2 Public API for Opal Core library.
4 Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
5 This program and the accompanying materials
6 are licensed and made available under the terms and conditions of the BSD License
7 which accompanies this distribution. The full text of the license may be found at
8 http://opensource.org/licenses/bsd-license.php
10 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
11 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
18 #include <IndustryStandard/TcgStorageOpal.h>
20 #include <Library/TcgStorageCoreLib.h>
21 #include <Protocol/StorageSecurityCommand.h>
27 // Opal SSC 1 support (0 - not supported, 1 - supported)
32 // Opal SSC 2support (0 - not supported, 1 - supported)
37 // Opal SSC Lite support (0 - not supported, 1 - supported)
39 UINT32 OpalSscLite
: 1;
42 // Pyrite SSC support (0 - not supported, 1 - supported)
47 // Security protocol 1 support (0 - not supported, 1 - supported)
52 // Security protocol 2 support (0 - not supported, 1 - supported)
57 // Security protocol IEEE1667 support (0 - not supported, 1 - supported)
59 UINT32 SpIeee1667
: 1;
62 // Media encryption supported (0 - not supported, 1 - supported)
64 UINT32 MediaEncryption
: 1;
67 // Initial C_PIN_SID PIN Indicator
68 // 0 - The initial C_PIN_SID PIN value is NOT equal to the C_PIN_MSID PIN value
69 // 1 - The initial C_PIN_SID PIN value is equal to the C_PIN_MSID PIN value
71 UINT32 InitCpinIndicator
: 1;
74 // Behavior of C_PIN_SID PIN upon TPer Revert
75 // 0 - The initial C_PIN_SID PIN value is NOT equal to the C_PIN_MSID PIN value
76 // 1 - The initial C_PIN_SID PIN value is equal to the C_PIN_MSID PIN value
78 UINT32 CpinUponRevert
: 1;
79 } OPAL_DISK_SUPPORT_ATTRIBUTE
;
82 // Opal device ownership type
83 // The type indicates who was the determined owner of the device.
87 // Represents the device ownership is unknown because starting a session as the SID authority with the ADMIN SP
88 //was unsuccessful with the provided PIN
93 // Represents that the ADMIN SP SID authority contains the same PIN as the MSID PIN
99 // Structure that is used to represent an Opal session.
100 // The structure must be initialized by calling OpalStartSession before being used as a parameter
101 // for any other Opal function.
102 // This structure should NOT be directly modified by the client of this library.
106 UINT32 HostSessionId
;
107 UINT32 TperSessionId
;
108 UINT16 ComIdExtension
;
110 UINT16 OpalBaseComId
;
112 EFI_STORAGE_SECURITY_COMMAND_PROTOCOL
*Sscp
;
119 The function fills in the provided Buffer with the supported protocol list
120 of the device specified.
122 @param[in] Session OPAL_SESSION data.
123 @param[in] BufferSize Size of Buffer provided (in bytes)
124 @param[in] BuffAddress Buffer address to fill with security protocol list
129 OpalRetrieveSupportedProtocolList(
130 OPAL_SESSION
*Session
,
137 The function fills in the provided Buffer with the level 0 discovery Header
138 of the device specified.
140 @param[in] Session OPAL_SESSION data.
141 @param[in] BufferSize Size of Buffer provided (in bytes)
142 @param[in] BuffAddress Buffer address to fill with Level 0 Discovery response
147 OpalRetrieveLevel0DiscoveryHeader(
148 OPAL_SESSION
*Session
,
154 Starts a session with a security provider (SP).
156 If a session is started successfully, the caller must end the session with OpalEndSession when finished
157 performing Opal actions.
159 @param[in/out] Session OPAL_SESSION to initialize.
160 @param[in] SpId Security provider ID to start the session with.
161 @param[in] Write Whether the session should be read-only (FALSE) or read/write (TRUE).
162 @param[in] HostChallengeLength Length of the host challenge. Length should be 0 if hostChallenge is NULL
163 @param[in] HostChallenge Host challenge for Host Signing Authority. If NULL, then no Host Challenge will be sent.
