From 1cf00fbdb36fd2f350d92530007483b8831d4340 Mon Sep 17 00:00:00 2001 From: Eric Dong Date: Tue, 29 Mar 2016 14:45:36 +0800 Subject: SecurityPkg: OpalPasswordSupportLib: Add Opal password support library. APIs used to support opal password solution to trig opal command. Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Eric Dong Reviewed-by: Feng Tian --- .../Include/Guid/OpalPasswordExtraInfoVariable.h | 27 ++ .../Include/Library/OpalPasswordSupportLib.h | 289 +++++++++++++++++++++ 2 files changed, 316 insertions(+) create mode 100644 SecurityPkg/Include/Guid/OpalPasswordExtraInfoVariable.h create mode 100644 SecurityPkg/Include/Library/OpalPasswordSupportLib.h (limited to 'SecurityPkg/Include') diff --git a/SecurityPkg/Include/Guid/OpalPasswordExtraInfoVariable.h b/SecurityPkg/Include/Guid/OpalPasswordExtraInfoVariable.h new file mode 100644 index 0000000000..f16d0a4ac3 --- /dev/null +++ b/SecurityPkg/Include/Guid/OpalPasswordExtraInfoVariable.h @@ -0,0 +1,27 @@ +/** @file + Defines Name GUIDs to represent an Opal device variable guid for Opal Security Feature. + +Copyright (c) 2016, Intel Corporation. All rights reserved.
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD License +which accompanies this distribution. The full text of the license may be found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + +#ifndef _OPAL_PASSWORD_EXTRA_INFO_VARIABLE_H_ +#define _OPAL_PASSWORD_EXTRA_INFO_VARIABLE_H_ + +#define OPAL_EXTRA_INFO_VAR_NAME L"OpalExtraInfo" + +typedef struct { + UINT8 EnableBlockSid; +} OPAL_EXTRA_INFO_VAR; + +extern EFI_GUID gOpalExtraInfoVariableGuid; + +#endif // _OPAL_PASSWORD_SECURITY_VARIABLE_H_ + diff --git a/SecurityPkg/Include/Library/OpalPasswordSupportLib.h b/SecurityPkg/Include/Library/OpalPasswordSupportLib.h new file mode 100644 index 0000000000..e616c763f0 --- /dev/null +++ b/SecurityPkg/Include/Library/OpalPasswordSupportLib.h @@ -0,0 +1,289 @@ +/** @file + Header file of Opal password support library. + +Copyright (c) 2016, Intel Corporation. All rights reserved.
+This program and the accompanying materials +are licensed and made available under the terms and conditions of the BSD License +which accompanies this distribution. The full text of the license may be found at +http://opensource.org/licenses/bsd-license.php + +THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, +WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + +**/ + + +#ifndef _OPAL_PASSWORD_SUPPORT_LIB_H_ +#define _OPAL_PASSWORD_SUPPORT_LIB_H_ + +#include +#include + + +#pragma pack(1) + +// +// Structure that is used to represent the available actions for an OpalDisk. +// The data can then be utilized to expose/hide certain actions available to an end user +// by the consumer of this library. +// +typedef struct { + // + // Indicates if the disk can support PSID Revert action. should verify disk supports PSID authority + // + UINT16 PsidRevert : 1; + + // + // Indicates if the disk can support Revert action + // + UINT16 Revert : 1; + + // + // Indicates if the user must keep data for revert action. It is true if no media encryption is supported. + // + UINT16 RevertKeepDataForced : 1; + + // + // Indicates if the disk can support set Admin password + // + UINT16 AdminPass : 1; + + // + // Indicates if the disk can support set User password. This action requires that a user + // password is first enabled. + // + UINT16 UserPass : 1; + + // + // Indicates if unlock action is available. Requires disk to be currently locked. + // + UINT16 Unlock : 1; + + // + // Indicates if Secure Erase action is available. Action requires admin credentials and media encryption support. + // + UINT16 SecureErase : 1; + + // + // Indicates if Disable User action is available. Action requires admin credentials. + // + UINT16 DisableUser : 1; +} OPAL_DISK_ACTIONS; + +// +// Structure that is used to represent the Opal device with password info. +// +typedef struct { + LIST_ENTRY Link; + + UINT8 Password[32]; + UINT8 PasswordLength; + + EFI_DEVICE_PATH_PROTOCOL OpalDevicePath; +} OPAL_DISK_AND_PASSWORD_INFO; + +#pragma pack() + +/** + + The function performs determines the available actions for the OPAL_DISK provided. + + @param[in] SupportedAttributes The support attribute for the device. + @param[in] LockingFeature The locking status for the device. + @param[in] OwnerShip The ownership for the device. + @param[out] AvalDiskActions Pointer to fill-out with appropriate disk actions. + +**/ +TCG_RESULT +EFIAPI +OpalSupportGetAvailableActions( + IN OPAL_DISK_SUPPORT_ATTRIBUTE *SupportedAttributes, + IN TCG_LOCKING_FEATURE_DESCRIPTOR *LockingFeature, + IN UINT16 OwnerShip, + OUT OPAL_DISK_ACTIONS *AvalDiskActions + ); + +/** + Enable Opal Feature for the input device. + + @param[in] Session The opal session for the opal device. + @param[in] Msid Msid + @param[in] MsidLength Msid Length + @param[in] Password Admin password + @param[in] PassLength Length of password in bytes + @param[in] DevicePath