From nobody Thu May 2 18:43:02 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+42489+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+42489+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1560754324; cv=none; d=zoho.com; s=zohoarc; b=keVLybrC4tg5SFscojoldudJuOsNlkILuAlq4GcmpTO9gMNIne/m51zyuCVQCfSh7WSimGXBUOBzrpeaEjjHyC7i91WI5U4pypgZr7S4/xGxXKElvAK0jcQO1uoTMzOv1goT66jaazTukSaHijASwjPZcJOxhOitYl8sqHRtkT4= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1560754324; h=Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:Message-ID:Reply-To:References:Sender:Subject:To:ARC-Authentication-Results; bh=9RAJn0i9daFbMZDKxMl+U4uoqsNlVIbecEirdTvTc4k=; b=LvVsnX7bka6JjS76Dx2ycuwfKJjsEOhhIZxAXHqITC4iYkAWk9zngxQWBx6xotlaNg0kzOrHMrzoukEiqyE7c13Z7d0ZXYc+vCK3vFQK0eo9uo+za6Gc4RvoP/gS+xbFPfOp8MFgLGQnD/MIraYcAmMdFG4SL0BZZegDJZMXJpw= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+42489+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1560754324207351.6033500373702; Sun, 16 Jun 2019 23:52:04 -0700 (PDT) Return-Path: X-Received: from mga07.intel.com (mga07.intel.com []) by groups.io with SMTP; Sun, 16 Jun 2019 23:52:03 -0700 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-Received: from orsmga006.jf.intel.com ([10.7.209.51]) by orsmga105.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 16 Jun 2019 23:52:03 -0700 X-ExtLoop1: 1 X-Received: from shwdeopenpsi114.ccr.corp.intel.com ([10.239.157.147]) by orsmga006.jf.intel.com with ESMTP; 16 Jun 2019 23:52:02 -0700 From: "Dandan Bi" To: devel@edk2.groups.io Cc: Eric Dong , Liming Gao Subject: [edk2-devel] [edk2-platforms] [patch v2 1/2] Platform/Intel: Add UserInterfaceFeaturePkg Date: Mon, 17 Jun 2019 14:51:45 +0800 Message-Id: <20190617065146.32648-2-dandan.bi@intel.com> In-Reply-To: <20190617065146.32648-1-dandan.bi@intel.com> References: <20190617065146.32648-1-dandan.bi@intel.com> Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,dandan.bi@intel.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1560754323; bh=XKQsAVRDmDXN56bKdQShC77g1chNHRS0cRnjA+k1jqM=; h=Cc:Date:From:Reply-To:Subject:To; b=AQEWapJPKwFLFAEG51TtRSr+0ScpKu8wAkqWYilB6kLdN5ZsI0TDzVz8UVYDVWRRCyi +zi1Hivk9zTjVuNQvKOrnO1SAXLFekD+E8/34mvzcQi7/aKm/l6ZJO7ByUoRRfVOE9m+5 kHZ9TrHsKmA5u7pTe47EOSAY3T/C/g8uAZ0= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1545 Add new package UserInterfaceFeaturePkg in Platform/Intel/ folder. It will keep UI related modules in this package. We plan add UserAuthentication modules in Platform/Intel. Firstly we add a new package UserInterfaceFeaturePkg where add the UserAuthentication modules into. Package name follows the discussion in: https://edk2.groups.io/g/devel/message/42286 Cc: Eric Dong Cc: Liming Gao Signed-off-by: Dandan Bi --- Maintainers.txt | 4 ++++ .../UserInterfaceFeaturePkg.dec | 19 +++++++++++++++ .../UserInterfaceFeaturePkg.dsc | 23 +++++++++++++++++++ 3 files changed, 46 insertions(+) create mode 100644 Platform/Intel/UserInterfaceFeaturePkg/UserInterfaceFea= turePkg.dec create mode 100644 Platform/Intel/UserInterfaceFeaturePkg/UserInterfaceFea= turePkg.dsc diff --git a/Maintainers.txt b/Maintainers.txt index cb9e15e880..c55a285fa1 100644 --- a/Maintainers.txt +++ b/Maintainers.txt @@ -71,10 +71,14 @@ R: Liming Gao =20 Platform/Intel/DebugFeaturePkg M: Eric Dong R: Liming Gao =20 +Platform/Intel/UserInterfaceFeaturePkg +M: Dandan Bi +R: Liming Gao + Platform/Intel/ClevoOpenBoardPkg M: Michael Kubacki M: Ankit Sinha M: Nate DeSimone =20 diff --git a/Platform/Intel/UserInterfaceFeaturePkg/UserInterfaceFeaturePkg= .dec b/Platform/Intel/UserInterfaceFeaturePkg/UserInterfaceFeaturePkg.dec new file mode 100644 index 0000000000..7162637e24 --- /dev/null +++ b/Platform/Intel/UserInterfaceFeaturePkg/UserInterfaceFeaturePkg.dec @@ -0,0 +1,19 @@ +## @file +# This package provides UI related modules. +# +# The DEC files are used by the utilities that parse DSC and +# INF files to generate AutoGen.c and AutoGen.h files +# for the build infrastructure. +# +# Copyright (c) 2019, Intel Corporation. All rights reserved.
+# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + DEC_SPECIFICATION =3D 0x00010017 + PACKAGE_NAME =3D UserInterfaceFeaturePkg + PACKAGE_VERSION =3D 0.1 + PACKAGE_GUID =3D 5A92199C-C2ED-4A3F-9ED0-C278DEA0DA47 + diff --git a/Platform/Intel/UserInterfaceFeaturePkg/UserInterfaceFeaturePkg= .dsc b/Platform/Intel/UserInterfaceFeaturePkg/UserInterfaceFeaturePkg.dsc new file mode 100644 index 0000000000..7098affee9 --- /dev/null +++ b/Platform/Intel/UserInterfaceFeaturePkg/UserInterfaceFeaturePkg.dsc @@ -0,0 +1,23 @@ +## @file +# This package provides UI related modules. +# +# The DEC files are used by the utilities that parse DSC and +# INF files to generate AutoGen.c and AutoGen.h files +# for the build infrastructure. +# +# Copyright (c) 2019, Intel Corporation. All rights reserved.
+# +# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + PLATFORM_NAME =3D UserInterfaceFeaturePkg + PLATFORM_GUID =3D 66536B4C-84A3-42FD-B0AE-603414A4CE9E + PLATFORM_VERSION =3D 0.1 + DSC_SPECIFICATION =3D 0x00010005 + OUTPUT_DIRECTORY =3D Build/UserInterfaceFeaturePkg + SUPPORTED_ARCHITECTURES =3D IA32|X64 + BUILD_TARGETS =3D DEBUG|RELEASE|NOOPT + SKUID_IDENTIFIER =3D DEFAULT + --=20 2.18.0.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#42489): https://edk2.groups.io/g/devel/message/42489 Mute This Topic: https://groups.io/mt/32092226/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- From nobody Thu May 2 18:43:02 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) client-ip=66.175.222.12; envelope-from=bounce+27952+42490+1787277+3901457@groups.io; helo=web01.groups.io; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+42490+1787277+3901457@groups.io; dmarc=fail(p=none dis=none) header.from=intel.com ARC-Seal: i=1; a=rsa-sha256; t=1560754332; cv=none; d=zoho.com; s=zohoarc; b=Bp3z8cPyG7BGEo/t3OJP9DUQurFlTLnMx8vf1qSqk8B7X0Jtg1AUMzAyLNNzFI3+r3YHZJ1vPtvT8KjGNghFmxrwKhnU+NLsKUQpARfSWzKLMYHuF2hKqvVBAsF9wQWyVGU+NgUvGHOfkOI3Lr+r/TJasqLcWTdo1M+S+PLEJr0= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zoho.com; s=zohoarc; t=1560754332; h=Cc:Date:From:In-Reply-To:List-Id:List-Unsubscribe:Message-ID:Reply-To:References:Sender:Subject:To:ARC-Authentication-Results; bh=wSna7Ii1yMcocY8Vf3tqEEiY/v7gTyPzalja0TIODu8=; b=XP+3DR6pkuFXyzrSoLskmJ+E78cGMg10+bRamWHUK3KY9yMCf/TXz3NlTwNehIGAknHPEKQJIEoMnVQ08Jqsxk7oq2+2PI0Q676uDU8r45Ufa0DYwcFBCRAxeuPVJtgAW21xw8PpFg1mP+TWZtsywK3lniKIEiNZcbqikxnQCD0= ARC-Authentication-Results: i=1; mx.zoho.com; dkim=pass; spf=pass (zoho.com: domain of groups.io designates 66.175.222.12 as permitted sender) smtp.mailfrom=bounce+27952+42490+1787277+3901457@groups.io; dmarc=fail header.from= (p=none dis=none) header.from= Received: from web01.groups.io (web01.groups.io [66.175.222.12]) by mx.zohomail.com with SMTPS id 1560754332406240.02293088748752; Sun, 16 Jun 2019 23:52:12 -0700 (PDT) Return-Path: X-Received: from mga07.intel.com (mga07.intel.com [134.134.136.100]) by groups.io with SMTP; Sun, 16 Jun 2019 23:52:11 -0700 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False X-Received: from orsmga006.jf.intel.com ([10.7.209.51]) by orsmga105.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 16 Jun 2019 23:52:10 -0700 X-ExtLoop1: 1 X-Received: from shwdeopenpsi114.ccr.corp.intel.com ([10.239.157.147]) by orsmga006.jf.intel.com with ESMTP; 16 Jun 2019 23:52:08 -0700 From: "Dandan Bi" To: devel@edk2.groups.io Cc: Eric Dong , Liming Gao Subject: [edk2-devel] [edk2-platforms] [patch v2 2/2] Platform/Intel/UserInterfaceFeaturePkg: Add UserAuthentication modules Date: Mon, 17 Jun 2019 14:51:46 +0800 Message-Id: <20190617065146.32648-3-dandan.bi@intel.com> In-Reply-To: <20190617065146.32648-1-dandan.bi@intel.com> References: <20190617065146.32648-1-dandan.bi@intel.com> Precedence: Bulk List-Unsubscribe: Sender: devel@edk2.groups.io List-Id: Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io Reply-To: devel@edk2.groups.io,dandan.bi@intel.