X-Git-Url: https://git.proxmox.com/?p=mirror_edk2.git;a=blobdiff_plain;f=SecurityPkg%2FLibrary%2FDxeTcg2PhysicalPresenceLib%2FDxeTcg2PhysicalPresenceLib.c;h=a077b03a4d2bd688e2318a7788289bb04fc3882e;hp=bfecffa0fed8aeccd7f06c56f0e9d125b08a49b7;hb=e92ddda2b547f0b952935abaf44fd72e97dbf755;hpb=6a82ceb69093cf77ac36dff63225c05f764999ca diff --git a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c index bfecffa0fe..a077b03a4d 100644 --- a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c +++ b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c @@ -163,9 +163,6 @@ Tcg2ExecutePhysicalPresence ( EFI_TCG2_EVENT_ALGORITHM_BITMAP TpmHashAlgorithmBitmap; UINT32 ActivePcrBanks; - Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &ActivePcrBanks); - ASSERT_EFI_ERROR (Status); - switch (CommandCode) { case TCG2_PHYSICAL_PRESENCE_CLEAR: case TCG2_PHYSICAL_PRESENCE_ENABLE_CLEAR: @@ -187,6 +184,8 @@ Tcg2ExecutePhysicalPresence ( return TCG_PP_OPERATION_RESPONSE_SUCCESS; case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS: + Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &ActivePcrBanks); + ASSERT_EFI_ERROR (Status); Status = Tpm2PcrAllocateBanks (PlatformAuth, TpmHashAlgorithmBitmap, CommandParameter); if (EFI_ERROR (Status)) { return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE; @@ -203,6 +202,8 @@ Tcg2ExecutePhysicalPresence ( } case TCG2_PHYSICAL_PRESENCE_LOG_ALL_DIGESTS: + Status = Tpm2GetCapabilitySupportedAndActivePcrs (&TpmHashAlgorithmBitmap, &ActivePcrBanks); + ASSERT_EFI_ERROR (Status); Status = Tpm2PcrAllocateBanks (PlatformAuth, TpmHashAlgorithmBitmap, TpmHashAlgorithmBitmap); if (EFI_ERROR (Status)) { return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE; @@ -210,6 +211,30 @@ Tcg2ExecutePhysicalPresence ( return TCG_PP_OPERATION_RESPONSE_SUCCESS; } + case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID: + PpiFlags->PPFlags |= TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_ENABLE_BLOCK_SID; + return TCG_PP_OPERATION_RESPONSE_SUCCESS; + + case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID: + PpiFlags->PPFlags &= ~TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_ENABLE_BLOCK_SID; + return TCG_PP_OPERATION_RESPONSE_SUCCESS; + + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_TRUE: + PpiFlags->PPFlags |= TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_BLOCK_SID; + return TCG_PP_OPERATION_RESPONSE_SUCCESS; + + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_FALSE: + PpiFlags->PPFlags &= ~TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_BLOCK_SID; + return TCG_PP_OPERATION_RESPONSE_SUCCESS; + + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_TRUE: + PpiFlags->PPFlags |= TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_BLOCK_SID; + return TCG_PP_OPERATION_RESPONSE_SUCCESS; + + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_FALSE: + PpiFlags->PPFlags &= ~TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_BLOCK_SID; + return TCG_PP_OPERATION_RESPONSE_SUCCESS; + default: if (CommandCode <= TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX) { return TCG_PP_OPERATION_RESPONSE_SUCCESS; @@ -339,22 +364,6 @@ Tcg2UserConfirm ( EFI_TCG2_BOOT_SERVICE_CAPABILITY ProtocolCapability; UINT32 CurrentPCRBanks; EFI_STATUS Status; - - Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **) &Tcg2Protocol); - ASSERT_EFI_ERROR (Status); - - ProtocolCapability.Size = sizeof(ProtocolCapability); - Status = Tcg2Protocol->GetCapability ( - Tcg2Protocol, - &ProtocolCapability - ); - ASSERT_EFI_ERROR (Status); - - Status = Tcg2Protocol->GetActivePcrBanks ( - Tcg2Protocol, - &CurrentPCRBanks - ); - ASSERT_EFI_ERROR (Status); TmpStr2 = NULL; CautionKey = FALSE; @@ -363,6 +372,9 @@ Tcg2UserConfirm ( ConfirmText = AllocateZeroPool (BufSize); ASSERT (ConfirmText != NULL); + mTcg2PpStringPackHandle = HiiAddPackages (&gEfiTcg2PhysicalPresenceGuid, gImageHandle, DxeTcg2PhysicalPresenceLibStrings, NULL); + ASSERT (mTcg2PpStringPackHandle != NULL); + switch (TpmPpCommand) { case TCG2_PHYSICAL_PRESENCE_CLEAR: @@ -404,6 +416,22 @@ Tcg2UserConfirm ( break; case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS: + Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **) &Tcg2Protocol); + ASSERT_EFI_ERROR (Status); + + ProtocolCapability.Size = sizeof(ProtocolCapability); + Status = Tcg2Protocol->GetCapability ( + Tcg2Protocol, + &ProtocolCapability + ); + ASSERT_EFI_ERROR (Status); + + Status = Tcg2Protocol->GetActivePcrBanks ( + Tcg2Protocol, + &CurrentPCRBanks + ); + ASSERT_EFI_ERROR (Status); + CautionKey = TRUE; TmpStr2 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TPM_SET_PCR_BANKS)); @@ -449,7 +477,40 @@ Tcg2UserConfirm ( FreePool (TmpStr1); break; - + + case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID: + TmpStr2 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TCG_STORAGE_ENABLE_BLOCK_SID)); + + TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TCG_STORAGE_HEAD_STR)); + UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2); + FreePool (TmpStr1); + break; + + case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID: + TmpStr2 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TCG_STORAGE_DISABLE_BLOCK_SID)); + + TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TCG_STORAGE_HEAD_STR)); + UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2); + FreePool (TmpStr1); + break; + + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_FALSE: + NoPpiInfo = TRUE; + TmpStr2 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TCG_STORAGE_PP_ENABLE_BLOCK_SID)); + + TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TCG_STORAGE_PPI_HEAD_STR)); + UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2); + FreePool (TmpStr1); + break; + + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_FALSE: + NoPpiInfo = TRUE; + TmpStr2 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TCG_STORAGE_PP_DISABLE_BLOCK_SID)); + + TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TCG_STORAGE_PPI_HEAD_STR)); + UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2); + FreePool (TmpStr1); + break; default: ; @@ -505,6 +566,7 @@ Tcg2UserConfirm ( FreePool (TmpStr1); FreePool (TmpStr2); FreePool (ConfirmText); + HiiRemovePackages (mTcg2PpStringPackHandle); if (Tcg2ReadUserKey (CautionKey)) { return TRUE; @@ -519,10 +581,10 @@ Tcg2UserConfirm ( @param[in] TcgPpData EFI Tcg2 Physical Presence request data. @param[in] Flags The physical presence interface flags. - @param[out] RequestConfirmed If the physical presence operation command required user confirm from UI. - True, it indicates the command doesn't require user confirm, or already confirmed - in last boot cycle by user. - False, it indicates the command need user confirm from UI. + @param[out] RequestConfirmed If the physical presence operation command required user confirm from UI. + True, it indicates the command doesn't require user confirm, or already confirmed + in last boot cycle by user. + False, it indicates the command need user confirm from UI. @retval TRUE Physical Presence operation command is valid. @retval FALSE Physical Presence operation command is invalid. @@ -535,10 +597,22 @@ Tcg2HaveValidTpmRequest ( OUT BOOLEAN *RequestConfirmed ) { - BOOLEAN IsRequestValid; + EFI_TCG2_PROTOCOL *Tcg2Protocol; + EFI_STATUS Status; + BOOLEAN IsRequestValid; *RequestConfirmed = FALSE; + if (TcgPpData->PPRequest <= TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX) { + // + // Need TCG2 protocol. + // + Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **) &Tcg2Protocol); + if (EFI_ERROR (Status)) { + return FALSE; + } + } + switch (TcgPpData->PPRequest) { case TCG2_PHYSICAL_PRESENCE_NO_ACTION: *RequestConfirmed = TRUE; @@ -576,6 +650,27 @@ Tcg2HaveValidTpmRequest ( *RequestConfirmed = TRUE; break; + case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID: + if ((Flags.PPFlags & TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_ENABLE_BLOCK_SID) == 