SecurityPkg/HddPassword: Add Security feature set support for ATA dev

REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1529

This commit will add the 'Security feature set' support for ATA devices.

According to the AT Attachment 8 - ATA/ATAPI Command Set (ATA8-ACS)
specification, the Security feature set is an optional feature. In
summary, the feature is a password system that restricts access to user
data stored on an ATA device. A more detailed introduction of this feature
can be referred from the ATA8-ACS spec.

The HddPassword driver is composed of 2 parts:
* A DXE driver and
* A PEI driver

The DXE driver consumes EFI_ATA_PASS_THRU_PROTOCOL instances and installs
an HII GUI to manage the devices. If the managing device supports Security
feature set, the HII page will provide the user with the ability to
set/update/disable the password for this device. Also, if a password is
being set via the Security feature set, a popup window will show during
boot requesting the user to input password.

Another feature supported by this driver is that for those managing
devices with password set, they will be automatically unlocked during the
S3 resume. This is done by the co-work of the DXE driver and the PEI
driver:

The DXE driver will save the password and the identification information
for these devices into a LockBox, which is only allowed to restore during
S3 resume.

The PEI driver, during S3 resume, will restore the content in the LockBox
and will consume EDKII_PEI_ATA_PASS_THRU_PPI instances to unlock devices.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Ray Ni <ray.ni@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
This commit is contained in:
Hao Wu 2019-01-15 16:33:09 +08:00
parent a3efbc29c4
commit e8959f8100
11 changed files with 3873 additions and 0 deletions

