// /** @file // Provides security features that conform to TCG/UEFI industry standards // // The security features include secure boot, measured boot and user identification. // It also provides the definitions(including PPIs/PROTOCOLs/GUIDs and library classes) // and libraries instances, which are used for those features. // // Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.
// // This program and the accompanying materials are licensed and made available under // the terms and conditions of the BSD License which accompanies this distribution. // The full text of the license may be found at // http://opensource.org/licenses/bsd-license.php // // THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, // WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. // // **/ #string STR_PACKAGE_ABSTRACT #language en-US "Provides security features that conform to TCG/UEFI industry standards" #string STR_PACKAGE_DESCRIPTION #language en-US "The security features include secure boot, measured boot and user identification. It also provides the definitions(including PPIs/PROTOCOLs/GUIDs and library classes) and libraries instances, which are used for those features." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdOptionRomImageVerificationPolicy_PROMPT #language en-US "Set policy for the image from OptionRom." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdOptionRomImageVerificationPolicy_HELP #language en-US "Image verification policy for OptionRom. Only following values are valid:

\n" "NOTE: Do NOT use 0x5 and 0x2 since it violates the UEFI specification and has been removed.
\n" "0x00000000 Always trust the image.
\n" "0x00000001 Never trust the image.
\n" "0x00000002 Allow execution when there is security violation.
\n" "0x00000003 Defer execution when there is security violation.
\n" "0x00000004 Deny execution when there is security violation.
\n" "0x00000005 Query user when there is security violation.
" #string STR_gEfiSecurityPkgTokenSpaceGuid_ERR_80000001 #language en-US "Invalid value provided." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdRemovableMediaImageVerificationPolicy_PROMPT #language en-US "Set policy for the image from removable media." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdRemovableMediaImageVerificationPolicy_HELP #language en-US "Image verification policy for removable media which includes CD-ROM, Floppy, USB and network. Only following values are valid:

\n" "NOTE: Do NOT use 0x5 and 0x2 since it violates the UEFI specification and has been removed.
\n" "0x00000000 Always trust the image.
\n" "0x00000001 Never trust the image.
\n" "0x00000002 Allow execution when there is security violation.
\n" "0x00000003 Defer execution when there is security violation.
\n" "0x00000004 Deny execution when there is security violation.
\n" "0x00000005 Query user when there is security violation.
" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdFixedMediaImageVerificationPolicy_PROMPT #language en-US "Set policy for the image from fixed media." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdFixedMediaImageVerificationPolicy_HELP #language en-US "Image verification policy for fixed media which includes hard disk. Only following values are valid:

\n" "NOTE: Do NOT use 0x5 and 0x2 since it violates the UEFI specification and has been removed.
\n" "0x00000000 Always trust the image.
\n" "0x00000001 Never trust the image.
\n" "0x00000002 Allow execution when there is security violation.
\n" "0x00000003 Defer execution when there is security violation.
\n" "0x00000004 Deny execution when there is security violation.
\n" "0x00000005 Query user when there is security violation.
" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdDeferImageLoadPolicy_PROMPT #language en-US "Set policy whether trust image before user identification." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdDeferImageLoadPolicy_HELP #language en-US "Defer Image Load policy settings. The policy is bitwise. If a bit is set, the image from corresponding device will be trusted when loading. Or the image will be deferred. The deferred image will be checked after user is identified.

\n" "BIT0 - Image from unknown device.
\n" "BIT1 - Image from firmware volume.
\n" "BIT2 - Image from OptionRom.
\n" "BIT3 - Image from removable media which includes CD-ROM, Floppy, USB and network.
\n" "BIT4 - Image from fixed media device which includes hard disk.
" #string STR_gEfiSecurityPkgTokenSpaceGuid_ERR_80000002 #language en-US "Reserved bits must be set to zero." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdFixedUsbCredentialProviderTokenFileName_PROMPT #language en-US "File name to save credential." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdFixedUsbCredentialProviderTokenFileName_HELP #language en-US "Null-terminated Unicode string of the file name that is the default name to save USB credential. The specified file should be saved at the root directory of USB storage disk." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdMaxAppendVariableSize_PROMPT #language en-US "Max variable size for append operation." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdMaxAppendVariableSize_HELP #language en-US "The size of Append variable buffer. This buffer is reserved for runtime use, OS can append data into one existing variable. Note: This PCD is not been used." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpmPlatformClass_PROMPT #language en-US "Select platform type." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpmPlatformClass_HELP #language en-US "Specifies the type of TCG platform that contains TPM chip.

