Commit Graph

950 Commits

Author SHA1 Message Date
Laszlo Ersek eccb856f01 SecurityPkg/DxeImageVerificationHandler: remove "else" after return/break
In the code structure

  if (condition) {
    //
    // block1
    //
    return;
  } else {
    //
    // block2
    //
  }

nesting "block2" in an "else" branch is superfluous, and harms
readability. It can be transformed to:

  if (condition) {
    //
    // block1
    //
    return;
  }
  //
  // block2
  //

with identical behavior, and improved readability (less nesting).

The same applies to "break" (instead of "return") in a loop body.

Perform these transformations on DxeImageVerificationHandler().

This patch is a no-op for behavior. Use

  git show -b -W

for reviewing it more easily.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20200116190705.18816-3-lersek@redhat.com>
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
[lersek@redhat.com: push with Mike's R-b due to Chinese New Year
 Holiday: <https://edk2.groups.io/g/devel/message/53429>; msgid
 <d3fbb76dabed4e1987c512c328c82810@intel.com>]
2020-01-31 09:35:31 +00:00
Laszlo Ersek 1e0f973b65 SecurityPkg/DxeImageVerificationHandler: simplify "VerifyStatus"
In the DxeImageVerificationHandler() function, the "VerifyStatus" variable
can only contain one of two values: EFI_SUCCESS and EFI_ACCESS_DENIED.
Furthermore, the variable is only consumed with EFI_ERROR().

Therefore, using the EFI_STATUS type for the variable is unnecessary.
Worse, given the complex meanings of the function's return values, using
EFI_STATUS for "VerifyStatus" is actively confusing.

Rename the variable to "IsVerified", and make it a simple BOOLEAN.

This patch is a no-op, regarding behavior.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=2129
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Message-Id: <20200116190705.18816-2-lersek@redhat.com>
Reviewed-by: Michael D Kinney <michael.d.kinney@intel.com>
[lersek@redhat.com: push with Mike's R-b due to Chinese New Year
 Holiday: <https://edk2.groups.io/g/devel/message/53429>; msgid
 <d3fbb76dabed4e1987c512c328c82810@intel.com>]
2020-01-31 09:35:31 +00:00
Jiewen Yao 0286fe8176 SecurityPkg/Tcg2Pei: Add TCG PFP 105 support.
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2439

Use EV_EFI_PLATFORM_FIRMWARE_BLOB2 if the TCG PFP revision is >= 105.
Use FvName as the description for the FV.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2020-01-06 06:23:19 +00:00
Jiewen Yao 4fa25853cd SecurityPkg/Tcg2Dxe: Add Tcg2Dxe to support 800-155 event.
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2439

The TCG2 DXE supports to parse the 800-155 event GUID from PEI
and puts to the beginning of the TCG2 event.

The TCG2 DXE also supports a DXE driver produces 800-155 event
and let TCG2 DXE driver record.

The 800-155 is a NO-ACTION event which does not need extend
anything to TPM2. The TCG2 DXE also supports that.

Multiple 800-155 events are supported. All of them will be put
to the beginning of the TCG2 event, just after the SpecId event.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2020-01-06 06:23:19 +00:00
Jiewen Yao df73a69faf SecurityPkg/Guid: Add TCG 800-155 event GUID definition.
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2439

The PEIM can produce the 800-155 event and the event
will be recorded to TCG event log by the TCG2 DXE.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2020-01-06 06:23:19 +00:00
Jiewen Yao 7e55cf6b48 SecurityPkg/Tcg2Smm: Measure the table before patch.
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1940

According to TCG PFP specification: the ACPI table must be
measured prior to any modification, and the measurement
must be same cross every boot cycle.

There is a fix 3a63c17ebc
for the HID data. However that is not enough.
The LAML/LASA and PCD configuration change may also cause
similar problem.

We need measure the table before any update.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Signed-off-by: Jiewen Yao <Jiewen.Yao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2019-12-10 08:00:14 +00:00
Michael D Kinney 566c45a533 SecurityPkg: Add YAML files for CI builds
https://bugzilla.tianocore.org/show_bug.cgi?id=2315

Add YAML file to the package directory with the
configuration of the checks to perform during a
CI build.

Use BaseCryptLibNull for package CI builds to reduce package
build times.  Enabled with CONTINUOUS_INTEGRATION in YAML
files.  By default CONTINUOUS_INTEGRATION is not defined,
and the original lib mappings are preserved.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-11-11 13:02:30 -08:00
Derek Lin 3a63c17ebc SecurityPkg: Fix TPM2 ACPI measurement.
We have discussed in this thread.
https://edk2.groups.io/g/devel/topic/32205028

Before the change, TPM FW upgrade will impact TPM2 ACPI PCR value because
TPM2 ACPI HID include FW version.

This change make the measurement before TPM2 HID fixup. So, after TPM FW
upgrade, the ACPI PCR record remains the same.

Signed-off-by: Derek Lin <derek.lin2@hpe.com>
Reviewed by: Jiewen Yao <Jiewen.yao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-11-07 13:11:34 +08:00
Chu, Maggie 1a04951309 SecurityPkg/OpalPassword: Remove dependency on EFI_BLOCK_IO_PROTOCOL
https://bugzilla.tianocore.org/show_bug.cgi?id=2327

RAID drivers abstract their physical drives that make up
the array into a single unit, and do not supply individual
EFI_BLOCK_IO_PROTOCOL instances for each physical drive in the array.
This breaks support for the Security Storage Command Protocol,
which currently requires an EFI_BLOCK_IO_PROTOCOL to be associated
with the same device the protocol is installed on and provide
all the same parameters.

This patch remove dependency on EFI_BLOCK_IO_PROTOCOL and
allows access to Opal drive members of a RAID array.

Signed-off-by: Maggie Chu <maggie.chu@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
2019-11-06 16:16:18 +08:00
Sean Brogan d6b926e76e SecurityPkg: Fix spelling errors
https://bugzilla.tianocore.org/show_bug.cgi?id=2265

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-10-23 10:23:23 -07:00
Michael D Kinney 6e7e9b9578 SecurityPkg: Change EFI_D_INFO to DEBUG_INFO
Update DEBUG() macro to use DEBUG_INFO to address PatchCheck.py error.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-10-23 10:23:17 -07:00
Liming Gao e026bb4c39 SecurityPkg Tcg2Dxe: Add Variable Arch protocol dependency
commit a7e2d20193 introduces the code to
get PcdTpm2AcpiTableRev in the driver entry point. This PCD is designed as
DynamicHii or DynamicHiiEx PCD. So, this PCD depends on Variable service.
To make sure PcdTpm2AcpiTableRev value be got, add Variable service as Depex.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Signed-off-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: jiewen Yao <jiewen.yao@intel.com>
2019-10-18 08:41:50 +08:00
Jiewen Yao a7e2d20193 SecurityPkg/Tcg2: Add Support Laml, Lasa for TPM2 ACPI.
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=978

Tcg2Dxe produces PcdTpm2AcpiTableLaml/Lasa for event log address.
Tcg2Smm consumes PcdTpm2AcpiTableLaml/Lasa to fill TPM2 ACPI table.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-10-11 10:06:51 +08:00
Jiewen Yao 1fca55285b SecurityPkg/dsc: Add PCD for Laml, Lasa for TPM2.
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=978

Those PCDs will be used for TPM2 ACPI table.
Tcg2Dxe need produce those for event log address.
Tcg2Smm need consume those to fill TPM2 ACPI table.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-10-11 10:06:51 +08:00
Laszlo Ersek fcf8bdcd53 SecurityPkg: stop abusing EFI_EVENT for protocol notify registration
EfiCreateProtocolNotifyEvent() takes a (VOID**) for "Registration",
similarly to gBS->RegisterProtocolNotify(). We should pass the address of
an actual pointer-to-VOID, and not the address of an EFI_EVENT. EFI_EVENT
just happens to be specified as (VOID*), and has nothing to do with the
registration.

This change is a no-op in practice; it's a semantic improvement.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2019-10-09 09:40:10 +02:00
Laszlo Ersek a629d5b9ef SecurityPkg: fix UninstallMultipleProtocolInterfaces() calls
Unlike the InstallMultipleProtocolInterfaces() boot service, which takes
an (EFI_HANDLE*) as first parameter, the
UninstallMultipleProtocolInterfaces() boot service takes an EFI_HANDLE as
first parameter.

These are actual bugs. They must have remained hidden until now because
they are all in Unload() functions, which are probably exercised
infrequently. Fix the UninstallMultipleProtocolInterfaces() calls.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2019-10-09 09:40:10 +02:00
Liming Gao 26fc074a5f SecurityPkg Tcg2Config: Move common definitions to new Tcg2Internal.h
Common definitions are not consumed by VFR. They are not required to be
defined in Tcg2ConfigNvData.h with WA way. New shared internal header
file is added to include those common definitions.

Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Signed-off-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2019-09-17 09:39:03 +08:00
Shenglei Zhang 49a2f8ceee SecurityPkg/SecurityPkg.dec: Update TcgPpVendorLib.h to Tcg2PpVendorLib.h
Tcg2PpVendorLib library class header should be
Include/Library/Tcg2PpVendorLib.h instead of
Include/Library/TcgPpVendorLib.h.
https://bugzilla.tianocore.org/show_bug.cgi?id=2146

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2019-09-17 09:37:23 +08:00
Jian J Wang f516a5144e SecurityPkg/SecurityPkg.uni: Add missing strings for new PCDs
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=2026

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Shenglei Zhang <shenglei.zhang@intel.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2019-08-16 09:53:24 +08:00
Shenglei Zhang e18d1c37e8 SecurityPkg/SecurityPkg.dec: Remove trailing white space
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-08-05 09:33:06 +08:00
Shenglei Zhang f32a49f10b SecurityPkg/FvReportPei: Change HashAlgoId to HashAlgId
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-08-02 14:19:13 +08:00
Imran Desai c027f68030 SecurityPkg: set SM3 bit in TPM 2.0 hash mask by default
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1781
GITHUB: https://github.com/idesai/edk2/tree/enable_sm3_measured_boot_v6

EDK2 Support for SM3 digest algorithm is needed to enable TPM with SM3 PCR
banks. This digest algorithm is part of the China Crypto algorithm suite.
This integration has dependency on the openssl_1_1_1b integration into
edk2.

This patch sets SM3 bit in TPM2.0 hash mask by default.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian Wang <jian.j.wang@intel.com>

Signed-off-by: Imran Desai <imran.desai@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Message-Id: <20190718225326.40839-4-imran.desai@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2019-07-19 14:31:59 +02:00
Imran Desai 7c1126d394 SecurityPkg/HashLibBaseCryptoRouter: recognize the SM3 digest algorithm
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1781
GITHUB: https://github.com/idesai/edk2/tree/enable_sm3_measured_boot_v6

EDK2 Support for SM3 digest algorithm is needed to enable TPM with SM3 PCR
banks. This digest algorithm is part of the China Crypto algorithm suite.
This integration has dependency on the openssl_1_1_1b integration into
edk2.

This patch adds SM3 as an available digest algorithm to crypto router.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian Wang <jian.j.wang@intel.com>

Signed-off-by: Imran Desai <imran.desai@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Message-Id: <20190718225326.40839-3-imran.desai@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2019-07-19 14:31:55 +02:00
Imran Desai edf6ef246d SecurityPkg: introduce the SM3 digest algorithm
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1781
GITHUB: https://github.com/idesai/edk2/tree/enable_sm3_measured_boot_v6

EDK2 Support for SM3 digest algorithm is needed to enable TPM with SM3 PCR
banks. This digest algorithm is part of the China Crypto algorithm suite.
This integration has dependency on the openssl_1_1_1b integration into
edk2.

This patch add SM3 algorithm in the hashinstance library.

Delta in v7:
1. Dropped 95a040cff from v6 to address https://edk2.groups.io/g/devel/topic/
32454898?p=,,,20,0,0,0::Created,,sm3,20,2,0,32454898,ct=1&ct=1
2. Relocated SM3 GUID definition from MdePkg to SecurityPkg in 9728b54f4

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian Wang <jian.j.wang@intel.com>

Signed-off-by: Imran Desai <imran.desai@intel.com>
Message-Id: <20190718225326.40839-2-imran.desai@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-07-19 14:31:52 +02:00
Laszlo Ersek a9faafb156 Revert "SecurityPkg: introduce the SM3 digest algorithm"
This reverts commit 06dd5863b6.

The reason is that said commit directly depends on commit 49c1e683c4
("MdePkg/Protocol/Hash: introduce GUID for SM3", 2019-07-03), and the
latter commit is going to be reverted, due to its review process not
having followed established edk2 norms.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Imran Desai <imran.desai@intel.com>
Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Leif Lindholm <leif.lindholm@linaro.org>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1781
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
2019-07-04 17:50:48 +02:00
Laszlo Ersek 29a1a6eff7 Revert "SecurityPkg/HashLibBaseCryptoRouter: recognize the SM3 digest algorithm"
This reverts commit 542d04e2a4.

The reason is that said commit indirectly depends on commit 49c1e683c4
("MdePkg/Protocol/Hash: introduce GUID for SM3", 2019-07-03), and the
latter commit is going to be reverted, due to its review process not
having followed established edk2 norms.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Imran Desai <imran.desai@intel.com>
Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Leif Lindholm <leif.lindholm@linaro.org>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1781
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
2019-07-04 17:50:46 +02:00
Laszlo Ersek 0d823bfd8d Revert "SecurityPkg: set SM3 bit in TPM 2.0 hash mask by default"
This reverts commit d5af8fc5a9.

