From: "Yao, Jiewen" <jiewen.yao@intel.com>
To: "Zeng, Star" <star.zeng@intel.com>,
"edk2-devel@lists.01.org" <edk2-devel@lists.01.org>
Cc: "Zhang, Chao B" <chao.b.zhang@intel.com>,
"Dong, Eric" <eric.dong@intel.com>
Subject: Re: [PATCH 1/3] SecurityPkg Tcg2PPLib: Support BlockSID related actions
Date: Thu, 24 Nov 2016 12:23:21 +0000 [thread overview]
Message-ID: <74D8A39837DF1E4DA445A8C0B3885C50386DA49E@shsmsx102.ccr.corp.intel.com> (raw)
In-Reply-To: <1479978844-101272-2-git-send-email-star.zeng@intel.com>
Reviewed-by: Jiewen.yao@intel.com
> -----Original Message-----
> From: Zeng, Star
> Sent: Thursday, November 24, 2016 5:14 PM
> To: edk2-devel@lists.01.org
> Cc: Zeng, Star <star.zeng@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>;
> Zhang, Chao B <chao.b.zhang@intel.com>; Dong, Eric <eric.dong@intel.com>
> Subject: [PATCH 1/3] SecurityPkg Tcg2PPLib: Support BlockSID related actions
>
> Then Tcg2PhysicalPresenceLib can support TCG2 PP TPM2,
> storage management and vendor specific requests according
> to Physical Presence Interface Specification.
>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Chao Zhang <chao.b.zhang@intel.com>
> Cc: Eric Dong <eric.dong@intel.com>
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Star Zeng <star.zeng@intel.com>
> ---
> .../Include/Library/Tcg2PhysicalPresenceLib.h | 7 +
> .../DxeTcg2PhysicalPresenceLib.c | 241
> +++++++++++++++------
> .../PeiTcg2PhysicalPresenceLib.c | 4 +-
> .../SmmTcg2PhysicalPresenceLib.c | 41 +++-
> 4 files changed, 217 insertions(+), 76 deletions(-)
>
> diff --git a/SecurityPkg/Include/Library/Tcg2PhysicalPresenceLib.h
> b/SecurityPkg/Include/Library/Tcg2PhysicalPresenceLib.h
> index 910da7a288b1..3e446acab221 100644
> --- a/SecurityPkg/Include/Library/Tcg2PhysicalPresenceLib.h
> +++ b/SecurityPkg/Include/Library/Tcg2PhysicalPresenceLib.h
> @@ -43,6 +43,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF
> ANY KIND, EITHER EXPRESS OR IMPLIED.
> //
> #define
> TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_
> BLOCK_SID BIT16
> #define
> TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_
> BLOCK_SID BIT17
> +#define TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_ENABLE_BLOCK_SID
> BIT18
>
> //
> // Default value
> @@ -52,6 +53,12 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF
> ANY KIND, EITHER EXPRESS OR IMPLIED.
>
> TCG2_BIOS_TPM_MANAGEMENT_FLAG_PP_REQUIRED_FOR_CHANGE_EPS
> | \
>
> TCG2_BIOS_TPM_MANAGEMENT_FLAG_PP_REQUIRED_FOR_CHANGE_PCR
> S)
>
> +//
> +// Default value
> +//
> +#define TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT
> (TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_
> BLOCK_SID | \
> +
> TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_
> BLOCK_SID)
> +
> /**
> Check and execute the pending TPM request.
