From e92ddda2b547f0b952935abaf44fd72e97dbf755 Mon Sep 17 00:00:00 2001 From: Star Zeng Date: Wed, 23 Nov 2016 16:38:33 +0800 Subject: SecurityPkg Tcg2PPLib: Support BlockSID related actions Then Tcg2PhysicalPresenceLib can support TCG2 PP TPM2, storage management and vendor specific requests according to Physical Presence Interface Specification. Cc: Jiewen Yao Cc: Chao Zhang Cc: Eric Dong Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Star Zeng Reviewed-by: Jiewen Yao Reviewed-by: Eric Dong --- .../Include/Library/Tcg2PhysicalPresenceLib.h | 7 + .../DxeTcg2PhysicalPresenceLib.c | 241 +++++++++++++++------ .../PeiTcg2PhysicalPresenceLib.c | 4 +- .../SmmTcg2PhysicalPresenceLib.c | 41 +++- 4 files changed, 217 insertions(+), 76 deletions(-) diff --git a/SecurityPkg/Include/Library/Tcg2PhysicalPresenceLib.h b/SecurityPkg/Include/Library/Tcg2PhysicalPresenceLib.h index 910da7a288..3e446acab2 100644 --- a/SecurityPkg/Include/Library/Tcg2PhysicalPresenceLib.h +++ b/SecurityPkg/Include/Library/Tcg2PhysicalPresenceLib.h @@ -43,6 +43,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. // #define TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_BLOCK_SID BIT16 #define TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_BLOCK_SID BIT17 +#define TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_ENABLE_BLOCK_SID BIT18 // // Default value @@ -52,6 +53,12 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. TCG2_BIOS_TPM_MANAGEMENT_FLAG_PP_REQUIRED_FOR_CHANGE_EPS | \ TCG2_BIOS_TPM_MANAGEMENT_FLAG_PP_REQUIRED_FOR_CHANGE_PCRS) +// +// Default value +// +#define TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT (TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_BLOCK_SID | \ + TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_BLOCK_SID) + /** Check and execute the pending TPM request. diff --git a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c index bfecffa0fe..a077b03a4d 100644 --- a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c +++ b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c @@ -163,9 +163,6 @@ Tcg2ExecutePhysicalPresence ( EFI_TCG2_EVENT_ALGORITHM_BITMAP TpmHashAlgorithmBitmap; UINT32 ActivePcrBanks; - Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &ActivePcrBanks); - ASSERT_EFI_ERROR (Status); - switch (CommandCode) { case TCG2_PHYSICAL_PRESENCE_CLEAR: case TCG2_PHYSICAL_PRESENCE_ENABLE_CLEAR: @@ -187,6 +184,8 @@ Tcg2ExecutePhysicalPresence ( return TCG_PP_OPERATION_RESPONSE_SUCCESS; case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS: + Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &ActivePcrBanks); + ASSERT_EFI_ERROR (Status); Status = Tpm2PcrAllocateBanks (PlatformAuth, TpmHashAlgorithmBitmap, CommandParameter); if (EFI_ERROR (Status)) { return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE; @@ -203,6 +202,8 @@ Tcg2ExecutePhysicalPresence ( } case TCG2_PHYSICAL_PRESENCE_LOG_ALL_DIGESTS: + Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &ActivePcrBanks); + ASSERT_EFI_ERROR (Status); Status = Tpm2PcrAllocateBanks (PlatformAuth, TpmHashAlgorithmBitmap, TpmHashAlgorithmBitmap); if (EFI_ERROR (Status)) { return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE; @@ -210,6 +211,30 @@ Tcg2ExecutePhysicalPresence ( return TCG_PP_OPERATION_RESPONSE_SUCCESS; } + case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID: + PpiFlags->PPFlags |= TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_ENABLE_BLOCK_SID; + return TCG_PP_OPERATION_RESPONSE_SUCCESS; + + case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID: + PpiFlags->PPFlags &= ~TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_ENABLE_BLOCK_SID; + return TCG_PP_OPERATION_RESPONSE_SUCCESS; + + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_TRUE: + PpiFlags->PPFlags |= TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_BLOCK_SID; + return TCG_PP_OPERATION_RESPONSE_SUCCESS; + + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_FALSE: + PpiFlags->PPFlags &= ~TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_BLOCK_SID; + return TCG_PP_OPERATION_RESPONSE_SUCCESS; + + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_TRUE: + PpiFlags->PPFlags |= TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_BLOCK_SID; + return