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=groups.io; q=dns/txt; s=20140610; t=1560754331; bh=1EAJCavuC8xsg/JxmhT3MEC1yPu/Uh5vXQ21OYbkk8o=; h=Cc:Date:From:Reply-To:Subject:To; b=jR8n6lXZZBOo4jRzPGwBnGmRNsdNYjNhfLHx7GJN7CArTHVoQsaqoXxFa1oqgd1jHBy g7iwqUBjRKKko2tlUwM9CPXvquWQ4SefgyC5xnK4GWmiQwjNmBC/EaqDxmekb8qeDvqcn a36AbUUlwMiaNEHCxcpWvNEBdxoPiMY9rK8= X-ZohoMail-DKIM: pass (identity @groups.io) Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" REF: https://bugzilla.tianocore.org/show_bug.cgi?id=3D1545 This password based user authentication is to verify user when a user wants to enter BIOS setup page or enter other boot path. 1. The UserAuthenticationDxe driver registers report status code listener. When it gets (EFI_SOFTWARE_DXE_BS_DRIVER | EFI_SW_PC_USER_SETUP) progress code, it will let the user input password, validate and set the password. It also registers a setup page in setup browser, so that user may update the password. UserAuthenticationDxe driver communicates with UserAuthenticationSmm driver to do the password verification and management. 2. UserAuthentication2Dxe driver only registesr a setup page in setup brows= er, so that user may update the password. UserPasswordLib will provide services to set/verify password. UserPasswordUiLib will provide services to do password authentication. 3. UserAuthenticationSmm driver registers SMI handler to perform the request from UserAuthenticationDxe or UserPasswordLib. If the SMM driver will detect IsPasswordCleared() at the entry point and clear the password if IsPasswordCleared() is TRUE. This can be used when the user forgets the password. 4. PlatformPasswordLib LibraryClass provides a platform-specific method to return password policy.(whether need enroll password or clean password) Cc: Eric Dong Cc: Liming Gao Signed-off-by: Dandan Bi --- V2: Add PcdPasswordCleared in [PcdsFixedAtBuild,PcdsPatchableInModule,PcdsDynamic,PcdsDynamicEx] section. .../Include/Guid/UserAuthentication.h | 45 + .../Include/Library/PlatformPasswordLib.h | 48 ++ .../Include/Library/UserPasswordLib.h | 70 ++ .../Include/Library/UserPasswordUiLib.h | 37 + .../PlatformPasswordLibNull.c | 78 ++ .../PlatformPasswordLibNull.inf | 39 + .../PlatformPasswordLibNull.uni | 19 + .../Library/UserPasswordLib/UserPasswordLib.c | 274 ++++++ .../UserPasswordLib/UserPasswordLib.inf | 37 + .../UserPasswordUiLib/UserPasswordUiLib.c | 522 ++++++++++++ .../UserPasswordUiLib/UserPasswordUiLib.inf | 41 + .../UserAuthentication/KeyService.c | 133 +++ .../UserAuthentication/KeyService.h | 88 ++ .../UserAuthentication2Dxe.c | 478 +++++++++++ .../UserAuthentication2Dxe.h | 55 ++ .../UserAuthentication2Dxe.inf | 53 ++ .../UserAuthenticationDxe.c | 780 ++++++++++++++++++ .../UserAuthenticationDxe.h | 138 ++++ .../UserAuthenticationDxe.inf | 63 ++ .../UserAuthenticationDxeFormset.h | 23 + .../UserAuthenticationDxePassword.c | 319 +++++++ .../UserAuthenticationDxeStrings.uni | 30 + .../UserAuthenticationDxeVfr.vfr | 39 + .../UserAuthenticationSmm.c | 674 +++++++++++++++ .../UserAuthenticationSmm.h | 52 ++ .../UserAuthenticationSmm.inf | 53 ++ .../UserInterfaceFeaturePkg.dec | 15 + .../UserInterfaceFeaturePkg.dsc | 55 ++ 28 files changed, 4258 insertions(+) create mode 100644 Platform/Intel/UserInterfaceFeaturePkg/Include/Guid/Use= rAuthentication.h create mode 100644 Platform/Intel/UserInterfaceFeaturePkg/Include/Library/= PlatformPasswordLib.h create mode 100644 Platform/Intel/UserInterfaceFeaturePkg/Include/Library/= UserPasswordLib.h create mode 100644 Platform/Intel/UserInterfaceFeaturePkg/Include/Library/= UserPasswordUiLib.h create mode 100644 Platform/Intel/UserInterfaceFeaturePkg/Library/Platform= PasswordLibNull/PlatformPasswordLibNull.c create mode 100644 Platform/Intel/UserInterfaceFeaturePkg/Library/Platform= PasswordLibNull/PlatformPasswordLibNull.inf create mode 100644 Platform/Intel/UserInterfaceFeaturePkg/Library/Platform= PasswordLibNull/PlatformPasswordLibNull.uni create mode 100644 Platform/Intel/UserInterfaceFeaturePkg/Library/UserPass= wordLib/UserPasswordLib.c create mode 100644 Platform/Intel/UserInterfaceFeaturePkg/Library/UserPass= wordLib/UserPasswordLib.inf create mode 100644 Platform/Intel/UserInterfaceFeaturePkg/Library/UserPass= wordUiLib/UserPasswordUiLib.c create mode 100644 Platform/Intel/UserInterfaceFeaturePkg/Library/UserPass= wordUiLib/UserPasswordUiLib.inf create mode 100644 Platform/Intel/UserInterfaceFeaturePkg/UserAuthenticati= on/KeyService.c create mode 100644 Platform/Intel/UserInterfaceFeaturePkg/UserAuthenticati= on/KeyService.h create mode 100644 Platform/Intel/UserInterfaceFeaturePkg/UserAuthenticati= on/UserAuthentication2Dxe.c create mode 100644 Platform/Intel/UserInterfaceFeaturePkg/UserAuthenticati= on/UserAuthentication2Dxe.h create mode 100644 Platform/Intel/UserInterfaceFeaturePkg/UserAuthenticati= on/UserAuthentication2Dxe.inf create mode 100644 Platform/Intel/UserInterfaceFeaturePkg/UserAuthenticati= on/UserAuthenticationDxe.c create mode 100644 Platform/Intel/UserInterfaceFeaturePkg/UserAuthenticati= on/UserAuthenticationDxe.h create mode 100644 Platform/Intel/UserInterfaceFeaturePkg/UserAuthenticati= on/UserAuthenticationDxe.inf create mode 100644 Platform/Intel/UserInterfaceFeaturePkg/UserAuthenticati= on/UserAuthenticationDxeFormset.h create mode 100644 Platform/Intel/UserInterfaceFeaturePkg/UserAuthenticati= on/UserAuthenticationDxePassword.c create mode 100644 Platform/Intel/UserInterfaceFeaturePkg/UserAuthenticati= on/UserAuthenticationDxeStrings.uni create mode 100644 Platform/Intel/UserInterfaceFeaturePkg/UserAuthenticati= on/UserAuthenticationDxeVfr.vfr create mode 100644 Platform/Intel/UserInterfaceFeaturePkg/UserAuthenticati= on/UserAuthenticationSmm.c create mode 100644 Platform/Intel/UserInterfaceFeaturePkg/UserAuthenticati= on/UserAuthenticationSmm.h create mode 100644 Platform/Intel/UserInterfaceFeaturePkg/UserAuthenticati= on/UserAuthenticationSmm.inf diff --git a/Platform/Intel/UserInterfaceFeaturePkg/Include/Guid/UserAuthen= tication.h b/Platform/Intel/UserInterfaceFeaturePkg/Include/Guid/UserAuthen= tication.h new file mode 100644 index 0000000000..c8012c3e4f --- /dev/null +++ b/Platform/Intel/UserInterfaceFeaturePkg/Include/Guid/UserAuthenticatio= n.h @@ -0,0 +1,45 @@ +/** @file + GUID is for UserAuthentication SMM communication. + + Copyright (c) 2018, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef __USER_AUTHENTICATION_GUID_H__ +#define __USER_AUTHENTICATION_GUID_H__ + +#define PASSWORD_MIN_SIZE 9 // MIN number of chars of password, includ= ing NULL. +#define PASSWORD_MAX_SIZE 33 // MAX number of chars of password, includ= ing NULL. + +#define USER_AUTHENTICATION_GUID \ + { 0xf06e3ea7, 0x611c, 0x4b6b, { 0xb4, 0x10, 0xc2, 0xbf, 0x94, 0x3f, 0x38= , 0xf2 } } + +extern EFI_GUID gUserAuthenticationGuid; + +typedef struct { + UINTN Function; + EFI_STATUS ReturnStatus; +} SMM_PASSWORD_COMMUNICATE_HEADER; + +#define SMM_PASSWORD_FUNCTION_IS_PASSWORD_SET 1 +#define SMM_PASSWORD_FUNCTION_SET_PASSWORD 2 +#define SMM_PASSWORD_FUNCTION_VERIFY_PASSWORD 3 +#define SMM_PASSWORD_FUNCTION_SET_VERIFY_POLICY 4 +#define SMM_PASSWORD_FUNCTION_GET_VERIFY_POLICY 5 +#define SMM_PASSWORD_FUNCTION_WAS_PASSWORD_VERIFIED 6 + +typedef struct { + CHAR8 NewPassword[PASSWORD_MAX_SIZE]; + CHAR8 OldPassword[PASSWORD_MAX_SIZE]; +} SMM_PASSWORD_COMMUNICATE_SET_PASSWORD; + +typedef struct { + CHAR8 Password[PASSWORD_MAX_SIZE]; +} SMM_PASSWORD_COMMUNICATE_VERIFY_PASSWORD; + +typedef struct { + BOOLEAN NeedReVerify; +} SMM_PASSWORD_COMMUNICATE_VERIFY_POLICY; + +#endif diff --git a/Platform/Intel/UserInterfaceFeaturePkg/Include/Library/Platfor= mPasswordLib.h b/Platform/Intel/UserInterfaceFeaturePkg/Include/Library/Pla= tformPasswordLib.h new file mode 100644 index 0000000000..d3aa40e076 --- /dev/null +++ b/Platform/Intel/UserInterfaceFeaturePkg/Include/Library/PlatformPasswo= rdLib.h @@ -0,0 +1,48 @@ +/** @file + Provides a platform-specific method to return password policy. + + Copyright (c) 2017, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef __PLATFORM_PASSWORD_LIB_H__ +#define __PLATFORM_PASSWORD_LIB_H__ + +/** + This function is called at password driver entrypoint. + This function should be called only once, to clear the password. + + This function provides a way to reset the password, just in case + the platform owner forgets the password. + The platform should provide a secure way to make sure + only the platform owner is allowed to clear password. + + Once the password is cleared, the platform should provide a way + to set a new password. + + @retval TRUE There is a platform request to clear the password. + @retval FALSE There is no platform request to clear the password. +**/ +BOOLEAN +EFIAPI +IsPasswordCleared ( + VOID + ); + +/** + This function is called if the password driver finds that the password i= s not enrolled, + when the password is required to input. + + This function should return the action according to platform policy. + + @retval TRUE The caller should force the user to enroll the