1. Patchew
  2. EDK2
  3. View series

[edk2-devel] [PATCH] SecurityPkg/OpalPassword: Add PCD to skip password prompt

Maggie Chu posted 1 patch 5 years, 6 months ago
Failed in applying to current master (apply log)
SecurityPkg/SecurityPkg.dec                           | 10 +++++-----
SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c        | 16 ++++++++++++++--
SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe.inf |  2 +-
3 files changed, 20 insertions(+), 8 deletions(-)
[edk2-devel] [PATCH] SecurityPkg/OpalPassword: Add PCD to skip password prompt
Posted by Maggie Chu 5 years, 6 months ago 
https://bugzilla.tianocore.org/show_bug.cgi?id=1801
Add a PCD for skipping password prompt in device unlocked status.
Previous change only support if storage device is in locked status.
This change is added to support the case that security status of the
storage device is unlocked.

Signed-off-by: Maggie Chu <maggie.chu@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
---
 SecurityPkg/SecurityPkg.dec                           | 10 +++++-----
 SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c        | 16 ++++++++++++++--
 SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe.inf |  2 +-
 3 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
index 3314f1854b..96db80c2d2 100644
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@@ -422,11 +422,11 @@
   # @Prompt Possible TPM2 Interrupt Number buffer
   gEfiSecurityPkgTokenSpaceGuid.PcdTpm2PossibleIrqNumBuf|{0x00, 0x00, 0x00, 0x00}|VOID*|0x0001001D
 
-  ## Indicates if Opal DXE driver skip unlock device flow.<BR><BR>
-  #   TRUE  - Skip unlock device flow.<BR>
-  #   FALSE - Does not skip unlock device flow.<BR>
-  # @Prompt Skip Opal DXE driver unlock device flow.
-  gEfiSecurityPkgTokenSpaceGuid.PcdSkipOpalDxeUnlock|FALSE|BOOLEAN|0x00010020
+  ## Indicates if Opal DXE driver skip password prompt.<BR><BR>
+  #   TRUE  - Skip password prompt.<BR>
+  #   FALSE - Does not skip password prompt.<BR>
+  # @Prompt Skip Opal DXE driver password prompt.
+  gEfiSecurityPkgTokenSpaceGuid.PcdSkipOpalPasswordPrompt|FALSE|BOOLEAN|0x00010020
 
 [PcdsDynamic, PcdsDynamicEx]
 
diff --git a/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c b/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
index 965205c0b2..e14fa32354 100644
--- a/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
+++ b/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
@@ -899,8 +899,20 @@ OpalDriverRequestPassword (
 
     IsLocked = OpalDeviceLocked (&Dev->OpalDisk.SupportedAttributes, &Dev->OpalDisk.LockingFeature);
 
-    if (IsLocked && PcdGetBool (PcdSkipOpalDxeUnlock)) {
-      return;
+    //
+    // Add PcdSkipOpalPasswordPrompt to determin whether to skip password prompt.
+    // Due to board design, device may not power off during system warm boot, which result in
+    // security status remain unlocked status, hence we add device security status check here.
+    //
+    // If device is in the locked status, device keeps locked and system continues booting.
+    // If device is in the unlocked status, system is forced shutdown to support security requirement.
+    //
+    if (PcdGetBool (PcdSkipOpalPasswordPrompt)) {
+      if (IsLocked) {
+        return;
+      } else {
+        gRT->ResetSystem (EfiResetShutdown, EFI_SUCCESS, 0, NULL);
+      }
     }
 
     while (Count < MAX_PASSWORD_TRY_COUNT) {
diff --git a/SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe.inf b/SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe.inf
index e74f147aaa..87519198c0 100644
--- a/SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe.inf
+++ b/SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe.inf
@@ -71,7 +71,7 @@
   gS3StorageDeviceInitListGuid                  ## SOMETIMES_PRODUCES ## UNDEFINED
 
 [Pcd]
-  gEfiSecurityPkgTokenSpaceGuid.PcdSkipOpalDxeUnlock  ## CONSUMES
+  gEfiSecurityPkgTokenSpaceGuid.PcdSkipOpalPasswordPrompt  ## CONSUMES
 
 [Depex]
   gEfiHiiStringProtocolGuid AND gEfiHiiDatabaseProtocolGuid
-- 
2.16.2.windows.1


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#41194): https://edk2.groups.io/g/devel/message/41194
Mute This Topic: https://groups.io/mt/31717459/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [edk2-devel] [PATCH] SecurityPkg/OpalPassword: Add PCD to skip password prompt
Posted by Dong, Eric 5 years, 5 months ago 
Hi Maggie,

