[mirror_edk2.git] / SecurityPkg / Tcg / Opal / OpalPassword / OpalPasswordPei.c

/** @file\r
  Opal Password PEI driver which is used to unlock Opal Password for S3.\r
\r
Copyright (c) 2016 - 2019, Intel Corporation. All rights reserved.<BR>\r
SPDX-License-Identifier: BSD-2-Clause-Patent\r
\r
**/\r
\r
#include "OpalPasswordPei.h"\r
\r
EFI_GUID  mOpalDeviceLockBoxGuid = OPAL_DEVICE_LOCKBOX_GUID;\r
\r
/**\r
  Send a security protocol command to a device that receives data and/or the result\r
  of one or more commands sent by SendData.\r
\r
  The ReceiveData function sends a security protocol command to the given MediaId.\r
  The security protocol command sent is defined by SecurityProtocolId and contains\r
  the security protocol specific data SecurityProtocolSpecificData. The function\r
  returns the data from the security protocol command in PayloadBuffer.\r
\r
  For devices supporting the SCSI command set, the security protocol command is sent\r
  using the SECURITY PROTOCOL IN command defined in SPC-4.\r
\r
  For devices supporting the ATA command set, the security protocol command is sent\r
  using one of the TRUSTED RECEIVE commands defined in ATA8-ACS if PayloadBufferSize\r
  is non-zero.\r
\r
  If the PayloadBufferSize is zero, the security protocol command is sent using the\r
  Trusted Non-Data command defined in ATA8-ACS.\r
\r
  If PayloadBufferSize is too small to store the available data from the security\r
  protocol command, the function shall copy PayloadBufferSize bytes into the\r
  PayloadBuffer and return EFI_WARN_BUFFER_TOO_SMALL.\r
\r
  If PayloadBuffer or PayloadTransferSize is NULL and PayloadBufferSize is non-zero,\r
  the function shall return EFI_INVALID_PARAMETER.\r
\r
  If the given MediaId does not support security protocol commands, the function shall\r
  return EFI_UNSUPPORTED. If there is no media in the device, the function returns\r
  EFI_NO_MEDIA. If the MediaId is not the ID for the current media in the device,\r
  the function returns EFI_MEDIA_CHANGED.\r
\r
  If the security protocol fails to complete within the Timeout period, the function\r
  shall return EFI_TIMEOUT.\r
\r
  If the security protocol command completes without an error, the function shall\r
  return EFI_SUCCESS. If the security protocol command completes with an error, the\r
  function shall return EFI_DEVICE_ERROR.\r
\r
  @param  This                         Indicates a pointer to the calling context.\r
  @param  MediaId                      ID of the medium to receive data from.\r
  @param  Timeout                      The timeout, in 100ns units, to use for the execution\r
                                       of the security protocol command. A Timeout value of 0\r
                                       means that this function will wait indefinitely for the\r
                                       security protocol command to execute. If Timeout is greater\r
                                       than zero, then this function will return EFI_TIMEOUT\r
                                       if the time required to execute the receive data command\r
                                       is greater than Timeout.\r
  @param  SecurityProtocolId           The value of the "Security Protocol" parameter of\r
                                       the security protocol command to be sent.\r
  @param  SecurityProtocolSpecificData The value of the "Security Protocol Specific" parameter\r
                                       of the security protocol command to be sent.\r
  @param  PayloadBufferSize            Size in bytes of the payload data buffer.\r
  @param  PayloadBuffer                A pointer to a destination buffer to store the security\r
                                       protocol command specific payload data for the security\r
                                       protocol command. The caller is responsible for having\r
                                       either implicit or explicit ownership of the buffer.\r
  @param  PayloadTransferSize          A pointer to a buffer to store the size in bytes of the\r
                                       data written to the payload data buffer.\r
\r
  @retval EFI_SUCCESS                  The security protocol command completed successfully.\r
  @retval EFI_WARN_BUFFER_TOO_SMALL    The PayloadBufferSize was too small to store the available\r
                                       data from the device. The PayloadBuffer contains the truncated data.\r
  @retval EFI_UNSUPPORTED              The given MediaId does not support security protocol commands.\r
  @retval EFI_DEVICE_ERROR             The security protocol command completed with an error.\r
  @retval EFI_NO_MEDIA                 There is no media in the device.\r
  @retval EFI_MEDIA_CHANGED            The MediaId is not for the current media.\r
