]>
Commit | Line | Data |
---|---|---|
1 | /** @file\r | |
2 | Public API for Opal Core library.\r | |
3 | \r | |
4 | Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>\r | |
5 | This program and the accompanying materials\r | |
6 | are licensed and made available under the terms and conditions of the BSD License\r | |
7 | which accompanies this distribution. The full text of the license may be found at\r | |
8 | http://opensource.org/licenses/bsd-license.php\r | |
9 | \r | |
10 | THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r | |
11 | WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r | |
12 | \r | |
13 | **/\r | |
14 | #include <Uefi.h>\r | |
15 | #include <Library/BaseLib.h>\r | |
16 | #include <Library/DebugLib.h>\r | |
17 | #include <Library/TcgStorageOpalLib.h>\r | |
18 | \r | |
19 | \r | |
20 | /**\r | |
21 | Creates a session with OPAL_UID_ADMIN_SP as OPAL_ADMIN_SP_PSID_AUTHORITY, then reverts device using Admin SP Revert method.\r | |
22 | \r | |
23 | @param[in] Session, The session info for one opal device.\r | |
24 | @param[in] Psid PSID of device to revert.\r | |
25 | @param[in] PsidLength Length of PSID in bytes.\r | |
26 | \r | |
27 | **/\r | |
28 | TCG_RESULT\r | |
29 | EFIAPI\r | |
30 | OpalUtilPsidRevert(\r | |
31 | OPAL_SESSION *Session,\r | |
32 | const VOID *Psid,\r | |
33 | UINT32 PsidLength\r | |
34 | )\r | |
35 | {\r | |
36 | UINT8 MethodStatus;\r | |
37 | TCG_RESULT Ret;\r | |
38 | \r | |
39 | NULL_CHECK(Session);\r | |
40 | NULL_CHECK(Psid);\r | |
41 | \r | |
42 | Ret = OpalStartSession(\r | |
43 | Session,\r | |
44 | OPAL_UID_ADMIN_SP,\r | |
45 | TRUE,\r | |
46 | PsidLength,\r | |
47 | Psid,\r | |
48 | OPAL_ADMIN_SP_PSID_AUTHORITY,\r | |
49 | &MethodStatus);\r | |
50 | if (Ret == TcgResultSuccess && MethodStatus == TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
51 | Ret = OpalPsidRevert(Session);\r | |
52 | if (Ret != TcgResultSuccess) {\r | |
53 | //\r | |
54 | // If revert was successful, session was already ended by TPer, so only end session on failure\r | |
55 | //\r | |
56 | OpalEndSession(Session);\r | |
57 | }\r | |
58 | }\r | |
59 | \r | |
60 | if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
61 | Ret = TcgResultFailure;\r | |
62 | }\r | |
63 | \r | |
64 | return Ret;\r | |
65 | }\r | |
66 | \r | |
67 | /**\r | |
68 | Opens a session with OPAL_UID_ADMIN_SP as OPAL_ADMIN_SP_SID_AUTHORITY,\r | |
69 | sets the OPAL_UID_ADMIN_SP_C_PIN_SID column with the new password,\r | |
70 | and activates the locking SP to copy SID PIN to Admin1 Locking SP PIN\r | |
71 | \r | |
72 | @param[in] Session, The session info for one opal device.\r | |
73 | @param[in] GeneratedSid Generated SID of disk\r | |
74 | @param[in] SidLength Length of generatedSid in bytes\r | |
75 | @param[in] Password New admin password to set\r | |
76 | @param[in] PassLength Length of password in bytes\r | |
77 | \r | |
78 | **/\r | |
79 | TCG_RESULT\r | |
80 | EFIAPI\r | |
81 | OpalUtilSetAdminPasswordAsSid(\r | |
82 | OPAL_SESSION *Session,\r | |
83 | const VOID *GeneratedSid,\r | |
84 | UINT32 SidLength,\r | |
85 | const VOID *Password,\r | |
86 | UINT32 PassLength\r | |
87 | )\r | |
88 | {\r | |
89 | UINT8 MethodStatus;\r | |
90 | TCG_RESULT Ret;\r | |
91 | \r | |
92 | NULL_CHECK(Session);\r | |
93 | NULL_CHECK(GeneratedSid);\r | |
94 | NULL_CHECK(Password);\r | |
95 | \r | |
96 | Ret = OpalStartSession(\r | |
97 | Session,\r | |
98 | OPAL_UID_ADMIN_SP,\r | |
99 | TRUE,\r | |
100 | SidLength,\r | |
101 | GeneratedSid,\r | |
102 | OPAL_ADMIN_SP_SID_AUTHORITY,\r | |
103 | &MethodStatus\r | |
104 | );\r | |
105 | if (Ret != TcgResultSuccess || MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
106 | DEBUG ((DEBUG_INFO, "start session with admin SP as SID authority failed: Ret=%d MethodStatus=%u\n", Ret, MethodStatus));\r | |
107 | goto done;\r | |
108 | }\r | |
109 | \r | |
110 | //\r | |
111 | // 1. Update SID = new Password\r | |
112 | //\r | |
