SecurityPkg DxeTcg2PPLib: Lock Tcg2PhysicalPresenceFlags variable on S4
authorStar Zeng <star.zeng@intel.com>
Fri, 18 Nov 2016 07:34:54 +0000 (15:34 +0800)
committerStar Zeng <star.zeng@intel.com>
Wed, 23 Nov 2016 08:56:18 +0000 (16:56 +0800)
This patch updates Tcg2PhysicalPresenceLibProcessRequest() to also lock
the Tcg2PhysicalPresenceFlags variable on S4.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c

index 4cec0f75278bcdeac4f5fdd956d69abed63ae28e..bfecffa0fed8aeccd7f06c56f0e9d125b08a49b7 100644 (file)
@@ -794,6 +794,23 @@ Tcg2PhysicalPresenceLibProcessRequest (
   if (EFI_ERROR (Status)) {\r
     return ;\r
   }\r
+\r
+  //\r
+  // This flags variable controls whether physical presence is required for TPM command. \r
+  // It should be protected from malicious software. We set it as read-only variable here.\r
+  //\r
+  Status = gBS->LocateProtocol (&gEdkiiVariableLockProtocolGuid, NULL, (VOID **)&VariableLockProtocol);\r
+  if (!EFI_ERROR (Status)) {\r
+    Status = VariableLockProtocol->RequestToLock (\r
+                                     VariableLockProtocol,\r
+                                     TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE,\r
+                                     &gEfiTcg2PhysicalPresenceGuid\r
+                                     );\r
+    if (EFI_ERROR (Status)) {\r
+      DEBUG ((EFI_D_ERROR, "[TPM2] Error when lock variable %s, Status = %r\n", TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE, Status));\r
+      ASSERT_EFI_ERROR (Status);\r
+    }\r
+  }\r
   \r
   //\r
   // Check S4 resume\r
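Review bot: If `LocateProtocol` for `gEdkiiVariableLockProtocolGuid` fails, the relocated block falls through silently, so the flags variable that decides whether physical presence is required stays writable and nothing records it. A `RequestToLock` failure is handled only by `DEBUG` and `ASSERT_EFI_ERROR`, which are normally compiled out of release builds, so that path also continues unlocked. I would add an `else` branch such as `DEBUG ((EFI_D_ERROR, "[TPM2] Variable lock protocol not found, Status = %r\n", Status));` and decide explicitly whether the function should keep processing requests when the lock cannot be requested. The comment "We set it as read-only variable here" could also note that the lock is only requested here and, as far as I know, takes effect at EndOfDxe, which is why writes to the flags later in this function still succeed. The body of Tcg2PhysicalPresenceLibProcessRequest starts and ends outside this hunk, so the early-return path after the S4 check is not visible here.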
@@ -832,23 +849,6 @@ Tcg2PhysicalPresenceLibProcessRequest (
     }\r
   }\r
   DEBUG ((EFI_D_INFO, "[TPM2] PpiFlags = %x\n", PpiFlags.PPFlags));\r
-\r
-  //\r
-  // This flags variable controls whether physical presence is required for TPM command. \r
-  // It should be protected from malicious software. We set it as read-only variable here.\r
-  //\r
-  Status = gBS->LocateProtocol (&gEdkiiVariableLockProtocolGuid, NULL, (VOID **)&VariableLockProtocol);\r
-  if (!EFI_ERROR (Status)) {\r
-    Status = VariableLockProtocol->RequestToLock (\r
-                                     VariableLockProtocol,\r
-                                     TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE,\r
-                                     &gEfiTcg2PhysicalPresenceGuid\r
-                                     );\r
-    if (EFI_ERROR (Status)) {\r
-      DEBUG ((EFI_D_ERROR, "[TPM2] Error when lock variable %s, Status = %r\n", TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE, Status));\r
-      ASSERT_EFI_ERROR (Status);\r
-    }\r
-  }\r
   \r
   //\r
   // Initialize physical presence variable.\r