The device path for the opal devcie. + +**/ +TCG_RESULT +EFIAPI +OpalSupportEnableOpalFeature( + IN OPAL_SESSION *Session, + IN VOID *Msid, + IN UINT32 MsidLength, + IN VOID *Password, + IN UINT32 PassLength, + IN EFI_DEVICE_PATH_PROTOCOL *DevicePath + ); + +/** + Creates a session with OPAL_UID_ADMIN_SP as OPAL_ADMIN_SP_PSID_AUTHORITY, then reverts device using Admin SP Revert method. + + @param[in] Session The opal session for the opal device. + @param[in] Psid PSID of device to revert. + @param[in] PsidLength Length of PSID in bytes. + @param[in] DevicePath The device path for the opal devcie. + +**/ +TCG_RESULT +EFIAPI +OpalSupportPsidRevert( + IN OPAL_SESSION *Session, + IN VOID *Psid, + IN UINT32 PsidLength, + IN EFI_DEVICE_PATH_PROTOCOL *DevicePath + ); + +/** + Opens a session with OPAL_UID_ADMIN_SP as OPAL_ADMIN_SP_PSID_AUTHORITY, then reverts the device using the RevertSP method. + + @param[in] Session The opal session for the opal device. + @param[in] KeepUserData TRUE to keep existing Data on the disk, or FALSE to erase it + @param[in] Password Admin password + @param[in] PasswordLength Length of password in bytes + @param[in] Msid Msid + @param[in] MsidLength Msid Length + @param[out] PasswordFailed indicates if password failed (start session didn't work) + @param[in] DevicePath The device path for the opal devcie. + +**/ +TCG_RESULT +EFIAPI +OpalSupportRevert( + IN OPAL_SESSION *Session, + IN BOOLEAN KeepUserData, + IN VOID *Password, + IN UINT32 PasswordLength, + IN VOID *Msid, + IN UINT32 MsidLength, + OUT BOOLEAN *PasswordFailed, + IN EFI_DEVICE_PATH_PROTOCOL *DevicePath + ); + +/** + Set new password. + + @param[in] Session The opal session for the opal device. + @param[in] OldPassword Current admin password + @param[in] OldPasswordLength Length of current admin password in bytes + @param[in] NewPassword New admin password to set + @param[in] NewPasswordLength Length of new password in bytes + @param[in] DevicePath The device path for the opal devcie. + @param[in] SetAdmin Whether set admin password or user password. + TRUE for admin, FALSE for user. + +**/ +TCG_RESULT +EFIAPI +OpalSupportSetPassword( + IN OPAL_SESSION *Session, + IN VOID *OldPassword, + IN UINT32 OldPasswordLength, + IN VOID *NewPassword, + IN UINT32 NewPasswordLength, + IN EFI_DEVICE_PATH_PROTOCOL *DevicePath, + IN BOOLEAN SetAdmin + ); + +/** + Starts a session with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_ADMIN1_AUTHORITY and disables the User1 authority. + + @param[in] Session The opal session for the opal device. + @param[in] Password Admin password + @param[in] PasswordLength Length of password in bytes + @param[out] PasswordFailed Indicates if password failed (start session didn't work) + @param[in] DevicePath The device path for the opal devcie. + +**/ +TCG_RESULT +EFIAPI +OpalSupportDisableUser( + IN OPAL_SESSION *Session, + IN VOID *Password, + IN UINT32 PasswordLength, + OUT BOOLEAN *PasswordFailed, + IN EFI_DEVICE_PATH_PROTOCOL *DevicePath + ); + +/** + Starts a session with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_USER1_AUTHORITY or OPAL_LOCKING_SP_ADMIN1_AUTHORITY + and updates the global locking range ReadLocked and WriteLocked columns to FALSE. + + @param[in] Session The opal session for the opal device. + @param[in] Password Admin or user password + @param[in] PasswordLength Length of password in bytes + @param[in] DevicePath The device path for the opal devcie. + +**/ +TCG_RESULT +EFIAPI +OpalSupportUnlock( + IN OPAL_SESSION *Session, + IN VOID *Password, + IN UINT32 PasswordLength, + IN EFI_DEVICE_PATH_PROTOCOL *DevicePath + ); + +/** + Starts a session with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_USER1_AUTHORITY or OPAL_LOCKING_SP_ADMIN1_AUTHORITY + and updates the global locking range ReadLocked and WriteLocked columns to TRUE. + + @param[in] Session The opal session for the opal device. + @param[in] Password Admin or user password + @param[in] PasswordLength Length of password in bytes + @param[in] DevicePath The device path for the opal devcie. + +**/ +TCG_RESULT +EFIAPI +OpalSupportLock( + IN OPAL_SESSION *Session, + IN VOID *Password, + IN UINT32 PasswordLength, + IN EFI_DEVICE_PATH_PROTOCOL *DevicePath + ); + +/** + Check if the password is full zero. + + @param[in] Password Points to the Data Buffer + + @retval TRUE This password string is full zero. + @retval FALSE This password string is not full zero. + +**/ +LIST_ENTRY * +EFIAPI +OpalSupportGetOpalDeviceList ( + VOID + ); + +/** + Transfer the password to the smm driver. + + @param[in] DevicePath The device path for the opal devcie. + @param PasswordLen The input password length. + @param Password Input password buffer. + + @retval EFI_SUCCESS Do the required action success. + @retval Others Error occured. + +**/ +EFI_STATUS +EFIAPI +OpalSupportSendPasword( + EFI_DEVICE_PATH_PROTOCOL *DevicePath, + UINTN PasswordLen, + VOID *Password + ); + +#endif // _OPAL_CORE_H_ -- cgit v1.2.3