SecurityPkg TcgStorageOpalLib: Check the capability before use.
authorDong, Eric <eric.dong@intel.com>
Thu, 5 May 2016 00:51:28 +0000 (08:51 +0800)
committerFeng Tian <feng.tian@intel.com>
Mon, 9 May 2016 08:18:00 +0000 (16:18 +0800)
A Pyrite SSC device may not support Active Key, so
add check logic before enabling it.

Cc: Feng Tian <feng.tian@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Feng Tian <feng.tian@intel.com>
SecurityPkg/Library/TcgStorageOpalLib/TcgStorageOpalCore.c

index 7674ee5716811b811f09eb179bdcda7804e3b04e..cc8d5ef3f00033d2a9530732f47a44192de9da58 100644 (file)
@@ -814,6 +814,7 @@ OpalSetLockingSpAuthorityEnabledAndPin(
   TCG_PARSE_STRUCT  ParseStruct;\r
   UINT32            Size;\r
   TCG_UID           ActiveKey;\r
+  TCG_RESULT        Ret;\r
 \r
   NULL_CHECK(LockingSpSession);\r
   NULL_CHECK(NewPin);\r
@@ -901,30 +902,35 @@ OpalSetLockingSpAuthorityEnabledAndPin(
   ERROR_CHECK(OpalCreateRetrieveGlobalLockingRangeActiveKey(LockingSpSession, &CreateStruct, &Size));\r
   ERROR_CHECK(OpalPerformMethod(LockingSpSession, Size, Buf, sizeof(Buf), &ParseStruct, MethodStatus));\r
 \r
-  ERROR_CHECK(OpalParseRetrieveGlobalLockingRangeActiveKey(&ParseStruct, &ActiveKey));\r
-\r
-  ERROR_CHECK(TcgInitTcgCreateStruct(&CreateStruct, Buf, sizeof(Buf)));\r
-  ERROR_CHECK(TcgCreateSetAce(\r
-                  &CreateStruct,\r
-                  &Size,\r
-                  LockingSpSession->OpalBaseComId,\r
-                  LockingSpSession->ComIdExtension,\r
-                  LockingSpSession->TperSessionId,\r
-                  LockingSpSession->HostSessionId,\r
-                  (ActiveKey == OPAL_LOCKING_SP_K_AES_256_GLOBALRANGE_KEY) ? OPAL_LOCKING_SP_ACE_K_AES_256_GLOBALRANGE_GENKEY : OPAL_LOCKING_SP_ACE_K_AES_128_GLOBALRANGE_GENKEY,\r
-                  OPAL_LOCKING_SP_USER1_AUTHORITY,\r
-                  TCG_ACE_EXPRESSION_OR,\r
-                  OPAL_LOCKING_SP_ADMINS_AUTHORITY\r
-              ));\r
+  //\r
+  // For Pyrite type SSC, it not supports Active Key. \r
+  // So here add check logic before enable it.\r
+  //\r
+  Ret = OpalParseRetrieveGlobalLockingRangeActiveKey(&ParseStruct, &ActiveKey);\r
+  if (Ret == TcgResultSuccess) {\r
+    ERROR_CHECK(TcgInitTcgCreateStruct(&CreateStruct, Buf, sizeof(Buf)));\r
+    ERROR_CHECK(TcgCreateSetAce(\r
+                    &CreateStruct,\r
+                    &Size,\r
+                    LockingSpSession->OpalBaseComId,\r
+                    LockingSpSession->ComIdExtension,\r
+                    LockingSpSession->TperSessionId,\r
+                    LockingSpSession->HostSessionId,\r
+                    (ActiveKey == OPAL_LOCKING_SP_K_AES_256_GLOBALRANGE_KEY) ? OPAL_LOCKING_SP_ACE_K_AES_256_GLOBALRANGE_GENKEY : OPAL_LOCKING_SP_ACE_K_AES_128_GLOBALRANGE_GENKEY,\r
+                    OPAL_LOCKING_SP_USER1_AUTHORITY,\r
+                    TCG_ACE_EXPRESSION_OR,\r
+                    OPAL_LOCKING_SP_ADMINS_AUTHORITY\r
+                ));\r
 \r
-  ERROR_CHECK(OpalPerformMethod(LockingSpSession, Size, Buf, sizeof(Buf), &ParseStruct, MethodStatus));\r
+    ERROR_CHECK(OpalPerformMethod(LockingSpSession, Size, Buf, sizeof(Buf), &ParseStruct, MethodStatus));\r
 \r
-  if (*MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {\r
-    DEBUG ((DEBUG_INFO, "Update ACE for GLOBALRANGE_GENKEY failed\n"));\r
-    //\r
-    //TODO do we want to disable user1 if all permissions are not granted\r
-    //\r
-    return TcgResultFailure;\r
+    if (*MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {\r
+      DEBUG ((DEBUG_INFO, "Update ACE for GLOBALRANGE_GENKEY failed\n"));\r
+      //\r
+      // TODO do we want to disable user1 if all permissions are not granted\r
+      //\r
+      return TcgResultFailure;\r
+    }\r
   }\r
 \r
   ERROR_CHECK(TcgInitTcgCreateStruct(&CreateStruct, Buf, sizeof(Buf)));\r
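Review bot: The new `if (Ret == TcgResultSuccess)` treats every failure of `OpalParseRetrieveGlobalLockingRangeActiveKey` as "Pyrite device, no Active Key", so on an Opal device a malformed or failed response now silently skips the GLOBALRANGE_GENKEY ACE update where the old `ERROR_CHECK` aborted. The `*MethodStatus` set by the preceding `OpalPerformMethod` is also not inspected in the visible lines before the response is parsed. Consider gating the skip on the capability the device reports rather than on the parse result, or at minimum add an `else` branch that records it, e.g. `DEBUG ((DEBUG_INFO, "Active Key not retrieved, skipping GLOBALRANGE_GENKEY ACE update\n"));`. The function body starts and ends outside this hunk, so whether a later check covers this case cannot be seen here.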