113 | Ret = OpalSetPassword(\r | |
114 | Session,\r | |
115 | OPAL_UID_ADMIN_SP_C_PIN_SID,\r | |
116 | Password,\r | |
117 | PassLength,\r | |
118 | &MethodStatus\r | |
119 | );\r | |
120 | \r | |
121 | if (Ret != TcgResultSuccess || MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
122 | OpalEndSession(Session);\r | |
123 | DEBUG ((DEBUG_INFO, "set Password failed: Ret=%d MethodStatus=%u\n", Ret, MethodStatus));\r | |
124 | goto done;\r | |
125 | }\r | |
126 | \r | |
127 | //\r | |
128 | // 2. Activate locking SP\r | |
129 | //\r | |
130 | Ret = OpalActivateLockingSp(Session, &MethodStatus);\r | |
131 | OpalEndSession(Session);\r | |
132 | if (Ret != TcgResultSuccess || MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
133 | DEBUG ((DEBUG_INFO, "activate locking SP failed: Ret=%d MethodStatus=%u\n", Ret, MethodStatus));\r | |
134 | goto done;\r | |
135 | }\r | |
136 | \r | |
137 | done:\r | |
138 | if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
139 | Ret = TcgResultFailure;\r | |
140 | }\r | |
141 | return Ret;\r | |
142 | }\r | |
143 | \r | |
144 | /**\r | |
145 | \r | |
146 | Opens a session with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_ADMIN1_AUTHORITY,\r | |
147 | and updates the specified locking range with the provided column values\r | |
148 | \r | |
149 | @param[in] Session, The session info for one opal device.\r | |
150 | @param[in] Password New admin password to set\r | |
151 | @param[in] PassLength Length of password in bytes\r | |
152 | @param[in] LockingRangeUid Locking range UID to set values\r | |
153 | @param[in] RangeStart Value to set RangeStart column for Locking Range\r | |
154 | @param[in] RangeLength Value to set RangeLength column for Locking Range\r | |
155 | @param[in] ReadLockEnabled Value to set readLockEnabled column for Locking Range\r | |
156 | @param[in] WriteLockEnabled Value to set writeLockEnabled column for Locking Range\r | |
157 | @param[in] ReadLocked Value to set ReadLocked column for Locking Range\r | |
158 | @param[in] WriteLocked Value to set WriteLocked column for Locking Range\r | |
159 | \r | |
160 | **/\r | |
161 | TCG_RESULT\r | |
162 | EFIAPI\r | |
163 | OpalUtilSetOpalLockingRange(\r | |
164 | OPAL_SESSION *Session,\r | |
165 | const VOID *Password,\r | |
166 | UINT32 PassLength,\r | |
167 | TCG_UID LockingRangeUid,\r | |
168 | UINT64 RangeStart,\r | |
169 | UINT64 RangeLength,\r | |
170 | BOOLEAN ReadLockEnabled,\r | |
171 | BOOLEAN WriteLockEnabled,\r | |
172 | BOOLEAN ReadLocked,\r | |
173 | BOOLEAN WriteLocked\r | |
174 | )\r | |
175 | {\r | |
176 | UINT8 MethodStatus;\r | |
177 | TCG_RESULT Ret;\r | |
178 | \r | |
179 | NULL_CHECK(Session);\r | |
180 | NULL_CHECK(Password);\r | |
181 | \r | |
182 | //\r | |
183 | // Start session with Locking SP using current admin Password\r | |
184 | //\r | |
185 | Ret = OpalStartSession(\r | |
186 | Session,\r | |
187 | OPAL_UID_LOCKING_SP,\r | |
188 | TRUE,\r | |
189 | PassLength,\r | |
190 | Password,\r | |
191 | OPAL_LOCKING_SP_ADMIN1_AUTHORITY,\r | |
192 | &MethodStatus);\r | |
193 | if ((Ret != TcgResultSuccess) || (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS)) {\r | |
194 | DEBUG ((DEBUG_INFO, "start session with locking SP failed: Ret=%d MethodStatus=%u\n", Ret, MethodStatus));\r | |
195 | goto done;\r | |
196 | }\r | |
197 | \r | |
198 | //\r | |
199 | // Enable locking range\r | |
200 | //\r | |
201 | Ret = OpalSetLockingRange(\r | |
202 | Session,\r | |
203 | LockingRangeUid,\r | |
204 | RangeStart,\r | |
205 | RangeLength,\r | |
206 | ReadLockEnabled,\r | |
207 | WriteLockEnabled,\r | |
208 | ReadLocked,\r | |
209 | WriteLocked,\r | |
210 | &MethodStatus);\r | |
211 | \r | |
212 | OpalEndSession(Session);\r | |
213 | if (Ret != TcgResultSuccess || MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
214 | DEBUG ((DEBUG_INFO, "set locking range failed: Ret=%d MethodStatus=0x%x\n", Ret, MethodStatus));\r | |
215 | }\r | |
216 | \r | |
