The BlockSid feature is not depend on lock status,
so move the send BlockSid command out of unlock process.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Feng Tian <feng.tian@intel.com>
BlockSid feature can be retrieve from the header info.
Update the logic, check BlockSid capability before use it.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Feng Tian <feng.tian@intel.com>
Not all opal device support BlockSid feature. So Add
code logic to check the capability before send BlockSid
command.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Feng Tian <feng.tian@intel.com>
The BlockSid feature is a global level feature instead
of device level feature. So move the menu from device page
to the main page.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Feng Tian <feng.tian@intel.com>
Check the BlockSid feature capability through check
BlockSid header in the DiscoveryHeader.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Feng Tian <feng.tian@intel.com>
The ComId for Block SID authentication command is
0x0005 according to "TCG Storage Feature Set: Block
SID Authentication Specification Version 1.0.0". Update code to
follow this spec requirement.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Feng Tian <feng.tian@intel.com>
Disable SecureBoot Enable/Disable feature when PhysicalPresence is not available,
Since SecureBootEnable is protected with PhysicalPresence.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Change design to always install opal menu.
Current implementation only install menu when device connect.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Feng Tian <feng.tian@intel.com>
Remove SecureBoot UI support for Customized SecureBoot Mode transition according to Mantis 1263.
The feature has been moved to
https://github.com/tianocore/edk2-staging/tree/Customized-Secure-Boot
Previous check-in hash is
SHA-1: 96832eefea
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: El-Haj-Mahmoud Samer <samer.el-haj-mahmoud@hpe.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Remove Customized SecureBoot Mode transition logic for Mantis 1263, including AuditMode/DeployedMode/PK update management.
Also remove image verification logic in AuditMode.
The feature has been moved to
https://github.com/tianocore/edk2-staging/tree/Customized-Secure-Boot
Previous check-in hash is
SHA-1: 4fc08e8d68
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: El-Haj-Mahmoud Samer <samer.el-haj-mahmoud@hpe.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Remove gEdkiiSecureBootModeGuid definition for Customized Secure Boot feature defined in
UEFI2.5 Mantis 1263. It is a private variable GUID.
The feature has been moved to
https://github.com/tianocore/edk2-staging/tree/Customized-Secure-Boot
Previous check-in hash is
SHA-1: af9af05bec
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: El-Haj-Mahmoud Samer <samer.el-haj-mahmoud@hpe.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
Update the TCG Spec in the the EFI_TCG_SERVER_ACPI_TABLE from TCG 1.0 to
TCG 1.2
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Samer El-Haj-Mahmoud <elhaj@hpe.com>
Signed-off-by: Derek Lin <derek.lin2@hpe.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
Reduce several DEBUG messages verbosity from INFO to VERBOSE, so that will not see debug message around each driver loading when TPM 2.0 part present.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Derek Lin <derek.lin2@hpe.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
Fix Tpm12NvWriteValue() command/response length byte order.
Tpm12SubmitCommand() was using the value from Command.Hdr.paramSize
which was swapped to be Big Endian, but the function was
expecting it in UINT32 Little Endian
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Samer El-Haj-Mahmoud <elhaj@hpe.com>
Signed-off-by: Derek Lin <derek.lin2@hpe.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
Add DEBUG messages for TPM12Startup to distinguish between TPM_SUCCESS
and
TPM_INVALID_POSTINIT. This helps debugging some hardware problems.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Samer El-Haj-Mahmoud <elhaj@hpe.com>
Signed-off-by: Derek Lin <derek.lin2@hpe.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
Add DEBUG messages for TPM2Startup to distinguish between TPM_RC_SUCCESS
and TPM_RC_INITIALIZE. This helps debugging some hardware problems.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Samer El-Haj-Mahmoud <elhaj@hpe.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
This patch enhance OPAL password SMM driver to check SMM bar is valid MMIO
besides outside of SMRAM.
This is designed to meet Microsoft WSMT table definition on FIXED_COMM_BUFFERS
requirement.
Cc: Eric Dong <eric.dong@intel.com>
Cc: Feng Tian <feng.tian@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Feng Tian <feng.tian@intel.com>
This patch enhance OPAL password lib SMM communication by using fixed
SMM communication buffer.
Update OPAL password lib to consume EDKII_PI_SMM_COMMUNICATION_REGION_TABLE
as fixed communication buffer for SMM communication.
This is designed to meet Microsoft WSMT table definition on FIXED_COMM_BUFFERS
requirement.