>
> diff --git
> a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenc
> eLib.c
> b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenc
> eLib.c
> index bfecffa0fed8..a077b03a4d2b 100644
> ---
> a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenc
> eLib.c
> +++
> b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenc
> eLib.c
> @@ -163,9 +163,6 @@ Tcg2ExecutePhysicalPresence (
> EFI_TCG2_EVENT_ALGORITHM_BITMAP TpmHashAlgorithmBitmap;
> UINT32 ActivePcrBanks;
>
> - Status = Tpm2GetCapabilitySupportedAndActivePcrs
> (&TpmHashAlgorithmBitmap, &ActivePcrBanks);
> - ASSERT_EFI_ERROR (Status);
> -
> switch (CommandCode) {
> case TCG2_PHYSICAL_PRESENCE_CLEAR:
> case TCG2_PHYSICAL_PRESENCE_ENABLE_CLEAR:
> @@ -187,6 +184,8 @@ Tcg2ExecutePhysicalPresence (
> return TCG_PP_OPERATION_RESPONSE_SUCCESS;
>
> case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS:
> + Status = Tpm2GetCapabilitySupportedAndActivePcrs
> (&TpmHashAlgorithmBitmap, &ActivePcrBanks);
> + ASSERT_EFI_ERROR (Status);
> Status = Tpm2PcrAllocateBanks (PlatformAuth,
> TpmHashAlgorithmBitmap, CommandParameter);
> if (EFI_ERROR (Status)) {
> return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
> @@ -203,6 +202,8 @@ Tcg2ExecutePhysicalPresence (
> }
>
> case TCG2_PHYSICAL_PRESENCE_LOG_ALL_DIGESTS:
> + Status = Tpm2GetCapabilitySupportedAndActivePcrs
> (&TpmHashAlgorithmBitmap, &ActivePcrBanks);
> + ASSERT_EFI_ERROR (Status);
> Status = Tpm2PcrAllocateBanks (PlatformAuth,
> TpmHashAlgorithmBitmap, TpmHashAlgorithmBitmap);
> if (EFI_ERROR (Status)) {
> return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
> @@ -210,6 +211,30 @@ Tcg2ExecutePhysicalPresence (
> return TCG_PP_OPERATION_RESPONSE_SUCCESS;
> }
>
> + case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID:
> + PpiFlags->PPFlags |=
> TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_ENABLE_BLOCK_SID;
> + return TCG_PP_OPERATION_RESPONSE_SUCCESS;
> +
> + case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID:
> + PpiFlags->PPFlags &=
> ~TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_ENABLE_BLOCK_SID;
> + return TCG_PP_OPERATION_RESPONSE_SUCCESS;
> +
> + case
> TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_
> FUNC_TRUE:
> + PpiFlags->PPFlags |=
> TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_
> BLOCK_SID;
> + return TCG_PP_OPERATION_RESPONSE_SUCCESS;
> +
> + case
> TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_
> FUNC_FALSE:
> + PpiFlags->PPFlags &=
> ~TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE
> _BLOCK_SID;
> + return TCG_PP_OPERATION_RESPONSE_SUCCESS;
> +
> + case
> TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_
> FUNC_TRUE:
> + PpiFlags->PPFlags |=
> TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_
> BLOCK_SID;
> + return TCG_PP_OPERATION_RESPONSE_SUCCESS;
> +
> + case
> TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_
> FUNC_FALSE:
> + PpiFlags->PPFlags &=
> ~TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE
> _BLOCK_SID;
> + return TCG_PP_OPERATION_RESPONSE_SUCCESS;
> +
> default:
> if (CommandCode <=
> TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX) {
> return TCG_PP_OPERATION_RESPONSE_SUCCESS;
> @@ -339,22 +364,6 @@ Tcg2UserConfirm (
> EFI_TCG2_BOOT_SERVICE_CAPABILITY ProtocolCapability;
> UINT32 CurrentPCRBanks;
> EFI_STATUS Status;
> -
> - Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **)
> &Tcg2Protocol);
> - ASSERT_EFI_ERROR (Status);
> -
> - ProtocolCapability.Size = sizeof(ProtocolCapability);
> - Status = Tcg2Protocol->GetCapability (
> - Tcg2Protocol,
> - &ProtocolCapability
> - );
> - ASSERT_EFI_ERROR (Status);
> -
> - Status = Tcg2Protocol->GetActivePcrBanks (
> - Tcg2Protocol,
> - &CurrentPCRBanks
> - );
> - ASSERT_EFI_ERROR (Status);
>
> TmpStr2 = NULL;
> CautionKey = FALSE;
> @@ -363,6 +372,9 @@ Tcg2UserConfirm (
> ConfirmText = AllocateZeroPool (BufSize);
> ASSERT (ConfirmText != NULL);
>
> + mTcg2PpStringPackHandle = HiiAddPackages
