public inbox for devel@edk2.groups.io
* [Patch 0/3] SecurityPkg/Opal: Change BlockSid policy.
From: Dong, Eric @ 2019-05-07  8:00 UTC
  To: devel

This patch series includes:
1. For safety reasons, change the BlockSID default policy.
2. Change the time the BlockSID command is sent from ReadyToBoot to EndOfDxe.
3. Fix the "Enable Feature" menu disappearing issue.

Eric Dong (3):
  SecurityPkg/SecurityPkg.dec: Change default value.
  SecurityPkg/OpalPassword: Change send BlockSID policy.
  SecurityPkg/OpalPassword: Fix "Enable Feature" Menu disappear issue.

 .../Include/Library/Tcg2PhysicalPresenceLib.h |   3 +-
 SecurityPkg/SecurityPkg.dec                   |   2 +-
 .../Tcg/Opal/OpalPassword/OpalDriver.c        | 115 +++++++++---------
 .../Tcg/Opal/OpalPassword/OpalDriver.h        |   1 +
 SecurityPkg/Tcg/Opal/OpalPassword/OpalHii.c   |  46 +++++--
 SecurityPkg/Tcg/Opal/OpalPassword/OpalHii.h   |  15 +++
 6 files changed, 112 insertions(+), 70 deletions(-)

-- 
2.21.0.windows.1



* [Patch 1/3] SecurityPkg/SecurityPkg.dec: Change default value.
From: Dong, Eric @ 2019-05-07  8:00 UTC
  To: devel

For safety reasons, change the BlockSID default policy.

Signed-off-by: Eric Dong <eric.dong@intel.com>
---
 SecurityPkg/Include/Library/Tcg2PhysicalPresenceLib.h | 3 ++-
 SecurityPkg/SecurityPkg.dec                           | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/SecurityPkg/Include/Library/Tcg2PhysicalPresenceLib.h b/SecurityPkg/Include/Library/Tcg2PhysicalPresenceLib.h
index e08719003d..d8aedf1e4c 100644
--- a/SecurityPkg/Include/Library/Tcg2PhysicalPresenceLib.h
+++ b/SecurityPkg/Include/Library/Tcg2PhysicalPresenceLib.h
@@ -57,7 +57,8 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 // Default value
 //
 #define TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT (TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_BLOCK_SID | \
-                                                   TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_BLOCK_SID)
+                                                   TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_BLOCK_SID |\
+                                                   TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_ENABLE_BLOCK_SID)
 
 /**
   Check and execute the pending TPM request.
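Review bot: the continuation on the second macro line is written `|\` where the line above uses `| \`; match the existing spacing. More importantly, this turns Block SID Authentication on by default for every platform that takes the header default, and the only justification offered is "for safe concern". State in the header comment or the commit message what the flag buys: once BlockSID has been sent, an OS-level attacker can no longer use the MSID to take ownership of a still-unowned Opal drive after boot, and because PP_REQUIRED_FOR_DISABLE_BLOCK_SID stays set in the same default, switching it back off now requires a physical-presence confirmation. Platforms that provision Opal from the OS will have to override this default.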
diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
index 8d64b4fefe..edb31a1456 100644
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@@ -428,7 +428,7 @@
   # PCD can be configured for different settings in different scenarios
   # Default setting is TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT | TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT
   # @Prompt Initial setting of TCG2 Persistent Firmware Management Flags
-  gEfiSecurityPkgTokenSpaceGuid.PcdTcg2PhysicalPresenceFlags|0x300E2|UINT32|0x0001001B
+  gEfiSecurityPkgTokenSpaceGuid.PcdTcg2PhysicalPresenceFlags|0x700E2|UINT32|0x0001001B
 
   ## Indicate current TPM2 Interrupt Number reported by _CRS control method.<BR><BR>
   # TPM2 Interrupt feature is disabled If the pcd is set to 0.<BR>
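Review bot: the PCD literal is a hand-maintained copy of the header macro, so the commit message should say that the delta 0x300E2 -> 0x700E2 is exactly 0x40000, a single new bit (BIT18), matching the one flag added to TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT in the previous hunk; without that a reviewer cannot check the two stay in sync. Note also that the @Prompt on this PCD calls it the initial setting of a persistent flag set: systems that already have the flags stored from an earlier boot will not pick up the new default, so the behavioural change applies only at first provisioning unless the platform migrates the stored value.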
-- 
2.15.0.windows.1



* [Patch 2/3] SecurityPkg/OpalPassword: Change send BlockSID policy.
From: Dong, Eric @ 2019-05-07  8:00 UTC
  To: devel

Change the time the BlockSID command is sent from ReadyToBoot to EndOfDxe.

Signed-off-by: Eric Dong <eric.dong@intel.com>
---
 SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c | 104 +++++++++++--------------
 1 file changed, 46 insertions(+), 58 deletions(-)

diff --git a/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c b/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
index e3f5056953..a3d4350c67 100644
--- a/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
+++ b/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
@@ -574,6 +574,47 @@ BuildOpalDeviceInfoNvme (
   FreePool (DevInfoNvme);
 }
 
+/**
+
+  Send BlockSid command if needed.
+
+**/
+VOID
+SendBlockSidCommand (
+  VOID
+  )
+{
+  OPAL_DRIVER_DEVICE                         *Itr;
+  TCG_RESULT                                 Result;
+  OPAL_SESSION                               Session;
+  UINT32                                     PpStorageFlag;
+
+  PpStorageFlag = Tcg2PhysicalPresenceLibGetManagementFlags ();
+  if ((PpStorageFlag & TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_ENABLE_BLOCK_SID) != 0) {
+    //
+    // Send BlockSID command to each Opal disk
+    //
+    Itr = mOpalDriver.DeviceList;
+    while (Itr != NULL) {
+      if (Itr->OpalDisk.SupportedAttributes.BlockSid) {
+        ZeroMem(&Session, sizeof(Session));
+        Session.Sscp = Itr->OpalDisk.Sscp;
+        Session.MediaId = Itr->OpalDisk.MediaId;
+        Session.OpalBaseComId = Itr->OpalDisk.OpalBaseComId;
+
+        DEBUG ((DEBUG_INFO, "OpalPassword: EndOfDxe point, send BlockSid command to device!\n"));
+        Result = OpalBlockSid (&Session, TRUE);  // HardwareReset must always be TRUE
+        if (Result != TcgResultSuccess) {
+          DEBUG ((DEBUG_ERROR, "OpalBlockSid fail\n"));
+          break;
+        }
+      }
+
+      Itr = Itr->Next;
+    }
+  }
+}
+
 /**
   Notification function of EFI_END_OF_DXE_EVENT_GROUP_GUID event group.
 
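Review bot: on an OpalBlockSid failure the loop does `break`, so a single disk that rejects the command leaves every later disk in the list with SID authentication still open, which defeats the hardening this series enables by default; use `continue` so the remaining devices still get BlockSID, and put an identifier for the failing device into the DEBUG_ERROR message, which currently prints only "OpalBlockSid fail". The body is otherwise the removed ReadyToBootCallback with only the DEBUG string changed; say so in the commit message so reviewers can confirm it is a straight move.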
@@ -645,6 +686,11 @@ OpalEndOfDxeEventNotify (
     TmpDev = TmpDev->Next;
   }
 
+  //
+  // Send BlockSid command if needed.
+  //
+  SendBlockSidCommand ();
+
   DEBUG ((DEBUG_INFO, "%a() - exit\n", __FUNCTION__));
 
   gBS->CloseEvent (Event);
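Review bot: with the ReadyToBoot callback removed, this EndOfDxe notify is the only place BlockSID is ever sent, so an Opal device whose controller is connected (and therefore bound by this driver's Start) after EndOfDxe never receives it. Confirm that every Opal-capable controller is guaranteed to be in mOpalDriver.DeviceList by the time this notify runs, or send BlockSID from Start for devices bound after EndOfDxe using the same flag check. Moving the command to EndOfDxe is otherwise the right direction: it is now issued before any third-party drivers or boot loaders get to run.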
@@ -2368,53 +2414,6 @@ OpalDriverGetDeviceList(
   return mOpalDriver.DeviceList;
 }
 
-/**
-  ReadyToBoot callback to send BlockSid command.
-
-  @param  Event   Pointer to this event
-  @param  Context Event handler private Data
-
-**/
-VOID
-EFIAPI
-ReadyToBootCallback (
-  IN EFI_EVENT        Event,
-  IN VOID             *Context
-  )
-{
-  OPAL_DRIVER_DEVICE                         *Itr;
-  TCG_RESULT                                 Result;
-  OPAL_SESSION                               Session;
-  UINT32                                     PpStorageFlag;
-
-  gBS->CloseEvent (Event);
-
-  PpStorageFlag = Tcg2PhysicalPresenceLibGetManagementFlags ();
-  if ((PpStorageFlag & TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_ENABLE_BLOCK_SID) != 0) {
-    //
-    // Send BlockSID command to each Opal disk
-    //
-    Itr = mOpalDriver.DeviceList;
-    while (Itr != NULL) {
-      if (Itr->OpalDisk.SupportedAttributes.BlockSid) {
-        ZeroMem(&Session, sizeof(Session));
-        Session.Sscp = Itr->OpalDisk.Sscp;
-        Session.MediaId = Itr->OpalDisk.MediaId;
-        Session.OpalBaseComId = Itr->OpalDisk.OpalBaseComId;
-
-        DEBUG ((DEBUG_INFO, "OpalPassword: ReadyToBoot point, send BlockSid command to device!\n"));
-        Result = OpalBlockSid (&Session, TRUE);  // HardwareReset must always be TRUE
-        if (Result != TcgResultSuccess) {
-          DEBUG ((DEBUG_ERROR, "OpalBlockSid fail\n"));
-          break;
-        }
-      }
-
-      Itr = Itr->Next;
-    }
-  }
-}
-
 /**
   Stop this Controller.
 
@@ -2677,7 +2676,6 @@ EfiDriverEntryPoint(
   )
 {
   EFI_STATUS                     Status;
-  EFI_EVENT                      ReadyToBootEvent;
   EFI_EVENT                      EndOfDxeEvent;
 
   Status = EfiLibInstallDriverBindingComponentName2 (
@@ -2710,16 +2708,6 @@ EfiDriverEntryPoint(
                   );
   ASSERT_EFI_ERROR (Status);
 
-  //
-  // register a ReadyToBoot event callback for sending BlockSid command
-  //
-  Status = EfiCreateEventReadyToBootEx (
-                  TPL_CALLBACK,
-                  ReadyToBootCallback,
-                  (VOID *) &ImageHandle,
-                  &ReadyToBootEvent
-                  );
-
   //
   // Install Hii packages.
   //
-- 
2.15.0.windows.1



* [Patch 3/3] SecurityPkg/OpalPassword: Fix "Enable Feature" Menu disappear issue.
From: Dong, Eric @ 2019-05-07  8:00 UTC
  To: devel

After changing the behavior to send the BlockSID command at the EndOfDxe point,
the check-device-ownership command returns an authority error, which finally
causes the Opal driver to be unable to show the "Enable Feature" menu.

Update the code logic to send the detect-device-ownership command
before sending the BlockSID command.

Signed-off-by: Eric Dong <eric.dong@intel.com>
---
 SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c | 11 ++++++
 SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.h |  1 +
 SecurityPkg/Tcg/Opal/OpalPassword/OpalHii.c    | 46 ++++++++++++++++++++------
 SecurityPkg/Tcg/Opal/OpalPassword/OpalHii.h    | 15 +++++++++
 4 files changed, 63 insertions(+), 10 deletions(-)

diff --git a/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c b/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
index a3d4350c67..847749be66 100644
--- a/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
+++ b/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
@@ -608,6 +608,11 @@ SendBlockSidCommand (
           DEBUG ((DEBUG_ERROR, "OpalBlockSid fail\n"));
           break;
         }
+
+        //
+        // Record BlockSID command has been sent.
+        //
+        Itr->OpalDisk.SentBlockSID = TRUE;
       }
 
       Itr = Itr->Next;
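Review bot: SentBlockSID is set only after OpalBlockSid succeeds, which is right, but nothing in this series initialises it to FALSE; the new BOOLEAN in OPAL_DISK only starts out cleared if the containing OPAL_DRIVER_DEVICE is allocated zeroed. Please confirm that, or clear it explicitly in OpalDiskInitialize, because a stale TRUE makes OpalDiskUpdateOwnerShip return EFI_ACCESS_DENIED and hides the "Enable Feature" menu, the exact symptom this patch fixes. And since the loop still does `break` on failure, devices after a failing one are neither blocked nor marked.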
@@ -2310,6 +2315,12 @@ ProcessOpalRequest (
         ProcessOpalRequestEnableFeature (Dev, L"Enable Feature:");
       }
 
+      //
+      // Update Device ownership.
+      // Later BlockSID command may block the update.
+      //
+      OpalDiskUpdateOwnerShip (&Dev->OpalDisk);
+
       break;
     }
 
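Review bot: the return value of OpalDiskUpdateOwnerShip is dropped here. EFI_ACCESS_DENIED cannot occur at this point (BlockSID is sent later in the same notify), but EFI_INVALID_PARAMETER (MsidLength == 0) silently leaves Dev->OpalDisk.Owner stale; at minimum log non-success with DEBUG_ERROR. The comment would also say more as "The BlockSID command sent later in this notify will block this update", which states why the call has to sit before SendBlockSidCommand.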
diff --git a/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.h b/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.h
index 2bca770620..1b1e372c51 100644
--- a/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.h
+++ b/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.h
@@ -149,6 +149,7 @@ typedef struct {
   UINT8                                           Password[OPAL_MAX_PASSWORD_SIZE];
 
   UINT32                                          EstimateTimeCost;
+  BOOLEAN                                         SentBlockSID;           // Check whether BlockSid command has been sent.
 } OPAL_DISK;
 
 //
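Review bot: the field name mixes conventions with the rest of the code (`SupportedAttributes.BlockSid`, `SendBlockSidCommand`, `OpalBlockSid`); `SentBlockSid` would be consistent. The trailing `//` comment is also the only one of its kind in the visible part of the struct; a comment line above the field, e.g. `// TRUE once this driver has sent BlockSID to the device in this boot`, would document that this is per-boot state (BlockSID is cleared by a hardware reset, which is why OpalBlockSid is always called with HardwareReset TRUE).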
diff --git a/SecurityPkg/Tcg/Opal/OpalPassword/OpalHii.c b/SecurityPkg/Tcg/Opal/OpalPassword/OpalHii.c
index 4336604d0d..6587e0dd1a 100644
--- a/SecurityPkg/Tcg/Opal/OpalPassword/OpalHii.c
+++ b/SecurityPkg/Tcg/Opal/OpalPassword/OpalHii.c
@@ -1220,6 +1220,40 @@ OpalDiskInitialize (
   return OpalDiskUpdateStatus (&Dev->OpalDisk);
 }
 
+/**
+  Update the device ownship
+
+  @param OpalDisk                The Opal device.
+
+  @retval EFI_SUCESS             Get ownership success.
+  @retval EFI_ACCESS_DENIED      Has send BlockSID command, can't change ownership.
+  @retval EFI_INVALID_PARAMETER  Not get Msid info before get ownership info.
+
+**/
+EFI_STATUS
+OpalDiskUpdateOwnerShip (
+  OPAL_DISK        *OpalDisk
+  )
+{

+  OPAL_SESSION  Session;
+
+  if (OpalDisk->MsidLength == 0) {
+    return EFI_INVALID_PARAMETER;
+  }
+
+  if (OpalDisk->SentBlockSID) {
+    return EFI_ACCESS_DENIED;
+  }
+
+  ZeroMem(&Session, sizeof(Session));
+  Session.Sscp = OpalDisk->Sscp;
+  Session.MediaId = OpalDisk->MediaId;
+  Session.OpalBaseComId = OpalDisk->OpalBaseComId;
+
+  OpalDisk->Owner = OpalUtilDetermineOwnership(&Session, OpalDisk->Msid, OpalDisk->MsidLength);

+  return EFI_SUCCESS;
+}
+
 /**
   Update the device info.
 
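Review bot: the parameter lacks the `IN` qualifier edk2 prototypes use, the doc comment has "ownship" for "ownership" and "EFI_SUCESS" for "EFI_SUCCESS", and the EFI_ACCESS_DENIED text says "can't change ownership" when what actually happens is that ownership can no longer be determined (OpalUtilDetermineOwnership authenticates with the MSID, which is exactly what BlockSID forbids). On that path OpalDisk->Owner is left at whatever was last determined; that is the intended behaviour, but say so in the @retval so callers know the field is still usable. Also, as shown in this archive copy, the two blank lines inside the added body (before `OPAL_SESSION Session;` and before `return EFI_SUCCESS;`) carry no `+` prefix; check the patch applies cleanly.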
@@ -1228,6 +1262,7 @@ OpalDiskInitialize (
   @retval EFI_SUCESS             Initialize the device success.
   @retval EFI_DEVICE_ERROR       Get info from device failed.
   @retval EFI_INVALID_PARAMETER  Not get Msid info before get ownership info.
+  @retval EFI_ACCESS_DENIED      Has send BlockSID command, can't change ownership.
 
 **/
 EFI_STATUS
@@ -1248,15 +1283,6 @@ OpalDiskUpdateStatus (
     return EFI_DEVICE_ERROR;
   }
 
-  if (OpalDisk->MsidLength == 0) {
-    return EFI_INVALID_PARAMETER;
-  } else {
-    //
-    // Base on the Msid info to get the ownership, so Msid info must get first.
-    //
-    OpalDisk->Owner = OpalUtilDetermineOwnership(&Session, OpalDisk->Msid, OpalDisk->MsidLength);
-  }
-
-  return EFI_SUCCESS;
+  return OpalDiskUpdateOwnerShip (OpalDisk);
 }
 
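Review bot: OpalDiskUpdateStatus now propagates EFI_ACCESS_DENIED whenever it is called after BlockSID has been sent, even though the status fields it fetched above were refreshed successfully. Any caller that treats a non-success return as a device error (the @retval list had only EFI_DEVICE_ERROR and EFI_INVALID_PARAMETER before this series) will now report a failure on every post-EndOfDxe refresh; audit the callers, or have this function treat EFI_ACCESS_DENIED from OpalDiskUpdateOwnerShip as success with a stale Owner field.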
diff --git a/SecurityPkg/Tcg/Opal/OpalPassword/OpalHii.h b/SecurityPkg/Tcg/Opal/OpalPassword/OpalHii.h
index a4bb19ad60..6d01d3e614 100644
--- a/SecurityPkg/Tcg/Opal/OpalPassword/OpalHii.h
+++ b/SecurityPkg/Tcg/Opal/OpalPassword/OpalHii.h
@@ -385,4 +385,19 @@ OpalDiskInitialize (
   IN OPAL_DRIVER_DEVICE          *Dev
   );
 
+/**
+  Update the device ownership
+
+  @param OpalDisk                The Opal device.
+
+  @retval EFI_SUCESS             Get ownership success.
+  @retval EFI_ACCESS_DENIED      Has send BlockSID command, can't change ownership.
+  @retval EFI_INVALID_PARAMETER  Not get Msid info before get ownership info.
+
+**/
+EFI_STATUS
+OpalDiskUpdateOwnerShip (
+  OPAL_DISK        *OpalDisk
+  );
+
 #endif // _HII_H_
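Review bot: this prototype duplicates the doc comment from OpalHii.c, including the "EFI_SUCESS" misspelling and the missing `IN` on the parameter; fix both places together. The two copies already differ ("ownship" in the .c, "ownership" here), which is the usual sign that the doc block will drift; keep them identical.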
-- 
2.15.0.windows.1