  @retval EFI_INVALID_PARAMETER        The PayloadBuffer or PayloadTransferSize is NULL and\r
                                       PayloadBufferSize is non-zero.\r
  @retval EFI_TIMEOUT                  A timeout occurred while waiting for the security\r
                                       protocol command to execute.\r
\r
**/\r
EFI_STATUS\r
EFIAPI\r
SecurityReceiveData (\r
  IN  EFI_STORAGE_SECURITY_COMMAND_PROTOCOL  *This,\r
  IN  UINT32                                 MediaId,\r
  IN  UINT64                                 Timeout,\r
  IN  UINT8                                  SecurityProtocolId,\r
  IN  UINT16                                 SecurityProtocolSpecificData,\r
  IN  UINTN                                  PayloadBufferSize,\r
  OUT VOID                                   *PayloadBuffer,\r
  OUT UINTN                                  *PayloadTransferSize\r
  )\r
{\r
  OPAL_PEI_DEVICE  *PeiDev;\r
\r
  PeiDev = OPAL_PEI_DEVICE_FROM_THIS (This);\r
  if (PeiDev == NULL) {\r
    return EFI_DEVICE_ERROR;\r
  }\r
\r
  return PeiDev->SscPpi->ReceiveData (\r
                           PeiDev->SscPpi,\r
                           PeiDev->DeviceIndex,\r
                           SSC_PPI_GENERIC_TIMEOUT,\r
                           SecurityProtocolId,\r
                           SecurityProtocolSpecificData,\r
                           PayloadBufferSize,\r
                           PayloadBuffer,\r
                           PayloadTransferSize\r
                           );\r
}\r
\r
/**\r
  Send a security protocol command to a device.\r
\r
  The SendData function sends a security protocol command containing the payload\r
  PayloadBuffer to the given MediaId. The security protocol command sent is\r
  defined by SecurityProtocolId and contains the security protocol specific data\r
  SecurityProtocolSpecificData. If the underlying protocol command requires a\r
  specific padding for the command payload, the SendData function shall add padding\r
  bytes to the command payload to satisfy the padding requirements.\r
\r
  For devices supporting the SCSI command set, the security protocol command is sent\r
  using the SECURITY PROTOCOL OUT command defined in SPC-4.\r
\r
  For devices supporting the ATA command set, the security protocol command is sent\r
  using one of the TRUSTED SEND commands defined in ATA8-ACS if PayloadBufferSize\r
  is non-zero. If the PayloadBufferSize is zero, the security protocol command is\r
  sent using the Trusted Non-Data command defined in ATA8-ACS.\r
\r
  If PayloadBuffer is NULL and PayloadBufferSize is non-zero, the function shall\r
  return EFI_INVALID_PARAMETER.\r
\r
  If the given MediaId does not support security protocol commands, the function\r
  shall return EFI_UNSUPPORTED. If there is no media in the device, the function\r
  returns EFI_NO_MEDIA. If the MediaId is not the ID for the current media in the\r
  device, the function returns EFI_MEDIA_CHANGED.\r
\r
  If the security protocol fails to complete within the Timeout period, the function\r
  shall return EFI_TIMEOUT.\r
\r
  If the security protocol command completes without an error, the function shall return\r
  EFI_SUCCESS. If the security protocol command completes with an error, the function\r
  shall return EFI_DEVICE_ERROR.\r
\r
  @param  This                         Indicates a pointer to the calling context.\r
  @param  MediaId                      ID of the medium to receive data from.\r
  @param  Timeout                      The timeout, in 100ns units, to use for the execution\r
                                       of the security protocol command. A Timeout value of 0\r
                                       means that this function will wait indefinitely for the\r
                                       security protocol command to execute. If Timeout is greater\r
                                       than zero, then this function will return EFI_TIMEOUT\r
                                       if the time required to execute the send data command\r
                                       is greater than Timeout.\r
  @param  SecurityProtocolId           The value of the "Security Protocol" parameter of\r
                                       the security protocol command to be sent.\r
  @param  SecurityProtocolSpecificData The value of the "Security Protocol Specific" parameter\r
                                       of the security protocol command to be sent.\r
  @param  PayloadBufferSize            Size in bytes of the payload data buffer.\r
  @param  PayloadBuffer                A pointer to a destination buffer to store the security\r
                                       protocol command specific payload data for the security\r
                                       protocol command.\r
\r
  @retval EFI_SUCCESS                  The security protocol command completed successfully.\r
