SecurityPkg/OpalPassword: Add PCD to skip password prompt

[mirror_edk2.git] / SecurityPkg / Tcg / Opal / OpalPassword / OpalDriver.c
diff --git a/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c b/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c

index 42999c89f0fb48673346b10b9c6e50053c416744..e14fa32354ea09c7665e661c95ba0dcbe48e7c63 100644 (file)
--- a/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
+++ b/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
@@ -424,6 +424,52 @@ BuildOpalDeviceInfo (
    FreePool (S3InitDevices);\r
  }\r
  \r
+/**\r
+\r
+  Send BlockSid command if needed.\r
+\r
+**/\r
+VOID\r
+SendBlockSidCommand (\r
+  VOID\r
+  )\r
+{\r
+  OPAL_DRIVER_DEVICE                         *Itr;\r
+  TCG_RESULT                                 Result;\r
+  OPAL_SESSION                               Session;\r
+  UINT32                                     PpStorageFlag;\r
+\r
+  PpStorageFlag = Tcg2PhysicalPresenceLibGetManagementFlags ();\r
+  if ((PpStorageFlag & TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_ENABLE_BLOCK_SID) != 0) {\r
+    //\r
+    // Send BlockSID command to each Opal disk\r
+    //\r
+    Itr = mOpalDriver.DeviceList;\r
+    while (Itr != NULL) {\r
+      if (Itr->OpalDisk.SupportedAttributes.BlockSid) {\r
+        ZeroMem(&Session, sizeof(Session));\r
+        Session.Sscp = Itr->OpalDisk.Sscp;\r
+        Session.MediaId = Itr->OpalDisk.MediaId;\r
+        Session.OpalBaseComId = Itr->OpalDisk.OpalBaseComId;\r
+\r
+        DEBUG ((DEBUG_INFO, "OpalPassword: EndOfDxe point, send BlockSid command to device!\n"));\r
+        Result = OpalBlockSid (&Session, TRUE);  // HardwareReset must always be TRUE\r
+        if (Result != TcgResultSuccess) {\r
+          DEBUG ((DEBUG_ERROR, "OpalBlockSid fail\n"));\r
+          break;\r
+        }\r
+\r
+        //\r
+        // Record BlockSID command has been sent.\r
+        //\r
+        Itr->OpalDisk.SentBlockSID = TRUE;\r
+      }\r
+\r
+      Itr = Itr->Next;\r
+    }\r
+  }\r
+}\r
+\r
  /**\r
    Notification function of EFI_END_OF_DXE_EVENT_GROUP_GUID event group.\r
  \r
@@ -475,6 +521,11 @@ OpalEndOfDxeEventNotify (
      TmpDev = TmpDev->Next;\r
    }\r
  \r
+  //\r
+  // Send BlockSid command if needed.\r
+  //\r
+  SendBlockSidCommand ();\r
+\r
    DEBUG ((DEBUG_INFO, "%a() - exit\n", __FUNCTION__));\r
  \r
    gBS->CloseEvent (Event);\r
@@ -848,8 +899,20 @@ OpalDriverRequestPassword (
  \r
      IsLocked = OpalDeviceLocked (&Dev->OpalDisk.SupportedAttributes, &Dev->OpalDisk.LockingFeature);\r
  \r
-    if (IsLocked && PcdGetBool (PcdSkipOpalDxeUnlock)) {\r
-      return;\r
+    //\r
+    // Add PcdSkipOpalPasswordPrompt to determin whether to skip password prompt.\r
+    // Due to board design, device may not power off during system warm boot, which result in\r
+    // security status remain unlocked status, hence we add device security status check here.\r
+    //\r
+    // If device is in the locked status, device keeps locked and system continues booting.\r
