public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
* [PATCH] SecurityPkg/HddPassword: Add a PCD to skip Hdd password prompt
@ 2019-06-10 10:19 Maggie Chu
  2019-06-12  1:16 ` Dong, Eric
  0 siblings, 1 reply; 2+ messages in thread
From: Maggie Chu @ 2019-06-10 10:19 UTC (permalink / raw)
  To: devel; +Cc: Chao Zhang, Jiewen Yao, Eric Dong

https://bugzilla.tianocore.org/show_bug.cgi?id=1876
Add a PCD for skipping Hdd password prompt.
If device is in the locked status while attempting to skip
password prompt, device will keep locked and system
continue to boot.
If device is in the unlocked status while attempting to skip
password prompt, system will be forced shutdown.

Signed-off-by: Maggie Chu <maggie.chu@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
---
 SecurityPkg/HddPassword/HddPasswordDxe.c   | 16 ++++++++++++++++
 SecurityPkg/HddPassword/HddPasswordDxe.inf |  4 ++++
 SecurityPkg/SecurityPkg.dec                |  6 ++++++
 3 files changed, 26 insertions(+)

diff --git a/SecurityPkg/HddPassword/HddPasswordDxe.c b/SecurityPkg/HddPassword/HddPasswordDxe.c
index 253af9f78f..b0d795b659 100644
--- a/SecurityPkg/HddPassword/HddPasswordDxe.c
+++ b/SecurityPkg/HddPassword/HddPasswordDxe.c
@@ -1345,6 +1345,22 @@ HddPasswordRequestPassword (
   //
   if ((ConfigFormEntry->IfrData.SecurityStatus.Supported) &&
       (ConfigFormEntry->IfrData.SecurityStatus.Enabled)) {
+
+     //
+     // Add PcdSkipHddPasswordPrompt to determin whether to skip password prompt.
+     // Due to board design, device may not power off during system warm boot, which result in
+     // security status remain unlocked status, hence we add device security status check here.
+     //
+     // If device is in the locked status, device keeps locked and system continues booting.
+     // If device is in the unlocked status, system is forced shutdown for security concern.
+     //
+     if (PcdGetBool (PcdSkipHddPasswordPrompt)) {
+       if (ConfigFormEntry->IfrData.SecurityStatus.Locked) {
+         return;
+       } else {
+         gRT->ResetSystem (EfiResetShutdown, EFI_SUCCESS, 0, NULL);
+       }
+    }
     //
     // As soon as the HDD password is in enabled state, we pop up a window to unlock hdd
     // no matter it's really in locked or unlocked state.
diff --git a/SecurityPkg/HddPassword/HddPasswordDxe.inf b/SecurityPkg/HddPassword/HddPasswordDxe.inf
index f7550079ed..06e8755ffc 100644
--- a/SecurityPkg/HddPassword/HddPasswordDxe.inf
+++ b/SecurityPkg/HddPassword/HddPasswordDxe.inf
@@ -34,6 +34,7 @@
   MdePkg/MdePkg.dec
   MdeModulePkg/MdeModulePkg.dec
   CryptoPkg/CryptoPkg.dec
+  SecurityPkg/SecurityPkg.dec
 
 [LibraryClasses]
   BaseLib
@@ -64,6 +65,9 @@
   gEfiPciIoProtocolGuid                         ## CONSUMES
   gEdkiiVariableLockProtocolGuid                ## CONSUMES
 
+[Pcd]
+  gEfiSecurityPkgTokenSpaceGuid.PcdSkipHddPasswordPrompt  ## CONSUMES
+
 [Depex]
   gEfiVariableWriteArchProtocolGuid
 
diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
index 3314f1854b..82929fe38e 100644
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@@ -428,6 +428,12 @@
   # @Prompt Skip Opal DXE driver unlock device flow.
   gEfiSecurityPkgTokenSpaceGuid.PcdSkipOpalDxeUnlock|FALSE|BOOLEAN|0x00010020
 
+  ## Indicates if Hdd Password driver skip password prompt.<BR><BR>
+  #   TRUE  - Skip password prompt.<BR>
+  #   FALSE - Does not skip password prompt.<BR>
+  # @Prompt Skip Hdd Password prompt.
+  gEfiSecurityPkgTokenSpaceGuid.PcdSkipHddPasswordPrompt|FALSE|BOOLEAN|0x00010021
+
 [PcdsDynamic, PcdsDynamicEx]
 
   ## This PCD indicates Hash mask for TPM 2.0. Bit definition strictly follows TCG Algorithm Registry.<BR><BR>
-- 
2.16.2.windows.1


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] SecurityPkg/HddPassword: Add a PCD to skip Hdd password prompt
  2019-06-10 10:19 [PATCH] SecurityPkg/HddPassword: Add a PCD to skip Hdd password prompt Maggie Chu
@ 2019-06-12  1:16 ` Dong, Eric
  0 siblings, 0 replies; 2+ messages in thread
From: Dong, Eric @ 2019-06-12  1:16 UTC (permalink / raw)
  To: Chu, Maggie, devel@edk2.groups.io; +Cc: Zhang, Chao B, Yao, Jiewen

