From: "Dong, Eric"
To: "Chu, Maggie", "devel@edk2.groups.io"
CC: "Zhang, Chao B", "Yao, Jiewen"
Subject: Re: [PATCH] SecurityPkg/OpalPassword: Add PCD to skip password prompt
Thread-Topic: [PATCH] SecurityPkg/OpalPassword: Add PCD to skip password prompt
Thread-Index: AQHVEGyt0fm/9YIqIUmQo6GVlriJxKaUh3ig
Date: Mon, 10 Jun 2019 06:17:59 +0000
Message-ID:
References: <20190522070443.21064-1-maggie.chu@intel.com>
In-Reply-To: <20190522070443.21064-1-maggie.chu@intel.com>
Accept-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.239.127.40]
MIME-Version: 1.0
Return-Path: eric.dong@intel.com
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Hi Maggie,

Reviewed-by: Eric Dong

And pushed: 6cbed0e36fe734f3fc11d30d652122d7714627c4

Thanks,
Eric

> -----Original Message-----
> From: Chu, Maggie
> Sent: Wednesday, May 22, 2019 3:05 PM
> To: devel@edk2.groups.io
> Cc: Dong, Eric; Zhang, Chao B; Yao, Jiewen
> Subject: [PATCH] SecurityPkg/OpalPassword: Add PCD to skip password prompt
>
> https://bugzilla.tianocore.org/show_bug.cgi?id=1801
> Add a PCD for skipping password prompt in device unlocked status.
> Previous change only supports if storage device is in locked status.
> This change is added to support the case that security status of the storage
> device is unlocked.
>
> Signed-off-by: Maggie Chu
> Cc: Eric Dong
> Cc: Chao Zhang
> Cc: Jiewen Yao
> ---
>  SecurityPkg/SecurityPkg.dec                           | 10 +++++-----
>  SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c        | 16 ++++++++++++--
>  SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe.inf |  2 +-
>  3 files changed, 20 insertions(+), 8 deletions(-)
>
> diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
> index 3314f1854b..96db80c2d2 100644
> --- a/SecurityPkg/SecurityPkg.dec
> +++ b/SecurityPkg/SecurityPkg.dec
> @@ -422,11 +422,11 @@ > # @Prompt Possible TPM2 Interrupt Number buffer > gEfiSecurityPkgTokenSpaceGuid.PcdTpm2PossibleIrqNumBuf|{0x00, 0x00, > 0x00, 0x00}|VOID*|0x0001001D >=20 > - ## Indicates if Opal DXE driver skip unlock device flow.

> - # TRUE - Skip unlock device flow.
> - # FALSE - Does not skip unlock device flow.
> - # @Prompt Skip Opal DXE driver unlock device flow. > - > gEfiSecurityPkgTokenSpaceGuid.PcdSkipOpalDxeUnlock|FALSE|BOOLEAN|0 > x00010020 > + ## Indicates if Opal DXE driver skip password prompt.

> + # TRUE - Skip password prompt.
> + # FALSE - Does not skip password prompt.
> + # @Prompt Skip Opal DXE driver password prompt. > + > + > gEfiSecurityPkgTokenSpaceGuid.PcdSkipOpalPasswordPrompt|FALSE|BOOL > EAN| > + 0x00010020 >=20 > [PcdsDynamic, PcdsDynamicEx] >=20 > diff --git a/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c > b/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c > index 965205c0b2..e14fa32354 100644 > --- a/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c > +++ b/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c > @@ -899,8 +899,20 @@ OpalDriverRequestPassword ( >=20 > IsLocked =3D OpalDeviceLocked (&Dev->OpalDisk.SupportedAttributes, > &Dev->OpalDisk.LockingFeature); >=20 > - if (IsLocked && PcdGetBool (PcdSkipOpalDxeUnlock)) { > - return; > + // > + // Add PcdSkipOpalPasswordPrompt to determin whether to skip > password prompt. > + // Due to board design, device may not power off during system warm > boot, which result in > + // security status remain unlocked status, hence we add device secur= ity > status check here. > + // > + // If device is in the locked status, device keeps locked and system > continues booting. > + // If device is in the unlocked status, system is forced shutdown to > support security requirement. > + // > + if (PcdGetBool (PcdSkipOpalPasswordPrompt)) { > + if (IsLocked) { > + return; > + } else { > + gRT->ResetSystem (EfiResetShutdown, EFI_SUCCESS, 0, NULL); > + } > } >=20 > while (Count < MAX_PASSWORD_TRY_COUNT) { diff --git > a/SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe.inf > b/SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe.inf > index e74f147aaa..87519198c0 100644 > --- a/SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe.inf > +++ b/SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe.inf 
> @@ -71,7 +71,7 @@ > gS3StorageDeviceInitListGuid ## SOMETIMES_PRODUCES ## > UNDEFINED >=20 > [Pcd] > - gEfiSecurityPkgTokenSpaceGuid.PcdSkipOpalDxeUnlock ## CONSUMES > + gEfiSecurityPkgTokenSpaceGuid.PcdSkipOpalPasswordPrompt ## > CONSUMES >=20 > [Depex] > gEfiHiiStringProtocolGuid AND gEfiHiiDatabaseProtocolGuid > -- > 2.16.2.windows.1
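Review bot: the new help text in the SecurityPkg.dec hunk (`## Indicates if Opal DXE driver skip password prompt.` / `# TRUE - Skip password prompt.`) understates what TRUE does: per the OpalDriver.c hunk, a device that is already unlocked then triggers `gRT->ResetSystem (EfiResetShutdown, ...)`, not merely a skipped prompt. Please state the shutdown in the PCD comment, e.g. `# TRUE - Skip password prompt; if the device is found unlocked, the system is shut down.`, so a platform enabling it in a DSC knows warm boots with an unlocked drive will halt (also `driver skip` should read `driver skips`). Since the PCD is renamed but keeps token 0x00010020, any platform DSC or FDF still setting PcdSkipOpalDxeUnlock will fail to build; that is worth a line in the commit message.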
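Review bot: the shutdown branch in the OpalDriver.c hunk falls through if `gRT->ResetSystem (EfiResetShutdown, EFI_SUCCESS, 0, NULL);` returns: execution then continues into the `while (Count < MAX_PASSWORD_TRY_COUNT)` prompt loop, which is exactly the path the PCD is meant to bypass. Suggest adding `CpuDeadLoop ();` directly after the ResetSystem call so the fail-closed branch cannot continue, and a `DEBUG ((DEBUG_ERROR, ...))` message before it so an otherwise unexplained power-off is traceable in the serial log. Minor: `determin` in the new comment should be `determine`, and the comment could say why the unlocked case is treated as a policy violation (the device stayed powered across a warm boot, so its locked state cannot be trusted). Please also confirm that this function is only reached for drives with the Opal locking feature enabled (the visible context does not show that guard), since an Opal-capable but never-locked drive would otherwise take the shutdown branch as well.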
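Review bot: the [Pcd] rename in OpalPasswordDxe.inf matches the .dec, but the OpalDriver.c hunk now calls `gRT->ResetSystem`; please confirm UefiRuntimeServicesTableLib is already listed in this module's [LibraryClasses] (not visible in the hunk) so the new reference to gRT links, and keep the `## CONSUMES` annotation on one line as the other entries in the section are.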