+++ /dev/null
-/** @file\r
- Execute pending TPM2 requests from OS or BIOS.\r
-\r
- Caution: This module requires additional review when modified.\r
- This driver will have external input - variable.\r
- This external input must be validated carefully to avoid security issue.\r
-\r
- TrEEExecutePendingTpmRequest() will receive untrusted input and do validation.\r
-\r
-Copyright (c) 2013 - 2015, Intel Corporation. All rights reserved.<BR>\r
-This program and the accompanying materials \r
-are licensed and made available under the terms and conditions of the BSD License \r
-which accompanies this distribution. The full text of the license may be found at \r
-http://opensource.org/licenses/bsd-license.php\r
-\r
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, \r
-WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
-\r
-**/\r
-\r
-#include <PiDxe.h>\r
-\r
-#include <Protocol/TrEEProtocol.h>\r
-#include <Protocol/VariableLock.h>\r
-#include <Library/DebugLib.h>\r
-#include <Library/BaseMemoryLib.h>\r
-#include <Library/UefiRuntimeServicesTableLib.h>\r
-#include <Library/UefiDriverEntryPoint.h>\r
-#include <Library/UefiBootServicesTableLib.h>\r
-#include <Library/UefiLib.h>\r
-#include <Library/MemoryAllocationLib.h>\r
-#include <Library/PrintLib.h>\r
-#include <Library/HiiLib.h>\r
-#include <Guid/EventGroup.h>\r
-#include <Guid/TrEEPhysicalPresenceData.h>\r
-#include <Library/Tpm2CommandLib.h>\r
-#include <Library/TrEEPpVendorLib.h>\r
-\r
-#define CONFIRM_BUFFER_SIZE 4096\r
-\r
-EFI_HII_HANDLE mTrEEPpStringPackHandle;\r
-\r
-/**\r
- Get string by string id from HII Interface.\r
-\r
- @param[in] Id String ID.\r
-\r
- @retval CHAR16 * String from ID.\r
- @retval NULL If error occurs.\r
-\r
-**/\r
-CHAR16 *\r
-TrEEPhysicalPresenceGetStringById (\r
- IN EFI_STRING_ID Id\r
- )\r
-{\r
- return HiiGetString (mTrEEPpStringPackHandle, Id, NULL);\r
-}\r
-\r
-/**\r
- Send ClearControl and Clear command to TPM.\r
-\r
- @param[in] PlatformAuth platform auth value. NULL means no platform auth change.\r
-\r
- @retval EFI_SUCCESS Operation completed successfully.\r
- @retval EFI_TIMEOUT The register can't run into the expected status in time.\r
- @retval EFI_BUFFER_TOO_SMALL Response data buffer is too small.\r
- @retval EFI_DEVICE_ERROR Unexpected device behavior.\r
-\r
-**/\r
-EFI_STATUS\r
-EFIAPI\r
-TpmCommandClear (\r
- IN TPM2B_AUTH *PlatformAuth OPTIONAL\r
- )\r
-{\r
- EFI_STATUS Status;\r
- TPMS_AUTH_COMMAND *AuthSession;\r
- TPMS_AUTH_COMMAND LocalAuthSession;\r
-\r
- if (PlatformAuth == NULL) {\r
- AuthSession = NULL;\r
- } else {\r
- AuthSession = &LocalAuthSession;\r
- ZeroMem (&LocalAuthSession, sizeof(LocalAuthSession));\r
- LocalAuthSession.sessionHandle = TPM_RS_PW;\r
- LocalAuthSession.hmac.size = PlatformAuth->size;\r
- CopyMem (LocalAuthSession.hmac.buffer, PlatformAuth->buffer, PlatformAuth->size);\r
- }\r
-\r