View File

@ -0,0 +1,188 @@
/** @file
HDD Password Configuration Formset.
Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions
of the BSD License which accompanies this distribution. The
full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#include "HddPasswordHiiDataStruc.h"
formset
guid = HDD_PASSWORD_CONFIG_GUID,
title = STRING_TOKEN(STR_HDD_SECURITY_CONFIG),
help = STRING_TOKEN(STR_HDD_SECURITY_CONFIG),
classguid = EFI_HII_PLATFORM_SETUP_FORMSET_GUID,
varstore HDD_PASSWORD_CONFIG,
name = HDD_PASSWORD_CONFIG,
guid = HDD_PASSWORD_CONFIG_GUID;
form formid = FORMID_HDD_MAIN_FORM,
title = STRING_TOKEN(STR_HDD_SECURITY_CONFIG);
label HDD_DEVICE_ENTRY_LABEL;
label HDD_DEVICE_LABEL_END;
endform;
form
formid = FORMID_HDD_DEVICE_FORM,
title = STRING_TOKEN(STR_HDD_SECURITY_HD);
subtitle text = STRING_TOKEN(STR_SECURITY_HDD_PWD_DESC);
subtitle text = STRING_TOKEN(STR_NULL);
subtitle text = STRING_TOKEN(STR_SECURITY_HDD_BANNER_ONE);
subtitle text = STRING_TOKEN(STR_SECURITY_HDD_BANNER_TWO);
subtitle text = STRING_TOKEN(STR_SECURITY_HDD_BANNER_THREE);
subtitle text = STRING_TOKEN(STR_SECURITY_HDD_BANNER_FOUR);
subtitle text = STRING_TOKEN(STR_SECURITY_HDD_BANNER_FIVE);
subtitle text = STRING_TOKEN(STR_NULL);
subtitle text = STRING_TOKEN(STR_HDD_PASSWORD_CONFIG);
subtitle text = STRING_TOKEN(STR_NULL);
grayoutif TRUE;
suppressif ideqvallist HDD_PASSWORD_CONFIG.SecurityStatus.Supported == 0;
text
help = STRING_TOKEN(STR_EMPTY),
text = STRING_TOKEN(STR_SEC_SUPPORTED),
text = STRING_TOKEN(STR_YES),
flags = 0,
key = 0;
endif;
suppressif ideqvallist HDD_PASSWORD_CONFIG.SecurityStatus.Supported == 1;
text
help = STRING_TOKEN(STR_EMPTY),
text = STRING_TOKEN(STR_SEC_SUPPORTED),
text = STRING_TOKEN(STR_NO),
flags = 0,
key = 0;
endif;
suppressif ideqvallist HDD_PASSWORD_CONFIG.SecurityStatus.Enabled == 0;
text
help = STRING_TOKEN(STR_EMPTY),
text = STRING_TOKEN(STR_SEC_ENABLED),
text = STRING_TOKEN(STR_YES),
flags = 0,
key = 0;
endif;
suppressif ideqvallist HDD_PASSWORD_CONFIG.SecurityStatus.Enabled == 1;
text
help = STRING_TOKEN(STR_EMPTY),
text = STRING_TOKEN(STR_SEC_ENABLED),
text = STRING_TOKEN(STR_NO),
flags = 0,
key = 0;
endif;
suppressif ideqvallist HDD_PASSWORD_CONFIG.SecurityStatus.Locked == 0;
text
help = STRING_TOKEN(STR_EMPTY),
text = STRING_TOKEN(STR_SEC_LOCKED),
text = STRING_TOKEN(STR_YES),
flags = 0,
key = 0;
endif;
suppressif ideqvallist HDD_PASSWORD_CONFIG.SecurityStatus.Locked == 1;
text
help = STRING_TOKEN(STR_EMPTY),
text = STRING_TOKEN(STR_SEC_LOCKED),
text = STRING_TOKEN(STR_NO),
flags = 0,
key = 0;
endif;
suppressif ideqvallist HDD_PASSWORD_CONFIG.SecurityStatus.Frozen == 0;
text
help = STRING_TOKEN(STR_EMPTY),
text = STRING_TOKEN(STR_SEC_FROZEN),
text = STRING_TOKEN(STR_YES),
flags = 0,
key = 0;
endif;
suppressif ideqvallist HDD_PASSWORD_CONFIG.SecurityStatus.Frozen == 1;
text
help = STRING_TOKEN(STR_EMPTY),
text = STRING_TOKEN(STR_SEC_FROZEN),
text = STRING_TOKEN(STR_NO),
flags = 0,
key = 0;
endif;
suppressif ideqvallist HDD_PASSWORD_CONFIG.SecurityStatus.UserPasswordStatus == 0;
text
help = STRING_TOKEN(STR_EMPTY),
text = STRING_TOKEN(STR_HDD_USER_PASSWORD_STS),
text = STRING_TOKEN(STR_INSTALLED),
flags = 0,
key = 0;
endif;
suppressif ideqvallist HDD_PASSWORD_CONFIG.SecurityStatus.UserPasswordStatus == 1;
text
help = STRING_TOKEN(STR_EMPTY),
text = STRING_TOKEN(STR_HDD_USER_PASSWORD_STS),
text = STRING_TOKEN(STR_NOT_INSTALLED),
flags = 0,
key = 0;
endif;
suppressif ideqvallist HDD_PASSWORD_CONFIG.SecurityStatus.MasterPasswordStatus == 0;
text
help = STRING_TOKEN(STR_EMPTY),
text = STRING_TOKEN(STR_HDD_MASTER_PASSWORD_STS),
text = STRING_TOKEN(STR_INSTALLED),
flags = 0,
key = 0;
endif;
suppressif ideqvallist HDD_PASSWORD_CONFIG.SecurityStatus.MasterPasswordStatus == 1;
text
help = STRING_TOKEN(STR_EMPTY),
text = STRING_TOKEN(STR_HDD_MASTER_PASSWORD_STS),
text = STRING_TOKEN(STR_NOT_INSTALLED),
flags = 0,
key = 0;
endif;
endif;
subtitle text = STRING_TOKEN(STR_NULL);
grayoutif ideqval HDD_PASSWORD_CONFIG.SecurityStatus.Supported == 0;
checkbox varid = HDD_PASSWORD_CONFIG.Request.UserPassword,
prompt = STRING_TOKEN(STR_HDD_USER_PASSWORD),
help = STRING_TOKEN(STR_HDD_USER_PASSWORD_HELP),
flags = INTERACTIVE | RESET_REQUIRED,
key = KEY_HDD_USER_PASSWORD,
endcheckbox;
endif;
grayoutif ideqval HDD_PASSWORD_CONFIG.SecurityStatus.Supported == 0;
checkbox varid = HDD_PASSWORD_CONFIG.Request.MasterPassword,
prompt = STRING_TOKEN(STR_HDD_MASTER_PASSWORD),
help = STRING_TOKEN(STR_HDD_MASTER_PASSWORD_HELP),
flags = INTERACTIVE | RESET_REQUIRED,
key = KEY_HDD_MASTER_PASSWORD,
endcheckbox;
endif;
endform;
endformset;

View File

@ -0,0 +1,61 @@
/** @file
HDD Password common header file.
Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions
of the BSD License which accompanies this distribution. The
full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#ifndef _HDD_PASSWORD_COMMON_H_
#define _HDD_PASSWORD_COMMON_H_
//
// The payload length of HDD related ATA commands
//
#define HDD_PAYLOAD 512
#define ATA_SECURITY_SET_PASSWORD_CMD 0xF1
#define ATA_SECURITY_UNLOCK_CMD 0xF2
#define ATA_SECURITY_FREEZE_LOCK_CMD 0xF5
#define ATA_SECURITY_DIS_PASSWORD_CMD 0xF6
//
// The max retry count specified in ATA 8 spec.
//
#define MAX_HDD_PASSWORD_RETRY_COUNT 5
//
// According to ATA spec, the max length of hdd password is 32 bytes
//
#define HDD_PASSWORD_MAX_LENGTH 32
#define HDD_PASSWORD_DEVICE_INFO_GUID { 0x96d877ad, 0x48af, 0x4b39, { 0x9b, 0x27, 0x4d, 0x97, 0x43, 0x9, 0xae, 0x47 } }
typedef struct {
UINT8 Bus;
UINT8 Device;
UINT8 Function;
UINT8 Reserved;
UINT16 Port;
UINT16 PortMultiplierPort;
} HDD_PASSWORD_DEVICE;
//
// It will be used to unlock HDD password for S3.
//
typedef struct {
HDD_PASSWORD_DEVICE Device;
CHAR8 Password[HDD_PASSWORD_MAX_LENGTH];
UINT32 DevicePathLength;
EFI_DEVICE_PATH_PROTOCOL DevicePath[];
} HDD_PASSWORD_DEVICE_INFO;
#endif // _HDD_PASSWORD_COMMON_H_