217 | done:\r | |
218 | if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
219 | Ret = TcgResultFailure;\r | |
220 | }\r | |
221 | return Ret;\r | |
222 | }\r | |
223 | \r | |
224 | /**\r | |
225 | Opens a session with OPAL_UID_ADMIN_SP as OPAL_ADMIN_SP_SID_AUTHORITY,\r | |
226 | sets OPAL_UID_ADMIN_SP_C_PIN_SID with the new password,\r | |
227 | and sets OPAL_LOCKING_SP_C_PIN_ADMIN1 with the new password.\r | |
228 | \r | |
229 | @param[in] Session, The session info for one opal device.\r | |
230 | @param[in] OldPassword Current admin password\r | |
231 | @param[in] OldPasswordLength Length of current admin password in bytes\r | |
232 | @param[in] NewPassword New admin password to set\r | |
233 | @param[in] NewPasswordLength Length of new password in bytes\r | |
234 | \r | |
235 | **/\r | |
236 | TCG_RESULT\r | |
237 | EFIAPI\r | |
238 | OpalUtilSetAdminPassword(\r | |
239 | OPAL_SESSION *Session,\r | |
240 | const VOID *OldPassword,\r | |
241 | UINT32 OldPasswordLength,\r | |
242 | const VOID *NewPassword,\r | |
243 | UINT32 NewPasswordLength\r | |
244 | )\r | |
245 | {\r | |
246 | TCG_RESULT Ret;\r | |
247 | UINT8 MethodStatus;\r | |
248 | \r | |
249 | NULL_CHECK(Session);\r | |
250 | NULL_CHECK(OldPassword);\r | |
251 | NULL_CHECK(NewPassword);\r | |
252 | \r | |
253 | //\r | |
254 | // Unknown ownership\r | |
255 | //\r | |
256 | Ret = OpalStartSession(\r | |
257 | Session,\r | |
258 | OPAL_UID_ADMIN_SP,\r | |
259 | TRUE,\r | |
260 | OldPasswordLength,\r | |
261 | OldPassword,\r | |
262 | OPAL_ADMIN_SP_SID_AUTHORITY,\r | |
263 | &MethodStatus\r | |
264 | );\r | |
265 | if (Ret != TcgResultSuccess || MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
266 | DEBUG ((DEBUG_INFO, "start session with admin SP using old Password failed\n"));\r | |
267 | goto done;\r | |
268 | }\r | |
269 | \r | |
270 | //\r | |
271 | // Update SID = new pw\r | |
272 | //\r | |
273 | Ret = OpalSetPassword(Session, OPAL_UID_ADMIN_SP_C_PIN_SID, NewPassword, NewPasswordLength, &MethodStatus);\r | |
274 | OpalEndSession(Session);\r | |
275 | if (Ret != TcgResultSuccess || MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
276 | DEBUG ((DEBUG_INFO, "set new admin SP Password failed\n"));\r | |
277 | goto done;\r | |
278 | }\r | |
279 | \r | |
280 | Ret = OpalStartSession(\r | |
281 | Session,\r | |
282 | OPAL_UID_LOCKING_SP,\r | |
283 | TRUE,\r | |
284 | OldPasswordLength,\r | |
285 | OldPassword,\r | |
286 | OPAL_LOCKING_SP_ADMIN1_AUTHORITY,\r | |
287 | &MethodStatus\r | |
288 | );\r | |
289 | if (Ret != TcgResultSuccess || MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
290 | DEBUG ((DEBUG_INFO, "start session with locking SP using old Password failed\n"));\r | |
291 | goto done;\r | |
292 | }\r | |
293 | \r | |
294 | //\r | |
295 | // Update admin locking SP to new pw\r | |
296 | //\r | |
297 | Ret = OpalSetPassword(Session, OPAL_LOCKING_SP_C_PIN_ADMIN1, NewPassword, NewPasswordLength, &MethodStatus);\r | |
298 | OpalEndSession(Session);\r | |
299 | if (Ret != TcgResultSuccess || MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
300 | DEBUG ((DEBUG_INFO, "set new locking SP Password failed\n"));\r | |
301 | goto done;\r | |
302 | }\r | |
303 | \r | |
304 | done:\r | |
305 | if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
306 | Ret = TcgResultFailure;\r | |
307 | }\r | |
308 | return Ret;\r | |
309 | }\r | |
310 | \r | |
311 | /**\r | |
312 | Starts a session with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_USER1_AUTHORITY or OPAL_LOCKING_SP_ADMIN1_AUTHORITY\r | |
313 | and sets the User1 SP authority to enabled and sets the User1 password.\r | |
314 | \r | |
315 | @param[in] Session, The session info for one opal device.\r | |
316 | @param[in] OldPassword Current admin password\r | |
317 | @param[in] OldPasswordLength Length of current admin password in bytes\r | |
318 | @param[in] NewPassword New admin password to set\r | |