- DEBUG ((EFI_D_INFO, "Tpm2ClearControl ... \n"));\r
- Status = Tpm2ClearControl (TPM_RH_PLATFORM, AuthSession, NO);\r
- DEBUG ((EFI_D_INFO, "Tpm2ClearControl - %r\n", Status));\r
- if (EFI_ERROR (Status)) {\r
- goto Done;\r
- }\r
- DEBUG ((EFI_D_INFO, "Tpm2Clear ... \n"));\r
- Status = Tpm2Clear (TPM_RH_PLATFORM, AuthSession);\r
- DEBUG ((EFI_D_INFO, "Tpm2Clear - %r\n", Status));\r
-\r
-Done:\r
- ZeroMem (&LocalAuthSession.hmac, sizeof(LocalAuthSession.hmac));\r
- return Status;\r
-}\r
-\r
-/**\r
- Execute physical presence operation requested by the OS.\r
-\r
- @param[in] PlatformAuth platform auth value. NULL means no platform auth change.\r
- @param[in] CommandCode Physical presence operation value.\r
- @param[in, out] PpiFlags The physical presence interface flags.\r
- \r
- @retval TREE_PP_OPERATION_RESPONSE_BIOS_FAILURE Unknown physical presence operation.\r
- @retval TREE_PP_OPERATION_RESPONSE_BIOS_FAILURE Error occurred during sending command to TPM or \r
- receiving response from TPM.\r
- @retval Others Return code from the TPM device after command execution.\r
-**/\r
-UINT32\r
-TrEEExecutePhysicalPresence (\r
- IN TPM2B_AUTH *PlatformAuth, OPTIONAL\r
- IN UINT32 CommandCode,\r
- IN OUT EFI_TREE_PHYSICAL_PRESENCE_FLAGS *PpiFlags\r
- )\r
-{\r
- EFI_STATUS Status;\r
-\r
- switch (CommandCode) {\r
- case TREE_PHYSICAL_PRESENCE_CLEAR_CONTROL_CLEAR:\r
- case TREE_PHYSICAL_PRESENCE_CLEAR_CONTROL_CLEAR_2:\r
- case TREE_PHYSICAL_PRESENCE_CLEAR_CONTROL_CLEAR_3:\r
- case TREE_PHYSICAL_PRESENCE_CLEAR_CONTROL_CLEAR_4:\r
- Status = TpmCommandClear (PlatformAuth);\r
- if (EFI_ERROR (Status)) {\r
- return TREE_PP_OPERATION_RESPONSE_BIOS_FAILURE;\r
- } else {\r
- return TREE_PP_OPERATION_RESPONSE_SUCCESS;\r
- }\r
-\r
- case TREE_PHYSICAL_PRESENCE_SET_NO_PPI_CLEAR_FALSE:\r
- PpiFlags->PPFlags &= ~TREE_BIOS_TPM_MANAGEMENT_FLAG_NO_PPI_CLEAR;\r
- return TREE_PP_OPERATION_RESPONSE_SUCCESS;\r
-\r
- case TREE_PHYSICAL_PRESENCE_SET_NO_PPI_CLEAR_TRUE:\r
- PpiFlags->PPFlags |= TREE_BIOS_TPM_MANAGEMENT_FLAG_NO_PPI_CLEAR;\r
- return TREE_PP_OPERATION_RESPONSE_SUCCESS;\r
-\r
- default:\r
- if (CommandCode <= TREE_PHYSICAL_PRESENCE_NO_ACTION_MAX) {\r
- return TREE_PP_OPERATION_RESPONSE_SUCCESS;\r
- } else {\r
- return TREE_PP_OPERATION_RESPONSE_BIOS_FAILURE;\r
- }\r
- }\r
-}\r
-\r
-\r
-/**\r
- Read the specified key for user confirmation.\r
-\r
- @param[in] CautionKey If true, F12 is used as confirm key;\r
- If false, F10 is used as confirm key.\r
-\r
- @retval TRUE User confirmed the changes by input.\r
- @retval FALSE User discarded the changes.\r
-**/\r
-BOOLEAN\r
-TrEEReadUserKey (\r
- IN BOOLEAN CautionKey\r
- )\r
-{\r
- EFI_STATUS Status;\r
- EFI_INPUT_KEY Key;\r
- UINT16 InputKey;\r
- \r
- InputKey = 0; \r
- do {\r
- Status = gBS->CheckEvent (gST->ConIn->WaitForKey);\r
- if (!EFI_ERROR (Status)) {\r
- Status = gST->ConIn->ReadKeyStroke (gST->ConIn, &Key);\r
- if (Key.ScanCode == SCAN_ESC) {\r