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,148 @@
/** @file
Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions
of the BSD License which accompanies this distribution. The
full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#ifndef _HDD_PASSWORD_DXE_H_
#define _HDD_PASSWORD_DXE_H_
#include <Uefi.h>
#include <IndustryStandard/Atapi.h>
#include <IndustryStandard/Pci.h>
#include <Protocol/AtaPassThru.h>
#include <Protocol/PciIo.h>
#include <Protocol/HiiConfigAccess.h>
#include <Protocol/VariableLock.h>
#include <Guid/MdeModuleHii.h>
#include <Guid/EventGroup.h>
#include <Guid/S3StorageDeviceInitList.h>
#include <Library/DebugLib.h>
#include <Library/BaseLib.h>
#include <Library/BaseMemoryLib.h>
#include <Library/UefiRuntimeServicesTableLib.h>
#include <Library/UefiDriverEntryPoint.h>
#include <Library/UefiBootServicesTableLib.h>
#include <Library/DxeServicesTableLib.h>
#include <Library/MemoryAllocationLib.h>
#include <Library/UefiHiiServicesLib.h>
#include <Library/HiiLib.h>
#include <Library/DevicePathLib.h>
#include <Library/PrintLib.h>
#include <Library/UefiLib.h>
#include <Library/LockBoxLib.h>
#include <Library/S3BootScriptLib.h>
#include <Library/PciLib.h>
#include <Library/BaseCryptLib.h>
#include "HddPasswordCommon.h"
#include "HddPasswordHiiDataStruc.h"
//
// This is the generated IFR binary data for each formset defined in VFR.
// This data array is ready to be used as input of HiiAddPackages() to
// create a packagelist (which contains Form packages, String packages, etc).
//
extern UINT8 HddPasswordBin[];
//
// This is the generated String package data for all .UNI files.
// This data array is ready to be used as input of HiiAddPackages() to
// create a packagelist (which contains Form packages, String packages, etc).
//
extern UINT8 HddPasswordDxeStrings[];
#define HDD_PASSWORD_DXE_PRIVATE_SIGNATURE SIGNATURE_32 ('H', 'D', 'D', 'P')
typedef struct _HDD_PASSWORD_CONFIG_FORM_ENTRY {
LIST_ENTRY Link;
EFI_HANDLE Controller;
UINTN Bus;
UINTN Device;
UINTN Function;
UINT16 Port;
UINT16 PortMultiplierPort;
EFI_DEVICE_PATH_PROTOCOL *DevicePath;
CHAR16 HddString[64];
CHAR8 Password[HDD_PASSWORD_MAX_LENGTH];
EFI_STRING_ID TitleToken;
EFI_STRING_ID TitleHelpToken;
HDD_PASSWORD_CONFIG IfrData;
EFI_ATA_PASS_THRU_PROTOCOL *AtaPassThru;
} HDD_PASSWORD_CONFIG_FORM_ENTRY;
typedef struct _HDD_PASSWORD_DXE_PRIVATE_DATA {
UINTN Signature;
EFI_HANDLE DriverHandle;
EFI_HII_HANDLE HiiHandle;
EFI_HII_CONFIG_ACCESS_PROTOCOL ConfigAccess;
HDD_PASSWORD_CONFIG_FORM_ENTRY *Current;
} HDD_PASSWORD_DXE_PRIVATE_DATA;
#define HDD_PASSWORD_DXE_PRIVATE_FROM_THIS(a) CR (a, HDD_PASSWORD_DXE_PRIVATE_DATA, ConfigAccess, HDD_PASSWORD_DXE_PRIVATE_SIGNATURE)
//
//Iterate through the doule linked list. NOT delete safe
//
#define EFI_LIST_FOR_EACH(Entry, ListHead) \
for (Entry = (ListHead)->ForwardLink; Entry != (ListHead); Entry = Entry->ForwardLink)
#define PASSWORD_SALT_SIZE 32
#define HDD_PASSWORD_REQUEST_VARIABLE_NAME L"HddPasswordRequest"
//
// It needs to be locked before EndOfDxe.
//
#define HDD_PASSWORD_VARIABLE_NAME L"HddPassword"
#pragma pack(1)
typedef struct {
HDD_PASSWORD_DEVICE Device;
HDD_PASSWORD_REQUEST Request;
} HDD_PASSWORD_REQUEST_VARIABLE;
//
// It will be used to validate HDD password when the device is at frozen state.
//
typedef struct {
HDD_PASSWORD_DEVICE Device;
UINT8 PasswordHash[SHA256_DIGEST_SIZE];
UINT8 PasswordSalt[PASSWORD_SALT_SIZE];
} HDD_PASSWORD_VARIABLE;
///
/// HII specific Vendor Device Path definition.
///
typedef struct {
VENDOR_DEVICE_PATH VendorDevicePath;
EFI_DEVICE_PATH_PROTOCOL End;
} HII_VENDOR_DEVICE_PATH;
#pragma pack()
//
// Time out value for ATA pass through protocol
//
#define ATA_TIMEOUT EFI_TIMER_PERIOD_SECONDS (3)
typedef struct {
UINT32 Address;
S3_BOOT_SCRIPT_LIB_WIDTH Width;
} HDD_HC_PCI_REGISTER_SAVE;
#endif