\n" "If 0, TCG platform type is PC client.
\n" "If 1, TCG platform type is PC server.
" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpmPhysicalPresence_PROMPT #language en-US "Physical presence of the platform operator." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpmPhysicalPresence_HELP #language en-US "Indicates the presence or absence of the platform operator during firmware booting. If platform operator is not physical presnece during boot. TPM will be locked and the TPM commands that required operator physical presence can not run.

\n" "TRUE - The platform operator is physically present.
\n" "FALSE - The platform operator is not physically present.
" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdPhysicalPresenceLifetimeLock_PROMPT #language en-US "Lock TPM physical presence asserting method." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdPhysicalPresenceLifetimeLock_HELP #language en-US "Indicates whether TPM physical presence is locked during platform initialization. Once it is locked, it can not be unlocked for TPM life time.

\n" "TRUE - Lock TPM physical presence asserting method.
\n" "FALSE - Not lock TPM physical presence asserting method.
" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdPhysicalPresenceCmdEnable_PROMPT #language en-US "Enable software method of asserting physical presence." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdPhysicalPresenceCmdEnable_HELP #language en-US "Indicates whether the platform supports the software method of asserting physical presence.

\n" "TRUE - Supports the software method of asserting physical presence.
\n" "FALSE - Does not support the software method of asserting physical presence.
" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdPhysicalPresenceHwEnable_PROMPT #language en-US "Enable hardware method of asserting physical presence." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdPhysicalPresenceHwEnable_HELP #language en-US "Indicates whether the platform supports the hardware method of asserting physical presence.

\n" "TRUE - Supports the hardware method of asserting physical presence.
\n" "FALSE - Does not support the hardware method of asserting physical presence.
" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdFirmwareDebuggerInitialized_PROMPT #language en-US "Firmware debugger status." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdFirmwareDebuggerInitialized_HELP #language en-US "This PCD indicates if debugger exists.

\n" "TRUE - Firmware debugger exists.
\n" "FALSE - Firmware debugger doesn't exist.
" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2InitializationPolicy_PROMPT #language en-US "TPM 2.0 device initialization policy.
" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2InitializationPolicy_HELP #language en-US "This PCD indicates the initialization policy for TPM 2.0.

\n" "If 0, no initialization needed - most likely used for chipset SRTM solution, in which TPM is already initialized.
\n" "If 1, initialization needed.
" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpmInitializationPolicy_PROMPT #language en-US "TPM 1.2 device initialization policy." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpmInitializationPolicy_HELP #language en-US "This PCD indicates the initialization policy for TPM 1.2.

\n" "If 0, no initialization needed - most likely used for chipset SRTM solution, in which TPM is already initialized.
\n" "If 1, initialization needed.
" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2SelfTestPolicy_PROMPT #language en-US "TPM 2.0 device selftest." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2SelfTestPolicy_HELP #language en-US "This PCD indicates the TPM 2.0 SelfTest policy.

\n" "if 0, no SelfTest needed - most likely used for fTPM, because it might already be tested.
\n" "if 1, SelfTest needed.
" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2ScrtmPolicy_PROMPT #language en-US "SCRTM policy setting for TPM 2.0 device." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2ScrtmPolicy_HELP #language en-US "This PCD indicates Static Core Root of Trust for Measurement (SCRTM) policy using TPM 2.0.

\n" "if 0, no SCRTM measurement needed - In this case, it is already done.
\n" "if 1, SCRTM measurement done by BIOS.
" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpmScrtmPolicy_PROMPT #language en-US "SCRTM policy setting for TPM 1.2 device" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpmScrtmPolicy_HELP #language en-US "This PCD indicates Static Core Root of Trust for Measurement (SCRTM) policy using TPM 1.2.

