Enable TPM measurement lib to measure all PE image from a FV unmeasured by TcgPei

[mirror_edk2.git] / SecurityPkg / Library / DxeTcgPhysicalPresenceLib / DxeTcgPhysicalPresenceLib.c

diff --git a/SecurityPkg/Library/DxeTcgPhysicalPresenceLib/DxeTcgPhysicalPresenceLib.c b/SecurityPkg/Library/DxeTcgPhysicalPresenceLib/DxeTcgPhysicalPresenceLib.c
index bee311bed80f92319dd452bcef161bb99eb68bda..4b99ab840d4086f197cc07d84ef471c1eb797b64 100644 (file)
--- a/SecurityPkg/Library/DxeTcgPhysicalPresenceLib/DxeTcgPhysicalPresenceLib.c
+++ b/SecurityPkg/Library/DxeTcgPhysicalPresenceLib/DxeTcgPhysicalPresenceLib.c
@@ -2,6 +2,12 @@
 \r
   Execute pending TPM requests from OS or BIOS and Lock TPM.\r
 \r
+  Caution: This module requires additional review when modified.\r
+  This driver will have external input - variable.\r
+  This external input must be validated carefully to avoid security issue.\r
+\r
+  ExecutePendingTpmRequest() will receive untrusted input and do validation.\r
+\r
 Copyright (c) 2006 - 2012, Intel Corporation. All rights reserved.<BR>\r
 This program and the accompanying materials \r
 are licensed and made available under the terms and conditions of the BSD License \r
@@ -393,16 +399,23 @@ ExecutePhysicalPresence (
       return 0;\r
   \r
     case PHYSICAL_PRESENCE_ENABLE_ACTIVATE_CLEAR:\r
-      TpmResponse = ExecutePhysicalPresence (TcgProtocol, PHYSICAL_PRESENCE_ENABLE_ACTIVATE, PpiFlags);\r
-      if (TpmResponse == 0) {\r
+      //\r
+      // PHYSICAL_PRESENCE_ENABLE_ACTIVATE + PHYSICAL_PRESENCE_CLEAR\r
+      // PHYSICAL_PRESENCE_CLEAR will be executed after reboot.\r
+      //\r
+      if ((*PpiFlags & FLAG_RESET_TRACK) == 0) {\r
+        TpmResponse = ExecutePhysicalPresence (TcgProtocol, PHYSICAL_PRESENCE_ENABLE_ACTIVATE, PpiFlags);\r
+        *PpiFlags |= FLAG_RESET_TRACK;\r
+      } else {\r
         TpmResponse = ExecutePhysicalPresence (TcgProtocol, PHYSICAL_PRESENCE_CLEAR, PpiFlags);\r
+        *PpiFlags &= ~FLAG_RESET_TRACK;\r
       }\r
       return TpmResponse;\r
 \r
     case PHYSICAL_PRESENCE_ENABLE_ACTIVATE_CLEAR_ENABLE_ACTIVATE:\r
       //\r
       // PHYSICAL_PRESENCE_ENABLE_ACTIVATE + PHYSICAL_PRESENCE_CLEAR_ENABLE_ACTIVATE\r
-      // PHYSICAL_PRESENCE_CLEAR_ENABLE_ACTIVATE will be executed atfer reboot.\r
+      // PHYSICAL_PRESENCE_CLEAR_ENABLE_ACTIVATE will be executed after reboot.\r
       //\r
       if ((*PpiFlags & FLAG_RESET_TRACK) == 0) {\r
         TpmResponse = ExecutePhysicalPresence (TcgProtocol, PHYSICAL_PRESENCE_ENABLE_ACTIVATE, PpiFlags);\r
@@ -875,6 +888,10 @@ UserConfirm (
 /**\r
   Check and execute the requested physical presence command.\r
 \r
+  Caution: This function may receive untrusted input.\r
+  TcgPpData variable is external input, so this function will validate\r
+  its data structure to be valid value.\r
+\r
   @param[in] TcgProtocol          EFI TCG Protocol instance. \r
   @param[in] TcgPpData            Point to the physical presence NV variable.\r
 \r
@@ -937,6 +954,11 @@ ExecutePendingTpmRequest (
       RequestConfirmed = TRUE;\r
       break;\r
       \r
+    case PHYSICAL_PRESENCE_SET_NO_PPI_PROVISION_TRUE:\r
+    case PHYSICAL_PRESENCE_SET_NO_PPI_CLEAR_TRUE:\r
+    case PHYSICAL_PRESENCE_SET_NO_PPI_MAINTENANCE_TRUE:\r
+      break;\r
+      \r
     default:\r
       //\r
       // Invalid operation request.\r