View File

@ -0,0 +1,75 @@
## @file
# HddPasswordDxe driver which is used to set/clear hdd password at attached harddisk
# devices.
#
# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
#
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at
# http://opensource.org/licenses/bsd-license.php
#
# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#
##
[Defines]
INF_VERSION = 0x00010005
BASE_NAME = HddPasswordDxe
FILE_GUID = 9BD549CD-86D1-4925-9F7D-3686DDD876FC
MODULE_TYPE = DXE_DRIVER
VERSION_STRING = 1.0
ENTRY_POINT = HddPasswordDxeInit
#
# The following information is for reference only and not required by the build tools.
#
# VALID_ARCHITECTURES = IA32 X64 IPF EBC
#
[Sources]
HddPasswordDxe.c
HddPasswordDxe.h
HddPasswordHiiDataStruc.h
HddPassword.vfr
HddPasswordStrings.uni
HddPasswordCommon.h
[Packages]
MdePkg/MdePkg.dec
MdeModulePkg/MdeModulePkg.dec
CryptoPkg/CryptoPkg.dec
[LibraryClasses]
BaseLib
MemoryAllocationLib
UefiBootServicesTableLib
UefiDriverEntryPoint
UefiHiiServicesLib
UefiRuntimeServicesTableLib
DxeServicesTableLib
BaseMemoryLib
DebugLib
HiiLib
PrintLib
UefiLib
LockBoxLib
S3BootScriptLib
PciLib
BaseCryptLib
[Guids]
gEfiIfrTianoGuid ## CONSUMES ## GUID
gEfiEndOfDxeEventGroupGuid ## CONSUMES ## Event
gS3StorageDeviceInitListGuid ## SOMETIMES_PRODUCES ## UNDEFINED
[Protocols]
gEfiHiiConfigAccessProtocolGuid ## PRODUCES
gEfiAtaPassThruProtocolGuid ## CONSUMES
gEfiPciIoProtocolGuid ## CONSUMES
gEdkiiVariableLockProtocolGuid ## CONSUMES
[Depex]
gEfiVariableWriteArchProtocolGuid

View File

@ -0,0 +1,63 @@
/** @file
HddPassword HII data structure used by the driver.
Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions
of the BSD License which accompanies this distribution. The
full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#ifndef _HDD_PASSWORD_HII_DATASTRUC_H_
#define _HDD_PASSWORD_HII_DATASTRUC_H_
#include <Guid/HiiPlatformSetupFormset.h>
#define HDD_PASSWORD_CONFIG_GUID \
{ \
0x737cded7, 0x448b, 0x4801, { 0xb5, 0x7d, 0xb1, 0x94, 0x83, 0xec, 0x60, 0x6f } \
}
#define FORMID_HDD_MAIN_FORM 1
#define FORMID_HDD_DEVICE_FORM 2
#define HDD_DEVICE_ENTRY_LABEL 0x1234
#define HDD_DEVICE_LABEL_END 0xffff
#define KEY_HDD_DEVICE_ENTRY_BASE 0x1000
#define KEY_HDD_USER_PASSWORD 0x101
#define KEY_HDD_MASTER_PASSWORD 0x102
#pragma pack(1)
typedef struct {
UINT8 Supported:1;
UINT8 Enabled:1;
UINT8 Locked:1;
UINT8 Frozen:1;
UINT8 UserPasswordStatus:1;
UINT8 MasterPasswordStatus:1;
UINT8 Reserved:2;
} HDD_PASSWORD_SECURITY_STATUS;
typedef struct {
UINT8 UserPassword:1;
UINT8 MasterPassword:1;
UINT8 Reserved:6;
} HDD_PASSWORD_REQUEST;
typedef struct _HDD_PASSWORD_CONFIG {
HDD_PASSWORD_SECURITY_STATUS SecurityStatus;
HDD_PASSWORD_REQUEST Request;
} HDD_PASSWORD_CONFIG;
#pragma pack()
#endif