Cc: Eric Dong <eric.dong@intel.com>
Cc: Feng Tian <feng.tian@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Feng Tian <feng.tian@intel.com>
In image verification, if image verified pass in DBT, still need to verify if it is blocked by any other cert/cert hash from DBX.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Long Qin <qin.long@intel.com>
Reviewed-by: Dick Wilkins <dick_wilkins@phoenix.com>
Revert previous fix in AuthVariable driver init which breaks SecureBootEnable original behavior. Add more error handling logic in SecureBootConfigDxe to prevent wrong display info when SecureBootEnable & PK inconsistency happens.
Commit hash for the reverted patch in AuthVariable driver is
SHA-1: a6811666b0
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Fu Siyuan <siyuan.fu@intel.com>
According to current Pyrite SSC Spec 1.00, there is no parameter
for RevertSP method. So suppress KeepUserData option for the
Pyrite Ssc type device.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Feng Tian <feng.tian@intel.com>
Check the pointer before use it to make the code more safely.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Feng Tian <feng.tian@intel.com>
TempBuf in SetupEventLog needs to include sizeof(UINT32) to hold NumberOfAlgorithms.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Thomas Palmer <thomas.palmer@hpe.com>
Reviewed-by: Yao Jiewen <jiewen.yao@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: El-Haj-Mahmoud Samer <samer.el-haj-mahmoud@hpe.com>
This driver used to unlock device in S3 resume phase.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Feng Tian <feng.tian@intel.com>
This driver used to enables opal feature in bios.
It adds setup menu and unlock device process in boot phase.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Feng Tian <feng.tian@intel.com>
APIs used to support opal password solution to trig opal command.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Feng Tian <feng.tian@intel.com>
Library APIs used to create commands defined by TCG storage opal spec.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Feng Tian <feng.tian@intel.com>
APIs used to create commands defined by TCG storage core spec.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Feng Tian <feng.tian@intel.com>
The type casting in the ChooseFile is not necessary and it actually
hid the incompatible handlers from the compiler.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Dandan Bi <dandan.bi@intel.com>
The SecureBootConfig now uses ChooseFile() from FileExplorerLib
to select the certificates to be enrolled into PK, KEK, DB, DBX,
or DBT, and the corresponding handlers to get the content of the
file. Per the definition of CHOOSE_HANDLER, the handler must use
EFIAPI as the calling convention. However, the calling convention
was not specified the following handlers: UpdatePKFromFile(),
UpdateKEKFromFile(), UpdateDBFromFile(), UpdateDBXFromFile(), and
UpdateDBTFromFile(). When compiling the firmware with gcc, the
default calling convention is not compatible with EFIAPI, so the
handlers interpreted the argument the wrong way and passed the
wrong device path to UpdatePage(), and the system crashed when
the user tried to enroll a certificate into the key database.
This commit specifies the calling convention for those functions
so that gcc can generate the right code.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Dandan Bi <dandan.bi@intel.com>
Some commands in DxeTcg2PhysicalPresenceLib accept
AuthSession as input parameter and copy to local
command buffer. After use, this AuthSession content
should be zeroed, because there might be some secrete
there.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: "Yao, Jiewen" <jiewen.yao@intel.com>
Reviewed-by: "Zhang, Chao B" <chao.b.zhang@intel.com>
Tpm2Ptp.c is library, but it miss Tpm2 prefix for
IsPtpPresence() and GetPtpInterface(). There might
be risk as name symbol conflict. This patch adds Tpm2
prefix for them.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: "Yao, Jiewen" <Jiewen.Yao@intel.com>
Reviewed-by: "Zhang, Chao B" <chao.b.zhang@intel.com>
Tested-by: "Wu, Hao A" <hao.a.wu@intel.com>
Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunction()
has check if current request is same as previous.
But it forget check RequestParameter, which causes
second request fail to process, if RequestParameter
is different.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: "Yao, Jiewen" <Jiewen.Yao@intel.com>
Reviewed-by: "Zhang, Chao B" <chao.b.zhang@intel.com>
The function AllocateCopyPool may return NULL, so need to do check
after calling it. This patch is to enhance the related logic.
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Qiu Shumin <shumin.qiu@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
Using existing library FileExplorerLib to replace the same
logic in SecureBootConfigDxe to make the code clear. After using
FileExplorerLib, the UI behavior for enroll PK will change,
previously when select one PK file, commit/discard changes will
return to Device Manager,press ESC will return to FileExplorer.
Now using FileExplorerLib the behavior will keep same with
enroll KEK/DB/..., commit/discard changes will return to Custom
Secure Boot Options form and ESC will return to PK options form.
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Laszlo Ersek <lersek@redhat.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Dandan Bi <dandan.bi@intel.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
Eric Dong
Zhang, Chao B
Samer El-Haj-Mahmoud
Derek Lin
Liming Gao
Gary Lin
Jiewen Yao
Dandan Bi