3 Execute pending TPM requests from OS or BIOS and Lock TPM.
5 Caution: This module requires additional review when modified.
6 This driver consumes external input: the physical presence variable.
7 This external input must be validated carefully to avoid security issues.
9 ExecutePendingTpmRequest() will receive untrusted input and do validation.
11 Copyright (c) 2006 - 2013, Intel Corporation. All rights reserved.<BR>
12 This program and the accompanying materials
13 are licensed and made available under the terms and conditions of the BSD License
14 which accompanies this distribution. The full text of the license may be found at
15 http://opensource.org/licenses/bsd-license.php
17 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
18 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
24 #include <Protocol/TcgService.h>
25 #include <Library/DebugLib.h>
26 #include <Library/BaseMemoryLib.h>
27 #include <Library/UefiRuntimeServicesTableLib.h>
28 #include <Library/UefiDriverEntryPoint.h>
29 #include <Library/UefiBootServicesTableLib.h>
30 #include <Library/UefiLib.h>
31 #include <Library/MemoryAllocationLib.h>
32 #include <Library/PrintLib.h>
33 #include <Library/HiiLib.h>
34 #include <Guid/EventGroup.h>
35 #include <Guid/PhysicalPresenceData.h>
// Result codes generated by this library itself rather than by the TPM: negative
// values cast to TPM_RESULT. They are stored in PPResponse further down in this file.
37 #define TPM_PP_USER_ABORT ((TPM_RESULT)(-0x10))
38 #define TPM_PP_BIOS_FAILURE ((TPM_RESULT)(-0x0f))
// Size of the confirmation-text buffer. It is handed to AllocateZeroPool() as a byte
// count, so the capacity in CHAR16 characters is CONFIRM_BUFFER_SIZE / sizeof (CHAR16).
39 #define CONFIRM_BUFFER_SIZE 4096
// HII handle of this library's string package: assigned by the library constructor,
// read by PhysicalPresenceGetStringById().
41 EFI_HII_HANDLE mPpStringPackHandle
;
44 Get string by string id from HII Interface.
46 @param[in] Id String ID.
48 @retval CHAR16 * String from ID.
49 @retval NULL If error occurs.
// Looks up string Id in this library's HII string package (mPpStringPackHandle) and
// returns whatever HiiGetString() returns; the third argument is passed as NULL.
// The header comment documents a NULL result on error, so every caller has to be
// prepared for NULL before using the string as a format string or concatenation source.
53 PhysicalPresenceGetStringById (
57 return HiiGetString (mPpStringPackHandle
, Id
, NULL
);
61 Get TPM physical presence permanent flags.
63 @param[in] TcgProtocol EFI TCG Protocol instance.
64 @param[out] LifetimeLock physicalPresenceLifetimeLock permanent flag.
65 @param[out] CmdEnable physicalPresenceCMDEnable permanent flag.
67 @retval EFI_SUCCESS Flags were returned successfully.
68 @retval other Failed to locate EFI TCG Protocol.
// GetTpmCapability (name taken from its call sites later in this file; the line
// carrying the name is not part of this listing).
// Builds a TPM_ORD_GetCapability request for TPM_CAP_FLAG / TPM_CAP_FLAG_PERMANENT,
// sends it through TcgProtocol->PassThroughToTpm and copies two permanent flags out
// of the response. Either output pointer may be NULL, in which case it is skipped.
73 IN EFI_TCG_PROTOCOL
*TcgProtocol
,
74 OUT BOOLEAN
*LifetimeLock
,
75 OUT BOOLEAN
*CmdEnable
79 TPM_RQU_COMMAND_HDR
*TpmRqu
;
80 TPM_RSP_COMMAND_HDR
*TpmRsp
;
// Request = command header followed by three 32-bit parameters.
82 UINT8 SendBuffer
[sizeof (*TpmRqu
) + sizeof (UINT32
) * 3];
83 TPM_PERMANENT_FLAGS
*TpmPermanentFlags
;
87 // Fill request header
// Both headers are overlaid on local byte buffers. RecvBuffer's declaration (and
// therefore its size) is on a line not shown in this listing.
89 TpmRsp
= (TPM_RSP_COMMAND_HDR
*)RecvBuffer
;
90 TpmRqu
= (TPM_RQU_COMMAND_HDR
*)SendBuffer
;
// Header fields are byte-swapped with SwapBytes16/32 before being placed on the wire.
92 TpmRqu
->tag
= SwapBytes16 (TPM_TAG_RQU_COMMAND
);
93 TpmRqu
->paramSize
= SwapBytes32 (sizeof (SendBuffer
));
94 TpmRqu
->ordinal
= SwapBytes32 (TPM_ORD_GetCapability
);
97 // Set request parameter
// Parameters are written with WriteUnaligned32 because the area after the header is
// addressed through a UINT32 pointer into a byte array.
99 SendBufPtr
= (UINT32
*)(TpmRqu
+ 1);
100 WriteUnaligned32 (SendBufPtr
++, SwapBytes32 (TPM_CAP_FLAG
));
101 WriteUnaligned32 (SendBufPtr
++, SwapBytes32 (sizeof (TPM_CAP_FLAG_PERMANENT
)));
102 WriteUnaligned32 (SendBufPtr
, SwapBytes32 (TPM_CAP_FLAG_PERMANENT
));
104 Status
= TcgProtocol
->PassThroughToTpm (
// NOTE(review): the transport status, the response tag and the TPM return code are
// checked only through ASSERT macros. Where the platform's DebugLib configuration
// compiles ASSERT out (common for release firmware - confirm for the target build),
// a failed or malformed response is still parsed below and the flag values returned
// to the caller come from an unvalidated buffer. Explicit checks that return an
// error status would make the lock/enable decision in the caller trustworthy.
111 ASSERT_EFI_ERROR (Status
);
112 ASSERT (TpmRsp
->tag
== SwapBytes16 (TPM_TAG_RSP_COMMAND
));
113 ASSERT (TpmRsp
->returnCode
== 0);
// The flags structure is read at a fixed offset: response header plus one UINT32.
// NOTE(review): no check is visible that the response (or RecvBuffer itself) is long
// enough to contain a full TPM_PERMANENT_FLAGS at that offset - confirm.
115 TpmPermanentFlags
= (TPM_PERMANENT_FLAGS
*)&RecvBuffer
[sizeof (TPM_RSP_COMMAND_HDR
) + sizeof (UINT32
)];
117 if (LifetimeLock
!= NULL
) {
118 *LifetimeLock
= TpmPermanentFlags
->physicalPresenceLifetimeLock
;
121 if (CmdEnable
!= NULL
) {
122 *CmdEnable
= TpmPermanentFlags
->physicalPresenceCMDEnable
;
129 Issue TSC_PhysicalPresence command to TPM.
131 @param[in] TcgProtocol EFI TCG Protocol instance.
132 @param[in] PhysicalPresence The state to set the TPM's Physical Presence flags.
134 @retval EFI_SUCCESS TPM executed the command successfully.
135 @retval EFI_SECURITY_VIOLATION TPM returned error when executing the command.
136 @retval other Failed to locate EFI TCG Protocol.
// Sends TSC_ORD_PhysicalPresence with the 16-bit PhysicalPresence value as its only
// parameter. Later in this file it is used to enable the command, to assert physical
// presence, and to clear and lock it again.
// Returns EFI_SECURITY_VIOLATION when the TPM's return code is non-zero.
140 TpmPhysicalPresence (
141 IN EFI_TCG_PROTOCOL
*TcgProtocol
,
142 IN TPM_PHYSICAL_PRESENCE PhysicalPresence
146 TPM_RQU_COMMAND_HDR
*TpmRqu
;
147 TPM_PHYSICAL_PRESENCE
*TpmPp
;
// The response is received into a bare header structure, not a byte buffer.
148 TPM_RSP_COMMAND_HDR TpmRsp
;
// Request = command header immediately followed by the TPM_PHYSICAL_PRESENCE value.
149 UINT8 Buffer
[sizeof (*TpmRqu
) + sizeof (*TpmPp
)];
151 TpmRqu
= (TPM_RQU_COMMAND_HDR
*)Buffer
;
152 TpmPp
= (TPM_PHYSICAL_PRESENCE
*)(TpmRqu
+ 1);
154 TpmRqu
->tag
= SwapBytes16 (TPM_TAG_RQU_COMMAND
);
155 TpmRqu
->paramSize
= SwapBytes32 (sizeof (Buffer
));
156 TpmRqu
->ordinal
= SwapBytes32 (TSC_ORD_PhysicalPresence
);
157 WriteUnaligned16 (TpmPp
, (TPM_PHYSICAL_PRESENCE
) SwapBytes16 (PhysicalPresence
));
159 Status
= TcgProtocol
->PassThroughToTpm (
// NOTE(review): a transport failure and a wrong response tag are caught only by
// ASSERT. With ASSERT compiled out, TpmRsp has no visible initialiser, so the
// returnCode test below would read whatever is in that stack slot when the call
// failed, and a lock request could be reported as successful. Prefer an explicit
// EFI_ERROR (Status) / tag check that returns an error - confirm against the build.
166 ASSERT_EFI_ERROR (Status
);
167 ASSERT (TpmRsp
.tag
== SwapBytes16 (TPM_TAG_RSP_COMMAND
));
168 if (TpmRsp
.returnCode
!= 0) {
170 // If it fails, some requirements may be needed for this command.
172 return EFI_SECURITY_VIOLATION
;
179 Issue a TPM command for which no additional output data will be returned.
181 @param[in] TcgProtocol EFI TCG Protocol instance.
182 @param[in] Ordinal TPM command code.
183 @param[in] AdditionalParameterSize Additional parameter size.
184 @param[in] AdditionalParameters Pointer to the additional parameters.
186 @retval TPM_PP_BIOS_FAILURE Error occurred during sending command to TPM or
187 receiving response from TPM.
188 @retval Others Return code from the TPM device after command execution.
// Sends one TPM command consisting of the request header plus
// AdditionalParameterSize bytes copied from AdditionalParameters, and returns the
// TPM's return code (byte-swapped) or TPM_PP_BIOS_FAILURE when the request could not
// be allocated, the transport failed, or the response tag is wrong.
192 TpmCommandNoReturnData (
193 IN EFI_TCG_PROTOCOL
*TcgProtocol
,
194 IN TPM_COMMAND_CODE Ordinal
,
195 IN UINTN AdditionalParameterSize
,
196 IN VOID
*AdditionalParameters
200 TPM_RQU_COMMAND_HDR
*TpmRqu
;
201 TPM_RSP_COMMAND_HDR TpmRsp
;
// NOTE(review): the allocation size is a UINTN sum with no overflow check, and the
// same sum is narrowed to UINT32 for paramSize a few lines below. The callers in this
// file appear to pass small fixed sizes (their argument lines are not shown), so this
// is a hardening point rather than a demonstrated problem: reject
// AdditionalParameterSize values that would wrap or exceed MAX_UINT32 before allocating.
204 TpmRqu
= (TPM_RQU_COMMAND_HDR
*) AllocatePool (sizeof (*TpmRqu
) + AdditionalParameterSize
);
205 if (TpmRqu
== NULL
) {
206 return TPM_PP_BIOS_FAILURE
;
209 TpmRqu
->tag
= SwapBytes16 (TPM_TAG_RQU_COMMAND
);
210 Size
= (UINT32
)(sizeof (*TpmRqu
) + AdditionalParameterSize
);
211 TpmRqu
->paramSize
= SwapBytes32 (Size
);
212 TpmRqu
->ordinal
= SwapBytes32 (Ordinal
);
// The parameter bytes are copied verbatim; callers are responsible for byte order.
213 CopyMem (TpmRqu
+ 1, AdditionalParameters
, AdditionalParameterSize
);
215 Status
= TcgProtocol
->PassThroughToTpm (
// Only a bare response header is requested back - no output data is expected.
219 (UINT32
)sizeof (TpmRsp
),
// NOTE(review): the release of TpmRqu is not visible in this listing (lines are
// missing between the call and this check) - confirm it is freed on every path.
// Unlike the two helpers above, failures here are handled with a real branch and
// not with ASSERT.
223 if (EFI_ERROR (Status
) || (TpmRsp
.tag
!= SwapBytes16 (TPM_TAG_RSP_COMMAND
))) {
224 return TPM_PP_BIOS_FAILURE
;
226 return SwapBytes32 (TpmRsp
.returnCode
);
230 Execute physical presence operation requested by the OS.
232 @param[in] TcgProtocol EFI TCG Protocol instance.
233 @param[in] CommandCode Physical presence operation value.
234 @param[in, out] PpiFlags The physical presence interface flags.
236 @retval TPM_PP_BIOS_FAILURE Unknown physical presence operation.
237 @retval TPM_PP_BIOS_FAILURE Error occurred during sending command to TPM or
238 receiving response from TPM.
239 @retval Others Return code from the TPM device after command execution.
// Maps a physical presence operation code onto TPM commands.
// Simple operations issue one command through TpmCommandNoReturnData(); composite
// operations call this function recursively for each step; the SET_NO_PPI_* codes only
// edit *PpiFlags. Anything not listed ends in TPM_PP_BIOS_FAILURE.
// The argument lines of most TpmCommandNoReturnData() calls, and the statements that
// close each case, are not part of this listing.
243 ExecutePhysicalPresence (
244 IN EFI_TCG_PROTOCOL
*TcgProtocol
,
245 IN UINT8 CommandCode
,
246 IN OUT UINT8
*PpiFlags
250 TPM_RESULT TpmResponse
;
253 switch (CommandCode
) {
254 case PHYSICAL_PRESENCE_ENABLE
:
255 return TpmCommandNoReturnData (
257 TPM_ORD_PhysicalEnable
,
262 case PHYSICAL_PRESENCE_DISABLE
:
263 return TpmCommandNoReturnData (
265 TPM_ORD_PhysicalDisable
,
// ACTIVATE and DEACTIVATE use the same ordinal; the value that distinguishes them is
// set on lines not shown here.
270 case PHYSICAL_PRESENCE_ACTIVATE
:
272 return TpmCommandNoReturnData (
274 TPM_ORD_PhysicalSetDeactivated
,
279 case PHYSICAL_PRESENCE_DEACTIVATE
:
281 return TpmCommandNoReturnData (
283 TPM_ORD_PhysicalSetDeactivated
,
288 case PHYSICAL_PRESENCE_CLEAR
:
289 return TpmCommandNoReturnData (
// Composite operations: the second step runs only when the first returned 0.
296 case PHYSICAL_PRESENCE_ENABLE_ACTIVATE
:
297 TpmResponse
= ExecutePhysicalPresence (TcgProtocol
, PHYSICAL_PRESENCE_ENABLE
, PpiFlags
);
298 if (TpmResponse
== 0) {
299 TpmResponse
= ExecutePhysicalPresence (TcgProtocol
, PHYSICAL_PRESENCE_ACTIVATE
, PpiFlags
);
303 case PHYSICAL_PRESENCE_DEACTIVATE_DISABLE
:
304 TpmResponse
= ExecutePhysicalPresence (TcgProtocol
, PHYSICAL_PRESENCE_DEACTIVATE
, PpiFlags
);
305 if (TpmResponse
== 0) {
306 TpmResponse
= ExecutePhysicalPresence (TcgProtocol
, PHYSICAL_PRESENCE_DISABLE
, PpiFlags
);
// As with ACTIVATE/DEACTIVATE, both owner-install cases share one ordinal.
310 case PHYSICAL_PRESENCE_SET_OWNER_INSTALL_TRUE
:
312 return TpmCommandNoReturnData (
314 TPM_ORD_SetOwnerInstall
,
319 case PHYSICAL_PRESENCE_SET_OWNER_INSTALL_FALSE
:
321 return TpmCommandNoReturnData (
323 TPM_ORD_SetOwnerInstall
,
// Two-boot operation. FLAG_RESET_TRACK records that the first half has been run, so
// the second half is executed on the following boot and the flag is cleared again.
// NOTE(review): the flag is set on the statement directly after the first half,
// without looking at TpmResponse. Because HaveValidTpmRequest() treats
// FLAG_RESET_TRACK as "already confirmed", a failed first half still schedules the
// second half without a new prompt - confirm this is intended. The same pattern
// repeats in the two ENABLE_ACTIVATE_CLEAR* cases below.
328 case PHYSICAL_PRESENCE_ENABLE_ACTIVATE_OWNER_TRUE
:
330 // PHYSICAL_PRESENCE_ENABLE_ACTIVATE + PHYSICAL_PRESENCE_SET_OWNER_INSTALL_TRUE
331 // PHYSICAL_PRESENCE_SET_OWNER_INSTALL_TRUE will be executed after reboot
333 if ((*PpiFlags
& FLAG_RESET_TRACK
) == 0) {
334 TpmResponse
= ExecutePhysicalPresence (TcgProtocol
, PHYSICAL_PRESENCE_ENABLE_ACTIVATE
, PpiFlags
);
335 *PpiFlags
|= FLAG_RESET_TRACK
;
337 TpmResponse
= ExecutePhysicalPresence (TcgProtocol
, PHYSICAL_PRESENCE_SET_OWNER_INSTALL_TRUE
, PpiFlags
);
338 *PpiFlags
&= ~FLAG_RESET_TRACK
;
342 case PHYSICAL_PRESENCE_DEACTIVATE_DISABLE_OWNER_FALSE
:
343 TpmResponse
= ExecutePhysicalPresence (TcgProtocol
, PHYSICAL_PRESENCE_SET_OWNER_INSTALL_FALSE
, PpiFlags
);
344 if (TpmResponse
== 0) {
345 TpmResponse
= ExecutePhysicalPresence (TcgProtocol
, PHYSICAL_PRESENCE_DEACTIVATE_DISABLE
, PpiFlags
);
// Five byte-swapped 32-bit words form the TPM_ORD_SetCapability parameter block; the
// trailing comments name each field. InData's declaration is not shown.
349 case PHYSICAL_PRESENCE_DEFERRED_PP_UNOWNERED_FIELD_UPGRADE
:
350 InData
[0] = SwapBytes32 (TPM_SET_STCLEAR_DATA
); // CapabilityArea
351 InData
[1] = SwapBytes32 (sizeof(UINT32
)); // SubCapSize
352 InData
[2] = SwapBytes32 (TPM_SD_DEFERREDPHYSICALPRESENCE
); // SubCap
353 InData
[3] = SwapBytes32 (sizeof(UINT32
)); // SetValueSize
354 InData
[4] = SwapBytes32 (1); // UnownedFieldUpgrade; bit0
355 return TpmCommandNoReturnData (
357 TPM_ORD_SetCapability
,
362 case PHYSICAL_PRESENCE_SET_OPERATOR_AUTH
:
364 // TPM_SetOperatorAuth
365 // This command requires UI to prompt user for Auth data
366 // Here it is NOT implemented
368 return TPM_PP_BIOS_FAILURE
;
370 case PHYSICAL_PRESENCE_CLEAR_ENABLE_ACTIVATE
:
371 TpmResponse
= ExecutePhysicalPresence (TcgProtocol
, PHYSICAL_PRESENCE_CLEAR
, PpiFlags
);
372 if (TpmResponse
== 0) {
373 TpmResponse
= ExecutePhysicalPresence (TcgProtocol
, PHYSICAL_PRESENCE_ENABLE_ACTIVATE
, PpiFlags
);
// The six SET_NO_PPI_* cases send nothing to the TPM in the lines shown. They flip
// the policy bits that HaveValidTpmRequest() later uses to decide whether a request
// may skip the user prompt, so these bits are security policy, not bookkeeping.
377 case PHYSICAL_PRESENCE_SET_NO_PPI_PROVISION_FALSE
:
378 *PpiFlags
&= ~FLAG_NO_PPI_PROVISION
;
381 case PHYSICAL_PRESENCE_SET_NO_PPI_PROVISION_TRUE
:
382 *PpiFlags
|= FLAG_NO_PPI_PROVISION
;
385 case PHYSICAL_PRESENCE_SET_NO_PPI_CLEAR_FALSE
:
386 *PpiFlags
&= ~FLAG_NO_PPI_CLEAR
;
389 case PHYSICAL_PRESENCE_SET_NO_PPI_CLEAR_TRUE
:
390 *PpiFlags
|= FLAG_NO_PPI_CLEAR
;
393 case PHYSICAL_PRESENCE_SET_NO_PPI_MAINTENANCE_FALSE
:
394 *PpiFlags
&= ~FLAG_NO_PPI_MAINTENANCE
;
397 case PHYSICAL_PRESENCE_SET_NO_PPI_MAINTENANCE_TRUE
:
398 *PpiFlags
|= FLAG_NO_PPI_MAINTENANCE
;
401 case PHYSICAL_PRESENCE_ENABLE_ACTIVATE_CLEAR
:
403 // PHYSICAL_PRESENCE_ENABLE_ACTIVATE + PHYSICAL_PRESENCE_CLEAR
404 // PHYSICAL_PRESENCE_CLEAR will be executed after reboot.
406 if ((*PpiFlags
& FLAG_RESET_TRACK
) == 0) {
407 TpmResponse
= ExecutePhysicalPresence (TcgProtocol
, PHYSICAL_PRESENCE_ENABLE_ACTIVATE
, PpiFlags
);
408 *PpiFlags
|= FLAG_RESET_TRACK
;
410 TpmResponse
= ExecutePhysicalPresence (TcgProtocol
, PHYSICAL_PRESENCE_CLEAR
, PpiFlags
);
411 *PpiFlags
&= ~FLAG_RESET_TRACK
;
415 case PHYSICAL_PRESENCE_ENABLE_ACTIVATE_CLEAR_ENABLE_ACTIVATE
:
417 // PHYSICAL_PRESENCE_ENABLE_ACTIVATE + PHYSICAL_PRESENCE_CLEAR_ENABLE_ACTIVATE
418 // PHYSICAL_PRESENCE_CLEAR_ENABLE_ACTIVATE will be executed after reboot.
420 if ((*PpiFlags
& FLAG_RESET_TRACK
) == 0) {
421 TpmResponse
= ExecutePhysicalPresence (TcgProtocol
, PHYSICAL_PRESENCE_ENABLE_ACTIVATE
, PpiFlags
);
422 *PpiFlags
|= FLAG_RESET_TRACK
;
424 TpmResponse
= ExecutePhysicalPresence (TcgProtocol
, PHYSICAL_PRESENCE_CLEAR_ENABLE_ACTIVATE
, PpiFlags
);
425 *PpiFlags
&= ~FLAG_RESET_TRACK
;
// Fallback result; per the header comment this covers unknown operation codes.
432 return TPM_PP_BIOS_FAILURE
;
437 Read the specified key for user confirmation.
439 @param[in] CautionKey If true, F12 is used as confirm key;
440 If false, F10 is used as confirm key.
442 @retval TRUE User confirmed the changes by input.
443 @retval FALSE User discarded the changes or device error.
// ReadUserKey (name taken from its call site in the confirmation routine; the line
// carrying the name is not part of this listing).
// Polls the console until one of three keys arrives: ESC always ends the loop,
// F10 is accepted only when CautionKey is FALSE, F12 only when CautionKey is TRUE.
// Requiring a different key for the cautionary operations keeps a habitual F10 press
// from approving a destructive request.
448 IN BOOLEAN CautionKey
458 Status
= gST
->ConIn
->ReadKeyStroke (gST
->ConIn
, &Key
);
// No key pending: block on the console's WaitForKey event. The return value of
// WaitForEvent is not used.
459 if (Status
== EFI_NOT_READY
) {
460 gBS
->WaitForEvent (1, &gST
->ConIn
->WaitForKey
, &Index
);
// Device-error handling is on a line not shown; the header comment says FALSE is
// returned for a device error.
464 if (Status
== EFI_DEVICE_ERROR
) {
468 if (Key
.ScanCode
== SCAN_ESC
) {
469 InputKey
= Key
.ScanCode
;
471 if ((Key
.ScanCode
== SCAN_F10
) && !CautionKey
) {
472 InputKey
= Key
.ScanCode
;
474 if ((Key
.ScanCode
== SCAN_F12
) && CautionKey
) {
475 InputKey
= Key
.ScanCode
;
// InputKey stays 0 for every other key, so unrelated keystrokes are ignored.
// Its initialisation is on a line not shown - presumably 0; confirm.
477 } while (InputKey
== 0);
// Anything other than ESC at this point is the matching confirm key.
479 if (InputKey
!= SCAN_ESC
) {
487 The constructor function registers UNI strings into imageHandle.
489 It will ASSERT() if that operation fails and it will always return EFI_SUCCESS.
491 @param ImageHandle The firmware allocated handle for the EFI image.
492 @param SystemTable A pointer to the EFI System Table.
494 @retval EFI_SUCCESS The constructor successfully added string package.
495 @retval Other value The constructor can't add string package.
// Library constructor: publishes this library's string package under
// gEfiPhysicalPresenceGuid and keeps the resulting HII handle in mPpStringPackHandle.
500 TcgPhysicalPresenceLibConstructor (
501 IN EFI_HANDLE ImageHandle
,
502 IN EFI_SYSTEM_TABLE
*SystemTable
505 mPpStringPackHandle
= HiiAddPackages (&gEfiPhysicalPresenceGuid
, ImageHandle
, DxeTcgPhysicalPresenceLibStrings
, NULL
);
// NOTE(review): a NULL handle is caught only by ASSERT. With ASSERT compiled out,
// every later string lookup would run against a NULL handle, and the confirmation
// text shown to the user depends on those lookups - confirm how the target build
// handles this. The header comment says EFI_SUCCESS is returned regardless.
506 ASSERT (mPpStringPackHandle
!= NULL
);
512 Display the confirm text and get user confirmation.
514 @param[in] TpmPpCommand The requested TPM physical presence command.
516 @retval TRUE The user has confirmed the changes.
517 @retval FALSE The user doesn't confirm the changes.
// UserConfirm (name taken from its call site in ExecutePendingTpmRequest; the line
// carrying the name is not part of this listing).
// Assembles the confirmation prompt for TpmPpCommand in ConfirmText from HII strings,
// prints it, and waits for the user's key through ReadUserKey().
// Every case follows the same shape: TmpStr2 names the operation, TmpStr1 is a
// heading used as the UnicodeSPrint format with TmpStr2 as its argument, and further
// note / warning / key-hint strings are appended with StrnCat.
// Statements between the steps of each case (lines missing from this listing) are not
// visible, including how the looked-up strings are released.
521 IN UINT8 TpmPpCommand
// BufSize is a byte count; ConfirmText therefore holds BufSize / sizeof (CHAR16)
// characters including the terminator.
534 BufSize
= CONFIRM_BUFFER_SIZE
;
535 ConfirmText
= AllocateZeroPool (BufSize
);
// NOTE(review): allocation failure is caught only by ASSERT; with ASSERT compiled
// out the code below would write through a NULL pointer - confirm for the target build.
536 ASSERT (ConfirmText
!= NULL
);
538 switch (TpmPpCommand
) {
539 case PHYSICAL_PRESENCE_ENABLE
:
540 TmpStr2
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_ENABLE
));
// NOTE(review): TmpStr1 is used as a format string and as a concatenation source
// without a visible NULL check, although the lookup is documented to return NULL on
// error - confirm on the lines not shown.
542 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_HEAD_STR
));
543 UnicodeSPrint (ConfirmText
, BufSize
, TmpStr1
, TmpStr2
);
546 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_ACCEPT_KEY
));
// NOTE(review): the last argument should be the remaining capacity in CHAR16
// characters, but BufSize is divided by sizeof (CHAR16 *) - the size of a pointer -
// instead of sizeof (CHAR16). That under-counts the capacity, and once
// StrLen (ConfirmText) reaches the smaller quotient the unsigned subtraction wraps to
// a very large count, so the append is no longer bounded by the buffer. The intended
// expression is presumably
//   (BufSize / sizeof (CHAR16)) - StrLen (ConfirmText) - 1
// The identical expression is repeated in every StrnCat call of this function.
547 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
551 case PHYSICAL_PRESENCE_DISABLE
:
552 TmpStr2
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_DISABLE
));
554 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_HEAD_STR
));
555 UnicodeSPrint (ConfirmText
, BufSize
, TmpStr1
, TmpStr2
);
558 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_WARNING
));
559 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
562 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_ACCEPT_KEY
));
563 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
567 case PHYSICAL_PRESENCE_ACTIVATE
:
568 TmpStr2
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_ACTIVATE
));
570 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_HEAD_STR
));
571 UnicodeSPrint (ConfirmText
, BufSize
, TmpStr1
, TmpStr2
);
574 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_ACCEPT_KEY
));
575 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
579 case PHYSICAL_PRESENCE_DEACTIVATE
:
580 TmpStr2
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_DEACTIVATE
));
582 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_HEAD_STR
));
583 UnicodeSPrint (ConfirmText
, BufSize
, TmpStr1
, TmpStr2
);
586 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_WARNING
));
587 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
590 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_ACCEPT_KEY
));
591 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
// Clearing the TPM ends with the TPM_CAUTION_KEY hint rather than TPM_ACCEPT_KEY;
// the same holds for the other clear / maintenance cases below.
595 case PHYSICAL_PRESENCE_CLEAR
:
597 TmpStr2
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_CLEAR
));
599 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_HEAD_STR
));
600 UnicodeSPrint (ConfirmText
, BufSize
, TmpStr1
, TmpStr2
);
603 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_WARNING_CLEAR
));
604 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
605 StrnCat (ConfirmText
, L
" \n\n", (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
608 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_CAUTION_KEY
));
609 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
613 case PHYSICAL_PRESENCE_ENABLE_ACTIVATE
:
614 TmpStr2
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_ENABLE_ACTIVATE
));
616 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_HEAD_STR
));
617 UnicodeSPrint (ConfirmText
, BufSize
, TmpStr1
, TmpStr2
);
620 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_NOTE_ON
));
621 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
624 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_ACCEPT_KEY
));
625 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
629 case PHYSICAL_PRESENCE_DEACTIVATE_DISABLE
:
630 TmpStr2
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_DEACTIVATE_DISABLE
));
632 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_HEAD_STR
));
633 UnicodeSPrint (ConfirmText
, BufSize
, TmpStr1
, TmpStr2
);
636 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_NOTE_OFF
));
637 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
640 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_WARNING
));
641 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
644 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_ACCEPT_KEY
));
645 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
649 case PHYSICAL_PRESENCE_SET_OWNER_INSTALL_TRUE
:
650 TmpStr2
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_ALLOW_TAKE_OWNERSHIP
));
652 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_HEAD_STR
));
653 UnicodeSPrint (ConfirmText
, BufSize
, TmpStr1
, TmpStr2
);
656 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_ACCEPT_KEY
));
657 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
661 case PHYSICAL_PRESENCE_SET_OWNER_INSTALL_FALSE
:
662 TmpStr2
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_DISALLOW_TAKE_OWNERSHIP
));
664 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_HEAD_STR
));
665 UnicodeSPrint (ConfirmText
, BufSize
, TmpStr1
, TmpStr2
);
668 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_ACCEPT_KEY
));
669 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
673 case PHYSICAL_PRESENCE_ENABLE_ACTIVATE_OWNER_TRUE
:
674 TmpStr2
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_TURN_ON
));
676 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_HEAD_STR
));
677 UnicodeSPrint (ConfirmText
, BufSize
, TmpStr1
, TmpStr2
);
680 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_NOTE_ON
));
681 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
684 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_ACCEPT_KEY
));
685 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
689 case PHYSICAL_PRESENCE_DEACTIVATE_DISABLE_OWNER_FALSE
:
690 TmpStr2
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_TURN_OFF
));
692 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_HEAD_STR
));
693 UnicodeSPrint (ConfirmText
, BufSize
, TmpStr1
, TmpStr2
);
696 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_NOTE_OFF
));
697 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
700 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_WARNING
));
701 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
704 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_ACCEPT_KEY
));
705 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
709 case PHYSICAL_PRESENCE_DEFERRED_PP_UNOWNERED_FIELD_UPGRADE
:
711 TmpStr2
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_UNOWNED_FIELD_UPGRADE
));
713 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_UPGRADE_HEAD_STR
));
714 UnicodeSPrint (ConfirmText
, BufSize
, TmpStr1
, TmpStr2
);
717 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_WARNING_MAINTAIN
));
718 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
721 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_CAUTION_KEY
));
722 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
// No prompt text is built for SET_OPERATOR_AUTH in the lines shown.
726 case PHYSICAL_PRESENCE_SET_OPERATOR_AUTH
:
728 // TPM_SetOperatorAuth
729 // This command requires UI to prompt user for Auth data
730 // Here it is NOT implemented
734 case PHYSICAL_PRESENCE_CLEAR_ENABLE_ACTIVATE
:
736 TmpStr2
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_CLEAR_TURN_ON
));
738 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_HEAD_STR
));
739 UnicodeSPrint (ConfirmText
, BufSize
, TmpStr1
, TmpStr2
);
742 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_NOTE_ON
));
743 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
746 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_WARNING_CLEAR
));
747 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
750 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_WARNING_CLEAR_CONT
));
751 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
754 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_CAUTION_KEY
));
755 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
// The three SET_NO_PPI_*_TRUE prompts ask the user to approve turning off future
// prompts; they use TPM_PPI_HEAD_STR and append TPM_NO_PPI_INFO.
759 case PHYSICAL_PRESENCE_SET_NO_PPI_PROVISION_TRUE
:
760 TmpStr2
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_NO_PPI_PROVISION
));
762 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_PPI_HEAD_STR
));
763 UnicodeSPrint (ConfirmText
, BufSize
, TmpStr1
, TmpStr2
);
766 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_ACCEPT_KEY
));
767 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
770 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_NO_PPI_INFO
));
771 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
775 case PHYSICAL_PRESENCE_SET_NO_PPI_CLEAR_TRUE
:
777 TmpStr2
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_CLEAR
));
779 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_PPI_HEAD_STR
));
780 UnicodeSPrint (ConfirmText
, BufSize
, TmpStr1
, TmpStr2
);
783 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_NOTE_CLEAR
));
784 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
787 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_WARNING_CLEAR
));
788 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
789 StrnCat (ConfirmText
, L
" \n\n", (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
792 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_CAUTION_KEY
));
793 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
796 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_NO_PPI_INFO
));
797 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
801 case PHYSICAL_PRESENCE_SET_NO_PPI_MAINTENANCE_TRUE
:
803 TmpStr2
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_NO_PPI_MAINTAIN
));
805 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_PPI_HEAD_STR
));
806 UnicodeSPrint (ConfirmText
, BufSize
, TmpStr1
, TmpStr2
);
809 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_WARNING_MAINTAIN
));
810 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
813 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_CAUTION_KEY
));
814 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
817 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_NO_PPI_INFO
));
818 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
822 case PHYSICAL_PRESENCE_ENABLE_ACTIVATE_CLEAR
:
824 TmpStr2
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_ENABLE_ACTIVATE_CLEAR
));
826 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_HEAD_STR
));
827 UnicodeSPrint (ConfirmText
, BufSize
, TmpStr1
, TmpStr2
);
830 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_WARNING_CLEAR
));
831 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
832 StrnCat (ConfirmText
, L
" \n\n", (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
835 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_CAUTION_KEY
));
836 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
840 case PHYSICAL_PRESENCE_ENABLE_ACTIVATE_CLEAR_ENABLE_ACTIVATE
:
842 TmpStr2
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_ENABLE_ACTIVATE_CLEAR_ENABLE_ACTIVATE
));
844 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_HEAD_STR
));
845 UnicodeSPrint (ConfirmText
, BufSize
, TmpStr1
, TmpStr2
);
848 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_NOTE_ON
));
849 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
852 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_WARNING_CLEAR
));
853 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
856 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_WARNING_CLEAR_CONT
));
857 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
860 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_CAUTION_KEY
));
861 StrnCat (ConfirmText
, TmpStr1
, (BufSize
/ sizeof (CHAR16
*)) - StrLen (ConfirmText
) - 1);
// A NULL TmpStr2 means no operation name is available, so the buffer is released
// instead of showing a prompt. This is the only NULL test on a looked-up string
// visible in this listing.
869 if (TmpStr2
== NULL
) {
870 FreePool (ConfirmText
);
// Append the reject-key hint at the current end of the text. BufSize is first
// reduced by StrSize (ConfirmText), i.e. by the bytes already used including the
// terminator, so the byte count handed to UnicodeSPrint stays inside the allocation.
874 TmpStr1
= PhysicalPresenceGetStringById (STRING_TOKEN (TPM_REJECT_KEY
));
875 BufSize
-= StrSize (ConfirmText
);
876 UnicodeSPrint (ConfirmText
+ StrLen (ConfirmText
), BufSize
, TmpStr1
, TmpStr2
);
// The prompt is emitted in slices of 80 characters copied into DstStr.
// NOTE(review): DstStr's declaration, its termination after StrnCpy and the output
// call are on lines not shown - confirm DstStr holds at least 81 CHAR16 and that each
// slice is printed as data rather than as a format string. StrLen is also
// re-evaluated on every iteration.
879 for (Index
= 0; Index
< StrLen (ConfirmText
); Index
+= 80) {
880 StrnCpy(DstStr
, ConfirmText
+ Index
, 80);
886 FreePool (ConfirmText
);
// CautionKey is assigned on lines not shown; it selects F12 instead of F10 in
// ReadUserKey().
888 if (ReadUserKey (CautionKey
)) {
896 Check if there is a valid physical presence command request. Also reports
897 whether the requested physical presence command has already been confirmed by the user.
899 @param[in] TcgPpData EFI TCG Physical Presence request data.
900 @param[out] RequestConfirmed Whether the physical presence operation command can run without user confirmation from the UI.
901 TRUE indicates the command doesn't require user confirmation, or was already confirmed
902 in the last boot cycle by the user.
903 FALSE indicates the command needs user confirmation from the UI.
905 @retval TRUE Physical Presence operation command is valid.
906 @retval FALSE Physical Presence operation command is invalid.
// Classifies TcgPpData->PPRequest and decides whether the request may run without a
// prompt. *RequestConfirmed starts as FALSE and is set to TRUE when the request is
// PHYSICAL_PRESENCE_NO_ACTION, when the matching FLAG_NO_PPI_* bit is set, when the
// request only re-enables a prompt (SET_NO_PPI_*_FALSE), or when FLAG_RESET_TRACK
// marks it as confirmed on the previous boot.
//
// NOTE(review): every bit that suppresses the prompt is read from the same structure
// as the request itself. Elsewhere in this file that structure is stored in a
// variable written with EFI_VARIABLE_RUNTIME_ACCESS, so whatever can write the
// variable after boot can presumably supply a request together with flags that mark
// it as pre-approved. Confirm what protects this variable on the target platform;
// keeping the policy flags in storage that is locked before the OS runs would remove
// the dependency.
910 HaveValidTpmRequest (
911 IN EFI_PHYSICAL_PRESENCE
*TcgPpData
,
912 OUT BOOLEAN
*RequestConfirmed
// Snapshot of the flags from the caller's structure; confirmation defaults to "needed".
917 Flags
= TcgPpData
->Flags
;
918 *RequestConfirmed
= FALSE
;
920 switch (TcgPpData
->PPRequest
) {
921 case PHYSICAL_PRESENCE_NO_ACTION
:
922 *RequestConfirmed
= TRUE
;
// Provisioning-class operations: prompt skipped when FLAG_NO_PPI_PROVISION is set.
924 case PHYSICAL_PRESENCE_ENABLE
:
925 case PHYSICAL_PRESENCE_DISABLE
:
926 case PHYSICAL_PRESENCE_ACTIVATE
:
927 case PHYSICAL_PRESENCE_DEACTIVATE
:
928 case PHYSICAL_PRESENCE_ENABLE_ACTIVATE
:
929 case PHYSICAL_PRESENCE_DEACTIVATE_DISABLE
:
930 case PHYSICAL_PRESENCE_SET_OWNER_INSTALL_TRUE
:
931 case PHYSICAL_PRESENCE_SET_OWNER_INSTALL_FALSE
:
932 case PHYSICAL_PRESENCE_ENABLE_ACTIVATE_OWNER_TRUE
:
933 case PHYSICAL_PRESENCE_DEACTIVATE_DISABLE_OWNER_FALSE
:
934 case PHYSICAL_PRESENCE_SET_OPERATOR_AUTH
:
935 if ((Flags
& FLAG_NO_PPI_PROVISION
) != 0) {
936 *RequestConfirmed
= TRUE
;
// Clear-class operations: prompt skipped when FLAG_NO_PPI_CLEAR is set.
940 case PHYSICAL_PRESENCE_CLEAR
:
941 case PHYSICAL_PRESENCE_ENABLE_ACTIVATE_CLEAR
:
942 if ((Flags
& FLAG_NO_PPI_CLEAR
) != 0) {
943 *RequestConfirmed
= TRUE
;
// Maintenance-class operation: prompt skipped when FLAG_NO_PPI_MAINTENANCE is set.
947 case PHYSICAL_PRESENCE_DEFERRED_PP_UNOWNERED_FIELD_UPGRADE
:
948 if ((Flags
& FLAG_NO_PPI_MAINTENANCE
) != 0) {
949 *RequestConfirmed
= TRUE
;
// Operations that both clear and provision need both bits before the prompt is skipped.
953 case PHYSICAL_PRESENCE_CLEAR_ENABLE_ACTIVATE
:
954 case PHYSICAL_PRESENCE_ENABLE_ACTIVATE_CLEAR_ENABLE_ACTIVATE
:
955 if ((Flags
& FLAG_NO_PPI_CLEAR
) != 0 && (Flags
& FLAG_NO_PPI_PROVISION
) != 0) {
956 *RequestConfirmed
= TRUE
;
// Re-enabling a prompt never needs confirmation.
960 case PHYSICAL_PRESENCE_SET_NO_PPI_PROVISION_FALSE
:
961 case PHYSICAL_PRESENCE_SET_NO_PPI_CLEAR_FALSE
:
962 case PHYSICAL_PRESENCE_SET_NO_PPI_MAINTENANCE_FALSE
:
963 *RequestConfirmed
= TRUE
;
// Disabling a prompt is a valid request but sets nothing here, so it keeps the
// FALSE default and is shown to the user.
966 case PHYSICAL_PRESENCE_SET_NO_PPI_PROVISION_TRUE
:
967 case PHYSICAL_PRESENCE_SET_NO_PPI_CLEAR_TRUE
:
968 case PHYSICAL_PRESENCE_SET_NO_PPI_MAINTENANCE_TRUE
:
973 // Wrong Physical Presence command
// FLAG_RESET_TRACK overrides the per-class decision above for every valid request.
978 if ((Flags
& FLAG_RESET_TRACK
) != 0) {
980 // It had been confirmed in last boot, it doesn't need confirm again.
982 *RequestConfirmed
= TRUE
;
986 // Physical Presence command is correct
993 Check and execute the requested physical presence command.
995 Caution: This function may receive untrusted input.
996 The TcgPpData variable is external input, so this function validates
997 the contents of its data structure before acting on them.
999 @param[in] TcgProtocol EFI TCG Protocol instance.
1000 @param[in] TcgPpData Point to the physical presence NV variable.
// Validates the pending request, obtains user confirmation where required, executes
// it, writes the outcome back to the physical presence variable and resets the
// platform when the operation needs a reboot to take effect.
// The file header identifies this function as the one that receives untrusted input:
// TcgPpData originates from the physical presence variable.
1004 ExecutePendingTpmRequest (
1005 IN EFI_TCG_PROTOCOL
*TcgProtocol
,
1006 IN EFI_PHYSICAL_PRESENCE
*TcgPpData
1011 BOOLEAN RequestConfirmed
;
// Unknown request codes are rejected here: the response is set to
// TPM_PP_BIOS_FAILURE, the request is retired into LastPPRequest, and the structure
// is written back so the bad request is not retried on the next boot.
1013 if (!HaveValidTpmRequest(TcgPpData
, &RequestConfirmed
)) {
1015 // Invalid operation request.
1017 TcgPpData
->PPResponse
= TPM_PP_BIOS_FAILURE
;
1018 TcgPpData
->LastPPRequest
= TcgPpData
->PPRequest
;
1019 TcgPpData
->PPRequest
= PHYSICAL_PRESENCE_NO_ACTION
;
1020 DataSize
= sizeof (EFI_PHYSICAL_PRESENCE
);
// NOTE(review): the variable is non-volatile and carries
// EFI_VARIABLE_RUNTIME_ACCESS, so it remains reachable after boot services end.
// Flags, including the bits that suppress the prompt, are stored in it alongside the
// request - see the note on HaveValidTpmRequest(); confirm what restricts writes.
1021 Status
= gRT
->SetVariable (
1022 PHYSICAL_PRESENCE_VARIABLE
,
1023 &gEfiPhysicalPresenceGuid
,
1024 EFI_VARIABLE_NON_VOLATILE
| EFI_VARIABLE_BOOTSERVICE_ACCESS
| EFI_VARIABLE_RUNTIME_ACCESS
,
1031 if (!RequestConfirmed
) {
1033 // Print confirm text and wait for approval.
1035 RequestConfirmed
= UserConfirm (TcgPpData
->PPRequest
);
1039 // Execute requested physical presence command
// The response defaults to "user abort" and is overwritten only when the request
// was confirmed. Flags is passed by address because the executed operation may
// change it (policy bits, FLAG_RESET_TRACK).
1041 TcgPpData
->PPResponse
= TPM_PP_USER_ABORT
;
1042 if (RequestConfirmed
) {
1043 TcgPpData
->PPResponse
= ExecutePhysicalPresence (TcgProtocol
, TcgPpData
->PPRequest
, &TcgPpData
->Flags
);
// The request is retired only when no second phase is pending; with
// FLAG_RESET_TRACK set, PPRequest stays in place for the next boot.
1049 if ((TcgPpData
->Flags
& FLAG_RESET_TRACK
) == 0) {
1050 TcgPpData
->LastPPRequest
= TcgPpData
->PPRequest
;
1051 TcgPpData
->PPRequest
= PHYSICAL_PRESENCE_NO_ACTION
;
1057 DataSize
= sizeof (EFI_PHYSICAL_PRESENCE
);
1058 Status
= gRT
->SetVariable (
1059 PHYSICAL_PRESENCE_VARIABLE
,
1060 &gEfiPhysicalPresenceGuid
,
1061 EFI_VARIABLE_NON_VOLATILE
| EFI_VARIABLE_BOOTSERVICE_ACCESS
| EFI_VARIABLE_RUNTIME_ACCESS
,
// What happens when the write-back fails, and after a user abort, is on lines not
// shown in this listing.
1065 if (EFI_ERROR (Status
)) {
1069 if (TcgPpData
->PPResponse
== TPM_PP_USER_ABORT
) {
1074 // Reset system to make new TPM settings in effect
// Operations listed here lead to the reset path below; the statements that close
// this switch are not shown.
1076 switch (TcgPpData
->LastPPRequest
) {
1077 case PHYSICAL_PRESENCE_ACTIVATE
:
1078 case PHYSICAL_PRESENCE_DEACTIVATE
:
1079 case PHYSICAL_PRESENCE_CLEAR
:
1080 case PHYSICAL_PRESENCE_ENABLE_ACTIVATE
:
1081 case PHYSICAL_PRESENCE_DEACTIVATE_DISABLE
:
1082 case PHYSICAL_PRESENCE_ENABLE_ACTIVATE_OWNER_TRUE
:
1083 case PHYSICAL_PRESENCE_DEACTIVATE_DISABLE_OWNER_FALSE
:
1084 case PHYSICAL_PRESENCE_DEFERRED_PP_UNOWNERED_FIELD_UPGRADE
:
1085 case PHYSICAL_PRESENCE_CLEAR_ENABLE_ACTIVATE
:
1086 case PHYSICAL_PRESENCE_ENABLE_ACTIVATE_CLEAR
:
1087 case PHYSICAL_PRESENCE_ENABLE_ACTIVATE_CLEAR_ENABLE_ACTIVATE
:
// A request that is still pending (second phase of a two-boot operation) is also
// tested here.
1090 if (TcgPpData
->PPRequest
!= PHYSICAL_PRESENCE_NO_ACTION
) {
1096 Print (L
"Rebooting system to make TPM settings in effect\n");
1097 gRT
->ResetSystem (EfiResetCold
, EFI_SUCCESS
, 0, NULL
);
1102 Check and execute the pending TPM request and Lock TPM.
1104 The TPM request may come from OS or BIOS. This API will display request information and wait
1105 for user confirmation if TPM request exists. The TPM request will be sent to TPM device after
1106 the TPM request is confirmed, and one or more resets may be required for the TPM request to
1107 take effect. Finally, it locks the TPM to prevent TPM state changes by malware.
1109 This API should be invoked after console in and console out are all ready as they are required
1110 to display request information and get user input to confirm the request. This API should also
1111 be invoked as early as possible as TPM is locked in this function.
// Entry point: locates the TCG protocol, loads (or creates) the physical presence
// variable, and - when a request is pending - enables the physical presence command
// if necessary, asserts physical presence, runs the request, then de-asserts and
// locks physical presence.
// The bodies of the early-exit branches are on lines not shown in this listing.
1116 TcgPhysicalPresenceLibProcessRequest (
1121 BOOLEAN LifetimeLock
;
1124 EFI_PHYSICAL_PRESENCE TcgPpData
;
1125 EFI_TCG_PROTOCOL
*TcgProtocol
;
1127 Status
= gBS
->LocateProtocol (&gEfiTcgProtocolGuid
, NULL
, (VOID
**)&TcgProtocol
);
1128 if (EFI_ERROR (Status
)) {
1133 // Initialize physical presence variable.
// NOTE(review): DataSize is preset to the structure size, but no comparison of the
// size returned by GetVariable against sizeof (EFI_PHYSICAL_PRESENCE) is visible, and
// TcgPpData is zeroed only on the EFI_NOT_FOUND path. An existing but shorter
// variable would presumably leave trailing fields of the stack structure
// uninitialised - confirm on the lines not shown, and consider checking size and
// attributes before trusting the contents.
1135 DataSize
= sizeof (EFI_PHYSICAL_PRESENCE
);
1136 Status
= gRT
->GetVariable (
1137 PHYSICAL_PRESENCE_VARIABLE
,
1138 &gEfiPhysicalPresenceGuid
,
1143 if (EFI_ERROR (Status
)) {
// First boot: create the variable with everything zero except
// FLAG_NO_PPI_PROVISION, i.e. provisioning-class requests start out not needing a
// prompt.
1144 if (Status
== EFI_NOT_FOUND
) {
1145 ZeroMem ((VOID
*)&TcgPpData
, sizeof (TcgPpData
));
1146 TcgPpData
.Flags
|= FLAG_NO_PPI_PROVISION
;
1147 DataSize
= sizeof (EFI_PHYSICAL_PRESENCE
);
1148 Status
= gRT
->SetVariable (
1149 PHYSICAL_PRESENCE_VARIABLE
,
1150 &gEfiPhysicalPresenceGuid
,
1151 EFI_VARIABLE_NON_VOLATILE
| EFI_VARIABLE_BOOTSERVICE_ACCESS
| EFI_VARIABLE_RUNTIME_ACCESS
,
// The remaining failure of the read or create step is caught only by ASSERT.
1156 ASSERT_EFI_ERROR (Status
);
1159 DEBUG ((EFI_D_INFO
, "[TPM] Flags=%x, PPRequest=%x\n", TcgPpData
.Flags
, TcgPpData
.PPRequest
));
// NOTE(review): the header comment promises that the TPM is locked by this
// function. Confirm that each early exit (no request here, capability failure and
// command-enable failure below) still reaches the lock at the end, or that locking is
// guaranteed elsewhere on those paths.
1161 if (TcgPpData
.PPRequest
== PHYSICAL_PRESENCE_NO_ACTION
) {
1163 // No operation request
1168 Status
= GetTpmCapability (TcgProtocol
, &LifetimeLock
, &CmdEnable
);
1169 if (EFI_ERROR (Status
)) {
1176 // physicalPresenceCMDEnable is locked, can't execute physical presence command.
1180 Status
= TpmPhysicalPresence (TcgProtocol
, TPM_PHYSICAL_PRESENCE_CMD_ENABLE
);
1181 if (EFI_ERROR (Status
)) {
1187 // Set operator physical presence flags
// The result of asserting physical presence is not captured.
1189 TpmPhysicalPresence (TcgProtocol
, TPM_PHYSICAL_PRESENCE_PRESENT
);
1192 // Execute pending TPM request.
1194 ExecutePendingTpmRequest (TcgProtocol
, &TcgPpData
);
1195 DEBUG ((EFI_D_INFO
, "[TPM] PPResponse = %x\n", TcgPpData
.PPResponse
));
1198 // Lock physical presence.
// NOTE(review): the status of the final lock is discarded, so a TPM that refuses the
// command leaves physical presence asserted without any trace. Logging or acting on
// the returned status would make a failed lock detectable.
1200 TpmPhysicalPresence (TcgProtocol
, TPM_PHYSICAL_PRESENCE_NOTPRESENT
| TPM_PHYSICAL_PRESENCE_LOCK
);
1204 Check if the pending TPM request needs user input to confirm.
1206 The TPM request may come from OS. This API checks whether a TPM request exists and needs user
1207 input for confirmation.
1209 @retval TRUE TPM needs input to confirm user physical presence.
1210 @retval FALSE TPM doesn't need input to confirm user physical presence.
1215 TcgPhysicalPresenceLibNeedUserConfirm(
1220 EFI_PHYSICAL_PRESENCE TcgPpData
;
1222 BOOLEAN RequestConfirmed
;
1223 BOOLEAN LifetimeLock
;
1225 EFI_TCG_PROTOCOL
*TcgProtocol
;
1227 Status
= gBS
->LocateProtocol (&gEfiTcgProtocolGuid
, NULL
, (VOID
**)&TcgProtocol
);
1228 if (EFI_ERROR (Status
)) {
1233 // Check Tpm requests
1235 DataSize
= sizeof (EFI_PHYSICAL_PRESENCE
);
1236 Status
= gRT
->GetVariable (
1237 PHYSICAL_PRESENCE_VARIABLE
,
1238 &gEfiPhysicalPresenceGuid
,
1243 if (EFI_ERROR (Status
)) {
1247 if (TcgPpData
.PPRequest
== PHYSICAL_PRESENCE_NO_ACTION
) {
1249 // No operation request
1254 if (!HaveValidTpmRequest(&TcgPpData
, &RequestConfirmed
)) {
1256 // Invalid operation request.
1262 // Check Tpm Capability
1264 Status
= GetTpmCapability (TcgProtocol
, &LifetimeLock
, &CmdEnable
);
1265 if (EFI_ERROR (Status
)) {
1272 // physicalPresenceCMDEnable is locked, can't execute physical presence command.
1278 if (!RequestConfirmed
) {
1280 // Need UI to confirm