View File

@ -0,0 +1,374 @@
/** @file
HddPassword PEI module which is used to unlock HDD password for S3.
Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions
of the BSD License which accompanies this distribution. The
full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#include "HddPasswordPei.h"
EFI_GUID mHddPasswordDeviceInfoGuid = HDD_PASSWORD_DEVICE_INFO_GUID;
/**
Send unlock hdd password cmd through ATA PassThru PPI.
@param[in] AtaPassThru The pointer to the ATA PassThru PPI.
@param[in] Port The port number of the ATA device.
@param[in] PortMultiplierPort The port multiplier port number of the ATA device.
@param[in] Identifier The identifier to set user or master password.
@param[in] Password The hdd password of attached ATA device.
@retval EFI_SUCCESS Successful to send unlock hdd password cmd.
@retval EFI_INVALID_PARAMETER The parameter passed-in is invalid.
@retval EFI_OUT_OF_RESOURCES Not enough memory to send unlock hdd password cmd.
@retval EFI_DEVICE_ERROR Can not send unlock hdd password cmd.
**/
EFI_STATUS
UnlockDevice (
IN EDKII_PEI_ATA_PASS_THRU_PPI *AtaPassThru,
IN UINT16 Port,
IN UINT16 PortMultiplierPort,
IN CHAR8 Identifier,
IN CHAR8 *Password
)
{
EFI_STATUS Status;
EFI_ATA_COMMAND_BLOCK Acb;
EFI_ATA_STATUS_BLOCK *Asb;
EFI_ATA_PASS_THRU_COMMAND_PACKET Packet;
UINT8 Buffer[HDD_PAYLOAD];
if ((AtaPassThru == NULL) || (Password == NULL)) {
return EFI_INVALID_PARAMETER;
}
//
// The 'Asb' field (a pointer to the EFI_ATA_STATUS_BLOCK structure) in
// EFI_ATA_PASS_THRU_COMMAND_PACKET is required to be aligned specified by
// the 'IoAlign' field in the EFI_ATA_PASS_THRU_MODE structure. Meanwhile,
// the structure EFI_ATA_STATUS_BLOCK is composed of only UINT8 fields, so it
// may not be aligned when allocated on stack for some compilers. Hence, we
// use the API AllocateAlignedPages to ensure this structure is properly
// aligned.
//
Asb = AllocateAlignedPages (
EFI_SIZE_TO_PAGES (sizeof (EFI_ATA_STATUS_BLOCK)),
AtaPassThru->Mode->IoAlign
);
if (Asb == NULL) {
return EFI_OUT_OF_RESOURCES;
}
//
// Prepare for ATA command block.
//
ZeroMem (&Acb, sizeof (Acb));
ZeroMem (Asb, sizeof (EFI_ATA_STATUS_BLOCK));
Acb.AtaCommand = ATA_SECURITY_UNLOCK_CMD;
Acb.AtaDeviceHead = (UINT8) (PortMultiplierPort == 0xFFFF ? 0 : (PortMultiplierPort << 4));
//
// Prepare for ATA pass through packet.
//
ZeroMem (&Packet, sizeof (Packet));
Packet.Protocol = EFI_ATA_PASS_THRU_PROTOCOL_PIO_DATA_OUT;
Packet.Length = EFI_ATA_PASS_THRU_LENGTH_BYTES;
Packet.Asb = Asb;
Packet.Acb = &Acb;
((CHAR16 *) Buffer)[0] = Identifier & BIT0;
CopyMem (&((CHAR16 *) Buffer)[1], Password, HDD_PASSWORD_MAX_LENGTH);
Packet.OutDataBuffer = Buffer;
Packet.OutTransferLength = sizeof (Buffer);
Packet.Timeout = ATA_TIMEOUT;
Status = AtaPassThru->PassThru (
AtaPassThru,
Port,
PortMultiplierPort,
&Packet
);
if (!EFI_ERROR (Status) &&
((Asb->AtaStatus & ATA_STSREG_ERR) != 0) &&
((Asb->AtaError & ATA_ERRREG_ABRT) != 0)) {
Status = EFI_DEVICE_ERROR;
}
FreeAlignedPages (Asb, EFI_SIZE_TO_PAGES (sizeof (EFI_ATA_STATUS_BLOCK)));
ZeroMem (Buffer, sizeof (Buffer));
DEBUG ((DEBUG_INFO, "%a() - %r\n", __FUNCTION__, Status));
return Status;
}
/**
Send security freeze lock cmd through ATA PassThru PPI.
@param[in] AtaPassThru The pointer to the ATA PassThru PPI.