> (&gEfiTcg2PhysicalPresenceGuid, gImageHandle,
> DxeTcg2PhysicalPresenceLibStrings, NULL);
> + ASSERT (mTcg2PpStringPackHandle != NULL);
> +
> switch (TpmPpCommand) {
>
> case TCG2_PHYSICAL_PRESENCE_CLEAR:
> @@ -404,6 +416,22 @@ Tcg2UserConfirm (
> break;
>
> case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS:
> + Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID
> **) &Tcg2Protocol);
> + ASSERT_EFI_ERROR (Status);
> +
> + ProtocolCapability.Size = sizeof(ProtocolCapability);
> + Status = Tcg2Protocol->GetCapability (
> + Tcg2Protocol,
> + &ProtocolCapability
> + );
> + ASSERT_EFI_ERROR (Status);
> +
> + Status = Tcg2Protocol->GetActivePcrBanks (
> + Tcg2Protocol,
> + &CurrentPCRBanks
> + );
> + ASSERT_EFI_ERROR (Status);
> +
> CautionKey = TRUE;
> TmpStr2 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN
> (TPM_SET_PCR_BANKS));
>
> @@ -449,7 +477,40 @@ Tcg2UserConfirm (
> FreePool (TmpStr1);
>
> break;
> -
> +
> + case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID:
> + TmpStr2 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN
> (TCG_STORAGE_ENABLE_BLOCK_SID));
> +
> + TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN
> (TCG_STORAGE_HEAD_STR));
> + UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2);
> + FreePool (TmpStr1);
> + break;
> +
> + case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID:
> + TmpStr2 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN
> (TCG_STORAGE_DISABLE_BLOCK_SID));
> +
> + TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN
> (TCG_STORAGE_HEAD_STR));
> + UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2);
> + FreePool (TmpStr1);
> + break;
> +
> + case
> TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_
> FUNC_FALSE:
> + NoPpiInfo = TRUE;
> + TmpStr2 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN
> (TCG_STORAGE_PP_ENABLE_BLOCK_SID));
> +
> + TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN
> (TCG_STORAGE_PPI_HEAD_STR));
> + UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2);
> + FreePool (TmpStr1);
> + break;
> +
> + case
> TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_
> FUNC_FALSE:
> + NoPpiInfo = TRUE;
> + TmpStr2 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN
> (TCG_STORAGE_PP_DISABLE_BLOCK_SID));
> +
> + TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN
> (TCG_STORAGE_PPI_HEAD_STR));
> + UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2);
> + FreePool (TmpStr1);
> + break;
>
> default:
> ;
> @@ -505,6 +566,7 @@ Tcg2UserConfirm (
> FreePool (TmpStr1);
> FreePool (TmpStr2);
> FreePool (ConfirmText);
> + HiiRemovePackages (mTcg2PpStringPackHandle);
>
> if (Tcg2ReadUserKey (CautionKey)) {
> return TRUE;
> @@ -519,10 +581,10 @@ Tcg2UserConfirm (
>
> @param[in] TcgPpData EFI Tcg2 Physical
> Presence request data.
> @param[in] Flags The physical presence
> interface flags.
> - @param[out] RequestConfirmed If the physical presence
> operation command required user confirm from UI.
> - True, it indicates the
> command doesn't require user confirm, or already confirmed
> - in last boot
> cycle by user.
> - False, it indicates
> the command need user confirm from UI.
> + @param[out] RequestConfirmed If the physical presence
> operation command required user confirm from UI.
> + True, it indicates the
> command doesn't require user confirm, or already confirmed
> + in last boot
> cycle by user.
> + False, it indicates the
> command need user confirm from UI.
>
> @retval TRUE Physical Presence operation command is
> valid.
> @retval FALSE Physical Presence operation command is
> invalid.
> @@ -535,10 +597,22 @@ Tcg2HaveValidTpmRequest (
> OUT BOOLEAN *RequestConfirmed
> )
> {
> - BOOLEAN IsRequestValid;
> + EFI_TCG2_PROTOCOL *Tcg2Protocol;
> + EFI_STATUS Status;
> + BOOLEAN IsRequestValid;
>
> *RequestConfirmed = FALSE;
>
> + if (TcgPpData->PPRequest <=
> TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX) {
> + //
> + // Need TCG2 protocol.