password. + @retval FALSE The caller may skip the password enroll. +**/ +BOOLEAN +EFIAPI +NeedEnrollPassword ( + VOID + ); + +#endif diff --git a/Platform/Intel/UserInterfaceFeaturePkg/Include/Library/UserPas= swordLib.h b/Platform/Intel/UserInterfaceFeaturePkg/Include/Library/UserPas= swordLib.h new file mode 100644 index 0000000000..46be21ce48 --- /dev/null +++ b/Platform/Intel/UserInterfaceFeaturePkg/Include/Library/UserPasswordLi= b.h @@ -0,0 +1,70 @@ +/** @file + Provides services to set/verify password and return if the password is s= et. + + Copyright (c) 2018, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef __USER_PASSWORD_LIB_H__ +#define __USER_PASSWORD_LIB_H__ + +/** + Validate if the password is correct. + + @param[in] Password The user input password. + @param[in] PasswordSize The size of Password in byte. + + @retval EFI_SUCCESS The password is correct. + @retval EFI_SECURITY_VIOLATION The password is incorrect. + @retval EFI_INVALID_PARAMETER The password or size is invalid. + @retval EFI_OUT_OF_RESOURCES Insufficient resources to verify the p= assword. + @retval EFI_ACCESS_DENIED Password retry count reach. +**/ +EFI_STATUS +EFIAPI +VerifyPassword ( + IN CHAR16 *Password, + IN UINTN PasswordSize + ); + +/** + Set a new password. + + @param[in] NewPassword The user input new password. + NULL means clear password. + @param[in] NewPasswordSize The size of NewPassword in byte. + @param[in] OldPassword The user input old password. + NULL means no old password. + @param[in] OldPasswordSize The size of OldPassword in byte. + + @retval EFI_SUCCESS The NewPassword is set successfully. + @retval EFI_SECURITY_VIOLATION The OldPassword is incorrect. + @retval EFI_INVALID_PARAMETER The password or size is invalid. + @retval EFI_OUT_OF_RESOURCES Insufficient resources to set the pass= word. + @retval EFI_ACCESS_DENIED Password retry count reach. + @retval EFI_UNSUPPORTED NewPassword is not strong enough. + @retval EFI_ALREADY_STARTED NewPassword is in history. +**/ +EFI_STATUS +EFIAPI +SetPassword ( + IN CHAR16 *NewPassword, OPTIONAL + IN UINTN NewPasswordSize, + IN CHAR16 *OldPassword, OPTIONAL + IN UINTN OldPasswordSize + ); + +/** + Return if the password is set. + + @retval TRUE The password is set. + @retval FALSE The password is not set. +**/ +BOOLEAN +EFIAPI +IsPasswordInstalled ( + VOID + ); + +#endif diff --git a/Platform/Intel/UserInterfaceFeaturePkg/Include/Library/UserPas= swordUiLib.h b/Platform/Intel/UserInterfaceFeaturePkg/Include/Library/UserP= asswordUiLib.h new file mode 100644 index 0000000000..a426050d33 --- /dev/null +++ b/Platform/Intel/UserInterfaceFeaturePkg/Include/Library/UserPasswordUi= Lib.h @@ -0,0 +1,37 @@ +/** @file + Provides services to do password authentication. + + Copyright (c) 2018, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef __USER_PASSWORD_UI_LIB_H__ +#define __USER_PASSWORD_UI_LIB_H__ + +/** + Do password authentication. + + @retval EFI_SUCCESS Password authentication pass. +**/ +EFI_STATUS +EFIAPI +UiDoPasswordAuthentication ( + VOID + ); + +/** + Set password verification policy. + + @param[in] NeedReVerify Need re-verify or not. + + @retval EFI_SUCCESS Set verification policy successfully. + @retval EFI_OUT_OF_RESOURCES Insufficient resources to set verifica= tion policy. +**/ +EFI_STATUS +EFIAPI +UiSetPasswordVerificationPolicy ( + IN BOOLEAN NeedReVerify + ); + +#endif diff --git a/Platform/Intel/UserInterfaceFeaturePkg/Library/PlatformPasswor= dLibNull/PlatformPasswordLibNull.c b/Platform/Intel/UserInterfaceFeaturePkg= /Library/PlatformPasswordLibNull/PlatformPasswordLibNull.c new file mode 100644 index 0000000000..18e608f3f1 --- /dev/null +++ b/Platform/Intel/UserInterfaceFeaturePkg/Library/PlatformPasswordLibNul= l/PlatformPasswordLibNull.c @@ -0,0 +1,78 @@ +/** @file + NULL PlatformPasswordLib instance does NOT really detect whether the pas= sword is cleared + but returns the PCD value directly. This instance can be used to verify = security + related features during platform enabling and development. It should be = replaced + by a platform-specific method(e.g. Button pressed) in a real platform fo= r product. + + Copyright (c) 2017, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +BOOLEAN mPasswordCleared =3D FALSE; + +/** + This function is called at password driver entrypoint. + This function should be called only once, to clear the password. + + This function provides a way to reset the password, just in case + the platform owner forgets the password. + The platform should provide a secure way to make sure + only the platform owner is allowed to clear password. + + Once the password is cleared, the platform should provide a way + to set a new password. + + @retval TRUE There is a platform request to clear the password. + @retval FALSE There is no platform request to clear the password. +**/ +BOOLEAN +EFIAPI +IsPasswordCleared ( + VOID + ) +{ + return mPasswordCleared; +} + +/** + This function is called if the password driver finds that the password i= s not enrolled, + when the password is required to input. + + This function should return the action according to platform policy. + + @retval TRUE The caller should force the user to enroll the password. + @retval FALSE The caller may skip the password enroll. +**/ +BOOLEAN +EFIAPI +NeedEnrollPassword ( + VOID + ) +{ + return FALSE; +} + + +/** + Save password clear state from a PCD to mPasswordCleared. + + @param ImageHandle ImageHandle of the loaded driver. + @param SystemTable Pointer to the EFI System Table. + + @retval EFI_SUCCESS PcdPasswordCleared is got successfully. + +**/ +EFI_STATUS +EFIAPI +PlatformPasswordLibNullConstructor ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + + mPasswordCleared =3D PcdGetBool(PcdPasswordCleared); + + return EFI_SUCCESS; +} + diff --git a/Platform/Intel/UserInterfaceFeaturePkg/Library/PlatformPasswor= dLibNull/PlatformPasswordLibNull.inf b/Platform/Intel/UserInterfaceFeatureP= kg/Library/PlatformPasswordLibNull/PlatformPasswordLibNull.inf new file mode 100644 index 0000000000..cc9ec3dc59 --- /dev/null +++ b/Platform/Intel/UserInterfaceFeaturePkg/Library/PlatformPasswordLibNul= l/PlatformPasswordLibNull.inf @@ -0,0 +1,39 @@ +## @file +# NULL platform password library instance that returns the password clear= state based upon PCD. +# +# NULL PlatformPasswordLib instance does NOT really detect whether the pa= ssword is cleared +# but returns the PCD value directly. This instance can be used to verify= security +# related features during platform enabling and development. It should be= replaced +# by a platform-specific method(e.g. Button pressed) in a real platform f= or product. +# +# Copyright (c) 2017, Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010006 + BASE_NAME =3D PlatformPasswordLibNull + MODULE_UNI_FILE =3D PlatformPasswordLibNull.uni + FILE_GUID =3D 27417BCA-0CCD-4089-9711-AD069A33C555 + MODULE_TYPE =3D DXE_DRIVER + VERSION_STRING =3D 1.0 + LIBRARY_CLASS =3D PlatformPasswordLib|DXE_RUNTIME_DRIVE= R DXE_SMM_DRIVER DXE_DRIVER + CONSTRUCTOR =3D PlatformPasswordLibNullConstructor + +# +# The following information is for reference only and not required by the = build tools. +# +# VALID_ARCHITECTURES =3D IA32 X64 EBC +# + +[Sources] + PlatformPasswordLibNull.c + +[Packages] + MdePkg/MdePkg.dec + UserInterfaceFeaturePkg/UserInterfaceFeaturePkg.dec + +[Pcd] + gEfiUserInterfaceFeaturePkgTokenSpaceGuid.PcdPasswordCleared ## CONSU= MES + diff --git a/Platform/Intel/UserInterfaceFeaturePkg/Library/PlatformPasswor= dLibNull/PlatformPasswordLibNull.uni b/Platform/Intel/UserInterfaceFeatureP= kg/Library/PlatformPasswordLibNull/PlatformPasswordLibNull.uni new file mode 100644 index 0000000000..8a4904f91a --- /dev/null +++ b/Platform/Intel/UserInterfaceFeaturePkg/Library/PlatformPasswordLibNul= l/PlatformPasswordLibNull.uni @@ -0,0 +1,19 @@ +// /** @file +// NULL platform password library instance that returns the password clear= state based upon PCD. +// +// NULL PlatformPasswordLib instance does NOT really detect whether the pa= ssword is cleared +// but returns the PCD value directly. This instance can be used to verify= security +// related features during platform enabling and development. It should be= replaced +// by a platform-specific method(e.g. Button pressed) in a real platform f= or product. +// +// Copyright (c) 2017, Intel Corporation. All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +// **/ + + +#string STR_MODULE_ABSTRACT #language en-US "NULL platform pas= sword