164 @param[in] HostSigningAuthority Host Signing Authority used for start session. If NULL, then no Host Signing Authority will be sent.
165 @param[in/out] MethodStatus Status of the StartSession method; only valid if TcgResultSuccess is returned.
167 @return TcgResultSuccess indicates that the function completed without any internal errors.
168 The caller must inspect the MethodStatus field to determine whether the method completed successfully.
174 OPAL_SESSION
*Session
,
177 UINT32 HostChallengeLength
,
178 const VOID
*HostChallenge
,
179 TCG_UID HostSigningAuthority
,
184 Close a session opened with OpalStartSession.
186 @param[in/out] Session OPAL_SESSION to end.
192 OPAL_SESSION
*Session
197 Reverts device using Admin SP Revert method.
199 @param[in] AdminSpSession OPAL_SESSION with OPAL_UID_ADMIN_SP as OPAL_ADMIN_SP_PSID_AUTHORITY to perform PSID revert.
205 OPAL_SESSION
*AdminSpSession
211 The function retrieves the MSID from the device specified
213 @param[in] AdminSpSession OPAL_SESSION with OPAL_UID_ADMIN_SP as OPAL_ADMIN_SP_PSID_AUTHORITY to perform PSID revert.
214 @param[in] MsidBufferSize Allocated buffer size (in bytes) for MSID allocated by caller
215 @param[in] Msid Variable length byte sequence representing MSID of device
216 @param[in] MsidLength Actual length of MSID retrieved from device
222 OPAL_SESSION
*AdminSpSession
,
223 UINT32 MsidBufferSize
,
230 The function activates the Locking SP.
231 Once activated, per Opal spec, the ADMIN SP SID PIN is copied over to the ADMIN1 LOCKING SP PIN.
232 If the Locking SP is already enabled, then TcgResultSuccess is returned and no action occurs.
234 @param[in] AdminSpSession OPAL_SESSION with OPAL_UID_ADMIN_SP as OPAL_ADMIN_SP_SID_AUTHORITY to activate Locking SP
235 @param[in/out] MethodStatus Method status of last action performed. If action succeeded, it should be TCG_METHOD_STATUS_CODE_SUCCESS.
240 OpalActivateLockingSp(
241 OPAL_SESSION
*AdminSpSession
,
248 The function sets the PIN column of the specified cpinRowUid (authority) with the newPin value.
250 @param[in/out] Session OPAL_SESSION to set password
251 @param[in] CpinRowUid UID of row (authority) to update PIN column
252 @param[in] NewPin New Pin to set for cpinRowUid specified
253 @param[in] NewPinLength Length in bytes of newPin
254 @param[in/out] MethodStatus Method status of last action performed. If action succeeded, it should be TCG_METHOD_STATUS_CODE_SUCCESS.
260 OPAL_SESSION
*Session
,
269 The function retrieves the active key of the global locking range
270 and calls the GenKey method on the active key retrieved.
272 @param[in] LockingSpSession OPAL_SESSION with OPAL_UID_LOCKING_SP to generate key
273 @param[in/out] MethodStatus Method status of last action performed. If action succeeded, it should be TCG_METHOD_STATUS_CODE_SUCCESS.
278 OpalGlobalLockingRangeGenKey(
279 OPAL_SESSION
*LockingSpSession
,
286 The function updates the ReadLocked and WriteLocked columns of the Global Locking Range.
287 This funciton is required for a user1 authority, since a user1 authority shall only have access to ReadLocked and WriteLocked columns
288 (not ReadLockEnabled and WriteLockEnabled columns).
290 @param[in] LockingSpSession OPAL_SESSION with OPAL_UID_LOCKING_SP to generate key
291 @param[in] ReadLocked Value to set ReadLocked column for Global Locking Range
292 @param[in] WriteLocked Value to set WriteLocked column for Global Locking Range
293 @param[in/out] MethodStatus Method status of last action performed. If action succeeded, it should be TCG_METHOD_STATUS_CODE_SUCCESS.
