[mirror_edk2.git] / SecurityPkg / Include / Library / OpalPasswordSupportLib.h

/** @file\r
  Header file of Opal password support library.\r
\r
Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>\r
This program and the accompanying materials\r
are licensed and made available under the terms and conditions of the BSD License\r
which accompanies this distribution.  The full text of the license may be found at\r
http://opensource.org/licenses/bsd-license.php\r
\r
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
\r
**/\r
\r
\r
#ifndef _OPAL_PASSWORD_SUPPORT_LIB_H_\r
#define _OPAL_PASSWORD_SUPPORT_LIB_H_\r
\r
#include <Protocol/DevicePath.h>\r
#include <Library/TcgStorageOpalLib.h>\r
\r
\r
#pragma pack(1)\r
\r
//\r
// Structure that is used to represent the available actions for an OpalDisk.\r
// The data can then be utilized to expose/hide certain actions available to an end user\r
// by the consumer of this library.\r
//\r
typedef struct {\r
    //\r
    // Indicates if the disk can support PSID Revert action.  should verify disk supports PSID authority\r
    //\r
    UINT16 PsidRevert : 1;\r
\r
    //\r
    // Indicates if the disk can support Revert action\r
    //\r
    UINT16 Revert : 1;\r
\r
    //\r
    // Indicates if the user must keep data for revert action.  It is true if no media encryption is supported.\r
    //\r
    UINT16 RevertKeepDataForced : 1;\r
\r
    //\r
    // Indicates if the disk can support set Admin password\r
    //\r
    UINT16 AdminPass : 1;\r
\r
    //\r
    // Indicates if the disk can support set User password.  This action requires that a user\r
    // password is first enabled.\r
    //\r
    UINT16 UserPass : 1;\r
\r
    //\r
    // Indicates if unlock action is available.  Requires disk to be currently locked.\r
    //\r
    UINT16 Unlock : 1;\r
\r
    //\r
    // Indicates if Secure Erase action is available.  Action requires admin credentials and media encryption support.\r
    //\r
    UINT16 SecureErase : 1;\r
\r
    //\r
    // Indicates if Disable User action is available.  Action requires admin credentials.\r
    //\r
    UINT16 DisableUser : 1;\r
} OPAL_DISK_ACTIONS;\r
\r
//\r
// Structure that is used to represent the Opal device with password info.\r
//\r
typedef struct {\r
  LIST_ENTRY                 Link;\r
\r
  UINT8                      Password[32];\r
  UINT8                      PasswordLength;\r
\r
  EFI_DEVICE_PATH_PROTOCOL   OpalDevicePath;\r
} OPAL_DISK_AND_PASSWORD_INFO;\r
\r
#pragma pack()\r
\r
/**\r
\r
  The function performs determines the available actions for the OPAL_DISK provided.\r
\r
  @param[in]   SupportedAttributes   The support attribute for the device.\r
  @param[in]   LockingFeature        The locking status for the device.\r
  @param[in]   OwnerShip             The ownership for the device.\r
  @param[out]  AvalDiskActions       Pointer to fill-out with appropriate disk actions.\r
\r
**/\r
TCG_RESULT\r
EFIAPI\r
OpalSupportGetAvailableActions(\r
  IN  OPAL_DISK_SUPPORT_ATTRIBUTE      *SupportedAttributes,\r
  IN  TCG_LOCKING_FEATURE_DESCRIPTOR   *LockingFeature,\r
  IN  UINT16                           OwnerShip,\r
  OUT OPAL_DISK_ACTIONS                *AvalDiskActions\r
  );\r
\r
/**\r
  Enable Opal Feature for the input device.\r
\r
  @param[in]      Session            The opal session for the opal device.\r
  @param[in]      Msid               Msid\r
  @param[in]      MsidLength         Msid Length\r
  @param[in]      Password           Admin password\r
  @param[in]      PassLength         Length of password in bytes\r
  @param[in]      DevicePath         The device path for the opal devcie.\r
\r
**/\r
TCG_RESULT\r
EFIAPI\r
OpalSupportEnableOpalFeature(\r
  IN OPAL_SESSION              *Session,\r
  IN VOID                      *Msid,\r
  IN UINT32                    MsidLength,\r
  IN VOID                      *Password,\r
