From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id A009681C9E for ; Wed, 16 Nov 2016 21:49:22 -0800 (PST) Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by fmsmga101.fm.intel.com with ESMTP; 16 Nov 2016 21:49:27 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.31,504,1473145200"; d="scan'208";a="32363801" Received: from fmsmsx106.amr.corp.intel.com ([10.18.124.204]) by fmsmga006.fm.intel.com with ESMTP; 16 Nov 2016 21:49:27 -0800 Received: from shsmsx103.ccr.corp.intel.com (10.239.4.69) by FMSMSX106.amr.corp.intel.com (10.18.124.204) with Microsoft SMTP Server (TLS) id 14.3.248.2; Wed, 16 Nov 2016 21:49:26 -0800 Received: from shsmsx102.ccr.corp.intel.com ([169.254.2.239]) by SHSMSX103.ccr.corp.intel.com ([169.254.4.96]) with mapi id 14.03.0248.002; Thu, 17 Nov 2016 13:49:24 +0800 From: "Zhang, Chao B" To: "Dong, Eric" , "edk2-devel@lists.01.org" CC: "Yao, Jiewen" Thread-Topic: [Patch 03/10] SecurityPkg: Add DxeTcgPhysicalPresenceStorageLib. Thread-Index: AQHSP87+n9xjCwjxck6zDvCW+7flraDcrKDQ Date: Thu, 17 Nov 2016 05:49:23 +0000 Message-ID: References: <1479276049-34308-1-git-send-email-eric.dong@intel.com> <1479276049-34308-4-git-send-email-eric.dong@intel.com> In-Reply-To: <1479276049-34308-4-git-send-email-eric.dong@intel.com> Accept-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ctpclassification: CTP_IC x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiNjRlZGE5MWMtZTA4ZC00ZjY0LTlmNzMtNWQ5OTlmMGEyMWNhIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX0lDIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE1LjkuNi42IiwiVHJ1c3RlZExhYmVsSGFzaCI6Ik1aVmpLNEtzaWFnbHB2MmMyZnJmbFJrK1BXMGh2aEZXcWxxMm52dVlPUzg9In0= x-originating-ip: [10.239.127.40] MIME-Version: 1.0 Subject: Re: [Patch 03/10] SecurityPkg: Add DxeTcgPhysicalPresenceStorageLib. X-BeenThere: edk2-devel@lists.01.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: EDK II Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Nov 2016 05:49:22 -0000 Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Hi Eric: DxeTcgPhysicalPresenceStorageLibStrings.uni @@ -0,0 +1,31 @@ +/** @file + String definitions for TPM 2.0 physical presence storage related actions= confirm text. The module is for TPM1.2 & TPM2.0. Please update the license header. Thanks & Best regards Chao Zhang -----Original Message----- From: Dong, Eric=20 Sent: Wednesday, November 16, 2016 2:01 PM To: edk2-devel@lists.01.org Cc: Yao, Jiewen; Zhang, Chao B Subject: [Patch 03/10] SecurityPkg: Add DxeTcgPhysicalPresenceStorageLib. Tcg Physical Presence spec defined some actions used for storage device. Add Dxe version library to handles these actions. Cc: Jiewen Yao Cc: Chao Zhang Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Eric Dong --- .../DxeTcg2PhysicalPresenceStorage.c | 504 +++++++++++++++++= ++++ .../DxeTcg2PhysicalPresenceStorage.h | 88 ++++ .../DxeTcgPhysicalPresenceStorage.c | 501 +++++++++++++++++= +++ .../DxeTcgPhysicalPresenceStorage.h | 88 ++++ .../DxeTcgPhysicalPresenceStorageLib.c | 390 ++++++++++++++++ .../DxeTcgPhysicalPresenceStorageLib.inf | 67 +++ .../DxeTcgPhysicalPresenceStorageLib.uni | 18 + .../DxeTcgPhysicalPresenceStorageLibInternal.h | 31 ++ .../DxeTcgPhysicalPresenceStorageLibStrings.uni | 31 ++ SecurityPkg/SecurityPkg.dec | 9 + 10 files changed, 1727 insertions(+) create mode 100644 SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/Dx= eTcg2PhysicalPresenceStorage.c create mode 100644 SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/Dx= eTcg2PhysicalPresenceStorage.h create mode 100644 SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/Dx= eTcgPhysicalPresenceStorage.c create mode 100644 SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/Dx= eTcgPhysicalPresenceStorage.h create mode 100644 SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/Dx= eTcgPhysicalPresenceStorageLib.c create mode 100644 SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/Dx= eTcgPhysicalPresenceStorageLib.inf create mode 100644 SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/Dx= eTcgPhysicalPresenceStorageLib.uni create mode 100644 SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/Dx= eTcgPhysicalPresenceStorageLibInternal.h create mode 100644 SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/Dx= eTcgPhysicalPresenceStorageLibStrings.uni diff --git a/SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/DxeTcg2Ph= ysicalPresenceStorage.c b/SecurityPkg/Library/DxeTcgPhysicalPresenceStorage= Lib/DxeTcg2PhysicalPresenceStorage.c new file mode 100644 index 0000000..74c975e --- /dev/null +++ b/SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/DxeTcg2PhysicalP= resenceStorage.c @@ -0,0 +1,504 @@ +/** @file + Tcg PP storage library instance that does support any storage specific P= PI. + +Copyright (c) 2016, Intel Corporation. All rights reserved.
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD = License +which accompanies this distribution. The full text of the license may be = found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLI= ED. + +**/ +#include + +#include +#include + +#include + +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "DxeTcgPhysicalPresenceStorageLibInternal.h" + +/** + Display the confirm text and get user confirmation. + + @param[in] OperationRequest TPM physical presence operation requ= est. + @param[in] ManagementFlags BIOS TPM Management Flags. + + + @retval TRUE The user need to confirme the changes. + @retval FALSE The user doesn't need to confirme the changes. +**/ +BOOLEAN +Tcg2PpNeedUserConfirm ( + IN UINT8 OperationRequest, + IN UINT32 ManagementFlags + ) +{ + BOOLEAN NeedUserConfirm; + + NeedUserConfirm =3D FALSE; + + switch (OperationRequest) { + case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID: + if ((ManagementFlags & TCG_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FO= R_ENABLE_BLOCK_SID) !=3D 0) { + NeedUserConfirm =3D TRUE; + } + break; + + case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID: + if ((ManagementFlags & TCG_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FO= R_DISABLE_BLOCK_SID) !=3D 0) { + NeedUserConfirm =3D TRUE; + } + break; + + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_TR= UE: + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_T= RUE: + NeedUserConfirm =3D TRUE; + break; + + default: + break; + } + + return NeedUserConfirm; +} + +/** + The handler for TPM physical presence function: + Submit TPM Operation Request to Pre-OS Environment and + Submit TPM Operation Request to Pre-OS Environment 2. + + Caution: This function may receive untrusted input. + + @param[in] OperationRequest TPM physical presence operation request= . + @param[in] RequestParameter TPM physical presence operation request= parameter. + + @return Return Code for Submit TPM Operation Request to Pre-OS Environme= nt and + Submit TPM Operation Request to Pre-OS Environment 2. +**/ +UINT32 +EFIAPI +Tcg2SubmitStorageRequest ( + IN UINT32 OperationRequest, + IN UINT32 RequestParameter + ) +{ + EFI_STATUS Status; + UINTN DataSize; + EFI_TCG2_PHYSICAL_PRESENCE PpData; + + DEBUG ((EFI_D_INFO, "[TPM Storage] SubmitRequestToPreOSFunction, Request= =3D %x, %x\n", OperationRequest, RequestParameter)); + + // + // Get the Physical Presence storage variable + // + DataSize =3D sizeof (EFI_TCG2_PHYSICAL_PRESENCE); + Status =3D gRT->GetVariable ( + TCG2_PHYSICAL_PRESENCE_VARIABLE, + &gEfiTcg2PhysicalPresenceGuid, + NULL, + &DataSize, + &PpData + ); + if (EFI_ERROR (Status)) { + DEBUG ((EFI_D_ERROR, "[TPM Storage] Get PP variable failure! Status = =3D %r\n", Status)); + return TCG_PP_SUBMIT_REQUEST_TO_PREOS_GENERAL_FAILURE; + } + + if ((OperationRequest >=3D TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERAT= ION) && + (OperationRequest < TCG2_PHYSICAL_PRESENCE_STORAGE_MANAGEMENT_BEGIN)= ) { + // + // This library only support storage related actions. + // + return TCG_PP_SUBMIT_REQUEST_TO_PREOS_NOT_IMPLEMENTED; + } + + if ((PpData.PPRequest !