> + //
> + Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID
> **) &Tcg2Protocol);
> + if (EFI_ERROR (Status)) {
> + return FALSE;
> + }
> + }
> +
> switch (TcgPpData->PPRequest) {
> case TCG2_PHYSICAL_PRESENCE_NO_ACTION:
> *RequestConfirmed = TRUE;
> @@ -576,6 +650,27 @@ Tcg2HaveValidTpmRequest (
> *RequestConfirmed = TRUE;
> break;
>
> + case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID:
> + if ((Flags.PPFlags &
> TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_
> BLOCK_SID) == 0) {
> + *RequestConfirmed = TRUE;
> + }
> + break;
> +
> + case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID:
> + if ((Flags.PPFlags &
> TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_
> BLOCK_SID) == 0) {
> + *RequestConfirmed = TRUE;
> + }
> + break;
> +
> + case
> TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_
> FUNC_TRUE:
> + case
> TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_
> FUNC_TRUE:
> + *RequestConfirmed = TRUE;
> + break;
> +
> + case
> TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_
> FUNC_FALSE:
> + case
> TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_
> FUNC_FALSE:
> + break;
> +
> default:
> if (TcgPpData->PPRequest >=
> TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) {
> IsRequestValid = Tcg2PpVendorLibHasValidRequest
> (TcgPpData->PPRequest, Flags.PPFlags, RequestConfirmed);
> @@ -613,15 +708,15 @@ Tcg2HaveValidTpmRequest (
> TcgPpData variable is external input, so this function will validate
> its data structure to be valid value.
>
> - @param[in] PlatformAuth platform auth value. NULL means
> no platform auth change.
> - @param[in] TcgPpData Point to the physical presence NV
> variable.
> - @param[in] Flags The physical presence interface
> flags.
> + @param[in] PlatformAuth platform auth value. NULL
> means no platform auth change.
> + @param[in, out] TcgPpData Pointer to the physical presence
> NV variable.
> + @param[in, out] Flags Pointer to the physical presence
> interface flags.
> **/
> VOID
> Tcg2ExecutePendingTpmRequest (
> IN TPM2B_AUTH *PlatformAuth,
> OPTIONAL
> - IN EFI_TCG2_PHYSICAL_PRESENCE *TcgPpData,
> - IN EFI_TCG2_PHYSICAL_PRESENCE_FLAGS Flags
> + IN OUT EFI_TCG2_PHYSICAL_PRESENCE *TcgPpData,
> + IN OUT EFI_TCG2_PHYSICAL_PRESENCE_FLAGS *Flags
> )
> {
> EFI_STATUS Status;
> @@ -638,7 +733,7 @@ Tcg2ExecutePendingTpmRequest (
> return;
> }
>
> - if (!Tcg2HaveValidTpmRequest(TcgPpData, Flags, &RequestConfirmed)) {
> + if (!Tcg2HaveValidTpmRequest(TcgPpData, *Flags, &RequestConfirmed)) {
> //
> // Invalid operation request.
> //
> @@ -664,7 +759,7 @@ Tcg2ExecutePendingTpmRequest (
>
> ResetRequired = FALSE;
> if (TcgPpData->PPRequest >=
> TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) {
> - NewFlags = Flags;
> + NewFlags = *Flags;
> NewPPFlags = NewFlags.PPFlags;
> TcgPpData->PPResponse = Tcg2PpVendorLibExecutePendingRequest
> (PlatformAuth, TcgPpData->PPRequest, &NewPPFlags, &ResetRequired);
> NewFlags.PPFlags = NewPPFlags;
> @@ -680,7 +775,7 @@ Tcg2ExecutePendingTpmRequest (
> // Execute requested physical presence command
> //
> TcgPpData->PPResponse =
> TCG_PP_OPERATION_RESPONSE_USER_ABORT;
> - NewFlags = Flags;
> + NewFlags = *Flags;
> if (RequestConfirmed) {
> TcgPpData->PPResponse = Tcg2ExecutePhysicalPresence (
> PlatformAuth,
> @@ -694,7 +789,8 @@ Tcg2ExecutePendingTpmRequest (
> //
> // Save the flags if it is updated.