- InputKey = Key.ScanCode;\r
- }\r
- if ((Key.ScanCode == SCAN_F10) && !CautionKey) {\r
- InputKey = Key.ScanCode;\r
- }\r
- if ((Key.ScanCode == SCAN_F12) && CautionKey) {\r
- InputKey = Key.ScanCode;\r
- }\r
- } \r
- } while (InputKey == 0);\r
-\r
- if (InputKey != SCAN_ESC) {\r
- return TRUE;\r
- }\r
- \r
- return FALSE;\r
-}\r
-\r
-/**\r
- The constructor function register UNI strings into imageHandle.\r
- \r
- It will ASSERT() if that operation fails and it will always return EFI_SUCCESS. \r
-\r
- @param ImageHandle The firmware allocated handle for the EFI image.\r
- @param SystemTable A pointer to the EFI System Table.\r
- \r
- @retval EFI_SUCCESS The constructor successfully added string package.\r
- @retval Other value The constructor can't add string package.\r
-**/\r
-EFI_STATUS\r
-EFIAPI\r
-TrEEPhysicalPresenceLibConstructor (\r
- IN EFI_HANDLE ImageHandle,\r
- IN EFI_SYSTEM_TABLE *SystemTable\r
- )\r
-{\r
- mTrEEPpStringPackHandle = HiiAddPackages (&gEfiTrEEPhysicalPresenceGuid, ImageHandle, DxeTrEEPhysicalPresenceLibStrings, NULL);\r
- ASSERT (mTrEEPpStringPackHandle != NULL);\r
-\r
- return EFI_SUCCESS;\r
-}\r
-\r
-/**\r
- Display the confirm text and get user confirmation.\r
-\r
- @param[in] TpmPpCommand The requested TPM physical presence command.\r
-\r
- @retval TRUE The user has confirmed the changes.\r
- @retval FALSE The user doesn't confirm the changes.\r
-**/\r
-BOOLEAN\r
-TrEEUserConfirm (\r
- IN UINT32 TpmPpCommand\r
- )\r
-{\r
- CHAR16 *ConfirmText;\r
- CHAR16 *TmpStr1;\r
- CHAR16 *TmpStr2; \r
- UINTN BufSize;\r
- BOOLEAN CautionKey;\r
- UINT16 Index;\r
- CHAR16 DstStr[81];\r
- \r
- TmpStr2 = NULL;\r
- CautionKey = FALSE;\r
- BufSize = CONFIRM_BUFFER_SIZE;\r
- ConfirmText = AllocateZeroPool (BufSize);\r
- ASSERT (ConfirmText != NULL);\r
-\r
- switch (TpmPpCommand) {\r
-\r
- case TREE_PHYSICAL_PRESENCE_CLEAR_CONTROL_CLEAR:\r
- case TREE_PHYSICAL_PRESENCE_CLEAR_CONTROL_CLEAR_2:\r
- case TREE_PHYSICAL_PRESENCE_CLEAR_CONTROL_CLEAR_3:\r
- case TREE_PHYSICAL_PRESENCE_CLEAR_CONTROL_CLEAR_4:\r
- CautionKey = TRUE;\r
- TmpStr2 = TrEEPhysicalPresenceGetStringById (STRING_TOKEN (TPM_CLEAR));\r
-\r
- TmpStr1 = TrEEPhysicalPresenceGetStringById (STRING_TOKEN (TPM_HEAD_STR));\r
- UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2);\r
- FreePool (TmpStr1);\r
-\r
- TmpStr1 = TrEEPhysicalPresenceGetStringById (STRING_TOKEN (TPM_WARNING_CLEAR));\r
- StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), TmpStr1, (BufSize / sizeof (CHAR16)) - StrLen (ConfirmText) - 1);\r
- StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), L" \n\n", (BufSize / sizeof (CHAR16)) - StrLen (ConfirmText) - 1);\r
- FreePool (TmpStr1); \r
-\r
- TmpStr1 = TrEEPhysicalPresenceGetStringById (STRING_TOKEN (TPM_CAUTION_KEY));\r
- StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), TmpStr1, (BufSize / sizeof (CHAR16)) - StrLen (ConfirmText) - 1);\r