  @retval EFI_UNSUPPORTED              The given MediaId does not support security protocol commands.\r
  @retval EFI_DEVICE_ERROR             The security protocol command completed with an error.\r
  @retval EFI_NO_MEDIA                 There is no media in the device.\r
  @retval EFI_MEDIA_CHANGED            The MediaId is not for the current media.\r
  @retval EFI_INVALID_PARAMETER        The PayloadBuffer is NULL and PayloadBufferSize is non-zero.\r
  @retval EFI_TIMEOUT                  A timeout occurred while waiting for the security\r
                                       protocol command to execute.\r
\r
**/\r
EFI_STATUS\r
EFIAPI\r
SecuritySendData (\r
  IN EFI_STORAGE_SECURITY_COMMAND_PROTOCOL  *This,\r
  IN UINT32                                 MediaId,\r
  IN UINT64                                 Timeout,\r
  IN UINT8                                  SecurityProtocolId,\r
  IN UINT16                                 SecurityProtocolSpecificData,\r
  IN UINTN                                  PayloadBufferSize,\r
  IN VOID                                   *PayloadBuffer\r
  )\r
{\r
  OPAL_PEI_DEVICE  *PeiDev;\r
\r
  PeiDev = OPAL_PEI_DEVICE_FROM_THIS (This);\r
  if (PeiDev == NULL) {\r
    return EFI_DEVICE_ERROR;\r
  }\r
\r
  return PeiDev->SscPpi->SendData (\r
                           PeiDev->SscPpi,\r
                           PeiDev->DeviceIndex,\r
                           SSC_PPI_GENERIC_TIMEOUT,\r
                           SecurityProtocolId,\r
                           SecurityProtocolSpecificData,\r
                           PayloadBufferSize,\r
                           PayloadBuffer\r
                           );\r
}\r
\r
/**\r
\r
  The function returns whether or not the device is Opal Locked.\r
  TRUE means that the device is partially or fully locked.\r
  This will perform a Level 0 Discovery and parse the locking feature descriptor\r
\r
  @param[in]      OpalDev             Opal object to determine if locked.\r
  @param[out]     BlockSidSupported   Whether device support BlockSid feature.\r
\r
**/\r
BOOLEAN\r
IsOpalDeviceLocked (\r
  OPAL_PEI_DEVICE  *OpalDev,\r
  BOOLEAN          *BlockSidSupported\r
  )\r
{\r
  OPAL_SESSION                    Session;\r
  OPAL_DISK_SUPPORT_ATTRIBUTE     SupportedAttributes;\r
  TCG_LOCKING_FEATURE_DESCRIPTOR  LockingFeature;\r
  UINT16                          OpalBaseComId;\r
  TCG_RESULT                      Ret;\r
\r
  Session.Sscp    = &OpalDev->Sscp;\r
  Session.MediaId = 0;\r
\r
  Ret = OpalGetSupportedAttributesInfo (&Session, &SupportedAttributes, &OpalBaseComId);\r
  if (Ret != TcgResultSuccess) {\r
    return FALSE;\r
  }\r
\r
  Session.OpalBaseComId = OpalBaseComId;\r
  *BlockSidSupported    = SupportedAttributes.BlockSid == 1 ? TRUE : FALSE;\r
\r
  Ret = OpalGetLockingInfo (&Session, &LockingFeature);\r
  if (Ret != TcgResultSuccess) {\r
    return FALSE;\r
  }\r
\r
  return OpalDeviceLocked (&SupportedAttributes, &LockingFeature);\r
}\r
\r
/**\r
  Unlock OPAL password for S3.\r
\r
  @param[in] OpalDev            Opal object to unlock.\r
\r
**/\r
VOID\r
UnlockOpalPassword (\r
  IN OPAL_PEI_DEVICE  *OpalDev\r
  )\r
{\r
  TCG_RESULT    Result;\r
  OPAL_SESSION  Session;\r
  BOOLEAN       BlockSidSupport;\r
  UINT32        PpStorageFlags;\r
  BOOLEAN       BlockSIDEnabled;\r
\r
  BlockSidSupport = FALSE;\r
  if (IsOpalDeviceLocked (OpalDev, &BlockSidSupport)) {\r
    ZeroMem (&Session, sizeof (Session));\r
    Session.Sscp          = &OpalDev->Sscp;\r
    Session.MediaId       = 0;\r
    Session.OpalBaseComId = OpalDev->Device->OpalBaseComId;\r
\r
    Result = OpalUtilUpdateGlobalLockingRange (\r
               &Session,\r
               OpalDev->Device->Password,\r
               OpalDev->Device->PasswordLength,\r
               FALSE,\r
               FALSE\r
               );\r
    DEBUG ((\r
      DEBUG_INFO,\r
      "%a() OpalUtilUpdateGlobalLockingRange() Result = 0x%x\n",\r
      __FUNCTION__,\r
      Result\r
      ));\r
  }\r
\r
  PpStorageFlags = Tcg2PhysicalPresenceLibGetManagementFlags ();\r
  if ((PpStorageFlags & TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_ENABLE_BLOCK_SID) != 0) {\r
    BlockSIDEnabled = TRUE;\r
  } else {\r
    BlockSIDEnabled = FALSE;\r
  }\r
\r
  if (BlockSIDEnabled && BlockSidSupport) {\r
    DEBUG ((DEBUG_INFO, "OpalPassword: S3 phase send BlockSid command to device!\n"));\r
    ZeroMem (&Session, sizeof (Session));\r
    Session.Sscp          = &OpalDev->Sscp;\r
    Session.MediaId       = 0;\r
    Session.OpalBaseComId = OpalDev->Device->OpalBaseComId;\r
    Result                = OpalBlockSid (&Session, TRUE);\r
    DEBUG ((\r
      DEBUG_INFO,\r
      "%a() OpalBlockSid() Result = 0x%x\n",\r
      __FUNCTION__,\r
      Result\r
      ));\r
  }\r
}\r
\r
/**\r
  Unlock the OPAL NVM Express and ATA devices for S3.\r
\r
  @param[in] SscPpi    Pointer to the EDKII_PEI_STORAGE_SECURITY_CMD_PPI instance.\r