+    // If device is in the unlocked status, system is forced shutdown to support security requirement.\r
+    //\r
+    if (PcdGetBool (PcdSkipOpalPasswordPrompt)) {\r
+      if (IsLocked) {\r
+        return;\r
+      } else {\r
+        gRT->ResetSystem (EfiResetShutdown, EFI_SUCCESS, 0, NULL);\r
+      }\r
      }\r
  \r
      while (Count < MAX_PASSWORD_TRY_COUNT) {\r
@@ -2158,6 +2221,12 @@ ProcessOpalRequest (
          ProcessOpalRequestEnableFeature (Dev, L"Enable Feature:");\r
        }\r
  \r
+      //\r
+      // Update Device ownership.\r
+      // Later BlockSID command may block the update.\r
+      //\r
+      OpalDiskUpdateOwnerShip (&Dev->OpalDisk);\r
+\r
        break;\r
      }\r
  \r
@@ -2262,53 +2331,6 @@ OpalDriverGetDeviceList(
    return mOpalDriver.DeviceList;\r
  }\r
  \r
-/**\r
-  ReadyToBoot callback to send BlockSid command.\r
-\r
-  @param  Event   Pointer to this event\r
-  @param  Context Event handler private Data\r
-\r
-**/\r
-VOID\r
-EFIAPI\r
-ReadyToBootCallback (\r
-  IN EFI_EVENT        Event,\r
-  IN VOID             *Context\r
-  )\r
-{\r
-  OPAL_DRIVER_DEVICE                         *Itr;\r
-  TCG_RESULT                                 Result;\r
-  OPAL_SESSION                               Session;\r
-  UINT32                                     PpStorageFlag;\r
-\r
-  gBS->CloseEvent (Event);\r
-\r
-  PpStorageFlag = Tcg2PhysicalPresenceLibGetManagementFlags ();\r
-  if ((PpStorageFlag & TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_ENABLE_BLOCK_SID) != 0) {\r
-    //\r
-    // Send BlockSID command to each Opal disk\r
-    //\r
-    Itr = mOpalDriver.DeviceList;\r
-    while (Itr != NULL) {\r
-      if (Itr->OpalDisk.SupportedAttributes.BlockSid) {\r
-        ZeroMem(&Session, sizeof(Session));\r
-        Session.Sscp = Itr->OpalDisk.Sscp;\r
-        Session.MediaId = Itr->OpalDisk.MediaId;\r
-        Session.OpalBaseComId = Itr->OpalDisk.OpalBaseComId;\r
-\r
-        DEBUG ((DEBUG_INFO, "OpalPassword: ReadyToBoot point, send BlockSid command to device!\n"));\r
-        Result = OpalBlockSid (&Session, TRUE);  // HardwareReset must always be TRUE\r
-        if (Result != TcgResultSuccess) {\r
-          DEBUG ((DEBUG_ERROR, "OpalBlockSid fail\n"));\r
-          break;\r
-        }\r
-      }\r
-\r
-      Itr = Itr->Next;\r
-    }\r
-  }\r
-}\r
-\r
  /**\r
    Stop this Controller.\r
  \r
@@ -2571,7 +2593,6 @@ EfiDriverEntryPoint(
    )\r
  {\r
    EFI_STATUS                     Status;\r
-  EFI_EVENT                      ReadyToBootEvent;\r
    EFI_EVENT                      EndOfDxeEvent;\r
  \r
    Status = EfiLibInstallDriverBindingComponentName2 (\r
@@ -2604,16 +2625,6 @@ EfiDriverEntryPoint(
                    );\r
    ASSERT_EFI_ERROR (Status);\r
  \r
-  //\r
-  // register a ReadyToBoot event callback for sending BlockSid command\r
-  //\r
-  Status = EfiCreateEventReadyToBootEx (\r
-                  TPL_CALLBACK,\r
-                  ReadyToBootCallback,\r
-                  (VOID *) &ImageHandle,\r
-                  &ReadyToBootEvent\r
-                  );\r
-\r
    //\r
    // Install Hii packages.\r
    //\r