=3D OperationRequest) || + (PpData.PPRequestParameter !=3D RequestParameter)) { + PpData.PPRequest =3D (UINT8)OperationRequest; + PpData.PPRequestParameter =3D RequestParameter; + DataSize =3D sizeof (EFI_TCG2_PHYSICAL_PRESENCE); + Status =3D gRT->SetVariable ( + TCG2_PHYSICAL_PRESENCE_VARIABLE, + &gEfiTcg2PhysicalPresenceGuid, + EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_A= CCESS | EFI_VARIABLE_RUNTIME_ACCESS, + DataSize, + &PpData + ); + } + + if (EFI_ERROR (Status)) { + DEBUG ((EFI_D_ERROR, "[TPM2] Set PP variable failure! Status =3D %r\n"= , Status)); + return TCG_PP_SUBMIT_REQUEST_TO_PREOS_GENERAL_FAILURE; + } + + return TCG_PP_SUBMIT_REQUEST_TO_PREOS_SUCCESS; +} + +/** + Check if the pending TPM request needs user input to confirm. + + The TPM request may come from OS. This API will check if TPM request exi= sts and need user + input to confirmation. + + @retval TRUE TPM needs input to confirm user physical presence= . + @retval FALSE TPM doesn't need input to confirm user physical p= resence. + +**/ +BOOLEAN +EFIAPI +Tcg2NeedUserConfirm( + VOID + ) +{ + EFI_STATUS Status; + EFI_TCG2_PHYSICAL_PRESENCE TcgPpData; + UINTN DataSize; + EFI_TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS PpiFlags; + + // + // Check S4 resume + // + if (GetBootModeHob () =3D=3D BOOT_ON_S4_RESUME) { + DEBUG ((EFI_D_INFO, "S4 Resume, Skip TPM PP process!\n")); + return FALSE; + } + + // + // Check Tpm requests + // + DataSize =3D sizeof (EFI_TCG2_PHYSICAL_PRESENCE); + Status =3D gRT->GetVariable ( + TCG2_PHYSICAL_PRESENCE_VARIABLE, + &gEfiTcg2PhysicalPresenceGuid, + NULL, + &DataSize, + &TcgPpData + ); + if (EFI_ERROR (Status)) { + return FALSE; + } + + DataSize =3D sizeof (EFI_TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS); + Status =3D gRT->GetVariable ( + TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS_VARIABLE, + &gEfiTcgPhysicalPresenceStorageGuid, + NULL, + &DataSize, + &PpiFlags + ); + if (EFI_ERROR (Status)) { + PpiFlags.PPFlags =3D TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT; + } + + if ((TcgPpData.PPRequest >=3D TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPE= RATION) && + (TcgPpData.PPRequest < TCG2_PHYSICAL_PRESENCE_STORAGE_MANAGEMENT_BEG= IN)) { + // + // This library only support storage related actions. + // + return FALSE; + } + + return Tcg2PpNeedUserConfirm(TcgPpData.PPRequest, PpiFlags.PPFlags); +} + +/** + The handler for TPM physical presence function: + Return TPM Operation Response to OS Environment. + + @param[out] MostRecentRequest Most recent operation request. + @param[out] Response Response to the most recent operation = request. + + @return Return Code for Return TPM Operation Response to OS Environment. +**/ +UINT32 +EFIAPI +Tcg2ReturnOperationResponseToOsFunction ( + OUT UINT32 *MostRecentRequest, + OUT UINT32 *Response + ) +{ + EFI_STATUS Status; + UINTN DataSize; + EFI_TCG2_PHYSICAL_PRESENCE PpData; + + DEBUG ((EFI_D_INFO, "[TPM Storage] ReturnOperationResponseToOsFunction\n= ")); + + // + // Get the Physical Presence variable + // + DataSize =3D sizeof (EFI_TCG2_PHYSICAL_PRESENCE); + Status =3D gRT->GetVariable ( + TCG2_PHYSICAL_PRESENCE_VARIABLE, + &gEfiTcg2PhysicalPresenceGuid, + NULL, + &DataSize, + &PpData + ); + if (EFI_ERROR (Status)) { + *MostRecentRequest =3D 0; + *Response =3D 0; + DEBUG ((EFI_D_ERROR, "[TPM Storage] Get PP variable failure! Status = =3D %r\n", Status)); + return TCG_PP_RETURN_TPM_OPERATION_RESPONSE_FAILURE; + } + + *MostRecentRequest =3D PpData.LastPPRequest; + *Response =3D PpData.PPResponse; + + return TCG_PP_RETURN_TPM_OPERATION_RESPONSE_SUCCESS; +} + +/** + Check and execute the requested physical presence command. + + This API should be invoked in BIOS boot phase to process pending request= . + + Caution: This function may receive untrusted input. + + If OperationRequest < 128, then ASSERT(). + + @param[in] OperationRequest TPM physical presence operation request= . + @param[in, out] ManagementFlags BIOS TPM Management Flags. + @param[out] ResetRequired If reset is required to vendor settings= in effect. + True, it indicates the reset is require= d. + False, it indicates the reset is not re= quired. + + @return TPM Operation Response to OS Environment. +**/ +UINT32 +Tcg2ExecutePendingRequest ( + IN UINT8 OperationRequest, + IN OUT UINT32 *ManagementFlags, + OUT BOOLEAN *ResetRequired + ) +{ + ASSERT ((OperationRequest >=3D TCG2_PHYSICAL_PRESENCE_STORAGE_MANAGEMENT= _BEGIN) && + (OperationRequest < TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERA= TION)); + + if (Tcg2PpNeedUserConfirm(OperationRequest, *ManagementFlags)) { + if (!TcgPpUserConfirm (OperationRequest)) { + return TCG_PP_OPERATION_RESPONSE_USER_ABORT; + } + } + + switch (OperationRequest) { + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_TR= UE: + *ManagementFlags|=3D TCG_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_= ENABLE_BLOCK_SID; + return TCG_PP_OPERATION_RESPONSE_SUCCESS; + + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_FA= LSE: + *ManagementFlags &=3D ~TCG_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FO= R_ENABLE_BLOCK_SID; + return TCG_PP_OPERATION_RESPONSE_SUCCESS; + + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_T= RUE: + *ManagementFlags |=3D TCG_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR= _DISABLE_BLOCK_SID; + return TCG_PP_OPERATION_RESPONSE_SUCCESS; + + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_F= ALSE: + *ManagementFlags &=3D ~TCG_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FO= R_DISABLE_BLOCK_SID; + return TCG_PP_OPERATION_RESPONSE_SUCCESS; + + case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID: + *ManagementFlags |=3D TCG_BIOS_STORAGE_MANAGEMENT_FLAG_ENABLE_BLOCK_SI= D; + return TCG_PP_OPERATION_RESPONSE_SUCCESS; + + case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID: + *ManagementFlags &=3D ~TCG_BIOS_STORAGE_MANAGEMENT_FLAG_ENABLE_BLOCK_S= ID; + return TCG_PP_OPERATION_RESPONSE_SUCCESS; + + default: + break; + } + + return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE; +} + +/** + Check and execute the pending TPM request. + + The TPM request may come from OS or BIOS. This API will display request = information and wait + for user confirmation if TPM request exists. The TPM request will be sen= t to TPM device after + the TPM request is confirmed, and one or more reset may be required to m= ake TPM request to + take effect. + + This API should be invoked after console in and console out are all read= y as they are required + to display request information and get user input to confirm the request= . + + @param[in] PlatformAuth platform auth value. NULL mea= ns no platform auth change. +**/ +VOID +EFIAPI +Tcg2ProcessStorageRequest ( + VOID + ) +{ + EFI_STATUS Status; + UINTN DataSize; + EFI_TCG2_PHYSICAL_PRESENCE TcgPpData; + EDKII_VARIABLE_LOCK_PROTOCOL *VariableLockProtocol; + EFI_TCG2_PHYSICAL_PRESENCE_FLAGS PpiFlags; + EFI_TCG2_PHYSICAL_PRESENCE_FLAGS NewPpiFlags; + BOOLEAN ResetRequired; + + // + // Check S4 resume + // + if (GetBootModeHob () =3D=3D BOOT_ON_S4_RESUME) { + DEBUG ((EFI_D_INFO, "S4 Resume, Skip TPM PP process!