298 OpalUpdateGlobalLockingRange(
299 OPAL_SESSION
*LockingSpSession
,
308 The function updates the RangeStart, RangeLength, ReadLockedEnabled, WriteLockedEnabled, ReadLocked and WriteLocked columns
309 of the specified Locking Range. This function requires admin authority of a locking SP session.
311 @param[in] LockingSpSession OPAL_SESSION with OPAL_UID_LOCKING_SP to generate key
312 @param[in] LockingRangeUid Locking range UID to set values
313 @param[in] RangeStart Value to set RangeStart column for Locking Range
314 @param[in] RangeLength Value to set RangeLength column for Locking Range
315 @param[in] ReadLockEnabled Value to set readLockEnabled column for Locking Range
316 @param[in] WriteLockEnabled Value to set writeLockEnabled column for Locking Range
317 @param[in] ReadLocked Value to set ReadLocked column for Locking Range
318 @param[in] WriteLocked Value to set WriteLocked column for Locking Range
319 @param[in/out] MethodStatus Method status of last action performed. If action succeeded, it should be TCG_METHOD_STATUS_CODE_SUCCESS.
325 OPAL_SESSION
*LockingSpSession
,
326 TCG_UID LockingRangeUid
,
329 BOOLEAN ReadLockEnabled
,
330 BOOLEAN WriteLockEnabled
,
338 The function sets the Enabled column to TRUE for the authorityUid provided and updates the PIN column for the cpinRowUid provided
339 using the newPin provided. AuthorityUid and cpinRowUid should describe the same authority.
341 @param[in] LockingSpSession OPAL_SESSION with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_ADMIN1_AUTHORITY to update
342 @param[in] CpinRowUid Row UID of C_PIN table of Locking SP to update PIN
343 @param[in] AuthorityUid UID of Locking SP authority to update Pin column with
344 @param[in] NewPin New Password used to set Pin column
345 @param[in] NewPinLength Length in bytes of new password
346 @param[in/out] MethodStatus Method status of last action performed. If action succeeded, it should be TCG_METHOD_STATUS_CODE_SUCCESS.
351 OpalSetLockingSpAuthorityEnabledAndPin(
352 OPAL_SESSION
*LockingSpSession
,
354 TCG_UID AuthorityUid
,
363 The function sets the Enabled column to FALSE for the USER1 authority.
365 @param[in] LockingSpSession OPAL_SESSION with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_ADMIN1_AUTHORITY to disable User1
366 @param[in/out] MethodStatus Method status of last action performed. If action succeeded, it should be TCG_METHOD_STATUS_CODE_SUCCESS.
372 OPAL_SESSION
*LockingSpSession
,
379 The function calls the Admin SP RevertSP method on the Locking SP. If KeepUserData is True, then the optional parameter
380 to keep the user data is set to True, otherwise the optional parameter is not provided.
382 @param[in] LockingSpSession OPAL_SESSION with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_ADMIN1_AUTHORITY to revertSP
383 @param[in] KeepUserData Specifies whether or not to keep user data when performing RevertSP action. True = keeps user data.
384 @param[in/out] MethodStatus Method status of last action performed. If action succeeded, it should be TCG_METHOD_STATUS_CODE_SUCCESS.
390 OPAL_SESSION
*LockingSpSession
,
391 BOOLEAN KeepUserData
,
398 The function retrieves the TryLimit column for the specified rowUid (authority).
400 @param[in] LockingSpSession OPAL_SESSION with OPAL_UID_LOCKING_SP to retrieve try limit
401 @param[in] RowUid Row UID of the Locking SP C_PIN table to retrieve TryLimit column
402 @param[in/out] TryLimit Value from TryLimit column
408 OPAL_SESSION
*LockingSpSession
,
416 The function populates the CreateStruct with a payload that will retrieve the global locking range active key.
417 It is intended to be called with a session that is already started with a valid credential.
418 The function does not send the payload.
420 @param[in] Session OPAL_SESSION to populate command for, needs comId
421 @param[in/out] CreateStruct Structure to populate with encoded TCG command
422 @param[in/out] Size Size in bytes of the command created.
427 OpalCreateRetrieveGlobalLockingRangeActiveKey(
428 const OPAL_SESSION
*Session
,
429 TCG_CREATE_STRUCT
*CreateStruct
,
436 The function acquires the activeKey specified for the Global Locking Range from the parseStruct.
438 @param[in] ParseStruct Structure that contains the device's response with the activekey
439 @param[in/out] ActiveKey The UID of the active key retrieved
444 OpalParseRetrieveGlobalLockingRangeActiveKey(
445 TCG_PARSE_STRUCT
*ParseStruct
,
451 Get the support attribute info.
453 @param[in] Session OPAL_SESSION with OPAL_UID_LOCKING_SP to retrieve info.
454 @param[in/out] LockingFeature Return the Locking info.
460 OPAL_SESSION
*Session
,
461 TCG_LOCKING_FEATURE_DESCRIPTOR
*LockingFeature
466 The function determines whether or not all of the requirements for the Opal Feature (not full specification)
467 are met by the specified device.
469 @param[in] SupportedAttributes Opal device attribute.
474 OpalFeatureSupported(
475 OPAL_DISK_SUPPORT_ATTRIBUTE
*SupportedAttributes
480 The function returns whether or not the device is Opal Enabled.
481 TRUE means that the device is partially or fully locked.
482 This will perform a Level 0 Discovery and parse the locking feature descriptor
484 @param[in] SupportedAttributes Opal device attribute.
485 @param[in] LockingFeature Opal device locking status.
492 OPAL_DISK_SUPPORT_ATTRIBUTE
*SupportedAttributes
,
493 TCG_LOCKING_FEATURE_DESCRIPTOR
*LockingFeature
498 The function returns whether or not the device is Opal Locked.
499 TRUE means that the device is partially or fully locked.
500 This will perform a Level 0 Discovery and parse the locking feature descriptor
502 @param[in] SupportedAttributes Opal device attribute.
503 @param[in] LockingFeature Opal device locking status.
508 OPAL_DISK_SUPPORT_ATTRIBUTE
*SupportedAttributes
,
509 TCG_LOCKING_FEATURE_DESCRIPTOR
*LockingFeature
513 Trig the block sid action.
515 @param[in] Session OPAL_SESSION to populate command for, needs comId
516 @param[in] HardwareReset Whether need to do hardware reset.
522 OPAL_SESSION
*Session
,
523 BOOLEAN HardwareReset
528 Get the support attribute info.
530 @param[in] Session OPAL_SESSION with OPAL_UID_LOCKING_SP to retrieve info.
531 @param[in/out] SupportedAttributes Return the support attribute info.
532 @param[out] OpalBaseComId Return the base com id info.
537 OpalGetSupportedAttributesInfo(
538 OPAL_SESSION
*Session
,
539 OPAL_DISK_SUPPORT_ATTRIBUTE
*SupportedAttributes
,
540 UINT16
*OpalBaseComId
544 Creates a session with OPAL_UID_ADMIN_SP as OPAL_ADMIN_SP_PSID_AUTHORITY, then reverts device using Admin SP Revert method.
546 @param[in] AdminSpSession OPAL_SESSION to populate command for, needs comId
547 @param[in] Psid PSID of device to revert.
548 @param[in] PsidLength Length of PSID in bytes.
554 OPAL_SESSION
*AdminSpSession
,
560 Opens a session with OPAL_UID_ADMIN_SP as OPAL_ADMIN_SP_SID_AUTHORITY,
561 sets the OPAL_UID_ADMIN_SP_C_PIN_SID column with the new password,
562 and activates the locking SP to copy SID PIN to Admin1 Locking SP PIN.
564 @param[in] AdminSpSession OPAL_SESSION to populate command for, needs comId
565 @param[in] GeneratedSid Generated SID of disk
566 @param[in] SidLength Length of generatedSid in bytes
567 @param[in] Password New admin password to set
568 @param[in] PassLength Length of password in bytes
573 OpalUtilSetAdminPasswordAsSid(
574 OPAL_SESSION
*AdminSpSession
,
575 const VOID
*GeneratedSid
,
577 const VOID
*Password
,
583 Opens a session with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_ADMIN1_AUTHORITY,
584 and updates the specified locking range with the provided column values.
586 @param[in] LockingSpSession OPAL_SESSION to populate command for, needs comId
587 @param[in] Password New admin password to set
588 @param[in] PassLength Length of password in bytes
589 @param[in] LockingRangeUid Locking range UID to set values
590 @param[in] RangeStart Value to set RangeStart column for Locking Range
591 @param[in] RangeLength Value to set RangeLength column for Locking Range
592 @param[in] ReadLockEnabled Value to set readLockEnabled column for Locking Range
593 @param[in] WriteLockEnabled Value to set writeLockEnabled column for Locking Range
594 @param[in] ReadLocked Value to set ReadLocked column for Locking Range
595 @param[in] WriteLocked Value to set WriteLocked column for Locking Range
600 OpalUtilSetOpalLockingRange(
601 OPAL_SESSION
*LockingSpSession
,
602 const VOID
*Password
,
604 TCG_UID LockingRangeUid
,
607 BOOLEAN ReadLockEnabled
,
608 BOOLEAN WriteLockEnabled
,
614 Opens a session with OPAL_UID_ADMIN_SP as OPAL_ADMIN_SP_SID_AUTHORITY,
615 sets OPAL_UID_ADMIN_SP_C_PIN_SID with the new password,
616 and sets OPAL_LOCKING_SP_C_PIN_ADMIN1 with the new password.
618 @param[in] AdminSpSession OPAL_SESSION to populate command for, needs comId
619 @param[in] OldPassword Current admin password
620 @param[in] OldPasswordLength Length of current admin password in bytes
621 @param[in] NewPassword New admin password to set
622 @param[in] NewPasswordLength Length of new password in bytes
627 OpalUtilSetAdminPassword(
628 OPAL_SESSION
*AdminSpSession
,
629 const VOID
*OldPassword
,
630 UINT32 OldPasswordLength
,
631 const VOID
*NewPassword
,
632 UINT32 NewPasswordLength
636 Starts a session with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_USER1_AUTHORITY or OPAL_LOCKING_SP_ADMIN1_AUTHORITY
637 and sets the User1 SP authority to enabled and sets the User1 password.
639 @param[in] LockingSpSession OPAL_SESSION to populate command for, needs comId
640 @param[in] OldPassword Current admin password
641 @param[in] OldPasswordLength Length of current admin password in bytes
642 @param[in] NewPassword New admin password to set
643 @param[in] NewPasswordLength Length of new password in bytes
648 OpalUtilSetUserPassword(
649 OPAL_SESSION
*LockingSpSession
,
650 const VOID
*OldPassword
,
651 UINT32 OldPasswordLength
,
652 const VOID
*NewPassword
,
653 UINT32 NewPasswordLength
657 Verify whether user input the correct password.
659 @param[in] LockingSpSession OPAL_SESSION to populate command for, needs comId
660 @param[in] Password Admin password
661 @param[in] PasswordLength Length of password in bytes
662 @param[in/out] HostSigningAuthority Use the Host signing authority type.
667 OpalUtilVerifyPassword (
668 OPAL_SESSION
*LockingSpSession
,
669 const VOID
*Password
,
670 UINT32 PasswordLength
,
671 TCG_UID HostSigningAuthority
675 Starts a session with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_USER1_AUTHORITY or OPAL_LOCKING_SP_ADMIN1_AUTHORITY
676 and generates a new global locking range key to erase the Data.
678 @param[in] LockingSpSession OPAL_SESSION to populate command for, needs comId
679 @param[in] Password Admin or user password
680 @param[in] PasswordLength Length of password in bytes
681 @param[in/out] PasswordFailed indicates if password failed (start session didn't work)
687 OPAL_SESSION
*LockingSpSession
,
688 const VOID
*Password
,
689 UINT32 PasswordLength
,
690 BOOLEAN
*PasswordFailed
694 Starts a session with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_ADMIN1_AUTHORITY and disables the User1 authority.
696 @param[in] LockingSpSession OPAL_SESSION to populate command for, needs comId
697 @param[in] Password Admin password
698 @param[in] PasswordLength Length of password in bytes
699 @param[in/out] PasswordFailed indicates if password failed (start session didn't work)
705 OPAL_SESSION
*LockingSpSession
,
706 const VOID
*Password
,
707 UINT32 PasswordLength
,
708 BOOLEAN
*PasswordFailed
712 Opens a session with OPAL_UID_ADMIN_SP as OPAL_ADMIN_SP_PSID_AUTHORITY, then reverts the device using the RevertSP method.
714 @param[in] LockingSpSession OPAL_SESSION to populate command for, needs comId
715 @param[in] KeepUserData TRUE to keep existing Data on the disk, or FALSE to erase it
716 @param[in] Password Admin password
717 @param[in] PasswordLength Length of password in bytes
718 @param[in/out] PasswordFailed indicates if password failed (start session didn't work)
719 @param[in] Msid Input Msid info.
720 @param[in] MsidLength Input Msid info length.
726 OPAL_SESSION
*LockingSpSession
,
727 BOOLEAN KeepUserData
,
728 const VOID
*Password
,
729 UINT32 PasswordLength
,
730 BOOLEAN
*PasswordFailed
,
736 After revert success, set SID to MSID.
738 @param[in] AdminSpSession OPAL_SESSION to populate command for, needs comId
739 @param Password, Input password info.
740 @param PasswordLength, Input password length.
741 @param[in] Msid Input Msid info.
742 @param[in] MsidLength Input Msid info length.
747 OpalUtilSetSIDtoMSID (
748 OPAL_SESSION
*AdminSpSession
,
749 const VOID
*Password
,
750 UINT32 PasswordLength
,
756 Update global locking range.
758 @param[in] LockingSpSession OPAL_SESSION to populate command for, needs comId
759 @param Password, Input password info.
760 @param PasswordLength, Input password length.
761 @param ReadLocked, Read lock info.
762 @param WriteLocked write lock info.
767 OpalUtilUpdateGlobalLockingRange(
768 OPAL_SESSION
*LockingSpSession
,
769 const VOID
*Password
,
770 UINT32 PasswordLength
,
776 Update global locking range.
778 @param Session, The session info for one opal device.
779 @param Msid, The data buffer to save Msid info.
780 @param MsidBufferLength, The data buffer length for Msid.
781 @param MsidLength, The actual data length for Msid.
787 OPAL_SESSION
*Session
,
789 UINT32 MsidBufferLength
,
795 The function determines who owns the device by attempting to start a session with different credentials.
796 If the SID PIN matches the MSID PIN, the no one owns the device.
797 If the SID PIN matches the ourSidPin, then "Us" owns the device. Otherwise it is unknown.
800 @param[in] Session The session info for one opal device.
801 @param Msid, The Msid info.
802 @param MsidLength, The data length for Msid.
807 OpalUtilDetermineOwnership(
808 OPAL_SESSION
*Session
,
815 The function returns if admin password exists.
817 @param[in] OwnerShip The owner ship of the opal device.
818 @param[in] LockingFeature The locking info of the opal device.
820 @retval TRUE Admin password existed.
821 @retval FALSE Admin password not existed.
826 OpalUtilAdminPasswordExists(
828 IN TCG_LOCKING_FEATURE_DESCRIPTOR
*LockingFeature
831 #endif // _OPAL_CORE_H_