPI.
//
// Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
//
// This program and the accompanying materials
// are licensed and made available under the terms and conditions of the BSD License
// which accompanies this distribution. The full text of the license may be found at
// http://opensource.org/licenses/bsd-license.php
// THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
// WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
//
// **/
#string STR_MODULE_ABSTRACT #language en-US "Tcg PP Storage library instance that supports any storage specific PPI"
#string STR_MODULE_DESCRIPTION #language en-US "Tcg PP Storage library instance that supports any storage specific PPI."

31
SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/DxeTcgPhysicalPresenceStorageLibInternal.h Normal file
View File

@ -0,0 +1,31 @@
/** @file
Tcg PP storage library instance that does support any storage specific PPI.
Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#ifndef _TCG_PHYSICAL_PRESENCE_STORAGE_LIB_INTENAL_H_
#define _TCG_PHYSICAL_PRESENCE_STORAGE_LIB_INTENAL_H_
/**
Display the confirm text and get user confirmation.
@param[in] TpmPpCommand The requested TPM physical presence command.
@retval TRUE The user has confirmed the changes.
@retval FALSE The user doesn't confirm the changes.
**/
BOOLEAN
TcgPpUserConfirm (
IN UINT8 TpmPpCommand
);
#endif

31
SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/DxeTcgPhysicalPresenceStorageLibStrings.uni Normal file
View File

@ -0,0 +1,31 @@
/** @file
String definitions for TPM 1.2 & 2.0 physical presence storage related actions confirm text.
Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#langdef en-US "English"
#string TCG_STORAGE_HEAD_STR #language en-US "A configuration change was requested to %s on subsequent boots\n\n"
#string TCG_STORAGE_PPI_HEAD_STR #language en-US "A configuration change was requested to allow the Operating System to %s without asking for user confirmation in the future.\n\n"
#string TCG_STORAGE_ACCEPT_KEY #language en-US "Press F10 "
#string TCG_STORAGE_CAUTION_KEY #language en-US "Press F12 "
#string TCG_STORAGE_REJECT_KEY #language en-US "to %s\nPress ESC to reject this change request and continue\n"
#string TCG_STORAGE_NO_PPI_INFO #language en-US "to approve future Operating System requests "
#string TCG_STORAGE_ENABLE_BLOCK_SID #language en-US "issue Block SID "
#string TCG_STORAGE_DISABLE_BLOCK_SID #language en-US "disable issuing Block SID "
#string TCG_STORAGE_PP_ENABLE_BLOCK_SID #language en-US "enable blocking SID authentication"
#string TCG_STORAGE_PP_DISABLE_BLOCK_SID #language en-US "disable blocking SID authentication"

9
SecurityPkg/SecurityPkg.dec
View File

@ -77,6 +77,11 @@
#
Tcg2PpVendorLib|Include/Library/TcgPpVendorLib.h
## @libraryclass Provides support for TCG Physical Presence Interface (PPI) specification
# >= 96 && < 128 Vendor Specific PPI Operation.
#
TcgPhysicalPresenceStorageLib|Include/Library/TcgPhysicalPresenceStorageLib.h
## @libraryclass Handle TPM 2.0 physical presence request from OS.
#
Tcg2PhysicalPresenceLib|Include/Library/Tcg2PhysicalPresenceLib.h
@ -146,6 +151,10 @@
# Include/Guid/Tcg2PhysicalPresenceData.h
gEfiTcg2PhysicalPresenceGuid = { 0xaeb9c5c1, 0x94f1, 0x4d02, { 0xbf, 0xd9, 0x46, 0x2, 0xdb, 0x2d, 0x3c, 0x54 }}
##
# Include/Guid/Tcg2PhysicalPresenceData.h
gEfiTcgPhysicalPresenceStorageGuid = { 0x2EBE3E34, 0xB3CD, 0x471A, { 0xBF, 0x87, 0xB3, 0xC6, 0x6E, 0xE0, 0x74, 0x9A}}
## GUID used for form browser, password credential and provider identifier.
# Include/Guid/PwdCredentialProviderHii.h
gPwdCredentialProviderGuid = { 0x78b9ec8b, 0xc000, 0x46c5, { 0xac, 0x93, 0x24, 0xa0, 0xc1, 0xbb, 0x0, 0xce }}

2
SecurityPkg/SecurityPkg.dsc
View File

@ -98,6 +98,7 @@
Tpm12DeviceLib|SecurityPkg/Library/Tpm12DeviceLibTcg/Tpm12DeviceLibTcg.inf
Tpm2DeviceLib|SecurityPkg/Library/Tpm2DeviceLibTcg2/Tpm2DeviceLibTcg2.inf
FileExplorerLib|MdeModulePkg/Library/FileExplorerLib/FileExplorerLib.inf
TcgPhysicalPresenceStorageLib|SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/DxeTcgPhysicalPresenceStorageLib.inf
[LibraryClasses.common.UEFI_DRIVER, LibraryClasses.common.DXE_RUNTIME_DRIVER, LibraryClasses.common.DXE_SAL_DRIVER,]
HobLib|MdePkg/Library/DxeHobLib/DxeHobLib.inf
@ -205,6 +206,7 @@
SecurityPkg/Library/TcgStorageCoreLib/TcgStorageCoreLib.inf
SecurityPkg/Library/TcgStorageOpalLib/TcgStorageOpalLib.inf
SecurityPkg/Library/OpalPasswordSupportLib/OpalPasswordSupportLib.inf
SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/DxeTcgPhysicalPresenceStorageLib.inf
#
# Other