- FreePool (TmpStr1);\r
- break;\r
-\r
- case TREE_PHYSICAL_PRESENCE_SET_NO_PPI_CLEAR_TRUE:\r
- CautionKey = TRUE;\r
- TmpStr2 = TrEEPhysicalPresenceGetStringById (STRING_TOKEN (TPM_CLEAR));\r
-\r
- TmpStr1 = TrEEPhysicalPresenceGetStringById (STRING_TOKEN (TPM_PPI_HEAD_STR));\r
- UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2);\r
- FreePool (TmpStr1);\r
-\r
- TmpStr1 = TrEEPhysicalPresenceGetStringById (STRING_TOKEN (TPM_NOTE_CLEAR));\r
- StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), TmpStr1, (BufSize / sizeof (CHAR16)) - StrLen (ConfirmText) - 1);\r
- FreePool (TmpStr1);\r
-\r
- TmpStr1 = TrEEPhysicalPresenceGetStringById (STRING_TOKEN (TPM_WARNING_CLEAR));\r
- StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), TmpStr1, (BufSize / sizeof (CHAR16)) - StrLen (ConfirmText) - 1);\r
- StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), L" \n\n", (BufSize / sizeof (CHAR16)) - StrLen (ConfirmText) - 1);\r
- FreePool (TmpStr1); \r
-\r
- TmpStr1 = TrEEPhysicalPresenceGetStringById (STRING_TOKEN (TPM_CAUTION_KEY));\r
- StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), TmpStr1, (BufSize / sizeof (CHAR16)) - StrLen (ConfirmText) - 1);\r
- FreePool (TmpStr1);\r
-\r
- TmpStr1 = TrEEPhysicalPresenceGetStringById (STRING_TOKEN (TPM_NO_PPI_INFO));\r
- StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), TmpStr1, (BufSize / sizeof (CHAR16)) - StrLen (ConfirmText) - 1);\r
- FreePool (TmpStr1);\r
- break;\r
-\r
- default:\r
- ;\r
- }\r
-\r
- if (TmpStr2 == NULL) {\r
- FreePool (ConfirmText);\r
- return FALSE;\r
- }\r
-\r
- TmpStr1 = TrEEPhysicalPresenceGetStringById (STRING_TOKEN (TPM_REJECT_KEY));\r
- BufSize -= StrSize (ConfirmText);\r
- UnicodeSPrint (ConfirmText + StrLen (ConfirmText), BufSize, TmpStr1, TmpStr2);\r
-\r
- DstStr[80] = L'\0';\r
- for (Index = 0; Index < StrLen (ConfirmText); Index += 80) {\r
- StrnCpyS(DstStr, sizeof (DstStr) / sizeof (CHAR16), ConfirmText + Index, sizeof (DstStr) / sizeof (CHAR16) - 1); \r
- Print (DstStr); \r
- }\r
- \r
- FreePool (TmpStr1);\r
- FreePool (TmpStr2);\r
- FreePool (ConfirmText);\r
-\r
- if (TrEEReadUserKey (CautionKey)) {\r
- return TRUE;\r
- }\r
-\r
- return FALSE; \r
-}\r
-\r
-/**\r
- Check if there is a valid physical presence command request. Also updates parameter value \r
- to whether the requested physical presence command already confirmed by user\r
- \r
- @param[in] TcgPpData EFI TrEE Physical Presence request data. \r
- @param[in] Flags The physical presence interface flags.\r
- @param[out] RequestConfirmed If the physical presence operation command required user confirm from UI.\r
- True, it indicates the command doesn't require user confirm, or already confirmed \r
- in last boot cycle by user.\r
- False, it indicates the command need user confirm from UI.\r
-\r
- @retval TRUE Physical Presence operation command is valid.\r