The reason is that said commit indirectly depends on commit 49c1e683c4
("MdePkg/Protocol/Hash: introduce GUID for SM3", 2019-07-03), and the
latter commit is going to be reverted, due to its review process not
having followed established edk2 norms.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Imran Desai <imran.desai@intel.com>
Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Leif Lindholm <leif.lindholm@linaro.org>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1781
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
2019-07-04 17:50:44 +02:00
Imran Desai d5af8fc5a9 SecurityPkg: set SM3 bit in TPM 2.0 hash mask by default
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1781

EDK2 Support for SM3 digest algorithm is needed to enable TPM with SM3 PCR
banks. This digest algorithm is part of the China Crypto algorithm suite.
This integration has dependency on the openssl_1_1_1b integration into
edk2.
This patch sets SM3 bit in TPM2.0 hash mask by default.

Signed-off-by: Imran Desai <imran.desai@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian Wang <jian.j.wang@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: jiewen.yao@intel.com
2019-07-03 16:31:55 +08:00
Imran Desai 542d04e2a4 SecurityPkg/HashLibBaseCryptoRouter: recognize the SM3 digest algorithm
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1781

EDK2 Support for SM3 digest algorithm is needed to enable TPM with SM3 PCR
banks. This digest algorithm is part of the China Crypto algorithm suite.
This integration has dependency on the openssl_1_1_1b integration into
edk2.
This patch adds SM3 as an available digest algorithm to crypto router.

Signed-off-by: Imran Desai <imran.desai@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian Wang <jian.j.wang@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: jiewen.yao@intel.com
2019-07-03 16:31:55 +08:00
Imran Desai 06dd5863b6 SecurityPkg: introduce the SM3 digest algorithm
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1781

EDK2 Support for SM3 digest algorithm is needed to enable TPM with SM3 PCR
banks. This digest algorithm is part of the China Crypto algorithm suite.
This integration has dependency on the openssl_1_1_1b integration into
edk2.
This patch add SM3 algorithm in the hashinstance library.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian Wang <jian.j.wang@intel.com>
Signed-off-by: Imran Desai <imran.desai@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: jiewen.yao@intel.com
2019-07-03 16:31:54 +08:00
Shenglei Zhang b7cd36a224 SecurityPkg: Remove DxeDeferImageLoadLib in DSC
The current version will cause build fail because DxeDeferImageLoadLib
exists in DSC file but it was actually deleted. So it should be removed.
https://bugzilla.tianocore.org/show_bug.cgi?id=1919

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian Wang <jian.j.wang@intel.com>
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-07-01 14:24:18 +08:00
Shenglei Zhang d316662118 SecurityPkg/DxeDeferImageLoadLib: Remove DxeDeferImageLoadLib
The library DxeDeferImageLoadLib supports UID feature and it is conflicted
with the driver SecurityStubDxe (Defer3rdPartyImageLoad.c).
And the UID feature is dropped. So it should be removed from SecurityPkg.
https://bugzilla.tianocore.org/show_bug.cgi?id=1919

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian Wang <jian.j.wang@intel.com>
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-06-28 13:20:19 +08:00
Jian J Wang 8b6f0b5cd3 SecurityPkg: add FvReportPei.inf in dsc for build validation
https://bugzilla.tianocore.org/show_bug.cgi?id=1617

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: "Hernandez Beltran, Jorge" <jorge.hernandez.beltran@intel.com>
Cc: Harry Han <harry.han@intel.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2019-06-26 21:18:43 +08:00
Jian J Wang 3743e71a06 SecurityPkg/FvReportPei: implement a common FV verifier and reporter
https://bugzilla.tianocore.org/show_bug.cgi?id=1617

This driver implements a common checker, verifier and reporter which is
independent of hardware based root-of-trust.

Usually the hardware based root-of-trust will not verify all BIOS but
part of it. For example, Boot Guard will only verify IBB segment. The IBB
needs to verify other part of BIOS, i.e. other FVs to transfer control to
from IBB. This driver plays the role in IBB to verify FVs not covered by
hardware root-of-trust to make sure integrity of the chain of trust.

To be hardware/platform independent, PPI

  gEdkiiPeiFirmwareVolumeInfoStoredHashFvPpiGuid

is introduced for platform to pass digest information to this driver.
This PPI should include all information needed to verify required FVs in
required boot mode.

struct _EDKII_PEI_FIRMWARE_VOLUME_INFO_STORED_HASH_FV_PPI {
  FV_HASH_INFO            HashInfo;
  UINTN                   FvNumber;
  HASHED_FV_INFO          FvInfo[1];
};

To avoid TOCTOU issue, all FVs to be verified will be copied to memory
before hash calculation. That also means this driver has to be run after
permanent memory has been discovered.

For a measured boot, this driver will install

  gEdkiiPeiFirmwareVolumeInfoPrehashedFvPpiGuid

to report digest of each FV to TCG driver.

For a verified boot, this driver will verify the final hash value
(calculated from the concatenation of each FV's hash) for indicated
FVs against the hash got from platform/hardware.

If pass, it will build EFI_HOB_TYPE_FV (consumed by DXE core) and/or
install gEfiPeiFirmwareVolumeInfoPpiGuid (consumed by PEI core), and
then report status code PcdStatusCodeFvVerificationPass.

If fail, it just report status code PcdStatusCodeFvVerificationFail
and go to dead loop if status report returns.

The platform can register customized handler to process pass and fail
cases differently.

Currently, this driver only supports hash (sha256/384/512) verification
for the performance consideration.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: "Hernandez Beltran, Jorge" <jorge.hernandez.beltran@intel.com>
Cc: Harry Han <harry.han@intel.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2019-06-26 21:18:43 +08:00
Jian J Wang beda3f76af SecurityPkg: add definitions for OBB verification
https://bugzilla.tianocore.org/show_bug.cgi?id=1617

gEdkiiPeiFirmwareVolumeInfoStoredHashFvPpiGuid should be installed by
platform to pass FV hash information to the common FV verify/report
driver, in which the hash value will be calculated again based on the
information fed in and then verified.

The information passed in this PPI include:
  - FVs location in flash and length
  - Hash values for different boot mode

The hash value must be calculated in following way (if 3 FVs to calc):

  FV1 -> Hash1
  FV2 -> Hash2
  FV3 -> Hash3
  Hash1 + Hash2 + Hash3 -> HashAll

Only HashAll is stored in this PPI. The purposes for this algorithm
are two:

  1. To report each FV's hash to TCG driver and verify HashAll at the
     same time without the burden to calculate the hash twice;
  2. To save hash value storage due to potential hardware limitation

Different boot mode may have its own hash value so that each mode can
decide which FV will be verified. For example, for the sake of performance,
S3 may choose to skip some FVs verification and normal boot will verify
all FVs it concerns.

So in this PPI, each FV information has flag to indicate which boot mode
it will be taken into hash calculation.

And if multiple hash values passed in this PPI, each has a flag to indicate
which boot mode it's used for. Note one hash value supports more than one
boot modes if they're just the same.

PcdStatusCodeFvVerificationPass and PcdStatusCodeFvVerificationFail are
introduced to report status back to platform, and platform can choose how
to act upon verification success and failure.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: "Hernandez Beltran, Jorge" <jorge.hernandez.beltran@intel.com>
Cc: Harry Han <harry.han@intel.com>
Signed-off-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2019-06-26 21:18:43 +08:00
Bret Barkelew 2f3435c234 SecurityPkg: Add missing instances for build only
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1902

Add the missing instance to the [Components] of dsc file
for build only.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Michael Turner <Michael.Turner@microsoft.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
Cc: Leif Lindholm <leif.lindholm@linaro.org>
Signed-off-by: Zhichao gao <zhichao.gao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-06-26 16:35:45 +08:00
Chu, Maggie 9e2416ae2e SecurityPkg/HddPassword: Add a PCD to skip Hdd password prompt
https://bugzilla.tianocore.org/show_bug.cgi?id=1876
Add a PCD for skipping Hdd password prompt.
If device is in the locked status while attempting to skip
password prompt, device will keep locked and system
continue to boot.
If device is in the unlocked status while attempting to skip
password prompt, system will be forced shutdown.

Signed-off-by: Maggie Chu <maggie.chu@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
2019-06-12 09:12:05 +08:00
Chu, Maggie 6cbed0e36f SecurityPkg/OpalPassword: Add PCD to skip password prompt
https://bugzilla.tianocore.org/show_bug.cgi?id=1801
Add a PCD for skipping password prompt in device unlocked status.
Previous change only support if storage device is in locked status.
This change is added to support the case that security status of the
storage device is unlocked.

Signed-off-by: Maggie Chu <maggie.chu@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
2019-06-10 14:16:07 +08:00
Zhichao Gao e90ea9470a SecurityPkg/AuthSeriableLib: Always delete variable in certdb
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1783

While cleaning the certdb, always delete the variable data in
the certdb regardless of its attribute.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2019-05-15 13:00:37 +08:00
Joe Richey 4000f249ba SecurityPkg: Remove double \r
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Jian Wang <jian.j.wang@intel.com>
Signed-off-by: Joe Richey <joerichey@google.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by : Chao Zhang <chao.b.zhang@intel.com>
2019-05-15 12:57:20 +08:00
Eric Dong 46e696088a SecurityPkg/OpalPassword: Fix "Enable Feature" Menu disappear issue
https://bugzilla.tianocore.org/show_bug.cgi?id=1782

After change behavior to send BlockSid command at EndOfDxe point,
check device ownership command will return un-authority error, it
finally caused opal driver can't show "Enable Feature" menu.

Update the code logic to send detect device ownership command
before send BlockSID command.

Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Hao A Wu <hao.a.wu@intel.com>
2019-05-09 14:32:52 +08:00
Eric Dong 539a6c9318 SecurityPkg/OpalPassword: Change send BlockSID policy
https://bugzilla.tianocore.org/show_bug.cgi?id=1782

Change Send BlockSID command time from ReadyToBoot to
EndOfDxe.

Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Hao A Wu <hao.a.wu@intel.com>
2019-05-09 14:32:49 +08:00
Eric Dong e0972cfc7d SecurityPkg/SecurityPkg.dec: Change BlockSID default policy
https://bugzilla.tianocore.org/show_bug.cgi?id=1782

Change BlockSID default policy, default enable BlockSid.

Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Hao A Wu <hao.a.wu@intel.com>
2019-05-09 14:32:46 +08:00
Chu, Maggie f5245a1db1 SecurityPkg/OpalPassword: Add warning message for Secure Erase
https://bugzilla.tianocore.org/show_bug.cgi?id=1753
Add pop-up warning messages before secure erase action.
In order to notify user the secure erase action will take a longer time.
This change also fix some pop-up windows are unable to show up
complete message due to some strings are too long.

Signed-off-by: Maggie Chu <maggie.chu@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
2019-05-08 09:17:36 +08:00
Zhichao Gao 930fcd9f3a SecurityPkg/Tcg2Dxe: Change comments of ShutdownTpmOnReset
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1460

Refer to Uefi spec 2.8, the ResetData is valid while ResetStatus
is EFI_SUCCESS regardless of the ResetType is EfiResetPlatformSpecific
or not.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Cc: Michael Turner <Michael.Turner@microsoft.com>
Cc: Bret Barkelew <Bret.Barkelew@microsoft.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2019-04-28 09:40:13 +08:00
Michael D Kinney 289b714b77 SecurityPkg: Replace BSD License with BSD+Patent License
https://bugzilla.tianocore.org/show_bug.cgi?id=1373

Replace BSD 2-Clause License with BSD+Patent License.  This change is
based on the following emails:

  https://lists.01.org/pipermail/edk2-devel/2019-February/036260.html
  https://lists.01.org/pipermail/edk2-devel/2018-October/030385.html

RFCs with detailed process for the license change:

  V3: https://lists.01.org/pipermail/edk2-devel/2019-March/038116.html
  V2: https://lists.01.org/pipermail/edk2-devel/2019-March/037669.html
  V1: https://lists.01.org/pipermail/edk2-devel/2019-March/037500.html

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-04-09 10:58:23 -07:00
Eric Dong f4c5200926 SecurityPkg/OpalPassword: Fix incorrect line ending issue.
Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2019-03-22 10:05:59 +08:00
Shenglei Zhang 6ef95e4da7 SecurityPkg/SecurityPkg.uni: Add the prompt and help information
The prompt and help information are missing in SecurityPkg.uni.
https://bugzilla.tianocore.org/show_bug.cgi?id=1600

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
2019-03-19 15:22:01 +08:00
Dandan Bi c8eada5ca0 SecurityPkg: Remove duplicated BSD license
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1612

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jian Wang <jian.j.wang@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Liming Gao <liming.gao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2019-03-12 23:08:17 -07:00
Hao Wu e8959f8100 SecurityPkg/HddPassword: Add Security feature set support for ATA dev
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1529

This commit will add the 'Security feature set' support for ATA devices.

According to the AT Attachment 8 - ATA/ATAPI Command Set (ATA8-ACS)
specification, the Security feature set is an optional feature. In
summary, the feature is a password system that restricts access to user
data stored on an ATA device. A more detailed introduction of this feature
can be referred from the ATA8-ACS spec.