\n" "if 0, no SCRTM measurement needed - In this case, it is already done.
\n" "if 1, SCRTM measurement done by BIOS.
" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpmInstanceGuid_PROMPT #language en-US "TPM device type identifier" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpmInstanceGuid_HELP #language en-US "Guid name to identify TPM instance.

\n" "TPM_DEVICE_INTERFACE_NONE means disable.
\n" "TPM_DEVICE_INTERFACE_TPM12 means TPM 1.2 DTPM.
\n" "TPM_DEVICE_INTERFACE_DTPM2 means TPM 2.0 DTPM.
\n" "Other GUID value means other TPM 2.0 device.
" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2HashMask_PROMPT #language en-US "Hash mask for TPM 2.0" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2HashMask_HELP #language en-US "This PCD indicates Hash mask for TPM 2.0.

\n" "If this bit is set, that means this algorithm is needed to extend to PCR.
\n" "If this bit is clear, that means this algorithm is NOT needed to extend to PCR.
\n" "BIT0 - SHA1.
\n" "BIT1 - SHA256.
\n" "BIT2 - SHA384.
\n" "BIT3 - SHA512.
" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpmAutoDetection_PROMPT #language en-US "TPM type detection." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpmAutoDetection_HELP #language en-US "This PCD indicates if BIOS auto detect TPM1.2 or dTPM2.0.

\n" "FALSE - No auto detection.
\n" "TRUE - Auto detection.
" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpmBaseAddress_PROMPT #language en-US "TPM device address." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpmBaseAddress_HELP #language en-US "This PCD indicates TPM base address.

" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdStatusCodeSubClassTpmDevice_PROMPT #language en-US "Status Code for TPM device definitions" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdStatusCodeSubClassTpmDevice_HELP #language en-US "Progress Code for TPM device subclass definitions.

\n" "EFI_PERIPHERAL_TPM = (EFI_PERIPHERAL | 0x000D0000) = 0x010D0000
" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdRsa2048Sha256PublicKeyBuffer_PROMPT #language en-US "One or more SHA 256 Hashes of RSA 2048 bit public keys used to verify Recovery and Capsule Update images" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdRsa2048Sha256PublicKeyBuffer_HELP #language en-US "Provides one or more SHA 256 Hashes of the RSA 2048 public keys used to verify Recovery and Capsule Update images\n" "WARNING: The default value is treated as test key. Please do not use default value in the production." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTcg2NumberOfPCRBanks_PROMPT #language en-US "OEM configurated number of PCR banks." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTcg2NumberOfPCRBanks_HELP #language en-US "This PCR means the OEM configurated number of PCR banks.\n" "0 means dynamic get from supported HASH algorithm" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTcg2HashAlgorithmBitmap_PROMPT #language en-US "Hash Algorithm bitmap." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTcg2HashAlgorithmBitmap_HELP #language en-US "This PCD indicated final BIOS supported Hash mask.\n" "Bios may choose to register a subset of PcdTpm2HashMask.\n" "So this PCD is final value of how many hash algo is extended to PCR.\n" "If software HashLib(HashLibBaseCryptoRouter) solution is chosen, this PCD\n" "has no need to be configured in platform dsc and will be set to correct\n" "value by the HashLib instance according to the HashInstanceLib instances\n" "linked, and the value of this PCD should be got in module entrypoint." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTcgLogAreaMinLen_PROMPT #language en-US "Minimum length(in bytes) of the system preboot TCG event log area(LAML)." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTcgLogAreaMinLen_HELP #language en-US "This PCD defines minimum length(in bytes) of the system preboot TCG event log area(LAML).\n" "For PC Client Implementation spec up to and including 1.2 the minimum log size is 64KB." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTcg2FinalLogAreaLen_PROMPT #language en-US "Length(in bytes) of the TCG2 Final event log area." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTcg2FinalLogAreaLen_HELP #language en-US "This PCD defines length(in bytes) of the TCG2 Final event log area." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTcgPhysicalPresenceInterfaceVer_PROMPT #language en-US "Version of Physical Presence interface supported by platform." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTcgPhysicalPresenceInterfaceVer_HELP #language en-US "Null-terminated string of the Version of Physical Presence interface supported by platform.

