From: "Dong, Eric"
To: "Chu, Maggie", "devel@edk2.groups.io"
CC: "Zhang, Chao B", "Yao, Jiewen"
Subject: Re: [PATCH] SecurityPkg/HddPassword: Add a PCD to skip Hdd password prompt
Date: Wed, 12 Jun 2019 01:16:20 +0000
References: <20190610101927.19224-1-maggie.chu@intel.com>
In-Reply-To: <20190610101927.19224-1-maggie.chu@intel.com>

Hi Maggie,

Reviewed-by: Eric Dong

And pushed: 9e2416ae2e1d26c6e6daa58353de519745bb322d

Thanks,
Eric

> -----Original Message-----
> From: Chu, Maggie
> Sent: Monday, June 10, 2019 6:19 PM
> To: devel@edk2.groups.io
> Cc: Zhang, Chao B; Yao, Jiewen; Dong, Eric
> Subject: [PATCH] SecurityPkg/HddPassword: Add a PCD to skip Hdd password prompt
>
> https://bugzilla.tianocore.org/show_bug.cgi?id=1876
> Add a PCD for skipping Hdd password prompt.
> If device is in the locked status while attempting to skip password prompt,
> device will stay locked and the system continues to boot.
> If device is in the unlocked status while attempting to skip password prompt,
> system will be forced to shut down.
>
> Signed-off-by: Maggie Chu
> Cc: Chao Zhang
> Cc: Jiewen Yao
> Cc: Eric Dong
> ---
> SecurityPkg/HddPassword/HddPasswordDxe.c | 16 ++++++++++++++++
> SecurityPkg/HddPassword/HddPasswordDxe.inf | 4 ++++
> SecurityPkg/SecurityPkg.dec | 6 ++++++
> 3 files changed, 26 insertions(+)
>
> diff --git a/SecurityPkg/HddPassword/HddPasswordDxe.c > b/SecurityPkg/HddPassword/HddPasswordDxe.c > index 253af9f78f..b0d795b659 100644 > --- a/SecurityPkg/HddPassword/HddPasswordDxe.c > +++ b/SecurityPkg/HddPassword/HddPasswordDxe.c
> @@ -1345,6 +1345,22 @@ HddPasswordRequestPassword ( > // > if ((ConfigFormEntry->IfrData.SecurityStatus.Supported) && > (ConfigFormEntry->IfrData.SecurityStatus.Enabled)) { > + > + // > + // Add PcdSkipHddPasswordPrompt to determin whether to skip > password prompt. > + // Due to board design, device may not power off during system warm > boot, which result in > + // security status remain unlocked status, hence we add device secu= rity > status check here. > + // > + // If device is in the locked status, device keeps locked and syste= m > continues booting. > + // If device is in the unlocked status, system is forced shutdown f= or > security concern. > + // > + if (PcdGetBool (PcdSkipHddPasswordPrompt)) { > + if (ConfigFormEntry->IfrData.SecurityStatus.Locked) { > + return; > + } else { > + gRT->ResetSystem (EfiResetShutdown, EFI_SUCCESS, 0, NULL); > + } > + } > // > // As soon as the HDD password is in enabled state, we pop up a wind= ow > to unlock hdd > // no matter it's really in locked or unlocked state. > diff --git a/SecurityPkg/HddPassword/HddPasswordDxe.inf > b/SecurityPkg/HddPassword/HddPasswordDxe.inf > index f7550079ed..06e8755ffc 100644 > --- a/SecurityPkg/HddPassword/HddPasswordDxe.inf > +++ b/SecurityPkg/HddPassword/HddPasswordDxe.inf > @@ -34,6 +34,7 @@ > MdePkg/MdePkg.dec > MdeModulePkg/MdeModulePkg.dec > CryptoPkg/CryptoPkg.dec > + SecurityPkg/SecurityPkg.dec >=20 > [LibraryClasses] > BaseLib > @@ -64,6 +65,9 @@ > gEfiPciIoProtocolGuid ## CONSUMES > gEdkiiVariableLockProtocolGuid ## CONSUMES >=20 > +[Pcd] > + gEfiSecurityPkgTokenSpaceGuid.PcdSkipHddPasswordPrompt ## > CONSUMES > + > [Depex] > gEfiVariableWriteArchProtocolGuid >=20 > diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec in= dex > 3314f1854b..82929fe38e 100644 > --- a/SecurityPkg/SecurityPkg.dec > +++ b/SecurityPkg/SecurityPkg.dec 
> @@ -428,6 +428,12 @@ > # @Prompt Skip Opal DXE driver unlock device flow. >=20 > gEfiSecurityPkgTokenSpaceGuid.PcdSkipOpalDxeUnlock|FALSE|BOOLEAN|0 > x00010020 >=20 > + ## Indicates if Hdd Password driver skip password prompt.

> + # TRUE - Skip password prompt.
> + # FALSE - Does not skip password prompt.
> + # @Prompt Skip Hdd Password prompt. > + > + > gEfiSecurityPkgTokenSpaceGuid.PcdSkipHddPasswordPrompt|FALSE|BOOLE > AN|0 > + x00010021 > + > [PcdsDynamic, PcdsDynamicEx] >=20 > ## This PCD indicates Hash mask for TPM 2.0. Bit definition strictly f= ollows > TCG Algorithm Registry.
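Review bot: the help text added for PcdSkipHddPasswordPrompt in the SecurityPkg.dec hunk only says "TRUE - Skip password prompt." / "FALSE - Does not skip password prompt." and leaves out the consequence the commit message spells out: with the PCD TRUE, a locked device stays locked and boot continues, while an unlocked device forces the system to shut down. Platform integrators read the .dec when they set this PCD, so that behaviour belongs in the `##` description (and in the `@Prompt` text if it is meant to be surfaced). Minor grammar in the same line: "Indicates if Hdd Password driver skip password prompt." should read "skips".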

> -- > 2.16.2.windows.1
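Review bot: in the HddPasswordDxe.c hunk, the `else` branch calls `gRT->ResetSystem (EfiResetShutdown, EFI_SUCCESS, 0, NULL);` and then falls straight through into the existing prompt code ("As soon as the HDD password is in enabled state, we pop up a window to unlock hdd") should the call return. ResetSystem is not expected to return, but the usual edk2 pattern for a security-motivated shutdown is to follow it with `CpuDeadLoop ();` so an unlocked drive can never reach the prompt, or the rest of boot, on a platform whose reset implementation returns or is not yet installed. The new comment block also has typos worth fixing before it lands: "determin" should be "determine", "which result in" should be "which results in", and "security status remain unlocked status" reads better as "security status remains unlocked".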