The HddPassword driver is composed of 2 parts:
* A DXE driver and
* A PEI driver

The DXE driver consumes EFI_ATA_PASS_THRU_PROTOCOL instances and installs
an HII GUI to manage the devices. If the managing device supports Security
feature set, the HII page will provide the user with the ability to
set/update/disable the password for this device. Also, if a password is
being set via the Security feature set, a popup window will show during
boot requesting the user to input password.

Another feature supported by this driver is that for those managing
devices with password set, they will be automatically unlocked during the
S3 resume. This is done by the co-work of the DXE driver and the PEI
driver:

The DXE driver will save the password and the identification information
for these devices into a LockBox, which is only allowed to restore during
S3 resume.

The PEI driver, during S3 resume, will restore the content in the LockBox
and will consume EDKII_PEI_ATA_PASS_THRU_PPI instances to unlock devices.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Ray Ni <ray.ni@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
2019-02-22 08:20:08 +08:00
Hao Wu a3efbc29c4 SecurityPkg/OpalPassword: Remove HW init codes and consume SSC PPI
REF:https://bugzilla.tianocore.org/show_bug.cgi?id=1409

For the current implementation of OpalPassword drivers, it has a feature
to support devices being automatically unlocked in the S3 resume. For this
feature, two types of devices are supported:

* ATA hard disks working under AHCI mode
* NVM Express devices

The support of this feature requires the above 2 types of device to be
initialized at the PEI phase during S3 resume, which is done by the
co-work of the OpalPasswordDxe driver and the OpalPasswordPei driver.

More specifically, the OpalPasswordDxe will handle:

* Pre-allocate MMIO resource and save it in a driver internal LockBox for
  OpalPasswordPei to retrieve;
* Save the PCI configuration space of ATA controllers into boot script.

Meanwhile, the OpalPasswordPei will handle:

* Rely on the boot script for the PCI configuration space program of ATA
  controllers;
* Restore the driver internal LockBox to get the MMIO resource;
* Complete the PCI configuration space program for ATA and NVME
  controllers;
* Initialize ATA and NVME controllers and devices.

This commit will remove these hardware initialization related codes from
the OpalPassword drivers. The hardware initialization will be covered by
PEI storage device drivers (e.g. NvmExpressPei & AhciPei in the
MdeModulePkg).

After such codes removal, the OpalPasswordDxe will only handle:

* Construct/update the S3StorageDeviceInitList LockBox with the managing
  ATA and NVME devices.

And the OpalPasswordPei will only handle:

* Locate Storage Security Command PPI instances to perform the device
  automatic unlock during the S3 resume.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Ray Ni <ray.ni@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
2019-02-22 08:20:08 +08:00
Gonzalez Del Cueto, Rodrigo b49758c112 SecurityPkg/TcgConfigDxe: Allow enabling TPM 1.2 device from disabled state.
BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1511

Currently the TCG config setup form defaults the physical presence action to
PHYSICAL_PRESENCE_ENABLE, this prevents the action from being called. When a TPM
1.2 device is in Disabled and Activated state it is not possible to issue the
PHYSICAL_PRESENCE_ENABLE using the menu action.

By having the form default to PHYSICAL_PRESENCE_NO_ACTION, the user is now able
to select PHYSICAL_PRESENCE_ENABLE and toggle the TPM 1.2 device enable state.

Contributed-under: TianoCore Contribution Agreement 1.1

Signed-off-by: Rodrigo Gonzalez del Cueto <rodrigo.gonzalez.del.cueto@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2019-02-20 21:44:14 +08:00
Eric Dong d72d8561fb SecurityPkg/OpalPassword: Add NULL pointer check before using it
https://bugzilla.tianocore.org/show_bug.cgi?id=1503
A pointer variable should be checked if it is NULL or Valid before
using it.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Maggie Chu <maggie.chu@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
2019-02-14 14:53:14 +08:00
Eric Dong 315873959e SecurityPkg/OpalPassword: Update strings on Opal Setup page
https://bugzilla.tianocore.org/show_bug.cgi?id=1506
Updated some descriptions on SETUP page to avoid user confusion.
Currently it shows "1.0 UEFI Opal Driver", however it may be mislead user to think
it is only for Opal drive but not for Pyrite drive.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Maggie Chu <maggie.chu@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
2019-02-14 13:37:27 +08:00
Leif Lindholm 2f0a1e6542 SecurityPkg: fix package build on ARM
The CompilerIntrinsicsLib and BaseStackCheckLib need to be included in
order for an ARM build of the package .dsc to succeed - so add them.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Leif Lindholm <leif.lindholm@linaro.org>
Reviewed-by: jiewen.yao@intel.com
2019-02-04 17:09:14 +00:00
Bret Barkelew 5f3b0250d0 SecurityPkg/Tcg: Fix typos in TcgDxe.c and Tcg2Dxe.c
Change EFI_RETURNING_FROM_EFI_APPLICATOIN to
EFI_RETURNING_FROM_EFI_APPLICATION.
https://bugzilla.tianocore.org/show_bug.cgi?id=1368

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Shenglei Zhang <shenglei.zhang@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2019-01-31 20:19:10 +08:00
Chu, Maggie 8a9301cdd7 SecurityPkg: Add a PCD to skip Opal password prompt
https://bugzilla.tianocore.org/show_bug.cgi?id=1484
Add a PCD for skipping password prompt and device unlock flow.
so that other pre-OS applications are able to take over Opal
devices unlock flow.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Maggie Chu <maggie.chu@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
2019-01-31 10:49:16 +08:00
Zhang, Chao B b909b8b91d SecurityPkg/TCG: Upgrade UEFI supporting TCG spec info
Update "TCG ACPI Specification Level 00 Revision 00.37" to "TCG ACPI Specification 1.2 Revision 8"
https://trustedcomputinggroup.org/wp-content/uploads/TCG_ACPIGeneralSpecification_v1.20_r8.pdf

Upgrade TCG PC Client Platform Physical Presence Interface Specification Version 1.3 Revision 0.52" to Errata Version 0.4
https://trustedcomputinggroup.org/wp-content/uploads/Errata-Version-0.4-for-TCG-PC-Client-Platform-Physical-Presence-Interface-Version-1.30-Revision-0.52.pdf

Upgrade "TCG EFI Protocol Specification for Family 2.0 Level 00" to Errata 0.5
https://trustedcomputinggroup.org/wp-content/uploads/EFI-Protocol-Specification-Errata-v.5.pdf

Contributed-under: TianoCore Contribution Agreement 1.1
Cc: Yao Jiewen <jiewen.yao@intel.com>
Signed-off-by: Zhang, Chao B <chao.b.zhang@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
2019-01-28 22:47:41 +08:00
Ard Biesheuvel c5386c7898 SecurityPkg/PlatformSecureLibNull: permit use by MM_STANDALONE modules
Add MM_STANDALONE to the list of module types that are permitted to
link to this library. Also, since the constructor prototype is
different between MM_STANDALONE and DXE_DRIVER type libraries,
convert the library into BASE type.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2019-01-21 13:42:49 +01:00
Chen A Chen 514c55c185 SecurityPkg: Remove code under UserIdentification folder.
BZ:https://bugzilla.tianocore.org/show_bug.cgi?id=1427

1. UserIdentifyManagerDxe is used to provide UserManagerProtocol.
2. UserProfileManagerDxe provides UI setting
3. PwdCredentialProviderDxe & UsbCredentialProviderDxe are implementation
   examples.

Remove above features because of no platform use it.

Cc: Zhang Chao B <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chen A Chen <chen.a.chen@intel.com>
Reviewed-by: Zhang Chao B <chao.b.zhang@intel.com>
2019-01-14 08:55:35 +08:00
Chu, Maggie 4ec00f82ed SecurityPkg: Incorrect warning message for Opal admin revert action
https://bugzilla.tianocore.org/show_bug.cgi?id=1421
"revert action will take long time..." warning should be removed
from pop up message when keep user data selected.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Maggie Chu <maggie.chu@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
2019-01-08 09:53:21 +08:00
Jagadeesh Ujja 38f3c1b0d2 SecurityPkg/AuthVariableLib: allow MM_STANDALONE drivers to use this library
AuthVariableLib library can be used by MM_STANDALONE drivers as well.
So add MM_STANDALONE to the list of module types this library supports.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jagadeesh Ujja <jagadeesh.ujja@arm.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2019-01-04 11:38:05 +01:00
Zhang, Chao B 39699d078c SecurityPkg/Tcg: Fix Warnings and Remarks reported by IASL
Addressed warnings and remarks reported by IASL.EXE. Some methods had
unused arguments. A method was returning a value when it should not.

Cc: Zhang Chao B <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Thomas Rydman <thomas.j.rydman@intel.com>
Reviewed-by: Zhang Chao B <chao.b.zhang@intel.com>
2019-01-03 23:05:41 +08:00
Star Zeng aa8c6e2ad3 SecurityPkg Tcg(2)Pei: Remove the using of PcdPeiCoreMaxFvSupported
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1405

Background as below.

Problem:
As static configuration from the PCDs, the binary PeiCore (for example
in FSP binary with dispatch mode) could not predict how many FVs,
Files or PPIs for different platforms.

Burden:
Platform developers need configure the PCDs accordingly for different
platforms.

To solve the problem and remove the burden, we can update PeiCore to
remove the using of PcdPeiCoreMaxFvSupported, PcdPeiCoreMaxPeimPerFv
and PcdPeiCoreMaxPpiSupported by extending buffer dynamically for FV,
File and PPI management.

This patch removes the using of PcdPeiCoreMaxFvSupported in Tcg(2)Pei.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2018-12-19 12:33:28 +08:00
Chen A Chen f4c8c1bbf1 SecurityPkg: Remove dead code and inf redundant definitions.
Fix BZ1065, https://bugzilla.tianocore.org/show_bug.cgi?id=1065.
Remove dead code and inf redundant definitions from SecurityPkg.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chen A Chen <chen.a.chen@intel.com>
Cc: Zhang Chao B <chao.b.zhang@intel.com>
Reviewed-by: Zhang Chao B <chao.b.zhang@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
2018-12-10 15:56:32 +08:00
Zhang, Chao B 3cc9af5ce3 SecurityPkg: Update TCG PFP spec revision.
UEFI TCG has aligned with TCG PFP 1.03 v51 along with Errata Version 1.0.
Update spec version accordingly.
Spec Link:
https://trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v51.pdf
https://trustedcomputinggroup.org/wp-content/uploads/PC-Client-Specific-Platform-Firmware-Profile-for-TPM-2-0-v1p03_r51-errata-v1p0_170426.pdf

Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Zhang, Chao B <chao.b.zhang@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
2018-11-21 10:06:36 +08:00
Eric Dong d2aefa0adf SecurityPkg/Include/Library/TcgStorageOpalLib.h: Update Pyrite spec revision.
Pyrite 2.0 spec has been published, update the spec link info for this file.

Cc: Hao Wu <hao.a.wu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Hao Wu <hao.a.wu@intel.com>
2018-10-26 09:44:47 +08:00
shenglei 83c10d2e8c SecurityPkg/Tcg2Dxe: Remove unused PCDs
The PCDs below are unused, so they have been removed from inf.
gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress
gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiDefaultOemId
gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiDefaultOemTableId
gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiDefaultOemRevision
gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiDefaultCreatorId
gEfiMdeModulePkgTokenSpaceGuid.PcdAcpiDefaultCreatorRevision

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: shenglei <shenglei.zhang@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2018-09-30 07:39:01 +08:00
shenglei 3e11c27f67 SecurityPkg/Tcg2ConfigPei: Remove an unused PCD
The PCD below is unused, so it has been removed from inf.
gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: shenglei <shenglei.zhang@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2018-09-30 07:39:01 +08:00
Eric Dong a8beaf8f90 SecurityPkg/TcgStorageOpalLib: Fixed correct user password not works issue.
After admin password reach the TryLimit value, code logic will direct return
error password result no matter which password been inputted. So even correct
user password will return TryLimit error.

Now update code logic to also check user password. Only when both user/admin
password reach the TryLimit count, code will return exceed TryLimit error.

Change-Id: I17fbd1425b77150eb933a5002a1f87a0f0032e9b
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Hao Wu <hao.a.wu@intel.com>
2018-09-21 14:42:53 +08:00
Ard Biesheuvel f199664ce7 SecurityPkg: remove PE/COFF header workaround for ELILO on IPF
Now that Itanium support has been dropped, we can remove the various
occurrences of the ELILO on Itanium PE/COFF header workaround.

Link: https://bugzilla.tianocore.org/show_bug.cgi?id=816
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
Reviewed-by: Zhang Chao B <chao.b.zhang@intel.com>
2018-09-20 22:01:50 +08:00
Zhang, Chao B 3a34753312 SecurityPkg: HashLib: Change dos format
Change file format to DOS

Cc: Bi Dandan <dandan.bi@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Zhang Chao B <chao.b.zhang@intel.com>
Reviewed-by: Bi Dandan <dandan.bi@intel.com>
2018-09-10 09:43:15 +08:00
Laszlo Ersek 1bf5007428 SecurityPkg/SecureBootConfigDxe: replace OpenFileByDevicePath() with UefiLib API
Replace the OpenFileByDevicePath() function with EfiOpenFileByDevicePath()
from UefiLib, correcting the following issues:

- imprecise comments on OpenFileByDevicePath(),
- code duplication between this module and other modules,
- local variable name "EfiSimpleFileSystemProtocol" starting with "Efi"
  prefix,
- bogus "FileHandle = NULL" assignments,
- leaking "Handle1" when the device path type/subtype check or the
  realignment-motivated AllocateCopyPool() fails in the loop,
- stale SHELL_FILE_HANDLE reference in a comment.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Roman Bacik <roman.bacik@broadcom.com>
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1008
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Jaben Carsey <jaben.carsey@intel.com>
2018-08-16 20:02:50 +02:00
Eric Dong 0ca81c0d37 SecurityPkg/TcgStorageCoreLib.h: Use ascii instead of unicode.
_FILE_ parameter is an ASCII string. Current implementation used
as unicode string instead of ascii string. This patch fixed this
issue.