  IN UINT32                    PassLength,\r
  IN EFI_DEVICE_PATH_PROTOCOL  *DevicePath\r
  );\r
\r
/**\r
  Creates a session with OPAL_UID_ADMIN_SP as OPAL_ADMIN_SP_PSID_AUTHORITY, then reverts device using Admin SP Revert method.\r
\r
  @param[in]      Session            The opal session for the opal device.\r
  @param[in]      Psid               PSID of device to revert.\r
  @param[in]      PsidLength         Length of PSID in bytes.\r
  @param[in]      DevicePath         The device path for the opal devcie.\r
\r
**/\r
TCG_RESULT\r
EFIAPI\r
OpalSupportPsidRevert(\r
  IN OPAL_SESSION              *Session,\r
  IN VOID                      *Psid,\r
  IN UINT32                    PsidLength,\r
  IN EFI_DEVICE_PATH_PROTOCOL  *DevicePath\r
  );\r
\r
/**\r
  Opens a session with OPAL_UID_ADMIN_SP as OPAL_ADMIN_SP_PSID_AUTHORITY, then reverts the device using the RevertSP method.\r
\r
  @param[in]      Session            The opal session for the opal device.\r
  @param[in]      KeepUserData       TRUE to keep existing Data on the disk, or FALSE to erase it\r
  @param[in]      Password           Admin password\r
  @param[in]      PasswordLength     Length of password in bytes\r
  @param[in]      Msid               Msid\r
  @param[in]      MsidLength         Msid Length\r
  @param[out]     PasswordFailed     indicates if password failed (start session didn't work)\r
  @param[in]      DevicePath         The device path for the opal devcie.\r
\r
**/\r
TCG_RESULT\r
EFIAPI\r
OpalSupportRevert(\r
  IN  OPAL_SESSION              *Session,\r
  IN  BOOLEAN                   KeepUserData,\r
  IN  VOID                      *Password,\r
  IN  UINT32                    PasswordLength,\r
  IN  VOID                      *Msid,\r
  IN  UINT32                    MsidLength,\r
  OUT BOOLEAN                   *PasswordFailed,\r
  IN  EFI_DEVICE_PATH_PROTOCOL  *DevicePath\r
  );\r
\r
/**\r
  Set new password.\r
\r
  @param[in]      Session            The opal session for the opal device.\r
  @param[in]      OldPassword        Current admin password\r
  @param[in]      OldPasswordLength  Length of current admin password in bytes\r
  @param[in]      NewPassword        New admin password to set\r
  @param[in]      NewPasswordLength  Length of new password in bytes\r
  @param[in]      DevicePath         The device path for the opal devcie.\r
  @param[in]      SetAdmin           Whether set admin password or user password.\r
                                     TRUE for admin, FALSE for user.\r
\r
**/\r
TCG_RESULT\r
EFIAPI\r
OpalSupportSetPassword(\r
  IN OPAL_SESSION              *Session,\r
  IN VOID                      *OldPassword,\r
  IN UINT32                    OldPasswordLength,\r
  IN VOID                      *NewPassword,\r
  IN UINT32                    NewPasswordLength,\r
  IN EFI_DEVICE_PATH_PROTOCOL  *DevicePath,\r
  IN BOOLEAN                   SetAdmin\r
  );\r
\r
/**\r
  Starts a session with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_ADMIN1_AUTHORITY and disables the User1 authority.\r
\r
  @param[in]      Session            The opal session for the opal device.\r
  @param[in]      Password           Admin password\r
  @param[in]      PasswordLength     Length of password in bytes\r
  @param[out]     PasswordFailed     Indicates if password failed (start session didn't work)\r
  @param[in]      DevicePath         The device path for the opal devcie.\r
\r
**/\r
TCG_RESULT\r
EFIAPI\r
OpalSupportDisableUser(\r
  IN  OPAL_SESSION              *Session,\r
  IN  VOID                      *Password,\r
  IN  UINT32                    PasswordLength,\r
  OUT BOOLEAN                   *PasswordFailed,\r
  IN  EFI_DEVICE_PATH_PROTOCOL  *DevicePath\r
  );\r
\r
/**\r
  Starts a session with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_USER1_AUTHORITY or OPAL_LOCKING_SP_ADMIN1_AUTHORITY\r