\r
**/\r
VOID\r
UnlockOpalPasswordDevices (\r
  IN EDKII_PEI_STORAGE_SECURITY_CMD_PPI  *SscPpi\r
  )\r
{\r
  EFI_STATUS                Status;\r
  UINT8                     *DevInfoBuffer;\r
  UINT8                     DummyData;\r
  OPAL_DEVICE_LOCKBOX_DATA  *DevInfo;\r
  UINTN                     DevInfoLength;\r
  EFI_DEVICE_PATH_PROTOCOL  *SscDevicePath;\r
  UINTN                     SscDevicePathLength;\r
  UINTN                     SscDeviceNum;\r
  UINTN                     SscDeviceIndex;\r
  OPAL_PEI_DEVICE           OpalDev;\r
\r
  //\r
  // Get OPAL devices info from LockBox.\r
  //\r
  DevInfoBuffer = &DummyData;\r
  DevInfoLength = sizeof (DummyData);\r
  Status        = RestoreLockBox (&mOpalDeviceLockBoxGuid, DevInfoBuffer, &DevInfoLength);\r
  if (Status == EFI_BUFFER_TOO_SMALL) {\r
    DevInfoBuffer = AllocatePages (EFI_SIZE_TO_PAGES (DevInfoLength));\r
    if (DevInfoBuffer != NULL) {\r
      Status = RestoreLockBox (&mOpalDeviceLockBoxGuid, DevInfoBuffer, &DevInfoLength);\r
    }\r
  }\r
\r
  if ((DevInfoBuffer == NULL) || (DevInfoBuffer == &DummyData)) {\r
    return;\r
  } else if (EFI_ERROR (Status)) {\r
    FreePages (DevInfoBuffer, EFI_SIZE_TO_PAGES (DevInfoLength));\r
    return;\r
  }\r
\r
  //\r
  // Go through all the devices managed by the SSC PPI instance.\r
  //\r
  Status = SscPpi->GetNumberofDevices (SscPpi, &SscDeviceNum);\r
  if (EFI_ERROR (Status)) {\r
    goto Exit;\r
  }\r
\r
  for (SscDeviceIndex = 1; SscDeviceIndex <= SscDeviceNum; SscDeviceIndex++) {\r
    Status = SscPpi->GetDevicePath (\r
                       SscPpi,\r
                       SscDeviceIndex,\r
                       &SscDevicePathLength,\r
                       &SscDevicePath\r
                       );\r
    if (SscDevicePathLength <= sizeof (EFI_DEVICE_PATH_PROTOCOL)) {\r
      //\r
      // Device path validity check.\r
      //\r
      continue;\r
    }\r
\r
    //\r
    // Search the device in the restored LockBox.\r
    //\r
    for (DevInfo = (OPAL_DEVICE_LOCKBOX_DATA *)DevInfoBuffer;\r
         (UINTN)DevInfo < ((UINTN)DevInfoBuffer + DevInfoLength);\r
         DevInfo = (OPAL_DEVICE_LOCKBOX_DATA *)((UINTN)DevInfo + DevInfo->Length))\r
    {\r
      //\r
      // Find the matching device.\r
      //\r
      if ((DevInfo->DevicePathLength >= SscDevicePathLength) &&\r
          (CompareMem (\r
             DevInfo->DevicePath,\r
             SscDevicePath,\r
             SscDevicePathLength - sizeof (EFI_DEVICE_PATH_PROTOCOL)\r
             ) == 0))\r
      {\r
        OpalDev.Signature        = OPAL_PEI_DEVICE_SIGNATURE;\r
        OpalDev.Sscp.ReceiveData = SecurityReceiveData;\r
        OpalDev.Sscp.SendData    = SecuritySendData;\r
        OpalDev.Device           = DevInfo;\r
        OpalDev.Context          = NULL;\r
        OpalDev.SscPpi           = SscPpi;\r
        OpalDev.DeviceIndex      = SscDeviceIndex;\r
        UnlockOpalPassword (&OpalDev);\r
        break;\r
      }\r
    }\r
  }\r
\r
Exit:\r
  ZeroMem (DevInfoBuffer, DevInfoLength);\r
  FreePages (DevInfoBuffer, EFI_SIZE_TO_PAGES (DevInfoLength));\r
}\r
\r
/**\r
  One notified function at the installation of EDKII_PEI_STORAGE_SECURITY_CMD_PPI.\r
  It is to unlock OPAL password for S3.\r
\r
  @param[in] PeiServices         Indirect reference to the PEI Services Table.\r
  @param[in] NotifyDescriptor    Address of the notification descriptor data structure.\r
  @param[in] Ppi                 Address of the PPI that was installed.\r
\r
  @return Status of the notification.\r
          The status code returned from this function is ignored.\r
\r
**/\r
EFI_STATUS\r
EFIAPI\r
OpalPasswordStorageSecurityPpiNotify (\r
  IN EFI_PEI_SERVICES           **PeiServices,\r
  IN EFI_PEI_NOTIFY_DESCRIPTOR  *NotifyDesc,\r
  IN VOID                       *Ppi\r
  )\r
{\r
  DEBUG ((DEBUG_INFO, "%a entered at S3 resume!\n", __FUNCTION__));\r
\r
  UnlockOpalPasswordDevices ((EDKII_PEI_STORAGE_SECURITY_CMD_PPI *)Ppi);\r
\r
  DEBUG ((DEBUG_INFO, "%a exit at S3 resume!\n", __FUNCTION__));\r
\r
  return EFI_SUCCESS;\r
}\r
\r
EFI_PEI_NOTIFY_DESCRIPTOR  mOpalPasswordStorageSecurityPpiNotifyDesc = {\r
  (EFI_PEI_PPI_DESCRIPTOR_NOTIFY_CALLBACK | EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST),\r
  &gEdkiiPeiStorageSecurityCommandPpiGuid,\r
  OpalPasswordStorageSecurityPpiNotify\r
};\r
\r
/**\r
  Main entry for this module.\r
\r
  @param FileHandle             Handle of the file being invoked.\r
  @param PeiServices            Pointer to PEI Services table.\r
\r
  @return Status from PeiServicesNotifyPpi.\r
\r
**/\r
EFI_STATUS\r
EFIAPI\r
OpalPasswordPeiInit (\r
  IN EFI_PEI_FILE_HANDLE     FileHandle,\r
  IN CONST EFI_PEI_SERVICES  **PeiServices\r
  )\r
{\r
  EFI_STATUS     Status;\r
  EFI_BOOT_MODE  BootMode;\r
\r
  Status = PeiServicesGetBootMode (&BootMode);\r
  if ((EFI_ERROR (Status)) || (BootMode != BOOT_ON_S3_RESUME)) {\r
    return EFI_UNSUPPORTED;\r
  }\r
\r
  DEBUG ((DEBUG_INFO, "%a: Enters in S3 path.\n", __FUNCTION__));\r
\r
  Status = PeiServicesNotifyPpi (&mOpalPasswordStorageSecurityPpiNotifyDesc);\r
  ASSERT_EFI_ERROR (Status);\r
  return Status;\r
}\r
Commit	Line	Data
112e584b SZ	1	/** @file\r
	2	Opal Password PEI driver which is used to unlock Opal Password for S3.\r
	3	\r
a3efbc29	4	Copyright (c) 2016 - 2019, Intel Corporation. All rights reserved.<BR>\r
289b714b	5	SPDX-License-Identifier: BSD-2-Clause-Patent\r
112e584b SZ	6	\r
	7	**/\r
	8	\r
	9	#include "OpalPasswordPei.h"\r
	10	\r
c411b485	11	EFI_GUID mOpalDeviceLockBoxGuid = OPAL_DEVICE_LOCKBOX_GUID;\r
112e584b SZ	12	\r
	13	/**\r
	14	Send a security protocol command to a device that receives data and/or the result\r
	15	of one or more commands sent by SendData.\r
	16	\r
	17	The ReceiveData function sends a security protocol command to the given MediaId.\r
	18	The security protocol command sent is defined by SecurityProtocolId and contains\r
	19	the security protocol specific data SecurityProtocolSpecificData. The function\r
	20	returns the data from the security protocol command in PayloadBuffer.\r
	21	\r
	22	For devices supporting the SCSI command set, the security protocol command is sent\r
	23	using the SECURITY PROTOCOL IN command defined in SPC-4.\r
	24	\r
	25	For devices supporting the ATA command set, the security protocol command is sent\r
	26	using one of the TRUSTED RECEIVE commands defined in ATA8-ACS if PayloadBufferSize\r
	27	is non-zero.\r
	28	\r
	29	If the PayloadBufferSize is zero, the security protocol command is sent using the\r
	30	Trusted Non-Data command defined in ATA8-ACS.\r
	31	\r
	32	If PayloadBufferSize is too small to store the available data from the security\r
	33	protocol command, the function shall copy PayloadBufferSize bytes into the\r
	34	PayloadBuffer and return EFI_WARN_BUFFER_TOO_SMALL.\r
	35	\r
	36	If PayloadBuffer or PayloadTransferSize is NULL and PayloadBufferSize is non-zero,\r
	37	the function shall return EFI_INVALID_PARAMETER.\r
	38	\r
	39	If the given MediaId does not support security protocol commands, the function shall\r
	40	return EFI_UNSUPPORTED. If there is no media in the device, the function returns\r
	41	EFI_NO_MEDIA. If the MediaId is not the ID for the current media in the device,\r
	42	the function returns EFI_MEDIA_CHANGED.\r
	43	\r
	44	If the security protocol fails to complete within the Timeout period, the function\r
	45	shall return EFI_TIMEOUT.\r
	46	\r
	47	If the security protocol command completes without an error, the function shall\r
	48	return EFI_SUCCESS. If the security protocol command completes with an error, the\r
	49	function shall return EFI_DEVICE_ERROR.\r
	50	\r
	51	@param This Indicates a pointer to the calling context.\r
	52	@param MediaId ID of the medium to receive data from.\r
	53	@param Timeout The timeout, in 100ns units, to use for the execution\r
	54	of the security protocol command. A Timeout value of 0\r
	55	means that this function will wait indefinitely for the\r
	56	security protocol command to execute. If Timeout is greater\r
	57	than zero, then this function will return EFI_TIMEOUT\r
	58	if the time required to execute the receive data command\r
	59	is greater than Timeout.\r
	60	@param SecurityProtocolId The value of the "Security Protocol" parameter of\r
	61	the security protocol command to be sent.\r
	62	@param SecurityProtocolSpecificData The value of the "Security Protocol Specific" parameter\r
	63	of the security protocol command to be sent.\r
	64	@param PayloadBufferSize Size in bytes of the payload data buffer.\r
	65	@param PayloadBuffer A pointer to a destination buffer to store the security\r
	66	protocol command specific payload data for the security\r
	67	protocol command. The caller is responsible for having\r
	68	either implicit or explicit ownership of the buffer.\r
	69	@param PayloadTransferSize A pointer to a buffer to store the size in bytes of the\r
	70	data written to the payload data buffer.\r
	71	\r
	72	@retval EFI_SUCCESS The security protocol command completed successfully.\r
	73	@retval EFI_WARN_BUFFER_TOO_SMALL The PayloadBufferSize was too small to store the available\r
	74	data from the device. The PayloadBuffer contains the truncated data.\r
	75	@retval EFI_UNSUPPORTED The given MediaId does not support security protocol commands.\r
76	@retval EFI_DEVICE_ERROR The security protocol command completed with an error.\r
77	@retval EFI_NO_MEDIA There is no media in the device.\r
78	@retval EFI_MEDIA_CHANGED The MediaId is not for the current media.\r
79	@retval EFI_INVALID_PARAMETER The PayloadBuffer or PayloadTransferSize is NULL and\r
80	PayloadBufferSize is non-zero.\r
81	@retval EFI_TIMEOUT A timeout occurred while waiting for the security\r
82	protocol command to execute.\r
83	\r
84	**/\r
85	EFI_STATUS\r
86	EFIAPI\r
87	SecurityReceiveData (\r
c411b485 MK	88	IN EFI_STORAGE_SECURITY_COMMAND_PROTOCOL *This,\r
	89	IN UINT32 MediaId,\r
	90	IN UINT64 Timeout,\r
	91	IN UINT8 SecurityProtocolId,\r
	92	IN UINT16 SecurityProtocolSpecificData,\r
	93	IN UINTN PayloadBufferSize,\r
	94	OUT VOID *PayloadBuffer,\r
	95	OUT UINTN *PayloadTransferSize\r
112e584b SZ	96	)\r
112e584b SZ	97	{\r
c411b485	98	OPAL_PEI_DEVICE *PeiDev;\r
112e584b SZ	99	\r
	100	PeiDev = OPAL_PEI_DEVICE_FROM_THIS (This);\r
	101	if (PeiDev == NULL) {\r
	102	return EFI_DEVICE_ERROR;\r
	103	}\r
	104	\r
a3efbc29 HW	105	return PeiDev->SscPpi->ReceiveData (\r
	106	PeiDev->SscPpi,\r
	107	PeiDev->DeviceIndex,\r
	108	SSC_PPI_GENERIC_TIMEOUT,\r
	109	SecurityProtocolId,\r
	110	SecurityProtocolSpecificData,\r
	111	PayloadBufferSize,\r
	112	PayloadBuffer,\r
	113	PayloadTransferSize\r
	114	);\r
112e584b SZ	115	}\r
	116	\r
	117	/**\r
	118	Send a security protocol command to a device.\r
	119	\r
	120	The SendData function sends a security protocol command containing the payload\r
	121	PayloadBuffer to the given MediaId. The security protocol command sent is\r
	122	defined by SecurityProtocolId and contains the security protocol specific data\r
	123	SecurityProtocolSpecificData. If the underlying protocol command requires a\r
	124	specific padding for the command payload, the SendData function shall add padding\r
	125	bytes to the command payload to satisfy the padding requirements.\r
	126	\r
	127	For devices supporting the SCSI command set, the security protocol command is sent\r
	128	using the SECURITY PROTOCOL OUT command defined in SPC-4.\r
	129	\r
	130	For devices supporting the ATA command set, the security protocol command is sent\r
	131	using one of the TRUSTED SEND commands defined in ATA8-ACS if PayloadBufferSize\r
	132	is non-zero. If the PayloadBufferSize is zero, the security protocol command is\r
	133	sent using the Trusted Non-Data command defined in ATA8-ACS.\r
	134	\r
	135	If PayloadBuffer is NULL and PayloadBufferSize is non-zero, the function shall\r
	136	return EFI_INVALID_PARAMETER.\r
	137	\r
	138	If the given MediaId does not support security protocol commands, the function\r
	139	shall return EFI_UNSUPPORTED. If there is no media in the device, the function\r
	140	returns EFI_NO_MEDIA. If the MediaId is not the ID for the current media in the\r
	141	device, the function returns EFI_MEDIA_CHANGED.\r
	142	\r
	143	If the security protocol fails to complete within the Timeout period, the function\r
	144	shall return EFI_TIMEOUT.\r
	145	\r
	146	If the security protocol command completes without an error, the function shall return\r
	147	EFI_SUCCESS. If the security protocol command completes with an error, the function\r
	148	shall return EFI_DEVICE_ERROR.\r
	149	\r
	150	@param This Indicates a pointer to the calling context.\r
	151	@param MediaId ID of the medium to receive data from.\r
	152	@param Timeout The timeout, in 100ns units, to use for the execution\r
	153	of the security protocol command. A Timeout value of 0\r
	154	means that this function will wait indefinitely for the\r
	155	security protocol command to execute. If Timeout is greater\r
	156	than zero, then this function will return EFI_TIMEOUT\r
	157	if the time required to execute the send data command\r
	158	is greater than Timeout.\r
	159	@param SecurityProtocolId The value of the "Security Protocol" parameter of\r
	160	the security protocol command to be sent.\r
	161	@param SecurityProtocolSpecificData The value of the "Security Protocol Specific" parameter\r
	162	of the security protocol command to be sent.\r
	163	@param PayloadBufferSize Size in bytes of the payload data buffer.\r
	164	@param PayloadBuffer A pointer to a destination buffer to store the security\r
	165	protocol command specific payload data for the security\r
	166	protocol command.\r
	167	\r
	168	@retval EFI_SUCCESS The security protocol command completed successfully.\r
	169	@retval EFI_UNSUPPORTED The given MediaId does not support security protocol commands.\r
	170	@retval EFI_DEVICE_ERROR The security protocol command completed with an error.\r
	171	@retval EFI_NO_MEDIA There is no media in the device.\r
	172	@retval EFI_MEDIA_CHANGED The MediaId is not for the current media.\r
	173	@retval EFI_INVALID_PARAMETER The PayloadBuffer is NULL and PayloadBufferSize is non-zero.\r
	174	@retval EFI_TIMEOUT A timeout occurred while waiting for the security\r
	175	protocol command to execute.\r
	176	\r
	177	**/\r
	178	EFI_STATUS\r
179	EFIAPI\r
180	SecuritySendData (\r
c411b485 MK	181	IN EFI_STORAGE_SECURITY_COMMAND_PROTOCOL *This,\r
	182	IN UINT32 MediaId,\r
	183	IN UINT64 Timeout,\r
	184	IN UINT8 SecurityProtocolId,\r
	185	IN UINT16 SecurityProtocolSpecificData,\r
	186	IN UINTN PayloadBufferSize,\r
	187	IN VOID *PayloadBuffer\r
112e584b SZ	188	)\r
112e584b SZ	189	{\r
c411b485	190	OPAL_PEI_DEVICE *PeiDev;\r
112e584b SZ	191	\r
	192	PeiDev = OPAL_PEI_DEVICE_FROM_THIS (This);\r
	193	if (PeiDev == NULL) {\r
	194	return EFI_DEVICE_ERROR;\r
	195	}\r
	196	\r
a3efbc29 HW	197	return PeiDev->SscPpi->SendData (\r
	198	PeiDev->SscPpi,\r
	199	PeiDev->DeviceIndex,\r
	200	SSC_PPI_GENERIC_TIMEOUT,\r
	201	SecurityProtocolId,\r
	202	SecurityProtocolSpecificData,\r
	203	PayloadBufferSize,\r
	204	PayloadBuffer\r
	205	);\r
112e584b SZ	206	}\r
	207	\r
	208	/**\r
	209	\r
	210	The function returns whether or not the device is Opal Locked.\r
	211	TRUE means that the device is partially or fully locked.\r
	212	This will perform a Level 0 Discovery and parse the locking feature descriptor\r
	213	\r
	214	@param[in] OpalDev Opal object to determine if locked.\r
	215	@param[out] BlockSidSupported Whether device support BlockSid feature.\r
	216	\r
	217	**/\r
	218	BOOLEAN\r
c411b485 MK	219	IsOpalDeviceLocked (\r
	220	OPAL_PEI_DEVICE *OpalDev,\r
	221	BOOLEAN *BlockSidSupported\r
112e584b SZ	222	)\r
112e584b SZ	223	{\r
c411b485 MK	224	OPAL_SESSION Session;\r
	225	OPAL_DISK_SUPPORT_ATTRIBUTE SupportedAttributes;\r
	226	TCG_LOCKING_FEATURE_DESCRIPTOR LockingFeature;\r
	227	UINT16 OpalBaseComId;\r
	228	TCG_RESULT Ret;\r
112e584b	229	\r
c411b485	230	Session.Sscp = &OpalDev->Sscp;\r
112e584b SZ	231	Session.MediaId = 0;\r
	232	\r
	233	Ret = OpalGetSupportedAttributesInfo (&Session, &SupportedAttributes, &OpalBaseComId);\r
	234	if (Ret != TcgResultSuccess) {\r
	235	return FALSE;\r
	236	}\r
	237	\r
c411b485 MK	238	Session.OpalBaseComId = OpalBaseComId;\r
c411b485 MK	239	*BlockSidSupported = SupportedAttributes.BlockSid == 1 ? TRUE : FALSE;\r
112e584b	240	\r
c411b485	241	Ret = OpalGetLockingInfo (&Session, &LockingFeature);\r
112e584b SZ	242	if (Ret != TcgResultSuccess) {\r
	243	return FALSE;\r
	244	}\r
	245	\r
	246	return OpalDeviceLocked (&SupportedAttributes, &LockingFeature);\r
	247	}\r
	248	\r
	249	/**\r
	250	Unlock OPAL password for S3.\r
	251	\r
	252	@param[in] OpalDev Opal object to unlock.\r
	253	\r
	254	**/\r
	255	VOID\r
	256	UnlockOpalPassword (\r
c411b485	257	IN OPAL_PEI_DEVICE *OpalDev\r
112e584b SZ	258	)\r
112e584b SZ	259	{\r
c411b485 MK	260	TCG_RESULT Result;\r
	261	OPAL_SESSION Session;\r
	262	BOOLEAN BlockSidSupport;\r
	263	UINT32 PpStorageFlags;\r
	264	BOOLEAN BlockSIDEnabled;\r
112e584b SZ	265	\r
	266	BlockSidSupport = FALSE;\r
	267	if (IsOpalDeviceLocked (OpalDev, &BlockSidSupport)) {\r
c411b485 MK	268	ZeroMem (&Session, sizeof (Session));\r
	269	Session.Sscp = &OpalDev->Sscp;\r
	270	Session.MediaId = 0;\r
112e584b SZ	271	Session.OpalBaseComId = OpalDev->Device->OpalBaseComId;\r
	272	\r
	273	Result = OpalUtilUpdateGlobalLockingRange (\r
	274	&Session,\r
	275	OpalDev->Device->Password,\r
	276	OpalDev->Device->PasswordLength,\r
	277	FALSE,\r
	278	FALSE\r
	279	);\r
	280	DEBUG ((\r
	281	DEBUG_INFO,\r
	282	"%a() OpalUtilUpdateGlobalLockingRange() Result = 0x%x\n",\r
	283	__FUNCTION__,\r
	284	Result\r
	285	));\r
	286	}\r
	287	\r
	288	PpStorageFlags = Tcg2PhysicalPresenceLibGetManagementFlags ();\r
	289	if ((PpStorageFlags & TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_ENABLE_BLOCK_SID) != 0) {\r
	290	BlockSIDEnabled = TRUE;\r
	291	} else {\r
	292	BlockSIDEnabled = FALSE;\r
	293	}\r
c411b485	294	\r
112e584b	295	if (BlockSIDEnabled && BlockSidSupport) {\r
40d32e79	296	DEBUG ((DEBUG_INFO, "OpalPassword: S3 phase send BlockSid command to device!\n"));\r
c411b485 MK	297	ZeroMem (&Session, sizeof (Session));\r
	298	Session.Sscp = &OpalDev->Sscp;\r
	299	Session.MediaId = 0;\r
112e584b	300	Session.OpalBaseComId = OpalDev->Device->OpalBaseComId;\r
c411b485	301	Result = OpalBlockSid (&Session, TRUE);\r
112e584b SZ	302	DEBUG ((\r
	303	DEBUG_INFO,\r
	304	"%a() OpalBlockSid() Result = 0x%x\n",\r
	305	__FUNCTION__,\r
	306	Result\r
	307	));\r
	308	}\r
	309	}\r
	310	\r
	311	/**\r
a3efbc29 HW	312	Unlock the OPAL NVM Express and ATA devices for S3.\r
	313	\r
	314	@param[in] SscPpi Pointer to the EDKII_PEI_STORAGE_SECURITY_CMD_PPI instance.\r
112e584b SZ	315	\r
	316	**/\r
	317	VOID\r
a3efbc29	318	UnlockOpalPasswordDevices (\r
c411b485	319	IN EDKII_PEI_STORAGE_SECURITY_CMD_PPI *SscPpi\r
112e584b SZ	320	)\r
112e584b SZ	321	{\r
c411b485 MK	322	EFI_STATUS Status;\r
	323	UINT8 *DevInfoBuffer;\r
	324	UINT8 DummyData;\r
	325	OPAL_DEVICE_LOCKBOX_DATA *DevInfo;\r
	326	UINTN DevInfoLength;\r
	327	EFI_DEVICE_PATH_PROTOCOL *SscDevicePath;\r
	328	UINTN SscDevicePathLength;\r
	329	UINTN SscDeviceNum;\r
	330	UINTN SscDeviceIndex;\r
	331	OPAL_PEI_DEVICE OpalDev;\r
112e584b SZ	332	\r
112e584b SZ	333	//\r
a3efbc29	334	// Get OPAL devices info from LockBox.\r
112e584b	335	//\r
a3efbc29 HW	336	DevInfoBuffer = &DummyData;\r
a3efbc29 HW	337	DevInfoLength = sizeof (DummyData);\r
c411b485	338	Status = RestoreLockBox (&mOpalDeviceLockBoxGuid, DevInfoBuffer, &DevInfoLength);\r
112e584b	339	if (Status == EFI_BUFFER_TOO_SMALL) {\r
a3efbc29 HW	340	DevInfoBuffer = AllocatePages (EFI_SIZE_TO_PAGES (DevInfoLength));\r
	341	if (DevInfoBuffer != NULL) {\r
	342	Status = RestoreLockBox (&mOpalDeviceLockBoxGuid, DevInfoBuffer, &DevInfoLength);\r
112e584b SZ	343	}\r
112e584b SZ	344	}\r
c411b485 MK	345	\r
c411b485 MK	346	if ((DevInfoBuffer == NULL) \|\| (DevInfoBuffer == &DummyData)) {\r
a3efbc29 HW	347	return;\r
	348	} else if (EFI_ERROR (Status)) {\r
	349	FreePages (DevInfoBuffer, EFI_SIZE_TO_PAGES (DevInfoLength));\r
112e584b SZ	350	return;\r
	351	}\r
	352	\r
112e584b	353	//\r
a3efbc29	354	// Go through all the devices managed by the SSC PPI instance.\r
112e584b	355	//\r
a3efbc29 HW	356	Status = SscPpi->GetNumberofDevices (SscPpi, &SscDeviceNum);\r
	357	if (EFI_ERROR (Status)) {\r
	358	goto Exit;\r
112e584b	359	}\r
c411b485	360	\r
a3efbc29 HW	361	for (SscDeviceIndex = 1; SscDeviceIndex <= SscDeviceNum; SscDeviceIndex++) {\r
	362	Status = SscPpi->GetDevicePath (\r
	363	SscPpi,\r
	364	SscDeviceIndex,\r
	365	&SscDevicePathLength,\r
	366	&SscDevicePath\r
	367	);\r
	368	if (SscDevicePathLength <= sizeof (EFI_DEVICE_PATH_PROTOCOL)) {\r
	369	//\r
	370	// Device path validity check.\r
	371	//\r
	372	continue;\r
112e584b SZ	373	}\r
112e584b SZ	374	\r
a3efbc29 HW	375	//\r
	376	// Search the device in the restored LockBox.\r
	377	//\r
c411b485 MK	378	for (DevInfo = (OPAL_DEVICE_LOCKBOX_DATA *)DevInfoBuffer;\r
	379	(UINTN)DevInfo < ((UINTN)DevInfoBuffer + DevInfoLength);\r
	380	DevInfo = (OPAL_DEVICE_LOCKBOX_DATA *)((UINTN)DevInfo + DevInfo->Length))\r
	381	{\r
a3efbc29 HW	382	//\r
	383	// Find the matching device.\r
	384	//\r
	385	if ((DevInfo->DevicePathLength >= SscDevicePathLength) &&\r
	386	(CompareMem (\r
	387	DevInfo->DevicePath,\r
	388	SscDevicePath,\r
c411b485 MK	389	SscDevicePathLength - sizeof (EFI_DEVICE_PATH_PROTOCOL)\r
	390	) == 0))\r
	391	{\r
a3efbc29 HW	392	OpalDev.Signature = OPAL_PEI_DEVICE_SIGNATURE;\r
	393	OpalDev.Sscp.ReceiveData = SecurityReceiveData;\r
	394	OpalDev.Sscp.SendData = SecuritySendData;\r
	395	OpalDev.Device = DevInfo;\r
	396	OpalDev.Context = NULL;\r
	397	OpalDev.SscPpi = SscPpi;\r
	398	OpalDev.DeviceIndex = SscDeviceIndex;\r
	399	UnlockOpalPassword (&OpalDev);\r
	400	break;\r
	401	}\r
	402	}\r
112e584b SZ	403	}\r
112e584b SZ	404	\r
a3efbc29 HW	405	Exit:\r
	406	ZeroMem (DevInfoBuffer, DevInfoLength);\r
	407	FreePages (DevInfoBuffer, EFI_SIZE_TO_PAGES (DevInfoLength));\r
112e584b SZ	408	}\r
	409	\r
	410	/**\r
a3efbc29	411	One notified function at the installation of EDKII_PEI_STORAGE_SECURITY_CMD_PPI.\r
112e584b SZ	412	It is to unlock OPAL password for S3.\r
112e584b SZ	413	\r
a3efbc29 HW	414	@param[in] PeiServices Indirect reference to the PEI Services Table.\r
	415	@param[in] NotifyDescriptor Address of the notification descriptor data structure.\r
	416	@param[in] Ppi Address of the PPI that was installed.\r
112e584b SZ	417	\r
	418	@return Status of the notification.\r
	419	The status code returned from this function is ignored.\r
a3efbc29	420	\r
112e584b SZ	421	**/\r
	422	EFI_STATUS\r
	423	EFIAPI\r
a3efbc29	424	OpalPasswordStorageSecurityPpiNotify (\r
c411b485 MK	425	IN EFI_PEI_SERVICES **PeiServices,\r
	426	IN EFI_PEI_NOTIFY_DESCRIPTOR *NotifyDesc,\r
	427	IN VOID *Ppi\r
112e584b SZ	428	)\r
112e584b SZ	429	{\r
a3efbc29	430	DEBUG ((DEBUG_INFO, "%a entered at S3 resume!\n", __FUNCTION__));\r
112e584b	431	\r
c411b485	432	UnlockOpalPasswordDevices ((EDKII_PEI_STORAGE_SECURITY_CMD_PPI *)Ppi);\r
112e584b	433	\r
a3efbc29	434	DEBUG ((DEBUG_INFO, "%a exit at S3 resume!\n", __FUNCTION__));\r
112e584b SZ	435	\r
	436	return EFI_SUCCESS;\r
	437	}\r
	438	\r
c411b485	439	EFI_PEI_NOTIFY_DESCRIPTOR mOpalPasswordStorageSecurityPpiNotifyDesc = {\r
112e584b	440	(EFI_PEI_PPI_DESCRIPTOR_NOTIFY_CALLBACK \| EFI_PEI_PPI_DESCRIPTOR_TERMINATE_LIST),\r
a3efbc29 HW	441	&gEdkiiPeiStorageSecurityCommandPpiGuid,\r
a3efbc29 HW	442	OpalPasswordStorageSecurityPpiNotify\r
112e584b SZ	443	};\r
	444	\r
	445	/**\r
	446	Main entry for this module.\r
	447	\r
	448	@param FileHandle Handle of the file being invoked.\r
	449	@param PeiServices Pointer to PEI Services table.\r
	450	\r
	451	@return Status from PeiServicesNotifyPpi.\r
	452	\r
	453	**/\r
	454	EFI_STATUS\r
	455	EFIAPI\r
	456	OpalPasswordPeiInit (\r
c411b485 MK	457	IN EFI_PEI_FILE_HANDLE FileHandle,\r
c411b485 MK	458	IN CONST EFI_PEI_SERVICES **PeiServices\r
112e584b SZ	459	)\r
112e584b SZ	460	{\r
c411b485 MK	461	EFI_STATUS Status;\r
c411b485 MK	462	EFI_BOOT_MODE BootMode;\r
a3efbc29 HW	463	\r
	464	Status = PeiServicesGetBootMode (&BootMode);\r
	465	if ((EFI_ERROR (Status)) \|\| (BootMode != BOOT_ON_S3_RESUME)) {\r
	466	return EFI_UNSUPPORTED;\r
	467	}\r
112e584b	468	\r
a3efbc29 HW	469	DEBUG ((DEBUG_INFO, "%a: Enters in S3 path.\n", __FUNCTION__));\r
	470	\r
	471	Status = PeiServicesNotifyPpi (&mOpalPasswordStorageSecurityPpiNotifyDesc);\r
112e584b SZ	472	ASSERT_EFI_ERROR (Status);\r
	473	return Status;\r
	474	}\r