tyler.durden/audk
1
0
Fork 0
mirror of https://github.com/acidanthera/audk.git synced 2025-07-28 08:04:07 +02:00
Code Issues Packages Projects Releases Wiki Activity

SecurityPkg Tcg2PPLib: Support BlockSID related actions

Browse Source 
Then Tcg2PhysicalPresenceLib can support TCG2 PP TPM2,
storage management and vendor specific requests according
to Physical Presence Interface Specification.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
This commit is contained in:
Star Zeng 2016-11-23 16:38:33 +08:00
parent 6a82ceb690
commit e92ddda2b5
4 changed files with 217 additions and 76 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
SecurityPkg/Include/Library/Tcg2PhysicalPresenceLib.h
View File

@ -43,6 +43,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
// //
#define TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_BLOCK_SID BIT16 #define TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_BLOCK_SID BIT16
#define TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_BLOCK_SID BIT17 #define TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_BLOCK_SID BIT17
#define TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_ENABLE_BLOCK_SID BIT18
// //
// Default value // Default value
@ -52,6 +53,12 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
TCG2_BIOS_TPM_MANAGEMENT_FLAG_PP_REQUIRED_FOR_CHANGE_EPS | \ TCG2_BIOS_TPM_MANAGEMENT_FLAG_PP_REQUIRED_FOR_CHANGE_EPS | \
TCG2_BIOS_TPM_MANAGEMENT_FLAG_PP_REQUIRED_FOR_CHANGE_PCRS) TCG2_BIOS_TPM_MANAGEMENT_FLAG_PP_REQUIRED_FOR_CHANGE_PCRS)
//
// Default value
//
#define TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT (TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_BLOCK_SID | \
TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_BLOCK_SID)
/** /**
Check and execute the pending TPM request. Check and execute the pending TPM request.

239
SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
View File

@ -163,9 +163,6 @@ Tcg2ExecutePhysicalPresence (
EFI_TCG2_EVENT_ALGORITHM_BITMAP TpmHashAlgorithmBitmap; EFI_TCG2_EVENT_ALGORITHM_BITMAP TpmHashAlgorithmBitmap;
UINT32 ActivePcrBanks; UINT32 ActivePcrBanks;
Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &ActivePcrBanks);
ASSERT_EFI_ERROR (Status);
switch (CommandCode) { switch (CommandCode) {
case TCG2_PHYSICAL_PRESENCE_CLEAR: case TCG2_PHYSICAL_PRESENCE_CLEAR:
case TCG2_PHYSICAL_PRESENCE_ENABLE_CLEAR: case TCG2_PHYSICAL_PRESENCE_ENABLE_CLEAR:
@ -187,6 +184,8 @@ Tcg2ExecutePhysicalPresence (
return TCG_PP_OPERATION_RESPONSE_SUCCESS; return TCG_PP_OPERATION_RESPONSE_SUCCESS;
case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS: case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS:
Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &ActivePcrBanks);
ASSERT_EFI_ERROR (Status);
Status = Tpm2PcrAllocateBanks (PlatformAuth, TpmHashAlgorithmBitmap, CommandParameter); Status = Tpm2PcrAllocateBanks (PlatformAuth, TpmHashAlgorithmBitmap, CommandParameter);
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE; return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
@ -203,6 +202,8 @@ Tcg2ExecutePhysicalPresence (
} }
case TCG2_PHYSICAL_PRESENCE_LOG_ALL_DIGESTS: case TCG2_PHYSICAL_PRESENCE_LOG_ALL_DIGESTS:
Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &ActivePcrBanks);
ASSERT_EFI_ERROR (Status);
Status = Tpm2PcrAllocateBanks (PlatformAuth, TpmHashAlgorithmBitmap, TpmHashAlgorithmBitmap); Status = Tpm2PcrAllocateBanks (PlatformAuth, TpmHashAlgorithmBitmap, TpmHashAlgorithmBitmap);
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE; return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
@ -210,6 +211,30 @@ Tcg2ExecutePhysicalPresence (
return TCG_PP_OPERATION_RESPONSE_SUCCESS; return TCG_PP_OPERATION_RESPONSE_SUCCESS;
} }
case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID:
PpiFlags->PPFlags |= TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_ENABLE_BLOCK_SID;
return TCG_PP_OPERATION_RESPONSE_SUCCESS;