BZ: https://bugzilla.tianocore.org/show_bug.cgi?id=1081

Cc: Hao Wu <hao.a.wu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed_off_by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Hao Wu <hao.a.wu@intel.com>
2018-08-16 08:41:59 +08:00
Zhang, Chao B b3e1e343fe SecurityPkg: HashLib: Update HashLib file GUID
2 file GUIDs conflict with existing SHA256 Lib. Update them.

Cc: Long Qin <qin.long@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Zhang, Chao B <chao.b.zhang@intel.com>
Reviewed-by: Long, Qin <qin.long@intel.com>
2018-08-10 09:05:27 +08:00
Marc-André Lureau 3781f14c31 SecurityPkg/Library/Tpm2DeviceLibDTpm: fix s/Constructor/CONSTRUCTOR
The library constructor is not being called because of the typo,
causing TPM2 detection/initialization to fail.

This fixes OVMF TPM2 regression since commit f15cb995bb.
https://bugzilla.tianocore.org/show_bug.cgi?id=1075

Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Zhang Chao B <chao.b.zhang@intel.com>
Cc: Long Qin <qin.long@intel.com>
Fixes: f15cb995bb
Contributed-under: TianoCore Contribution Agreement 1.1
Reported-by: Ricardo Araújo <ricardo@lsd.ufcg.edu.br>
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2018-08-09 19:13:32 +02:00
Zhang, Chao B 69e259e5e9 SecurityPkg:DSC: Fix 2 DSC build error
Error is caused by SHA384/SHA512 hash lib change in.

Cc: Bi Dandan <dandan.bi@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1

Signed-off-by: Zhang, Chao B <chao.b.zhang@intel.com>
Reviewed-by: Bi Dandan <dandan.bi@intel.com>
2018-07-28 13:49:13 +08:00
Zhang, Chao B 8d7aef3d1e SecurityPkg: HashLib: Add SHA384, SHA512 HashLib
Add SHA384, 512 Hash lib support. Now only CryptoPkg support PEI/DXE
version.

Cc: Long Qin <qin.long@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Zhang Chao B <chao.b.zhang@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
2018-07-27 17:58:38 +08:00
Dandan Bi d9c5beb159 SecurityPkg/Tcg: Add use case for new Perf macro
Add an example case for the usage of
PERF_CALLBACK_BEGIN/PERF_CALLBACK_END

Cc: Liming Gao <liming.gao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Chao Zhang<chao.b.zhang@intel.com>
2018-07-26 13:37:59 +08:00
Zhang, Chao B d9e206d4bf MdeModulePkg: TpmMeasureLib: Re-prioritize TCG/TCG2 protocol
TPM1.2 is obsoleted by TPM2.0. switch TCG/TCG2 protocol check to apply this
trend

Cc: Long, Qin <qin.long@intel.com>
Cc: Yao, Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Zhang, Chao B <chao.b.zhang@intel.com>
Reviewed-by: Yao, Jiewen <jiewen.yao@intel.com>
2018-07-23 08:36:12 +08:00
Zhang, Chao B 831bb137a8 SecurityPkg: TcgSmm: Handle invalid parameter in MOR SMI handler
Add more logic to filter invalid function parameter in MOR Control SMI handler

Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
2018-07-21 09:46:49 +08:00
Zhang, Chao B 60ee3bd8db SecurityPkg:Tcg: Fix comment typos
"Triggle" is a typo. Replace it with "Trigger"

Cc: Long Qin <qin.long@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
2018-07-17 07:47:04 +08:00
Roman Bacik 79b10d4ce4 SecurityPkg: Fix assert when setting key from eMMC/SD/USB
When secure boot is enabled, if one loads keys from a FAT formatted
eMMC/SD/USB when trying to provision PK/KEK/DB keys via the menu,
an assert in StrLen() occurs.
This is because the filename starts on odd address, which is not a uint16
aligned boundary: https://bugzilla.tianocore.org/show_bug.cgi?id=1003

There are further known issues with the OpenFileByDevicePath() function;
those are tracked by
<https://bugzilla.tianocore.org/show_bug.cgi?id=1008>.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Vladimir Olovyannikov <vladimir.olovyannikov@broadcom.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Roman Bacik <roman.bacik@broadcom.com>
Reviewed-by: "Yao, Jiewen" <jiewen.yao@intel.com>
[lersek@redhat.com: whitespace fixes]
[lersek@redhat.com: reference TianoCore BZ#1008]
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2018-07-12 23:33:56 +02:00
Eric Dong e4e314b1b6 SecurityPkg/OpalPassword: Fixed input correct password not works issue
When user input error password exceed the max allowed times, opal device
will return Invalid type error code even user input the correct password.
In this case, opal driver needs to force user shutdown the system before
let user input new password.

Cc: Hao Wu <hao.a.wu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Hao Wu <hao.a.wu@intel.com>
2018-07-11 11:16:06 +08:00
Eric Dong 54ae532cd4 SecurityPkg/TcgStorageOpalLib: Return AUTHORITY_LOCKED_OUT error.
Caller need to known this error to handle specially, but current
error status not has specified value for this type. In order to
keep compatibility, here use TcgResultFailureInvalidType as an
replacement.

Cc: Hao Wu <hao.a.wu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Hao Wu <hao.a.wu@intel.com>
2018-07-11 11:12:20 +08:00
chenc2 4cecd19a44 SecurityPkg: Removing ipf which is no longer supported from edk2.
Removing rules for Ipf sources file:
* Remove the source file which path with "ipf" and also listed in
  [Sources.IPF] section of INF file.
* Remove the source file which listed in [Components.IPF] section
  of DSC file and not listed in any other [Components] section.
* Remove the embedded Ipf code for MDE_CPU_IPF.

Removing rules for Inf file:
* Remove IPF from VALID_ARCHITECTURES comments.
* Remove DXE_SAL_DRIVER from LIBRARY_CLASS in [Defines] section.
* Remove the INF which only listed in [Components.IPF] section in DSC.
* Remove statements from [BuildOptions] that provide IPF specific flags.
* Remove any IPF sepcific sections.

Removing rules for Dec file:
* Remove [Includes.IPF] section from Dec.

Removing rules for Dsc file:
* Remove IPF from SUPPORTED_ARCHITECTURES in [Defines] section of DSC.
* Remove any IPF specific sections.
* Remove statements from [BuildOptions] that provide IPF specific flags.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chen A Chen <chen.a.chen@intel.com>
Reviewed-by: Chao B Zhang <chao.b.zhang@intel.com>
2018-06-29 16:19:48 +08:00
Liming Gao b3548d32dd SecurityPkg: Clean up source files
1. Do not use tab characters
2. No trailing white space in one line
3. All files must end with CRLF

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Liming Gao <liming.gao@intel.com>
2018-06-28 11:19:50 +08:00
Liming Gao 975478f6bb SecurityPkg Tpm2DeviceLibDTpm: Update enum type name to match the one in lib
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2018-06-27 22:54:07 +08:00
Zhang, Chao B 631976706d SecurityPkg: Tpm2DeviceLib: Enable CapCRBIdleBypass support
Directly transition from CMD completion to CMD Ready state if device
supports IdleByPass

Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
2018-06-27 09:31:01 +08:00
Bi, Dandan e1dea56be3 SecurityPkg: Use new added Perf macros
Replace old Perf macros with the new added ones.

Cc: Liming Gao <liming.gao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2018-06-26 15:37:02 +08:00
Zhang, Chao B f15cb995bb SecurityPkg: Cache TPM interface type info
Cache TPM interface type info to avoid excessive interface ID register read

Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
2018-06-25 10:55:08 +08:00
Nickle Wang 488aab257f SecurityPkg/SecureBootConfigDxe: Fix invalid NV data issue.
Check the return value of HiiGetBrowserData() before calling HiiSetBrowserData().
HiiGetBrowserData() failed to retrieve NV data during action EFI_BROWSER_ACTION_RETRIEVE.
If NV data is invalid, stop sending it to form browser.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Nickle Wang <nickle.wang@hpe.com>
Signed-off-by: cinnamon shia <cinnamon.shia@hpe.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2018-06-15 23:30:35 +08:00
Zhang, Chao B 6c7ac681f4 SecurityPkg/Tcg2Smm: Correct function parameter attribute
Correct UpdatePossibleResource parameter attribute to align to comment

Change-Id: Id8f8be975f0e8666573decc3fbaaf326b7767ba8
Contributed-under: TianoCore Contribution Agreement 1.1
Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
Signed-off-by: Zhang, Chao B <chao.b.zhang@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
2018-05-29 13:37:33 +08:00
Eric Dong 4b8552d794 SecurityPkg/TcgStorage*Lib.h: Fix ECC reported issues.
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Dandan Bi <dandan.bi@intel.com>
2018-05-24 10:48:32 +08:00
Zhang, Chao B 1ea08a3dcd SecurityPkg:Tcg2Smm: Update TcgNvs info after memory is allocated
Update package format info in _PRS to TcgNvs after memory is allocated.

Change-Id: Icfadb350e60d3ed2df332e92c257ce13309c0018
Contributed-under: TianoCore Contribution Agreement 1.1
Cc: Yao Jiewen <jiewen.yao@intel.com>
Cc: Long Qin <qin.long@intel.com>
Signed-off-by: Zhang, Chao B <chao.b.zhang@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
2018-05-22 08:48:56 +08:00
Eric Dong 4b8067392d SecurityPkg/TcgSTorage*Lib.h: Add referenced spec information.
Add link and version info for the referenced spec.

Cc: Jiewen yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Hao Wu <hao.a.wu@intel.com>
2018-05-17 14:14:50 +08:00
Eric Dong 63c76537c6 SecurityPkg/OpalPassword: Fix PSID revert no hint message.
For no warning message when do the PSID revert action, the
message in the popup dialog is not enough. The error use
of NULL for CreatePopUp function caused this regression.
This change fixed it.

Passed Unit Test:
1. Check PSID revert with/without warning message cases.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Hao Wu <hao.a.wu@intel.com>
2018-05-15 08:24:35 +08:00
Eric Dong 5a1d521dee SecurityPkg/TcgStorageOpalLib: Fix GCC build failure.
Function definition different with function implementation
caused this build failure. Change code to make them
consistent to pass the build.

Done Unit Test:
1. Pass GCC build.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Hao Wu <hao.a.wu@intel.com>
2018-05-15 08:24:26 +08:00
Eric Dong 40d32e7942 SecurityPkg/OpalPassword: Add support for pyrite 2.0 devices.
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Hao Wu <hao.a.wu@intel.com>
2018-05-07 15:03:24 +08:00
Eric Dong a3068f06e6 SecurityPkg/TcgStorageOpalLib: Add supports for pyrite 2.0 spec.
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Hao Wu <hao.a.wu@intel.com>
2018-05-07 15:03:24 +08:00
Thomas Palmer 3ff82ee5fc SecurityPkg/UserProfileManagerDxe: Update RouteConfig function
According to UEFI spec, the RouteConfig protocol function should populate
the Progress pointer with an address inside Configuration.  This patch
ensures that these functions are compliant when EFI_NOT_FOUND is returned.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Thomas Palmer <thomas.palmer@hpe.com>
Reviewed-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
2018-05-03 10:50:00 +08:00
Thomas Palmer 546603d39d SecurityPkg/UserIdentifyManagerDxe: Update RouteConfig function
According to UEFI spec, the RouteConfig protocol function should populate
the Progress pointer with an address inside Configuration.  This patch
ensures that these functions are compliant when EFI_NOT_FOUND is returned.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Thomas Palmer <thomas.palmer@hpe.com>
Reviewed-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
2018-05-03 10:49:58 +08:00
Thomas Palmer b59ac35e7a SecurityPkg/PwdCredentialProviderDxe: Update RouteConfig function
According to UEFI spec, the RouteConfig protocol function should populate
the Progress pointer with an address inside Configuration.  This patch
ensures that these functions are compliant when EFI_NOT_FOUND is returned.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Thomas Palmer <thomas.palmer@hpe.com>
Reviewed-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
2018-05-03 10:49:55 +08:00
Thomas Palmer efa5343a23 SecurityPkg/Tcg2Config: Update RouteConfig function
According to UEFI spec, the RouteConfig protocol function should populate
the Progress pointer with an address inside Configuration.  This patch
ensures that these functions are compliant when EFI_NOT_FOUND is returned.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Thomas Palmer <thomas.palmer@hpe.com>
Reviewed-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
2018-05-03 10:49:49 +08:00
Star Zeng d4ccf26491 SecurityPkg FmpAuthenticationLibRsa2048Sha256: Remove PCD reference
PcdRsa2048Sha256PublicKeyBuffer is referenced but not used in the
library, that makes me a little confusing.
Actually, the PublicKeyData should be from the caller of
AuthenticateFmpImage() as input parameter, for example
EdkiiSystemCapsuleLib.