  and updates the global locking range ReadLocked and WriteLocked columns to FALSE.\r
\r
  @param[in]      Session            The opal session for the opal device.\r
  @param[in]      Password           Admin or user password\r
  @param[in]      PasswordLength     Length of password in bytes\r
  @param[in]      DevicePath         The device path for the opal devcie.\r
\r
**/\r
TCG_RESULT\r
EFIAPI\r
OpalSupportUnlock(\r
  IN OPAL_SESSION               *Session,\r
  IN VOID                       *Password,\r
  IN UINT32                     PasswordLength,\r
  IN EFI_DEVICE_PATH_PROTOCOL   *DevicePath\r
  );\r
\r
/**\r
  Starts a session with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_USER1_AUTHORITY or OPAL_LOCKING_SP_ADMIN1_AUTHORITY\r
  and updates the global locking range ReadLocked and WriteLocked columns to TRUE.\r
\r
  @param[in]      Session             The opal session for the opal device.\r
  @param[in]      Password            Admin or user password\r
  @param[in]      PasswordLength      Length of password in bytes\r
  @param[in]      DevicePath          The device path for the opal devcie.\r
\r
**/\r
TCG_RESULT\r
EFIAPI\r
OpalSupportLock(\r
  IN OPAL_SESSION               *Session,\r
  IN VOID                       *Password,\r
  IN UINT32                     PasswordLength,\r
  IN EFI_DEVICE_PATH_PROTOCOL   *DevicePath\r
  );\r
\r
/**\r
  Check if the password is full zero.\r
\r
  @param[in]   Password       Points to the Data Buffer\r
\r
  @retval      TRUE           This password string is full zero.\r
  @retval      FALSE          This password string is not full zero.\r
\r
**/\r
LIST_ENTRY *\r
EFIAPI\r
OpalSupportGetOpalDeviceList (\r
  VOID\r
  );\r
\r
/**\r
  Transfer the password to the smm driver.\r
\r
  @param[in]  DevicePath     The device path for the opal devcie.\r
  @param      PasswordLen    The input password length.\r
  @param      Password       Input password buffer.\r
\r
  @retval  EFI_SUCCESS       Do the required action success.\r
  @retval  Others            Error occured.\r
\r
**/\r
EFI_STATUS\r
EFIAPI\r
OpalSupportSendPasword(\r
  EFI_DEVICE_PATH_PROTOCOL    *DevicePath,\r
  UINTN                       PasswordLen,\r
  VOID                        *Password\r
  );\r
\r
#endif // _OPAL_CORE_H_\r
Commit	Line	Data
1cf00fbd ED	1	/** @file\r
	2	Header file of Opal password support library.\r
	3	\r
	4	Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>\r
	5	This program and the accompanying materials\r
	6	are licensed and made available under the terms and conditions of the BSD License\r
	7	which accompanies this distribution. The full text of the license may be found at\r
	8	http://opensource.org/licenses/bsd-license.php\r
	9	\r
	10	THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
	11	WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
	12	\r
	13	**/\r
	14	\r
	15	\r
	16	#ifndef _OPAL_PASSWORD_SUPPORT_LIB_H_\r
	17	#define _OPAL_PASSWORD_SUPPORT_LIB_H_\r
	18	\r
	19	#include <Protocol/DevicePath.h>\r
	20	#include <Library/TcgStorageOpalLib.h>\r
	21	\r
	22	\r
	23	#pragma pack(1)\r
	24	\r
	25	//\r
	26	// Structure that is used to represent the available actions for an OpalDisk.\r
	27	// The data can then be utilized to expose/hide certain actions available to an end user\r
	28	// by the consumer of this library.\r
	29	//\r
	30	typedef struct {\r
	31	//\r
	32	// Indicates if the disk can support PSID Revert action. should verify disk supports PSID authority\r
	33	//\r
	34	UINT16 PsidRevert : 1;\r
	35	\r
	36	//\r
	37	// Indicates if the disk can support Revert action\r
	38	//\r
	39	UINT16 Revert : 1;\r
	40	\r
	41	//\r
	42	// Indicates if the user must keep data for revert action. It is true if no media encryption is supported.\r
	43	//\r
	44	UINT16 RevertKeepDataForced : 1;\r
	45	\r
	46	//\r
	47	// Indicates if the disk can support set Admin password\r
	48	//\r