case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID:
PpiFlags->PPFlags &= ~TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_ENABLE_BLOCK_SID;
return TCG_PP_OPERATION_RESPONSE_SUCCESS;
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_TRUE:
PpiFlags->PPFlags |= TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_BLOCK_SID;
return TCG_PP_OPERATION_RESPONSE_SUCCESS;
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_FALSE:
PpiFlags->PPFlags &= ~TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_BLOCK_SID;
return TCG_PP_OPERATION_RESPONSE_SUCCESS;
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_TRUE:
PpiFlags->PPFlags |= TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_BLOCK_SID;
return TCG_PP_OPERATION_RESPONSE_SUCCESS;
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_FALSE:
PpiFlags->PPFlags &= ~TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_BLOCK_SID;
return TCG_PP_OPERATION_RESPONSE_SUCCESS;
default: default:
if (CommandCode <= TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX) { if (CommandCode <= TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX) {
return TCG_PP_OPERATION_RESPONSE_SUCCESS; return TCG_PP_OPERATION_RESPONSE_SUCCESS;
@ -340,22 +365,6 @@ Tcg2UserConfirm (
UINT32 CurrentPCRBanks; UINT32 CurrentPCRBanks;
EFI_STATUS Status; EFI_STATUS Status;
Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **) &Tcg2Protocol);
ASSERT_EFI_ERROR (Status);
ProtocolCapability.Size = sizeof(ProtocolCapability);
Status = Tcg2Protocol->GetCapability (
Tcg2Protocol,
&ProtocolCapability
);
ASSERT_EFI_ERROR (Status);
Status = Tcg2Protocol->GetActivePcrBanks (
Tcg2Protocol,
&CurrentPCRBanks
);
ASSERT_EFI_ERROR (Status);
TmpStr2 = NULL; TmpStr2 = NULL;
CautionKey = FALSE; CautionKey = FALSE;
NoPpiInfo = FALSE; NoPpiInfo = FALSE;
@ -363,6 +372,9 @@ Tcg2UserConfirm (
ConfirmText = AllocateZeroPool (BufSize); ConfirmText = AllocateZeroPool (BufSize);
ASSERT (ConfirmText != NULL); ASSERT (ConfirmText != NULL);
mTcg2PpStringPackHandle = HiiAddPackages (&gEfiTcg2PhysicalPresenceGuid, gImageHandle, DxeTcg2PhysicalPresenceLibStrings, NULL);
ASSERT (mTcg2PpStringPackHandle != NULL);
switch (TpmPpCommand) { switch (TpmPpCommand) {
case TCG2_PHYSICAL_PRESENCE_CLEAR: case TCG2_PHYSICAL_PRESENCE_CLEAR:
@ -404,6 +416,22 @@ Tcg2UserConfirm (
break; break;
case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS: case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS:
Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **) &Tcg2Protocol);
ASSERT_EFI_ERROR (Status);
ProtocolCapability.Size = sizeof(ProtocolCapability);
Status = Tcg2Protocol->GetCapability (
Tcg2Protocol,
&ProtocolCapability
);
ASSERT_EFI_ERROR (Status);
Status = Tcg2Protocol->GetActivePcrBanks (
Tcg2Protocol,
&CurrentPCRBanks
);
ASSERT_EFI_ERROR (Status);
CautionKey = TRUE; CautionKey = TRUE;
TmpStr2 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TPM_SET_PCR_BANKS)); TmpStr2 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TPM_SET_PCR_BANKS));
@ -450,6 +478,39 @@ Tcg2UserConfirm (
break; break;
case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID:
TmpStr2 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TCG_STORAGE_ENABLE_BLOCK_SID));
TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TCG_STORAGE_HEAD_STR));
UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2);
FreePool (TmpStr1);
break;
case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID:
TmpStr2 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TCG_STORAGE_DISABLE_BLOCK_SID));
TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TCG_STORAGE_HEAD_STR));
UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2);
FreePool (TmpStr1);
break;
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_FALSE:
NoPpiInfo = TRUE;
TmpStr2 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TCG_STORAGE_PP_ENABLE_BLOCK_SID));
TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TCG_STORAGE_PPI_HEAD_STR));
UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2);
FreePool (TmpStr1);
break;
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_FALSE:
NoPpiInfo = TRUE;
TmpStr2 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TCG_STORAGE_PP_DISABLE_BLOCK_SID));
TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TCG_STORAGE_PPI_HEAD_STR));
UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2);
FreePool (TmpStr1);
break;
default: default:
; ;
@ -505,6 +566,7 @@ Tcg2UserConfirm (
FreePool (TmpStr1); FreePool (TmpStr1);
FreePool (TmpStr2); FreePool (TmpStr2);
FreePool (ConfirmText); FreePool (ConfirmText);
HiiRemovePackages (mTcg2PpStringPackHandle);
if (Tcg2ReadUserKey (CautionKey)) { if (Tcg2ReadUserKey (CautionKey)) {
return TRUE; return TRUE;
@ -519,10 +581,10 @@ Tcg2UserConfirm (
@param[in] TcgPpData EFI Tcg2 Physical Presence request data. @param[in] TcgPpData EFI Tcg2 Physical Presence request data.
@param[in] Flags The physical presence interface flags. @param[in] Flags The physical presence interface flags.
@param[out] RequestConfirmed If the physical presence operation command required user confirm from UI. @param[out] RequestConfirmed If the physical presence operation command required user confirm from UI.
True, it indicates the command doesn't require user confirm, or already confirmed True, it indicates the command doesn't require user confirm, or already confirmed
in last boot cycle by user. in last boot cycle by user.
False, it indicates the command need user confirm from UI. False, it indicates the command need user confirm from UI.
@retval TRUE Physical Presence operation command is valid. @retval TRUE Physical Presence operation command is valid.
@retval FALSE Physical Presence operation command is invalid. @retval FALSE Physical Presence operation command is invalid.
@ -535,10 +597,22 @@ Tcg2HaveValidTpmRequest (
OUT BOOLEAN *RequestConfirmed OUT BOOLEAN *RequestConfirmed
) )
{ {
BOOLEAN IsRequestValid; EFI_TCG2_PROTOCOL *Tcg2Protocol;
EFI_STATUS Status;
BOOLEAN IsRequestValid;
*RequestConfirmed = FALSE; *RequestConfirmed = FALSE;
if (TcgPpData->PPRequest <= TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX) {
//
// Need TCG2 protocol.
//
Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **) &Tcg2Protocol);
if (EFI_ERROR (Status)) {
return FALSE;
}
}
switch (TcgPpData->PPRequest) { switch (TcgPpData->PPRequest) {
case TCG2_PHYSICAL_PRESENCE_NO_ACTION: case TCG2_PHYSICAL_PRESENCE_NO_ACTION:
*RequestConfirmed = TRUE; *RequestConfirmed = TRUE;
@ -576,6 +650,27 @@ Tcg2HaveValidTpmRequest (
*RequestConfirmed = TRUE; *RequestConfirmed = TRUE;
break; break;
case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID:
if ((Flags.PPFlags & TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_BLOCK_SID) == 0) {
*RequestConfirmed = TRUE;
}
break;
case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID:
if ((Flags.PPFlags & TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_BLOCK_SID) == 0) {
*RequestConfirmed = TRUE;
}
break;
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_TRUE:
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_TRUE:
*RequestConfirmed = TRUE;
break;
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_FALSE:
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_FALSE:
break;
default: default:
if (TcgPpData->PPRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) { if (TcgPpData->PPRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) {
IsRequestValid = Tcg2PpVendorLibHasValidRequest (TcgPpData->PPRequest, Flags.PPFlags, RequestConfirmed); IsRequestValid = Tcg2PpVendorLibHasValidRequest (TcgPpData->PPRequest, Flags.PPFlags, RequestConfirmed);
@ -613,15 +708,15 @@ Tcg2HaveValidTpmRequest (
TcgPpData variable is external input, so this function will validate TcgPpData variable is external input, so this function will validate
its data structure to be valid value. its data structure to be valid value.