This patch is to remove the PCD reference in this library instance
to be aligned with FmpAuthenticationLibPkcs7 that does not reference
PcdPkcs7CertBuffer.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2018-04-20 14:28:48 +08:00
Zhang, Chao B 28892d768b SecurityPkg Tpm12CommandLib: Fix TPM12 GetCapability response error
TPM12 command lib doesn't convert Response Size before using. Add logic
to fix the issue.

Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
2018-03-21 16:43:35 +08:00
Zhang, Chao B dd577319e8 SecurityPkg Tpm2CommandLib: Fix TPM2.0 response memory overflow
TPM2.0 command lib always assumes TPM device and transmission channel can
respond correctly. But it is not true when communication channel is exploited
and wrong data is spoofed. Add more logic to prohibit memory overflow attack.

Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
2018-03-21 16:43:34 +08:00
Star Zeng aa0857304e SecurityPkg OpalPasswordDxe:Fix wrong BufferSize input to UnicodeSPrint
Current code uses string length as BufferSize input to UnicodeSPrint,
it is wrong and makes the pop up string trimmed. The BufferSize input
to UnicodeSPrint should be the size, in bytes, of the output buffer.

This is to use sizeof (mPopUpString) as the BufferSize input to
UnicodeSPrint, it also updates array size of mPopUpString from 256 to
100 that is enough, otherwise the pop up string may be too long.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2018-03-17 15:49:01 +08:00
Star Zeng e3df050e51 SecurityPkg OpalPasswordPei: Go next when AhciModeInitialize is failed
Go to next loop instead of going to unlock OPAL password when
AhciModeInitialize is failed.

It is just error handling.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2018-03-17 15:48:55 +08:00
Star Zeng 849c684b86 SecurityPkg OpalPasswordDxe: Move OPAL request variable definition
Move OPAL request variable definition from OpalHiiFormValues.h to
OpalHii.h.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2018-03-17 15:48:54 +08:00
Star Zeng fbe1328a51 SecurityPkg OpalPasswordDxe: Return directly if no any device
Return directly if no any device in EndOfDxe notification.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2018-03-17 15:41:03 +08:00
Jiewen Yao 89b1612fcf SecurityPkg/dec: remove TrEE.
TrEE is deprecated. We need use Tcg2.

Cc: Chao B Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Chao B Zhang <chao.b.zhang@intel.com>
2018-03-16 14:19:54 +08:00
Jiewen Yao f5a343f5ef SecurityPkg/include: remove TrEE.
TrEE is deprecated. We need use Tcg2.

Cc: Chao B Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Chao B Zhang <chao.b.zhang@intel.com>
2018-03-16 14:19:53 +08:00
Jiewen Yao 8afbd22eea SecurityPkg/TrEEVendorLib: remove TrEE.
TrEE is deprecated. We need use Tcg2.

Cc: Chao B Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Chao B Zhang <chao.b.zhang@intel.com>
2018-03-16 14:19:52 +08:00
Jiewen Yao a35ecb70b1 SecurityPkg/TrEEPhysicalPresenceLib: remove TrEE.
TrEE is deprecated. We need use Tcg2.

Cc: Chao B Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Chao B Zhang <chao.b.zhang@intel.com>
2018-03-16 14:19:51 +08:00
Jiewen Yao 64047cb68c SecurityPkg/Tpm2DeviceLibTrEE: remove TrEE.
TrEE is deprecated. We need use Tcg2.

Cc: Chao B Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Chao B Zhang <chao.b.zhang@intel.com>
2018-03-16 14:19:50 +08:00
Jiewen Yao a5baa7b914 SecurityPkg/TrEEConfig: remove TrEE.
TrEE is deprecated. We need use Tcg2.

Cc: Chao B Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Chao B Zhang <chao.b.zhang@intel.com>
2018-03-16 14:19:50 +08:00
Jiewen Yao e1b3759079 SecurityPkg/TrEEPei: remove TrEE.
TrEE is deprecated. We need use Tcg2.

Cc: Chao B Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Chao B Zhang <chao.b.zhang@intel.com>
2018-03-16 14:19:49 +08:00
Jiewen Yao 9aeebd913e SecurityPkg/TrEEDxe: remove TrEE.
TrEE is deprecated. We need use Tcg2.

Cc: Chao B Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Chao B Zhang <chao.b.zhang@intel.com>
2018-03-16 14:19:48 +08:00
Jiewen Yao 53a6b65604 SecurityPkg/TrEESmm: remove TrEE.
TrEE is deprecated. We need use Tcg2.

Cc: Chao B Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Chao B Zhang <chao.b.zhang@intel.com>
2018-03-16 14:19:47 +08:00
Jiewen Yao ff469eae2c SecurityPkg/dsc: remove TrEE.
TrEE is deprecated. We need use Tcg2.

Cc: Chao B Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Chao B Zhang <chao.b.zhang@intel.com>
2018-03-16 14:19:46 +08:00
Laszlo Ersek 7548947d04 SecurityPkg/TcgPei: drop PeiReadOnlyVariable from Depex
TcgPei doesn't actually use the PEI-phase read-only variable service, so
drop that from the Depex.

This patch was inspired by commit ab9e11da66 ("SecurityPkg/Tcg2Pei: drop
PeiReadOnlyVariable from Depex", 2018-03-09).

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Suggested-by: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
2018-03-10 16:27:57 +01:00
Marc-André Lureau ab9e11da66 SecurityPkg/Tcg2Pei: drop PeiReadOnlyVariable from Depex
The module doesn't use read-only variable.

Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2018-03-09 18:07:39 +01:00
Marc-Andr? Lureau 73ee3abab1 SecurityPkg: also clear HashInterfaceHob.SupportedHashMask
Commit 4cc2b63bd8 fixed an out of bounds
ZeroMem() call. However, as Laszlo Ersek pointed out, the intent was
to clear all but the Identifier (to revert the effect of
RegisterHashInterfaceLib()). For that, it should clear the
SupportedHashMask too.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Marc-Andr? Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2018-03-08 22:41:50 +08:00
Star Zeng a998027ba8 SecurityPkg OpalPasswordExtraInfoVariable.h: Remove it
Remove OpalPasswordExtraInfoVariable.h as it is not been used
anymore.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2018-03-08 21:33:51 +08:00
Star Zeng 1101ffbf84 SecurityPkg OpalPasswordSupportLib: Remove it
Remove OpalPasswordSupportLib as it is not been used
anymore.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2018-03-08 21:33:51 +08:00
Star Zeng 957024c1bc SecurityPkg OpalPassword: Remove old solution
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2018-03-08 21:33:50 +08:00
Star Zeng 112e584ba0 SecurityPkg OpalPassword: Add solution without SMM device code
After IOMMU is enabled in S3, original solution with SMM device
code (OpalPasswordSmm) to unlock OPAL device for S3 will not work
as the DMA operation will be aborted without granted DMA buffer.
Instead, this solution is to add OpalPasswordPei to eliminate
SMM device code, and OPAL setup UI produced by OpalPasswordDxe
will be updated to send requests (set password, update password,
and etc), and then the requests will be processed in next boot
before SmmReadyToLock, password and device info will be saved to
lock box used by OpalPasswordPei to unlock OPAL device for S3.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2018-03-08 21:33:50 +08:00
Star Zeng d62cb7bb0c SecurityPkg TcgStorageCoreLib: Make it be base type really
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2018-03-08 21:33:49 +08:00
Star Zeng 6accc5fad4 SecurityPkg TcgStorageOpalLib: Make it be base type really
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2018-03-08 21:33:49 +08:00
Dandan Bi 3d1872b780 SecurityPkg/SmmTcg2PhysicalPresenceLib: Fix coding style issue
Boolean values do not need to use explicit comparisons
to TRUE or FALSE.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by:Chao Zhang <chao.b.zhang@intel.com>
2018-03-08 08:58:49 +08:00
Marc-Andr? Lureau 4cc2b63bd8 SecurityPkg: only clear HashInterface information
The ZeroMem() call goes beyond the HashInterfaceHob structure, causing
HOB list corruption. Instead, just clear the HashInterface fields, as
I suppose was originally intended.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Marc-Andr? Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
2018-03-07 21:46:11 +08:00
Marc-André Lureau a39e722670 SecurityPkg/Tcg2Pei: drop Tcg2PhysicalPresenceLib dependency
Apparently, unnecessary. Avoids extra build dependency and churn.

CC: Laszlo Ersek <lersek@redhat.com>
CC: Stefan Berger <stefanb@linux.vnet.ibm.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2018-03-02 15:23:12 +01:00
Zhang, Chao B 28fd7b090d SecurityPkg: Tcg2Smm: Refine type cast in pointer abstraction
Pointer subtraction is not performed by pointers to elements of the same
array object. Such behavior is undefined by C11 standard and might lead to
potential issues, Refine pointer subtraction by first casting each pointer
to UINTN.

Cc: Hao Wu <hao.a.wu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Hao Wu <hao.a.wu@intel.com>
2018-02-08 16:09:33 +08:00
Liming Gao 1662676d58 SecurityPkg: Don't build AuthVariableLib for EBC arch
EBC build failure is caused by d7a09cb86a.
It changes MAX_UINTN definition as below. AuthVariableLib uses MAX_UINTN
in the global data initialization. New style has >> operator, and not
supported by EBC compiler. The fix is not to build AuthVariableLib for EBC.

#define MAX_UINTN  ((UINTN) ~0)
==>
#define MAX_UINTN  ((UINTN)(~0ULL >> (64 - sizeof (INTN) * 8)))

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Liming Gao <liming.gao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2018-02-07 09:16:15 +08:00
Zhang, Chao B 449083a3f8 SecurityPkg:Tcg2Smm: Fix compile issue
Update Tcg2Smm _PRS patching logic to fix compile issue

Cc: Liming Gao <liming.gao@intel.com>
Cc: Dandan Bi <dandan.bi@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Liming Gao <liming.gao@intel.com>
2018-02-07 09:03:59 +08:00
Zhang, Chao B 84391f5795 SecurityPkg: Support PP version lower than 1.3
TCG PP 1.2 & PP 1.3 spec defined different Opcodes.
Update code to support both.

Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
2018-02-06 12:59:15 +08:00
Zhang, Chao B a02a5f3dbf SecurityPkg: Add UNI string for 2 PCDs
Add prompt & help string for PcdTpm2CurrentIrqNum, PcdTpm2PossibleIrqNumBuf

Cc: Dandan Bi <dandan.bi@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Dandan Bi <dandan.bi@intel.com>
2018-02-05 09:13:59 +08:00
Zhang, Chao B 5552ac4231 SecurityPkg: Disable TPM interrupt in DEC
Disable TPM interrupt support in DEC by default to keep compatibility

Cc: Yao Jiewen <jiewen.yao@intel.com>
Cc: Long Qin <qin.long@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
2018-01-30 10:24:05 +08:00
Zhang, Chao B c4122dcaad SecurityPkg: Tcg2Smm: Enable TPM2.0 interrupt support
1. Expose _CRS, _SRS, _PRS control method to support TPM interrupt
2. Provide 2 PCDs to configure _CRS and _PRS returned data

Cc: Yao Jiewen <jiewen.yao@intel.com>
Cc: Ronald Aigner <Ronald.Aigner@microsoft.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
2018-01-29 15:09:23 +08:00
Zhang, Chao B 11cf02f6d0 SecurityPkg:Tpm2DeviceLibDTpm: Support TPM command cancel
Support TPM Command cancel if executing command timeouts. Cancel could
happen in long running command case

Cc: Yao Jiewen <jiewen.yao@intel.com>
Cc: Chinnusamy Rajkumar K <rajkumar.k.chinnusamy@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
2018-01-25 22:14:28 +08:00
Zhang, Chao B b921c62943 SecurityPkg: Update package version to 0.98
Update package version of SecurityPkg to 0.98.

Cc: Qin Long <qin.long@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
2018-01-23 08:47:03 +08:00
Zhang, Chao B d02a848e32 SecurityPkg/PhysicalPresenceLib: Reject illegal PCR bank allocation
According to TCG PP1.3 spec, error PCR bank allocation input should be
rejected by Physical Presence. Firmware has to ensure that at least one
PCR banks is active.

Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
2018-01-15 16:40:11 +08:00
Liming Gao dcd70885ca SecurityPkg: Convert source file to DOS format
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Liming Gao <liming.gao@intel.com>
Cc: Qin Long <qin.long@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2017-12-28 12:48:02 +08:00
Long Qin b6ee737979 SecurityPkg: Remove RngTest Application from SecurityPkg
BZ#: https://bugzilla.tianocore.org/show_bug.cgi?id=820
Remove the RngTest application from SecurityPkg, which was only for
unit test.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Long Qin <qin.long@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2017-12-27 02:29:00 +08:00
Star Zeng e9dfa1b519 SecurityPkg TcgMor: Remove wrong comments
and free the HandleBuffer after used.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2017-12-19 09:34:47 +08:00
Zhang, Chao B 73d777329f SecurityPkg:Tcg2Smm: Update Interrupt resource name
Update TPM interrupt resource descriptor name for better compatibility to
old ASL compiler.