@param[in] Port The port number of the ATA device.
@param[in] PortMultiplierPort The port multiplier port number of the ATA device.
@retval EFI_SUCCESS Successful to send security freeze lock cmd.
@retval EFI_INVALID_PARAMETER The parameter passed-in is invalid.
@retval EFI_OUT_OF_RESOURCES Not enough memory to send unlock hdd password cmd.
@retval EFI_DEVICE_ERROR Can not send security freeze lock cmd.
**/
EFI_STATUS
FreezeLockDevice (
IN EDKII_PEI_ATA_PASS_THRU_PPI *AtaPassThru,
IN UINT16 Port,
IN UINT16 PortMultiplierPort
)
{
EFI_STATUS Status;
EFI_ATA_COMMAND_BLOCK Acb;
EFI_ATA_STATUS_BLOCK *Asb;
EFI_ATA_PASS_THRU_COMMAND_PACKET Packet;
if (AtaPassThru == NULL) {
return EFI_INVALID_PARAMETER;
}
//
// The 'Asb' field (a pointer to the EFI_ATA_STATUS_BLOCK structure) in
// EFI_ATA_PASS_THRU_COMMAND_PACKET is required to be aligned specified by
// the 'IoAlign' field in the EFI_ATA_PASS_THRU_MODE structure. Meanwhile,
// the structure EFI_ATA_STATUS_BLOCK is composed of only UINT8 fields, so it
// may not be aligned when allocated on stack for some compilers. Hence, we
// use the API AllocateAlignedPages to ensure this structure is properly
// aligned.
//
Asb = AllocateAlignedPages (
EFI_SIZE_TO_PAGES (sizeof (EFI_ATA_STATUS_BLOCK)),
AtaPassThru->Mode->IoAlign
);
if (Asb == NULL) {
return EFI_OUT_OF_RESOURCES;
}
//
// Prepare for ATA command block.
//
ZeroMem (&Acb, sizeof (Acb));
ZeroMem (Asb, sizeof (EFI_ATA_STATUS_BLOCK));
Acb.AtaCommand = ATA_SECURITY_FREEZE_LOCK_CMD;
Acb.AtaDeviceHead = (UINT8) (PortMultiplierPort == 0xFFFF ? 0 : (PortMultiplierPort << 4));
//
// Prepare for ATA pass through packet.
//
ZeroMem (&Packet, sizeof (Packet));
Packet.Protocol = EFI_ATA_PASS_THRU_PROTOCOL_ATA_NON_DATA;
Packet.Length = EFI_ATA_PASS_THRU_LENGTH_NO_DATA_TRANSFER;
Packet.Asb = Asb;
Packet.Acb = &Acb;
Packet.Timeout = ATA_TIMEOUT;
Status = AtaPassThru->PassThru (
AtaPassThru,
Port,
PortMultiplierPort,
&Packet
);
if (!EFI_ERROR (Status) &&
((Asb->AtaStatus & ATA_STSREG_ERR) != 0) &&
((Asb->AtaError & ATA_ERRREG_ABRT) != 0)) {
Status = EFI_DEVICE_ERROR;
}
FreeAlignedPages (Asb, EFI_SIZE_TO_PAGES (sizeof (EFI_ATA_STATUS_BLOCK)));
DEBUG ((DEBUG_INFO, "%a() - %r\n", __FUNCTION__, Status));
return Status;
}
/**
Unlock HDD password for S3.
@param[in] AtaPassThruPpi Pointer to the EDKII_PEI_ATA_PASS_THRU_PPI instance.
**/
VOID
UnlockHddPassword (
IN EDKII_PEI_ATA_PASS_THRU_PPI *AtaPassThruPpi
)
{
EFI_STATUS Status;
VOID *Buffer;
UINTN Length;
UINT8 DummyData;
HDD_PASSWORD_DEVICE_INFO *DevInfo;
UINT16 Port;
UINT16 PortMultiplierPort;
EFI_DEVICE_PATH_PROTOCOL *DevicePath;
UINTN DevicePathLength;
//
// Get HDD password device info from LockBox.
//
Buffer = (VOID *) &DummyData;
Length = sizeof (DummyData);
Status = RestoreLockBox (&mHddPasswordDeviceInfoGuid, Buffer, &Length);
if (Status == EFI_BUFFER_TOO_SMALL) {
Buffer = AllocatePages (EFI_SIZE_TO_PAGES (Length));
if (Buffer != NULL) {
Status = RestoreLockBox (&mHddPasswordDeviceInfoGuid, Buffer, &Length);
}
}
if ((Buffer == NULL) || (Buffer == (VOID *) &DummyData)) {
return;
} else if (EFI_ERROR (Status)) {
FreePages (Buffer, EFI_SIZE_TO_PAGES (Length));
return;
}
Status = AtaPassThruPpi->GetDevicePath (AtaPassThruPpi, &DevicePathLength, &DevicePath);