@param[in] PlatformAuth platform auth value. NULL means no platform auth change. @param[in] PlatformAuth platform auth value. NULL means no platform auth change.
@param[in] TcgPpData Point to the physical presence NV variable. @param[in, out] TcgPpData Pointer to the physical presence NV variable.
@param[in] Flags The physical presence interface flags. @param[in, out] Flags Pointer to the physical presence interface flags.
**/ **/
VOID VOID
Tcg2ExecutePendingTpmRequest ( Tcg2ExecutePendingTpmRequest (
IN TPM2B_AUTH *PlatformAuth, OPTIONAL IN TPM2B_AUTH *PlatformAuth, OPTIONAL
IN EFI_TCG2_PHYSICAL_PRESENCE *TcgPpData, IN OUT EFI_TCG2_PHYSICAL_PRESENCE *TcgPpData,
IN EFI_TCG2_PHYSICAL_PRESENCE_FLAGS Flags IN OUT EFI_TCG2_PHYSICAL_PRESENCE_FLAGS *Flags
) )
{ {
EFI_STATUS Status; EFI_STATUS Status;
@ -638,7 +733,7 @@ Tcg2ExecutePendingTpmRequest (
return; return;
} }
if (!Tcg2HaveValidTpmRequest(TcgPpData, Flags, &RequestConfirmed)) { if (!Tcg2HaveValidTpmRequest(TcgPpData, *Flags, &RequestConfirmed)) {
// //
// Invalid operation request. // Invalid operation request.
// //
@ -664,7 +759,7 @@ Tcg2ExecutePendingTpmRequest (
ResetRequired = FALSE; ResetRequired = FALSE;
if (TcgPpData->PPRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) { if (TcgPpData->PPRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) {
NewFlags = Flags; NewFlags = *Flags;
NewPPFlags = NewFlags.PPFlags; NewPPFlags = NewFlags.PPFlags;
TcgPpData->PPResponse = Tcg2PpVendorLibExecutePendingRequest (PlatformAuth, TcgPpData->PPRequest, &NewPPFlags, &ResetRequired); TcgPpData->PPResponse = Tcg2PpVendorLibExecutePendingRequest (PlatformAuth, TcgPpData->PPRequest, &NewPPFlags, &ResetRequired);
NewFlags.PPFlags = NewPPFlags; NewFlags.PPFlags = NewPPFlags;
@ -680,7 +775,7 @@ Tcg2ExecutePendingTpmRequest (
// Execute requested physical presence command // Execute requested physical presence command
// //
TcgPpData->PPResponse = TCG_PP_OPERATION_RESPONSE_USER_ABORT; TcgPpData->PPResponse = TCG_PP_OPERATION_RESPONSE_USER_ABORT;
NewFlags = Flags; NewFlags = *Flags;
if (RequestConfirmed) { if (RequestConfirmed) {
TcgPpData->PPResponse = Tcg2ExecutePhysicalPresence ( TcgPpData->PPResponse = Tcg2ExecutePhysicalPresence (
PlatformAuth, PlatformAuth,
@ -694,7 +789,8 @@ Tcg2ExecutePendingTpmRequest (
// //
// Save the flags if it is updated. // Save the flags if it is updated.