319 | @param[in] NewPasswordLength Length of new password in bytes\r | |
320 | \r | |
321 | **/\r | |
322 | TCG_RESULT\r | |
323 | EFIAPI\r | |
324 | OpalUtilSetUserPassword(\r | |
325 | OPAL_SESSION *Session,\r | |
326 | const VOID *OldPassword,\r | |
327 | UINT32 OldPasswordLength,\r | |
328 | const VOID *NewPassword,\r | |
329 | UINT32 NewPasswordLength\r | |
330 | )\r | |
331 | {\r | |
332 | UINT8 MethodStatus;\r | |
333 | TCG_RESULT Ret;\r | |
334 | \r | |
335 | NULL_CHECK(Session);\r | |
336 | NULL_CHECK(OldPassword);\r | |
337 | NULL_CHECK(NewPassword);\r | |
338 | \r | |
339 | //\r | |
340 | // See if updating user1 authority\r | |
341 | //\r | |
342 | Ret = OpalStartSession(\r | |
343 | Session,\r | |
344 | OPAL_UID_LOCKING_SP,\r | |
345 | TRUE,\r | |
346 | OldPasswordLength,\r | |
347 | OldPassword,\r | |
348 | OPAL_LOCKING_SP_USER1_AUTHORITY,\r | |
349 | &MethodStatus\r | |
350 | );\r | |
351 | if (Ret == TcgResultSuccess && MethodStatus == TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
352 | Ret = OpalSetPassword(\r | |
353 | Session,\r | |
354 | OPAL_LOCKING_SP_C_PIN_USER1,\r | |
355 | NewPassword,\r | |
356 | NewPasswordLength,\r | |
357 | &MethodStatus\r | |
358 | );\r | |
359 | OpalEndSession(Session);\r | |
360 | if (Ret == TcgResultSuccess && MethodStatus == TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
361 | return Ret;\r | |
362 | }\r | |
363 | }\r | |
364 | \r | |
365 | //\r | |
366 | // Setting Password for first time or setting Password as admin\r | |
367 | //\r | |
368 | \r | |
369 | //\r | |
370 | // Start session with Locking SP using current admin Password\r | |
371 | //\r | |
372 | Ret = OpalStartSession(\r | |
373 | Session,\r | |
374 | OPAL_UID_LOCKING_SP,\r | |
375 | TRUE,\r | |
376 | OldPasswordLength,\r | |
377 | OldPassword,\r | |
378 | OPAL_LOCKING_SP_ADMIN1_AUTHORITY,\r | |
379 | &MethodStatus\r | |
380 | );\r | |
381 | if (Ret != TcgResultSuccess || MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
382 | DEBUG ((DEBUG_INFO, "StartSession with locking SP as admin1 authority failed\n"));\r | |
383 | goto done;\r | |
384 | }\r | |
385 | \r | |
386 | //\r | |
387 | // Enable User1 and set its PIN\r | |
388 | //\r | |
389 | Ret = OpalSetLockingSpAuthorityEnabledAndPin(\r | |
390 | Session,\r | |
391 | OPAL_LOCKING_SP_C_PIN_USER1,\r | |
392 | OPAL_LOCKING_SP_USER1_AUTHORITY,\r | |
393 | NewPassword,\r | |
394 | NewPasswordLength,\r | |
395 | &MethodStatus\r | |
396 | );\r | |
397 | OpalEndSession(Session);\r | |
398 | if (Ret != TcgResultSuccess || MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
399 | DEBUG ((DEBUG_INFO, "OpalSetLockingSpAuthorityEnabledAndPin failed\n"));\r | |
400 | goto done;\r | |
401 | }\r | |
402 | \r | |
403 | done:\r | |
404 | if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
405 | Ret = TcgResultFailure;\r | |
406 | }\r | |
407 | return Ret;\r | |
408 | }\r | |
409 | \r | |
410 | /**\r | |
411 | Verify whether user input the correct password.\r | |
412 | \r | |
413 | @param[in] Session, The session info for one opal device.\r | |
414 | @param[in] Password Admin password\r | |
415 | @param[in] PasswordLength Length of password in bytes\r | |
416 | @param[in/out] HostSigningAuthority Use the Host signing authority type.\r | |
417 | \r | |
418 | **/\r | |
419 | TCG_RESULT\r | |
420 | EFIAPI\r | |
421 | OpalUtilVerifyPassword (\r | |
422 | OPAL_SESSION *Session,\r | |
423 | const VOID *Password,\r | |
424 | UINT32 PasswordLength,\r | |
425 | TCG_UID HostSigningAuthority\r | |
426 | )\r | |
427 | {\r | |
428 | TCG_RESULT Ret;\r | |
429 | UINT8 MethodStatus;\r | |
430 | \r | |
431 | NULL_CHECK(Session);\r | |
432 | NULL_CHECK(Password);\r | |
433 | \r | |
434 | Ret = OpalStartSession(\r | |
435 | Session,\r | |
436 | OPAL_UID_LOCKING_SP,\r | |
437 | TRUE,\r | |
438 | PasswordLength,\r | |
439 | Password,\r | |
440 | HostSigningAuthority,\r | |
441 | &MethodStatus);\r | |
442 | if (Ret == TcgResultSuccess && MethodStatus == TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
