SecurityPkg OpalPasswordDxe: Error handling enhance when input password.

Enhance the error handling:
1. When the device is unlocked at BIOS phase and system does a warm reboot,
the device may be still in unlock status if it uses external power. For
such case, we would still popup password window to ask user input. If
user presses ESC key here, we would force the system shut down or ask
user input again to avoid security hole.
2. When user reach max retry count, force shutdown.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Eric Dong <eric.dong@intel.com>
Reviewed-by: Feng Tian <feng.tian@intel.com>

diff --git a/SecurityPkg/Tcg/Opal/OpalPasswordDxe/OpalDriver.c b/SecurityPkg/Tcg/Opal/OpalPasswordDxe/OpalDriver.c
index 7c6deb8f39ca0fd9dd3da51e69dd4932fd695b1b..3764b243444c6d8efbe46eb68d26dbe10734ba22 100644 (file)
--- a/SecurityPkg/Tcg/Opal/OpalPasswordDxe/OpalDriver.c
+++ b/SecurityPkg/Tcg/Opal/OpalPasswordDxe/OpalDriver.c
@@ -263,6 +263,7 @@ OpalDriverRequestPassword (
   EFI_INPUT_KEY       Key;\r
   OPAL_SESSION        Session;\r
   BOOLEAN             PressEsc;\r
+  BOOLEAN             Locked;\r
 \r
   if (Dev == NULL) {\r
     return;\r
@@ -277,33 +278,61 @@ OpalDriverRequestPassword (
     Session.MediaId = Dev->OpalDisk.MediaId;\r
     Session.OpalBaseComId = Dev->OpalDisk.OpalBaseComId;\r
 \r
+    Locked = OpalDeviceLocked (&Dev->OpalDisk.SupportedAttributes, &Dev->OpalDisk.LockingFeature);\r
+\r
     while (Count < MAX_PASSWORD_TRY_COUNT) {\r
       Password = OpalDriverPopUpHddPassword (Dev, &PressEsc);\r
       if (PressEsc) {\r
-        //\r
-        // User not input password and press ESC, keep device in lock status and continue boot.\r
-        //\r
-        do {\r
-          CreatePopUp (\r
-                  EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,\r
-                  &Key,\r
-                  L"Confirm: Not unlock device and continue boot?.",\r
-                  L"Press ENTER to confirm, Press Esc to input password",\r
-                  NULL\r
-                  );\r
-        } while ((Key.ScanCode != SCAN_ESC) && (Key.UnicodeChar != CHAR_CARRIAGE_RETURN));\r
-\r
-        if (Key.UnicodeChar == CHAR_CARRIAGE_RETURN) {\r
-          gST->ConOut->ClearScreen(gST->ConOut);\r
+        if (Locked) {\r
           //\r
-          // Keep lock and continue boot.\r
+          // Current device in the lock status and\r
+          // User not input password and press ESC,\r
+          // keep device in lock status and continue boot.\r
           //\r
-          return;\r
+          do {\r
+            CreatePopUp (\r
+                    EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,\r
+                    &Key,\r
+                    L"Press ENTER to skip password, Press ESC to input password",\r
+                    NULL\r
+                    );\r
+          } while ((Key.ScanCode != SCAN_ESC) && (Key.UnicodeChar != CHAR_CARRIAGE_RETURN));\r
+\r
+          if (Key.UnicodeChar == CHAR_CARRIAGE_RETURN) {\r
+            gST->ConOut->ClearScreen(gST->ConOut);\r
+            //\r
+            // Keep lock and continue boot.\r
+            //\r
+            return;\r
+          } else {\r
+            //\r
+            // Let user input password again.\r
+            //\r
+            continue;\r
+          }\r
         } else {\r
           //\r
-          // Let user input password again.\r
+          // Current device in the unlock status and\r
+          // User not input password and press ESC,\r
+          // Shutdown the device.\r
           //\r
-          continue;\r
+          do {\r
+            CreatePopUp (\r
+                    EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,\r
+                    &Key,\r
+                    L"Press ENTER to shutdown, Press ESC to input password",\r
+                    NULL\r
+                    );\r
+          } while ((Key.ScanCode != SCAN_ESC) && (Key.UnicodeChar != CHAR_CARRIAGE_RETURN));\r
+\r
+          if (Key.UnicodeChar == CHAR_CARRIAGE_RETURN) {\r
+            gRT->ResetSystem (EfiResetShutdown, EFI_SUCCESS, 0, NULL);\r
+          } else {\r
+            //\r
+            // Let user input password again.\r
+            //\r
+            continue;\r
+          }\r
         }\r
       }\r
 \r
@@ -313,7 +342,7 @@ OpalDriverRequestPassword (
       }\r
       PasswordLen = (UINT32) AsciiStrLen(Password);\r
 \r
-      if (OpalDeviceLocked (&Dev->OpalDisk.SupportedAttributes, &Dev->OpalDisk.LockingFeature)) {\r
+      if (Locked) {\r
         Ret = OpalSupportUnlock(&Session, Password, PasswordLen, Dev->OpalDevicePath);\r
       } else {\r
         Ret = OpalSupportLock(&Session, Password, PasswordLen, Dev->OpalDevicePath);\r
@@ -349,12 +378,13 @@ OpalDriverRequestPassword (
         CreatePopUp (\r
                 EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE,\r
                 &Key,\r
-                L"Opal password retry count is expired. Keep lock and continue boot.",\r
-                L"Press ENTER to continue",\r
+                L"Opal password retry count exceeds the limit. Must shutdown!",\r
+                L"Press ENTER to shutdown",\r
                 NULL\r
                 );\r
       } while (Key.UnicodeChar != CHAR_CARRIAGE_RETURN);\r
-      gST->ConOut->ClearScreen(gST->ConOut);\r
+\r
+      gRT->ResetSystem (EfiResetShutdown, EFI_SUCCESS, 0, NULL);\r
     }\r
   }\r
 }\r