- @retval FALSE Physical Presence operation command is invalid.\r
-\r
-**/\r
-BOOLEAN\r
-TrEEHaveValidTpmRequest (\r
- IN EFI_TREE_PHYSICAL_PRESENCE *TcgPpData,\r
- IN EFI_TREE_PHYSICAL_PRESENCE_FLAGS Flags,\r
- OUT BOOLEAN *RequestConfirmed\r
- )\r
-{\r
- BOOLEAN IsRequestValid;\r
-\r
- *RequestConfirmed = FALSE;\r
-\r
- switch (TcgPpData->PPRequest) {\r
- case TREE_PHYSICAL_PRESENCE_NO_ACTION:\r
- *RequestConfirmed = TRUE;\r
- return TRUE;\r
- case TREE_PHYSICAL_PRESENCE_CLEAR_CONTROL_CLEAR:\r
- case TREE_PHYSICAL_PRESENCE_CLEAR_CONTROL_CLEAR_2:\r
- case TREE_PHYSICAL_PRESENCE_CLEAR_CONTROL_CLEAR_3:\r
- case TREE_PHYSICAL_PRESENCE_CLEAR_CONTROL_CLEAR_4:\r
- if ((Flags.PPFlags & TREE_BIOS_TPM_MANAGEMENT_FLAG_NO_PPI_CLEAR) != 0) {\r
- *RequestConfirmed = TRUE;\r
- }\r
- break;\r
-\r
- case TREE_PHYSICAL_PRESENCE_SET_NO_PPI_CLEAR_FALSE:\r
- *RequestConfirmed = TRUE;\r
- break;\r
-\r
- case TREE_PHYSICAL_PRESENCE_SET_NO_PPI_CLEAR_TRUE:\r
- break;\r
-\r
- default:\r
- if (TcgPpData->PPRequest >= TREE_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) {\r
- IsRequestValid = TrEEPpVendorLibHasValidRequest (TcgPpData->PPRequest, Flags.PPFlags, RequestConfirmed);\r
- if (!IsRequestValid) {\r
- return FALSE;\r
- } else {\r
- break;\r
- }\r
- } else {\r
- //\r
- // Wrong Physical Presence command\r
- //\r
- return FALSE;\r
- }\r
- }\r
-\r
- if ((Flags.PPFlags & TREE_VENDOR_LIB_FLAG_RESET_TRACK) != 0) {\r
- //\r
- // It had been confirmed in last boot, it doesn't need confirm again.\r
- //\r
- *RequestConfirmed = TRUE;\r
- }\r
-\r
- //\r
- // Physical Presence command is correct\r
- //\r
- return TRUE;\r
-}\r
-\r
-\r
-/**\r
- Check and execute the requested physical presence command.\r
-\r
- Caution: This function may receive untrusted input.\r
- TcgPpData variable is external input, so this function will validate\r
- its data structure to be valid value.\r
-\r
- @param[in] PlatformAuth platform auth value. NULL means no platform auth change.\r
- @param[in] TcgPpData Point to the physical presence NV variable.\r
- @param[in] Flags The physical presence interface flags.\r
-**/\r
-VOID\r
-TrEEExecutePendingTpmRequest (\r
- IN TPM2B_AUTH *PlatformAuth, OPTIONAL\r
- IN EFI_TREE_PHYSICAL_PRESENCE *TcgPpData,\r
- IN EFI_TREE_PHYSICAL_PRESENCE_FLAGS Flags\r
- )\r
-{\r
- EFI_STATUS Status;\r
- UINTN DataSize;\r
- BOOLEAN RequestConfirmed;\r
- EFI_TREE_PHYSICAL_PRESENCE_FLAGS NewFlags;\r
- BOOLEAN ResetRequired;\r
- UINT32 NewPPFlags;\r
-\r
- if (TcgPpData->PPRequest == TREE_PHYSICAL_PRESENCE_NO_ACTION) {\r
- //\r
- // No operation request\r
- //\r
- return;\r
- }\r
-\r
- if (!TrEEHaveValidTpmRequest(TcgPpData, Flags, &RequestConfirmed)) {\r
- //\r
- // Invalid operation request.\r
- //\r
- if (TcgPpData->PPRequest <= TREE_PHYSICAL_PRESENCE_NO_ACTION_MAX) {\r
- TcgPpData->PPResponse = TREE_PP_OPERATION_RESPONSE_SUCCESS;\r
- } else {\r
- TcgPpData->PPResponse = TREE_PP_OPERATION_RESPONSE_BIOS_FAILURE;\r