if (EFI_ERROR (Status) || (DevicePathLength <= sizeof (EFI_DEVICE_PATH_PROTOCOL))) {
goto Exit;
}
//
// Go through all the devices managed by the AtaPassThru PPI instance.
//
Port = 0xFFFF;
while (TRUE) {
Status = AtaPassThruPpi->GetNextPort (AtaPassThruPpi, &Port);
if (EFI_ERROR (Status)) {
//
// We cannot find more legal port then we are done.
//
break;
}
PortMultiplierPort = 0xFFFF;
while (TRUE) {
Status = AtaPassThruPpi->GetNextDevice (AtaPassThruPpi, Port, &PortMultiplierPort);
if (EFI_ERROR (Status)) {
//
// We cannot find more legal port multiplier port number for ATA device
// on the port, then we are done.
//
break;
}
//
// Search the device in the restored LockBox.
//
DevInfo = (HDD_PASSWORD_DEVICE_INFO *) Buffer;
while ((UINTN) DevInfo < ((UINTN) Buffer + Length)) {
//
// Find the matching device.
//
if ((DevInfo->Device.Port == Port) &&
(DevInfo->Device.PortMultiplierPort == PortMultiplierPort) &&
(DevInfo->DevicePathLength >= DevicePathLength) &&
(CompareMem (
DevInfo->DevicePath,
DevicePath,
DevicePathLength - sizeof (EFI_DEVICE_PATH_PROTOCOL)) == 0)) {
//
// If device locked, unlock first.
//
if (!IsZeroBuffer (DevInfo->Password, HDD_PASSWORD_MAX_LENGTH)) {
UnlockDevice (AtaPassThruPpi, Port, PortMultiplierPort, 0, DevInfo->Password);
}
//
// Freeze lock the device.
//
FreezeLockDevice (AtaPassThruPpi, Port, PortMultiplierPort);
break;
}
DevInfo = (HDD_PASSWORD_DEVICE_INFO *)
((UINTN) DevInfo + sizeof (HDD_PASSWORD_DEVICE_INFO) + DevInfo->DevicePathLength);
}
}
}
Exit:
ZeroMem (Buffer, Length);
FreePages (Buffer, EFI_SIZE_TO_PAGES (Length));
}
/**
Entry point of the notification callback function itself within the PEIM.
It is to unlock HDD password for S3.
@param PeiServices Indirect reference to the PEI Services Table.
@param NotifyDescriptor Address of the notification descriptor data structure.
@param Ppi Address of the PPI that was installed.
@return Status of the notification.
The status code returned from this function is ignored.
**/
EFI_STATUS
EFIAPI
HddPasswordAtaPassThruNotify (
IN EFI_PEI_SERVICES **PeiServices,
IN EFI_PEI_NOTIFY_DESCRIPTOR *NotifyDesc,
IN VOID *Ppi
)
{
DEBUG ((DEBUG_INFO, "%a() - enter at S3 resume\n", __FUNCTION__));
UnlockHddPassword ((EDKII_PEI_ATA_PASS_THRU_PPI *) Ppi);
DEBUG ((DEBUG_INFO, "%a() - exit at S3 resume\n", __FUNCTION__));
return EFI_SUCCESS;
}
EFI_PEI_NOTIFY_DESCRIPTOR mHddPasswordAtaPassThruPpiNotifyDesc = {
(EFI_PEI_PPI_DESCRIPTOR_NOTIFY_CALLBACK | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST),
&gEdkiiPeiAtaPassThruPpiGuid,
HddPasswordAtaPassThruNotify
};
/**
Main entry for this module.
@param FileHandle Handle of the file being invoked.
@param PeiServices Pointer to PEI Services table.
@return Status from PeiServicesNotifyPpi.
**/
EFI_STATUS
EFIAPI
HddPasswordPeiInit (
IN EFI_PEI_FILE_HANDLE FileHandle,
IN CONST EFI_PEI_SERVICES **PeiServices
)
{
EFI_STATUS Status;
EFI_BOOT_MODE BootMode;
Status = PeiServicesGetBootMode (&BootMode);
if ((EFI_ERROR (Status)) || (BootMode != BOOT_ON_S3_RESUME)) {
return EFI_UNSUPPORTED;
}
DEBUG ((DEBUG_INFO, "%a: Enters in S3 path.\n", __FUNCTION__));
Status = PeiServicesNotifyPpi (&mHddPasswordAtaPassThruPpiNotifyDesc);
ASSERT_EFI_ERROR (Status);
return Status;
}