443 | OpalEndSession(Session);\r | |
444 | return TcgResultSuccess;\r | |
445 | }\r | |
446 | \r | |
447 | return TcgResultFailure;\r | |
448 | }\r | |
449 | \r | |
450 | /**\r | |
451 | Starts a session with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_USER1_AUTHORITY or OPAL_LOCKING_SP_ADMIN1_AUTHORITY\r | |
452 | and generates a new global locking range key to erase the Data.\r | |
453 | \r | |
454 | @param[in] Session, The session info for one opal device.\r | |
455 | @param[in] Password Admin or user password\r | |
456 | @param[in] PasswordLength Length of password in bytes\r | |
457 | @param[in/out] PasswordFailed indicates if password failed (start session didn't work)\r | |
458 | \r | |
459 | **/\r | |
460 | TCG_RESULT\r | |
461 | EFIAPI\r | |
462 | OpalUtilSecureErase(\r | |
463 | OPAL_SESSION *Session,\r | |
464 | const VOID *Password,\r | |
465 | UINT32 PasswordLength,\r | |
466 | BOOLEAN *PasswordFailed\r | |
467 | )\r | |
468 | {\r | |
469 | UINT8 MethodStatus;\r | |
470 | TCG_RESULT Ret;\r | |
471 | \r | |
472 | NULL_CHECK(Session);\r | |
473 | NULL_CHECK(Password);\r | |
474 | NULL_CHECK(PasswordFailed);\r | |
475 | \r | |
476 | //\r | |
477 | // Try to generate a new key with admin1\r | |
478 | //\r | |
479 | Ret = OpalStartSession(\r | |
480 | Session,\r | |
481 | OPAL_UID_LOCKING_SP,\r | |
482 | TRUE,\r | |
483 | PasswordLength,\r | |
484 | Password,\r | |
485 | OPAL_LOCKING_SP_ADMIN1_AUTHORITY,\r | |
486 | &MethodStatus\r | |
487 | );\r | |
488 | \r | |
489 | if (Ret == TcgResultSuccess && MethodStatus == TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
490 | Ret = OpalGlobalLockingRangeGenKey(Session, &MethodStatus);\r | |
491 | *PasswordFailed = FALSE;\r | |
492 | OpalEndSession(Session);\r | |
493 | } else {\r | |
494 | //\r | |
495 | // Try to generate a new key with user1\r | |
496 | //\r | |
497 | Ret = OpalStartSession(\r | |
498 | Session,\r | |
499 | OPAL_UID_LOCKING_SP,\r | |
500 | TRUE,\r | |
501 | PasswordLength,\r | |
502 | Password,\r | |
503 | OPAL_LOCKING_SP_USER1_AUTHORITY,\r | |
504 | &MethodStatus\r | |
505 | );\r | |
506 | \r | |
507 | if (Ret == TcgResultSuccess && MethodStatus == TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
508 | Ret = OpalGlobalLockingRangeGenKey(Session, &MethodStatus);\r | |
509 | *PasswordFailed = FALSE;\r | |
510 | OpalEndSession(Session);\r | |
511 | } else {\r | |
512 | *PasswordFailed = TRUE;\r | |
513 | }\r | |
514 | }\r | |
515 | \r | |
516 | if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
517 | Ret = TcgResultFailure;\r | |
518 | }\r | |
519 | return Ret;\r | |
520 | }\r | |
521 | \r | |
522 | /**\r | |
523 | Starts a session with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_ADMIN1_AUTHORITY and disables the User1 authority.\r | |
524 | \r | |
525 | @param[in] Session, The session info for one opal device.\r | |
526 | @param[in] Password Admin password\r | |
527 | @param[in] PasswordLength Length of password in bytes\r | |
528 | @param[in/out] PasswordFailed indicates if password failed (start session didn't work)\r | |
529 | \r | |
530 | **/\r | |
531 | TCG_RESULT\r | |
532 | EFIAPI\r | |
533 | OpalUtilDisableUser(\r | |
534 | OPAL_SESSION *Session,\r | |
535 | const VOID *Password,\r | |
536 | UINT32 PasswordLength,\r | |
537 | BOOLEAN *PasswordFailed\r | |
538 | )\r | |
539 | {\r | |
540 | UINT8 MethodStatus;\r | |
541 | TCG_RESULT Ret;\r | |
542 | \r | |
543 | NULL_CHECK(Session);\r | |
544 | NULL_CHECK(Password);\r | |
545 | NULL_CHECK(PasswordFailed);\r | |
546 | \r | |
547 | //\r | |
548 | // Start session with Locking SP using current admin Password\r | |
549 | //\r | |
550 | Ret = OpalStartSession(\r | |
551 | Session,\r | |
552 | OPAL_UID_LOCKING_SP,\r | |
553 | TRUE,\r | |
554 | PasswordLength,\r | |
555 | Password,\r | |
556 | OPAL_LOCKING_SP_ADMIN1_AUTHORITY,\r | |
557 | &MethodStatus\r | |
558 | );\r | |