	49	UINT16 AdminPass : 1;\r
	50	\r
	51	//\r
	52	// Indicates if the disk can support set User password. This action requires that a user\r
	53	// password is first enabled.\r
	54	//\r
	55	UINT16 UserPass : 1;\r
	56	\r
	57	//\r
	58	// Indicates if unlock action is available. Requires disk to be currently locked.\r
	59	//\r
	60	UINT16 Unlock : 1;\r
	61	\r
	62	//\r
	63	// Indicates if Secure Erase action is available. Action requires admin credentials and media encryption support.\r
	64	//\r
65	UINT16 SecureErase : 1;\r
66	\r
67	//\r
68	// Indicates if Disable User action is available. Action requires admin credentials.\r
69	//\r
70	UINT16 DisableUser : 1;\r
71	} OPAL_DISK_ACTIONS;\r
72	\r
73	//\r
74	// Structure that is used to represent the Opal device with password info.\r
75	//\r
76	typedef struct {\r
77	LIST_ENTRY Link;\r
78	\r
79	UINT8 Password[32];\r
80	UINT8 PasswordLength;\r
81	\r
82	EFI_DEVICE_PATH_PROTOCOL OpalDevicePath;\r
83	} OPAL_DISK_AND_PASSWORD_INFO;\r
84	\r
85	#pragma pack()\r
86	\r
87	/**\r
88	\r
89	The function performs determines the available actions for the OPAL_DISK provided.\r
90	\r
91	@param[in] SupportedAttributes The support attribute for the device.\r
92	@param[in] LockingFeature The locking status for the device.\r
93	@param[in] OwnerShip The ownership for the device.\r
94	@param[out] AvalDiskActions Pointer to fill-out with appropriate disk actions.\r
95	\r
96	**/\r
97	TCG_RESULT\r
98	EFIAPI\r
99	OpalSupportGetAvailableActions(\r
100	IN OPAL_DISK_SUPPORT_ATTRIBUTE *SupportedAttributes,\r
101	IN TCG_LOCKING_FEATURE_DESCRIPTOR *LockingFeature,\r
102	IN UINT16 OwnerShip,\r
103	OUT OPAL_DISK_ACTIONS *AvalDiskActions\r
104	);\r
105	\r
106	/**\r
107	Enable Opal Feature for the input device.\r
108	\r
109	@param[in] Session The opal session for the opal device.\r
110	@param[in] Msid Msid\r
111	@param[in] MsidLength Msid Length\r
112	@param[in] Password Admin password\r
113	@param[in] PassLength Length of password in bytes\r
114	@param[in] DevicePath The device path for the opal devcie.\r
115	\r
116	**/\r
117	TCG_RESULT\r
118	EFIAPI\r
119	OpalSupportEnableOpalFeature(\r
120	IN OPAL_SESSION *Session,\r
121	IN VOID *Msid,\r
122	IN UINT32 MsidLength,\r
123	IN VOID *Password,\r
124	IN UINT32 PassLength,\r
125	IN EFI_DEVICE_PATH_PROTOCOL *DevicePath\r
126	);\r
127	\r
128	/**\r
129	Creates a session with OPAL_UID_ADMIN_SP as OPAL_ADMIN_SP_PSID_AUTHORITY, then reverts device using Admin SP Revert method.\r
130	\r
131	@param[in] Session The opal session for the opal device.\r
132	@param[in] Psid PSID of device to revert.\r
133	@param[in] PsidLength Length of PSID in bytes.\r
134	@param[in] DevicePath The device path for the opal devcie.\r
135	\r
136	**/\r
137	TCG_RESULT\r
138	EFIAPI\r
139	OpalSupportPsidRevert(\r
140	IN OPAL_SESSION *Session,\r
141	IN VOID *Psid,\r
142	IN UINT32 PsidLength,\r
143	IN EFI_DEVICE_PATH_PROTOCOL *DevicePath\r
144	);\r
145	\r
146	/**\r
147	Opens a session with OPAL_UID_ADMIN_SP as OPAL_ADMIN_SP_PSID_AUTHORITY, then reverts the device using the RevertSP method.\r
148	\r
149	@param[in] Session The opal session for the opal device.\r
150	@param[in] KeepUserData TRUE to keep existing Data on the disk, or FALSE to erase it\r
151	@param[in] Password Admin password\r
152	@param[in] PasswordLength Length of password in bytes\r
153	@param[in] Msid Msid\r
154	@param[in] MsidLength Msid Length\r
155	@param[out] PasswordFailed indicates if password failed (start session didn't work)\r
156	@param[in] DevicePath The device path for the opal devcie.\r
157	\r
158	**/\r
159	TCG_RESULT\r
160	EFIAPI\r
161	OpalSupportRevert(\r
162	IN OPAL_SESSION *Session,\r
163	IN BOOLEAN KeepUserData,\r
164	IN VOID *Password,\r
165	IN UINT32 PasswordLength,\r
166	IN VOID *Msid,\r
167	IN UINT32 MsidLength,\r
168	OUT BOOLEAN *PasswordFailed,\r
169	IN EFI_DEVICE_PATH_PROTOCOL *DevicePath\r
170	);\r