- }\r
- TcgPpData->LastPPRequest = TcgPpData->PPRequest;\r
- TcgPpData->PPRequest = TREE_PHYSICAL_PRESENCE_NO_ACTION;\r
- DataSize = sizeof (EFI_TREE_PHYSICAL_PRESENCE);\r
- Status = gRT->SetVariable (\r
- TREE_PHYSICAL_PRESENCE_VARIABLE,\r
- &gEfiTrEEPhysicalPresenceGuid,\r
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,\r
- DataSize,\r
- TcgPpData\r
- );\r
- return;\r
- }\r
-\r
- ResetRequired = FALSE;\r
- if (TcgPpData->PPRequest >= TREE_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) {\r
- NewFlags = Flags;\r
- NewPPFlags = NewFlags.PPFlags;\r
- TcgPpData->PPResponse = TrEEPpVendorLibExecutePendingRequest (PlatformAuth, TcgPpData->PPRequest, &NewPPFlags, &ResetRequired);\r
- NewFlags.PPFlags = (UINT8)NewPPFlags;\r
- } else {\r
- if (!RequestConfirmed) {\r
- //\r
- // Print confirm text and wait for approval. \r
- //\r
- RequestConfirmed = TrEEUserConfirm (TcgPpData->PPRequest\r
- );\r
- }\r
-\r
- //\r
- // Execute requested physical presence command\r
- //\r
- TcgPpData->PPResponse = TREE_PP_OPERATION_RESPONSE_USER_ABORT;\r
- NewFlags = Flags;\r
- if (RequestConfirmed) {\r
- TcgPpData->PPResponse = TrEEExecutePhysicalPresence (PlatformAuth, TcgPpData->PPRequest, \r
- &NewFlags);\r
- }\r
- }\r
-\r
- //\r
- // Save the flags if it is updated.\r
- //\r
- if (CompareMem (&Flags, &NewFlags, sizeof(EFI_TREE_PHYSICAL_PRESENCE_FLAGS)) != 0) {\r
- Status = gRT->SetVariable (\r
- TREE_PHYSICAL_PRESENCE_FLAGS_VARIABLE,\r
- &gEfiTrEEPhysicalPresenceGuid,\r
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,\r
- sizeof (EFI_TREE_PHYSICAL_PRESENCE_FLAGS),\r
- &NewFlags\r
- ); \r
- }\r
-\r
- //\r
- // Clear request\r
- //\r
- if ((NewFlags.PPFlags & TREE_VENDOR_LIB_FLAG_RESET_TRACK) == 0) {\r
- TcgPpData->LastPPRequest = TcgPpData->PPRequest;\r
- TcgPpData->PPRequest = TREE_PHYSICAL_PRESENCE_NO_ACTION; \r
- }\r
-\r
- //\r
- // Save changes\r
- //\r
- DataSize = sizeof (EFI_TREE_PHYSICAL_PRESENCE);\r
- Status = gRT->SetVariable (\r
- TREE_PHYSICAL_PRESENCE_VARIABLE,\r
- &gEfiTrEEPhysicalPresenceGuid,\r
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,\r
- DataSize,\r
- TcgPpData\r
- );\r
- if (EFI_ERROR (Status)) {\r
- return;\r
- }\r
-\r
- if (TcgPpData->PPResponse == TREE_PP_OPERATION_RESPONSE_USER_ABORT) {\r
- return;\r
- }\r
-\r
- //\r
- // Reset system to make new TPM settings in effect\r
- //\r
- switch (TcgPpData->LastPPRequest) {\r
- case TREE_PHYSICAL_PRESENCE_CLEAR_CONTROL_CLEAR:\r
- case TREE_PHYSICAL_PRESENCE_CLEAR_CONTROL_CLEAR_2:\r
- case TREE_PHYSICAL_PRESENCE_CLEAR_CONTROL_CLEAR_3:\r
- case TREE_PHYSICAL_PRESENCE_CLEAR_CONTROL_CLEAR_4:\r
- break;\r
- default:\r
- if (TcgPpData->LastPPRequest >= TREE_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) {\r
- if (ResetRequired) {\r
- break;\r
- } else {\r
- return ;\r
- }\r
- }\r
- if (TcgPpData->PPRequest != TREE_PHYSICAL_PRESENCE_NO_ACTION) {\r