View File

@ -0,0 +1,42 @@
/** @file
HddPassword PEI module which is used to unlock HDD password for S3.
Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions
of the BSD License which accompanies this distribution. The
full text of the license may be found at
http://opensource.org/licenses/bsd-license.php
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
**/
#ifndef _HDD_PASSWORD_PEI_H_
#define _HDD_PASSWORD_PEI_H_
#include <PiPei.h>
#include <IndustryStandard/Atapi.h>
#include <Library/DebugLib.h>
#include <Library/BaseLib.h>
#include <Library/BaseMemoryLib.h>
#include <Library/MemoryAllocationLib.h>
#include <Library/PeimEntryPoint.h>
#include <Library/PeiServicesLib.h>
#include <Library/PciLib.h>
#include <Library/LockBoxLib.h>
#include <Ppi/AtaPassThru.h>
#include "HddPasswordCommon.h"
//
// Time out value for ATA PassThru PPI
//
#define ATA_TIMEOUT 30000000
#endif

View File

@ -0,0 +1,54 @@
## @file
# HddPassword PEI module which is used to unlock HDD password for S3.
#
# Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
#
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at
# http://opensource.org/licenses/bsd-license.php
#
# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
#
##
[Defines]
INF_VERSION = 0x00010005
BASE_NAME = HddPasswordPei
FILE_GUID = 91AD7375-8E8E-49D2-A343-68BC78273955
MODULE_TYPE = PEIM
VERSION_STRING = 1.0
ENTRY_POINT = HddPasswordPeiInit
#
# The following information is for reference only and not required by the build tools.
#
# VALID_ARCHITECTURES = IA32 X64 IPF EBC
#
[Sources]
HddPasswordPei.c
HddPasswordPei.h
HddPasswordCommon.h
[Packages]
MdePkg/MdePkg.dec
MdeModulePkg/MdeModulePkg.dec
[LibraryClasses]
PeimEntryPoint
PeiServicesLib
DebugLib
BaseLib
BaseMemoryLib
MemoryAllocationLib
PciLib
LockBoxLib
[Ppis]
gEdkiiPeiAtaPassThruPpiGuid ## NOTIFY
[Depex]
gEfiPeiMasterBootModePpiGuid

View File

@ -0,0 +1,48 @@
// /** @file
// String definitions for HddPassword Setup Form.
//
// Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
//
// This program and the accompanying materials
// are licensed and made available under the terms and conditions
// of the BSD License which accompanies this distribution. The
// full text of the license may be found at
// http://opensource.org/licenses/bsd-license.php
//
// THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
// WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
//
// **/
#langdef en-US "English"
#string STR_HDD_SECURITY_CONFIG #language en-US "HDD Security Configuration"
#string STR_SECURITY_HDD_PWD_DESC #language en-US "HDD Password Description :"
#string STR_SECURITY_HDD_BANNER_ONE #language en-US "Allows Access to Set, Modify and Clear HardDisk User and"
#string STR_SECURITY_HDD_BANNER_TWO #language en-US "Master Passwords."
#string STR_SECURITY_HDD_BANNER_THREE #language en-US "User Password need to be installed for Enabling Security."
#string STR_SECURITY_HDD_BANNER_FOUR #language en-US "Master Password can be modified only when succesfully"
#string STR_SECURITY_HDD_BANNER_FIVE #language en-US "unlocked with User Password in POST."
#string STR_HDD_SECURITY_HD #language en-US "HDD Password"
#string STR_HDD_SECURITY_HELP #language en-US "Set HDD Password"
#string STR_HDD_PASSWORD_CONFIG #language en-US "HDD PASSWORD CONFIGURATION:"
#string STR_SEC_SUPPORTED #language en-US "Security Supported :"
#string STR_SEC_ENABLED #language en-US "Security Enabled :"
#string STR_SEC_LOCKED #language en-US "Security Locked :"
#string STR_SEC_FROZEN #language en-US "Security Frozen :"
#string STR_YES #language en-US "Yes"
#string STR_NO #language en-US "No"
#string STR_HDD_USER_PASSWORD #language en-US "Request to set User Password"
#string STR_HDD_USER_PASSWORD_HELP #language en-US "Request to set HDD User Password. \n*** Reset is required for the request to be processed in next boot *** \n*** G3 circle is required to disable freeze state when Security Frozen state is Yes, otherwise the request will be ignored. *** "
#string STR_HDD_MASTER_PASSWORD #language en-US "Request to set Master Password"
#string STR_HDD_MASTER_PASSWORD_HELP #language en-US "Request to set HDD Master Password. \n*** Reset is required for the request to be processed in next boot *** \n*** G3 circle is required to disable freeze state when Security Frozen state is Yes, otherwise the request will be ignored. *** "
#string STR_INSTALLED #language en-US "INSTALLED"
#string STR_NOT_INSTALLED #language en-US "NOT INSTALLED"
#string STR_HDD_USER_PASSWORD_STS #language en-US "HDD User Password Status :"
#string STR_HDD_MASTER_PASSWORD_STS #language en-US "HDD Master Password Status:"
#string STR_NULL #language en-US ""
#string STR_EMPTY #language en-US ""

View File

@ -287,6 +287,12 @@
SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe.inf SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe.inf
SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordPei.inf SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordPei.inf
#
# HDD Password solution
#
SecurityPkg/HddPassword/HddPasswordDxe.inf
SecurityPkg/HddPassword/HddPasswordPei.inf
[BuildOptions] [BuildOptions]
MSFT:*_*_IA32_DLINK_FLAGS = /ALIGN:256 MSFT:*_*_IA32_DLINK_FLAGS = /ALIGN:256
INTEL:*_*_IA32_DLINK_FLAGS = /ALIGN:256 INTEL:*_*_IA32_DLINK_FLAGS = /ALIGN:256