559 | if (Ret != TcgResultSuccess || MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
560 | DEBUG ((DEBUG_INFO, "StartSession with Locking SP as Admin1 failed\n"));\r | |
561 | *PasswordFailed = TRUE;\r | |
562 | goto done;\r | |
563 | }\r | |
564 | \r | |
565 | *PasswordFailed = FALSE;\r | |
566 | Ret = OpalDisableUser(Session, &MethodStatus);\r | |
567 | OpalEndSession(Session);\r | |
568 | \r | |
569 | done:\r | |
570 | if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
571 | Ret = TcgResultFailure;\r | |
572 | }\r | |
573 | return Ret;\r | |
574 | }\r | |
575 | \r | |
576 | /**\r | |
577 | Opens a session with OPAL_UID_ADMIN_SP as OPAL_ADMIN_SP_PSID_AUTHORITY, then reverts the device using the RevertSP method.\r | |
578 | \r | |
579 | @param[in] Session, The session info for one opal device.\r | |
580 | @param[in] KeepUserData TRUE to keep existing Data on the disk, or FALSE to erase it\r | |
581 | @param[in] Password Admin password\r | |
582 | @param[in] PasswordLength Length of password in bytes\r | |
583 | @param[in/out] PasswordFailed indicates if password failed (start session didn't work)\r | |
584 | @param[in] Msid Msid info.\r | |
585 | @param[in] MsidLength Msid data length.\r | |
586 | \r | |
587 | **/\r | |
588 | TCG_RESULT\r | |
589 | EFIAPI\r | |
590 | OpalUtilRevert(\r | |
591 | OPAL_SESSION *Session,\r | |
592 | BOOLEAN KeepUserData,\r | |
593 | const VOID *Password,\r | |
594 | UINT32 PasswordLength,\r | |
595 | BOOLEAN *PasswordFailed,\r | |
596 | UINT8 *Msid,\r | |
597 | UINT32 MsidLength\r | |
598 | )\r | |
599 | {\r | |
600 | UINT8 MethodStatus;\r | |
601 | TCG_RESULT Ret;\r | |
602 | \r | |
603 | NULL_CHECK(Session);\r | |
604 | NULL_CHECK(Msid);\r | |
605 | NULL_CHECK(Password);\r | |
606 | NULL_CHECK(PasswordFailed);\r | |
607 | \r | |
608 | Ret = OpalStartSession(\r | |
609 | Session,\r | |
610 | OPAL_UID_LOCKING_SP,\r | |
611 | TRUE,\r | |
612 | PasswordLength,\r | |
613 | Password,\r | |
614 | OPAL_LOCKING_SP_ADMIN1_AUTHORITY,\r | |
615 | &MethodStatus\r | |
616 | );\r | |
617 | \r | |
618 | if (Ret != TcgResultSuccess || MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
619 | DEBUG ((DEBUG_INFO, "error starting session: Ret=%d, MethodStatus=%u\n", Ret, MethodStatus));\r | |
620 | *PasswordFailed = TRUE;\r | |
621 | goto done;\r | |
622 | }\r | |
623 | \r | |
624 | *PasswordFailed = FALSE;\r | |
625 | //\r | |
626 | // Try to revert with admin1\r | |
627 | //\r | |
628 | Ret = OpalAdminRevert(Session, KeepUserData, &MethodStatus);\r | |
629 | if (Ret != TcgResultSuccess || MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
630 | //\r | |
631 | // Device ends the session on successful revert, so only call OpalEndSession when fail.\r | |
632 | //\r | |
633 | DEBUG ((DEBUG_INFO, "OpalAdminRevert as admin failed\n"));\r | |
634 | OpalEndSession(Session);\r | |
635 | }\r | |
636 | \r | |
637 | Ret = OpalUtilSetSIDtoMSID (Session, Password, PasswordLength, Msid, MsidLength);\r | |
638 | \r | |
639 | done:\r | |
640 | if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
641 | Ret = TcgResultFailure;\r | |
642 | }\r | |
643 | return Ret;\r | |
644 | }\r | |
645 | \r | |
646 | /**\r | |
647 | After revert success, set SID to MSID.\r | |
648 | \r | |
649 | @param Session, The session info for one opal device.\r | |
650 | @param Password, Input password info.\r | |
651 | @param PasswordLength, Input password length.\r | |
652 | @param Msid Msid info.\r | |
653 | @param MsidLength Msid data length.\r | |
654 | \r | |
655 | **/\r | |
656 | TCG_RESULT\r | |
657 | EFIAPI\r | |
658 | OpalUtilSetSIDtoMSID (\r | |
659 | OPAL_SESSION *Session,\r | |
660 | const VOID *Password,\r | |
661 | UINT32 PasswordLength,\r | |
662 | UINT8 *Msid,\r | |
663 | UINT32 MsidLength\r | |
664 | )\r | |
665 | {\r | |
666 | TCG_RESULT Ret;\r | |
667 | UINT8 MethodStatus;\r | |
668 | \r | |
669 | NULL_CHECK(Session);\r | |
670 | NULL_CHECK(Msid);\r | |