Cc: Long Qin <qin.long@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
2017-12-12 22:12:18 +08:00
Zhang, Chao B af9743ef44 SecurityPkg:Tcg2Smm: Add MSFT copyright
Add MSFT copyright for TPM SIRQ feature.

Cc: Long Qin <qin.long@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
2017-12-12 15:03:39 +08:00
Zhang, Chao B edf7647bae SecurityPkg:Tcg2Smm:Enabling TPM SIRQ interrupt support
1. Report TPM SIRQ interrupt resource through _CRS
2. Expose _SRS to update interrupt resource & FIFO/TIS interrupt related registers
   defined in TCG PC Client Platform TPM Profile (PTP) Specification spec
https://trustedcomputinggroup.org/wp-content/uploads/PC-Client-Specific-Platform-TPM-Profile-for-TPM-2-0-v43-150126.pdf
Note: IHV/OEM need to carefully verify this feature with OS TPM driver to make sure there is no impact to system/HW

Cc: Long Qin <qin.long@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
2017-12-09 13:17:26 +08:00
chenc2 c3cb333e09 SecurityPkg/SecureBootConfigDxe: Fix deleting signature data issue.
Replace "(UINT8 *)NewVariableData" with (UINT8 *)NewVariableData + Offset"
to avoid the header of EFI_SIGNATURE_LIST being copied to the front of
NewVariableData every time and update ListWalker when handling the current
EFI_SIGNATURE_LIST finishes.

Cc: Zhang Chao <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: chenc2 <chen.a.chen@intel.com>
Reviewed-by: Zhang Chao <chao.b.zhang@intel.com>
2017-11-27 10:25:21 +08:00
chenc2 62ba0febf5 SecurityPkg/AuthVariableLib: Use EFI_CERT_DATA to parse certificate
The function Pkcs7GetSigners return certificate stack as binary buffer.
Use EFI_CERT_DATA to parsing certificate stack more clearly, and access
certificate by the field of EFI_CERT_DATA structure.

Cc: Long Qin <qin.long@intel.com>
Cc: Zhang Chao <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: chenc2 <chen.a.chen@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Zhang Chao <chao.b.zhang@intel.com>
2017-11-07 22:06:54 +08:00
Zhang, Chao B 0130fddeb3 SecurityPkg: Remove Counter Based AuthVariable support
Remove counter based auth variable support. also modify several function
descriptors to accommodate the change

Cc: Long Qin <qin.long@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
2017-11-01 22:24:59 +08:00
chenc2 3539e850eb SecurityPkg/SecureBootConfigDxe: Handle lack of STR_SIGNATURE_* tokens
Add check to avoid NULL ptr dereference. The function HiiGetString
will return NULL pointer when the platform does not install the
appropriate string or call HiiGetString fail.(For example, HII not
support specified language.)

Cc: Zhang Chao <chao.b.zhang@intel.com>
Cc: Wu Hao <hao.a.wu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: chenc2 <chen.a.chen@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Wu Hao <hao.a.wu@intel.com>
2017-10-19 22:22:30 +08:00
Long Qin 6ded19558a SecurityPkg/Pkcs7Verify: Add the comments to address security problem
Add the comments to address security problems in the Pkcs7Verify Protocol
per UEFI 2.7 updates.

The Pkcs7Verifier function VerifySignature() has problematic use cases
where it might be used to unwittingly bypass security checks.  The specific
problem is that if the supplied hash is a different algorithm from the
blacklist hash, the hash will be approved even if it should have been
denied. The added comments place a strong warning about the problem.
It is possible to use the protocol reliably, either by agreeing a hash to
use for all time (like sha256) or by looping over all supported hashes when
using the protocol.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2017-10-18 23:03:38 +08:00
Laszlo Ersek 11b74aa472 SecurityPkg/AuthVariableLib: fix GCC build error
Commit 53c6ff1803 ("SecurityPkg:AuthVariableLib:Implement ECR1707 for
Private Auth Variable", 2017-09-12) introduced the following build
failure under several GCC toolchain versions:

> SecurityPkg/Library/AuthVariableLib/AuthService.c: In function
> 'CalculatePrivAuthVarSignChainSHA256Digest':
> SecurityPkg/Library/AuthVariableLib/AuthService.c:1567:58: error:
> pointer targets in passing argument 3 of 'X509GetCommonName' differ in
> signedness [-Werror=pointer-sign]
>    Status = X509GetCommonName(SignerCert, SignerCertSize, CertCommonName, &CertCommonNameSize);
>                                                           ^~~~~~~~~~~~~~
> In file included from
> SecurityPkg/Library/AuthVariableLib/AuthServiceInternal.h:34:0,
>                  from
>                  SecurityPkg/Library/AuthVariableLib/AuthService.c:32:
> CryptoPkg/Include/Library/BaseCryptLib.h:2202:1: note: expected 'CHAR8 *
> {aka char *}' but argument is of type 'UINT8 * {aka unsigned char *}'
>  X509GetCommonName (
>  ^~~~~~~~~~~~~~~~~
> cc1: all warnings being treated as errors

Fix it by changing the type of "CertCommonName" to array-of-CHAR8.

Locations where "CertCommonName" is used in the
CalculatePrivAuthVarSignChainSHA256Digest() function:

- it is taken the size of -- not impacted by this patch;

- passed to X509GetCommonName() as an argument -- the patch fixes the
  build error;

- passed to Sha256Update() as argument for "IN CONST VOID  *Data" -- not
  impacted by the patch;

- passed to AsciiStrLen() as argument -- drop the now-superfluous explicit
  cast.

Since we are touching the Sha256Update() function call, fix the coding
style too:

- the line is overlong, so break each argument to its own line;

- insert a space between "AsciiStrLen" and the opening paren "(".

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Gary Lin <glin@suse.com>
Cc: Leif Lindholm <leif.lindholm@linaro.org>
Cc: Long Qin <qin.long@intel.com>
Reported-by: Gary Lin <glin@suse.com>
Suggested-by: Gary Lin <glin@suse.com>
Suggested-by: Long Qin <qin.long@intel.com>
Fixes: 53c6ff1803
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
2017-10-17 21:46:21 +02:00
Brijesh Singh 071f1d19dd SecurityPkg: make PcdOptionRomImageVerificationPolicy dynamic
By default the image verification policy for option ROM images is 0x4
(DENY_EXECUTE_ON_SECURITY_VIOLATION) but the following OvmfPkg commit:

1fea9ddb4e OvmfPkg: execute option ROM images regardless of Secure Boot

set it to 0x0 (ALWAYS_EXECUTE). This is fine because typically option
ROMs comes from host-side and most of the time cloud provider (i.e
hypervisor) have full access over a guest anyway. But when secure boot
is enabled, we would like to deny the execution of option ROM when
SEV is active. Having dynamic Pcd will give us flexibility to set the
security policy at the runtime.

Fixes: https://bugzilla.tianocore.org/show_bug.cgi?id=728
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
2017-10-17 21:28:26 +02:00
chenc2 65c77f0210 SecurityPkg/SecureBootConfigDxe: Change the declaring of buffer.
The change doesn't impact the functionality.
To avoid magic code is helpful for maintaining the codes.
Use stack variable for known max length variable is more
clear and safe than heap buffer.

Cc: Zhang Chao B <chao.b.zhang@intel.com>
Cc: Wu Hao A <hao.a.wu@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: chenc2 <chen.a.chen@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2017-10-17 22:03:42 +08:00
chenc2 0085d619dd SecurityPkg/SecureBootConfigDxe: Fix coding style issue
The change doesn't impact the functionality.

Cc: Bi Dandan <dandan.bi@intel.com>
Cc: Zhang Chao <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: chenc2 <chen.a.chen@intel.com>
Reviewed-by: Bi Dandan <dandan.bi@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2017-10-17 16:47:45 +08:00
Dandan Bi 5f2b325e4d Security/OpalHii.c: Handle NULL Request or Request with no elements
According to UEFI spec, for the ExtractConfig function in
EFI_HII_CONFIG_ACCESS_PROTOCOL,If a NULL is passed in for the Request
field or if a ConfigHdr is passed in with no request elements, all of
the settings being abstracted by this function will be returned in the
Results field.

The implementation of ExtractConfig function in OpalHii.c misses to
handle above cases.This patch is to do the enhancements.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
2017-10-17 13:23:06 +08:00
Zhang, Chao B d7c054f985 SecurityPkg\Tcg2Pei: FV measure performance enhancement
1. Leverage Pre-Hashed FV PPI to reduce duplicated hash
2. Only measure BFV at the beginning. Other FVs are measured in FVinfo callback with nested
   FV check. https://bugzilla.tianocore.org/show_bug.cgi?id=662

Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Cc: Sean Brogan <sean.brogan@microsoft.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
2017-10-15 08:16:36 +08:00
Zhang, Chao B 53c6ff1803 SecurityPkg:AuthVariableLib:Implement ECR1707 for Private Auth Variable
ECR1707 for UEFI2.7 clarified certificate management rule for private time-based
AuthVariable.Trusted cert rule changed from whole signer's certificate stack to
top-level issuer cert tbscertificate + SignerCert CN for better management compatibility.
Hash is used to reduce storage overhead.

Cc: Long Qin <qin.long@intel.com>
Cc: Chen Chen <chen.a.chen@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>'
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Chen Chen <chen.a.chen@intel.com>
2017-10-14 22:27:14 +08:00
Liming Gao f37bcdd60d SecurityPkg: Update Guid usage in INF file to match source code logic
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Liming Gao <liming.gao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2017-10-10 18:10:22 +08:00
chenc2 85974aef13 SecurityPkg/SecureBootConfigImpl.c: Secure Boot DBX UI Enhancement
Use 2-level format to display signature list and signature data.
Support batch delete operation to delete signature list or signature data.
Display more useful information for each signature data.

Contributed-under: TianoCore Contribution Agreement 1.0
Cc: Zhang Chao B <chao.b.zhang@intel.com>
Cc: Long Qin <qin.long@intel.com>
Signed-off-by: Chen A Chen <chen.a.chen@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Zhang Chao B <chao.b.zhang@intel.com>
2017-09-28 15:02:00 +08:00
Zhang, Chao B 265e5c82f5 SecurityPkg\SmmTcg2PhysicalPresenceLib.c Handle reserved or unimplemented PP Operation
Several PP operations < 128(Vendor Specific) are reserved or unimplemented.
Follow TCG PC Client Platform Physical Presence Interface Specification to return
not implemented.
https://trustedcomputinggroup.org/wp-content/uploads/Physical-Presence-Interface_1-30_0-52.pdf

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
2017-09-28 11:29:42 +08:00
Peter Jones 56e88e9e5f Pkcs7VerifyDxe: Don't allow Pkcs7Verify to install protocols twice
This patch makes Pkcs7VerifyDxe check that it has not already been
installed before installing its protocols.  This prevents the case
where loading it as an external driver (either manually, through
Driver#### variables, etc.) will refuse to add a second provider of
the API.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Peter Jones <pjones@redhat.com>
Reviewed-by: Michael Kinney <michael.d.kinney@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
2017-09-05 15:55:42 +08:00
Long Qin a2481f81b3 SecurityPkg/Pkcs7Verify: Complete the Pkcs7VerifyDxe protocol
VerifySignature can be implemented using a mirror of the
AuthenticodeVerify function that's already in use in the
ImageVerificationDXE environment, so this patch simply wires up
VerifySignature using that code.
<NOTE: Only Authenticode-signature verification was supported by
       this VerifySignature() implementation now.)

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Reviewed-by: Long Qin <qin.long@intel.com>
2017-09-05 15:47:31 +08:00
Long Qin 10cd747d33 SecurityPkg: Add ARM/AARCH64 arch to enable RngTest module build.
Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=680

Adding ARM and AARCH64 to SUPPORTED_ARCHITECTURES in SecurityPkg.dsc
to enable RngTest module build, since this is one platform-independent
application.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
2017-08-30 11:34:34 +08:00
Ruiyu Ni 9d5dfe9d74 SecurityPkg/Tcg2Dxe: Properly shutdown TPM before reset
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Reviewed-by: Chao B Zhang <chao.b.zhang@intel.com>
2017-08-25 16:59:08 +08:00
Michael D Kinney 2a98de0344 edk2: Move License.txt file to root
https://bugzilla.tianocore.org/show_bug.cgi?id=642

Add top level License.txt file with the BSD 2-Clause
License that is used by the majority of the EKD II open
source project content.  Merge copyright statements
from the BSD 2-Clause License files in each package
directory and remove the duplication License.txt
file from package directories.

Cc: Leif Lindholm <leif.lindholm@linaro.org>
Cc: Andrew Fish <afish@apple.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
2017-08-03 11:02:17 -07:00
Michael D Kinney bbdd3bad1b edk2: Move TianoCore Contribution Agreement to root
https://bugzilla.tianocore.org/show_bug.cgi?id=629

Move Contributions.txt that contains the TianoCore
Contribution Agreement 1.0 to the root of the edk2
repository and remove the duplicate Contributions.txt
files from all packages.

Cc: Leif Lindholm <leif.lindholm@linaro.org>
Cc: Andrew Fish <afish@apple.com>
Cc: Jordan Justen <jordan.l.justen@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Michael D Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jordan Justen <jordan.l.justen@intel.com>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
2017-08-03 11:01:53 -07:00
Star Zeng 398b0f6766 SecurityPkg OpalPasswordSupportLib: Remove include to UefiAcpiDataTable.h
Remove redundant include to UefiAcpiDataTable.h as
SmmCommunication.h will help to include it.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2017-07-27 14:08:08 +08:00
Star Zeng ec4910cd33 SecurityPkg TcgDxe: Simplify debug msg when "TPM not working properly"
Current code for case "TPM not working properly" uses the predefined
macro __FILE__ in debug format string, but uses predefined macro
__LINE__ as parameter, and it also uses multiple pairs of "" in debug
format string.