// //
if (CompareMem (&Flags, &NewFlags, sizeof(EFI_TCG2_PHYSICAL_PRESENCE_FLAGS)) != 0) { if (CompareMem (Flags, &NewFlags, sizeof(EFI_TCG2_PHYSICAL_PRESENCE_FLAGS)) != 0) {
*Flags = NewFlags;
Status = gRT->SetVariable ( Status = gRT->SetVariable (
TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE, TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE,
&gEfiTcg2PhysicalPresenceGuid, &gEfiTcg2PhysicalPresenceGuid,
@ -745,6 +841,16 @@ Tcg2ExecutePendingTpmRequest (
case TCG2_PHYSICAL_PRESENCE_LOG_ALL_DIGESTS: case TCG2_PHYSICAL_PRESENCE_LOG_ALL_DIGESTS:
break; break;
case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID:
case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID:
break;
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_TRUE:
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_TRUE:
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_FALSE:
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_FALSE:
return;
default: default:
if (TcgPpData->LastPPRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) { if (TcgPpData->LastPPRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) {
if (ResetRequired) { if (ResetRequired) {
@ -786,15 +892,9 @@ Tcg2PhysicalPresenceLibProcessRequest (
EFI_STATUS Status; EFI_STATUS Status;
UINTN DataSize; UINTN DataSize;
EFI_TCG2_PHYSICAL_PRESENCE TcgPpData; EFI_TCG2_PHYSICAL_PRESENCE TcgPpData;
EFI_TCG2_PROTOCOL *Tcg2Protocol;
EDKII_VARIABLE_LOCK_PROTOCOL *VariableLockProtocol; EDKII_VARIABLE_LOCK_PROTOCOL *VariableLockProtocol;
EFI_TCG2_PHYSICAL_PRESENCE_FLAGS PpiFlags; EFI_TCG2_PHYSICAL_PRESENCE_FLAGS PpiFlags;
Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **) &Tcg2Protocol);
if (EFI_ERROR (Status)) {
return ;
}
// //
// This flags variable controls whether physical presence is required for TPM command. // This flags variable controls whether physical presence is required for TPM command.
// It should be protected from malicious software. We set it as read-only variable here. // It should be protected from malicious software. We set it as read-only variable here.
@ -820,9 +920,6 @@ Tcg2PhysicalPresenceLibProcessRequest (
return ; return ;
} }
mTcg2PpStringPackHandle = HiiAddPackages (&gEfiTcg2PhysicalPresenceGuid, gImageHandle, DxeTcg2PhysicalPresenceLibStrings, NULL);
ASSERT (mTcg2PpStringPackHandle != NULL);
// //
// Initialize physical presence flags. // Initialize physical presence flags.
// //
@ -835,7 +932,7 @@ Tcg2PhysicalPresenceLibProcessRequest (
&PpiFlags &PpiFlags
); );
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
PpiFlags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT; PpiFlags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT | TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT;
Status = gRT->SetVariable ( Status = gRT->SetVariable (
TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE, TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE,
&gEfiTcg2PhysicalPresenceGuid, &gEfiTcg2PhysicalPresenceGuid,
@ -848,7 +945,6 @@ Tcg2PhysicalPresenceLibProcessRequest (
return ; return ;
} }
} }
DEBUG ((EFI_D_INFO, "[TPM2] PpiFlags = %x\n", PpiFlags.PPFlags));
// //
// Initialize physical presence variable. // Initialize physical presence variable.
@ -882,7 +978,7 @@ Tcg2PhysicalPresenceLibProcessRequest (
// //
// Execute pending TPM request. // Execute pending TPM request.