Reviewed-by: Eric Dong <eric.dong@intel.com>

And pushed: 6cbed0e36fe734f3fc11d30d652122d7714627c4

Thanks,
Eric

> -----Original Message-----
> From: Chu, Maggie
> Sent: Wednesday, May 22, 2019 3:05 PM
> To: devel@edk2.groups.io
> Cc: Dong, Eric <eric.dong@intel.com>; Zhang, Chao B
> <chao.b.zhang@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>
> Subject: [PATCH] SecurityPkg/OpalPassword: Add PCD to skip password
> prompt
> 
> https://bugzilla.tianocore.org/show_bug.cgi?id=1801
> Add a PCD for skipping password prompt in device unlocked status.
> Previous change only support if storage device is in locked status.
> This change is added to support the case that security status of the storage
> device is unlocked.
> 
> Signed-off-by: Maggie Chu <maggie.chu@intel.com>
> Cc: Eric Dong <eric.dong@intel.com>
> Cc: Chao Zhang <chao.b.zhang@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> ---
>  SecurityPkg/SecurityPkg.dec                           | 10 +++++-----
>  SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c        | 16
> ++++++++++++++--
>  SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe.inf |  2 +-
>  3 files changed, 20 insertions(+), 8 deletions(-)
> 
> diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec index
> 3314f1854b..96db80c2d2 100644
> --- a/SecurityPkg/SecurityPkg.dec
> +++ b/SecurityPkg/SecurityPkg.dec
> @@ -422,11 +422,11 @@
>    # @Prompt Possible TPM2 Interrupt Number buffer
>    gEfiSecurityPkgTokenSpaceGuid.PcdTpm2PossibleIrqNumBuf|{0x00, 0x00,
> 0x00, 0x00}|VOID*|0x0001001D
> 
> -  ## Indicates if Opal DXE driver skip unlock device flow.<BR><BR>
> -  #   TRUE  - Skip unlock device flow.<BR>
> -  #   FALSE - Does not skip unlock device flow.<BR>
> -  # @Prompt Skip Opal DXE driver unlock device flow.
> -
> gEfiSecurityPkgTokenSpaceGuid.PcdSkipOpalDxeUnlock|FALSE|BOOLEAN|0
> x00010020
> +  ## Indicates if Opal DXE driver skip password prompt.<BR><BR>
> +  #   TRUE  - Skip password prompt.<BR>
> +  #   FALSE - Does not skip password prompt.<BR>
> +  # @Prompt Skip Opal DXE driver password prompt.
> +
> +
> gEfiSecurityPkgTokenSpaceGuid.PcdSkipOpalPasswordPrompt|FALSE|BOOL
> EAN|
> + 0x00010020
> 
>  [PcdsDynamic, PcdsDynamicEx]
> 
> diff --git a/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
> b/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
> index 965205c0b2..e14fa32354 100644
> --- a/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
> +++ b/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
> @@ -899,8 +899,20 @@ OpalDriverRequestPassword (
> 
>      IsLocked = OpalDeviceLocked (&Dev->OpalDisk.SupportedAttributes,
> &Dev->OpalDisk.LockingFeature);
> 
> -    if (IsLocked && PcdGetBool (PcdSkipOpalDxeUnlock)) {
> -      return;
> +    //
> +    // Add PcdSkipOpalPasswordPrompt to determin whether to skip
> password prompt.
> +    // Due to board design, device may not power off during system warm
> boot, which result in
> +    // security status remain unlocked status, hence we add device security
> status check here.
> +    //
> +    // If device is in the locked status, device keeps locked and system
> continues booting.
> +    // If device is in the unlocked status, system is forced shutdown to
> support security requirement.
> +    //
> +    if (PcdGetBool (PcdSkipOpalPasswordPrompt)) {
> +      if (IsLocked) {
> +        return;
> +      } else {
> +        gRT->ResetSystem (EfiResetShutdown, EFI_SUCCESS, 0, NULL);
> +      }
>      }
> 
>      while (Count < MAX_PASSWORD_TRY_COUNT) { diff --git
> a/SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe.inf
> b/SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe.inf
> index e74f147aaa..87519198c0 100644
> --- a/SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe.inf
> +++ b/SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe.inf
> @@ -71,7 +71,7 @@
>    gS3StorageDeviceInitListGuid                  ## SOMETIMES_PRODUCES ##
> UNDEFINED
> 
>  [Pcd]
> -  gEfiSecurityPkgTokenSpaceGuid.PcdSkipOpalDxeUnlock  ## CONSUMES
> +  gEfiSecurityPkgTokenSpaceGuid.PcdSkipOpalPasswordPrompt  ##
> CONSUMES
> 
>  [Depex]
>    gEfiHiiStringProtocolGuid AND gEfiHiiDatabaseProtocolGuid
> --
> 2.16.2.windows.1


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#42062): https://edk2.groups.io/g/devel/message/42062
Mute This Topic: https://groups.io/mt/31717459/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

Patchew 2.1-devel-b67e4c2

© 2016 - 2024 Red Hat, Inc.