- break;\r
- }\r
- return;\r
- }\r
-\r
- Print (L"Rebooting system to make TPM2 settings in effect\n");\r
- gRT->ResetSystem (EfiResetCold, EFI_SUCCESS, 0, NULL);\r
- ASSERT (FALSE); \r
-}\r
-\r
-/**\r
- Check and execute the pending TPM request.\r
-\r
- The TPM request may come from OS or BIOS. This API will display request information and wait \r
- for user confirmation if TPM request exists. The TPM request will be sent to TPM device after\r
- the TPM request is confirmed, and one or more reset may be required to make TPM request to \r
- take effect.\r
- \r
- This API should be invoked after console in and console out are all ready as they are required\r
- to display request information and get user input to confirm the request. \r
-\r
- @param[in] PlatformAuth platform auth value. NULL means no platform auth change.\r
-**/\r
-VOID\r
-EFIAPI\r
-TrEEPhysicalPresenceLibProcessRequest (\r
- IN TPM2B_AUTH *PlatformAuth OPTIONAL\r
- )\r
-{\r
- EFI_STATUS Status;\r
- UINTN DataSize;\r
- EFI_TREE_PHYSICAL_PRESENCE TcgPpData;\r
- EFI_TREE_PROTOCOL *TreeProtocol;\r
- EDKII_VARIABLE_LOCK_PROTOCOL *VariableLockProtocol;\r
- EFI_TREE_PHYSICAL_PRESENCE_FLAGS PpiFlags;\r
-\r
- Status = gBS->LocateProtocol (&gEfiTrEEProtocolGuid, NULL, (VOID **) &TreeProtocol);\r
- if (EFI_ERROR (Status)) {\r
- return ;\r
- }\r
-\r
- //\r
- // Initialize physical presence flags.\r
- //\r
- DataSize = sizeof (EFI_TREE_PHYSICAL_PRESENCE_FLAGS);\r
- Status = gRT->GetVariable (\r
- TREE_PHYSICAL_PRESENCE_FLAGS_VARIABLE,\r
- &gEfiTrEEPhysicalPresenceGuid,\r
- NULL,\r
- &DataSize,\r
- &PpiFlags\r
- );\r
- if (EFI_ERROR (Status)) {\r
- PpiFlags.PPFlags = 0;\r
- Status = gRT->SetVariable (\r
- TREE_PHYSICAL_PRESENCE_FLAGS_VARIABLE,\r
- &gEfiTrEEPhysicalPresenceGuid,\r
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,\r
- sizeof (EFI_TREE_PHYSICAL_PRESENCE_FLAGS),\r
- &PpiFlags\r
- );\r
- if (EFI_ERROR (Status)) {\r
- DEBUG ((EFI_D_ERROR, "[TPM2] Set physical presence flag failed, Status = %r\n", Status));\r
- return ;\r
- }\r
- }\r
- DEBUG ((EFI_D_INFO, "[TPM2] PpiFlags = %x\n", PpiFlags.PPFlags));\r
-\r
- //\r
- // This flags variable controls whether physical presence is required for TPM command. \r
- // It should be protected from malicious software. We set it as read-only variable here.\r
- //\r
- Status = gBS->LocateProtocol (&gEdkiiVariableLockProtocolGuid, NULL, (VOID **)&VariableLockProtocol);\r
- if (!EFI_ERROR (Status)) {\r
- Status = VariableLockProtocol->RequestToLock (\r
- VariableLockProtocol,\r
- TREE_PHYSICAL_PRESENCE_FLAGS_VARIABLE,\r
- &gEfiTrEEPhysicalPresenceGuid\r
- );\r
- if (EFI_ERROR (Status)) {\r
- DEBUG ((EFI_D_ERROR, "[TPM2] Error when lock variable %s, Status = %r\n", TREE_PHYSICAL_PRESENCE_FLAGS_VARIABLE, Status));\r
- ASSERT_EFI_ERROR (Status);\r
- }\r
- }\r
- \r
- //\r
- // Initialize physical presence variable.\r
- //\r