TCG_PP_OPERATION_RESPONSE_SUCCESS; + + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_FALSE: + PpiFlags->PPFlags &= ~TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_BLOCK_SID; + return TCG_PP_OPERATION_RESPONSE_SUCCESS; + default: if (CommandCode <= TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX) { return TCG_PP_OPERATION_RESPONSE_SUCCESS; @@ -339,22 +364,6 @@ Tcg2UserConfirm ( EFI_TCG2_BOOT_SERVICE_CAPABILITY ProtocolCapability; UINT32 CurrentPCRBanks; EFI_STATUS Status; - - Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **) &Tcg2Protocol); - ASSERT_EFI_ERROR (Status); - - ProtocolCapability.Size = sizeof(ProtocolCapability); - Status = Tcg2Protocol->GetCapability ( - Tcg2Protocol, - &ProtocolCapability - ); - ASSERT_EFI_ERROR (Status); - - Status = Tcg2Protocol->GetActivePcrBanks ( - Tcg2Protocol, - &CurrentPCRBanks - ); - ASSERT_EFI_ERROR (Status); TmpStr2 = NULL; CautionKey = FALSE; @@ -363,6 +372,9 @@ Tcg2UserConfirm ( ConfirmText = AllocateZeroPool (BufSize); ASSERT (ConfirmText != NULL); + mTcg2PpStringPackHandle = HiiAddPackages (&gEfiTcg2PhysicalPresenceGuid, gImageHandle, DxeTcg2PhysicalPresenceLibStrings, NULL); + ASSERT (mTcg2PpStringPackHandle != NULL); + switch (TpmPpCommand) { case TCG2_PHYSICAL_PRESENCE_CLEAR: @@ -404,6 +416,22 @@ Tcg2UserConfirm ( break; case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS: + Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **) &Tcg2Protocol); + ASSERT_EFI_ERROR (Status); + + ProtocolCapability.Size = sizeof(ProtocolCapability); + Status = Tcg2Protocol->GetCapability ( + Tcg2Protocol, + &ProtocolCapability + ); + ASSERT_EFI_ERROR (Status); + + Status = Tcg2Protocol->GetActivePcrBanks ( + Tcg2Protocol, + &CurrentPCRBanks + ); + ASSERT_EFI_ERROR (Status); + CautionKey = TRUE; TmpStr2 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TPM_SET_PCR_BANKS)); @@ -449,7 +477,40 @@ Tcg2UserConfirm ( FreePool (TmpStr1); break; - + + case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID: + TmpStr2 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TCG_STORAGE_ENABLE_BLOCK_SID)); + + TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TCG_STORAGE_HEAD_STR)); + UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2); + FreePool (TmpStr1); + break; + + case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID: + TmpStr2 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TCG_STORAGE_DISABLE_BLOCK_SID)); + + TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TCG_STORAGE_HEAD_STR)); + UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2); + FreePool (TmpStr1); + break; + + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_FALSE: + NoPpiInfo = TRUE; + TmpStr2 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TCG_STORAGE_PP_ENABLE_BLOCK_SID)); + + TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TCG_STORAGE_PPI_HEAD_STR)); + UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2); + FreePool (TmpStr1); + break; + + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_FALSE: + NoPpiInfo = TRUE; + TmpStr2 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TCG_STORAGE_PP_DISABLE_BLOCK_SID)); + + TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TCG_STORAGE_PPI_HEAD_STR)); + UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2); + FreePool (TmpStr1); + break; default: ; @@ -505,6 +566,7 @@ Tcg2UserConfirm ( FreePool (TmpStr1); FreePool (TmpStr2); FreePool (ConfirmText); + HiiRemovePackages (mTcg2PpStringPackHandle); if (Tcg2ReadUserKey (CautionKey)) { return TRUE; @@ -519,10 +581,10 @@ Tcg2UserConfirm ( @param[in] TcgPpData EFI Tcg2 Physical Presence request data. @param[in] Flags The physical presence interface flags. - @param[out] RequestConfirmed If the physical presence operation command required user confirm from UI. - True, it indicates the command doesn't require user confirm, or already confirmed - in last boot cycle by user. - False, it indicates the command need user confirm from UI. + @param[out] RequestConfirmed If the physical presence operation command required user confirm from UI. + True, it indicates the command doesn't require user confirm, or already confirmed + in last boot cycle by user. + False, it indicates the command need user confirm from UI. @retval TRUE Physical Presence operation command is valid. @retval