0) { + *RequestConfirmed = TRUE; + } + break; + + case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID: + if ((Flags.PPFlags & TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_PP_REQUIRED_FOR_DISABLE_BLOCK_SID) == 0) { + *RequestConfirmed = TRUE; + } + break; + + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_TRUE: + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_TRUE: + *RequestConfirmed = TRUE; + break; + + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_FALSE: + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_FALSE: + break; + default: if (TcgPpData->PPRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) { IsRequestValid = Tcg2PpVendorLibHasValidRequest (TcgPpData->PPRequest, Flags.PPFlags, RequestConfirmed); @@ -613,15 +708,15 @@ Tcg2HaveValidTpmRequest ( TcgPpData variable is external input, so this function will validate its data structure to be valid value. - @param[in] PlatformAuth platform auth value. NULL means no platform auth change. - @param[in] TcgPpData Point to the physical presence NV variable. - @param[in] Flags The physical presence interface flags. + @param[in] PlatformAuth platform auth value. NULL means no platform auth change. + @param[in, out] TcgPpData Pointer to the physical presence NV variable. + @param[in, out] Flags Pointer to the physical presence interface flags. **/ VOID Tcg2ExecutePendingTpmRequest ( IN TPM2B_AUTH *PlatformAuth, OPTIONAL - IN EFI_TCG2_PHYSICAL_PRESENCE *TcgPpData, - IN EFI_TCG2_PHYSICAL_PRESENCE_FLAGS Flags + IN OUT EFI_TCG2_PHYSICAL_PRESENCE *TcgPpData, + IN OUT EFI_TCG2_PHYSICAL_PRESENCE_FLAGS *Flags ) { EFI_STATUS Status; @@ -638,7 +733,7 @@ Tcg2ExecutePendingTpmRequest ( return; } - if (!Tcg2HaveValidTpmRequest(TcgPpData, Flags, &RequestConfirmed)) { + if (!Tcg2HaveValidTpmRequest(TcgPpData, *Flags, &RequestConfirmed)) { // // Invalid operation request. // @@ -664,7 +759,7 @@ Tcg2ExecutePendingTpmRequest ( ResetRequired = FALSE; if (TcgPpData->PPRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) { - NewFlags = Flags; + NewFlags = *Flags; NewPPFlags = NewFlags.PPFlags; TcgPpData->PPResponse = Tcg2PpVendorLibExecutePendingRequest (PlatformAuth, TcgPpData->PPRequest, &NewPPFlags, &ResetRequired); NewFlags.PPFlags = NewPPFlags; @@ -680,7 +775,7 @@ Tcg2ExecutePendingTpmRequest ( // Execute requested physical presence command // TcgPpData->PPResponse = TCG_PP_OPERATION_RESPONSE_USER_ABORT; - NewFlags = Flags; + NewFlags = *Flags; if (RequestConfirmed) { TcgPpData->PPResponse = Tcg2ExecutePhysicalPresence ( PlatformAuth, @@ -694,7 +789,8 @@ Tcg2ExecutePendingTpmRequest ( // // Save the flags if it is updated. // - if (CompareMem (&Flags, &NewFlags, sizeof(EFI_TCG2_PHYSICAL_PRESENCE_FLAGS)) != 0) { + if (CompareMem (Flags, &NewFlags, sizeof(EFI_TCG2_PHYSICAL_PRESENCE_FLAGS)) != 0) { + *Flags = NewFlags; Status = gRT->SetVariable ( TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE, &gEfiTcg2PhysicalPresenceGuid, @@ -745,6 +841,16 @@ Tcg2ExecutePendingTpmRequest ( case TCG2_PHYSICAL_PRESENCE_LOG_ALL_DIGESTS: break; + case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID: + case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID: + break; + + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_TRUE: + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_TRUE: + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_ENABLE_BLOCK_SID_FUNC_FALSE: + case TCG2_PHYSICAL_PRESENCE_SET_PP_REQUIRED_FOR_DISABLE_BLOCK_SID_FUNC_FALSE: + return; + default: if (TcgPpData->LastPPRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) { if (ResetRequired) { @@ -786,15 +892,9 @@ Tcg2PhysicalPresenceLibProcessRequest ( EFI_STATUS Status; UINTN DataSize; EFI_TCG2_PHYSICAL_PRESENCE TcgPpData; - EFI_TCG2_PROTOCOL *Tcg2Protocol; EDKII_VARIABLE_LOCK_PROTOCOL *VariableLockProtocol; EFI_TCG2_PHYSICAL_PRESENCE_FLAGS PpiFlags; - Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **) &Tcg2Protocol); - if (EFI_ERROR (Status)) { - return ; - } - // // This flags variable controls whether physical presence is required for TPM command. // It should be protected from malicious software. We set it as read-only variable here. @@ -820,9 +920,6 @@ Tcg2PhysicalPresenceLibProcessRequest ( return ; } - mTcg2PpStringPackHandle = HiiAddPackages (&gEfiTcg2PhysicalPresenceGuid, gImageHandle, DxeTcg2PhysicalPresenceLibStrings, NULL); - ASSERT (mTcg2PpStringPackHandle != NULL); - // // Initialize physical presence flags. // @@ -835,7 +932,7 @@ Tcg2PhysicalPresenceLibProcessRequest ( &PpiFlags ); if (EFI_ERROR (Status)) { - PpiFlags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT; + PpiFlags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT | TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT; Status = gRT->SetVariable ( TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE, &gEfiTcg2PhysicalPresenceGuid, @@ -848,7 +945,6 @@ Tcg2PhysicalPresenceLibProcessRequest ( return ; } } - DEBUG ((EFI_D_INFO, "[TPM2] PpiFlags = %x\n", PpiFlags.PPFlags)); // // Initialize physical presence variable. @@ -882,7 +978,7 @@ Tcg2PhysicalPresenceLibProcessRequest ( // // Execute pending TPM request. // - Tcg2ExecutePendingTpmRequest (PlatformAuth, &TcgPpData, PpiFlags); + Tcg2ExecutePendingTpmRequest (PlatformAuth, &TcgPpData, &PpiFlags); DEBUG ((EFI_D_INFO, "[TPM2] PPResponse = %x (LastPPRequest=%x, Flags=%x)\n", TcgPpData.PPResponse, TcgPpData.LastPPRequest, PpiFlags.PPFlags)); } @@ -907,14 +1003,8 @@ Tcg2PhysicalPresenceLibNeedUserConfirm( EFI_TCG2_PHYSICAL_PRESENCE TcgPpData; UINTN DataSize; BOOLEAN RequestConfirmed; - EFI_TCG2_PROTOCOL *Tcg2Protocol; EFI_TCG2_PHYSICAL_PRESENCE_FLAGS PpiFlags; - Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **) &Tcg2Protocol); - if (EFI_ERROR (Status)) { - return FALSE; - } - // // Check S4 resume // @@ -1065,10 +1155,7 @@ Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunction ( } if ((OperationRequest > TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX) && - (OperationRequest < TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) ) { - // - // This command requires UI to prompt user for Auth data. - // + (OperationRequest < TCG2_PHYSICAL_PRESENCE_STORAGE_MANAGEMENT_BEGIN) ) { return TCG_PP_SUBMIT_REQUEST_TO_PREOS_NOT_IMPLEMENTED; } @@ -1084,11 +1171,10 @@ Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunction ( DataSize, &PpData ); - } - - if (EFI_ERROR (Status)) { - DEBUG ((EFI_D_ERROR, "[TPM2] Set PP variable failure! Status = %r\n", Status)); - return TCG_PP_SUBMIT_REQUEST_TO_PREOS_GENERAL_FAILURE; + if (EFI_ERROR (Status)) { + DEBUG ((EFI_D_ERROR, "[TPM2] Set PP variable failure! Status = %r\n", Status)); + return TCG_PP_SUBMIT_REQUEST_TO_PREOS_GENERAL_FAILURE; + } } if (OperationRequest >= TCG2_PHYSICAL_PRESENCE_VENDOR_SPECIFIC_OPERATION) { @@ -1101,10 +1187,41 @@ Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunction ( &Flags ); if (EFI_ERROR (Status)) { - Flags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT; + Flags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT | TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT; } return Tcg2PpVendorLibSubmitRequestToPreOSFunction (OperationRequest, Flags.PPFlags, RequestParameter); } return TCG_PP_SUBMIT_REQUEST_TO_PREOS_SUCCESS; } + +/** + Return TPM2 ManagementFlags set by PP interface. + + @retval ManagementFlags TPM2 Management Flags. +**/ +UINT32 +EFIAPI +Tcg2PhysicalPresenceLibGetManagementFlags ( + VOID + ) +{ + EFI_STATUS Status; + EFI_TCG2_PHYSICAL_PRESENCE_FLAGS PpiFlags; + UINTN DataSize; + + DEBUG ((EFI_D_INFO, "[TPM2] GetManagementFlags\n")); + + DataSize = sizeof (EFI_TCG2_PHYSICAL_PRESENCE_FLAGS); + Status = gRT->GetVariable ( + TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE, + &gEfiTcg2PhysicalPresenceGuid, + NULL, + &DataSize, + &PpiFlags + ); + if (EFI_ERROR (Status)) { + PpiFlags.PPFlags = TCG2_BIOS_TPM_MANAGEMENT_FLAG_DEFAULT | TCG2_BIOS_STORAGE_MANAGEMENT_FLAG_DEFAULT; + } + return PpiFlags.PPFlags; +}