library instance that returns the password clear state based upon PCD= ." + +#string STR_MODULE_DESCRIPTION #language en-US "NULL PlatformPass= wordLib instance does NOT really detect whether the password is cleared but= returns the PCD value directly. This instance can be used to verify securi= ty related features during platform enabling and development. It should be = replaced by a platform-specific method(e.g. Button pressed) in a real platf= orm for product." + diff --git a/Platform/Intel/UserInterfaceFeaturePkg/Library/UserPasswordLib= /UserPasswordLib.c b/Platform/Intel/UserInterfaceFeaturePkg/Library/UserPas= swordLib/UserPasswordLib.c new file mode 100644 index 0000000000..6bd51995b6 --- /dev/null +++ b/Platform/Intel/UserInterfaceFeaturePkg/Library/UserPasswordLib/UserPa= sswordLib.c @@ -0,0 +1,274 @@ +/** @file + UserPasswordLib instance implementation provides services to + set/verify password and return if the password is set. + + Copyright (c) 2018, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include + +#include +#include + +#include +#include +#include +#include + +/** + Initialize the communicate buffer using DataSize and Function. + + @param[out] DataPtr Points to the data in the communicate = buffer. + @param[in] DataSize The data size to send to SMM. + @param[in] Function The function number to initialize the = communicate header. + + @return Communicate buffer. +**/ +VOID* +UserPasswordLibInitCommunicateBuffer ( + OUT VOID **DataPtr OPTIONAL, + IN UINTN DataSize, + IN UINTN Function + ) +{ + EFI_SMM_COMMUNICATE_HEADER *SmmCommunicateHeader; + SMM_PASSWORD_COMMUNICATE_HEADER *SmmPasswordFunctionHeader; + VOID *Buffer; + EDKII_PI_SMM_COMMUNICATION_REGION_TABLE *SmmCommRegionTable; + EFI_MEMORY_DESCRIPTOR *SmmCommMemRegion; + UINTN Index; + UINTN Size; + EFI_STATUS Status; + + Buffer =3D NULL; + Status =3D EfiGetSystemConfigurationTable ( + &gEdkiiPiSmmCommunicationRegionTableGuid, + (VOID **) &SmmCommRegionTable + ); + if (EFI_ERROR (Status)) { + return NULL; + } + ASSERT (SmmCommRegionTable !=3D NULL); + SmmCommMemRegion =3D (EFI_MEMORY_DESCRIPTOR *) (SmmCommRegionTable + 1); + Size =3D 0; + for (Index =3D 0; Index < SmmCommRegionTable->NumberOfEntries; Index++) { + if (SmmCommMemRegion->Type =3D=3D EfiConventionalMemory) { + Size =3D EFI_PAGES_TO_SIZE ((UINTN) SmmCommMemRegion->NumberOfPages); + if (Size >=3D (DataSize + OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Dat= a) + sizeof (SMM_PASSWORD_COMMUNICATE_HEADER))) { + break; + } + } + SmmCommMemRegion =3D (EFI_MEMORY_DESCRIPTOR *) ((UINT8 *) SmmCommMemRe= gion + SmmCommRegionTable->DescriptorSize); + } + ASSERT (Index < SmmCommRegionTable->NumberOfEntries); + + Buffer =3D (VOID*)(UINTN)SmmCommMemRegion->PhysicalStart; + ASSERT (Buffer !=3D NULL); + SmmCommunicateHeader =3D (EFI_SMM_COMMUNICATE_HEADER *) Buffer; + CopyGuid (&SmmCommunicateHeader->HeaderGuid, &gUserAuthenticationGuid); + SmmCommunicateHeader->MessageLength =3D DataSize + sizeof (SMM_PASSWORD_= COMMUNICATE_HEADER); + + SmmPasswordFunctionHeader =3D (SMM_PASSWORD_COMMUNICATE_HEADER *) SmmCom= municateHeader->Data; + ZeroMem (SmmPasswordFunctionHeader, DataSize + sizeof (SMM_PASSWORD_COMM= UNICATE_HEADER)); + SmmPasswordFunctionHeader->Function =3D Function; + if (DataPtr !=3D NULL) { + *DataPtr =3D SmmPasswordFunctionHeader + 1; + } + + return Buffer; +} + +/** + Send the data in communicate buffer to SMM. + + @param[in] Buffer Points to the data in the communicat= e buffer. + @param[in] DataSize The data size to send to SMM. + + @retval EFI_SUCCESS Success is returned from the functio= n in SMM. + @retval Others Failure is returned from the functio= n in SMM. + +**/ +EFI_STATUS +UserPasswordLibSendCommunicateBuffer ( + IN VOID *Buffer, + IN UINTN DataSize + ) +{ + EFI_STATUS Status; + UINTN CommSize; + EFI_SMM_COMMUNICATE_HEADER *SmmCommunicateHeader; + SMM_PASSWORD_COMMUNICATE_HEADER *SmmPasswordFunctionHeader; + EFI_SMM_COMMUNICATION_PROTOCOL *SmmCommunication; + + // + // Locates SMM Communication protocol. + // + Status =3D gBS->LocateProtocol (&gEfiSmmCommunicationProtocolGuid, NULL,= (VOID **) &SmmCommunication); + ASSERT_EFI_ERROR (Status); + + CommSize =3D DataSize + OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data) + s= izeof (SMM_PASSWORD_COMMUNICATE_HEADER); + + Status =3D SmmCommunication->Communicate (SmmCommunication, Buffer, &Com= mSize); + ASSERT_EFI_ERROR (Status); + + SmmCommunicateHeader =3D (EFI_SMM_COMMUNICATE_HEADER *) Buffer; + SmmPasswordFunctionHeader =3D (SMM_PASSWORD_COMMUNICATE_HEADER *)SmmComm= unicateHeader->Data; + return SmmPasswordFunctionHeader->ReturnStatus; +} + +/** + Validate if the password is correct. + + @param[in] Password The user input password. + @param[in] PasswordSize The size of Password in byte. + + @retval EFI_SUCCESS The password is correct. + @retval EFI_SECURITY_VIOLATION The password is incorrect. + @retval EFI_INVALID_PARAMETER The password or size is invalid. + @retval EFI_OUT_OF_RESOURCES Insufficient resources to verify the p= assword. + @retval EFI_ACCESS_DENIED Password retry count reach. +**/ +EFI_STATUS +EFIAPI +VerifyPassword ( + IN CHAR16 *Password, + IN UINTN PasswordSize + ) +{ + EFI_STATUS Status; + VOID *Buffer; + SMM_PASSWORD_COMMUNICATE_VERIFY_PASSWORD *VerifyPassword; + + ASSERT (Password !=3D NULL); + + if (PasswordSize > sizeof(VerifyPassword->Password) * sizeof(CHAR16)) { + return EFI_INVALID_PARAMETER; + } + + Buffer =3D UserPasswordLibInitCommunicateBuffer ( + (VOID**)&VerifyPassword, + sizeof(*VerifyPassword), + SMM_PASSWORD_FUNCTION_VERIFY_PASSWORD + ); + if (Buffer =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + Status =3D UnicodeStrToAsciiStrS (Password, VerifyPassword->Password, si= zeof(VerifyPassword->Password)); + if (EFI_ERROR(Status)) { + goto EXIT; + } + + Status =3D UserPasswordLibSendCommunicateBuffer (Buffer, sizeof(*VerifyP= assword)); + +EXIT: + ZeroMem (VerifyPassword, sizeof(*VerifyPassword)); + return Status; +} + +/** + Set a new password. + + @param[in] NewPassword The user input new password. + NULL means clear password. + @param[in] NewPasswordSize The size of NewPassword in byte. + @param[in] OldPassword The user input old password. + NULL means no old password. + @param[in] OldPasswordSize The size of OldPassword in byte. + + @retval EFI_SUCCESS The NewPassword is set successfully. + @retval EFI_SECURITY_VIOLATION The OldPassword is incorrect. + @retval EFI_INVALID_PARAMETER The password or size is invalid. + @retval EFI_OUT_OF_RESOURCES Insufficient resources to set the pass= word. + @retval EFI_ACCESS_DENIED Password retry count reach. + @retval EFI_UNSUPPORTED NewPassword is not strong enough. + @retval EFI_ALREADY_STARTED NewPassword is in history. +**/ +EFI_STATUS +EFIAPI +SetPassword ( + IN CHAR16 *NewPassword, OPTIONAL + IN UINTN NewPasswordSize, + IN CHAR16 *OldPassword, OPTIONAL + IN UINTN OldPasswordSize + ) +{ + EFI_STATUS Status; + VOID *Buffer; + SMM_PASSWORD_COMMUNICATE_SET_PASSWORD *SetPassword; + + if (NewPasswordSize > sizeof(SetPassword->NewPassword) * sizeof(CHAR16))= { + return EFI_INVALID_PARAMETER; + } + if (OldPasswordSize > sizeof(SetPassword->OldPassword) * sizeof(CHAR16))= { + return EFI_INVALID_PARAMETER; + } + + Buffer =3D UserPasswordLibInitCommunicateBuffer ( + (VOID**)&SetPassword, + sizeof(*SetPassword), + SMM_PASSWORD_FUNCTION_SET_PASSWORD + ); + if (Buffer =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + if (NewPassword !=3D NULL) { + Status =3D UnicodeStrToAsciiStrS (NewPassword, SetPassword->NewPasswor= d, sizeof(SetPassword->NewPassword)); + if (EFI_ERROR(Status)) { + goto EXIT; + } + } else { + SetPassword->NewPassword[0] =3D 0; + } + + if (OldPassword !