// //
Tcg2ExecutePendingTpmRequest (PlatformAuth, &TcgPpData, PpiFlags); Tcg2ExecutePendingTpmRequest (PlatformAuth, &TcgPpData, &PpiFlags);
DEBUG ((EFI_D_INFO, "[TPM2] PPResponse = %x (LastPPRequest=%x, Flags=%x)\n", TcgPpData.PPResponse, TcgPpData.LastPPRequest, PpiFlags.PPFlags)); DEBUG ((EFI_D_INFO, "[TPM2] PPResponse = %x (LastPPRequest=%x, Flags=%x)\n", TcgPpData.PPResponse, TcgPpData.LastPPRequest, PpiFlags.PPFlags));
} }
@ -907,14 +1003,8 @@ Tcg2PhysicalPresenceLibNeedUserConfirm(
EFI_TCG2_PHYSICAL_PRESENCE TcgPpData; EFI_TCG2_PHYSICAL_PRESENCE TcgPpData;
UINTN DataSize; UINTN DataSize;
BOOLEAN RequestConfirmed; BOOLEAN RequestConfirmed;
EFI_TCG2_PROTOCOL *Tcg2Protocol;
EFI_TCG2_PHYSICAL_PRESENCE_FLAGS PpiFlags; EFI_TCG2_PHYSICAL_PRESENCE_FLAGS PpiFlags;
Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **) &Tcg2Protocol);
if (EFI_ERROR (Status)) {
return FALSE;
}
// //
// Check S4 resume // Check S4 resume
// //
@ -1065,10 +1155,7 @@ Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunction (
} }
if ((OperationRequest > TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX) && if ((OperationRequest > TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX) &&
(OperationRequest < TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) ) { (OperationRequest < TCG2_PHYSICAL_PRESENCE_STORAGE_MANAGEMENT_BEGIN) ) {
//
// This command requires UI to prompt user for Auth data.
//
return TCG_PP_SUBMIT_REQUEST_TO_PREOS_NOT_IMPLEMENTED; return TCG_PP_SUBMIT_REQUEST_TO_PREOS_NOT_IMPLEMENTED;
} }
@ -1084,11 +1171,10 @@ Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunction (
DataSize, DataSize,
&PpData &PpData
); );
} if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "[TPM2] Set PP variable failure! Status = %r\n", Status));
if (EFI_ERROR (Status)) { return TCG_PP_SUBMIT_REQUEST_TO_PREOS_GENERAL_FAILURE;
DEBUG ((EFI_D_ERROR, "[TPM2] Set PP variable failure! Status = %r\n", Status)); }
return TCG_PP_SUBMIT_REQUEST_TO_PREOS_GENERAL_FAILURE;
} }
if (OperationRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) { if (OperationRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) {
@ -1101,10 +1187,41 @@ Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunction (
&Flags &Flags
); );
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
Flags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT; Flags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT | TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT;
} }
return Tcg2PpVendorLibSubmitRequestToPreOSFunction (OperationRequest, Flags.PPFlags, RequestParameter); return Tcg2PpVendorLibSubmitRequestToPreOSFunction (OperationRequest, Flags.PPFlags, RequestParameter);
} }
return TCG_PP_SUBMIT_REQUEST_TO_PREOS_SUCCESS; return TCG_PP_SUBMIT_REQUEST_TO_PREOS_SUCCESS;
} }
/**
Return TPM2 ManagementFlags set by PP interface.
@retval ManagementFlags TPM2 Management Flags.
**/
UINT32
EFIAPI
Tcg2PhysicalPresenceLibGetManagementFlags (
VOID
)
{
EFI_STATUS Status;
EFI_TCG2_PHYSICAL_PRESENCE_FLAGS PpiFlags;
UINTN DataSize;
DEBUG ((EFI_D_INFO, "[TPM2] GetManagementFlags\n"));
DataSize = sizeof (EFI_TCG2_PHYSICAL_PRESENCE_FLAGS);
Status = gRT->GetVariable (
TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE,
&gEfiTcg2PhysicalPresenceGuid,
NULL,
&DataSize,
&PpiFlags
);
if (EFI_ERROR (Status)) {
PpiFlags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT | TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT;
}
return PpiFlags.PPFlags;
}

4
SecurityPkg/Library/PeiTcg2PhysicalPresenceLib/PeiTcg2PhysicalPresenceLib.c
View File

@ -3,7 +3,7 @@
This library will get TPM 2.0 physical presence information. This library will get TPM 2.0 physical presence information.