> //
> - if (CompareMem (&Flags, &NewFlags,
> sizeof(EFI_TCG2_PHYSICAL_PRESENCE_FLAGS)) != 0) {
> + if (CompareMem (Flags, &NewFlags,
> sizeof(EFI_TCG2_PHYSICAL_PRESENCE_FLAGS)) != 0) {
> + *Flags = NewFlags;
> Status = gRT->SetVariable (
> TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE,
> &gEfiTcg2PhysicalPresenceGuid,
> @@ -745,6 +841,16 @@ Tcg2ExecutePendingTpmRequest (
> case TCG2_PHYSICAL_PRESENCE_LOG_ALL_DIGESTS:
> break;
>
> + case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID:
> + case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID:
> + break;
> +
> + case
> TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_
> FUNC_TRUE:
> + case
> TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_
> FUNC_TRUE:
> + case
> TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_
> FUNC_FALSE:
> + case
> TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_
> FUNC_FALSE:
> + return;
> +
> default:
> if (TcgPpData->LastPPRequest >=
> TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) {
> if (ResetRequired) {
> @@ -786,15 +892,9 @@ Tcg2PhysicalPresenceLibProcessRequest (
> EFI_STATUS Status;
> UINTN DataSize;
> EFI_TCG2_PHYSICAL_PRESENCE TcgPpData;
> - EFI_TCG2_PROTOCOL *Tcg2Protocol;
> EDKII_VARIABLE_LOCK_PROTOCOL *VariableLockProtocol;
> EFI_TCG2_PHYSICAL_PRESENCE_FLAGS PpiFlags;
>
> - Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **)
> &Tcg2Protocol);
> - if (EFI_ERROR (Status)) {
> - return ;
> - }
> -
> //
> // This flags variable controls whether physical presence is required for
> TPM command.
> // It should be protected from malicious software. We set it as read-only
> variable here.
> @@ -820,9 +920,6 @@ Tcg2PhysicalPresenceLibProcessRequest (
> return ;
> }
>
> - mTcg2PpStringPackHandle = HiiAddPackages
> (&gEfiTcg2PhysicalPresenceGuid, gImageHandle,
> DxeTcg2PhysicalPresenceLibStrings, NULL);
> - ASSERT (mTcg2PpStringPackHandle != NULL);
> -
> //
> // Initialize physical presence flags.
> //
> @@ -835,7 +932,7 @@ Tcg2PhysicalPresenceLibProcessRequest (
> &PpiFlags
> );
> if (EFI_ERROR (Status)) {
> - PpiFlags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT;
> + PpiFlags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT |
> TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT;
> Status = gRT->SetVariable (
> TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE,
> &gEfiTcg2PhysicalPresenceGuid,
> @@ -848,7 +945,6 @@ Tcg2PhysicalPresenceLibProcessRequest (
> return ;
> }
> }
> - DEBUG ((EFI_D_INFO, "[TPM2] PpiFlags = %x\n", PpiFlags.PPFlags));
>
> //
> // Initialize physical presence variable.
> @@ -882,7 +978,7 @@ Tcg2PhysicalPresenceLibProcessRequest (
> //
> // Execute pending TPM request.
> //
> - Tcg2ExecutePendingTpmRequest (PlatformAuth, &TcgPpData, PpiFlags);
> + Tcg2ExecutePendingTpmRequest (PlatformAuth, &TcgPpData, &PpiFlags);
> DEBUG ((EFI_D_INFO, "[TPM2] PPResponse = %x (LastPPRequest=%x,
> Flags=%x)\n", TcgPpData.PPResponse, TcgPpData.LastPPRequest,
> PpiFlags.PPFlags));
>
> }
> @@ -907,14 +1003,8 @@ Tcg2PhysicalPresenceLibNeedUserConfirm(
> EFI_TCG2_PHYSICAL_PRESENCE TcgPpData;
> UINTN DataSize;
> BOOLEAN RequestConfirmed;
> - EFI_TCG2_PROTOCOL *Tcg2Protocol;
> EFI_TCG2_PHYSICAL_PRESENCE_FLAGS PpiFlags;
>
> - Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **)
> &Tcg2Protocol);
> - if (EFI_ERROR (Status)) {
> - return FALSE;
> - }
> -
> //
> // Check S4 resume
> //
> @@ -1065,10 +1155,7 @@
> Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunction (
> }
>
> if ((OperationRequest > TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX)
> &&
> - (OperationRequest <
> TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) ) {
> - //
> - // This command requires UI to prompt user for Auth data.