=3D NULL) { + Status =3D UnicodeStrToAsciiStrS (OldPassword, SetPassword->OldPasswor= d, sizeof(SetPassword->OldPassword)); + if (EFI_ERROR(Status)) { + goto EXIT; + } + } else { + SetPassword->OldPassword[0] =3D 0; + } + + Status =3D UserPasswordLibSendCommunicateBuffer (Buffer, sizeof(*SetPass= word)); + +EXIT: + ZeroMem (SetPassword, sizeof(*SetPassword)); + return Status; +} + +/** + Return if the password is set. + + @retval TRUE The password is set. + @retval FALSE The password is not set. +**/ +BOOLEAN +EFIAPI +IsPasswordInstalled ( + VOID + ) +{ + EFI_STATUS Status; + VOID *Buffer; + + Buffer =3D UserPasswordLibInitCommunicateBuffer ( + NULL, + 0, + SMM_PASSWORD_FUNCTION_IS_PASSWORD_SET + ); + if (Buffer =3D=3D NULL) { + return FALSE; + } + + Status =3D UserPasswordLibSendCommunicateBuffer (Buffer, 0); + if (EFI_ERROR (Status)) { + return FALSE; + } + + return TRUE; +} + diff --git a/Platform/Intel/UserInterfaceFeaturePkg/Library/UserPasswordLib= /UserPasswordLib.inf b/Platform/Intel/UserInterfaceFeaturePkg/Library/UserP= asswordLib/UserPasswordLib.inf new file mode 100644 index 0000000000..be8cd5a8a8 --- /dev/null +++ b/Platform/Intel/UserInterfaceFeaturePkg/Library/UserPasswordLib/UserPa= sswordLib.inf @@ -0,0 +1,37 @@ +## @file +# UserPasswordLib instance provides services to set/verify password +# and return if the password is set. +# +# Copyright (c) 2018, Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D UserPasswordLib + FILE_GUID =3D 422BA58A-F162-4ECC-BD9A-AD84FE940F37 + MODULE_TYPE =3D DXE_DRIVER + VERSION_STRING =3D 1.0 + LIBRARY_CLASS =3D UserPasswordLib|DXE_RUNTIME_DRIVER DX= E_SMM_DRIVER DXE_DRIVER UEFI_APPLICATION + +[Sources] + UserPasswordLib.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + UserInterfaceFeaturePkg/UserInterfaceFeaturePkg.dec + +[LibraryClasses] + UefiBootServicesTableLib + DebugLib + UefiLib + BaseMemoryLib + +[Guids] + gUserAuthenticationGuid ## CONSUMES ## GUID + gEdkiiPiSmmCommunicationRegionTableGuid ## CONSUMES ## SystemTable + +[Protocols] + gEfiSmmCommunicationProtocolGuid ## CONSUMES diff --git a/Platform/Intel/UserInterfaceFeaturePkg/Library/UserPasswordUiL= ib/UserPasswordUiLib.c b/Platform/Intel/UserInterfaceFeaturePkg/Library/Use= rPasswordUiLib/UserPasswordUiLib.c new file mode 100644 index 0000000000..7edf2af954 --- /dev/null +++ b/Platform/Intel/UserInterfaceFeaturePkg/Library/UserPasswordUiLib/User= PasswordUiLib.c @@ -0,0 +1,522 @@ +/** @file + UserPasswordUiLib instance provides services to do password authenticati= on. + + Copyright (c) 2018, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include + +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +/** + Initialize the communicate buffer using DataSize and Function. + + @param[out] DataPtr Points to the data in the communicate = buffer. + @param[in] DataSize The data size to send to SMM. + @param[in] Function The function number to initialize the = communicate header. + + @return Communicate buffer. +**/ +VOID* +UserPasswordUiLibInitCommunicateBuffer ( + OUT VOID **DataPtr OPTIONAL, + IN UINTN DataSize, + IN UINTN Function + ) +{ + EFI_SMM_COMMUNICATE_HEADER *SmmCommunicateHeader; + SMM_PASSWORD_COMMUNICATE_HEADER *SmmPasswordFunctionHeader; + VOID *Buffer; + EDKII_PI_SMM_COMMUNICATION_REGION_TABLE *SmmCommRegionTable; + EFI_MEMORY_DESCRIPTOR *SmmCommMemRegion; + UINTN Index; + UINTN Size; + EFI_STATUS Status; + + Buffer =3D NULL; + Status =3D EfiGetSystemConfigurationTable ( + &gEdkiiPiSmmCommunicationRegionTableGuid, + (VOID **) &SmmCommRegionTable + ); + if (EFI_ERROR (Status)) { + return NULL; + } + ASSERT (SmmCommRegionTable !=3D NULL); + SmmCommMemRegion =3D (EFI_MEMORY_DESCRIPTOR *) (SmmCommRegionTable + 1); + Size =3D 0; + for (Index =3D 0; Index < SmmCommRegionTable->NumberOfEntries; Index++) { + if (SmmCommMemRegion->Type =3D=3D EfiConventionalMemory) { + Size =3D EFI_PAGES_TO_SIZE ((UINTN) SmmCommMemRegion->NumberOfPages); + if (Size >=3D (DataSize + OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Dat= a) + sizeof (SMM_PASSWORD_COMMUNICATE_HEADER))) { + break; + } + } + SmmCommMemRegion =3D (EFI_MEMORY_DESCRIPTOR *) ((UINT8 *) SmmCommMemRe= gion + SmmCommRegionTable->DescriptorSize); + } + ASSERT (Index < SmmCommRegionTable->NumberOfEntries); + + Buffer =3D (VOID*)(UINTN)SmmCommMemRegion->PhysicalStart; + ASSERT (Buffer !=3D NULL); + SmmCommunicateHeader =3D (EFI_SMM_COMMUNICATE_HEADER *) Buffer; + CopyGuid (&SmmCommunicateHeader->HeaderGuid, &gUserAuthenticationGuid); + SmmCommunicateHeader->MessageLength =3D DataSize + sizeof (SMM_PASSWORD_= COMMUNICATE_HEADER); + + SmmPasswordFunctionHeader =3D (SMM_PASSWORD_COMMUNICATE_HEADER *) SmmCom= municateHeader->Data; + ZeroMem (SmmPasswordFunctionHeader, DataSize + sizeof (SMM_PASSWORD_COMM= UNICATE_HEADER)); + SmmPasswordFunctionHeader->Function =3D Function; + if (DataPtr !=3D NULL) { + *DataPtr =3D SmmPasswordFunctionHeader + 1; + } + + return Buffer; +} + +/** + Send the data in communicate buffer to SMM. + + @param[in] Buffer Points to the data in the communicat= e buffer. + @param[in] DataSize The data size to send to SMM. + + @retval EFI_SUCCESS Success is returned from the functio= n in SMM. + @retval Others Failure is returned from the functio= n in SMM. + +**/ +EFI_STATUS +UserPasswordUiLibSendCommunicateBuffer ( + IN VOID *Buffer, + IN UINTN DataSize + ) +{ + EFI_STATUS Status; + UINTN CommSize; + EFI_SMM_COMMUNICATE_HEADER *SmmCommunicateHeader; + SMM_PASSWORD_COMMUNICATE_HEADER *SmmPasswordFunctionHeader; + EFI_SMM_COMMUNICATION_PROTOCOL *SmmCommunication; + + // + // Locates SMM Communication protocol. + // + Status =3D gBS->LocateProtocol (&gEfiSmmCommunicationProtocolGuid, NULL,= (VOID **) &SmmCommunication); + ASSERT_EFI_ERROR (Status); + + CommSize =3D DataSize + OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data) + s= izeof (SMM_PASSWORD_COMMUNICATE_HEADER); + + Status =3D SmmCommunication->Communicate (SmmCommunication, Buffer, &Com= mSize); + ASSERT_EFI_ERROR (Status); + + SmmCommunicateHeader =3D (EFI_SMM_COMMUNICATE_HEADER *) Buffer; + SmmPasswordFunctionHeader =3D (SMM_PASSWORD_COMMUNICATE_HEADER *)SmmComm= unicateHeader->Data; + return SmmPasswordFunctionHeader->ReturnStatus; +} + +/** + Set password verification policy. + + @param[in] NeedReVerify Need re-verify or not. + + @retval EFI_SUCCESS Set verification policy successfully. + @retval EFI_OUT_OF_RESOURCES Insufficient resources to set verifica= tion policy. +**/ +EFI_STATUS +EFIAPI +UiSetPasswordVerificationPolicy ( + IN BOOLEAN NeedReVerify + ) +{ + VOID *Buffer; + SMM_PASSWORD_COMMUNICATE_VERIFY_POLICY *SetVerifyPolicy; + + Buffer =3D UserPasswordUiLibInitCommunicateBuffer ( + (VOID**)&SetVerifyPolicy, + sizeof(*SetVerifyPolicy), + SMM_PASSWORD_FUNCTION_SET_VERIFY_POLICY + ); + if (Buffer =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + SetVerifyPolicy->NeedReVerify =3D NeedReVerify; + + return UserPasswordUiLibSendCommunicateBuffer (Buffer, sizeof(*SetVerify= Policy)); +} + +/** + Get a user input string. + + @param[in] PopUpString A popup string to inform user. + @param[in, out] UserInput The user input string + @param[in] UserInputMaxLen The max unicode count of the UserInput= without NULL terminator. +**/ +EFI_STATUS +GetUserInput ( + IN CHAR16 *PopUpString, + IN OUT CHAR16 *UserInput, + IN UINTN UserInputMaxLen + ) +{ + EFI_INPUT_KEY InputKey; + UINTN InputLength; + CHAR16 *Mask; + + UserInput[0] =3D 0; + Mask =3D AllocateZeroPool ((UserInputMaxLen + 1) * sizeof(CHAR16)); + if (Mask =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + InputLength =3D 0; + + while (TRUE) { + if (InputLength < UserInputMaxLen) { + Mask[InputLength] =3D L'_'; + } + CreatePopUp ( + EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, + &InputKey, + PopUpString, + L"--------------------------------", + Mask, + NULL + ); + if (InputKey.ScanCode =3D=3D SCAN_NULL) { + // + // Check whether finish inputing password. + // + if (InputKey.UnicodeChar =3D=3D CHAR_CARRIAGE_RETURN && InputLength = > 0) { + // + // Add the null terminator. + // + UserInput[InputLength] =3D 0; + break; + } else if ((InputKey.UnicodeChar =3D=3D CHAR_NULL) || + (InputKey.UnicodeChar =3D=3D CHAR_LINEFEED) || + (InputKey.UnicodeChar =3D=3D CHAR_CARRIAGE_RETURN) + ) { + continue; + } else { + // + // delete last key entered + // + if (InputKey.UnicodeChar =3D=3D CHAR_BACKSPACE) { + if (InputLength > 0) { + UserInput[InputLength] =3D 0; + Mask[InputLength] =3D 0; + InputLength--; + } + } else { + if (InputLength =3D=3D UserInputMaxLen) { + Mask[InputLength] =3D 0; + continue; + } + // + // add Next key entry + // + UserInput[InputLength] =3D InputKey.UnicodeChar; + Mask[InputLength] =3D L'*'; + InputLength++; + } + } + } + } + FreePool (Mask); + return EFI_SUCCESS; +} + +/** + Display a message box to end user. + + @param[in] DisplayString The string in message box. +**/ +VOID +MessageBox ( + IN CHAR16 *DisplayString + ) +{ + EFI_INPUT_KEY Key; + + do { + CreatePopUp ( + EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, + &Key, + L"", + DisplayString, + L"Press ENTER to continue ...", + L"", + NULL + ); + } while (Key.UnicodeChar !