To be simple and clear, this patch is to update the code to just use
"DriverEntry: TPM not working properly\n" as the debug message.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Amy Chan <amy.chan@intel.com>
Cc: Chasel Chiu <chasel.chiu@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Chasel Chiu <chasel.chiu@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2017-06-10 13:19:59 +08:00
Zhang, Chao B 6d92ae11d1 SecurityPkg: Add TCG Spec info to TCG related modules
Add TCG Spec compliance info to TCG related module INFs.

Cc: Qin Long <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
2017-05-11 16:20:05 +08:00
Long Qin 76b35710b9 SecurityPkg/Pkcs7VerifyDxe: Add format check in DB list contents
Add the size check for invalid format detection in AllowedDb,
RevokedDb and TimeStampDb list contents.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Qin Long <qin.long@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2017-05-05 14:58:47 +08:00
Zhang, Chao B de8e4dc4df SecurityPkg: Update package version to 0.97
Update package version of SecurityPkg to 0.97.

Cc: Qin Long <qin.long@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
2017-05-05 13:27:00 +08:00
Eric Dong 350e9150cc SecurityPkg: Consume SmmIoLib.
Update code to consume SmmIoLib to pass build.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2017-05-04 08:32:39 +08:00
Eric Dong 50e6bb98ee SecurityPkg OpalPasswordSmm: Consume SmmIoLib.
Update code to consume SmmIoLib to check Mmio validation.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2017-05-04 08:32:38 +08:00
Long Qin d3e0c996d5 SecurityPkg/SecurityPkg.dec: Update PcdPkcs7CertBuffer PCD.
This patch updates the PcdPkcs7CertBuffer PCD to use the new
generated test certificate data for PKCS7 verification. This
was used as sample trusted certificate in the verification of
Signed Capsule Update.
(The updated value is still only for test purpose.)

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Long Qin <qin.long@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2017-04-12 13:18:06 +08:00
Jeff Fan f0f1a3cbf6 SecurityPkg: Error Level is not used correctly
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jeff Fan <jeff.fan@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2017-04-12 08:56:33 +08:00
Zhang, Chao B 9d9b8b77bc SecurityPkg: SecureBootConfigDxe: Update CloseEnrolledFile comment
Update function CloseEnrolledFile comment introduced in
4de754e15f

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Bi Dandan <dandan.bi@intel.com>
2017-04-06 15:49:21 +08:00
Zhang, Chao B 4de754e15f SecurityPkg: SecureBootConfigDxe: Support AUTH_2 enrollment to DBX
Update SecureBootConfigDxe to support AUTH_2 format data enrollment
to DBX.
Free opened file handle resource after exit PK/KEK/DB/DBX/DBT
enrollment page.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
2017-04-06 10:50:43 +08:00
Hao Wu 5d7f27aab2 SecurityPkg/Opal: Refine casting expression result to bigger size
There are cases that the operands of an expression are all with rank less
than UINT64/INT64 and the result of the expression is explicitly cast to
UINT64/INT64 to fit the target size.

An example will be:
UINT32 a,b;
// a and b can be any unsigned int type with rank less than UINT64, like
// UINT8, UINT16, etc.
UINT64 c;
c = (UINT64) (a + b);

Some static code checkers may warn that the expression result might
overflow within the rank of "int" (integer promotions) and the result is
then cast to a bigger size.

The commit refines codes by the following rules:
1). When the expression is possible to overflow the range of unsigned int/
int:
c = (UINT64)a + b;

2). When the expression will not overflow within the rank of "int", remove
the explicit type casts:
c = a + b;

3). When the expression will be cast to pointer of possible greater size:
UINT32 a,b;
VOID *c;
c = (VOID *)(UINTN)(a + b); --> c = (VOID *)((UINTN)a + b);

4). When one side of a comparison expression contains only operands with
rank less than UINT32:
UINT8 a;
UINT16 b;
UINTN c;
if ((UINTN)(a + b) > c) {...} --> if (((UINT32)a + b) > c) {...}

For rule 4), if we remove the 'UINTN' type cast like:
if (a + b > c) {...}
The VS compiler will complain with warning C4018 (signed/unsigned
mismatch, level 3 warning) due to promoting 'a + b' to type 'int'.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
2017-03-06 14:33:24 +08:00
Hao Wu 4333b99d28 SecurityPkg: Refine type cast for pointer subtraction
For pointer subtraction, the result is of type "ptrdiff_t". According to
the C11 standard (Committee Draft - April 12, 2011):

"When two pointers are subtracted, both shall point to elements of the
same array object, or one past the last element of the array object; the
result is the difference of the subscripts of the two array elements. The
size of the result is implementation-defined, and its type (a signed
integer type) is ptrdiff_t defined in the <stddef.h> header. If the result
is not representable in an object of that type, the behavior is
undefined."

In our codes, there are cases that the pointer subtraction is not
performed by pointers to elements of the same array object. This might
lead to potential issues, since the behavior is undefined according to C11
standard.

Also, since the size of type "ptrdiff_t" is implementation-defined. Some
static code checkers may warn that the pointer subtraction might underflow
first and then being cast to a bigger size. For example:

UINT8  *Ptr1, *Ptr2;
UINTN  PtrDiff;
...
PtrDiff = (UINTN) (Ptr1 - Ptr2);

The commit will refine the pointer subtraction expressions by casting each
pointer to UINTN first and then perform the subtraction:

PtrDiff = (UINTN) Ptr1 - (UINTN) Ptr2;

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2017-03-06 14:15:36 +08:00
Zhang, Chao B 400b0940c8 SecurityPkg: Tcg2Dxe: Measure DBT into PCR[7]
Measure DBT into PCR[7] in initial measurement phase if present and
not empty by following TCG PC Client PFP 00.49.
The previous patch according to 00.21 is removed
1404e3a150

Cc: Star Zeng <star.zeng@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
2017-03-06 09:58:36 +08:00
Zhang, Chao B fe13f92b6f SecurityPkg: Tcg2Dxe: Measure BootOrder, Boot#### to PCR[1]
Measure BootOrder, Boot#### to PCR[1] according to TCG PC-Client PFP Spec
00.21 Section 2.4.4.2
http://www.trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v21.pdf

Cc: Star Zeng <star.zeng@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
2017-03-06 09:57:24 +08:00
Zhang Lubo e9429e7997 SecurityPkg: Fix potential bug in Security Boot dxe.
v2: update hash value in SecureBootConfig.vfr to keep
them consistent with macro definition in SecureBootConfigImpl.h

since we removed the sha-1 definition in Hash table
and related macro, but the macro definition HashAlg index
may be value 4 which is exceed the range of the Hash
table array.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Zhang Lubo <lubo.zhang@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2017-03-01 15:40:50 +08:00
Ruiyu Ni 2a08577480 SecurityPkg/SecureBootConfigDxe: Use StrToGuid in BaseLib
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ruiyu Ni <ruiyu.ni@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2017-02-28 11:30:34 +08:00
Jiewen Yao 087132a84a SecurityPkg/TpmCommandLib: Add Tpm2ReadPublic.
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Long Qin <qin.long@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Yao Jiewen <jiewen.yao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2017-02-21 16:47:18 +08:00
Star Zeng 5af4388433 Security Tcg2Smm: Add missing gEfiTcg2ProtocolGuid dependency
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=380

gEfiTcgProtocolGuid dependency was added in TcgSmm.
But gEfiTcg2ProtocolGuid dependency is missing in Tcg2Smm.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2017-02-21 08:54:58 +08:00
Zhang Lubo c035e37335 SecurityPkg: enhance secure boot Config Dxe & Time Based AuthVariable.
V3: code clean up

prohibit Image SHA-1 hash option in SecureBootConfigDxe.
Timebased Auth Variable driver should ensure AuthAlgorithm
is SHA256 before further verification

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Zhang Lubo <lubo.zhang@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
2017-02-20 10:09:53 +08:00
Star Zeng 9fe9cf9acb SecurityPkg HashLibRouter: Avoid incorrect PcdTcg2HashAlgorithmBitmap
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=244

Currently, when software HashLib (HashLibBaseCryptoRouter) and related
HashInstanceLib instances are used, PcdTcg2HashAlgorithmBitmap is
expected to be configured to 0 in platform dsc.
But PcdTcg2HashAlgorithmBitmap has default value 0xFFFFFFFF in
SecurityPkg.dec, and some platforms forget to configure it to 0 or
still configure it to 0xFFFFFFFF in platform dsc, that will make final
PcdTcg2HashAlgorithmBitmap value incorrect.

This patch is to add CONSTRUCTOR in HashLib (HashLibBaseCryptoRouter)
and PcdTcg2HashAlgorithmBitmap will be set to 0 in the CONSTRUCTOR.

Current HASH_LIB_PEI_ROUTER_GUID HOB created in
HashLibBaseCryptoRouterPei is shared between modules that link
HashLibBaseCryptoRouterPei.
To avoid mutual interference, separated HASH_LIB_PEI_ROUTER_GUID HOBs
with gEfiCallerIdGuid Identifier will be created for those modules.

This patch is also to add check in HashLib (HashLibBaseCryptoRouter)
for the mismatch of supported HashMask between modules that may link
different HashInstanceLib instances, warning will be reported if
mismatch is found.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2017-02-08 18:52:07 +08:00
Zhang, Chao B a2612cf7d8 SecurityPkg: Tcg2Dxe: Log EV_NO_ACTION event in TCG_PCR_EVENT2 format
All the event log entry in TCG2 Event log format should be TCG_PCR_EVENT2
except event log header. Defined by TCG EFI Spec 2.0 00.13
https://trustedcomputinggroup.org/wp-content/uploads/EFI-Protocol-Specification-rev13-160330final.pdf

Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
2017-02-06 09:28:20 +08:00
Zhang, Chao B c1b0828b3b SecurityPkg: Tcg2Dxe: Update PCR[4] measure logic
Update PCR[4] measure logic for each boot attempt.
1. Measure event to PCR[4] instead of PCR[5]
2. Measure “Calling UEFI Application from Boot Option”
http://www.trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v21.pdf

Cc: Star Zeng <star.zeng@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
2017-01-26 13:43:25 +08:00
Michael Kinney 8b17ad862c SecurityPkg/Tpm12CommandLib: Always check response returnCode
https://bugzilla.tianocore.org/show_bug.cgi?id=338

Update the Tpm12CommandLib to consistently check the returnCode
field of a response packet.  These checks are missing from the
GetCapability and SelfTest commands.  The functions
Tpm12ContinueSelfTest(), Tpm12GetCapabilityFlagPermanent(), and
Tpm12GetCapabilityFlagVolatile() are updated to verify that the
response returnCode is not an error.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Michael Kinney <michael.d.kinney@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2017-01-25 14:18:30 -08:00
Zhang, Chao B 9d77acf156 SecurityPkg: Tcg2Dxe: Use UEFI_VARIABLE_DATA
Use UEFI_VARIABLE_DATA data structure according to TCG PC-Client PFP Spec
00.21.
http://www.trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v21.pdf

Cc: Star Zeng <star.zeng@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
2017-01-25 10:24:14 +08:00
Zhang, Chao B 18458db1d4 SecurityPkg: Tcg2Dxe: Log Startup Locality Event
Log Startup Locality Event according to TCG PC Client PFP 00.21.
Event should be placed before any extend to PCR[0]
http://www.trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v21.pdf

Cc: Star Zeng <star.zeng@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
2017-01-24 10:22:25 +08:00
Zhang, Chao B 1404e3a150 SecurityPkg: Tcg2Dxe: Measure DBT into PCR[7]
Measure DBT into PCR[7] in initial measurement phase according
to TCG PC Client PFP 00.37. http://www.trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v21.pdf

Cc: Star Zeng <star.zeng@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
2017-01-22 13:02:56 +08:00
Zhang, Chao B 5b196b06b2 SecurityPkg: DxeImageVerificationLib: Update PCR[7] measure logic
Update PCR[7] measure logic according to TCG PC Client PFP 00.37.
Only entries in DB that is used for image authentication need to be
measured.
http://www.trustedcomputinggroup.org/wp-content/uploads/PC-ClientSpecific_Platform_Profile_for_TPM_2p0_Systems_v21.pdf

Cc: Star Zeng <star.zeng@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
2017-01-22 13:02:46 +08:00
Hao Wu ba47ae9352 SecurityPkg/FmpAuthenticationLib: Refine to compare with same type
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2017-01-12 21:26:29 +08:00
Hao Wu b35ace1777 SecurityPkg/TcgDxe: Refine to compare 2 values with the same type
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2017-01-12 21:26:28 +08:00
Zhang, Chao B bf3b7aae71 SecuritPkg: Tcg2Smm: Add PlatformClass to TPM2 Table
Add PlatformClass info into TPM2 ACPI table, it is only valid with table
Rev 4 and later.