> - //
> + (OperationRequest <
> TCG2_PHYSICAL_PRESENCE_STORAGE_MANAGEMENT_BEGIN) ) {
> return TCG_PP_SUBMIT_REQUEST_TO_PREOS_NOT_IMPLEMENTED;
> }
>
> @@ -1084,11 +1171,10 @@
> Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunction (
> DataSize,
> &PpData
> );
> - }
> -
> - if (EFI_ERROR (Status)) {
> - DEBUG ((EFI_D_ERROR, "[TPM2] Set PP variable failure! Status = %r\n",
> Status));
> - return TCG_PP_SUBMIT_REQUEST_TO_PREOS_GENERAL_FAILURE;
> + if (EFI_ERROR (Status)) {
> + DEBUG ((EFI_D_ERROR, "[TPM2] Set PP variable failure! Status
> = %r\n", Status));
> + return TCG_PP_SUBMIT_REQUEST_TO_PREOS_GENERAL_FAILURE;
> + }
> }
>
> if (OperationRequest >=
> TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) {
> @@ -1101,10 +1187,41 @@
> Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunction (
> &Flags
> );
> if (EFI_ERROR (Status)) {
> - Flags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT;
> + Flags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT |
> TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT;
> }
> return Tcg2PpVendorLibSubmitRequestToPreOSFunction
> (OperationRequest, Flags.PPFlags, RequestParameter);
> }
>
> return TCG_PP_SUBMIT_REQUEST_TO_PREOS_SUCCESS;
> }
> +
> +/**
> + Return TPM2 ManagementFlags set by PP interface.
> +
> + @retval ManagementFlags TPM2 Management Flags.
> +**/
> +UINT32
> +EFIAPI
> +Tcg2PhysicalPresenceLibGetManagementFlags (
> + VOID
> + )
> +{
> + EFI_STATUS Status;
> + EFI_TCG2_PHYSICAL_PRESENCE_FLAGS PpiFlags;
> + UINTN DataSize;
> +
> + DEBUG ((EFI_D_INFO, "[TPM2] GetManagementFlags\n"));
> +
> + DataSize = sizeof (EFI_TCG2_PHYSICAL_PRESENCE_FLAGS);
> + Status = gRT->GetVariable (
> + TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE,
> + &gEfiTcg2PhysicalPresenceGuid,
> + NULL,
> + &DataSize,
> + &PpiFlags
> + );
> + if (EFI_ERROR (Status)) {
> + PpiFlags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT |
> TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT;
> + }
> + return PpiFlags.PPFlags;
> +}
> diff --git
> a/SecurityPkg/Library/PeiTcg2PhysicalPresenceLib/PeiTcg2PhysicalPresenceL
> ib.c
> b/SecurityPkg/Library/PeiTcg2PhysicalPresenceLib/PeiTcg2PhysicalPresenceL
> ib.c
> index 81fe1b4d2cf0..e1907189079d 100644
> ---
> a/SecurityPkg/Library/PeiTcg2PhysicalPresenceLib/PeiTcg2PhysicalPresenceL
> ib.c
> +++
> b/SecurityPkg/Library/PeiTcg2PhysicalPresenceLib/PeiTcg2PhysicalPresenceL
> ib.c
> @@ -3,7 +3,7 @@
>
> This library will get TPM 2.0 physical presence information.
>
> -Copyright (c) 2015, Intel Corporation. All rights reserved.<BR>
> +Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.<BR>
> This program and the accompanying materials
> are licensed and made available under the terms and conditions of the BSD
> License
> which accompanies this distribution. The full text of the license may be
> found at
> @@ -53,7 +53,7 @@ Tcg2PhysicalPresenceLibGetManagementFlags (
> &PpiFlags
> );
> if (EFI_ERROR (Status)) {
> - PpiFlags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT;
> + PpiFlags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT |
> TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT;
> }
> return PpiFlags.PPFlags;
> }
> diff --git
> a/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPrese
> nceLib.c
> b/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPrese
> nceLib.c
> index 039bca129392..ba4db1113aed 100644
> ---
> a/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPrese
> nceLib.c
> +++
> b/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPrese
> nceLib.c
> @@ -130,10 +130,7 @@
> Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunctionEx (
> }
>
> if ((*OperationRequest > TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX)
> &&
> - (*OperationRequest <
> TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) ) {
> - //
> - // This command requires UI to prompt user for Auth data.