671 | NULL_CHECK(Password);\r | |
672 | \r | |
673 | //\r | |
674 | // Start session with admin sp to update SID to MSID\r | |
675 | //\r | |
676 | Ret = OpalStartSession(\r | |
677 | Session,\r | |
678 | OPAL_UID_ADMIN_SP,\r | |
679 | TRUE,\r | |
680 | PasswordLength,\r | |
681 | Password,\r | |
682 | OPAL_ADMIN_SP_SID_AUTHORITY,\r | |
683 | &MethodStatus\r | |
684 | );\r | |
685 | if (Ret != TcgResultSuccess || MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
686 | goto done;\r | |
687 | }\r | |
688 | \r | |
689 | //\r | |
690 | // Update SID pin\r | |
691 | //\r | |
692 | Ret = OpalSetPassword(Session, OPAL_UID_ADMIN_SP_C_PIN_SID, Msid, MsidLength, &MethodStatus);\r | |
693 | OpalEndSession(Session);\r | |
694 | \r | |
695 | done:\r | |
696 | if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
697 | Ret = TcgResultFailure;\r | |
698 | }\r | |
699 | \r | |
700 | return Ret;\r | |
701 | }\r | |
702 | \r | |
703 | /**\r | |
704 | Update global locking range.\r | |
705 | \r | |
706 | @param Session, The session info for one opal device.\r | |
707 | @param Password, Input password info.\r | |
708 | @param PasswordLength, Input password length.\r | |
709 | @param ReadLocked, Read lock info.\r | |
710 | @param WriteLocked write lock info.\r | |
711 | \r | |
712 | **/\r | |
713 | TCG_RESULT\r | |
714 | EFIAPI\r | |
715 | OpalUtilUpdateGlobalLockingRange(\r | |
716 | OPAL_SESSION *Session,\r | |
717 | const VOID *Password,\r | |
718 | UINT32 PasswordLength,\r | |
719 | BOOLEAN ReadLocked,\r | |
720 | BOOLEAN WriteLocked\r | |
721 | )\r | |
722 | {\r | |
723 | UINT8 MethodStatus;\r | |
724 | TCG_RESULT Ret;\r | |
725 | \r | |
726 | NULL_CHECK(Session);\r | |
727 | NULL_CHECK(Password);\r | |
728 | \r | |
729 | //\r | |
730 | // Try to start session with Locking SP as admin1 authority\r | |
731 | //\r | |
732 | Ret = OpalStartSession(\r | |
733 | Session,\r | |
734 | OPAL_UID_LOCKING_SP,\r | |
735 | TRUE,\r | |
736 | PasswordLength,\r | |
737 | Password,\r | |
738 | OPAL_LOCKING_SP_ADMIN1_AUTHORITY,\r | |
739 | &MethodStatus\r | |
740 | );\r | |
741 | if (Ret == TcgResultSuccess && MethodStatus == TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
742 | Ret = OpalUpdateGlobalLockingRange(\r | |
743 | Session,\r | |
744 | ReadLocked,\r | |
745 | WriteLocked,\r | |
746 | &MethodStatus\r | |
747 | );\r | |
748 | OpalEndSession(Session);\r | |
749 | if (Ret == TcgResultSuccess && MethodStatus == TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
750 | goto done;\r | |
751 | }\r | |
752 | }\r | |
753 | \r | |
754 | if (MethodStatus == TCG_METHOD_STATUS_CODE_AUTHORITY_LOCKED_OUT) {\r | |
755 | DEBUG ((DEBUG_INFO, "unlock as admin failed with AUTHORITY_LOCKED_OUT\n"));\r | |
756 | goto done;\r | |
757 | }\r | |
758 | \r | |
759 | //\r | |
760 | // Try user1 authority\r | |
761 | //\r | |
762 | Ret = OpalStartSession(\r | |
763 | Session,\r | |
764 | OPAL_UID_LOCKING_SP,\r | |
765 | TRUE,\r | |
766 | PasswordLength,\r | |
767 | Password,\r | |
768 | OPAL_LOCKING_SP_USER1_AUTHORITY,\r | |
769 | &MethodStatus\r | |
770 | );\r | |
771 | if (Ret != TcgResultSuccess || MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
772 | DEBUG ((DEBUG_INFO, "StartSession with Locking SP as User1 failed\n"));\r | |
773 | goto done;\r | |
774 | }\r | |
775 | \r | |
776 | Ret = OpalUpdateGlobalLockingRange(Session, ReadLocked, WriteLocked, &MethodStatus);\r | |
777 | OpalEndSession(Session);\r | |
778 | \r | |
779 | done:\r | |
780 | if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
781 | Ret = TcgResultFailure;\r | |
782 | }\r | |
783 | return Ret;\r | |
784 | }\r | |
785 | \r | |
786 | /**\r | |
787 | Update global locking range.\r | |
788 | \r | |
789 | @param Session, The session info for one opal device.\r | |
790 | @param Msid, The data buffer to save Msid info.\r | |
791 | @param MsidBufferLength, The data buffer length for Msid.\r | |
792 | @param MsidLength, The actual data length for Msid.\r | |