171	\r
172	/**\r
173	Set new password.\r
174	\r
175	@param[in] Session The opal session for the opal device.\r
176	@param[in] OldPassword Current admin password\r
177	@param[in] OldPasswordLength Length of current admin password in bytes\r
178	@param[in] NewPassword New admin password to set\r
179	@param[in] NewPasswordLength Length of new password in bytes\r
180	@param[in] DevicePath The device path for the opal devcie.\r
181	@param[in] SetAdmin Whether set admin password or user password.\r
182	TRUE for admin, FALSE for user.\r
183	\r
184	**/\r
185	TCG_RESULT\r
186	EFIAPI\r
187	OpalSupportSetPassword(\r
188	IN OPAL_SESSION *Session,\r
189	IN VOID *OldPassword,\r
190	IN UINT32 OldPasswordLength,\r
191	IN VOID *NewPassword,\r
192	IN UINT32 NewPasswordLength,\r
193	IN EFI_DEVICE_PATH_PROTOCOL *DevicePath,\r
194	IN BOOLEAN SetAdmin\r
195	);\r
196	\r
197	/**\r
198	Starts a session with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_ADMIN1_AUTHORITY and disables the User1 authority.\r
199	\r
200	@param[in] Session The opal session for the opal device.\r
201	@param[in] Password Admin password\r
202	@param[in] PasswordLength Length of password in bytes\r
203	@param[out] PasswordFailed Indicates if password failed (start session didn't work)\r
204	@param[in] DevicePath The device path for the opal devcie.\r
205	\r
206	**/\r
207	TCG_RESULT\r
208	EFIAPI\r
209	OpalSupportDisableUser(\r
210	IN OPAL_SESSION *Session,\r
211	IN VOID *Password,\r
212	IN UINT32 PasswordLength,\r
213	OUT BOOLEAN *PasswordFailed,\r
214	IN EFI_DEVICE_PATH_PROTOCOL *DevicePath\r
215	);\r
216	\r
217	/**\r
218	Starts a session with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_USER1_AUTHORITY or OPAL_LOCKING_SP_ADMIN1_AUTHORITY\r
219	and updates the global locking range ReadLocked and WriteLocked columns to FALSE.\r
220	\r
221	@param[in] Session The opal session for the opal device.\r
222	@param[in] Password Admin or user password\r
223	@param[in] PasswordLength Length of password in bytes\r
224	@param[in] DevicePath The device path for the opal devcie.\r
225	\r
226	**/\r
227	TCG_RESULT\r
228	EFIAPI\r
229	OpalSupportUnlock(\r
230	IN OPAL_SESSION *Session,\r
231	IN VOID *Password,\r
232	IN UINT32 PasswordLength,\r
233	IN EFI_DEVICE_PATH_PROTOCOL *DevicePath\r
234	);\r
235	\r
236	/**\r
237	Starts a session with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_USER1_AUTHORITY or OPAL_LOCKING_SP_ADMIN1_AUTHORITY\r
238	and updates the global locking range ReadLocked and WriteLocked columns to TRUE.\r
239	\r
240	@param[in] Session The opal session for the opal device.\r
241	@param[in] Password Admin or user password\r
242	@param[in] PasswordLength Length of password in bytes\r
243	@param[in] DevicePath The device path for the opal devcie.\r
244	\r
245	**/\r
246	TCG_RESULT\r
247	EFIAPI\r
248	OpalSupportLock(\r
249	IN OPAL_SESSION *Session,\r
250	IN VOID *Password,\r
251	IN UINT32 PasswordLength,\r
252	IN EFI_DEVICE_PATH_PROTOCOL *DevicePath\r
253	);\r
254	\r
255	/**\r
256	Check if the password is full zero.\r
257	\r
258	@param[in] Password Points to the Data Buffer\r
259	\r
260	@retval TRUE This password string is full zero.\r
261	@retval FALSE This password string is not full zero.\r
262	\r
263	**/\r
264	LIST_ENTRY *\r
265	EFIAPI\r
266	OpalSupportGetOpalDeviceList (\r
267	VOID\r
268	);\r
269	\r
270	/**\r
271	Transfer the password to the smm driver.\r
272	\r
273	@param[in] DevicePath The device path for the opal devcie.\r
274	@param PasswordLen The input password length.\r
275	@param Password Input password buffer.\r
276	\r
277	@retval EFI_SUCCESS Do the required action success.\r
278	@retval Others Error occured.\r
279	\r
280	**/\r
281	EFI_STATUS\r
282	EFIAPI\r
283	OpalSupportSendPasword(\r
284	EFI_DEVICE_PATH_PROTOCOL *DevicePath,\r
285	UINTN PasswordLen,\r
286	VOID *Password\r
287	);\r
288	\r
289	#endif // _OPAL_CORE_H_\r