=3D CHAR_CARRIAGE_RETURN); +} + +/** + Force system reset. +**/ +VOID +ForceSystemReset ( + VOID + ) +{ + MessageBox (L"Password retry count reach, reset system!"); + gRT->ResetSystem (EfiResetCold, EFI_SUCCESS, 0, NULL); + CpuDeadLoop(); +} + +/** + Display message for set password. + + @param[in] ReturnStatus The return status for set password. +**/ +VOID +PrintSetPasswordStatus ( + IN EFI_STATUS ReturnStatus + ) +{ + CHAR16 *DisplayString; + CHAR16 *DisplayString2; + + EFI_INPUT_KEY Key; + + if (ReturnStatus =3D=3D EFI_UNSUPPORTED) { + DisplayString =3D L"New password is not strong enough!"; + DisplayString2 =3D L"Password must at least 8 chars and include lowerc= ase, uppercase alphabetic, number and symbol"; + + do { + CreatePopUp ( + EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, + &Key, + L"", + DisplayString, + DisplayString2, + L"Press ENTER to continue ...", + L"", + NULL + ); + } while (Key.UnicodeChar !=3D CHAR_CARRIAGE_RETURN); + } else { + if (ReturnStatus =3D=3D EFI_SUCCESS) { + DisplayString =3D L"New password is updated successfully!"; + } else if (ReturnStatus =3D=3D EFI_ALREADY_STARTED) { + DisplayString =3D L"New password is found in the history passwords!"; + } else { + DisplayString =3D L"New password update fails!"; + } + + do { + CreatePopUp ( + EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, + &Key, + L"", + DisplayString, + L"Press ENTER to continue ...", + L"", + NULL + ); + } while (Key.UnicodeChar !=3D CHAR_CARRIAGE_RETURN); + } +} + +/** + Get password verification policy. + + @param[out] VerifyPolicy Verification policy. + + @retval EFI_SUCCESS Get verification policy successfully. + @retval EFI_OUT_OF_RESOURCES Insufficient resources to get verifica= tion policy. +**/ +EFI_STATUS +GetPasswordVerificationPolicy ( + OUT SMM_PASSWORD_COMMUNICATE_VERIFY_POLICY *VerifyPolicy + ) +{ + EFI_STATUS Status; + VOID *Buffer; + SMM_PASSWORD_COMMUNICATE_VERIFY_POLICY *TempVerifyPolicy; + + Buffer =3D UserPasswordUiLibInitCommunicateBuffer ( + (VOID**)&TempVerifyPolicy, + sizeof(*TempVerifyPolicy), + SMM_PASSWORD_FUNCTION_GET_VERIFY_POLICY + ); + if (Buffer =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + Status =3D UserPasswordUiLibSendCommunicateBuffer (Buffer, sizeof(*TempV= erifyPolicy)); + if (!EFI_ERROR (Status)) { + CopyMem (VerifyPolicy, TempVerifyPolicy, sizeof (SMM_PASSWORD_COMMUNIC= ATE_VERIFY_POLICY)); + } + + return Status; +} + +/** + Return if the password was verified. + + @retval TRUE The password was verified. + @retval FALSE The password was not verified. +**/ +BOOLEAN +WasPasswordVerified ( + VOID + ) +{ + EFI_STATUS Status; + VOID *Buffer; + + Buffer =3D UserPasswordUiLibInitCommunicateBuffer ( + NULL, + 0, + SMM_PASSWORD_FUNCTION_WAS_PASSWORD_VERIFIED + ); + if (Buffer =3D=3D NULL) { + return FALSE; + } + + Status =3D UserPasswordUiLibSendCommunicateBuffer (Buffer, 0); + if (EFI_ERROR (Status)) { + return FALSE; + } + + return TRUE; +} + +/** + Require user input password. + + @retval TRUE User input correct password successfully. + @retval FALSE The password is not set. +**/ +BOOLEAN +RequireUserPassword ( + VOID + ) +{ + EFI_STATUS Status; + CHAR16 UserInputPw[PASSWORD_MAX_SIZE]; + CHAR16 *PopUpString; + SMM_PASSWORD_COMMUNICATE_VERIFY_POLICY VerifyPolicy; + + Status =3D EFI_SUCCESS; + ZeroMem(UserInputPw, sizeof(UserInputPw)); + + if (!IsPasswordInstalled ()) { + return FALSE; + } + + Status =3D GetPasswordVerificationPolicy (&VerifyPolicy); + if (!EFI_ERROR (Status)) { + if (WasPasswordVerified() && (!VerifyPolicy.NeedReVerify)) { + DEBUG ((DEBUG_INFO, "Password was verified and Re-verify is not need= ed\n")); + return TRUE; + } + } + + PopUpString =3D L"Please input admin password"; + + while (TRUE) { + gST->ConOut->ClearScreen(gST->ConOut); + GetUserInput (PopUpString, UserInputPw, PASSWORD_MAX_SIZE - 1); + + Status =3D VerifyPassword (UserInputPw, StrSize(UserInputPw)); + if (!EFI_ERROR(Status)) { + break; + } + if (Status =3D=3D EFI_ACCESS_DENIED) { + // + // Password retry count reach. + // + ForceSystemReset (); + } + MessageBox (L"Incorrect password!"); + } + + ZeroMem(UserInputPw, sizeof(UserInputPw)); + + gST->ConOut->ClearScreen(gST->ConOut); + + return TRUE; +} + +/** + Set user password. + +**/ +VOID +SetUserPassword ( + VOID + ) +{ + EFI_STATUS Status; + CHAR16 UserInputPw[PASSWORD_MAX_SIZE]; + CHAR16 TmpPassword[PASSWORD_MAX_SIZE]; + CHAR16 *PopUpString; + CHAR16 *PopUpString2; + + ZeroMem(UserInputPw, sizeof(UserInputPw)); + ZeroMem(TmpPassword, sizeof(TmpPassword)); + + PopUpString =3D L"Please set admin password"; + + while (TRUE) { + gST->ConOut->ClearScreen(gST->ConOut); + GetUserInput (PopUpString, UserInputPw, PASSWORD_MAX_SIZE - 1); + + PopUpString2 =3D L"Please confirm your new password"; + gST->ConOut->ClearScreen(gST->ConOut); + GetUserInput (PopUpString2, TmpPassword, PASSWORD_MAX_SIZE - 1); + if (StrCmp (TmpPassword, UserInputPw) !=3D 0) { + MessageBox (L"Password are not the same!"); + continue; + } + + Status =3D SetPassword (UserInputPw, StrSize(UserInputPw), NULL, 0); + PrintSetPasswordStatus (Status); + if (!EFI_ERROR(Status)) { + break; + } + } + + ZeroMem(UserInputPw, sizeof(UserInputPw)); + ZeroMem(TmpPassword, sizeof(TmpPassword)); + + gST->ConOut->ClearScreen(gST->ConOut); +} + +/** + Do password authentication. + + @retval EFI_SUCCESS Password authentication pass. +**/ +EFI_STATUS +EFIAPI +UiDoPasswordAuthentication ( + VOID + ) +{ + BOOLEAN PasswordSet; + + PasswordSet =3D RequireUserPassword (); + if (PasswordSet) { + DEBUG ((DEBUG_INFO, "Welcome Admin!\n")); + } else { + DEBUG ((DEBUG_INFO, "Admin password is not set!\n")); + if (NeedEnrollPassword()) { + SetUserPassword (); + } + } + + return EFI_SUCCESS; +} + diff --git a/Platform/Intel/UserInterfaceFeaturePkg/Library/UserPasswordUiL= ib/UserPasswordUiLib.inf b/Platform/Intel/UserInterfaceFeaturePkg/Library/U= serPasswordUiLib/UserPasswordUiLib.inf new file mode 100644 index 0000000000..5126115ca4 --- /dev/null +++ b/Platform/Intel/UserInterfaceFeaturePkg/Library/UserPasswordUiLib/User= PasswordUiLib.inf @@ -0,0 +1,41 @@ +## @file +# UserPasswordUiLib instance provides services to do password authenticat= ion. +# +# Copyright (c) 2018, Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D UserPasswordUiLib + FILE_GUID =3D E2E92636-F511-46BC-A08B-02F815AFA884 + MODULE_TYPE =3D DXE_DRIVER + VERSION_STRING =3D 1.0 + LIBRARY_CLASS =3D UserPasswordUiLib|DXE_RUNTIME_DRIVER = DXE_SMM_DRIVER DXE_DRIVER UEFI_APPLICATION + +[Sources] + UserPasswordUiLib.c + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + UserInterfaceFeaturePkg/UserInterfaceFeaturePkg.dec + +[LibraryClasses] + UefiBootServicesTableLib + UefiRuntimeServicesTableLib + DebugLib + UefiLib + MemoryAllocationLib + BaseMemoryLib + PrintLib + PlatformPasswordLib + UserPasswordLib + +[Guids] + gUserAuthenticationGuid ## CONSUMES ## GUID + gEdkiiPiSmmCommunicationRegionTableGuid ## CONSUMES ## SystemTable + +[Protocols] + gEfiSmmCommunicationProtocolGuid ## CONSUMES diff --git a/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentication/KeyS= ervice.c b/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentication/KeySer= vice.c new file mode 100644 index 0000000000..d1f87c787b --- /dev/null +++ b/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentication/KeyService.c @@ -0,0 +1,133 @@ +/** @file + Password key service. + + Copyright (c) 2017 - 2018, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include +#include +#include +#include +#include "KeyService.h" + +/** + Compares the contents of two buffers with slow algorithm + + This function compares Length bytes of SourceBuffer to Length bytes of D= estinationBuffer. + If all Length bytes of the two buffers are identical, then 0 is returned= . Otherwise, the + value returned is the first mismatched byte in SourceBuffer subtracted f= rom the first + mismatched byte in DestinationBuffer. + + If Length > 0 and DestinationBuffer is NULL, then ASSERT(). + If Length > 0 and SourceBuffer is NULL, then ASSERT(). + If Length is greater than (MAX_ADDRESS - DestinationBuffer + 1), then AS= SERT(). + If Length is greater than (MAX_ADDRESS - SourceBuffer + 1), then ASSERT(= ). + + @param DestinationBuffer The pointer to the destination buffer to compa= re. + @param SourceBuffer The pointer to the source buffer to compare. + @param Length The number of bytes to compare. + + @return 0 All Length bytes of the two buffers are identi= cal. + @retval -1 The SourceBuffer is not identical to Destinati= onBuffer. + +**/ +INTN +EFIAPI +KeyLibSlowCompareMem ( + IN CONST VOID *DestinationBuffer, + IN CONST VOID *SourceBuffer, + IN UINTN Length + ) +{ + UINT8 