> - //
> + (*OperationRequest <
> TCG2_PHYSICAL_PRESENCE_STORAGE_MANAGEMENT_BEGIN) ) {
> ReturnCode =
> TCG_PP_SUBMIT_REQUEST_TO_PREOS_NOT_IMPLEMENTED;
> goto EXIT;
> }
> @@ -150,12 +147,11 @@
> Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunctionEx (
> DataSize,
> &PpData
> );
> - }
> -
> - if (EFI_ERROR (Status)) {
> - DEBUG ((EFI_D_ERROR, "[TPM2] Set PP variable failure! Status = %r\n",
> Status));
> - ReturnCode =
> TCG_PP_SUBMIT_REQUEST_TO_PREOS_GENERAL_FAILURE;
> - goto EXIT;
> + if (EFI_ERROR (Status)) {
> + DEBUG ((EFI_D_ERROR, "[TPM2] Set PP variable failure! Status
> = %r\n", Status));
> + ReturnCode =
> TCG_PP_SUBMIT_REQUEST_TO_PREOS_GENERAL_FAILURE;
> + goto EXIT;
> + }
> }
>
> if (*OperationRequest >=
> TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) {
> @@ -168,7 +164,7 @@
> Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunctionEx (
> &Flags
> );
> if (EFI_ERROR (Status)) {
> - Flags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT;
> + Flags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT |
> TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT;
> }
> ReturnCode = Tcg2PpVendorLibSubmitRequestToPreOSFunction
> (*OperationRequest, Flags.PPFlags, *RequestParameter);
> }
> @@ -318,6 +314,27 @@
> Tcg2PhysicalPresenceLibGetUserConfirmationStatusFunction (
> RequestConfirmed = TRUE;
> break;
>
> + case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID:
> + if ((Flags.PPFlags &
> TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_
> BLOCK_SID) == 0) {
> + RequestConfirmed = TRUE;
> + }
> + break;
> +
> + case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID:
> + if ((Flags.PPFlags &
> TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_
> BLOCK_SID) == 0) {
> + RequestConfirmed = TRUE;
> + }
> + break;
> +
> + case
> TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_
> FUNC_TRUE:
> + case
> TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_
> FUNC_TRUE:
> + RequestConfirmed = TRUE;
> + break;
> +
> + case
> TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_
> FUNC_FALSE:
> + case
> TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_
> FUNC_FALSE:
> + break;
> +
> default:
> if (OperationRequest <=
> TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX) {
> RequestConfirmed = TRUE;
> @@ -341,7 +358,7 @@
> Tcg2PhysicalPresenceLibGetUserConfirmationStatusFunction (
> }
>
> /**
> - The constructor function register UNI strings into imageHandle.
> + The constructor function locates SmmVariable protocol.
>
> It will ASSERT() if that operation fails and it will always return
> EFI_SUCCESS.
>
> --
> 2.7.0.windows.1
next prev parent reply other threads:[~2016-11-24 12:23 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-11-24 9:14 [PATCH 0/3] Support TCG2 BlockSID related actions Star Zeng
2016-11-24 9:14 ` [PATCH 1/3] SecurityPkg Tcg2PPLib: Support " Star Zeng
2016-11-24 12:23 ` Yao, Jiewen [this message]
2016-11-24 9:14 ` [PATCH 2/3] SecurityPkg OpalPasswordDxe: Use PP actions to enable BlockSID Star Zeng
2016-11-24 12:20 ` Yao, Jiewen
2016-11-24 9:14 ` [PATCH 3/3] SecurityPkg Tcg2ConfigDxe: Remove BlockSID actions and related strings Star Zeng
2016-11-24 12:20 ` Yao, Jiewen
2016-11-25 2:13 ` [PATCH 0/3] Support TCG2 BlockSID related actions Dong, Eric
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=74D8A39837DF1E4DA445A8C0B3885C50386DA49E@shsmsx102.ccr.corp.intel.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox