]> git.proxmox.com Git - mirror_edk2.git/blame_incremental - SecurityPkg/SecurityPkg.dec
projects / mirror_edk2.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
Validate the input namespace field to avoid assert.
[mirror_edk2.git] / SecurityPkg / SecurityPkg.dec
... / ...
CommitLineData
1## @file SecurityPkg.dec\r
2# Provides security features that conform to TCG/UEFI industry standards\r
3#\r
4# The security features include secure boot, measured boot and user identification.\r
5# It also provides the definitions(including PPIs/PROTOCOLs/GUIDs and library classes)\r
6# and libraries instances, which are used for those features.\r
7#\r
8# Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>\r
9# (C) Copyright 2015 Hewlett Packard Enterprise Development LP <BR>\r
10# This program and the accompanying materials are licensed and made available under\r
11# the terms and conditions of the BSD License which accompanies this distribution.\r
12# The full text of the license may be found at\r
13# http://opensource.org/licenses/bsd-license.php\r
14#\r
15# THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
16# WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
17#\r
18##\r
19\r
20[Defines]\r
21 DEC_SPECIFICATION = 0x00010005\r
22 PACKAGE_NAME = SecurityPkg\r
23 PACKAGE_UNI_FILE = SecurityPkg.uni\r
24 PACKAGE_GUID = 4EFC4F66-6219-4427-B780-FB99F470767F\r
25 PACKAGE_VERSION = 0.95\r
26\r
27[Includes]\r
28 Include\r
29\r
30[LibraryClasses]\r
31 ## @libraryclass Provides hash interfaces from different implementations.\r
32 # \r
33 HashLib|Include/Library/HashLib.h\r
34 \r
35 ## @libraryclass Provides a platform specific interface to detect physically present user.\r
36 #\r
37 PlatformSecureLib|Include/Library/PlatformSecureLib.h\r
38 \r
39 ## @libraryclass Provides interfaces to handle TPM 1.2 request.\r
40 #\r
41 TcgPhysicalPresenceLib|Include/Library/TcgPhysicalPresenceLib.h\r
42 \r
43 ## @libraryclass Provides support for TCG PP >= 128 Vendor Specific PPI Operation.\r
44 #\r
45 TcgPpVendorLib|Include/Library/TcgPpVendorLib.h\r
46 \r
47 ## @libraryclass Provides interfaces for other modules to send TPM 2.0 command.\r
48 #\r
49 Tpm2CommandLib|Include/Library/Tpm2CommandLib.h\r
50 \r
51 ## @libraryclass Provides interfaces on how to access TPM 2.0 hardware device.\r
52 #\r
53 Tpm2DeviceLib|Include/Library/Tpm2DeviceLib.h\r
54 \r
55 ## @libraryclass Provides interfaces for other modules to send TPM 1.2 command.\r
56 #\r
57 Tpm12CommandLib|Include/Library/Tpm12CommandLib.h\r
58 \r
59 ## @libraryclass Provides interfaces on how to access TPM 1.2 hardware device.\r
60 #\r
61 Tpm12DeviceLib|Include/Library/Tpm12DeviceLib.h\r
62 \r
63 ## @libraryclass Provides TPM Interface Specification (TIS) interfaces for TPM command.\r
64 #\r
65 TpmCommLib|Include/Library/TpmCommLib.h\r
66 \r
67 ## @libraryclass Provides interfaces to handle TPM 2.0 request.\r
68 #\r
69 TrEEPhysicalPresenceLib|Include/Library/TrEEPhysicalPresenceLib.h\r
70 \r
71 ## @libraryclass Provides support for TrEE PP >= 128 Vendor Specific PPI Operation.\r
72 #\r
73 TrEEPpVendorLib|Include/Library/TrEEPpVendorLib.h\r
74\r
75[Guids]\r
76 ## Security package token space guid.\r
77 # Include/Guid/SecurityPkgTokenSpace.h\r
78 gEfiSecurityPkgTokenSpaceGuid = { 0xd3fb176, 0x9569, 0x4d51, { 0xa3, 0xef, 0x7d, 0x61, 0xc6, 0x4f, 0xea, 0xba }}\r
79\r
80 ## GUID used to "SecureBootEnable" variable for the Secure Boot feature enable/disable.\r
81 # This variable is used for allowing a physically present user to disable Secure Boot via firmware setup without the possession of PKpriv.\r
82 # Include/Guid/AuthenticatedVariableFormat.h\r
83 gEfiSecureBootEnableDisableGuid = { 0xf0a30bc7, 0xaf08, 0x4556, { 0x99, 0xc4, 0x0, 0x10, 0x9, 0xc9, 0x3a, 0x44 } }\r
84\r
85 ## GUID used to "CustomMode" variable for two Secure Boot modes feature: "Custom" and "Standard".\r
86 # Standard Secure Boot mode is the default mode as UEFI Spec's description.\r
87 # Custom Secure Boot mode allows for more flexibility as specified in the following:\r
88 # Can enroll or delete PK without existing PK's private key.\r
89 # Can enroll or delete KEK without existing PK's private key.\r
90 # Can enroll or delete signature from DB/DBX without KEK's private key.\r
91 # Include/Guid/AuthenticatedVariableFormat.h\r
92 gEfiCustomModeEnableGuid = { 0xc076ec0c, 0x7028, 0x4399, { 0xa0, 0x72, 0x71, 0xee, 0x5c, 0x44, 0x8b, 0x9f } }\r
93\r
94 ## GUID used to "VendorKeysNv" variable to record the out of band secure boot keys modification.\r
95 # This variable is a read-only NV variable that indicates whether someone other than the platform vendor has used a \r
96 # mechanism not defined by the UEFI Specification to transition the system to setup mode or to update secure boot keys.\r
97 # Include/Guid/AuthenticatedVariableFormat.h\r
98 gEfiVendorKeysNvGuid = { 0x9073e4e0, 0x60ec, 0x4b6e, { 0x99, 0x3, 0x4c, 0x22, 0x3c, 0x26, 0xf, 0x3c } }\r
99\r
100 ## GUID used to "certdb" variable to store the signer's certificates for common variables with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS attribute.\r
101 # Include/Guid/AuthenticatedVariableFormat.h\r
102 gEfiCertDbGuid = { 0xd9bee56e, 0x75dc, 0x49d9, { 0xb4, 0xd7, 0xb5, 0x34, 0x21, 0xf, 0x63, 0x7a } }\r
103 \r
104 ## Hob GUID used to pass a TCG_PCR_EVENT from a TPM PEIM to a TPM DXE Driver.\r
105 # Include/Guid/TcgEventHob.h\r
106 gTcgEventEntryHobGuid = { 0x2b9ffb52, 0x1b13, 0x416f, { 0xa8, 0x7b, 0xbc, 0x93, 0xd, 0xef, 0x92, 0xa8 }}\r
107\r
108 ## Hob GUID used to pass a TCG_PCR_EVENT_2 from a TPM2 PEIM to a TPM2 DXE Driver.\r
109 ## Include/Guid/TcgEventHob.h\r
110 gTcgEvent2EntryHobGuid = { 0xd26c221e, 0x2430, 0x4c8a, { 0x91, 0x70, 0x3f, 0xcb, 0x45, 0x0, 0x41, 0x3f }}\r
111\r
112 ## HOB GUID used to record TPM device error.\r
113 # Include/Guid/TcgEventHob.h\r
114 gTpmErrorHobGuid = { 0xef598499, 0xb25e, 0x473a, { 0xbf, 0xaf, 0xe7, 0xe5, 0x7d, 0xce, 0x82, 0xc4 }}\r
115\r
116 ## HOB GUID used to pass all PEI measured FV info to DXE Driver.\r
117 # Include/Guid/MeasuredFvHob.h\r
118 gMeasuredFvHobGuid = { 0xb2360b42, 0x7173, 0x420a, { 0x86, 0x96, 0x46, 0xca, 0x6b, 0xab, 0x10, 0x60 }}\r
119\r
120 ## GUID used to "PhysicalPresence" variable and "PhysicalPresenceFlags" variable for TPM request and response.\r
121 # Include/Guid/PhysicalPresenceData.h\r
122 gEfiPhysicalPresenceGuid = { 0xf6499b1, 0xe9ad, 0x493d, { 0xb9, 0xc2, 0x2f, 0x90, 0x81, 0x5c, 0x6c, 0xbc }}\r
123 \r
124 ## GUID used to "Tcg2PhysicalPresence" variable and "Tcg2PhysicalPresenceFlags" variable for TPM2 request and response.\r
125 # Include/Guid/Tcg2PhysicalPresenceData.h\r
126 gEfiTcg2PhysicalPresenceGuid = { 0xaeb9c5c1, 0x94f1, 0x4d02, { 0xbf, 0xd9, 0x46, 0x2, 0xdb, 0x2d, 0x3c, 0x54 }}\r
127\r
128 ## GUID used for form browser, password credential and provider identifier.\r
129 # Include/Guid/PwdCredentialProviderHii.h\r
130 gPwdCredentialProviderGuid = { 0x78b9ec8b, 0xc000, 0x46c5, { 0xac, 0x93, 0x24, 0xa0, 0xc1, 0xbb, 0x0, 0xce }}\r
131\r
132 ## GUID used for form browser, USB credential and provider identifier.\r
133 # Include/Guid/UsbCredentialProviderHii.h\r
134 gUsbCredentialProviderGuid = { 0xd0849ed1, 0xa88c, 0x4ba6, { 0xb1, 0xd6, 0xab, 0x50, 0xe2, 0x80, 0xb7, 0xa9 }}\r
135\r
136 ## GUID used for FormSet guid and user profile variable.\r
137 # Include/Guid/UserIdentifyManagerHii.h\r
138 gUserIdentifyManagerGuid = { 0x3ccd3dd8, 0x8d45, 0x4fed, { 0x96, 0x2d, 0x2b, 0x38, 0xcd, 0x82, 0xb3, 0xc4 }}\r
139\r
140 ## GUID used for FormSet.\r
141 # Include/Guid/UserProfileManagerHii.h\r
142 gUserProfileManagerGuid = { 0xc35f272c, 0x97c2, 0x465a, { 0xa2, 0x16, 0x69, 0x6b, 0x66, 0x8a, 0x8c, 0xfe }}\r
143\r
144 ## GUID used for FormSet.\r
145 # Include/Guid/TcgConfigHii.h\r
146 gTcgConfigFormSetGuid = { 0xb0f901e4, 0xc424, 0x45de, { 0x90, 0x81, 0x95, 0xe2, 0xb, 0xde, 0x6f, 0xb5 }}\r
147 \r
148 ## GUID used for FormSet and config variable.\r
149 # Include/Guid/Tcg2ConfigHii.h\r
150 gTcg2ConfigFormSetGuid = {0x6339d487, 0x26ba, 0x424b, { 0x9a, 0x5d, 0x68, 0x7e, 0x25, 0xd7, 0x40, 0xbc }}\r
151 \r
152 ## GUID used for FormSet.\r
153 # Include/Guid/SecureBootConfigHii.h\r
154 gSecureBootConfigFormSetGuid = { 0x5daf50a5, 0xea81, 0x4de2, {0x8f, 0x9b, 0xca, 0xbd, 0xa9, 0xcf, 0x5c, 0x14}}\r
155\r
156 ## GUID used to "TrEEPhysicalPresence" variable and "TrEEPhysicalPresenceFlags" variable for TPM2 request and response.\r
157 # Include/Guid/TrEEPhysicalPresenceData.h\r
158 gEfiTrEEPhysicalPresenceGuid = { 0xf24643c2, 0xc622, 0x494e, { 0x8a, 0xd, 0x46, 0x32, 0x57, 0x9c, 0x2d, 0x5b }}\r
159\r
160 ## GUID value used for PcdTpmInstanceGuid to indicate TPM is disabled.\r
161 # Include/Guid/TpmInstance.h\r
162 gEfiTpmDeviceInstanceNoneGuid = { 0x00000000, 0x0000, 0x0000, { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } }\r
163 \r
164 ## GUID value used for PcdTpmInstanceGuid to indicate TPM 1.2 device is selected to support.\r
165 # Include/Guid/TpmInstance.h\r
166 gEfiTpmDeviceInstanceTpm12Guid = { 0x8b01e5b6, 0x4f19, 0x46e8, { 0xab, 0x93, 0x1c, 0x53, 0x67, 0x1b, 0x90, 0xcc } }\r
167 \r
168 ## GUID value used for PcdTpmInstanceGuid to indicate discrete TPM 2.0 device is selected to support.\r
169 # Include/Guid/TpmInstance.h\r
170 gEfiTpmDeviceInstanceTpm20DtpmGuid = { 0x286bf25a, 0xc2c3, 0x408c, { 0xb3, 0xb4, 0x25, 0xe6, 0x75, 0x8b, 0x73, 0x17 } }\r
171 \r
172 ## GUID used to select supported TPM instance from UI.\r
173 # Include/Guid/TpmInstance.h\r
174 gEfiTpmDeviceSelectedGuid = { 0x7f4158d3, 0x74d, 0x456d, { 0x8c, 0xb2, 0x1, 0xf9, 0xc8, 0xf7, 0x9d, 0xaa } }\r
175\r
176 ## GUID used for FormSet and config variable.\r
177 # Include/Guid/TrEEConfigHii.h\r
178 gTrEEConfigFormSetGuid = {0xc54b425f, 0xaa79, 0x48b4, { 0x98, 0x1f, 0x99, 0x8b, 0x3c, 0x4b, 0x64, 0x1c }}\r
179\r
180[Ppis]\r
181 ## The PPI GUID for that TPM physical presence should be locked.\r
182 # Include/Ppi/LockPhysicalPresence.h\r
183 gPeiLockPhysicalPresencePpiGuid = { 0xef9aefe5, 0x2bd3, 0x4031, { 0xaf, 0x7d, 0x5e, 0xfe, 0x5a, 0xbb, 0x9a, 0xd } }\r
184\r
185 ## The PPI GUID for that TPM is initialized.\r
186 # Include/Ppi/TpmInitialized.h\r
187 gPeiTpmInitializedPpiGuid = { 0xe9db0d58, 0xd48d, 0x47f6, { 0x9c, 0x6e, 0x6f, 0x40, 0xe8, 0x6c, 0x7b, 0x41 }}\r
188\r
189 ## The PPI GUID for that TPM initialization is done. TPM initialization may be success or fail.\r
190 # Include/Ppi/TpmInitialized.h\r
191 gPeiTpmInitializationDonePpiGuid = { 0xa030d115, 0x54dd, 0x447b, { 0x90, 0x64, 0xf2, 0x6, 0x88, 0x3d, 0x7c, 0xcc }}\r
192\r
193 ## Include/Ppi/FirmwareVolumeInfoMeasurementExcluded.h\r
194 gEfiPeiFirmwareVolumeInfoMeasurementExcludedPpiGuid = { 0x6e056ff9, 0xc695, 0x4364, { 0x9e, 0x2c, 0x61, 0x26, 0xf5, 0xce, 0xea, 0xae } }\r
195\r
196#\r
197# [Error.gEfiSecurityPkgTokenSpaceGuid]\r
198# 0x80000001 | Invalid value provided.\r
199# 0x80000002 | Reserved bits must be set to zero.\r
200# 0x80000003 | Incorrect progress or error code provided.\r
201#\r
202\r
203[PcdsFixedAtBuild, PcdsPatchableInModule]\r
204 ## Image verification policy for OptionRom. Only following values are valid:<BR><BR>\r
205 # NOTE: Do NOT use 0x5 and 0x2 since it violates the UEFI specification and has been removed.<BR>\r
206 # 0x00000000 Always trust the image.<BR>\r
207 # 0x00000001 Never trust the image.<BR>\r
208 # 0x00000002 Allow execution when there is security violation.<BR>\r
209 # 0x00000003 Defer execution when there is security violation.<BR>\r
210 # 0x00000004 Deny execution when there is security violation.<BR>\r
211 # 0x00000005 Query user when there is security violation.<BR>\r
212 # @Prompt Set policy for the image from OptionRom.\r
213 # @ValidRange 0x80000001 | 0x00000000 - 0x00000005\r
214 gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04|UINT32|0x00000001\r
215\r
216 ## Image verification policy for removable media which includes CD-ROM, Floppy, USB and network.\r
217 # Only following values are valid:<BR><BR>\r
218 # NOTE: Do NOT use 0x5 and 0x2 since it violates the UEFI specification and has been removed.<BR>\r
219 # 0x00000000 Always trust the image.<BR>\r
220 # 0x00000001 Never trust the image.<BR>\r
221 # 0x00000002 Allow execution when there is security violation.<BR>\r
222 # 0x00000003 Defer execution when there is security violation.<BR>\r
223 # 0x00000004 Deny execution when there is security violation.<BR>\r
224 # 0x00000005 Query user when there is security violation.<BR>\r
225 # @Prompt Set policy for the image from removable media.\r
226 # @ValidRange 0x80000001 | 0x00000000 - 0x00000005\r
227 gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04|UINT32|0x00000002\r
228\r
229 ## Image verification policy for fixed media which includes hard disk.\r
230 # Only following values are valid:<BR><BR>\r
231 # NOTE: Do NOT use 0x5 and 0x2 since it violates the UEFI specification and has been removed.<BR>\r
232 # 0x00000000 Always trust the image.<BR>\r
233 # 0x00000001 Never trust the image.<BR>\r
234 # 0x00000002 Allow execution when there is security violation.<BR>\r
235 # 0x00000003 Defer execution when there is security violation.<BR>\r
236 # 0x00000004 Deny execution when there is security violation.<BR>\r
237 # 0x00000005 Query user when there is security violation.<BR>\r
238 # @Prompt Set policy for the image from fixed media.\r
239 # @ValidRange 0x80000001 | 0x00000000 - 0x00000005 \r
240 gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04|UINT32|0x00000003\r
241\r
242 ## Defer Image Load policy settings. The policy is bitwise. \r
243 # If a bit is set, the image from corresponding device will be trusted when loading. Or \r
244 # the image will be deferred. The deferred image will be checked after user is identified.<BR><BR>\r
245 # BIT0 - Image from unknown device. <BR>\r
246 # BIT1 - Image from firmware volume.<BR>\r
247 # BIT2 - Image from OptionRom.<BR>\r
248 # BIT3 - Image from removable media which includes CD-ROM, Floppy, USB and network.<BR>\r
249 # BIT4 - Image from fixed media device which includes hard disk.<BR>\r
250 # @Prompt Set policy whether trust image before user identification.\r
251 # @ValidRange 0x80000002 | 0x00000000 - 0x0000001F \r
252 gEfiSecurityPkgTokenSpaceGuid.PcdDeferImageLoadPolicy|0x0000001F|UINT32|0x0000004\r
253\r
254 ## Null-terminated Unicode string of the file name that is the default name to save USB credential.\r
255 # The specified file should be saved at the root directory of USB storage disk.\r
256 # @Prompt File name to save credential.\r
257 gEfiSecurityPkgTokenSpaceGuid.PcdFixedUsbCredentialProviderTokenFileName|L"Token.bin"|VOID*|0x00000005\r
258\r
259 ## The size of Append variable buffer. This buffer is reserved for runtime use, OS can append data into one existing variable.\r
260 # Note: This PCD is not been used.\r
261 # @Prompt Max variable size for append operation.\r
262 gEfiSecurityPkgTokenSpaceGuid.PcdMaxAppendVariableSize|0x2000|UINT32|0x30000005 \r
263\r
264 ## Specifies the type of TCG platform that contains TPM chip.<BR><BR>\r
265 # If 0, TCG platform type is PC client.<BR>\r
266 # If 1, TCG platform type is PC server.<BR>\r
267 # @Prompt Select platform type.\r
268 # @ValidRange 0x80000001 | 0x00 - 0x1 \r
269 gEfiSecurityPkgTokenSpaceGuid.PcdTpmPlatformClass|0|UINT8|0x00000006\r
270 \r
271 ## Progress Code for TPM device subclass definitions.<BR><BR>\r
272 # EFI_PERIPHERAL_TPM = (EFI_PERIPHERAL | 0x000D0000) = 0x010D0000<BR>\r
273 # @Prompt Status Code for TPM device definitions\r
274 # @ValidList 0x80000003 | 0x010D0000\r
275 gEfiSecurityPkgTokenSpaceGuid.PcdStatusCodeSubClassTpmDevice|0x010D0000|UINT32|0x00000007\r
276\r
277[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]\r
278 ## Indicates the presence or absence of the platform operator during firmware booting.\r
279 # If platform operator is not physical presence during boot. TPM will be locked and the TPM commands \r
280 # that required operator physical presence can not run.<BR><BR>\r
281 # TRUE - The platform operator is physically present.<BR>\r
282 # FALSE - The platform operator is not physically present.<BR>\r
283 # @Prompt Physical presence of the platform operator.\r
284 gEfiSecurityPkgTokenSpaceGuid.PcdTpmPhysicalPresence|TRUE|BOOLEAN|0x00010001\r
285\r
286[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]\r
287 ## Indicates whether TPM physical presence is locked during platform initialization. \r
288 # Once it is locked, it can not be unlocked for TPM life time.<BR><BR>\r
289 # TRUE - Lock TPM physical presence asserting method.<BR>\r
290 # FALSE - Not lock TPM physical presence asserting method.<BR>\r
291 # @Prompt Lock TPM physical presence asserting method.\r
292 gEfiSecurityPkgTokenSpaceGuid.PcdPhysicalPresenceLifetimeLock|FALSE|BOOLEAN|0x00010003\r
293\r
294[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]\r
295 ## Indicates whether the platform supports the software method of asserting physical presence.<BR><BR>\r
296 # TRUE - Supports the software method of asserting physical presence.<BR>\r
297 # FALSE - Does not support the software method of asserting physical presence.<BR>\r
298 # @Prompt Enable software method of asserting physical presence.\r
299 gEfiSecurityPkgTokenSpaceGuid.PcdPhysicalPresenceCmdEnable|TRUE|BOOLEAN|0x00010004\r
300\r
301[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]\r
302 ## Indicates whether the platform supports the hardware method of asserting physical presence.<BR><BR>\r
303 # TRUE - Supports the hardware method of asserting physical presence.<BR>\r
304 # FALSE - Does not support the hardware method of asserting physical presence.<BR>\r
305 # @Prompt Enable hardware method of asserting physical presence.\r
306 gEfiSecurityPkgTokenSpaceGuid.PcdPhysicalPresenceHwEnable|TRUE|BOOLEAN|0x00010005\r
307\r
308[PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]\r
309 ## This PCD indicates if debugger exists. <BR><BR>\r
310 # TRUE - Firmware debugger exists.<BR>\r
311 # FALSE - Firmware debugger doesn't exist.<BR>\r
312 # @Prompt Firmware debugger status.\r
313 gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized|FALSE|BOOLEAN|0x00010009\r
314\r
315 ## This PCD indicates the initialization policy for TPM 2.0.<BR><BR>\r
316 # If 0, no initialization needed - most likely used for chipset SRTM solution, in which TPM is already initialized.<BR>\r
317 # If 1, initialization needed.<BR>\r
318 # @Prompt TPM 2.0 device initialization policy.<BR>\r
319 # @ValidRange 0x80000001 | 0x00 - 0x1 \r
320 gEfiSecurityPkgTokenSpaceGuid.PcdTpm2InitializationPolicy|1|UINT8|0x0001000A\r
321\r
322 ## This PCD indicates the initialization policy for TPM 1.2.<BR><BR>\r
323 # If 0, no initialization needed - most likely used for chipset SRTM solution, in which TPM is already initialized.<BR>\r
324 # If 1, initialization needed.<BR>\r
325 # @Prompt TPM 1.2 device initialization policy.\r
326 # @ValidRange 0x80000001 | 0x00 - 0x1 \r
327 gEfiSecurityPkgTokenSpaceGuid.PcdTpmInitializationPolicy|1|UINT8|0x0001000B\r
328\r
329 ## This PCD indicates the TPM 2.0 SelfTest policy.<BR><BR>\r
330 # if 0, no SelfTest needed - most likely used for fTPM, because it might already be tested.<BR>\r
331 # if 1, SelfTest needed.<BR>\r
332 # @Prompt TPM 2.0 device selftest.\r
333 # @ValidRange 0x80000001 | 0x00 - 0x1 \r
334 gEfiSecurityPkgTokenSpaceGuid.PcdTpm2SelfTestPolicy|1|UINT8|0x0001000C\r
335\r
336 ## This PCD indicates Static Core Root of Trust for Measurement (SCRTM) policy using TPM 2.0.<BR><BR>\r
337 # if 0, no SCRTM measurement needed - In this case, it is already done.<BR>\r
338 # if 1, SCRTM measurement done by BIOS.<BR>\r
339 # @Prompt SCRTM policy setting for TPM 2.0 device.\r
340 # @ValidRange 0x80000001 | 0x00 - 0x1 \r
341 gEfiSecurityPkgTokenSpaceGuid.PcdTpm2ScrtmPolicy|1|UINT8|0x0001000D\r
342\r
343 ## This PCD indicates Static Core Root of Trust for Measurement (SCRTM) policy using TPM 1.2.<BR><BR>\r
344 # if 0, no SCRTM measurement needed - In this case, it is already done.<BR>\r
345 # if 1, SCRTM measurement done by BIOS.<BR>\r
346 # @Prompt SCRTM policy setting for TPM 1.2 device\r
347 # @ValidRange 0x80000001 | 0x00 - 0x1 \r
348 gEfiSecurityPkgTokenSpaceGuid.PcdTpmScrtmPolicy|1|UINT8|0x0001000E\r
349\r
350 ## Guid name to identify TPM instance.<BR><BR>\r
351 # TPM_DEVICE_INTERFACE_NONE means disable.<BR>\r
352 # TPM_DEVICE_INTERFACE_TPM12 means TPM 1.2 DTPM.<BR>\r
353 # TPM_DEVICE_INTERFACE_DTPM2 means TPM 2.0 DTPM.<BR>\r
354 # Other GUID value means other TPM 2.0 device.<BR>\r
355 # @Prompt TPM device type identifier\r
356 gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid |{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }|VOID*|0x0001000F\r
357\r
358 ## This PCD indicates if BIOS auto detect TPM1.2 or dTPM2.0.<BR><BR>\r
359 # FALSE - No auto detection.<BR>\r
360 # TRUE - Auto detection.<BR>\r
361 # @Prompt TPM type detection.\r
362 gEfiSecurityPkgTokenSpaceGuid.PcdTpmAutoDetection|TRUE|BOOLEAN|0x00010011\r
363\r
364 ## This PCD indicates TPM base address.<BR><BR>\r
365 # @Prompt TPM device address.\r
366 gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress|0xFED40000|UINT64|0x00010012\r
367\r
368 ## This PCR means the OEM configurated number of PCR banks.\r
369 # 0 means dynamic get from supported HASH algorithm\r
370 gEfiSecurityPkgTokenSpaceGuid.PcdTcg2NumberOfPCRBanks|0x0|UINT32|0x00010015\r
371 \r
372 ## Provides one or more SHA 256 Hashes of the RSA 2048 public keys used to verify Recovery and Capsule Update images\r
373 #\r
374 # @Prompt One or more SHA 256 Hashes of RSA 2048 bit public keys used to verify Recovery and Capsule Update images\r
375 #\r
376 gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer|{0x91, 0x29, 0xc4, 0xbd, 0xea, 0x6d, 0xda, 0xb3, 0xaa, 0x6f, 0x50, 0x16, 0xfc, 0xdb, 0x4b, 0x7e, 0x3c, 0xd6, 0xdc, 0xa4, 0x7a, 0x0e, 0xdd, 0xe6, 0x15, 0x8c, 0x73, 0x96, 0xa2, 0xd4, 0xa6, 0x4d}|VOID*|0x00010013\r
377\r
378[PcdsDynamic, PcdsDynamicEx]\r
379\r
380 ## This PCD indicates Hash mask for TPM 2.0.<BR><BR>\r
381 # If this bit is set, that means this algorithm is needed to extend to PCR.<BR>\r
382 # If this bit is clear, that means this algorithm is NOT needed to extend to PCR.<BR>\r
383 # BIT0 - SHA1.<BR>\r
384 # BIT1 - SHA256.<BR>\r
385 # BIT2 - SHA384.<BR>\r
386 # BIT3 - SHA512.<BR>\r
387 # @Prompt Hash mask for TPM 2.0\r
388 # @ValidRange 0x80000001 | 0x00000000 - 0x0000000F \r
389 gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0x0000000F|UINT32|0x00010010\r
390\r
391 ## This PCD indicated final BIOS supported Hash mask.\r
392 # Bios may choose to register a subset of PcdTpm2HashMask.\r
393 # So this PCD is final value of how many hash algo is extended to PCR.\r
394 gEfiSecurityPkgTokenSpaceGuid.PcdTcg2HashAlgorithmBitmap|0xFFFFFFFF|UINT32|0x00010016\r
395 \r
396[UserExtensions.TianoCore."ExtraFiles"]\r
397 SecurityPkgExtra.uni\r
EFI Development Kit II mirror for PVE