SecurityPkg: Clean up source files
index bfecffa0fed8aeccd7f06c56f0e9d125b08a49b7..a271c813887f8e5864aa88e348429aad55143c53 100644 (file)
@@ -7,13 +7,13 @@
 \r
   Tpm2ExecutePendingTpmRequest() will receive untrusted input and do validation.\r
 \r
-Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.<BR>\r
-This program and the accompanying materials \r
-are licensed and made available under the terms and conditions of the BSD License \r
-which accompanies this distribution.  The full text of the license may be found at \r
+Copyright (c) 2013 - 2018, Intel Corporation. All rights reserved.<BR>\r
+This program and the accompanying materials\r
+are licensed and made available under the terms and conditions of the BSD License\r
+which accompanies this distribution.  The full text of the license may be found at\r
 http://opensource.org/licenses/bsd-license.php\r
 \r
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, \r
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
 \r
 **/\r
@@ -109,7 +109,7 @@ Done:
   Change EPS.\r
 \r
   @param[in]  PlatformAuth      platform auth value. NULL means no platform auth change.\r
-  \r
+\r
   @retval EFI_SUCCESS Operation completed successfully.\r
 **/\r
 EFI_STATUS\r
@@ -145,9 +145,9 @@ Tpm2CommandChangeEps (
   @param[in]      CommandCode         Physical presence operation value.\r
   @param[in]      CommandParameter    Physical presence operation parameter.\r
   @param[in, out] PpiFlags            The physical presence interface flags.\r
-  \r
+\r
   @retval TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE   Unknown physical presence operation.\r
-  @retval TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE   Error occurred during sending command to TPM or \r
+  @retval TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE   Error occurred during sending command to TPM or\r
                                                    receiving response from TPM.\r
   @retval Others                                   Return code from the TPM device after command execution.\r
 **/\r
@@ -163,9 +163,6 @@ Tcg2ExecutePhysicalPresence (
   EFI_TCG2_EVENT_ALGORITHM_BITMAP   TpmHashAlgorithmBitmap;\r
   UINT32                            ActivePcrBanks;\r
 \r
-  Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &ActivePcrBanks);\r
-  ASSERT_EFI_ERROR (Status);\r
-\r
   switch (CommandCode) {\r
     case TCG2_PHYSICAL_PRESENCE_CLEAR:\r
     case TCG2_PHYSICAL_PRESENCE_ENABLE_CLEAR:\r
@@ -187,6 +184,20 @@ Tcg2ExecutePhysicalPresence (
       return TCG_PP_OPERATION_RESPONSE_SUCCESS;\r
 \r
     case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS:\r
+      Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &ActivePcrBanks);\r
+      ASSERT_EFI_ERROR (Status);\r
+\r
+      //\r
+      // PP spec requirements:\r
+      //    Firmware should check that all requested (set) hashing algorithms are supported with respective PCR banks.\r
+      //    Firmware has to ensure that at least one PCR banks is active.\r
+      // If not, an error is returned and no action is taken.\r
+      //\r
+      if (CommandParameter == 0 || (CommandParameter & (~TpmHashAlgorithmBitmap)) != 0) {\r
+        DEBUG((DEBUG_ERROR, "PCR banks %x to allocate are not supported by TPM. Skip operation\n", CommandParameter));\r
+        return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;\r
+      }\r
+\r
       Status = Tpm2PcrAllocateBanks (PlatformAuth, TpmHashAlgorithmBitmap, CommandParameter);\r
       if (EFI_ERROR (Status)) {\r
         return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;\r
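Review bot: The new `ASSERT_EFI_ERROR (Status)` after `Tpm2GetCapabilitySupportedAndActivePcrs` is the only handling of a failed capability query, and ASSERT is compiled out of release builds, so on failure the added `CommandParameter & (~TpmHashAlgorithmBitmap)` check compares the OS-supplied parameter against an indeterminate bitmap and may let an unsupported bank set reach `Tpm2PcrAllocateBanks`. The file header says this path receives untrusted input, so fail closed: replace the ASSERT with `if (EFI_ERROR (Status)) { return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE; }` (an ASSERT may stay in front of it for the debug signal). The same pattern is introduced in the `TCG2_PHYSICAL_PRESENCE_LOG_ALL_DIGESTS` hunk that follows. `Tcg2ExecutePhysicalPresence` begins and ends outside this hunk.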
@@ -203,6 +214,8 @@ Tcg2ExecutePhysicalPresence (
       }\r
 \r
     case TCG2_PHYSICAL_PRESENCE_LOG_ALL_DIGESTS:\r
+      Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &ActivePcrBanks);\r
+      ASSERT_EFI_ERROR (Status);\r
       Status = Tpm2PcrAllocateBanks (PlatformAuth, TpmHashAlgorithmBitmap, TpmHashAlgorithmBitmap);\r
       if (EFI_ERROR (Status)) {\r
         return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;\r
@@ -210,6 +223,30 @@ Tcg2ExecutePhysicalPresence (
         return TCG_PP_OPERATION_RESPONSE_SUCCESS;\r
       }\r
 \r
+    case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID:\r
+      PpiFlags->PPFlags |= TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_ENABLE_BLOCK_SID;\r
+      return TCG_PP_OPERATION_RESPONSE_SUCCESS;\r
+\r
+    case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID:\r
+      PpiFlags->PPFlags &= ~TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_ENABLE_BLOCK_SID;\r
+      return TCG_PP_OPERATION_RESPONSE_SUCCESS;\r
+\r
+    case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_TRUE:\r
+      PpiFlags->PPFlags |= TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_BLOCK_SID;\r
+      return TCG_PP_OPERATION_RESPONSE_SUCCESS;\r
+\r
+    case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_FALSE:\r
+      PpiFlags->PPFlags &= ~TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_BLOCK_SID;\r
+      return TCG_PP_OPERATION_RESPONSE_SUCCESS;\r
+\r
+    case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_TRUE:\r
+      PpiFlags->PPFlags |= TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_BLOCK_SID;\r
+      return TCG_PP_OPERATION_RESPONSE_SUCCESS;\r
+\r
+    case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_FALSE:\r
+      PpiFlags->PPFlags &= ~TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_BLOCK_SID;\r
+      return TCG_PP_OPERATION_RESPONSE_SUCCESS;\r
+\r
     default:\r
       if (CommandCode <= TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX) {\r
         return TCG_PP_OPERATION_RESPONSE_SUCCESS;\r
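Review bot: The six new Block SID cases only toggle bits in `PpiFlags->PPFlags` and never send a TPM or storage command, which a reader coming from the TPM-command cases above will not expect, and nothing says who acts on the bits. Add a comment above `case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID:` such as `// Storage management operations only record the request in the PP flags variable; the component that enforces Block SID reads them back via Tcg2PhysicalPresenceLibGetManagementFlags.` The second half is inferred from the getter added at the end of this diff, so confirm that is the intended consumer before stating it. `Tcg2ExecutePhysicalPresence` begins and ends outside this hunk.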
@@ -237,8 +274,8 @@ Tcg2ReadUserKey (
   EFI_STATUS                        Status;\r
   EFI_INPUT_KEY                     Key;\r
   UINT16                            InputKey;\r
-      \r
-  InputKey = 0; \r
+\r
+  InputKey = 0;\r
   do {\r
     Status = gBS->CheckEvent (gST->ConIn->WaitForKey);\r
     if (!EFI_ERROR (Status)) {\r
@@ -252,13 +289,13 @@ Tcg2ReadUserKey (
       if ((Key.ScanCode == SCAN_F12) && CautionKey) {\r
         InputKey = Key.ScanCode;\r
       }\r
-    }      \r
+    }\r
   } while (InputKey == 0);\r
 \r
   if (InputKey != SCAN_ESC) {\r
     return TRUE;\r
   }\r
-  \r
+\r
   return FALSE;\r
 }\r
 \r
@@ -327,7 +364,7 @@ Tcg2UserConfirm (
 {\r
   CHAR16                            *ConfirmText;\r
   CHAR16                            *TmpStr1;\r
-  CHAR16                            *TmpStr2; \r
+  CHAR16                            *TmpStr2;\r
   UINTN                             BufSize;\r
   BOOLEAN                           CautionKey;\r
   BOOLEAN                           NoPpiInfo;\r
@@ -340,22 +377,6 @@ Tcg2UserConfirm (
   UINT32                            CurrentPCRBanks;\r
   EFI_STATUS                        Status;\r
 \r
-  Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **) &Tcg2Protocol);\r
-  ASSERT_EFI_ERROR (Status);\r
-\r
-  ProtocolCapability.Size = sizeof(ProtocolCapability);\r
-  Status = Tcg2Protocol->GetCapability (\r
-                           Tcg2Protocol,\r
-                           &ProtocolCapability\r
-                           );\r
-  ASSERT_EFI_ERROR (Status);\r
-\r
-  Status = Tcg2Protocol->GetActivePcrBanks (\r
-                           Tcg2Protocol,\r
-                           &CurrentPCRBanks\r
-                           );\r
-  ASSERT_EFI_ERROR (Status);\r
-  \r
   TmpStr2     = NULL;\r
   CautionKey  = FALSE;\r
   NoPpiInfo   = FALSE;\r
@@ -363,6 +384,9 @@ Tcg2UserConfirm (
   ConfirmText = AllocateZeroPool (BufSize);\r
   ASSERT (ConfirmText != NULL);\r
 \r
+  mTcg2PpStringPackHandle = HiiAddPackages (&gEfiTcg2PhysicalPresenceGuid, gImageHandle, DxeTcg2PhysicalPresenceLibStrings, NULL);\r
+  ASSERT (mTcg2PpStringPackHandle != NULL);\r
+\r
   switch (TpmPpCommand) {\r
 \r
     case TCG2_PHYSICAL_PRESENCE_CLEAR:\r
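Review bot: `HiiAddPackages` is now executed on every `Tcg2UserConfirm` call and its only failure handling is `ASSERT (mTcg2PpStringPackHandle != NULL)`, which is absent in release builds, so a NULL handle would then be used by every `Tcg2PhysicalPresenceGetStringById` call in the switch below. Since a FALSE return from this function is treated by the caller as "not confirmed", fail closed after the ASSERT with `if (mTcg2PpStringPackHandle == NULL) { FreePool (ConfirmText); return FALSE; }`. Also verify that no path between this call and the `HiiRemovePackages` at the end of the function returns early, since each such return would leak the package; most of that body is outside this hunk. `Tcg2UserConfirm` begins and ends outside this hunk.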
@@ -379,7 +403,7 @@ Tcg2UserConfirm (
       TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TPM_WARNING_CLEAR));\r
       StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), TmpStr1, (BufSize / sizeof (CHAR16)) - StrLen (ConfirmText) - 1);\r
       StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), L" \n\n", (BufSize / sizeof (CHAR16)) - StrLen (ConfirmText) - 1);\r
-      FreePool (TmpStr1);      \r
+      FreePool (TmpStr1);\r
 \r
       break;\r
 \r
@@ -399,11 +423,27 @@ Tcg2UserConfirm (
       TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TPM_WARNING_CLEAR));\r
       StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), TmpStr1, (BufSize / sizeof (CHAR16)) - StrLen (ConfirmText) - 1);\r
       StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), L" \n\n", (BufSize / sizeof (CHAR16)) - StrLen (ConfirmText) - 1);\r
-      FreePool (TmpStr1); \r
+      FreePool (TmpStr1);\r
 \r
       break;\r
 \r
     case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS:\r
+      Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **) &Tcg2Protocol);\r
+      ASSERT_EFI_ERROR (Status);\r
+\r
+      ProtocolCapability.Size = sizeof(ProtocolCapability);\r
+      Status = Tcg2Protocol->GetCapability (\r
+                               Tcg2Protocol,\r
+                               &ProtocolCapability\r
+                               );\r
+      ASSERT_EFI_ERROR (Status);\r
+\r
+      Status = Tcg2Protocol->GetActivePcrBanks (\r
+                               Tcg2Protocol,\r
+                               &CurrentPCRBanks\r
+                               );\r
+      ASSERT_EFI_ERROR (Status);\r
+\r
       CautionKey = TRUE;\r
       TmpStr2 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TPM_SET_PCR_BANKS));\r
 \r
@@ -413,11 +453,11 @@ Tcg2UserConfirm (
 \r
       TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TPM_WARNING_SET_PCR_BANKS_1));\r
       StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), TmpStr1, (BufSize / sizeof (CHAR16)) - StrLen (ConfirmText) - 1);\r
-      FreePool (TmpStr1);      \r
+      FreePool (TmpStr1);\r
 \r
       TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TPM_WARNING_SET_PCR_BANKS_2));\r
       StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), TmpStr1, (BufSize / sizeof (CHAR16)) - StrLen (ConfirmText) - 1);\r
-      FreePool (TmpStr1);      \r
+      FreePool (TmpStr1);\r
 \r
       Tcg2FillBufferWithBootHashAlg (TempBuffer, sizeof(TempBuffer), TpmPpCommandParameter);\r
       Tcg2FillBufferWithBootHashAlg (TempBuffer2, sizeof(TempBuffer2), CurrentPCRBanks);\r
@@ -428,7 +468,7 @@ Tcg2UserConfirm (
 \r
       StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), TmpStr1, (BufSize / sizeof (CHAR16)) - StrLen (ConfirmText) - 1);\r
       StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), L" \n", (BufSize / sizeof (CHAR16)) - StrLen (ConfirmText) - 1);\r
-      FreePool (TmpStr1);      \r
+      FreePool (TmpStr1);\r
 \r
       break;\r
 \r
@@ -442,14 +482,47 @@ Tcg2UserConfirm (
 \r
       TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TPM_WARNING_CHANGE_EPS_1));\r
       StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), TmpStr1, (BufSize / sizeof (CHAR16)) - StrLen (ConfirmText) - 1);\r
-      FreePool (TmpStr1);      \r
-      \r
+      FreePool (TmpStr1);\r
+\r
       TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TPM_WARNING_CHANGE_EPS_2));\r
       StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), TmpStr1, (BufSize / sizeof (CHAR16)) - StrLen (ConfirmText) - 1);\r
-      FreePool (TmpStr1);      \r
+      FreePool (TmpStr1);\r
+\r
+      break;\r
+\r
+    case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID:\r
+      TmpStr2 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TCG_STORAGE_ENABLE_BLOCK_SID));\r
+\r
+      TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TCG_STORAGE_HEAD_STR));\r
+      UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2);\r
+      FreePool (TmpStr1);\r
+      break;\r
+\r
+    case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID:\r
+      TmpStr2 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TCG_STORAGE_DISABLE_BLOCK_SID));\r
+\r
+      TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TCG_STORAGE_HEAD_STR));\r
+      UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2);\r
+      FreePool (TmpStr1);\r
+      break;\r
+\r
+    case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_FALSE:\r
+      NoPpiInfo  = TRUE;\r
+      TmpStr2 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TCG_STORAGE_PP_ENABLE_BLOCK_SID));\r
+\r
+      TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TCG_STORAGE_PPI_HEAD_STR));\r
+      UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2);\r
+      FreePool (TmpStr1);\r
+      break;\r
+\r
+    case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_FALSE:\r
+      NoPpiInfo  = TRUE;\r
+      TmpStr2 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TCG_STORAGE_PP_DISABLE_BLOCK_SID));\r
 \r
+      TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TCG_STORAGE_PPI_HEAD_STR));\r
+      UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2);\r
+      FreePool (TmpStr1);\r
       break;\r
-      \r
 \r
     default:\r
       ;\r
@@ -498,31 +571,32 @@ Tcg2UserConfirm (
 \r
   DstStr[80] = L'\0';\r
   for (Index = 0; Index < StrLen (ConfirmText); Index += 80) {\r
-    StrnCpyS (DstStr, sizeof (DstStr) / sizeof (CHAR16), ConfirmText + Index, sizeof (DstStr) / sizeof (CHAR16) - 1);    \r
-    Print (DstStr);    \r
+    StrnCpyS (DstStr, sizeof (DstStr) / sizeof (CHAR16), ConfirmText + Index, sizeof (DstStr) / sizeof (CHAR16) - 1);\r
+    Print (DstStr);\r
   }\r
-  \r
+\r
   FreePool (TmpStr1);\r
   FreePool (TmpStr2);\r
   FreePool (ConfirmText);\r
+  HiiRemovePackages (mTcg2PpStringPackHandle);\r
 \r
   if (Tcg2ReadUserKey (CautionKey)) {\r
     return TRUE;\r
   }\r
 \r
-  return FALSE;  \r
+  return FALSE;\r
 }\r
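Review bot: `Print (DstStr)` passes a buffer assembled from HII strings and hash-algorithm names as the format string, so any `%` that lands in the 80-character window, including a conversion cut in half by the `StrnCpyS` chunking, is interpreted by Print instead of being displayed. Use `Print (L"%s", DstStr);` so the confirmation text is emitted verbatim. The commit only reformatted that line, so this is an additional change rather than a correction of the hunk.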
 \r
 /**\r
-  Check if there is a valid physical presence command request. Also updates parameter value \r
+  Check if there is a valid physical presence command request. Also updates parameter value\r
   to whether the requested physical presence command already confirmed by user\r
\r
-   @param[in]  TcgPpData                 EFI Tcg2 Physical Presence request data. \r
+\r
+   @param[in]  TcgPpData                 EFI Tcg2 Physical Presence request data.\r
    @param[in]  Flags                     The physical presence interface flags.\r
-   @param[out] RequestConfirmed            If the physical presence operation command required user confirm from UI.\r
-                                             True, it indicates the command doesn't require user confirm, or already confirmed \r
-                                                   in last boot cycle by user.\r
-                                             False, it indicates the command need user confirm from UI.\r
+   @param[out] RequestConfirmed          If the physical presence operation command required user confirm from UI.\r
+                                           True, it indicates the command doesn't require user confirm, or already confirmed\r
+                                                 in last boot cycle by user.\r
+                                           False, it indicates the command need user confirm from UI.\r
 \r
    @retval  TRUE        Physical Presence operation command is valid.\r
    @retval  FALSE       Physical Presence operation command is invalid.\r
@@ -535,10 +609,22 @@ Tcg2HaveValidTpmRequest  (
   OUT     BOOLEAN                          *RequestConfirmed\r
   )\r
 {\r
-  BOOLEAN  IsRequestValid;\r
+  EFI_TCG2_PROTOCOL                 *Tcg2Protocol;\r
+  EFI_STATUS                        Status;\r
+  BOOLEAN                           IsRequestValid;\r
 \r
   *RequestConfirmed = FALSE;\r
 \r
+  if (TcgPpData->PPRequest <= TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX) {\r
+    //\r
+    // Need TCG2 protocol.\r
+    //\r
+    Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **) &Tcg2Protocol);\r
+    if (EFI_ERROR (Status)) {\r
+      return FALSE;\r
+    }\r
+  }\r
+\r
   switch (TcgPpData->PPRequest) {\r
     case TCG2_PHYSICAL_PRESENCE_NO_ACTION:\r
       *RequestConfirmed = TRUE;\r
@@ -571,11 +657,32 @@ Tcg2HaveValidTpmRequest  (
         *RequestConfirmed = TRUE;\r
       }\r
       break;\r
-      \r
+\r
     case TCG2_PHYSICAL_PRESENCE_LOG_ALL_DIGESTS:\r
       *RequestConfirmed = TRUE;\r
       break;\r
 \r
+    case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID:\r
+      if ((Flags.PPFlags & TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_BLOCK_SID) == 0) {\r
+        *RequestConfirmed = TRUE;\r
+      }\r
+      break;\r
+\r
+    case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID:\r
+      if ((Flags.PPFlags & TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_BLOCK_SID) == 0) {\r
+        *RequestConfirmed = TRUE;\r
+      }\r
+      break;\r
+\r
+    case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_TRUE:\r
+    case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_TRUE:\r
+      *RequestConfirmed = TRUE;\r
+      break;\r
+\r
+    case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_FALSE:\r
+    case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_FALSE:\r
+      break;\r
+\r
     default:\r
       if (TcgPpData->PPRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) {\r
         IsRequestValid = Tcg2PpVendorLibHasValidRequest (TcgPpData->PPRequest, Flags.PPFlags, RequestConfirmed);\r
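Review bot: The asymmetry between the `..._FUNC_TRUE` cases, which set `*RequestConfirmed = TRUE`, and the `..._FUNC_FALSE` cases, which leave it FALSE so the user is prompted, is the security-relevant part of this hunk and is not explained. Add a comment before `case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_TRUE:` such as `// Requiring physical presence needs no confirmation; removing the requirement (FUNC_FALSE) must be confirmed by a physically present user.` The ENABLE/DISABLE_BLOCK_SID cases likewise deserve a one-liner saying confirmation is skipped only while the matching `PP_REQUIRED` flag is clear. `Tcg2HaveValidTpmRequest` continues outside this hunk.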
@@ -613,15 +720,15 @@ Tcg2HaveValidTpmRequest  (
   TcgPpData variable is external input, so this function will validate\r
   its data structure to be valid value.\r
 \r
-  @param[in] PlatformAuth         platform auth value. NULL means no platform auth change.\r
-  @param[in] TcgPpData            Point to the physical presence NV variable.\r
-  @param[in] Flags                The physical presence interface flags.\r
+  @param[in]      PlatformAuth      platform auth value. NULL means no platform auth change.\r
+  @param[in, out] TcgPpData         Pointer to the physical presence NV variable.\r
+  @param[in, out] Flags             Pointer to the physical presence interface flags.\r
 **/\r
 VOID\r
 Tcg2ExecutePendingTpmRequest (\r
   IN      TPM2B_AUTH                       *PlatformAuth,  OPTIONAL\r
-  IN      EFI_TCG2_PHYSICAL_PRESENCE       *TcgPpData,\r
-  IN      EFI_TCG2_PHYSICAL_PRESENCE_FLAGS Flags\r
+  IN OUT  EFI_TCG2_PHYSICAL_PRESENCE       *TcgPpData,\r
+  IN OUT  EFI_TCG2_PHYSICAL_PRESENCE_FLAGS *Flags\r
   )\r
 {\r
   EFI_STATUS                        Status;\r
@@ -638,7 +745,7 @@ Tcg2ExecutePendingTpmRequest (
     return;\r
   }\r
 \r
-  if (!Tcg2HaveValidTpmRequest(TcgPpData, Flags, &RequestConfirmed)) {\r
+  if (!Tcg2HaveValidTpmRequest(TcgPpData, *Flags, &RequestConfirmed)) {\r
     //\r
     // Invalid operation request.\r
     //\r
@@ -664,14 +771,14 @@ Tcg2ExecutePendingTpmRequest (
 \r
   ResetRequired = FALSE;\r
   if (TcgPpData->PPRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) {\r
-    NewFlags = Flags;\r
+    NewFlags = *Flags;\r
     NewPPFlags = NewFlags.PPFlags;\r
     TcgPpData->PPResponse = Tcg2PpVendorLibExecutePendingRequest (PlatformAuth, TcgPpData->PPRequest, &NewPPFlags, &ResetRequired);\r
     NewFlags.PPFlags = NewPPFlags;\r
   } else {\r
     if (!RequestConfirmed) {\r
       //\r
-      // Print confirm text and wait for approval. \r
+      // Print confirm text and wait for approval.\r
       //\r
       RequestConfirmed = Tcg2UserConfirm (TcgPpData->PPRequest, TcgPpData->PPRequestParameter);\r
     }\r
@@ -680,12 +787,12 @@ Tcg2ExecutePendingTpmRequest (
     // Execute requested physical presence command\r
     //\r
     TcgPpData->PPResponse = TCG_PP_OPERATION_RESPONSE_USER_ABORT;\r
-    NewFlags = Flags;\r
+    NewFlags = *Flags;\r
     if (RequestConfirmed) {\r
       TcgPpData->PPResponse = Tcg2ExecutePhysicalPresence (\r
                                 PlatformAuth,\r
-                                TcgPpData->PPRequest, \r
-                                TcgPpData->PPRequestParameter, \r
+                                TcgPpData->PPRequest,\r
+                                TcgPpData->PPRequestParameter,\r
                                 &NewFlags\r
                                 );\r
     }\r
@@ -694,14 +801,15 @@ Tcg2ExecutePendingTpmRequest (
   //\r
   // Save the flags if it is updated.\r
   //\r
-  if (CompareMem (&Flags, &NewFlags, sizeof(EFI_TCG2_PHYSICAL_PRESENCE_FLAGS)) != 0) {\r
+  if (CompareMem (Flags, &NewFlags, sizeof(EFI_TCG2_PHYSICAL_PRESENCE_FLAGS)) != 0) {\r
+    *Flags = NewFlags;\r
     Status   = gRT->SetVariable (\r
                       TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE,\r
                       &gEfiTcg2PhysicalPresenceGuid,\r
                       EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,\r
                       sizeof (EFI_TCG2_PHYSICAL_PRESENCE_FLAGS),\r
                       &NewFlags\r
-                      ); \r
+                      );\r
   }\r
 \r
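Review bot: `*Flags = NewFlags;` is written back to the caller before `gRT->SetVariable` runs, so if the store fails the caller holds flags that were never persisted, and the `Flags=%x` log in `Tcg2PhysicalPresenceLibProcessRequest` reports that unpersisted value; whether `Status` is examined after this hunk is not visible here. Consider moving `*Flags = NewFlags;` after a successful `SetVariable`, or at least logging a failure with `DEBUG ((DEBUG_ERROR, ...))`. If operating on the new flags for the rest of this boot is intentional even when persistence fails, say so in the `Save the flags if it is updated.` comment. `Tcg2ExecutePendingTpmRequest` begins and ends outside this hunk.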
   //\r
@@ -709,7 +817,7 @@ Tcg2ExecutePendingTpmRequest (
   //\r
   if ((NewFlags.PPFlags & TCG2_LIB_PP_FLAG_RESET_TRACK) == 0) {\r
     TcgPpData->LastPPRequest = TcgPpData->PPRequest;\r
-    TcgPpData->PPRequest = TCG2_PHYSICAL_PRESENCE_NO_ACTION;    \r
+    TcgPpData->PPRequest = TCG2_PHYSICAL_PRESENCE_NO_ACTION;\r
     TcgPpData->PPRequestParameter = 0;\r
   }\r
 \r
@@ -745,6 +853,16 @@ Tcg2ExecutePendingTpmRequest (
     case TCG2_PHYSICAL_PRESENCE_LOG_ALL_DIGESTS:\r
       break;\r
 \r
+    case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID:\r
+    case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID:\r
+      break;\r
+\r
+    case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_TRUE:\r
+    case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_TRUE:\r
+    case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_FALSE:\r
+    case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_FALSE:\r
+      return;\r
+\r
     default:\r
       if (TcgPpData->LastPPRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) {\r
         if (ResetRequired) {\r
@@ -761,19 +879,19 @@ Tcg2ExecutePendingTpmRequest (
 \r
   Print (L"Rebooting system to make TPM2 settings in effect\n");\r
   gRT->ResetSystem (EfiResetCold, EFI_SUCCESS, 0, NULL);\r
-  ASSERT (FALSE);  \r
+  ASSERT (FALSE);\r
 }\r
 \r
 /**\r
   Check and execute the pending TPM request.\r
 \r
-  The TPM request may come from OS or BIOS. This API will display request information and wait \r
+  The TPM request may come from OS or BIOS. This API will display request information and wait\r
   for user confirmation if TPM request exists. The TPM request will be sent to TPM device after\r
-  the TPM request is confirmed, and one or more reset may be required to make TPM request to \r
+  the TPM request is confirmed, and one or more reset may be required to make TPM request to\r
   take effect.\r
-  \r
+\r
   This API should be invoked after console in and console out are all ready as they are required\r
-  to display request information and get user input to confirm the request.  \r
+  to display request information and get user input to confirm the request.\r
 \r
   @param[in]  PlatformAuth                   platform auth value. NULL means no platform auth change.\r
 **/\r
@@ -786,17 +904,11 @@ Tcg2PhysicalPresenceLibProcessRequest (
   EFI_STATUS                        Status;\r
   UINTN                             DataSize;\r
   EFI_TCG2_PHYSICAL_PRESENCE        TcgPpData;\r
-  EFI_TCG2_PROTOCOL                 *Tcg2Protocol;\r
   EDKII_VARIABLE_LOCK_PROTOCOL      *VariableLockProtocol;\r
   EFI_TCG2_PHYSICAL_PRESENCE_FLAGS  PpiFlags;\r
 \r
-  Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **) &Tcg2Protocol);\r
-  if (EFI_ERROR (Status)) {\r
-    return ;\r
-  }\r
-\r
   //\r
-  // This flags variable controls whether physical presence is required for TPM command. \r
+  // This flags variable controls whether physical presence is required for TPM command.\r
   // It should be protected from malicious software. We set it as read-only variable here.\r
   //\r
   Status = gBS->LocateProtocol (&gEdkiiVariableLockProtocolGuid, NULL, (VOID **)&VariableLockProtocol);\r
@@ -811,7 +923,7 @@ Tcg2PhysicalPresenceLibProcessRequest (
       ASSERT_EFI_ERROR (Status);\r
     }\r
   }\r
-  \r
+\r
   //\r
   // Check S4 resume\r
   //\r
@@ -820,9 +932,6 @@ Tcg2PhysicalPresenceLibProcessRequest (
     return ;\r
   }\r
 \r
-  mTcg2PpStringPackHandle = HiiAddPackages (&gEfiTcg2PhysicalPresenceGuid, gImageHandle, DxeTcg2PhysicalPresenceLibStrings, NULL);\r
-  ASSERT (mTcg2PpStringPackHandle != NULL);\r
-\r
   //\r
   // Initialize physical presence flags.\r
   //\r
@@ -835,7 +944,7 @@ Tcg2PhysicalPresenceLibProcessRequest (
                   &PpiFlags\r
                   );\r
   if (EFI_ERROR (Status)) {\r
-    PpiFlags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT;\r
+    PpiFlags.PPFlags = PcdGet32(PcdTcg2PhysicalPresenceFlags);\r
     Status   = gRT->SetVariable (\r
                       TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE,\r
                       &gEfiTcg2PhysicalPresenceGuid,\r
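Review bot: The missing-variable default here now comes from `PcdGet32(PcdTcg2PhysicalPresenceFlags)`, while the same fallback in `Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunction` and in the new `Tcg2PhysicalPresenceLibGetManagementFlags` (both later in this diff) still uses the compile-time `TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT | TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT`. A platform that overrides the PCD therefore sees different effective flags on those paths until the variable exists, so a vendor-lib or storage consumer could conclude physical presence is not required while the PP path requires it. Use `Flags.PPFlags = PcdGet32 (PcdTcg2PhysicalPresenceFlags);` in both places, or derive all three from one helper. `Tcg2PhysicalPresenceLibProcessRequest` begins and ends outside this hunk.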
@@ -847,9 +956,9 @@ Tcg2PhysicalPresenceLibProcessRequest (
       DEBUG ((EFI_D_ERROR, "[TPM2] Set physical presence flag failed, Status = %r\n", Status));\r
       return ;\r
     }\r
+    DEBUG((DEBUG_INFO, "[TPM2] Initial physical presence flags value is 0x%x\n", PpiFlags.PPFlags));\r
   }\r
-  DEBUG ((EFI_D_INFO, "[TPM2] PpiFlags = %x\n", PpiFlags.PPFlags));\r
-  \r
+\r
   //\r
   // Initialize physical presence variable.\r
   //\r
@@ -881,8 +990,8 @@ Tcg2PhysicalPresenceLibProcessRequest (
 \r
   //\r
   // Execute pending TPM request.\r
-  //  \r
-  Tcg2ExecutePendingTpmRequest (PlatformAuth, &TcgPpData, PpiFlags);\r
+  //\r
+  Tcg2ExecutePendingTpmRequest (PlatformAuth, &TcgPpData, &PpiFlags);\r
   DEBUG ((EFI_D_INFO, "[TPM2] PPResponse = %x (LastPPRequest=%x, Flags=%x)\n", TcgPpData.PPResponse, TcgPpData.LastPPRequest, PpiFlags.PPFlags));\r
 \r
 }\r
@@ -892,7 +1001,7 @@ Tcg2PhysicalPresenceLibProcessRequest (
 \r
   The TPM request may come from OS. This API will check if TPM request exists and need user\r
   input to confirmation.\r
-  \r
+\r
   @retval    TRUE        TPM needs input to confirm user physical presence.\r
   @retval    FALSE       TPM doesn't need input to confirm user physical presence.\r
 \r
@@ -907,14 +1016,8 @@ Tcg2PhysicalPresenceLibNeedUserConfirm(
   EFI_TCG2_PHYSICAL_PRESENCE        TcgPpData;\r
   UINTN                             DataSize;\r
   BOOLEAN                           RequestConfirmed;\r
-  EFI_TCG2_PROTOCOL                 *Tcg2Protocol;\r
   EFI_TCG2_PHYSICAL_PRESENCE_FLAGS  PpiFlags;\r
 \r
-  Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **) &Tcg2Protocol);\r
-  if (EFI_ERROR (Status)) {\r
-    return FALSE;\r
-  }\r
-\r
   //\r
   // Check S4 resume\r
   //\r
@@ -949,7 +1052,7 @@ Tcg2PhysicalPresenceLibNeedUserConfirm(
   if (EFI_ERROR (Status)) {\r
     return FALSE;\r
   }\r
-  \r
+\r
   if (TcgPpData.PPRequest == TCG2_PHYSICAL_PRESENCE_NO_ACTION) {\r
     //\r
     // No operation request\r
@@ -994,7 +1097,7 @@ Tcg2PhysicalPresenceLibReturnOperationResponseToOsFunction (
   EFI_STATUS                        Status;\r
   UINTN                             DataSize;\r
   EFI_TCG2_PHYSICAL_PRESENCE        PpData;\r
-  \r
+\r
   DEBUG ((EFI_D_INFO, "[TPM2] ReturnOperationResponseToOsFunction\n"));\r
 \r
   //\r
@@ -1014,7 +1117,7 @@ Tcg2PhysicalPresenceLibReturnOperationResponseToOsFunction (
     DEBUG ((EFI_D_ERROR, "[TPM2] Get PP variable failure! Status = %r\n", Status));\r
     return TCG_PP_RETURN_TPM_OPERATION_RESPONSE_FAILURE;\r
   }\r
-  \r
+\r
   *MostRecentRequest = PpData.LastPPRequest;\r
   *Response          = PpData.PPResponse;\r
 \r
@@ -1027,7 +1130,7 @@ Tcg2PhysicalPresenceLibReturnOperationResponseToOsFunction (
   Submit TPM Operation Request to Pre-OS Environment 2.\r
 \r
   Caution: This function may receive untrusted input.\r
-  \r
+\r
   @param[in]      OperationRequest TPM physical presence operation request.\r
   @param[in]      RequestParameter TPM physical presence operation request parameter.\r
 \r
@@ -1045,9 +1148,9 @@ Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunction (
   UINTN                             DataSize;\r
   EFI_TCG2_PHYSICAL_PRESENCE        PpData;\r
   EFI_TCG2_PHYSICAL_PRESENCE_FLAGS  Flags;\r
-  \r
+\r
   DEBUG ((EFI_D_INFO, "[TPM2] SubmitRequestToPreOSFunction, Request = %x, %x\n", OperationRequest, RequestParameter));\r
-  \r
+\r
   //\r
   // Get the Physical Presence variable\r
   //\r
@@ -1065,10 +1168,7 @@ Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunction (
   }\r
 \r
   if ((OperationRequest > TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX) &&\r
-      (OperationRequest < TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) ) {\r
-    //\r
-    // This command requires UI to prompt user for Auth data.\r
-    //\r
+      (OperationRequest < TCG2_PHYSICAL_PRESENCE_STORAGE_MANAGEMENT_BEGIN) ) {\r
     return TCG_PP_SUBMIT_REQUEST_TO_PREOS_NOT_IMPLEMENTED;\r
   }\r
 \r
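Review bot: Raising the rejection bound from `TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION` to `TCG2_PHYSICAL_PRESENCE_STORAGE_MANAGEMENT_BEGIN` means every operation number from the start of the storage range up to the vendor range is now accepted and stored in the PP variable, including numbers this library does not implement; as far as is visible here they are only rejected on the next boot by `Tcg2HaveValidTpmRequest`, while the OS is told `TCG_PP_SUBMIT_REQUEST_TO_PREOS_SUCCESS`. If the header defines an end of the storage-management range, bound the check with it too; otherwise add a comment on the `if` stating that undefined storage operations are deliberately deferred to execution-time validation. The removed `This command requires UI to prompt user for Auth data.` comment was the only explanation of the rejected range, so a one-line replacement would help. `Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunction` begins and ends outside this hunk.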
@@ -1084,11 +1184,10 @@ Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunction (
                     DataSize,\r
                     &PpData\r
                     );\r
-  }\r
-\r
-  if (EFI_ERROR (Status)) { \r
-    DEBUG ((EFI_D_ERROR, "[TPM2] Set PP variable failure! Status = %r\n", Status));\r
-    return TCG_PP_SUBMIT_REQUEST_TO_PREOS_GENERAL_FAILURE;\r
+    if (EFI_ERROR (Status)) {\r
+      DEBUG ((EFI_D_ERROR, "[TPM2] Set PP variable failure! Status = %r\n", Status));\r
+      return TCG_PP_SUBMIT_REQUEST_TO_PREOS_GENERAL_FAILURE;\r
+    }\r
   }\r
 \r
   if (OperationRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) {\r
@@ -1101,10 +1200,41 @@ Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunction (
                     &Flags\r
                     );\r
     if (EFI_ERROR (Status)) {\r
-      Flags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT;\r
+      Flags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT | TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT;\r
     }\r
     return Tcg2PpVendorLibSubmitRequestToPreOSFunction (OperationRequest, Flags.PPFlags, RequestParameter);\r
   }\r
 \r
   return TCG_PP_SUBMIT_REQUEST_TO_PREOS_SUCCESS;\r
 }\r
+\r
+/**\r
+  Return TPM2 ManagementFlags set by PP interface.\r
+\r
+  @retval    ManagementFlags    TPM2 Management Flags.\r
+**/\r
+UINT32\r
+EFIAPI\r
+Tcg2PhysicalPresenceLibGetManagementFlags (\r
+  VOID\r
+  )\r
+{\r
+  EFI_STATUS                        Status;\r
+  EFI_TCG2_PHYSICAL_PRESENCE_FLAGS  PpiFlags;\r
+  UINTN                             DataSize;\r
+\r
+  DEBUG ((EFI_D_INFO, "[TPM2] GetManagementFlags\n"));\r
+\r
+  DataSize = sizeof (EFI_TCG2_PHYSICAL_PRESENCE_FLAGS);\r
+  Status = gRT->GetVariable (\r
+                  TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE,\r
+                  &gEfiTcg2PhysicalPresenceGuid,\r
+                  NULL,\r
+                  &DataSize,\r
+                  &PpiFlags\r
+                  );\r
+  if (EFI_ERROR (Status)) {\r
+    PpiFlags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT | TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT;\r
+  }\r
+  return PpiFlags.PPFlags;\r
+}\r
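Review bot: `Tcg2PhysicalPresenceLibGetManagementFlags` accepts the `GetVariable` result without checking that `DataSize` still equals `sizeof (EFI_TCG2_PHYSICAL_PRESENCE_FLAGS)`; a shorter stored variable succeeds and leaves the tail of `PpiFlags` indeterminate, so `if (EFI_ERROR (Status) || DataSize != sizeof (PpiFlags))` is the safer condition (the other readers in this file share the pattern, so this may be an accepted convention here). The docblock uses `@retval ManagementFlags`, but this is a value rather than an enumerated status; `@return The current TPM2 management flags, or the compile-time defaults when the variable is absent or unreadable.` describes the contract, and a note that callers cannot distinguish the two cases would help consumers that enforce Block SID.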