\n")); + return ; + } + + // + // Initialize physical presence variable. + // + DataSize =3D sizeof (EFI_TCG2_PHYSICAL_PRESENCE); + Status =3D gRT->GetVariable ( + TCG2_PHYSICAL_PRESENCE_VARIABLE, + &gEfiTcg2PhysicalPresenceGuid, + NULL, + &DataSize, + &TcgPpData + ); + if (EFI_ERROR (Status)) { + ZeroMem ((VOID*)&TcgPpData, sizeof (TcgPpData)); + DataSize =3D sizeof (EFI_TCG2_PHYSICAL_PRESENCE); + Status =3D gRT->SetVariable ( + TCG2_PHYSICAL_PRESENCE_VARIABLE, + &gEfiTcg2PhysicalPresenceGuid, + EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE= _ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, + DataSize, + &TcgPpData + ); + if (EFI_ERROR (Status)) { + DEBUG ((EFI_D_ERROR, "[TPM Storage] Set physical presence variable f= ailed, Status =3D %r\n", Status)); + return ; + } + } + + if ((TcgPpData.PPRequest >=3D TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPE= RATION) || + (TcgPpData.PPRequest < TCG2_PHYSICAL_PRESENCE_STORAGE_MANAGEMENT_BEG= IN) ) { + // + // This library only support storage related actions. + // + DEBUG ((EFI_D_INFO, "[TPM Storage] Only support TCG storage related PP= actions, not support PPRequest=3D%x\n", TcgPpData.PPRequest)); + return; + } + + // + // Initialize physical presence flags. + // + DataSize =3D sizeof (EFI_TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS); + Status =3D gRT->GetVariable ( + TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS_VARIABLE, + &gEfiTcgPhysicalPresenceStorageGuid, + NULL, + &DataSize, + &PpiFlags + ); + if (EFI_ERROR (Status)) { + PpiFlags.PPFlags =3D TCG_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT; + Status =3D gRT->SetVariable ( + TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS_VARIABLE, + &gEfiTcgPhysicalPresenceStorageGuid, + EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE= _ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, + sizeof (EFI_TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS), + &PpiFlags + ); + if (EFI_ERROR (Status)) { + DEBUG ((EFI_D_ERROR, "[TPM Storage] Set physical presence flag faile= d, Status =3D %r\n", Status)); + return ; + } + } + DEBUG ((EFI_D_INFO, "[TPM Storage] PpiFlags =3D %x\n", PpiFlags.PPFlags)= ); + + // + // This flags variable controls whether physical presence is required fo= r TPM command. + // It should be protected from malicious software. We set it as read-onl= y variable here. + // + Status =3D gBS->LocateProtocol (&gEdkiiVariableLockProtocolGuid, NULL, (= VOID **)&VariableLockProtocol); + if (!EFI_ERROR (Status)) { + Status =3D VariableLockProtocol->RequestToLock ( + VariableLockProtocol, + TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS_V= ARIABLE, + &gEfiTcgPhysicalPresenceStorageGuid + ); + if (EFI_ERROR (Status)) { + DEBUG ((EFI_D_ERROR, "[TPM Storage] Error when lock variable %s, Sta= tus =3D %r\n", TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS_VARIABLE, Status)); + ASSERT_EFI_ERROR (Status); + } + } + + DEBUG ((EFI_D_INFO, "[TPM Storage] Flags=3D%x, PPRequest=3D%x (LastPPReq= uest=3D%x)\n", PpiFlags.PPFlags, TcgPpData.PPRequest, TcgPpData.LastPPReque= st)); + + NewPpiFlags.PPFlags =3D PpiFlags.PPFlags; + ResetRequired =3D FALSE; + TcgPpData.PPResponse =3D TCG_PP_OPERATION_RESPONSE_USER_ABORT; + + TcgPpData.PPResponse =3D Tcg2ExecutePendingRequest (TcgPpData.PPRequest,= &NewPpiFlags.PPFlags, &ResetRequired); + DEBUG ((EFI_D_INFO, "[TPM Storage] PPResponse =3D %x (LastPPRequest=3D%x= , Flags=3D%x)\n", TcgPpData.PPResponse, TcgPpData.LastPPRequest, PpiFlags.P= PFlags)); + + if (TcgPpData.PPResponse =3D=3D TCG_PP_OPERATION_RESPONSE_USER_ABORT) { + return; + } + + // + // Save the flags if it is updated. + // + if (CompareMem (&PpiFlags, &NewPpiFlags, sizeof(EFI_TCG_PHYSICAL_PRESENC= E_STORAGE_FLAGS)) !=3D 0) { + Status =3D gRT->SetVariable ( + TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS_VARIABLE, + &gEfiTcgPhysicalPresenceStorageGuid, + EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE= _ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, + sizeof (EFI_TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS), + &NewPpiFlags + ); + } + + // + // Clear request + // + TcgPpData.LastPPRequest =3D TcgPpData.PPRequest; + TcgPpData.PPRequest =3D TCG2_PHYSICAL_PRESENCE_NO_ACTION; + TcgPpData.PPRequestParameter =3D 0; + + // + // Save changes + // + DataSize =3D sizeof (EFI_TCG2_PHYSICAL_PRESENCE); + Status =3D gRT->SetVariable ( + TCG2_PHYSICAL_PRESENCE_VARIABLE, + &gEfiTcg2PhysicalPresenceGuid, + EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACC= ESS | EFI_VARIABLE_RUNTIME_ACCESS, + DataSize, + &TcgPpData + ); + if (EFI_ERROR (Status)) { + return; + } + + if (!ResetRequired) { + return; + } + + Print (L"Rebooting system to make TPM2 settings in effect\n"); + gRT->ResetSystem (EfiResetCold, EFI_SUCCESS, 0, NULL); + ASSERT (FALSE); +} + diff --git a/SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/DxeTcg2Ph= ysicalPresenceStorage.h b/SecurityPkg/Library/DxeTcgPhysicalPresenceStorage= Lib/DxeTcg2PhysicalPresenceStorage.h new file mode 100644 index 0000000..a93cc53 --- /dev/null +++ b/SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/DxeTcg2PhysicalP= resenceStorage.h @@ -0,0 +1,88 @@ +/** @file + Tcg PP storage library instance that does support any storage specific P= PI. + +Copyright (c) 2016, Intel Corporation. All rights reserved.
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD = License +which accompanies this distribution. The full text of the license may be = found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLI= ED. + +**/ +#ifndef _TCG2_PHYSICAL_PRESENCE_STORAGE_H_ +#define _TCG2_PHYSICAL_PRESENCE_STORAGE_H_ + +/** + The handler for TPM physical presence function: + Submit TPM Operation Request to Pre-OS Environment and + Submit TPM Operation Request to Pre-OS Environment 2. + + Caution: This function may receive untrusted input. + + @param[in] OperationRequest TPM physical presence operation request= . + @param[in] RequestParameter TPM physical presence operation request= parameter. + + @return Return Code for Submit TPM Operation Request to Pre-OS Environme= nt and + Submit TPM Operation Request to Pre-OS Environment 2. +**/ +UINT32 +Tcg2SubmitStorageRequest ( + IN UINT32 OperationRequest, + IN UINT32 RequestParameter + ); + +/** + Check if the pending TPM request needs user input to confirm. + + The TPM request may come from OS. This API will check if TPM request exi= sts and need user + input to confirmation. + + @retval TRUE TPM needs input to confirm user physical presence= . + @retval FALSE TPM doesn't need input to confirm user physical p= resence. + +**/ +BOOLEAN +Tcg2NeedUserConfirm( + VOID + ); + +/** + The handler for TPM physical presence function: + Return TPM Operation Response to OS Environment. + + @param[out] MostRecentRequest Most recent operation request. + @param[out] Response Response to the most recent operation = request. + + @return Return Code for Return TPM Operation Response to OS Environment. +**/ +UINT32 +EFIAPI +Tcg2ReturnOperationResponseToOsFunction ( + OUT UINT32 *MostRecentRequest, + OUT UINT32 *Response + ); + +/** + Check and execute the pending TPM request. + + The TPM request may come from OS or BIOS. This API will display request = information and wait + for user confirmation if TPM request exists. The TPM request will be sen= t to TPM device after + the TPM request is confirmed, and one or more reset may be required to m= ake TPM request to + take effect. + + This API should be invoked after console in and console out are all read= y as they are required + to display request information and get user input to confirm the request= . + + @param[in] PlatformAuth platform auth value. NULL mea= ns no platform auth change. +**/ +VOID +EFIAPI +Tcg2ProcessStorageRequest ( + VOID + ); + + +#endif + diff --git a/SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/DxeTcgPhy= sicalPresenceStorage.c b/SecurityPkg/Library/DxeTcgPhysicalPresenceStorageL= ib/DxeTcgPhysicalPresenceStorage.c new file mode 100644 index 0000000..da004d2 --- /dev/null +++ b/SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/DxeTcgPhysicalPr= esenceStorage.c @@ -0,0 +1,501 @@ +/** @file + Tcg PP storage library instance that does support any storage specific P= PI. + +Copyright (c) 2016, Intel Corporation. All rights reserved.