Copyright (c) 2015, Intel Corporation. All rights reserved.<BR> Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at which accompanies this distribution. The full text of the license may be found at
@ -53,7 +53,7 @@ Tcg2PhysicalPresenceLibGetManagementFlags (
&PpiFlags &PpiFlags
); );
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
PpiFlags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT; PpiFlags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT | TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT;
} }
return PpiFlags.PPFlags; return PpiFlags.PPFlags;
} }

41
SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.c
View File

@ -130,10 +130,7 @@ Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunctionEx (
} }
if ((*OperationRequest > TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX) && if ((*OperationRequest > TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX) &&
(*OperationRequest < TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) ) { (*OperationRequest < TCG2_PHYSICAL_PRESENCE_STORAGE_MANAGEMENT_BEGIN) ) {
//
// This command requires UI to prompt user for Auth data.
//
ReturnCode = TCG_PP_SUBMIT_REQUEST_TO_PREOS_NOT_IMPLEMENTED; ReturnCode = TCG_PP_SUBMIT_REQUEST_TO_PREOS_NOT_IMPLEMENTED;
goto EXIT; goto EXIT;
} }
@ -150,12 +147,11 @@ Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunctionEx (
DataSize, DataSize,
&PpData &PpData
); );
} if (EFI_ERROR (Status)) {
DEBUG ((EFI_D_ERROR, "[TPM2] Set PP variable failure! Status = %r\n", Status));
if (EFI_ERROR (Status)) { ReturnCode = TCG_PP_SUBMIT_REQUEST_TO_PREOS_GENERAL_FAILURE;
DEBUG ((EFI_D_ERROR, "[TPM2] Set PP variable failure! Status = %r\n", Status)); goto EXIT;
ReturnCode = TCG_PP_SUBMIT_REQUEST_TO_PREOS_GENERAL_FAILURE; }
goto EXIT;
} }
if (*OperationRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) { if (*OperationRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) {
@ -168,7 +164,7 @@ Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunctionEx (
&Flags &Flags
); );
if (EFI_ERROR (Status)) { if (EFI_ERROR (Status)) {
Flags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT; Flags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT | TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT;
} }
ReturnCode = Tcg2PpVendorLibSubmitRequestToPreOSFunction (*OperationRequest, Flags.PPFlags, *RequestParameter); ReturnCode = Tcg2PpVendorLibSubmitRequestToPreOSFunction (*OperationRequest, Flags.PPFlags, *RequestParameter);
} }
@ -318,6 +314,27 @@ Tcg2PhysicalPresenceLibGetUserConfirmationStatusFunction (
RequestConfirmed = TRUE; RequestConfirmed = TRUE;
break; break;
case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID:
if ((Flags.PPFlags & TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_BLOCK_SID) == 0) {
RequestConfirmed = TRUE;
}
break;
case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID:
if ((Flags.PPFlags & TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_BLOCK_SID) == 0) {
RequestConfirmed = TRUE;
}
break;
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_TRUE:
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_TRUE:
RequestConfirmed = TRUE;
break;
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_FALSE:
case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_FALSE:
break;
default: default:
if (OperationRequest <= TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX) { if (OperationRequest <= TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX) {
RequestConfirmed = TRUE; RequestConfirmed = TRUE;
@ -341,7 +358,7 @@ Tcg2PhysicalPresenceLibGetUserConfirmationStatusFunction (
} }
/** /**
The constructor function register UNI strings into imageHandle. The constructor function locates SmmVariable protocol.
It will ASSERT() if that operation fails and it will always return EFI_SUCCESS. It will ASSERT() if that operation fails and it will always return EFI_SUCCESS.