authorgdong1 <gdong1@6f19259b-4bc3-4df7-8a09-765794883524>2012-07-26 05:11:47 +0000
committergdong1 <gdong1@6f19259b-4bc3-4df7-8a09-765794883524>2012-07-26 05:11:47 +0000
commit5a5003323610f215591bd3c0bd1a426583e70fc7 (patch)
tree6b72fa57409597ee10686e9c2633d2de454654a7 /SecurityPkg/Tcg/TcgPei
parent4a23eaa9e0400325624e7d45b4a0e1e39c431d30 (diff)
Enhance TCG driver to provide TPM physical presence lifetime lock capability.
Signed-off-by: Dong Guo <guo.dong@intel.com> Reviewed-by: Ye Ting <ting.ye@intel.com> Reviewed-by: Yao Jiewen <jiewen.yao@intel.com> git-svn-id: https://edk2.svn.sourceforge.net/svnroot/edk2/trunk/edk2@13555 6f19259b-4bc3-4df7-8a09-765794883524
Diffstat (limited to 'SecurityPkg/Tcg/TcgPei')
-rw-r--r--SecurityPkg/Tcg/TcgPei/TcgPei.c52
-rw-r--r--SecurityPkg/Tcg/TcgPei/TcgPei.inf5
2 files changed, 47 insertions, 10 deletions
diff --git a/SecurityPkg/Tcg/TcgPei/TcgPei.c b/SecurityPkg/Tcg/TcgPei/TcgPei.c
index 63caddec8c..4732a2a174 100644
--- a/SecurityPkg/Tcg/TcgPei/TcgPei.c
+++ b/SecurityPkg/Tcg/TcgPei/TcgPei.c
@@ -1,7 +1,7 @@
/** @file
Initialize TPM device and measure FVs before handing off control to DXE.
-Copyright (c) 2005 - 2011, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2005 - 2012, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions of the BSD License
which accompanies this distribution. The full text of the license may be found at
@@ -379,7 +379,8 @@ FirmwareVolmeInfoPpiNotifyCallback (
}
/**
- Lock physical presence if needed.
+ Set physicalPresenceLifetimeLock, physicalPresenceHWEnable and physicalPresenceCMDEnable bit by corresponding PCDs.
+ And lock physical presence if needed.
@param[in] PeiServices An indirect pointer to the EFI_PEI_SERVICES table published by the PEI Foundation
@param[in] NotifyDescriptor Address of the notification descriptor data structure.
@@ -403,21 +404,54 @@ PhysicalPresencePpiNotifyCallback (
BOOLEAN LifetimeLock;
BOOLEAN CmdEnable;
TIS_TPM_HANDLE TpmHandle;
+ TPM_PHYSICAL_PRESENCE PhysicalPresenceValue;
TpmHandle = (TIS_TPM_HANDLE) (UINTN) TPM_BASE_ADDRESS;
- LockPhysicalPresencePpi = (PEI_LOCK_PHYSICAL_PRESENCE_PPI *) Ppi;
- if (!LockPhysicalPresencePpi->LockPhysicalPresence ((CONST EFI_PEI_SERVICES**) PeiServices)) {
- return EFI_SUCCESS;
+ Status = TpmCommGetCapability (PeiServices, TpmHandle, NULL, &LifetimeLock, &CmdEnable);
+ if (EFI_ERROR (Status)) {
+ return Status;
}
//
- // Lock TPM physical presence.
+ // 1. Set physicalPresenceLifetimeLock, physicalPresenceHWEnable and physicalPresenceCMDEnable bit by PCDs.
//
+ if (PcdGetBool (PcdPhysicalPresenceLifetimeLock) && !LifetimeLock) {
+ //
+ // Lock TPM LifetimeLock is required, and LifetimeLock is not locked yet.
+ //
+ PhysicalPresenceValue = TPM_PHYSICAL_PRESENCE_LIFETIME_LOCK;
+
+ if (PcdGetBool (PcdPhysicalPresenceCmdEnable)) {
+ PhysicalPresenceValue |= TPM_PHYSICAL_PRESENCE_CMD_ENABLE;
+ CmdEnable = TRUE;
+ } else {
+ PhysicalPresenceValue |= TPM_PHYSICAL_PRESENCE_CMD_DISABLE;
+ CmdEnable = FALSE;
+ }
- Status = TpmCommGetCapability (PeiServices, TpmHandle, NULL, &LifetimeLock, &CmdEnable);
- if (EFI_ERROR (Status)) {
- return Status;
+ if (PcdGetBool (PcdPhysicalPresenceHwEnable)) {
+ PhysicalPresenceValue |= TPM_PHYSICAL_PRESENCE_HW_ENABLE;
+ } else {
+ PhysicalPresenceValue |= TPM_PHYSICAL_PRESENCE_HW_DISABLE;
+ }
+
+ Status = TpmCommPhysicalPresence (
+ PeiServices,
+ TpmHandle,
+ PhysicalPresenceValue
+ );
+ if (EFI_ERROR (Status)) {
+ return Status;
+ }
+ }
+
+ //
+ // 2. Lock physical presence if it is required.
+ //
+ LockPhysicalPresencePpi = (PEI_LOCK_PHYSICAL_PRESENCE_PPI *) Ppi;
+ if (!LockPhysicalPresencePpi->LockPhysicalPresence ((CONST EFI_PEI_SERVICES**) PeiServices)) {
+ return EFI_SUCCESS;
}
if (!CmdEnable) {
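Review bot: `LifetimeLock` is read from the TPM before the new block and keeps its old value after the lifetime lock has been set, whereas `CmdEnable` is updated to match the PCD. The code that follows `if (!CmdEnable) {` lies outside this hunk; if it consults `LifetimeLock` to decide whether the command-enable bit can still be changed, it would act on the stale FALSE and send a request the TPM now refuses. Adding `LifetimeLock = TRUE;` right after the successful `TpmCommPhysicalPresence` call keeps both locals consistent with the device. Separately, the `return Status;` on failure of the lifetime-lock command exits before step 2, so physical presence is left unlocked for that boot; a comment stating whether that is intended, or falling through to the lock step, would make the failure behaviour explicit.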
diff --git a/SecurityPkg/Tcg/TcgPei/TcgPei.inf b/SecurityPkg/Tcg/TcgPei/TcgPei.inf
index 60a3bfa5f1..5d7da7f5e0 100644
--- a/SecurityPkg/Tcg/TcgPei/TcgPei.inf
+++ b/SecurityPkg/Tcg/TcgPei/TcgPei.inf
@@ -1,7 +1,7 @@
## @file
# This module will initialize TPM device and measure FVs in PEI phase.
#
-# Copyright (c) 2006 - 2011, Intel Corporation. All rights reserved.<BR>
+# Copyright (c) 2006 - 2012, Intel Corporation. All rights reserved.<BR>
# This program and the accompanying materials
# are licensed and made available under the terms and conditions of the BSD License
# which accompanies this distribution. The full text of the license may be found at
@@ -57,6 +57,9 @@
[Pcd]
gEfiSecurityPkgTokenSpaceGuid.PcdHideTpm
+ gEfiSecurityPkgTokenSpaceGuid.PcdPhysicalPresenceLifetimeLock
+ gEfiSecurityPkgTokenSpaceGuid.PcdPhysicalPresenceCmdEnable
+ gEfiSecurityPkgTokenSpaceGuid.PcdPhysicalPresenceHwEnable
[FixedPcd]
gEfiSecurityPkgTokenSpaceGuid.PcdHideTpmSupport
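Review bot: The three physical-presence PCDs are listed under `[Pcd]` rather than `[FixedPcd]`, so a platform may be able to bind them as patchable or dynamic values, depending on how the package declaration (not visible here) types them. TcgPei.c uses them to choose the enable/disable bits sent together with the lifetime lock, and the lifetime lock is a permanent TPM flag, so whatever values are in effect on the boot that sets it stay in force for the life of the part. If build-time policy is the intent, list them under `[FixedPcd]`; otherwise add a comment above them such as `# Consumed when the physical presence lifetime lock is set; the resulting TPM state cannot be changed afterwards.`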