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD = License +which accompanies this distribution. The full text of the license may be = found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLI= ED. + +**/ +#include + +#include +#include + +#include + + +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "DxeTcgPhysicalPresenceStorageLibInternal.h" + +/** + Display the confirm text and get user confirmation. + + @param[in] OperationRequest TPM physical presence operation requ= est. + @param[in] ManagementFlags BIOS TPM Management Flags. + + + @retval TRUE The user need to confirme the changes. + @retval FALSE The user doesn't need to confirme the changes. +**/ +BOOLEAN +TcgPpNeedUserConfirm ( + IN UINT8 OperationRequest, + IN UINT32 ManagementFlags + ) +{ + BOOLEAN NeedUserConfirm; + + NeedUserConfirm =3D FALSE; + + switch (OperationRequest) { + case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID: + if ((ManagementFlags & TCG_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FO= R_ENABLE_BLOCK_SID) !=3D 0) { + NeedUserConfirm =3D TRUE; + } + break; + + case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID: + if ((ManagementFlags & TCG_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FO= R_DISABLE_BLOCK_SID) !=3D 0) { + NeedUserConfirm =3D TRUE; + } + break; + + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_TR= UE: + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_T= RUE: + NeedUserConfirm =3D TRUE; + break; + + default: + break; + } + + return NeedUserConfirm; +} + +/** + The handler for TPM physical presence function: + Submit TPM Operation Request to Pre-OS Environment and + Submit TPM Operation Request to Pre-OS Environment 2. + + Caution: This function may receive untrusted input. + + @param[in] OperationRequest TPM physical presence operation request= . + @param[in] RequestParameter TPM physical presence operation request= parameter. + + @return Return Code for Submit TPM Operation Request to Pre-OS Environme= nt and + Submit TPM Operation Request to Pre-OS Environment 2. +**/ +UINT32 +EFIAPI +TcgSubmitStorageRequest ( + IN UINT32 OperationRequest, + IN UINT32 RequestParameter + ) +{ + EFI_STATUS Status; + UINTN DataSize; + EFI_PHYSICAL_PRESENCE PpData; + + DEBUG ((EFI_D_INFO, "[TPM Storage] SubmitRequestToPreOSFunction, Request= =3D %x, %x\n", OperationRequest, RequestParameter)); + + // + // Get the Physical Presence storage variable + // + DataSize =3D sizeof (EFI_PHYSICAL_PRESENCE); + Status =3D gRT->GetVariable ( + PHYSICAL_PRESENCE_VARIABLE, + &gEfiPhysicalPresenceGuid, + NULL, + &DataSize, + &PpData + ); + if (EFI_ERROR (Status)) { + DEBUG ((EFI_D_ERROR, "[TPM Storage] Get PP variable failure! Status = =3D %r\n", Status)); + return TCG_PP_SUBMIT_REQUEST_TO_PREOS_GENERAL_FAILURE; + } + + if ((OperationRequest >=3D TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERAT= ION) && + (OperationRequest < TCG2_PHYSICAL_PRESENCE_STORAGE_MANAGEMENT_BEGIN)= ) { + // + // This library only support storage related actions. + // + return TCG_PP_SUBMIT_REQUEST_TO_PREOS_NOT_IMPLEMENTED; + } + + if (PpData.PPRequest !=3D OperationRequest) { + PpData.PPRequest =3D (UINT8)OperationRequest; + DataSize =3D sizeof (EFI_PHYSICAL_PRESENCE); + Status =3D gRT->SetVariable ( + PHYSICAL_PRESENCE_VARIABLE, + &gEfiPhysicalPresenceGuid, + EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_A= CCESS | EFI_VARIABLE_RUNTIME_ACCESS, + DataSize, + &PpData + ); + } + + if (EFI_ERROR (Status)) { + DEBUG ((EFI_D_ERROR, "[TPM Storage] Set PP variable failure! Status = =3D %r\n", Status)); + return TCG_PP_SUBMIT_REQUEST_TO_PREOS_GENERAL_FAILURE; + } + + return TCG_PP_SUBMIT_REQUEST_TO_PREOS_SUCCESS; +} + +/** + Check if the pending TPM request needs user input to confirm. + + The TPM request may come from OS. This API will check if TPM request exi= sts and need user + input to confirmation. + + @retval TRUE TPM needs input to confirm user physical presence= . + @retval FALSE TPM doesn't need input to confirm user physical p= resence. + +**/ +BOOLEAN +EFIAPI +TcgNeedUserConfirm( + VOID + ) +{ + EFI_STATUS Status; + EFI_PHYSICAL_PRESENCE TcgPpData; + UINTN DataSize; + EFI_TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS PpiFlags; + + // + // Check S4 resume + // + if (GetBootModeHob () =3D=3D BOOT_ON_S4_RESUME) { + DEBUG ((EFI_D_INFO, "S4 Resume, Skip TPM PP process!\n")); + return FALSE; + } + + // + // Check Tpm requests + // + DataSize =3D sizeof (EFI_PHYSICAL_PRESENCE); + Status =3D gRT->GetVariable ( + PHYSICAL_PRESENCE_VARIABLE, + &gEfiPhysicalPresenceGuid, + NULL, + &DataSize, + &TcgPpData + ); + if (EFI_ERROR (Status)) { + return FALSE; + } + + DataSize =3D sizeof (EFI_TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS); + Status =3D gRT->GetVariable ( + TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS_VARIABLE, + &gEfiTcgPhysicalPresenceStorageGuid, + NULL, + &DataSize, + &PpiFlags + ); + if (EFI_ERROR (Status)) { + PpiFlags.PPFlags =3D TCG_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT; + } + + if ((TcgPpData.PPRequest >=3D TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPE= RATION) && + (TcgPpData.PPRequest < TCG2_PHYSICAL_PRESENCE_STORAGE_MANAGEMENT_BEG= IN) ) { + // + // This library only support storage related actions. + // + return FALSE; + } + + return TcgPpNeedUserConfirm(TcgPpData.PPRequest, PpiFlags.PPFlags); +} + +/** + The handler for TPM physical presence function: + Return TPM Operation Response to OS Environment. + + @param[out] MostRecentRequest Most recent operation request. + @param[out] Response Response to the most recent operation = request. + + @return Return Code for Return TPM Operation Response to OS Environment. +**/ +UINT32 +EFIAPI +TcgReturnOperationResponseToOsFunction ( + OUT UINT32 *MostRecentRequest, + OUT UINT32 *Response + ) +{ + EFI_STATUS Status; + UINTN DataSize; + EFI_PHYSICAL_PRESENCE PpData; + + DEBUG ((EFI_D_INFO, "[TPM Storage] ReturnOperationResponseToOsFunction\n= ")); + + // + // Get the Physical Presence variable + // + DataSize =3D sizeof (EFI_PHYSICAL_PRESENCE); + Status =3D gRT->GetVariable ( + PHYSICAL_PRESENCE_VARIABLE, + &gEfiPhysicalPresenceGuid, + NULL, + &DataSize, + &PpData + ); + if (EFI_ERROR (Status)) { + *MostRecentRequest =3D 0; + *Response =3D 0; + DEBUG ((EFI_D_ERROR, "[TPM Storage] Get PP variable failure! Status = =3D %r\n", Status)); + return TCG_PP_RETURN_TPM_OPERATION_RESPONSE_FAILURE; + } + + *MostRecentRequest =3D PpData.LastPPRequest; + *Response =3D PpData.PPResponse; + + return TCG_PP_RETURN_TPM_OPERATION_RESPONSE_SUCCESS; +} + +/** + Check and execute the requested physical presence command. + + This API should be invoked in BIOS boot phase to process pending request= . + + Caution: This function may receive untrusted input. + + If OperationRequest < 128, then ASSERT(). + + @param[in] OperationRequest TPM physical presence operation request= . + @param[in, out] ManagementFlags BIOS TPM Management Flags. + @param[out] ResetRequired If reset is required to vendor settings= in effect. + True, it indicates the reset is require= d. + False, it indicates the reset is not re= quired. + + @return TPM Operation Response to OS Environment. +**/ +UINT32 +TcgExecutePendingRequest ( + IN UINT8 OperationRequest, + IN OUT UINT8 *ManagementFlags, + OUT BOOLEAN *ResetRequired + ) +{ + ASSERT ((OperationRequest >=3D TCG2_PHYSICAL_PRESENCE_STORAGE_MANAGEMENT= _BEGIN) && + (OperationRequest < TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERA= TION)); + + if (TcgPpNeedUserConfirm(OperationRequest, *ManagementFlags)) { + if (!TcgPpUserConfirm (OperationRequest)) { + return TCG_PP_OPERATION_RESPONSE_USER_ABORT; + } + } + + switch (OperationRequest) { + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_TR= UE: + *ManagementFlags |=3D TCG_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR= _ENABLE_BLOCK_SID; + return TCG_PP_OPERATION_RESPONSE_SUCCESS; + + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_FA= LSE: + *ManagementFlags &=3D ~TCG_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FO= R_ENABLE_BLOCK_SID; + return TCG_PP_OPERATION_RESPONSE_SUCCESS; + + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_T= RUE: + *ManagementFlags |=3D TCG_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR= _DISABLE_BLOCK_SID; + return TCG_PP_OPERATION_RESPONSE_SUCCESS; + + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_F= ALSE: + *ManagementFlags &=3D ~TCG_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FO= R_DISABLE_BLOCK_SID; + return TCG_PP_OPERATION_RESPONSE_SUCCESS; + + case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID: + *ManagementFlags |=3D TCG_BIOS_STORAGE_MANAGEMENT_FLAG_ENABLE_BLOCK_SI= D; + return TCG_PP_OPERATION_RESPONSE_SUCCESS; + + case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID: + *ManagementFlags &=3D ~TCG_BIOS_STORAGE_MANAGEMENT_FLAG_ENABLE_BLOCK_S= ID; + return TCG_PP_OPERATION_RESPONSE_SUCCESS; + + default: + break; + } + + return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE; +} + +/** + Check and execute the pending TPM request. + + The TPM request may come from OS or BIOS. This API will display request = information and wait + for user confirmation if TPM request exists. The TPM request will be sen= t to TPM device after + the TPM request is confirmed, and one or more reset may be required to m= ake TPM request to + take effect. + + This API should be invoked after console in and console out are all read= y as they are required + to display request information and get user input to confirm the request= . + + @param[in] PlatformAuth platform auth value. NULL mea= ns no platform auth change. +**/ +VOID +EFIAPI +TcgProcessStorageRequest ( + VOID + ) +{ + EFI_STATUS Status; + UINTN DataSize; + EFI_PHYSICAL_PRESENCE TcgPpData; + EDKII_VARIABLE_LOCK_PROTOCOL *VariableLockProtocol; + EFI_PHYSICAL_PRESENCE_FLAGS PpiFlags; + EFI_PHYSICAL_PRESENCE_FLAGS NewPpiFlags; + BOOLEAN ResetRequired; + + // + // Check S4 resume + // + if (GetBootModeHob () =3D=3D BOOT_ON_S4_RESUME) { + DEBUG ((EFI_D_INFO, "S4 Resume, Skip TPM PP process!\n")); + return ; + } + + // + // Initialize physical presence variable. + // + DataSize =3D sizeof (EFI_PHYSICAL_PRESENCE); + Status =3D gRT->GetVariable ( + PHYSICAL_PRESENCE_VARIABLE, + &gEfiPhysicalPresenceGuid, + NULL, + &DataSize, + &TcgPpData + ); + if (EFI_ERROR (Status)) { + ZeroMem ((VOID*)&TcgPpData, sizeof (TcgPpData)); + DataSize =3D sizeof (EFI_PHYSICAL_PRESENCE); + Status =3D gRT->SetVariable ( + PHYSICAL_PRESENCE_VARIABLE, + &gEfiPhysicalPresenceGuid, + EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE= _ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, + DataSize, + &TcgPpData + ); + if (EFI_ERROR (Status)) { + DEBUG ((EFI_D_ERROR, "[TPM Storage] Set physical presence variable f= ailed, Status =3D %r\n", Status)); + return ; + } + } + + if ((TcgPpData.PPRequest >=3D TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPE= RATION) || + (TcgPpData.PPRequest < TCG2_PHYSICAL_PRESENCE_STORAGE_MANAGEMENT_BEG= IN) ) { + // + // This library only support storage related actions. + // + DEBUG ((EFI_D_INFO, "[TPM Storage] Only support TCG storage related PP= actions, not support PPRequest=3D%x\n", TcgPpData.PPRequest)); + return; + } + + // + // Initialize physical presence storage flags. + // + DataSize =3D sizeof (EFI_TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS); + Status =3D gRT->GetVariable ( + TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS_VARIABLE, + &gEfiTcgPhysicalPresenceStorageGuid, + NULL, + &DataSize, + &PpiFlags + ); + if (EFI_ERROR (Status)) { + PpiFlags.PPFlags =3D TCG_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT; + Status =3D gRT->SetVariable ( + TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS_VARIABLE, + &gEfiTcgPhysicalPresenceStorageGuid, + EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE= _ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, + sizeof (EFI_TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS), + &PpiFlags + ); + if (EFI_ERROR (Status)) { + DEBUG ((EFI_D_ERROR, "[TPM Storage] Set physical presence flag faile= d, Status =3D %r\n", Status)); + return ; + } + } + DEBUG ((EFI_D_INFO, "[TPM Storage] PpiFlags =3D %x\n", PpiFlags.PPFlags)= ); + + // + // This flags variable controls whether physical presence is required fo= r TPM command. + // It should be protected from malicious software. We set it as read-onl= y variable here. + // + Status =3D gBS->LocateProtocol (&gEdkiiVariableLockProtocolGuid, NULL, (= VOID **)&VariableLockProtocol); + if (!EFI_ERROR (Status)) { + Status =3D VariableLockProtocol->RequestToLock ( + VariableLockProtocol, + TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS_V= ARIABLE, + &gEfiTcgPhysicalPresenceStorageGuid + ); + if (EFI_ERROR (Status)) { + DEBUG ((EFI_D_ERROR, "[TPM Storage] Error when lock variable %s, Sta= tus =3D %r\n", TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS_VARIABLE, Status)); + ASSERT_EFI_ERROR (Status); + } + } + + DEBUG ((EFI_D_INFO, "[TPM Storage] Flags=3D%x, PPRequest=3D%x (LastPPReq= uest=3D%x)\n", PpiFlags.PPFlags, TcgPpData.PPRequest, TcgPpData.LastPPReque= st)); + + NewPpiFlags.PPFlags =3D PpiFlags.PPFlags; + ResetRequired =3D FALSE; + TcgPpData.PPResponse =3D TCG_PP_OPERATION_RESPONSE_USER_ABORT; + + TcgPpData.PPResponse =3D TcgExecutePendingRequest (TcgPpData.PPRequest, = &NewPpiFlags.PPFlags, &ResetRequired); + DEBUG ((EFI_D_INFO, "[TPM Storage] PPResponse =3D %x (LastPPRequest=3D%x= , Flags=3D%x)\n", TcgPpData.PPResponse, TcgPpData.LastPPRequest, PpiFlags.P= PFlags)); + + if (TcgPpData.PPResponse =3D=3D TCG_PP_OPERATION_RESPONSE_USER_ABORT) { + return; + } + + // + // Save the flags if it is updated. + // + if (CompareMem (&PpiFlags, &NewPpiFlags, sizeof(EFI_TCG_PHYSICAL_PRESENC= E_STORAGE_FLAGS)) !=3D 0) { + Status =3D gRT->SetVariable ( + TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS_VARIABLE, + &gEfiTcgPhysicalPresenceStorageGuid, + EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE= _ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, + sizeof (EFI_TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS), + &NewPpiFlags + ); + } + + // + // Clear request + // + TcgPpData.LastPPRequest =3D TcgPpData.PPRequest; + TcgPpData.PPRequest =3D TCG_PHYSICAL_PRESENCE_NO_ACTION; + + // + // Save changes + // + DataSize =3D sizeof (EFI_PHYSICAL_PRESENCE); + Status =3D gRT->SetVariable ( + PHYSICAL_PRESENCE_VARIABLE, + &gEfiPhysicalPresenceGuid, + EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACC= ESS | EFI_VARIABLE_RUNTIME_ACCESS, + DataSize, + &TcgPpData + ); + if (EFI_ERROR (Status)) { + return; + } + + if (!ResetRequired) { + return; + } + + Print (L"Rebooting system to make TPM2 settings in effect\n"); + gRT->ResetSystem (EfiResetCold, EFI_SUCCESS, 0, NULL); + ASSERT (FALSE); +} + diff --git a/SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/DxeTcgPhy= sicalPresenceStorage.h b/SecurityPkg/Library/DxeTcgPhysicalPresenceStorageL= ib/DxeTcgPhysicalPresenceStorage.h new file mode 100644 index 0000000..536ff05 --- /dev/null +++ b/SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/DxeTcgPhysicalPr= esenceStorage.h @@ -0,0 +1,88 @@ +/** @file + Tcg PP storage library instance that does support any storage specific P= PI. + +Copyright (c) 2016, Intel Corporation. All rights reserved.
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD = License +which accompanies this distribution. The full text of the license may be = found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLI= ED. + +**/ +#ifndef _TCG_PHYSICAL_PRESENCE_STORAGE_H_ +#define _TCG_PHYSICAL_PRESENCE_STORAGE_H_ + +/** + The handler for TPM physical presence function: + Submit TPM Operation Request to Pre-OS Environment and + Submit TPM Operation Request to Pre-OS Environment 2. + + Caution: This function may receive untrusted input. + + @param[in] OperationRequest TPM physical presence operation request= . + @param[in] RequestParameter TPM physical presence operation request= parameter. + + @return Return Code for Submit TPM Operation Request to Pre-OS Environme= nt and + Submit TPM Operation Request to Pre-OS Environment 2. +**/ +UINT32 +TcgSubmitStorageRequest ( + IN UINT32 OperationRequest, + IN UINT32 RequestParameter + ); + +/** + Check if the pending TPM request needs user input to confirm. + + The TPM request may come from OS. This API will check if TPM request exi= sts and need user + input to confirmation. + + @retval TRUE TPM needs input to confirm user physical presence= . + @retval FALSE TPM doesn't need input to confirm user physical p= resence. + +**/ +BOOLEAN +TcgNeedUserConfirm( + VOID + ); + +/** + The handler for TPM physical presence function: + Return TPM Operation Response to OS Environment. + + @param[out] MostRecentRequest Most recent operation request. + @param[out] Response Response to the most recent operation = request. + + @return Return Code for Return TPM Operation Response to OS Environment. +**/ +UINT32 +EFIAPI +TcgReturnOperationResponseToOsFunction ( + OUT UINT32 *MostRecentRequest, + OUT UINT32 *Response + ); + +/** + Check and execute the pending TPM request. + + The TPM request may come from OS or BIOS. This API will display request = information and wait + for user confirmation if TPM request exists. The TPM request will be sen= t to TPM device after + the TPM request is confirmed, and one or more reset may be required to m= ake TPM request to + take effect. + + This API should be invoked after console in and console out are all read= y as they are required + to display request information and get user input to confirm the request= . + + @param[in] PlatformAuth platform auth value. NULL mea= ns no platform auth change. +**/ +VOID +EFIAPI +TcgProcessStorageRequest ( + VOID + ); + + +#endif + diff --git a/SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/DxeTcgPhy= sicalPresenceStorageLib.c b/SecurityPkg/Library/DxeTcgPhysicalPresenceStora= geLib/DxeTcgPhysicalPresenceStorageLib.c new file mode 100644 index 0000000..1b8a09c --- /dev/null +++ b/SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/DxeTcgPhysicalPr= esenceStorageLib.c @@ -0,0 +1,390 @@ +/** @file + Tcg PP storage library instance that does support any storage specific P= PI. + +Copyright (c) 2016, Intel Corporation. All rights reserved.
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD = License +which accompanies this distribution. The full text of the license may be = found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLI= ED. + +**/ +#include + +#include +#include +#include + +#include + +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include + +#include "DxeTcgPhysicalPresenceStorage.h" +#include "DxeTcg2PhysicalPresenceStorage.h" + +#define CONFIRM_BUFFER_SIZE 4096 + +EFI_HII_HANDLE mTcgPpStorageStringPackHandle; + +/** + Get string by string id from HII Interface. + + @param[in] Id String ID. + + @retval CHAR16 * String from ID. + @retval NULL If error occurs. + +**/ +CHAR16 * +TcgPpGetStringById ( + IN EFI_STRING_ID Id + ) +{ + return HiiGetString (mTcgPpStorageStringPackHandle, Id, NULL); +} + +/** + Read the specified key for user confirmation. + + @retval TRUE User confirmed the changes by input. + @retval FALSE User discarded the changes. +**/ +BOOLEAN +TcgPpStrageReadUserKey ( + VOID + ) +{ + EFI_STATUS Status; + EFI_INPUT_KEY Key; + UINT16 InputKey; + + InputKey =3D 0; + do { + Status =3D gBS->CheckEvent (gST->ConIn->WaitForKey); + if (!EFI_ERROR (Status)) { + Status =3D gST->ConIn->ReadKeyStroke (gST->ConIn, &Key); + if (Key.ScanCode =3D=3D SCAN_ESC) { + InputKey =3D Key.ScanCode; + } + if ((Key.ScanCode =3D=3D SCAN_F10)) { + InputKey =3D Key.ScanCode; + } + } + } while (InputKey =3D=3D 0); + + if (InputKey !=3D SCAN_ESC) { + return TRUE; + } + + return FALSE; +} + +/** + Display the confirm text and get user confirmation. + + @param[in] TpmPpCommand The requested TPM physical presence = command. + + @retval TRUE The user has confirmed the changes. + @retval FALSE The user doesn't confirm the changes. +**/ +BOOLEAN +TcgPpUserConfirm ( + IN UINT8 TpmPpCommand + ) +{ + CHAR16 *ConfirmText; + CHAR16 *TmpStr1; + CHAR16 *TmpStr2; + UINTN BufSize; + UINT16 Index; + CHAR16 DstStr[81]; + + TmpStr2 =3D NULL; + BufSize =3D CONFIRM_BUFFER_SIZE; + ConfirmText =3D AllocateZeroPool (BufSize); + ASSERT (ConfirmText !=3D NULL); + + switch (TpmPpCommand) { + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_TR= UE: + TmpStr2 =3D TcgPpGetStringById (STRING_TOKEN (TCG_STORAGE_PP_ENABLE_BL= OCK_SID)); + + TmpStr1 =3D TcgPpGetStringById (STRING_TOKEN (TCG_STORAGE_HEAD_STR)); + UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2); + FreePool (TmpStr1); + break; + + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_FA= LSE: + TmpStr2 =3D TcgPpGetStringById (STRING_TOKEN (TCG_STORAGE_PP_ENABLE_BL= OCK_SID)); + + TmpStr1 =3D TcgPpGetStringById (STRING_TOKEN (TCG_STORAGE_HEAD_STR)); + UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2); + FreePool (TmpStr1); + break; + + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_T= RUE: + TmpStr2 =3D TcgPpGetStringById (STRING_TOKEN (TCG_STORAGE_PP_DISABLE_B= LOCK_SID)); + + TmpStr1 =3D TcgPpGetStringById (STRING_TOKEN (TCG_STORAGE_HEAD_STR)); + UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2); + FreePool (TmpStr1); + break; + + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_F= ALSE: + TmpStr2 =3D TcgPpGetStringById (STRING_TOKEN (TCG_STORAGE_PP_DISABLE_B= LOCK_SID)); + + TmpStr1 =3D TcgPpGetStringById (STRING_TOKEN (TCG_STORAGE_HEAD_STR)); + UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2); + FreePool (TmpStr1); + break; + + case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID: + TmpStr2 =3D TcgPpGetStringById (STRING_TOKEN (TCG_STORAGE_ENABLE_BLOCK= _SID)); + + TmpStr1 =3D TcgPpGetStringById (STRING_TOKEN (TCG_STORAGE_HEAD_STR)); + UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2); + FreePool (TmpStr1); + break; + + case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID: + TmpStr2 =3D TcgPpGetStringById (STRING_TOKEN (TCG_STORAGE_DISABLE_BLOC= K_SID)); + + TmpStr1 =3D TcgPpGetStringById (STRING_TOKEN (TCG_STORAGE_HEAD_STR)); + UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2); + FreePool (TmpStr1); + break; + + default: + break; + } + + TmpStr1 =3D TcgPpGetStringById (STRING_TOKEN (TCG_STORAGE_ACCEPT_KEY)); + StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), TmpStr1, (BufSize / si= zeof (CHAR16)) - StrLen (ConfirmText) - 1); + FreePool (TmpStr1); + + TmpStr1 =3D TcgPpGetStringById (STRING_TOKEN (TCG_STORAGE_NO_PPI_INFO)); + StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), TmpStr1, (BufSize / si= zeof (CHAR16)) - StrLen (ConfirmText) - 1); + FreePool (TmpStr1); + + + TmpStr1 =3D TcgPpGetStringById (STRING_TOKEN (TCG_STORAGE_REJECT_KEY)); + BufSize -=3D StrSize (ConfirmText); + UnicodeSPrint (ConfirmText + StrLen (ConfirmText), BufSize, TmpStr1, Tmp= Str2); + + DstStr[80] =3D L'\0'; + for (Index =3D 0; Index < StrLen (ConfirmText); Index +=3D 80) { + StrnCpyS (DstStr, sizeof (DstStr) / sizeof (CHAR16), ConfirmText + Ind= ex, sizeof (DstStr) / sizeof (CHAR16) - 1); + Print (DstStr); + } + + FreePool (TmpStr1); + FreePool (TmpStr2); + FreePool (ConfirmText); + + if (TcgPpStrageReadUserKey ()) { + return TRUE; + } + + return FALSE; +} + +/** + The handler for TPM physical presence function: + Submit TPM Operation Request to Pre-OS Environment and + Submit TPM Operation Request to Pre-OS Environment 2. + + Caution: This function may receive untrusted input. + + @param[in] OperationRequest TPM physical presence operation request= . + @param[in] RequestParameter TPM physical presence operation request= parameter. + + @return Return Code for Submit TPM Operation Request to Pre-OS Environme= nt and + Submit TPM Operation Request to Pre-OS Environment 2. +**/ +UINT32 +EFIAPI +TcgPhysicalPresenceStorageLibSubmitRequestToPreOSFunction ( + IN UINT32 OperationRequest, + IN UINT32 RequestParameter + ) +{ + // + // Get Physical Presence command state + // + if (CompareGuid(PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceTpm= 12Guid)) { + return TcgSubmitStorageRequest (OperationRequest, RequestParameter); + } else { + return Tcg2SubmitStorageRequest (OperationRequest, RequestParameter); + } +} + +/** + The handler for TPM physical presence function: + Return TPM Operation Response to OS Environment. + + @param[out] MostRecentRequest Most recent operation request. + @param[out] Response Response to the most recent operation = request. + + @return Return Code for Return TPM Operation Response to OS Environment. +**/ +UINT32 +EFIAPI +TcgPhysicalPresenceStorageLibReturnOperationResponseToOsFunction ( + OUT UINT32 *MostRecentRequest, + OUT UINT32 *Response + ) +{ + // + // Get Physical Presence command state + // + if (CompareGuid(PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceTpm= 12Guid)) { + return TcgReturnOperationResponseToOsFunction (MostRecentRequest, Resp= onse); + } else { + return Tcg2ReturnOperationResponseToOsFunction (MostRecentRequest, Res= ponse); + } +} + +/** + Check if the pending TPM request needs user input to confirm. + + The TPM request may come from OS. This API will check if TPM request exi= sts and need user + input to confirmation. + + @retval TRUE TPM needs input to confirm user physical presence= . + @retval FALSE TPM doesn't need input to confirm user physical p= resence. + +**/ +BOOLEAN +EFIAPI +TcgPhysicalPresenceStorageLibNeedUserConfirm( + VOID + ) +{ + // + // Get Physical Presence command state + // + if (CompareGuid(PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceTpm= 12Guid)) { + return TcgNeedUserConfirm (); + } else { + return Tcg2NeedUserConfirm (); + } +} + +/** + Check and execute the pending TPM request. + + The TPM request may come from OS or BIOS. This API will display request = information and wait + for user confirmation if TPM request exists. The TPM request will be sen= t to TPM device after + the TPM request is confirmed, and one or more reset may be required to m= ake TPM request to + take effect. + + This API should be invoked after console in and console out are all read= y as they are required + to display request information and get user input to confirm the request= . + + @param[in] PlatformAuth platform auth value. NULL mea= ns no platform auth change. +**/ +VOID +EFIAPI +TcgPhysicalPresenceStorageLibProcessRequest ( + VOID + ) +{ + // + // Get Physical Presence command state + // + if (CompareGuid(PcdGetPtr(PcdTpmInstanceGuid), &gEfiTpmDeviceInstanceTpm= 12Guid)) { + TcgProcessStorageRequest(); + } else { + Tcg2ProcessStorageRequest (); + } +} + +/** + The handler for TPM physical presence function: + Return TPM Operation flag variable. + + @return Return Code for Return TPM Operation flag variable. +**/ +UINT32 +EFIAPI +TcgPhysicalPresenceStorageLibReturnStorageFlags ( + VOID + ) +{ + UINTN DataSize; + EFI_TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS PpiFlags; + EFI_STATUS Status; + + + DataSize =3D sizeof (EFI_TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS); + Status =3D gRT->GetVariable ( + TCG_PHYSICAL_PRESENCE_STORAGE_FLAGS_VARIABLE, + &gEfiTcgPhysicalPresenceStorageGuid, + NULL, + &DataSize, + &PpiFlags + ); + if (EFI_ERROR (Status)) { + return TCG_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT; + } + + return PpiFlags.PPFlags; +} + +/** + + Install Boot Manager Menu driver. + + @param ImageHandle The image handle. + @param SystemTable The system table. + + @retval EFI_SUCEESS Install Boot manager menu success. + @retval Other Return error status. + +**/ +EFI_STATUS +EFIAPI +TcgPhysicalPresenceStorageLibConstructor ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + mTcgPpStorageStringPackHandle =3D HiiAddPackages (&gEfiTcgPhysicalPresen= ceStorageGuid, gImageHandle, DxeTcgPhysicalPresenceStorageLibStrings, NULL)= ; + ASSERT (mTcgPpStorageStringPackHandle !=3D NULL); + + return EFI_SUCCESS; +} + +/** + Unloads the application and its installed protocol. + + @param[in] ImageHandle Handle that identifies the image to be unl= oaded. + @param[in] SystemTable System Table + + @retval EFI_SUCCESS The image has been unloaded. +**/ +EFI_STATUS +EFIAPI +TcgPhysicalPresenceStorageLibDestructor ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + HiiRemovePackages (mTcgPpStorageStringPackHandle); + + return EFI_SUCCESS; +} diff --git a/SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/DxeTcgPhy= sicalPresenceStorageLib.inf b/SecurityPkg/Library/DxeTcgPhysicalPresenceSto= rageLib/DxeTcgPhysicalPresenceStorageLib.inf new file mode 100644 index 0000000..a13a47d --- /dev/null +++ b/SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/DxeTcgPhysicalPr= esenceStorageLib.inf @@ -0,0 +1,67 @@ +## @file +# Tcg PP storage library instance that does support any storage specific = PPI. +# +# Copyright (c) 2016, Intel Corporation. All rights reserved.