- DataSize = sizeof (EFI_TREE_PHYSICAL_PRESENCE);\r
- Status = gRT->GetVariable (\r
- TREE_PHYSICAL_PRESENCE_VARIABLE,\r
- &gEfiTrEEPhysicalPresenceGuid,\r
- NULL,\r
- &DataSize,\r
- &TcgPpData\r
- );\r
- if (EFI_ERROR (Status)) {\r
- ZeroMem ((VOID*)&TcgPpData, sizeof (TcgPpData));\r
- DataSize = sizeof (EFI_TREE_PHYSICAL_PRESENCE);\r
- Status = gRT->SetVariable (\r
- TREE_PHYSICAL_PRESENCE_VARIABLE,\r
- &gEfiTrEEPhysicalPresenceGuid,\r
- EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,\r
- DataSize,\r
- &TcgPpData\r
- );\r
- if (EFI_ERROR (Status)) {\r
- DEBUG ((EFI_D_ERROR, "[TPM2] Set physical presence variable failed, Status = %r\n", Status));\r
- return ;\r
- }\r
- }\r
-\r
- DEBUG ((EFI_D_INFO, "[TPM2] Flags=%x, PPRequest=%x (LastPPRequest=%x)\n", PpiFlags.PPFlags, TcgPpData.PPRequest, TcgPpData.LastPPRequest));\r
-\r
- //\r
- // Execute pending TPM request.\r
- // \r
- TrEEExecutePendingTpmRequest (PlatformAuth, &TcgPpData, PpiFlags);\r
- DEBUG ((EFI_D_INFO, "[TPM2] PPResponse = %x (LastPPRequest=%x, Flags=%x)\n", TcgPpData.PPResponse, TcgPpData.LastPPRequest, PpiFlags.PPFlags));\r
-\r
-}\r
-\r
-/**\r
- Check if the pending TPM request needs user input to confirm.\r
-\r
- The TPM request may come from OS. This API will check if TPM request exists and need user\r
- input to confirmation.\r
- \r
- @retval TRUE TPM needs input to confirm user physical presence.\r
- @retval FALSE TPM doesn't need input to confirm user physical presence.\r
-\r
-**/\r
-BOOLEAN\r
-EFIAPI\r
-TrEEPhysicalPresenceLibNeedUserConfirm(\r
- VOID\r
- )\r
-{\r
- EFI_STATUS Status;\r
- EFI_TREE_PHYSICAL_PRESENCE TcgPpData;\r
- UINTN DataSize;\r
- BOOLEAN RequestConfirmed;\r
- EFI_TREE_PROTOCOL *TreeProtocol;\r
- EFI_TREE_PHYSICAL_PRESENCE_FLAGS PpiFlags;\r
-\r
- Status = gBS->LocateProtocol (&gEfiTrEEProtocolGuid, NULL, (VOID **) &TreeProtocol);\r
- if (EFI_ERROR (Status)) {\r
- return FALSE;\r
- }\r
-\r
- //\r
- // Check Tpm requests\r
- //\r
- DataSize = sizeof (EFI_TREE_PHYSICAL_PRESENCE);\r
- Status = gRT->GetVariable (\r
- TREE_PHYSICAL_PRESENCE_VARIABLE,\r
- &gEfiTrEEPhysicalPresenceGuid,\r
- NULL,\r
- &DataSize,\r
- &TcgPpData\r
- );\r
- if (EFI_ERROR (Status)) {\r
- return FALSE;\r
- }\r
-\r
- DataSize = sizeof (EFI_TREE_PHYSICAL_PRESENCE_FLAGS);\r
- Status = gRT->GetVariable (\r
- TREE_PHYSICAL_PRESENCE_FLAGS_VARIABLE,\r
- &gEfiTrEEPhysicalPresenceGuid,\r
- NULL,\r
- &DataSize,\r
- &PpiFlags\r
- );\r
- if (EFI_ERROR (Status)) {\r
- return FALSE;\r
- }\r
- \r
- if (TcgPpData.PPRequest == TREE_PHYSICAL_PRESENCE_NO_ACTION) {\r
- //\r
- // No operation request\r
- //\r
- return FALSE;\r
- }\r
-\r
- if (!TrEEHaveValidTpmRequest(&TcgPpData, PpiFlags, &RequestConfirmed)) {\r
- //\r
- // Invalid operation request.\r
- //\r
- return FALSE;\r
- }\r
-\r
- if (!RequestConfirmed) {\r
- //\r
- // Need UI to confirm\r
- //\r
- return TRUE;\r
- }\r
-\r
- return FALSE;\r
-}\r
-\r