1 X-Received: from chumaggi-mobl.gar.corp.intel.com ([10.5.245.173]) by fmsmga006.fm.intel.com with ESMTP; 13 May 2019 02:18:18 -0700 From: "Maggie Chu" To: devel@edk2.groups.io Cc: Eric Dong , Chao Zhang , Jiewen Yao Subject: [edk2-devel] [PATCH] SecurityPkg/OpalPassword: Add PCD to skip password prompt in device unlocked status Date: Mon, 13 May 2019 17:18:04 +0800 Message-Id: <20190513091804.14660-1-maggie.chu@intel.com> Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,maggie.chu@intel.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1557739100; bh=uCdWREwsAU/6+Vh6QFwW4wcuXsQjdpDQyEi6BPPSuSM=; h=Cc:Date:From:Reply-To:Subject:To; b=dpq0WMrNTUmS/hBTn5wMNyoLBMzkEBDm5ALRhSKvue7ybtvOuN+xkNyyzmtMfOCfW30 DAik2mZsdzoadtIV8hKMYxhCAkRhGD13lWuHukvO/WxYyNX8GDwSvxfVKAcn3yfGkfivi NGQYRhvCJwtD95CQS95P2vbgtYLHmbdHMM4= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" https://bugzilla.tianocore.org/show_bug.cgi?id=3D1801 Add a PCD for skipping password prompt. Previous change only support if storage device is in locked device. This change is added to support the case that security status of the storage device is unlocked. Signed-off-by: Maggie Chu Cc: Eric Dong Cc: Chao Zhang Cc: Jiewen Yao --- SecurityPkg/SecurityPkg.dec | 10 +++++----- SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c | 16 ++++++++++++++-- SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe.inf | 2 +- 3 files changed, 20 insertions(+), 8 deletions(-) diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index 3314f1854b..96db80c2d2 100644 --- a/SecurityPkg/SecurityPkg.dec +++ b/SecurityPkg/SecurityPkg.dec 
@@ -422,11 +422,11 @@ # @Prompt Possible TPM2 Interrupt Number buffer gEfiSecurityPkgTokenSpaceGuid.PcdTpm2PossibleIrqNumBuf|{0x00, 0x00, 0x00= , 0x00}|VOID*|0x0001001D =20 - ## Indicates if Opal DXE driver skip unlock device flow.

- # TRUE - Skip unlock device flow.
- # FALSE - Does not skip unlock device flow.
- # @Prompt Skip Opal DXE driver unlock device flow. - gEfiSecurityPkgTokenSpaceGuid.PcdSkipOpalDxeUnlock|FALSE|BOOLEAN|0x00010= 020 + ## Indicates if Opal DXE driver skip password prompt.

+ # TRUE - Skip password prompt.
+ # FALSE - Does not skip password prompt.
+ # @Prompt Skip Opal DXE driver password prompt. + gEfiSecurityPkgTokenSpaceGuid.PcdSkipOpalPasswordPrompt|FALSE|BOOLEAN|0x= 00010020 =20 [PcdsDynamic, PcdsDynamicEx] =20 diff --git a/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c b/SecurityPkg/T= cg/Opal/OpalPassword/OpalDriver.c index 965205c0b2..b0f9ca2215 100644 --- a/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c +++ b/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c @@ -899,8 +899,20 @@ OpalDriverRequestPassword ( =20 IsLocked =3D OpalDeviceLocked (&Dev->OpalDisk.SupportedAttributes, &De= v->OpalDisk.LockingFeature); =20 - if (IsLocked && PcdGetBool (PcdSkipOpalDxeUnlock)) { - return; + // + // Add PcdSkipOpalPasswordPrompt to determin whether to skip password = prompt. + // Due to board design, device may not power off during system warm bo= ot, which result in=20 + // security status remain unlocked status, hence we add device securit= y status check here. + // + // If device is in the locked status, device keeps locked and system c= ontinues booting. + // If device is in the unlocked status, system is forced shutdown to s= upport security requirement. + // + if (PcdGetBool (PcdSkipOpalPasswordPrompt)) { + if (IsLocked) { + return; + } else { + gRT->ResetSystem (EfiResetShutdown, EFI_SUCCESS, 0, NULL); + } } =20 while (Count < MAX_PASSWORD_TRY_COUNT) { diff --git a/SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe.inf b/Securi= tyPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe.inf index e74f147aaa..87519198c0 100644 --- a/SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe.inf +++ b/SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe.inf 
@@ -71,7 +71,7 @@ gS3StorageDeviceInitListGuid ## SOMETIMES_PRODUCES ## U= NDEFINED =20 [Pcd] - gEfiSecurityPkgTokenSpaceGuid.PcdSkipOpalDxeUnlock ## CONSUMES + gEfiSecurityPkgTokenSpaceGuid.PcdSkipOpalPasswordPrompt ## CONSUMES =20 [Depex] gEfiHiiStringProtocolGuid AND gEfiHiiDatabaseProtocolGuid --=20 2.16.2.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#40493): https://edk2.groups.io/g/devel/message/40493 Mute This Topic: https://groups.io/mt/31605216/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
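Review bot: in the SecurityPkg.dec hunk, the help text for the renamed PcdSkipOpalPasswordPrompt ("TRUE - Skip password prompt.") does not mention the consequence introduced in the OpalDriver.c hunk of the same patch: with the PCD set to TRUE, a device found unlocked at boot causes an immediate system shutdown. Platform integrators read the .dec to decide whether to enable a PCD, so state that here, e.g. "TRUE - Skip password prompt; if the device is found unlocked, the system is shut down." Also "Indicates if Opal DXE driver skip password prompt" should read "skips". Since the token number 0x00010020 is reused under the new name, any platform DSC that referenced PcdSkipOpalDxeUnlock will fail to build until updated; calling that out in the commit message would help.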
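Review bot: in the OpalDriver.c hunk, the `else` branch calls `gRT->ResetSystem (EfiResetShutdown, EFI_SUCCESS, 0, NULL)` and, should that call return, falls straight through into the `while (Count < MAX_PASSWORD_TRY_COUNT)` password loop, which is exactly the prompt this path is meant to avoid. ResetSystem is not expected to return, but the usual EDK II idiom is to follow it with `CpuDeadLoop ()` so the unlocked-device case can never reach the prompt. Consider also a DEBUG message before the shutdown: an unlocked device after a warm boot now turns into a silent power-off during DXE, which is hard to diagnose without a log line, and the comment could say explicitly why a shutdown (rather than a warm reset) is required, given the comment itself notes the device stays unlocked across a warm boot. Minor: "determin" in the new comment should be "determine", and the line ending "which result in" carries trailing whitespace.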