Hi Maggie,

Reviewed-by: Eric Dong <eric.dong@intel.com>

And pushed: 9e2416ae2e1d26c6e6daa58353de519745bb322d

Thanks,
Eric

> -----Original Message-----
> From: Chu, Maggie
> Sent: Monday, June 10, 2019 6:19 PM
> To: devel@edk2.groups.io
> Cc: Zhang, Chao B <chao.b.zhang@intel.com>; Yao, Jiewen
> <jiewen.yao@intel.com>; Dong, Eric <eric.dong@intel.com>
> Subject: [PATCH] SecurityPkg/HddPassword: Add a PCD to skip Hdd
> password prompt
> 
> https://bugzilla.tianocore.org/show_bug.cgi?id=1876
> Add a PCD for skipping Hdd password prompt.
> If device is in the locked status while attempting to skip password prompt,
> device will keep locked and system continue to boot.
> If device is in the unlocked status while attempting to skip password prompt,
> system will be forced shutdown.
> 
> Signed-off-by: Maggie Chu <maggie.chu@intel.com>
> Cc: Chao Zhang <chao.b.zhang@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Eric Dong <eric.dong@intel.com>
> ---
>  SecurityPkg/HddPassword/HddPasswordDxe.c   | 16 ++++++++++++++++
>  SecurityPkg/HddPassword/HddPasswordDxe.inf |  4 ++++
>  SecurityPkg/SecurityPkg.dec                |  6 ++++++
>  3 files changed, 26 insertions(+)
> 
> diff --git a/SecurityPkg/HddPassword/HddPasswordDxe.c
> b/SecurityPkg/HddPassword/HddPasswordDxe.c
> index 253af9f78f..b0d795b659 100644
> --- a/SecurityPkg/HddPassword/HddPasswordDxe.c
> +++ b/SecurityPkg/HddPassword/HddPasswordDxe.c
> @@ -1345,6 +1345,22 @@ HddPasswordRequestPassword (
>    //
>    if ((ConfigFormEntry->IfrData.SecurityStatus.Supported) &&
>        (ConfigFormEntry->IfrData.SecurityStatus.Enabled)) {
> +
> +     //
> +     // Add PcdSkipHddPasswordPrompt to determin whether to skip
> password prompt.
> +     // Due to board design, device may not power off during system warm
> boot, which result in
> +     // security status remain unlocked status, hence we add device security
> status check here.
> +     //
> +     // If device is in the locked status, device keeps locked and system
> continues booting.
> +     // If device is in the unlocked status, system is forced shutdown for
> security concern.
> +     //
> +     if (PcdGetBool (PcdSkipHddPasswordPrompt)) {
> +       if (ConfigFormEntry->IfrData.SecurityStatus.Locked) {
> +         return;
> +       } else {
> +         gRT->ResetSystem (EfiResetShutdown, EFI_SUCCESS, 0, NULL);
> +       }
> +    }
>      //
>      // As soon as the HDD password is in enabled state, we pop up a window
> to unlock hdd
>      // no matter it's really in locked or unlocked state.
> diff --git a/SecurityPkg/HddPassword/HddPasswordDxe.inf
> b/SecurityPkg/HddPassword/HddPasswordDxe.inf
> index f7550079ed..06e8755ffc 100644
> --- a/SecurityPkg/HddPassword/HddPasswordDxe.inf
> +++ b/SecurityPkg/HddPassword/HddPasswordDxe.inf
> @@ -34,6 +34,7 @@
>    MdePkg/MdePkg.dec
>    MdeModulePkg/MdeModulePkg.dec
>    CryptoPkg/CryptoPkg.dec
> +  SecurityPkg/SecurityPkg.dec
> 
>  [LibraryClasses]
>    BaseLib
> @@ -64,6 +65,9 @@
>    gEfiPciIoProtocolGuid                         ## CONSUMES
>    gEdkiiVariableLockProtocolGuid                ## CONSUMES
> 
> +[Pcd]
> +  gEfiSecurityPkgTokenSpaceGuid.PcdSkipHddPasswordPrompt  ##
> CONSUMES
> +
>  [Depex]
>    gEfiVariableWriteArchProtocolGuid
> 
> diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index
> 3314f1854b..82929fe38e 100644
> --- a/SecurityPkg/SecurityPkg.dec
> +++ b/SecurityPkg/SecurityPkg.dec
> @@ -428,6 +428,12 @@
>    # @Prompt Skip Opal DXE driver unlock device flow.
> 
> gEfiSecurityPkgTokenSpaceGuid.PcdSkipOpalDxeUnlock|FALSE|BOOLEAN|0
> x00010020
> 
> +  ## Indicates if Hdd Password driver skip password prompt.<BR><BR>
> +  #   TRUE  - Skip password prompt.<BR>
> +  #   FALSE - Does not skip password prompt.<BR>
> +  # @Prompt Skip Hdd Password prompt.
> +
> +
> gEfiSecurityPkgTokenSpaceGuid.PcdSkipHddPasswordPrompt|FALSE|BOOLE
> AN|0
> + x00010021
> +
>  [PcdsDynamic, PcdsDynamicEx]
> 
>    ## This PCD indicates Hash mask for TPM 2.0. Bit definition strictly follows
> TCG Algorithm Registry.<BR><BR>
> --
> 2.16.2.windows.1


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2019-06-12  1:16 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-06-10 10:19 [PATCH] SecurityPkg/HddPassword: Add a PCD to skip Hdd password prompt Maggie Chu
2019-06-12  1:16 ` Dong, Eric

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox