1 ## @file SecurityPkg.dec
\r
2 # Provides security features that conform to TCG/UEFI industry standards
\r
4 # The security features include secure boot, measured boot and user identification.
\r
5 # It also provides the definitions(including PPIs/PROTOCOLs/GUIDs and library classes)
\r
6 # and libraries instances, which are used for those features.
\r
8 # Copyright (c) 2009 - 2015, Intel Corporation. All rights reserved.<BR>
\r
9 # This program and the accompanying materials are licensed and made available under
\r
10 # the terms and conditions of the BSD License which accompanies this distribution.
\r
11 # The full text of the license may be found at
\r
12 # http://opensource.org/licenses/bsd-license.php
\r
14 # THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
\r
15 # WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
\r
20 DEC_SPECIFICATION = 0x00010005
\r
21 PACKAGE_NAME = SecurityPkg
\r
22 PACKAGE_UNI_FILE = SecurityPkg.uni
\r
23 PACKAGE_GUID = 24369CAC-6AA6-4fb8-88DB-90BF061668AD
\r
24 PACKAGE_VERSION = 0.94
\r
30 ## @libraryclass Provides hash interfaces from different implementations.
\r
32 HashLib|Include/Library/HashLib.h
\r
34 ## @libraryclass Provides a platform specific interface to detect physically present user.
\r
36 PlatformSecureLib|Include/Library/PlatformSecureLib.h
\r
38 ## @libraryclass Provides interfaces to handle TPM 1.2 request.
\r
40 TcgPhysicalPresenceLib|Include/Library/TcgPhysicalPresenceLib.h
\r
42 ## @libraryclass Provides support for TCG PP >= 128 Vendor Specific PPI Operation.
\r
44 TcgPpVendorLib|Include/Library/TcgPpVendorLib.h
\r
46 ## @libraryclass Provides interfaces for other modules to send TPM 2.0 command.
\r
48 Tpm2CommandLib|Include/Library/Tpm2CommandLib.h
\r
50 ## @libraryclass Provides interfaces on how to access TPM 2.0 hardware device.
\r
52 Tpm2DeviceLib|Include/Library/Tpm2DeviceLib.h
\r
54 ## @libraryclass Provides interfaces for other modules to send TPM 1.2 command.
\r
56 Tpm12CommandLib|Include/Library/Tpm12CommandLib.h
\r
58 ## @libraryclass Provides interfaces on how to access TPM 1.2 hardware device.
\r
60 Tpm12DeviceLib|Include/Library/Tpm12DeviceLib.h
\r
62 ## @libraryclass Provides TPM Interface Specification (TIS) interfaces for TPM command.
\r
64 TpmCommLib|Include/Library/TpmCommLib.h
\r
66 ## @libraryclass Provides common interfaces about TPM measurement for other modules.
\r
68 TpmMeasurementLib|Include/Library/TpmMeasurementLib.h
\r
70 ## @libraryclass Provides interfaces to handle TPM 2.0 request.
\r
72 TrEEPhysicalPresenceLib|Include/Library/TrEEPhysicalPresenceLib.h
\r
74 ## @libraryclass Provides support for TrEE PP >= 128 Vendor Specific PPI Operation.
\r
76 TrEEPpVendorLib|Include/Library/TrEEPpVendorLib.h
\r
79 ## Security package token space guid.
\r
80 # Include/Guid/SecurityPkgTokenSpace.h
\r
81 gEfiSecurityPkgTokenSpaceGuid = { 0xd3fb176, 0x9569, 0x4d51, { 0xa3, 0xef, 0x7d, 0x61, 0xc6, 0x4f, 0xea, 0xba }}
\r
83 ## Guid acted as the authenticated variable store header's signature, and to specify the variable list entries put in the EFI system table.
\r
84 # Include/Guid/AuthenticatedVariableFormat.h
\r
85 gEfiAuthenticatedVariableGuid = { 0xaaf32c78, 0x947b, 0x439a, { 0xa1, 0x80, 0x2e, 0x14, 0x4e, 0xc3, 0x77, 0x92 } }
\r
87 ## GUID used to "SecureBootEnable" variable for the Secure Boot feature enable/disable.
\r
88 # This variable is used for allowing a physically present user to disable Secure Boot via firmware setup without the possession of PKpriv.
\r
89 # Include/Guid/AuthenticatedVariableFormat.h
\r
90 gEfiSecureBootEnableDisableGuid = { 0xf0a30bc7, 0xaf08, 0x4556, { 0x99, 0xc4, 0x0, 0x10, 0x9, 0xc9, 0x3a, 0x44 } }
\r
92 ## GUID used to "CustomMode" variable for two Secure Boot modes feature: "Custom" and "Standard".
\r
93 # Standard Secure Boot mode is the default mode as UEFI Spec's description.
\r
94 # Custom Secure Boot mode allows for more flexibility as specified in the following:
\r
95 # Can enroll or delete PK without existing PK's private key.
\r
96 # Can enroll or delete KEK without existing PK's private key.
\r
97 # Can enroll or delete signature from DB/DBX without KEK's private key.
\r
98 # Include/Guid/AuthenticatedVariableFormat.h
\r
99 gEfiCustomModeEnableGuid = { 0xc076ec0c, 0x7028, 0x4399, { 0xa0, 0x72, 0x71, 0xee, 0x5c, 0x44, 0x8b, 0x9f } }
\r
101 ## GUID used to "VendorKeysNv" variable to record the out of band secure boot keys modification.
\r
102 # This variable is a read-only NV variable that indicates whether someone other than the platform vendor has used a
\r
103 # mechanism not defined by the UEFI Specification to transition the system to setup mode or to update secure boot keys.
\r
104 # Include/Guid/AuthenticatedVariableFormat.h
\r
105 gEfiVendorKeysNvGuid = { 0x9073e4e0, 0x60ec, 0x4b6e, { 0x99, 0x3, 0x4c, 0x22, 0x3c, 0x26, 0xf, 0x3c } }
\r
107 ## GUID used to "certdb" variable to store the signer's certificates for common variables with EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS attribute.
\r
108 # Include/Guid/AuthenticatedVariableFormat.h
\r
109 gEfiCertDbGuid = { 0xd9bee56e, 0x75dc, 0x49d9, { 0xb4, 0xd7, 0xb5, 0x34, 0x21, 0xf, 0x63, 0x7a } }
\r
111 ## Hob GUID used to pass a TCG_PCR_EVENT from a TPM PEIM to a TPM DXE Driver.
\r
112 # Include/Guid/TcgEventHob.h
\r
113 gTcgEventEntryHobGuid = { 0x2b9ffb52, 0x1b13, 0x416f, { 0xa8, 0x7b, 0xbc, 0x93, 0xd, 0xef, 0x92, 0xa8 }}
\r
115 ## HOB GUID used to record TPM device error.
\r
116 # Include/Guid/TcgEventHob.h
\r
117 gTpmErrorHobGuid = { 0xef598499, 0xb25e, 0x473a, { 0xbf, 0xaf, 0xe7, 0xe5, 0x7d, 0xce, 0x82, 0xc4 }}
\r
119 ## HOB GUID used to pass all PEI measured FV info to DXE Driver.
\r
120 # Include/Guid/MeasuredFvHob.h
\r
121 gMeasuredFvHobGuid = { 0xb2360b42, 0x7173, 0x420a, { 0x86, 0x96, 0x46, 0xca, 0x6b, 0xab, 0x10, 0x60 }}
\r
123 ## GUID used to "PhysicalPresence" variable and "PhysicalPresenceFlags" variable for TPM request and response.
\r
124 # Include/Guid/PhysicalPresenceData.h
\r
125 gEfiPhysicalPresenceGuid = { 0xf6499b1, 0xe9ad, 0x493d, { 0xb9, 0xc2, 0x2f, 0x90, 0x81, 0x5c, 0x6c, 0xbc }}
\r
127 ## GUID used for form browser, password credential and provider identifier.
\r
128 # Include/Guid/PwdCredentialProviderHii.h
\r
129 gPwdCredentialProviderGuid = { 0x78b9ec8b, 0xc000, 0x46c5, { 0xac, 0x93, 0x24, 0xa0, 0xc1, 0xbb, 0x0, 0xce }}
\r
131 ## GUID used for form browser, USB credential and provider identifier.
\r
132 # Include/Guid/UsbCredentialProviderHii.h
\r
133 gUsbCredentialProviderGuid = { 0xd0849ed1, 0xa88c, 0x4ba6, { 0xb1, 0xd6, 0xab, 0x50, 0xe2, 0x80, 0xb7, 0xa9 }}
\r
135 ## GUID used for FormSet guid and user profile variable.
\r
136 # Include/Guid/UserIdentifyManagerHii.h
\r
137 gUserIdentifyManagerGuid = { 0x3ccd3dd8, 0x8d45, 0x4fed, { 0x96, 0x2d, 0x2b, 0x38, 0xcd, 0x82, 0xb3, 0xc4 }}
\r
139 ## GUID used for FormSet.
\r
140 # Include/Guid/UserProfileManagerHii.h
\r
141 gUserProfileManagerGuid = { 0xc35f272c, 0x97c2, 0x465a, { 0xa2, 0x16, 0x69, 0x6b, 0x66, 0x8a, 0x8c, 0xfe }}
\r
143 ## GUID used for FormSet.
\r
144 # Include/Guid/TcgConfigHii.h
\r
145 gTcgConfigFormSetGuid = { 0xb0f901e4, 0xc424, 0x45de, { 0x90, 0x81, 0x95, 0xe2, 0xb, 0xde, 0x6f, 0xb5 }}
\r
147 ## GUID used for FormSet.
\r
148 # Include/Guid/SecureBootConfigHii.h
\r
149 gSecureBootConfigFormSetGuid = { 0x5daf50a5, 0xea81, 0x4de2, {0x8f, 0x9b, 0xca, 0xbd, 0xa9, 0xcf, 0x5c, 0x14}}
\r
151 ## GUID used to "TrEEPhysicalPresence" variable and "TrEEPhysicalPresenceFlags" variable for TPM2 request and response.
\r
152 # Include/Guid/TrEEPhysicalPresenceData.h
\r
153 gEfiTrEEPhysicalPresenceGuid = { 0xf24643c2, 0xc622, 0x494e, { 0x8a, 0xd, 0x46, 0x32, 0x57, 0x9c, 0x2d, 0x5b }}
\r
155 ## GUID value used for PcdTpmInstanceGuid to indicate TPM is disabled.
\r
156 # Include/Guid/TpmInstance.h
\r
157 gEfiTpmDeviceInstanceNoneGuid = { 0x00000000, 0x0000, 0x0000, { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 } }
\r
159 ## GUID value used for PcdTpmInstanceGuid to indicate TPM 1.2 device is selected to support.
\r
160 # Include/Guid/TpmInstance.h
\r
161 gEfiTpmDeviceInstanceTpm12Guid = { 0x8b01e5b6, 0x4f19, 0x46e8, { 0xab, 0x93, 0x1c, 0x53, 0x67, 0x1b, 0x90, 0xcc } }
\r
163 ## GUID value used for PcdTpmInstanceGuid to indicate discrete TPM 2.0 device is selected to support.
\r
164 # Include/Guid/TpmInstance.h
\r
165 gEfiTpmDeviceInstanceTpm20DtpmGuid = { 0x286bf25a, 0xc2c3, 0x408c, { 0xb3, 0xb4, 0x25, 0xe6, 0x75, 0x8b, 0x73, 0x17 } }
\r
167 ## GUID used to select supported TPM instance from UI.
\r
168 # Include/Guid/TpmInstance.h
\r
169 gEfiTpmDeviceSelectedGuid = { 0x7f4158d3, 0x74d, 0x456d, { 0x8c, 0xb2, 0x1, 0xf9, 0xc8, 0xf7, 0x9d, 0xaa } }
\r
171 ## GUID used for FormSet and config variable.
\r
172 # Include/Guid/TrEEConfigHii.h
\r
173 gTrEEConfigFormSetGuid = {0xc54b425f, 0xaa79, 0x48b4, { 0x98, 0x1f, 0x99, 0x8b, 0x3c, 0x4b, 0x64, 0x1c }}
\r
176 ## The PPI GUID for that TPM physical presence should be locked.
\r
177 # Include/Ppi/LockPhysicalPresence.h
\r
178 gPeiLockPhysicalPresencePpiGuid = { 0xef9aefe5, 0x2bd3, 0x4031, { 0xaf, 0x7d, 0x5e, 0xfe, 0x5a, 0xbb, 0x9a, 0xd } }
\r
180 ## The PPI GUID for that TPM is initialized.
\r
181 # Include/Ppi/TpmInitialized.h
\r
182 gPeiTpmInitializedPpiGuid = { 0xe9db0d58, 0xd48d, 0x47f6, { 0x9c, 0x6e, 0x6f, 0x40, 0xe8, 0x6c, 0x7b, 0x41 }}
\r
184 ## Include/Ppi/FirmwareVolumeInfoMeasurementExcluded.h
\r
185 gEfiPeiFirmwareVolumeInfoMeasurementExcludedPpiGuid = { 0x6e056ff9, 0xc695, 0x4364, { 0x9e, 0x2c, 0x61, 0x26, 0xf5, 0xce, 0xea, 0xae } }
\r
188 # [Error.gEfiSecurityPkgTokenSpaceGuid]
\r
189 # 0x80000001 | Invalid value provided.
\r
190 # 0x80000002 | Reserved bits must be set to zero.
\r
193 [PcdsFixedAtBuild, PcdsPatchableInModule]
\r
194 ## Image verification policy for OptionRom. Only following values are valid:<BR><BR>
\r
195 # NOTE: Do NOT use 0x5 and 0x2 since it violates the UEFI specification and has been removed.<BR>
\r
196 # 0x00000000 Always trust the image.<BR>
\r
197 # 0x00000001 Never trust the image.<BR>
\r
198 # 0x00000002 Allow execution when there is security violation.<BR>
\r
199 # 0x00000003 Defer execution when there is security violation.<BR>
\r
200 # 0x00000004 Deny execution when there is security violation.<BR>
\r
201 # 0x00000005 Query user when there is security violation.<BR>
\r
202 # @Prompt Set policy for the image from OptionRom.
\r
203 # @ValidRange 0x80000001 | 0x00000000 - 0x00000005
\r
204 gEfiSecurityPkgTokenSpaceGuid.PcdOptionRomImageVerificationPolicy|0x04|UINT32|0x00000001
\r
206 ## Image verification policy for removable media which includes CD-ROM, Floppy, USB and network.
\r
207 # Only following values are valid:<BR><BR>
\r
208 # NOTE: Do NOT use 0x5 and 0x2 since it violates the UEFI specification and has been removed.<BR>
\r
209 # 0x00000000 Always trust the image.<BR>
\r
210 # 0x00000001 Never trust the image.<BR>
\r
211 # 0x00000002 Allow execution when there is security violation.<BR>
\r
212 # 0x00000003 Defer execution when there is security violation.<BR>
\r
213 # 0x00000004 Deny execution when there is security violation.<BR>
\r
214 # 0x00000005 Query user when there is security violation.<BR>
\r
215 # @Prompt Set policy for the image from removable media.
\r
216 # @ValidRange 0x80000001 | 0x00000000 - 0x00000005
\r
217 gEfiSecurityPkgTokenSpaceGuid.PcdRemovableMediaImageVerificationPolicy|0x04|UINT32|0x00000002
\r
219 ## Image verification policy for fixed media which includes hard disk.
\r
220 # Only following values are valid:<BR><BR>
\r
221 # NOTE: Do NOT use 0x5 and 0x2 since it violates the UEFI specification and has been removed.<BR>
\r
222 # 0x00000000 Always trust the image.<BR>
\r
223 # 0x00000001 Never trust the image.<BR>
\r
224 # 0x00000002 Allow execution when there is security violation.<BR>
\r
225 # 0x00000003 Defer execution when there is security violation.<BR>
\r
226 # 0x00000004 Deny execution when there is security violation.<BR>
\r
227 # 0x00000005 Query user when there is security violation.<BR>
\r
228 # @Prompt Set policy for the image from fixed media.
\r
229 # @ValidRange 0x80000001 | 0x00000000 - 0x00000005
\r
230 gEfiSecurityPkgTokenSpaceGuid.PcdFixedMediaImageVerificationPolicy|0x04|UINT32|0x00000003
\r
232 ## Defer Image Load policy settings. The policy is bitwise.
\r
233 # If a bit is set, the image from corresponding device will be trusted when loading. Or
\r
234 # the image will be deferred. The deferred image will be checked after user is identified.<BR><BR>
\r
235 # BIT0 - Image from unknown device. <BR>
\r
236 # BIT1 - Image from firmware volume.<BR>
\r
237 # BIT2 - Image from OptionRom.<BR>
\r
238 # BIT3 - Image from removable media which includes CD-ROM, Floppy, USB and network.<BR>
\r
239 # BIT4 - Image from fixed media device which includes hard disk.<BR>
\r
240 # @Prompt Set policy whether trust image before user identification.
\r
241 # @ValidRange 0x80000002 | 0x00000000 - 0x0000001F
\r
242 gEfiSecurityPkgTokenSpaceGuid.PcdDeferImageLoadPolicy|0x0000001F|UINT32|0x0000004
\r
244 ## Null-terminated Unicode string of the file name that is the default name to save USB credential.
\r
245 # The specified file should be saved at the root directory of USB storage disk.
\r
246 # @Prompt File name to save credential.
\r
247 gEfiSecurityPkgTokenSpaceGuid.PcdFixedUsbCredentialProviderTokenFileName|L"Token.bin"|VOID*|0x00000005
\r
249 ## The size of Append variable buffer. This buffer is reserved for runtime use, OS can append data into one existing variable.
\r
250 # Note: This PCD is not been used.
\r
251 # @Prompt Max variable size for append operation.
\r
252 gEfiSecurityPkgTokenSpaceGuid.PcdMaxAppendVariableSize|0x2000|UINT32|0x30000005
\r
254 ## Specifies the type of TCG platform that contains TPM chip.<BR><BR>
\r
255 # If 0, TCG platform type is PC client.<BR>
\r
256 # If 1, TCG platform type is PC server.<BR>
\r
257 # @Prompt Select platform type.
\r
258 # @ValidRange 0x80000001 | 0x00 - 0x1
\r
259 gEfiSecurityPkgTokenSpaceGuid.PcdTpmPlatformClass|0|UINT8|0x00000006
\r
261 ## Progress Code for TPM device subclass definitions.<BR><BR>
\r
262 # EFI_PERIPHERAL_TPM = (EFI_PERIPHERAL | 0x000D0000) = 0x010D0000<BR>
\r
263 # @Prompt Status Code for TPM device definitions
\r
264 # @ValidList 0x80000003 | 0x010D0000
\r
265 gEfiSecurityPkgTokenSpaceGuid.PcdStatusCodeSubClassTpmDevice|0x010D0000|UINT32|0x00000007
\r
267 [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
\r
268 ## Indicates the presence or absence of the platform operator during firmware booting.
\r
269 # If platform operator is not physical presence during boot. TPM will be locked and the TPM commands
\r
270 # that required operator physical presence can not run.<BR><BR>
\r
271 # TRUE - The platform operator is physically present.<BR>
\r
272 # FALSE - The platform operator is not physically present.<BR>
\r
273 # @Prompt Physical presence of the platform operator.
\r
274 gEfiSecurityPkgTokenSpaceGuid.PcdTpmPhysicalPresence|TRUE|BOOLEAN|0x00010001
\r
276 [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
\r
277 ## Indicates whether TPM physical presence is locked during platform initialization.
\r
278 # Once it is locked, it can not be unlocked for TPM life time.<BR><BR>
\r
279 # TRUE - Lock TPM physical presence asserting method.<BR>
\r
280 # FALSE - Not lock TPM physical presence asserting method.<BR>
\r
281 # @Prompt Lock TPM physical presence asserting method.
\r
282 gEfiSecurityPkgTokenSpaceGuid.PcdPhysicalPresenceLifetimeLock|FALSE|BOOLEAN|0x00010003
\r
284 [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
\r
285 ## Indicates whether the platform supports the software method of asserting physical presence.<BR><BR>
\r
286 # TRUE - Supports the software method of asserting physical presence.<BR>
\r
287 # FALSE - Does not support the software method of asserting physical presence.<BR>
\r
288 # @Prompt Enable software method of asserting physical presence.
\r
289 gEfiSecurityPkgTokenSpaceGuid.PcdPhysicalPresenceCmdEnable|TRUE|BOOLEAN|0x00010004
\r
291 [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
\r
292 ## Indicates whether the platform supports the hardware method of asserting physical presence.<BR><BR>
\r
293 # TRUE - Supports the hardware method of asserting physical presence.<BR>
\r
294 # FALSE - Does not support the hardware method of asserting physical presence.<BR>
\r
295 # @Prompt Enable hardware method of asserting physical presence.
\r
296 gEfiSecurityPkgTokenSpaceGuid.PcdPhysicalPresenceHwEnable|TRUE|BOOLEAN|0x00010005
\r
298 [PcdsFixedAtBuild, PcdsPatchableInModule, PcdsDynamic, PcdsDynamicEx]
\r
299 ## This PCD indicates if debugger exists. <BR><BR>
\r
300 # TRUE - Firmware debugger exists.<BR>
\r
301 # FALSE - Firmware debugger doesn't exist.<BR>
\r
302 # @Prompt Firmware debugger status.
\r
303 gEfiSecurityPkgTokenSpaceGuid.PcdFirmwareDebuggerInitialized|FALSE|BOOLEAN|0x00010009
\r
305 ## This PCD indicates the initialization policy for TPM 2.0.<BR><BR>
\r
306 # If 0, no initialization needed - most likely used for chipset SRTM solution, in which TPM is already initialized.<BR>
\r
307 # If 1, initialization needed.<BR>
\r
308 # @Prompt TPM 2.0 device initialization policy.<BR>
\r
309 # @ValidRange 0x80000001 | 0x00 - 0x1
\r
310 gEfiSecurityPkgTokenSpaceGuid.PcdTpm2InitializationPolicy|1|UINT8|0x0001000A
\r
312 ## This PCD indicates the initialization policy for TPM 1.2.<BR><BR>
\r
313 # If 0, no initialization needed - most likely used for chipset SRTM solution, in which TPM is already initialized.<BR>
\r
314 # If 1, initialization needed.<BR>
\r
315 # @Prompt TPM 1.2 device initialization policy.
\r
316 # @ValidRange 0x80000001 | 0x00 - 0x1
\r
317 gEfiSecurityPkgTokenSpaceGuid.PcdTpmInitializationPolicy|1|UINT8|0x0001000B
\r
319 ## This PCD indicates the TPM 2.0 SelfTest policy.<BR><BR>
\r
320 # if 0, no SelfTest needed - most likely used for fTPM, because it might already be tested.<BR>
\r
321 # if 1, SelfTest needed.<BR>
\r
322 # @Prompt TPM 2.0 device selftest.
\r
323 # @ValidRange 0x80000001 | 0x00 - 0x1
\r
324 gEfiSecurityPkgTokenSpaceGuid.PcdTpm2SelfTestPolicy|1|UINT8|0x0001000C
\r
326 ## This PCD indicates Static Core Root of Trust for Measurement (SCRTM) policy using TPM 2.0.<BR><BR>
\r
327 # if 0, no SCRTM measurement needed - In this case, it is already done.<BR>
\r
328 # if 1, SCRTM measurement done by BIOS.<BR>
\r
329 # @Prompt SCRTM policy setting for TPM 2.0 device.
\r
330 # @ValidRange 0x80000001 | 0x00 - 0x1
\r
331 gEfiSecurityPkgTokenSpaceGuid.PcdTpm2ScrtmPolicy|1|UINT8|0x0001000D
\r
333 ## This PCD indicates Static Core Root of Trust for Measurement (SCRTM) policy using TPM 1.2.<BR><BR>
\r
334 # if 0, no SCRTM measurement needed - In this case, it is already done.<BR>
\r
335 # if 1, SCRTM measurement done by BIOS.<BR>
\r
336 # @Prompt SCRTM policy setting for TPM 1.2 device
\r
337 # @ValidRange 0x80000001 | 0x00 - 0x1
\r
338 gEfiSecurityPkgTokenSpaceGuid.PcdTpmScrtmPolicy|1|UINT8|0x0001000E
\r
340 ## Guid name to identify TPM instance.<BR><BR>
\r
341 # TPM_DEVICE_INTERFACE_NONE means disable.<BR>
\r
342 # TPM_DEVICE_INTERFACE_TPM12 means TPM 1.2 DTPM.<BR>
\r
343 # TPM_DEVICE_INTERFACE_DTPM2 means TPM 2.0 DTPM.<BR>
\r
344 # @Prompt TPM device type identifier
\r
345 gEfiSecurityPkgTokenSpaceGuid.PcdTpmInstanceGuid |{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }|VOID*|0x0001000F
\r
347 ## This PCD indicates Hash mask for TPM 2.0.<BR><BR>
\r
348 # If this bit is set, that means this algorithm is needed to extend to PCR.<BR>
\r
349 # If this bit is clear, that means this algorithm is NOT needed to extend to PCR.<BR>
\r
351 # BIT1 - SHA256.<BR>
\r
352 # BIT2 - SHA384.<BR>
\r
353 # BIT3 - SHA512.<BR>
\r
354 # @Prompt Hash mask for TPM 2.0
\r
355 # @ValidRange 0x80000001 | 0x00000000 - 0x0000000F
\r
356 gEfiSecurityPkgTokenSpaceGuid.PcdTpm2HashMask|0x0000000F|UINT32|0x00010010
\r
358 ## This PCD indicates if BIOS auto detect TPM1.2 or dTPM2.0.<BR><BR>
\r
359 # FALSE - No auto detection.<BR>
\r
360 # TRUE - Auto detection.<BR>
\r
361 # @Prompt TPM type detection.
\r
362 gEfiSecurityPkgTokenSpaceGuid.PcdTpmAutoDetection|TRUE|BOOLEAN|0x00010011
\r
364 ## This PCD indicates TPM base address.<BR><BR>
\r
365 # @Prompt TPM device address.
\r
366 gEfiSecurityPkgTokenSpaceGuid.PcdTpmBaseAddress|0xFED40000|UINT64|0x00010012
\r
368 ## Provides one or more SHA 256 Hashes of the RSA 2048 public keys used to verify Recovery and Capsule Update images
\r
370 # @Prompt One or more SHA 256 Hashes of RSA 2048 bit public keys used to verify Recovery and Capsule Update images
\r
372 gEfiSecurityPkgTokenSpaceGuid.PcdRsa2048Sha256PublicKeyBuffer|{0x91, 0x29, 0xc4, 0xbd, 0xea, 0x6d, 0xda, 0xb3, 0xaa, 0x6f, 0x50, 0x16, 0xfc, 0xdb, 0x4b, 0x7e, 0x3c, 0xd6, 0xdc, 0xa4, 0x7a, 0x0e, 0xdd, 0xe6, 0x15, 0x8c, 0x73, 0x96, 0xa2, 0xd4, 0xa6, 0x4d}|VOID*|0x00010013
\r
374 [UserExtensions.TianoCore."ExtraFiles"]
\r
375 SecurityPkgExtra.uni
\r
projects / mirror_edk2.git / blob