\n" "To support configuring from setup page, this PCD can be DynamicHii type and map to a setup option.
\n" "For example, map to TCG2_VERSION.PpiVersion to be configured by Tcg2ConfigDxe driver.
\n" "gEfiSecurityPkgTokenSpaceGuid.PcdTcgPhysicalPresenceInterfaceVer|L\"TCG2_VERSION\"|gTcg2ConfigFormSetGuid|0x0|\"1.3\"|NV,BS
" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdUserPhysicalPresence_PROMPT #language en-US "A physical presence user status" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdUserPhysicalPresence_HELP #language en-US "Indicate whether a physical presence user exist. " "When it is configured to Dynamic or DynamicEx, it can be set through detection using " "a platform-specific method (e.g. Button pressed) in a actual platform in early boot phase.

" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdPkcs7CertBuffer_PROMPT #language en-US "One PKCS7 cert used to verify Recovery and Capsule Update images" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdPkcs7CertBuffer_HELP #language en-US "Provides one PKCS7 cert used to verify Recovery and Capsule Update images\n" "WARNING: The default value is treated as test key. Please do not use default value in the production." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTcg2PhysicalPresenceFlags_PROMPT #language en-US " Initial setting of TCG2 Persistent Firmware Management Flags" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTcg2PhysicalPresenceFlags_HELP #language en-US "This PCD defines initial setting of TCG2 Persistent Firmware Management Flags\n" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2AcpiTableRev_PROMPT #language en-US "The revision of TPM2 ACPI table" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2AcpiTableRev_HELP #language en-US "This PCD defines initial revision of TPM2 ACPI table\n" "To support configuring from setup page, this PCD can be DynamicHii type and map to a setup option.
\n" "For example, map to TCG2_VERSION.Tpm2AcpiTableRev to be configured by Tcg2ConfigDxe driver.
\n" "gEfiSecurityPkgTokenSpaceGuid.PcdTpm2AcpiTableRev|L\"TCG2_VERSION\"|gTcg2ConfigFormSetGuid|0x8|3|NV,BS
" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2CurrentIrqNum_PROMPT #language en-US "Current TPM2 device interrupt number" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2CurrentIrqNum_HELP #language en-US "This PCD defines current TPM2 device interrupt number reported by _CRS. If set to 0, interrupt is disabled." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2PossibleIrqNumBuf_PROMPT #language en-US "Possible TPM2 device interrupt number buffer" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdTpm2PossibleIrqNumBuf_HELP #language en-US "This PCD defines possible TPM2 interrupt number in a platform reported by _PRS control method.\n" "If PcdTpm2CurrentIrqNum set to 0, _PRS will not report any possible TPM2 interrupt numbers." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdActiveTpmInterfaceType_PROMPT #language en-US "Current active TPM interface type" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdActiveTpmInterfaceType_HELP #language en-US "This PCD indicates current active TPM interface type.\n" "0x00 - FIFO interface as defined in TIS 1.3 is active.
\n" "0x01 - FIFO interface as defined in PTP for TPM 2.0 is active.
\n" "0x02 - CRB interface is active.
\n" "0xFF - Contains no current active TPM interface type
" #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdCRBIdleByPass_PROMPT #language en-US "IdleByass status supported by current active TPM interface." #string STR_gEfiSecurityPkgTokenSpaceGuid_PcdCRBIdleByPass_HELP #language en-US "This PCD records IdleByass status supported by current active TPM interface.\n" "Accodingt to TCG PTP spec 1.3, TPM with CRB interface can skip idle state and diretcly move to CmdReady state.
" "0x01 - Do not support IdleByPass.
\n" "0x02 - Support IdleByPass.
\n" "0xFF - IdleByPass State is not synced with TPM hardware.
"