From: Dong, Eric Date: Thu, 5 May 2016 00:51:28 +0000 (+0800) Subject: SecurityPkg TcgStorageOpalLib: Check the capability before use. X-Git-Tag: edk2-stable201903~7102 X-Git-Url: https://git.proxmox.com/?p=mirror_edk2.git;a=commitdiff_plain;h=6e7423c3c2ff56c9256b92a845b3e0c959ab0d74 SecurityPkg TcgStorageOpalLib: Check the capability before use. For Pyrite SSC device, it may not supports Active Key, So add check logic before enable it. Cc: Feng Tian Contributed-under: TianoCore Contribution Agreement 1.0 Signed-off-by: Eric Dong Reviewed-by: Feng Tian
---
diff --git a/SecurityPkg/Library/TcgStorageOpalLib/TcgStorageOpalCore.c b/SecurityPkg/Library/TcgStorageOpalLib/TcgStorageOpalCore.c
index 7674ee5716..cc8d5ef3f0 100644
--- a/SecurityPkg/Library/TcgStorageOpalLib/TcgStorageOpalCore.c
+++ b/SecurityPkg/Library/TcgStorageOpalLib/TcgStorageOpalCore.c
@@ -814,6 +814,7 @@ OpalSetLockingSpAuthorityEnabledAndPin(
 TCG_PARSE_STRUCT ParseStruct;
 UINT32 Size;
 TCG_UID ActiveKey;
+ TCG_RESULT Ret;
 NULL_CHECK(LockingSpSession);
 NULL_CHECK(NewPin);
@@ -901,30 +902,35 @@ OpalSetLockingSpAuthorityEnabledAndPin(
 ERROR_CHECK(OpalCreateRetrieveGlobalLockingRangeActiveKey(LockingSpSession, &CreateStruct, &Size));
 ERROR_CHECK(OpalPerformMethod(LockingSpSession, Size, Buf, sizeof(Buf), &ParseStruct, MethodStatus));
- ERROR_CHECK(OpalParseRetrieveGlobalLockingRangeActiveKey(&ParseStruct, &ActiveKey));
-
- ERROR_CHECK(TcgInitTcgCreateStruct(&CreateStruct, Buf, sizeof(Buf)));
- ERROR_CHECK(TcgCreateSetAce(
- &CreateStruct,
- &Size,
- LockingSpSession->OpalBaseComId,
- LockingSpSession->ComIdExtension,
- LockingSpSession->TperSessionId,
- LockingSpSession->HostSessionId,
- (ActiveKey == OPAL_LOCKING_SP_K_AES_256_GLOBALRANGE_KEY) ? OPAL_LOCKING_SP_ACE_K_AES_256_GLOBALRANGE_GENKEY : OPAL_LOCKING_SP_ACE_K_AES_128_GLOBALRANGE_GENKEY,
- OPAL_LOCKING_SP_USER1_AUTHORITY,
- TCG_ACE_EXPRESSION_OR,
- OPAL_LOCKING_SP_ADMINS_AUTHORITY
- ));
+ //
+ // For Pyrite type SSC, it not supports Active Key.
+ // So here add check logic before enable it.
+ //
+ Ret = OpalParseRetrieveGlobalLockingRangeActiveKey(&ParseStruct, &ActiveKey);
+ if (Ret == TcgResultSuccess) {
+ ERROR_CHECK(TcgInitTcgCreateStruct(&CreateStruct, Buf, sizeof(Buf)));
+ ERROR_CHECK(TcgCreateSetAce(
+ &CreateStruct,
+ &Size,
+ LockingSpSession->OpalBaseComId,
+ LockingSpSession->ComIdExtension,
+ LockingSpSession->TperSessionId,
+ LockingSpSession->HostSessionId,
+ (ActiveKey == OPAL_LOCKING_SP_K_AES_256_GLOBALRANGE_KEY) ? 
OPAL_LOCKING_SP_ACE_K_AES_256_GLOBALRANGE_GENKEY : OPAL_LOCKING_SP_ACE_K_AES_128_GLOBALRANGE_GENKEY,
+ OPAL_LOCKING_SP_USER1_AUTHORITY,
+ TCG_ACE_EXPRESSION_OR,
+ OPAL_LOCKING_SP_ADMINS_AUTHORITY
+ ));
- ERROR_CHECK(OpalPerformMethod(LockingSpSession, Size, Buf, sizeof(Buf), &ParseStruct, MethodStatus));
+ ERROR_CHECK(OpalPerformMethod(LockingSpSession, Size, Buf, sizeof(Buf), &ParseStruct, MethodStatus));
- if (*MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {
- DEBUG ((DEBUG_INFO, "Update ACE for GLOBALRANGE_GENKEY failed\n"));
- //
- //TODO do we want to disable user1 if all permissions are not granted
- //
- return TcgResultFailure;
+ if (*MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) {
+ DEBUG ((DEBUG_INFO, "Update ACE for GLOBALRANGE_GENKEY failed\n"));
+ //
+ // TODO do we want to disable user1 if all permissions are not granted
+ //
+ return TcgResultFailure;
+ }
 }
 ERROR_CHECK(TcgInitTcgCreateStruct(&CreateStruct, Buf, sizeof(Buf)));
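Review bot: The `if (Ret == TcgResultSuccess)` guard added around the GLOBALRANGE_GENKEY ACE update treats every failure of `OpalParseRetrieveGlobalLockingRangeActiveKey` as "this SSC has no Active Key", so a malformed or unexpected response from a drive that does have one is skipped in the same way as the Pyrite case. On that path the function continues to the following `TcgInitTcgCreateStruct` call without the ACE update, and nothing is logged. The visible lines also parse the retrieve response without looking at `*MethodStatus` from the preceding `OpalPerformMethod`; checking it first (if that is not already done elsewhere) would help tell an unsupported feature from a genuine error. At a minimum, record the skip: `} else { DEBUG ((DEBUG_INFO, "ActiveKey not retrieved, GLOBALRANGE_GENKEY ACE left unchanged\n")); }`. The body of OpalSetLockingSpAuthorityEnabledAndPin starts and ends outside this hunk.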