FALSE Physical Presence operation command is invalid. @@ -535,10 +597,22 @@ Tcg2HaveValidTpmRequest ( OUT BOOLEAN *RequestConfirmed ) { - BOOLEAN IsRequestValid; + EFI_TCG2_PROTOCOL *Tcg2Protocol; + EFI_STATUS Status; + BOOLEAN IsRequestValid; *RequestConfirmed = FALSE; + if (TcgPpData->PPRequest <= TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX) { + // + // Need TCG2 protocol. + // + Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **) &Tcg2Protocol); + if (EFI_ERROR (Status)) { + return FALSE; + } + } + switch (TcgPpData->PPRequest) { case TCG2_PHYSICAL_PRESENCE_NO_ACTION: *RequestConfirmed = TRUE; @@ -576,6 +650,27 @@ Tcg2HaveValidTpmRequest ( *RequestConfirmed = TRUE; break; + case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID: + if ((Flags.PPFlags & TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_BLOCK_SID) == 0) { + *RequestConfirmed = TRUE; + } + break; + + case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID: + if ((Flags.PPFlags & TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_BLOCK_SID) == 0) { + *RequestConfirmed = TRUE; + } + break; + + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_TRUE: + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_TRUE: + *RequestConfirmed = TRUE; + break; + + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_FALSE: + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_FALSE: + break; + default: if (TcgPpData->PPRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) { IsRequestValid = Tcg2PpVendorLibHasValidRequest (TcgPpData->PPRequest, Flags.PPFlags, RequestConfirmed); @@ -613,15 +708,15 @@ Tcg2HaveValidTpmRequest ( TcgPpData variable is external input, so this function will validate its data structure to be valid value. - @param[in] PlatformAuth platform auth value. NULL means no platform auth change. - @param[in] TcgPpData Point to the physical presence NV variable. - @param[in] Flags The physical presence interface flags. + @param[in] PlatformAuth platform auth value. NULL means no platform auth change. + @param[in, out] TcgPpData Pointer to the physical presence NV variable. + @param[in, out] Flags Pointer to the physical presence interface flags. **/ VOID Tcg2ExecutePendingTpmRequest ( IN TPM2B_AUTH *PlatformAuth, OPTIONAL - IN EFI_TCG2_PHYSICAL_PRESENCE *TcgPpData, - IN EFI_TCG2_PHYSICAL_PRESENCE_FLAGS Flags + IN OUT EFI_TCG2_PHYSICAL_PRESENCE *TcgPpData, + IN OUT EFI_TCG2_PHYSICAL_PRESENCE_FLAGS *Flags ) { EFI_STATUS Status; @@ -638,7 +733,7 @@ Tcg2ExecutePendingTpmRequest ( return; } - if (!Tcg2HaveValidTpmRequest(TcgPpData, Flags, &RequestConfirmed)) { + if (!Tcg2HaveValidTpmRequest(TcgPpData, *Flags, &RequestConfirmed)) { // // Invalid operation request. // @@ -664,7 +759,7 @@ Tcg2ExecutePendingTpmRequest ( ResetRequired = FALSE; if (TcgPpData->PPRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) { - NewFlags = Flags; + NewFlags = *Flags; NewPPFlags = NewFlags.PPFlags; TcgPpData->PPResponse = Tcg2PpVendorLibExecutePendingRequest (PlatformAuth, TcgPpData->PPRequest, &NewPPFlags, &ResetRequired); NewFlags.PPFlags = NewPPFlags; @@ -680,7 +775,7 @@ Tcg2ExecutePendingTpmRequest ( // Execute requested physical presence command // TcgPpData->PPResponse = TCG_PP_OPERATION_RESPONSE_USER_ABORT; - NewFlags = Flags; + NewFlags = *Flags; if (RequestConfirmed) { TcgPpData->PPResponse = Tcg2ExecutePhysicalPresence ( PlatformAuth, @@ -694,7 +789,8 @@ Tcg2ExecutePendingTpmRequest ( // // Save the flags if it is updated. // - if (CompareMem (&Flags, &NewFlags, sizeof(EFI_TCG2_PHYSICAL_PRESENCE_FLAGS)) != 0) { + if (CompareMem (Flags, &NewFlags, sizeof(EFI_TCG2_PHYSICAL_PRESENCE_FLAGS)) != 0) { + *Flags = NewFlags; Status = gRT->SetVariable ( TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE, &gEfiTcg2PhysicalPresenceGuid, @@ -745,6 +841,16 @@ Tcg2ExecutePendingTpmRequest ( case TCG2_PHYSICAL_PRESENCE_LOG_ALL_DIGESTS: break; + case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID: + case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID: + break; + + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_TRUE: + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_TRUE: + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_FALSE: + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_FALSE: + return; + default: if (TcgPpData->LastPPRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) { if (ResetRequired) { @@ -786,15 +892,9 @@ Tcg2PhysicalPresenceLibProcessRequest ( EFI_STATUS Status; UINTN DataSize; EFI_TCG2_PHYSICAL_PRESENCE TcgPpData; - EFI_TCG2_PROTOCOL *Tcg2Protocol; EDKII_VARIABLE_LOCK_PROTOCOL *VariableLockProtocol; EFI_TCG2_PHYSICAL_PRESENCE_FLAGS PpiFlags; - Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **) &Tcg2Protocol); - if (EFI_ERROR (Status)) { - return ; - } - // // This flags variable controls whether physical presence is required for TPM command. // It should be protected from malicious software. We set it as read-only variable here. @@ -820,9 +920,6 @@ Tcg2PhysicalPresenceLibProcessRequest ( return ; } - mTcg2PpStringPackHandle = HiiAddPackages (&gEfiTcg2PhysicalPresenceGuid, gImageHandle, DxeTcg2PhysicalPresenceLibStrings, NULL); - ASSERT (mTcg2PpStringPackHandle != NULL); - // // Initialize physical presence flags. // @@ -835,7 +932,7 @@ Tcg2PhysicalPresenceLibProcessRequest ( &PpiFlags ); if (EFI_ERROR (Status)) { - PpiFlags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT; + PpiFlags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT | TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT; Status = gRT->SetVariable ( TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE, &gEfiTcg2PhysicalPresenceGuid, @@ -848,7 +945,6 @@ Tcg2PhysicalPresenceLibProcessRequest ( return ; } } - DEBUG ((EFI_D_INFO, "[TPM2] PpiFlags = %x\n", PpiFlags.PPFlags)); // // Initialize physical presence variable. @@ -882,7 +978,7 @@ Tcg2PhysicalPresenceLibProcessRequest ( // // Execute pending TPM request. // - Tcg2ExecutePendingTpmRequest (PlatformAuth, &TcgPpData, PpiFlags); + Tcg2ExecutePendingTpmRequest (PlatformAuth, &TcgPpData, &PpiFlags); DEBUG ((EFI_D_INFO, "[TPM2] PPResponse = %x (LastPPRequest=%x, Flags=%x)\n", TcgPpData.PPResponse, TcgPpData.LastPPRequest, PpiFlags.PPFlags)); } @@ -907,14 +1003,8 @@ Tcg2PhysicalPresenceLibNeedUserConfirm( EFI_TCG2_PHYSICAL_PRESENCE TcgPpData; UINTN DataSize; BOOLEAN RequestConfirmed; - EFI_TCG2_PROTOCOL *Tcg2Protocol; EFI_TCG2_PHYSICAL_PRESENCE_FLAGS PpiFlags; - Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **) &Tcg2Protocol); - if (EFI_ERROR (Status)) { - return FALSE; - } - // // Check S4 resume // @@ -1065,10 +1155,7 @@ Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunction ( } if ((OperationRequest > TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX) && - (OperationRequest < TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) ) { - // - // This command requires UI to prompt user for Auth data. - // + (OperationRequest < TCG2_PHYSICAL_PRESENCE_STORAGE_MANAGEMENT_BEGIN) ) { return TCG_PP_SUBMIT_REQUEST_TO_PREOS_NOT_IMPLEMENTED; } @@ -1084,11 +1171,10 @@ Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunction ( DataSize, &PpData ); - } - - if (EFI_ERROR (Status)) { - DEBUG ((EFI_D_ERROR, "[TPM2] Set PP variable failure! Status = %r\n", Status)); - return TCG_PP_SUBMIT_REQUEST_TO_PREOS_GENERAL_FAILURE; + if (EFI_ERROR (Status)) { + DEBUG ((EFI_D_ERROR, "[TPM2] Set PP variable failure! Status = %r\n", Status)); + return TCG_PP_SUBMIT_REQUEST_TO_PREOS_GENERAL_FAILURE; + } } if (OperationRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) { @@ -1101,10 +1187,41 @@ Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunction ( &Flags ); if (EFI_ERROR (Status)) { - Flags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT; + Flags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT | TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT; } return Tcg2PpVendorLibSubmitRequestToPreOSFunction (OperationRequest, Flags.PPFlags, RequestParameter); } return TCG_PP_SUBMIT_REQUEST_TO_PREOS_SUCCESS; } + +/** + Return TPM2 ManagementFlags set by PP interface. + + @retval ManagementFlags TPM2 Management Flags. +**/ +UINT32 +EFIAPI +Tcg2PhysicalPresenceLibGetManagementFlags ( + VOID + ) +{ + EFI_STATUS Status; + EFI_TCG2_PHYSICAL_PRESENCE_FLAGS PpiFlags; + UINTN DataSize; + + DEBUG ((EFI_D_INFO, "[TPM2] GetManagementFlags\n")); + + DataSize = sizeof (EFI_TCG2_PHYSICAL_PRESENCE_FLAGS); + Status = gRT->GetVariable ( + TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE, + &gEfiTcg2PhysicalPresenceGuid, + NULL, + &DataSize, + &PpiFlags + ); + if (EFI_ERROR (Status)) { + PpiFlags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT | TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT; + } + return PpiFlags.PPFlags; +} diff --git a/SecurityPkg/Library/PeiTcg2PhysicalPresenceLib/PeiTcg2PhysicalPresenceLib.c b/SecurityPkg/Library/PeiTcg2PhysicalPresenceLib/PeiTcg2PhysicalPresenceLib.c index 81fe1b4d2c..e190718907 100644 --- a/SecurityPkg/Library/PeiTcg2PhysicalPresenceLib/PeiTcg2PhysicalPresenceLib.c +++ b/SecurityPkg/Library/PeiTcg2PhysicalPresenceLib/PeiTcg2PhysicalPresenceLib.c @@ -3,7 +3,7 @@ This library will get TPM 2.0 physical presence information. -Copyright (c) 2015, Intel Corporation. All rights reserved.
+Copyright (c) 2015 - 2016, Intel Corporation. All rights reserved.
This program and the accompanying materials are licensed and made available under the terms and conditions of the BSD License which accompanies this distribution. The full text of the license may be found at @@ -53,7 +53,7 @@ Tcg2PhysicalPresenceLibGetManagementFlags ( &PpiFlags ); if (EFI_ERROR (Status)) { - PpiFlags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT; + PpiFlags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT | TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT; } return PpiFlags.PPFlags; } diff --git a/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.c b/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.c index 039bca1293..ba4db1113a 100644 --- a/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.c +++ b/SecurityPkg/Library/SmmTcg2PhysicalPresenceLib/SmmTcg2PhysicalPresenceLib.c @@ -130,10 +130,7 @@ Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunctionEx ( } if ((*OperationRequest > TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX) && - (*OperationRequest < TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) ) { - // - // This command requires UI to prompt user for Auth data. - // + (*OperationRequest < TCG2_PHYSICAL_PRESENCE_STORAGE_MANAGEMENT_BEGIN) ) { ReturnCode = TCG_PP_SUBMIT_REQUEST_TO_PREOS_NOT_IMPLEMENTED; goto EXIT; } @@ -150,12 +147,11 @@ Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunctionEx ( DataSize, &PpData ); - } - - if (EFI_ERROR (Status)) { - DEBUG ((EFI_D_ERROR, "[TPM2] Set PP variable failure! Status = %r\n", Status)); - ReturnCode = TCG_PP_SUBMIT_REQUEST_TO_PREOS_GENERAL_FAILURE; - goto EXIT; + if (EFI_ERROR (Status)) { + DEBUG ((EFI_D_ERROR, "[TPM2] Set PP variable failure! Status = %r\n", Status)); + ReturnCode = TCG_PP_SUBMIT_REQUEST_TO_PREOS_GENERAL_FAILURE; + goto EXIT; + } } if (*OperationRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) { @@ -168,7 +164,7 @@ Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunctionEx ( &Flags ); if (EFI_ERROR (Status)) { - Flags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT; + Flags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT | TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT; } ReturnCode = Tcg2PpVendorLibSubmitRequestToPreOSFunction (*OperationRequest, Flags.PPFlags, *RequestParameter); } @@ -318,6 +314,27 @@ Tcg2PhysicalPresenceLibGetUserConfirmationStatusFunction ( RequestConfirmed = TRUE; break; + case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID: + if ((Flags.PPFlags & TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_BLOCK_SID) == 0) { + RequestConfirmed = TRUE; + } + break; + + case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID: + if ((Flags.PPFlags & TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_BLOCK_SID) == 0) { + RequestConfirmed = TRUE; + } + break; + + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_TRUE: + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_TRUE: + RequestConfirmed = TRUE; + break; + + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_FALSE: + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_FALSE: + break; + default: if (OperationRequest <= TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX) { RequestConfirmed = TRUE; @@ -341,7 +358,7 @@ Tcg2PhysicalPresenceLibGetUserConfirmationStatusFunction ( } /** - The constructor function register UNI strings into imageHandle. + The constructor function locates SmmVariable protocol. It will ASSERT() if that operation fails and it will always return EFI_SUCCESS. -- cgit v1.2.3