Delta; + UINTN Index; + UINT8 *Destination; + UINT8 *Source; + + Destination =3D (UINT8 *)DestinationBuffer; + Source =3D (UINT8 *)SourceBuffer; + Delta =3D 0; + for (Index =3D 0; Index < Length; Index++) { + Delta |=3D Destination[Index] ^ Source[Index]; + } + if (Delta =3D=3D 0) { + return 0; + } else { + return -1; + } +} + +/** + Generate Salt value. + + @param[in, out] SaltValue Points to the salt buffer + @param[in] SaltSize Size of the salt buffer + + @retval TRUE Salt is generated. + @retval FALSE Salt is not generated. +**/ +BOOLEAN +EFIAPI +KeyLibGenerateSalt ( + IN OUT UINT8 *SaltValue, + IN UINTN SaltSize + ) +{ + if (SaltValue =3D=3D NULL) { + return FALSE; + } + RandomSeed(NULL, 0); + RandomBytes(SaltValue, SaltSize); + return TRUE; +} + +/** + Hash the password with PBKDF2. + + @param[in] HashType Hash type + @param[in] Key Points to the key buffer + @param[in] KeySize Key buffer size + @param[in] SaltValue Points to the salt buffer + @param[in] SaltSize Size of the salt buffer + @param[out] KeyHash Points to the hashed result + @param[in] KeyHashSize Size of the hash buffer + + @retval TRUE Hash the data successfully. + @retval FALSE Failed to hash the data. + +**/ +BOOLEAN +EFIAPI +KeyLibGeneratePBKDF2Hash ( + IN UINT32 HashType, + IN VOID *Key, + IN UINTN KeySize, + IN UINT8 *SaltValue, + IN UINTN SaltSize, + OUT UINT8 *KeyHash, + IN UINTN KeyHashSize + ) +{ + BOOLEAN Result; + + if (HashType !=3D HASH_TYPE_SHA256) { + return FALSE; + } + if (KeyHashSize !=3D SHA256_DIGEST_SIZE) { + return FALSE; + } + + Result =3D Pkcs5HashPassword ( + KeySize, + Key, + SaltSize, + SaltValue, + DEFAULT_PBKDF2_ITERATION_COUNT, + SHA256_DIGEST_SIZE, + KeyHashSize, + KeyHash + ); + return Result; +} diff --git a/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentication/KeyS= ervice.h b/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentication/KeySer= vice.h new file mode 100644 index 0000000000..9b16b1bdbd --- /dev/null +++ b/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentication/KeyService.h @@ -0,0 +1,88 @@ +/** @file + Header file for key service. + + Copyright (c) 2017 - 2018, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef __KEY_LIB_H__ +#define __KEY_LIB_H__ + +/** + Compares the contents of two buffers with slow algorithm + + This function compares Length bytes of SourceBuffer to Length bytes of D= estinationBuffer. + If all Length bytes of the two buffers are identical, then 0 is returned= . Otherwise, the + value returned is the first mismatched byte in SourceBuffer subtracted f= rom the first + mismatched byte in DestinationBuffer. + + If Length > 0 and DestinationBuffer is NULL, then ASSERT(). + If Length > 0 and SourceBuffer is NULL, then ASSERT(). + If Length is greater than (MAX_ADDRESS - DestinationBuffer + 1), then AS= SERT(). + If Length is greater than (MAX_ADDRESS - SourceBuffer + 1), then ASSERT(= ). + + @param DestinationBuffer The pointer to the destination buffer to compa= re. + @param SourceBuffer The pointer to the source buffer to compare. + @param Length The number of bytes to compare. + + @return 0 All Length bytes of the two buffers are identi= cal. + @retval -1 The SourceBuffer is not identical to Destinati= onBuffer. + +**/ +INTN +EFIAPI +KeyLibSlowCompareMem ( + IN CONST VOID *DestinationBuffer, + IN CONST VOID *SourceBuffer, + IN UINTN Length + ); + +/** + Generate Salt value. + + @param[in, out] SaltValue Points to the salt buffer + @param[in] SaltSize Size of the salt buffer + + @retval TRUE Salt is generated. + @retval FALSE Salt is not generated. +**/ +BOOLEAN +EFIAPI +KeyLibGenerateSalt( + IN OUT UINT8 *SaltValue, + IN UINTN SaltSize + ); + +#define HASH_TYPE_SHA256 0x000B +#define DEFAULT_PBKDF2_ITERATION_COUNT 1000 + +/** + Hash the password with PBKDF2. + + @param[in] HashType Hash type + @param[in] Key Points to the key buffer + @param[in] KeySize Key buffer size + @param[in] SaltValue Points to the salt buffer + @param[in] SaltSize Size of the salt buffer + @param[out] KeyHash Points to the hashed result + @param[in] KeyHashSize Size of the hash buffer + + @retval TRUE Hash the data successfully. + @retval FALSE Failed to hash the data. + +**/ +BOOLEAN +EFIAPI +KeyLibGeneratePBKDF2Hash ( + IN UINT32 HashType, + IN VOID *Key, + IN UINTN KeySize, + IN UINT8 *SaltValue, + IN UINTN SaltSize, + OUT UINT8 *KeyHash, + IN UINTN KeyHashSize + ); + +#endif + diff --git a/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentication/User= Authentication2Dxe.c b/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentic= ation/UserAuthentication2Dxe.c new file mode 100644 index 0000000000..82f9494333 --- /dev/null +++ b/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentication/UserAuthent= ication2Dxe.c @@ -0,0 +1,478 @@ +/** @file + This Driver mainly provides Setup Form to change password. + + Copyright (c) 2018, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "UserAuthentication2Dxe.h" + +USER_AUTHENTICATION_PRIVATE_DATA *mUserAuthenticationData =3D NULL; + +EFI_GUID mUserAuthenticationVendorGuid =3D USER_AUTHENTICATION_FORMSET_GUI= D; +HII_VENDOR_DEVICE_PATH mHiiVendorDevicePath =3D { + { + { + HARDWARE_DEVICE_PATH, + HW_VENDOR_DP, + { + (UINT8) (sizeof (VENDOR_DEVICE_PATH)), + (UINT8) ((sizeof (VENDOR_DEVICE_PATH)) >> 8) + } + }, + USER_AUTHENTICATION_FORMSET_GUID + }, + { + END_DEVICE_PATH_TYPE, + END_ENTIRE_DEVICE_PATH_SUBTYPE, + { + (UINT8) (END_DEVICE_PATH_LENGTH), + (UINT8) ((END_DEVICE_PATH_LENGTH) >> 8) + } + } +}; + +/** + Display a message box to end user. + + @param[in] DisplayString The string in message box. +**/ +VOID +MessageBox ( + IN CHAR16 *DisplayString + ) +{ + EFI_INPUT_KEY Key; + + do { + CreatePopUp ( + EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, + &Key, + L"", + DisplayString, + L"Press ENTER to continue ...", + L"", + NULL + ); + } while (Key.UnicodeChar !=3D CHAR_CARRIAGE_RETURN); +} + +/** + Force system reset. +**/ +VOID +ForceSystemReset ( + VOID + ) +{ + MessageBox (L"Password retry count reach, reset system!"); + gRT->ResetSystem (EfiResetCold, EFI_SUCCESS, 0, NULL); + CpuDeadLoop(); +} + +/** + Display message for set password. + + @param[in] ReturnStatus The return status for set password. +**/ +VOID +PrintSetPasswordStatus ( + IN EFI_STATUS ReturnStatus + ) +{ + CHAR16 *DisplayString; + CHAR16 *DisplayString2; + + EFI_INPUT_KEY Key; + + if (ReturnStatus =3D=3D EFI_UNSUPPORTED) { + DisplayString =3D L"New password is not strong enough!"; + DisplayString2 =3D L"Password must at least 8 chars and include lowerc= ase, uppercase alphabetic, number and symbol"; + + do { + CreatePopUp ( + EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, + &Key, + L"", + DisplayString, + DisplayString2, + L"Press ENTER to continue ...", + L"", + NULL + ); + } while (Key.UnicodeChar !=3D CHAR_CARRIAGE_RETURN); + } else { + if (ReturnStatus =3D=3D EFI_SUCCESS) { + DisplayString =3D L"New password is updated successfully!"; + } else if (ReturnStatus =3D=3D EFI_ALREADY_STARTED) { + DisplayString =3D L"New password is found in the history passwords!"; + } else { + DisplayString =3D L"New password update fails!"; + } + + do { + CreatePopUp ( + EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, + &Key, + L"", + DisplayString, + L"Press ENTER to continue ...", + L"", + NULL + ); + } while (Key.UnicodeChar !