Cc: Star Zeng <star.zeng@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
2017-01-12 12:28:52 +08:00
Zhang, Chao B 0772737347 SecurityPkg: Tcg2Smm: Fix incompatible change
Address incompatible change introduced in patch
8f07a374b1

Cc: Star Zeng <star.zeng@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
2017-01-11 16:25:03 +08:00
Zhang, Chao B 363dc42226 SecurityPkg: Tcg2ConfigDxe/Tcg2Smm: Fix TPM2 HID issue
Fix wrong TPM2 HID generation logic.

Cc: Star Zeng <star.zeng@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
2017-01-10 15:16:46 +08:00
Zhang, Chao B fca4228907 SecurityPkg: Tcg2Config: TPM2 ACPI Table Rev Option
Add TPM2 ACPI Table Rev Option in Tcg2Config UI. Rev 4 is defined in
TCG ACPI Specification 00.37

Cc: Star Zeng <star.zeng@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
2017-01-10 14:18:42 +08:00
Star Zeng 133834858a SecurityPkg Tcg2ConfigDxe: Refine debug message and comments
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2017-01-09 16:08:51 +08:00
Star Zeng 3613af9139 SecurityPkg Tcg2ConfigDxe: Typecast to (CHAR8*) as para of AsciiStrSize
Cc: Dandan Bi <dandan.bi@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Dandan Bi <dandan.bi@intel.com>
2017-01-09 11:10:03 +08:00
Star Zeng dd6d0a520e SecurityPkg Tcg2ConfigDxe: Add setup option to configure PPI version
REF: https://bugzilla.tianocore.org/show_bug.cgi?id=288

gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer was
introduced to configure physical presence interface version. but test
or user needs to build different images to support different versions
separately as the PCD does not support Dynamic types.

This patch is to extend the PCD to support Dynamic types and add a
setup option in Tcg2ConfigDxe driver to configure the physical
presence interface version, the PCD needs to be DynamicHii type and
maps to the setup option.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2017-01-06 18:06:37 +08:00
Zhang, Chao B 42b8555161 SecurityPkg: TcgPei: Sync TCG PP lifetime lock state
Sync TCG lifetime lock state after performing PP command.
Later logic checks such state.

Cc: Long Qin <qin.long@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
2017-01-06 09:57:05 +08:00
Zhang, Chao B 60c9860c43 SecurityPkg: Tcg2ConfigDxe: Remove duplicate local variable
Remove duplicate local status variable declaration.

Cc: Bi Dandan <dandan.bi@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Bi Dandan <dandan.bi@intel.com>
2017-01-06 09:51:27 +08:00
Zhang, Chao B b3724a03d6 SecurityPkg: Add Pcd PROMPT/HELP & Chang default setting
Update PCD PcdTcg2PhysicalPresenceFlags default setting. Also add PROMPT,
HELP string.

Cc: Star Zeng <star.zeng@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
2017-01-05 10:47:08 +08:00
Zhang, Chao B 3304abc101 SecuritPkg: Tcg2: Fix coding style issue
Fix coding style issue

Cc: Bi Dandan <dandan.bi@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Bi Dandan <dandan.bi@intel.com>
2017-01-05 10:47:03 +08:00
Zhang, Chao B a6e0e994d0 SecurityPkg: Tcg2ConfigDxe: Display TPM2 HID in Tcg2Config
Display TPM2 HID from TPM2 ACPI device object in Tcg2Config UI

Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
2017-01-05 09:30:15 +08:00
Zhang, Chao B 9a9fa14e5c SecurityPkg: Tcg2Smm: Update HID patch logic
Update HID patch logic. NOOP in ASL template may cause syntax error when
disassembled and recompiled.

Cc: Long Qin <qin.long@intel.com>
Cc: Yao Jiewen <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
2017-01-04 13:18:50 +08:00
Zhang, Chao B 710174e011 SecurityPkg: Tcg2PhysicalPresence: Define TCG2 PP Flags Initial Pcd
Define PcdTcg2PhysicalPresenceFlags to initialize TCG2 PP Flags setting.

Cc: Yao Jiewen <jiewen.yao@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
2016-12-29 09:45:15 +08:00
Zhang, Chao B 73126ac2bd SecurityPkg: Tcg2Smm: TPM2 Vendor specific HID
Update TPM2 HID using vendor ManufacturerID & FirmwareVersion1.

Cc: Yao Jiewen <jiewen.yao@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
2016-12-29 09:45:13 +08:00
Jiewen Yao 492c05f599 SecurityPkg/FmpAuthLib: Add PublicKeyDataLength check
Add PublicKeyDataLength check to be multiple SHA256_DIGEST_SIZE
to avoid caller make mistake, or platform mis-configuration.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Qin Long <qin.long@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Qin Long <qin.long@intel.com>
2016-12-23 10:01:36 +08:00
Eric Dong 151ca68845 SecurityPkg Tcg2ConfigDxe: Force reset when PCR Allocation changed.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
2016-12-21 09:53:57 +08:00
Dandan Bi 149c104218 SecurityPkg/FmpAuthenticationLib: Fix Guid format issues
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2016-12-20 10:51:14 +08:00
Zhang, Chao B c0584d0bdd SecurityPkg: Tcg2Dxe: Report correct FinalEventLog size
Update debug log to report correct FinalEventLog size.

Cc: Yao Jiewen <jiewen.yao@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
2016-12-16 14:15:16 +08:00
Dandan Bi 26f7580566 SecurityPkg/OpalPasswordDxe: Make comments align with the function
Cc: Eric Dong <eric.dong@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
2016-12-14 21:34:37 +08:00
Dandan Bi 824abed53d SecurityPkg/FmpAuthenticationLibRsa2048Sha256: Fix Guid/pcd format issues
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2016-12-14 21:34:36 +08:00
Dandan Bi e0bb4c96e7 SecurityPkg/FmpAuthenticationLibPkcs7: Fix incorrect Guid format
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2016-12-14 21:34:36 +08:00
Dandan Bi 7f52d196db Security:Add info string to UNI file for PcdPkcs7CertBuffer
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2016-12-14 21:34:35 +08:00
Jiewen Yao dc756baeda SecurityPkg:/Tcg2Dxe: remove 4G limitation
Tcg2Dxe allocates event log below 4G. It is unnecessary.

Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Star Zeng <star.zeng@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2016-12-13 14:31:23 +08:00
Star Zeng 520150302c SecurityPkg Tcg2ConfigDxe: Align Attempt TPM Device help with options
Current options only have TPM 1.2 and TPM 2.0,
but help shows Disable, TPM1.2, or TPM2.0,
they are mismatched.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2016-11-28 16:21:25 +08:00
Star Zeng 4e3b05a49f SecurityPkg Tcg2ConfigDxe: Remove BlockSID actions and related strings
Tcg2ConfigDxe has no related code to handle BlockSID related actions
that have been covered by OpalPasswordDxe driver.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
2016-11-28 14:50:44 +08:00
Eric Dong 34c2ce6529 SecurityPkg OpalPasswordDxe: Use PP actions to enable BlockSID
Update the implementation to use PP BlockSID related actions.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2016-11-28 14:50:43 +08:00
Star Zeng e92ddda2b5 SecurityPkg Tcg2PPLib: Support BlockSID related actions
Then Tcg2PhysicalPresenceLib can support TCG2 PP TPM2,
storage management and vendor specific requests according
to Physical Presence Interface Specification.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
2016-11-28 14:50:42 +08:00
Star Zeng 7b9b576c71 SecurityPkg DxeTcg2PPLib: Lock Tcg2PhysicalPresenceFlags variable on S4
The code updates Tcg2PhysicalPresenceLibProcessRequest() to also lock
Tcg2PhysicalPresenceFlags variable on S4.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2016-11-23 16:56:18 +08:00
Eric Dong 252b891b2b Revert old "Enable BlockSid related PP actions" patch series.
New solution for this issue will be provided.

This reverts commits from d1947ce509
to bda034c34d.

Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
2016-11-23 16:30:03 +08:00
Hao Wu 36e9e3e8ea SecurityPkg Tcg2Dxe: ASSERT to ensure 'VarData' is not NULL
The logic in functions ReadAndMeasureVariable() and MeasureVariable()
within Tcg2Dxe ensure that 'VarData' will not be NULL before calling
TcgDxeHashLogExtendEvent() at line 1716.

This commit adds ASSERT as warnings for the case that will not happen.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
2016-11-22 16:31:58 +08:00
Hao Wu a8bcbf9c4d SecurityPkg TcgStorageCoreLib: ASSERT to ensure 'ByteSeq' is not NULL
Add ASSERT to make sure 'ByteSeq' is not NULL before comsumed by
CopyMem().

Cc: Eric Dong <eric.dong@intel.com>
Cc: Feng Tian <feng.tian@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Hao Wu <hao.a.wu@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2016-11-22 16:31:44 +08:00
Eric Dong 01dd077315 SecurityPkg OpalPasswordDxe: Clean PSID buffer.
Change callback handler type to avoid saving PSID info in
browser temp buffer. Also clean the buffer after using it.

Cc: Feng Tian <feng.tian@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
2016-11-21 15:37:57 +08:00
Eric Dong bee13c0021 SecurityPkg OpalPasswordDxe: Clean password buffer.
Cc: Feng Tian <feng.tian@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
2016-11-21 15:37:57 +08:00
Eric Dong bda034c34d SecurityPkg Tcg2Config: Remove the empty options.
The BlockSID actions not has code related to
them. Now we implement the BlockSID feature in
OpalPasswordDxe driver. So remove these actions
here.

Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
2016-11-21 15:37:56 +08:00
Eric Dong 9de81c126c SecurityPkg OpalPasswordDxe: Use PP actions to enable BlockSID.
Update the implementation, use physical presence defined actions to
update the BlockSid related status.

Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Cc: Feng Tian <feng.tian@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
2016-11-21 15:37:56 +08:00
Eric Dong 177dca331f SecurityPkg TcgSmm: Enable Storage actions.
After enable storage related actions in the
TcgPhysicalPresenceStorageLib, use this library to support
storage related actions in this driver.

Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
2016-11-21 15:37:56 +08:00
Eric Dong 509b0fe358 SecurityPkg SmmTcg2PhysicalPresenceLib: Enable Storage actions.
After enable storage related actions in the
TcgPhysicalPresenceStorageLib, use this library to support
storage related actions in this library.

Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
2016-11-21 15:37:55 +08:00
Eric Dong 182d8208a4 SecurityPkg DxeTcgPhysicalPresenceLib: Enable Storage actions.
After enable storage related actions in the
TcgPhysicalPresenceStorageLib, use this library to support
storage related actions in this library.

Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
2016-11-21 15:37:55 +08:00
Eric Dong d6b02b79b0 SecurityPkg DxeTcg2PhysicalPresenceLib: Enable Storage actions.
After enable storage related actions in the
TcgPhysicalPresenceStorageLib, use this library to support
storage related actions in this library.

Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
2016-11-21 15:37:54 +08:00
Eric Dong 63556485ed SecurityPkg: Add SmmTcgPhysicalPresenceStorageLib.
Tcg Physical Presence spec defined some actions used
for storage device. Add Smm version library to handles
these actions.

Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
2016-11-21 15:37:54 +08:00
Eric Dong b54946e0fc SecurityPkg: Add DxeTcgPhysicalPresenceStorageLib.
Tcg Physical Presence spec defined some actions used
for storage device. Add Dxe version library to handles
 these actions.

Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
2016-11-21 15:37:54 +08:00
Eric Dong 132b73dd5c SecurityPkg: Add header file for TcgPhysicalPresenceStorageLib.
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
2016-11-21 15:37:53 +08:00
Eric Dong d1947ce509 SecurityPkg: Add definition for Physical Presence storage flag.
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
2016-11-21 15:37:53 +08:00
Star Zeng 3cabe66b20 SecurityPkg Tcg2Pei: Add comments into LogHashEvent()
Add comments into LogHashEvent() to describe the usage
of GetDigestListSize (DigestList).

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2016-11-21 10:38:34 +08:00
Star Zeng a9f1b2e2d7 SecurityPkg Tcg2Dxe: Get correct digest list size
Current code uses GetDigestListSize(DigestList) to get
digest list size, that is incorrect.
The code should get digest list size of digests copied
into event2 log, those digests are compacted, so
GetDigestListBinSize() should be used.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2016-11-21 10:38:33 +08:00
Star Zeng ab5b1f31c2 SecurityPkg Tcg2Dxe: Filter inactive digest in event2 log from PEI HOB
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by : Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2016-11-21 10:38:32 +08:00
Star Zeng ae1a4284a0 SecurityPkg TPM2: Update desc for param Buffer of GetDigestListSize()
To make the description more clear, update the description
for parameter Buffer of GetDigestListSize() to
"Buffer to hold copied TPML_DIGEST_VALUES compact binary.".

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by : Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2016-11-21 10:38:31 +08:00
Star Zeng b8ae1f4de7 SecurityPkg TPM2: Add GetHashMaskFromAlgo() into Tpm2CommandLib
Add GetHashMaskFromAlgo() into Tpm2CommandLib for coming consumer.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by : Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
2016-11-21 10:38:31 +08:00
Star Zeng 697c30b157 SecurityPkg TPM2: Make IsHashAlgSupportedInHashAlgorithmMask external
Current IsHashAlgSupportedInHashAlgorithmMask is only an internal
function, this patch makes it external for coming consumer.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Jiewen Yao <jiewen.yao@intel.com>
Reviewed-by : Chao Zhang <chao.b.zhang@intel.com>
2016-11-21 10:38:30 +08:00