+# This program and the accompanying materials +# are licensed and made available under the terms and conditions of the BS= D License +# which accompanies this distribution. The full text of the license may be= found at +# http://opensource.org/licenses/bsd-license.php +# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMP= LIED. +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D DxeTcgPhysicalPresenceStorageLib + MODULE_UNI_FILE =3D DxeTcgPhysicalPresenceStorageLib.uni + FILE_GUID =3D 51924AE9-BE81-4820-94BA-7C9546E702D0 + MODULE_TYPE =3D DXE_DRIVER + VERSION_STRING =3D 1.0 + LIBRARY_CLASS =3D TcgPhysicalPresenceStorageLib|DXE_RUN= TIME_DRIVER DXE_SMM_DRIVER DXE_DRIVER + CONSTRUCTOR =3D TcgPhysicalPresenceStorageLibConstruc= tor + DESTRUCTOR =3D TcgPhysicalPresenceStorageLibDestruct= or + +# +# The following information is for reference only and not required by the = build tools. +# +# VALID_ARCHITECTURES =3D IA32 X64 IPF EBC +# + +[Sources] + DxeTcgPhysicalPresenceStorageLib.c + DxeTcgPhysicalPresenceStorageLibStrings.uni + DxeTcg2PhysicalPresenceStorage.c + DxeTcg2PhysicalPresenceStorage.h + DxeTcgPhysicalPresenceStorage.c + DxeTcgPhysicalPresenceStorage.h + DxeTcgPhysicalPresenceStorageLibInternal.h + +[Packages] + MdePkg/MdePkg.dec + SecurityPkg/SecurityPkg.dec + MdeModulePkg/MdeModulePkg.dec + +[LibraryClasses] + MemoryAllocationLib + UefiLib + UefiBootServicesTableLib + UefiDriverEntryPoint + UefiRuntimeServicesTableLib + BaseMemoryLib + DebugLib + PrintLib + HiiLib + HobLib + +[Guids] + gEfiTcgPhysicalPresenceStorageGuid ## SOMETIMES_CONSUMES ## HII + gEfiTpmDeviceInstanceTpm12Guid ## SOMETIMES_CONSUMES + gEfiPhysicalPresenceGuid ## SOMETIMES_CONSUMES + gEfiTcg2PhysicalPresenceGuid ## SOMETIMES_CONSUMES + +[Pcd] + gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid ## C= ONSUMES + +[Protocols] + gEdkiiVariableLockProtocolGuid ## SOMETIMES_CONSUMES diff --git a/SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/DxeTcgPhy= sicalPresenceStorageLib.uni b/SecurityPkg/Library/DxeTcgPhysicalPresenceSto= rageLib/DxeTcgPhysicalPresenceStorageLib.uni new file mode 100644 index 0000000..400f0fc --- /dev/null +++ b/SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/DxeTcgPhysicalPr= esenceStorageLib.uni @@ -0,0 +1,18 @@ +// /** @file +// Tcg PP storage library instance that does support any storage specific = PPI. +// +// Copyright (c) 2016, Intel Corporation. All rights reserved.
+// +// This program and the accompanying materials +// are licensed and made available under the terms and conditions of the B= SD License +// which accompanies this distribution. The full text of the license may b= e found at +// http://opensource.org/licenses/bsd-license.php +// THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +// WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IM= PLIED. +// +// **/ + +#string STR_MODULE_ABSTRACT #language en-US "Tcg PP Storage li= brary instance that supports any storage specific PPI" + +#string STR_MODULE_DESCRIPTION #language en-US "Tcg PP Storage li= brary instance that supports any storage specific PPI." + diff --git a/SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/DxeTcgPhy= sicalPresenceStorageLibInternal.h b/SecurityPkg/Library/DxeTcgPhysicalPrese= nceStorageLib/DxeTcgPhysicalPresenceStorageLibInternal.h new file mode 100644 index 0000000..00b79b8 --- /dev/null +++ b/SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/DxeTcgPhysicalPr= esenceStorageLibInternal.h @@ -0,0 +1,31 @@ +/** @file + Tcg PP storage library instance that does support any storage specific P= PI. + +Copyright (c) 2016, Intel Corporation. All rights reserved.
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD = License +which accompanies this distribution. The full text of the license may be = found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLI= ED. + +**/ +#ifndef _TCG_PHYSICAL_PRESENCE_STORAGE_LIB_INTENAL_H_ +#define _TCG_PHYSICAL_PRESENCE_STORAGE_LIB_INTENAL_H_ +/** + Display the confirm text and get user confirmation. + + @param[in] TpmPpCommand The requested TPM physical presence = command. + + @retval TRUE The user has confirmed the changes. + @retval FALSE The user doesn't confirm the changes. +**/ +BOOLEAN +TcgPpUserConfirm ( + IN UINT8 TpmPpCommand + ); + + +#endif + diff --git a/SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/DxeTcgPhy= sicalPresenceStorageLibStrings.uni b/SecurityPkg/Library/DxeTcgPhysicalPres= enceStorageLib/DxeTcgPhysicalPresenceStorageLibStrings.uni new file mode 100644 index 0000000..34ef396 --- /dev/null +++ b/SecurityPkg/Library/DxeTcgPhysicalPresenceStorageLib/DxeTcgPhysicalPr= esenceStorageLibStrings.uni @@ -0,0 +1,31 @@ +/** @file + String definitions for TPM 2.0 physical presence storage related actions= confirm text. + +Copyright (c) 2016, Intel Corporation. All rights reserved.
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD = License +which accompanies this distribution. The full text of the license may be = found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLI= ED. + +**/ + +#langdef en-US "English" + +#string TCG_STORAGE_HEAD_STR #language en-US "A config= uration change was requested to %s on subsequent boots\n\n" +#string TCG_STORAGE_PPI_HEAD_STR #language en-US "A config= uration change was requested to allow the Operating System to %s without as= king for user confirmation in the future.\n\n" + +#string TCG_STORAGE_ACCEPT_KEY #language en-US "Press F1= 0 " +#string TCG_STORAGE_CAUTION_KEY #language en-US "Press F1= 2 " +#string TCG_STORAGE_REJECT_KEY #language en-US "to %s\nP= ress ESC to reject this change request and continue\n" + +#string TCG_STORAGE_NO_PPI_INFO #language en-US "to appro= ve future Operating System requests " + +#string TCG_STORAGE_ENABLE_BLOCK_SID #language en-US "issue Bl= ock SID " +#string TCG_STORAGE_DISABLE_BLOCK_SID #language en-US "disable = issuing Block SID " + +#string TCG_STORAGE_PP_ENABLE_BLOCK_SID #language en-US "enable b= locking SID authentication" +#string TCG_STORAGE_PP_DISABLE_BLOCK_SID #language en-US "disable = blocking SID authentication" + diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index dab332a..7b71795 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec @@ -77,6 +77,11 @@ # Tcg2PpVendorLib|Include/Library/TcgPpVendorLib.h =20 + ## @libraryclass Provides support for TCG Physical Presence Interface = (PPI) specification + # >=3D 96 && < 128 Vendor Specific PPI Operation. + # + TcgPhysicalPresenceStorageLib|Include/Library/TcgPhysicalPresenceStorage= Lib.h + ## @libraryclass Handle TPM 2.0 physical presence request from OS. # Tcg2PhysicalPresenceLib|Include/Library/Tcg2PhysicalPresenceLib.h @@ -146,6 +151,10 @@ # Include/Guid/Tcg2PhysicalPresenceData.h gEfiTcg2PhysicalPresenceGuid =3D { 0xaeb9c5c1, 0x94f1, 0x4d02, { 0xbf, 0= xd9, 0x46, 0x2, 0xdb, 0x2d, 0x3c, 0x54 }} =20 + ## + # Include/Guid/Tcg2PhysicalPresenceData.h + gEfiTcgPhysicalPresenceStorageGuid =3D { 0x2EBE3E34, 0xB3CD, 0x471A, { 0= xBF, 0x87, 0xB3, 0xC6, 0x6E, 0xE0, 0x74, 0x9A}} + ## GUID used for form browser, password credential and provider identifi= er. # Include/Guid/PwdCredentialProviderHii.h gPwdCredentialProviderGuid =3D { 0x78b9ec8b, 0xc000, 0x46c5, { 0= xac, 0x93, 0x24, 0xa0, 0xc1, 0xbb, 0x0, 0xce }} --=20 2.6.4.windows.1