793 | \r | |
794 | **/\r | |
795 | TCG_RESULT\r | |
796 | EFIAPI\r | |
797 | OpalUtilGetMsid(\r | |
798 | OPAL_SESSION *Session,\r | |
799 | UINT8 *Msid,\r | |
800 | UINT32 MsidBufferLength,\r | |
801 | UINT32 *MsidLength\r | |
802 | )\r | |
803 | {\r | |
804 | UINT8 MethodStatus;\r | |
805 | TCG_RESULT Ret;\r | |
806 | \r | |
807 | NULL_CHECK(Session);\r | |
808 | NULL_CHECK(Msid);\r | |
809 | NULL_CHECK(MsidLength);\r | |
810 | \r | |
811 | Ret = OpalStartSession(\r | |
812 | Session,\r | |
813 | OPAL_UID_ADMIN_SP,\r | |
814 | TRUE,\r | |
815 | 0,\r | |
816 | NULL,\r | |
817 | TCG_UID_NULL,\r | |
818 | &MethodStatus\r | |
819 | );\r | |
820 | if ((Ret == TcgResultSuccess) && (MethodStatus == TCG_METHOD_STATUS_CODE_SUCCESS)) {\r | |
821 | Ret = OpalGetMsid (Session, MsidBufferLength, Msid, MsidLength);\r | |
822 | OpalEndSession (Session);\r | |
823 | }\r | |
824 | \r | |
825 | if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {\r | |
826 | Ret = TcgResultFailure;\r | |
827 | }\r | |
828 | \r | |
829 | return Ret;\r | |
830 | }\r | |
831 | \r | |
832 | /**\r | |
833 | \r | |
834 | The function determines who owns the device by attempting to start a session with different credentials.\r | |
835 | If the SID PIN matches the MSID PIN, the no one owns the device.\r | |
836 | If the SID PIN matches the ourSidPin, then "Us" owns the device. Otherwise it is unknown.\r | |
837 | \r | |
838 | \r | |
839 | @param[in] Session The session info for one opal device.\r | |
840 | @param Msid, The Msid info.\r | |
841 | @param MsidLength, The data length for Msid.\r | |
842 | \r | |
843 | **/\r | |
844 | OPAL_OWNER_SHIP\r | |
845 | EFIAPI\r | |
846 | OpalUtilDetermineOwnership(\r | |
847 | OPAL_SESSION *Session,\r | |
848 | UINT8 *Msid,\r | |
849 | UINT32 MsidLength\r | |
850 | )\r | |
851 | {\r | |
852 | UINT8 MethodStatus;\r | |
853 | TCG_RESULT Ret;\r | |
854 | OPAL_OWNER_SHIP Owner;\r | |
855 | \r | |
856 | if ((Session == NULL) || (Msid == NULL)) {\r | |
857 | return OpalOwnershipUnknown;\r | |
858 | }\r | |
859 | \r | |
860 | Owner = OpalOwnershipUnknown;\r | |
861 | //\r | |
862 | // Start Session as SID_UID with ADMIN_SP using MSID PIN\r | |
863 | //\r | |
864 | Ret = OpalStartSession(\r | |
865 | Session,\r | |
866 | OPAL_UID_ADMIN_SP,\r | |
867 | TRUE,\r | |
868 | MsidLength,\r | |
869 | Msid,\r | |
870 | OPAL_ADMIN_SP_SID_AUTHORITY,\r | |
871 | &MethodStatus);\r | |
872 | if ((Ret == TcgResultSuccess) && (MethodStatus == TCG_METHOD_STATUS_CODE_SUCCESS)) {\r | |
873 | //\r | |
874 | // now we know that SID PIN == MSID PIN\r | |
875 | //\r | |
876 | Owner = OpalOwnershipNobody;\r | |
877 | \r | |
878 | OpalEndSession(Session);\r | |
879 | }\r | |
880 | \r | |
881 | return Owner;\r | |
882 | }\r | |
883 | \r | |
884 | /**\r | |
885 | \r | |
886 | The function returns if admin password exists.\r | |
887 | \r | |
888 | @param[in] OwnerShip The owner ship of the opal device.\r | |
889 | @param[in] LockingFeature The locking info of the opal device.\r | |
890 | \r | |
891 | @retval TRUE Admin password existed.\r | |
892 | @retval FALSE Admin password not existed.\r | |
893 | \r | |
894 | **/\r | |
895 | BOOLEAN\r | |
896 | EFIAPI\r | |
897 | OpalUtilAdminPasswordExists(\r | |
898 | IN UINT16 OwnerShip,\r | |
899 | IN TCG_LOCKING_FEATURE_DESCRIPTOR *LockingFeature\r | |
900 | )\r | |
901 | {\r | |
902 | NULL_CHECK(LockingFeature);\r | |
903 | \r | |
904 | // if it is Unknown who owns the device\r | |
905 | // then someone has set password previously through our UI\r | |
906 | // because the SID would no longer match the generated SID (ownership us)\r | |
907 | // or someone has set password using 3rd party software\r | |
908 | \r | |
909 | //\r | |
910 | // Locking sp enabled is checked b/c it must be enabled to change the PIN of the Admin1.\r | |
911 | //\r | |
912 | return (OwnerShip == OpalOwnershipUnknown && LockingFeature->LockingEnabled);\r | |
913 | }\r | |
914 | \r |