=3D CHAR_CARRIAGE_RETURN); + } +} + +/** + This function allows a caller to extract the current configuration for o= ne + or more named elements from the target driver. + + @param This Points to the EFI_HII_CONFIG_ACCESS_PROTO= COL. + @param Request A null-terminated Unicode string in + format. + @param Progress On return, points to a character in the R= equest + string. Points to the string's null termi= nator if + request was successful. Points to the mos= t recent + '&' before the first failing name/value p= air (or + the beginning of the string if the failur= e is in + the first name/value pair) if the request= was not + successful. + @param Results A null-terminated Unicode string in + format which has all valu= es filled + in for the names in the Request string. S= tring to + be allocated by the called function. + + @retval EFI_SUCCESS The Results is filled with the requested = values. + @retval EFI_OUT_OF_RESOURCES Not enough memory to store the results. + @retval EFI_INVALID_PARAMETER Request is illegal syntax, or unknown nam= e. + @retval EFI_NOT_FOUND Routing data doesn't match any storage in= this + driver. + +**/ +EFI_STATUS +EFIAPI +ExtractConfig ( + IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This, + IN CONST EFI_STRING Request, + OUT EFI_STRING *Progress, + OUT EFI_STRING *Results + ) +{ + if (Progress =3D=3D NULL || Results =3D=3D NULL) { + return EFI_INVALID_PARAMETER; + } + *Progress =3D Request; + return EFI_NOT_FOUND; +} + + +/** + This function processes the results of changes in configuration. + + @param This Points to the EFI_HII_CONFIG_ACCESS_PROTO= COL. + @param Configuration A null-terminated Unicode string in + format. + @param Progress A pointer to a string filled in with the = offset of + the most recent '&' before the first fail= ing + name/value pair (or the beginning of the = string if + the failure is in the first name/value pa= ir) or + the terminating NULL if all was successfu= l. + + @retval EFI_SUCCESS The Results is processed successfully. + @retval EFI_INVALID_PARAMETER Configuration is NULL. + @retval EFI_NOT_FOUND Routing data doesn't match any storage in= this + driver. + +**/ +EFI_STATUS +EFIAPI +RouteConfig ( + IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This, + IN CONST EFI_STRING Configuration, + OUT EFI_STRING *Progress + ) +{ + if (Configuration =3D=3D NULL || Progress =3D=3D NULL) { + return EFI_INVALID_PARAMETER; + } + + *Progress =3D Configuration; + + return EFI_NOT_FOUND; +} + +/** + HII update Admin Password status. + +**/ +VOID +HiiUpdateAdminPasswordStatus ( + VOID + ) +{ + if (IsPasswordInstalled ()) { + HiiSetString ( + mUserAuthenticationData->HiiHandle, + STRING_TOKEN (STR_ADMIN_PASSWORD_STS_CONTENT), + L"Installed", + NULL + ); + } else { + HiiSetString ( + mUserAuthenticationData->HiiHandle, + STRING_TOKEN (STR_ADMIN_PASSWORD_STS_CONTENT), + L"Not Installed", + NULL + ); + } +} + +/** + This function processes the results of changes in configuration. + + @param This Points to the EFI_HII_CONFIG_ACCESS_PROTO= COL. + @param Action Specifies the type of action taken by the= browser. + @param QuestionId A unique value which is sent to the origi= nal + exporting driver so that it can identify = the type + of data to expect. + @param Type The type of value for the question. + @param Value A pointer to the data being sent to the o= riginal + exporting driver. + @param ActionRequest On return, points to the action requested= by the + callback function. + + @retval EFI_SUCCESS The callback successfully handled the act= ion. + @retval EFI_OUT_OF_RESOURCES Not enough storage is available to hold t= he + variable and its data. + @retval EFI_DEVICE_ERROR The variable could not be saved. + @retval EFI_UNSUPPORTED The specified Action is not supported by = the + callback. + +**/ +EFI_STATUS +EFIAPI +UserAuthenticationCallback ( + IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This, + IN EFI_BROWSER_ACTION Action, + IN EFI_QUESTION_ID QuestionId, + IN UINT8 Type, + IN EFI_IFR_TYPE_VALUE *Value, + OUT EFI_BROWSER_ACTION_REQUEST *ActionRequest + ) +{ + EFI_STATUS Status; + CHAR16 *UserInputPassword; + + Status =3D EFI_SUCCESS; + + if (((Value =3D=3D NULL) && (Action !=3D EFI_BROWSER_ACTION_FORM_OPEN) &= & (Action !=3D EFI_BROWSER_ACTION_FORM_CLOSE)) || + (ActionRequest =3D=3D NULL)) { + return EFI_INVALID_PARAMETER; + } + + switch (Action) { + case EFI_BROWSER_ACTION_FORM_OPEN: + { + switch (QuestionId) { + case ADMIN_PASSWORD_KEY_ID: + HiiUpdateAdminPasswordStatus (); + default: + break; + } + } + break; + case EFI_BROWSER_ACTION_CHANGING: + { + switch (QuestionId) { + case ADMIN_PASSWORD_KEY_ID: + if ((Type =3D=3D EFI_IFR_TYPE_STRING) && (Value->string =3D=3D 0) = && + (mUserAuthenticationData->PasswordState =3D=3D BROWSER_STATE_S= ET_PASSWORD)) { + mUserAuthenticationData->PasswordState =3D BROWSER_STATE_VALIDAT= E_PASSWORD; + ZeroMem (mUserAuthenticationData->OldPassword, sizeof(mUserAuthe= nticationData->OldPassword)); + return EFI_INVALID_PARAMETER; + } + // + // The Callback is responsible for validating old password input b= y user, + // If Callback return EFI_SUCCESS, it indicates validation pass. + // + switch (mUserAuthenticationData->PasswordState) { + case BROWSER_STATE_VALIDATE_PASSWORD: + UserInputPassword =3D HiiGetString (mUserAuthenticationData->Hii= Handle, Value->string, NULL); + if ((StrLen (UserInputPassword) >=3D PASSWORD_MAX_SIZE)) { + Status =3D EFI_NOT_READY; + break; + } + if (UserInputPassword[0] =3D=3D 0) { + // + // Setup will use a NULL password to check whether the old pas= sword is set, + // If the validation is successful, means there is no old pass= word, return + // success to set the new password. Or need to return EFI_NOT_= READY to + // let user input the old password. + // + Status =3D VerifyPassword (UserInputPassword, StrSize (UserInp= utPassword)); + if (Status =3D=3D EFI_SUCCESS) { + mUserAuthenticationData->PasswordState =3D BROWSER_STATE_SET= _PASSWORD; + } else { + Status =3D EFI_NOT_READY; + } + break; + } + Status =3D VerifyPassword (UserInputPassword, StrSize (UserInput= Password)); + if (Status =3D=3D EFI_SUCCESS) { + mUserAuthenticationData->PasswordState =3D BROWSER_STATE_SET_P= ASSWORD; + StrCpyS ( + mUserAuthenticationData->OldPassword, + sizeof(mUserAuthenticationData->OldPassword)/sizeof(CHAR16), + UserInputPassword + ); + } else { + // + // Old password mismatch, return EFI_NOT_READY to prompt for e= rror message. + // + if (Status =3D=3D EFI_ACCESS_DENIED) { + // + // Password retry count reach. + // + ForceSystemReset (); + } + Status =3D EFI_NOT_READY; + } + break; + + case BROWSER_STATE_SET_PASSWORD: + UserInputPassword =3D HiiGetString (mUserAuthenticationData->Hii= Handle, Value->string, NULL); + if ((StrLen (UserInputPassword) >=3D PASSWORD_MAX_SIZE)) { + Status =3D EFI_NOT_READY; + break; + } + Status =3D SetPassword (UserInputPassword, StrSize (UserInputPas= sword), mUserAuthenticationData->OldPassword, StrSize(mUserAuthenticationDa= ta->OldPassword)); + PrintSetPasswordStatus (Status); + ZeroMem (mUserAuthenticationData->OldPassword, sizeof(mUserAuthe= nticationData->OldPassword)); + mUserAuthenticationData->PasswordState =3D BROWSER_STATE_VALIDAT= E_PASSWORD; + HiiUpdateAdminPasswordStatus (); + break; + + default: + break; + } + default: + break; + } + } + break; + default: + break; + } + return Status; +} + +/** + User Authentication entry point. + + @param ImageHandle The image handle. + @param SystemTable The system table. + + @retval EFI_SUCCESS The entry point is executed successfully. + @return other Contain some other errors. + +**/ +EFI_STATUS +EFIAPI +UserAuthentication2Entry ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + EFI_STATUS Status; + EFI_HANDLE DriverHandle; + EFI_HII_HANDLE HiiHandle; + + DriverHandle =3D NULL; + + mUserAuthenticationData =3D AllocateZeroPool (sizeof (USER_AUTHENTICATIO= N_PRIVATE_DATA)); + if (mUserAuthenticationData =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + mUserAuthenticationData->ConfigAccess.ExtractConfig =3D ExtractConfig; + mUserAuthenticationData->ConfigAccess.RouteConfig =3D RouteConfig; + mUserAuthenticationData->ConfigAccess.Callback =3D UserAuthenticationCal= lback; + mUserAuthenticationData->PasswordState =3D BROWSER_STATE_VALIDATE_PASSWO= RD; + + // + // Install Config Access protocol to driver handle. + // + Status =3D gBS->InstallMultipleProtocolInterfaces ( + &DriverHandle, + &gEfiDevicePathProtocolGuid, + &mHiiVendorDevicePath, + &gEfiHiiConfigAccessProtocolGuid, + &mUserAuthenticationData->ConfigAccess, + NULL + ); + ASSERT_EFI_ERROR (Status); + mUserAuthenticationData->DriverHandle =3D DriverHandle; + + // + // Add HII data to database. + // + HiiHandle =3D HiiAddPackages ( + &mUserAuthenticationVendorGuid, + DriverHandle, + UserAuthentication2DxeStrings, + UserAuthenticationDxeVfrBin, + NULL + ); + if (HiiHandle =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + mUserAuthenticationData->HiiHandle =3D HiiHandle; + + return EFI_SUCCESS; +} + +/** + Unloads the application and its installed protocol. + + @param[in] ImageHandle Handle that identifies the image to be unl= oaded. + + @retval EFI_SUCCESS The image has been unloaded. +**/ +EFI_STATUS +EFIAPI +UserAuthentication2Unload ( + IN EFI_HANDLE ImageHandle + ) +{ + ASSERT (mUserAuthenticationData !=3D NULL); + + // + // Uninstall Config Access Protocol. + // + if (mUserAuthenticationData->DriverHandle !=3D NULL) { + gBS->UninstallMultipleProtocolInterfaces ( + mUserAuthenticationData->DriverHandle, + &gEfiDevicePathProtocolGuid, + &mHiiVendorDevicePath, + &gEfiHiiConfigAccessProtocolGuid, + &mUserAuthenticationData->ConfigAccess, + NULL + ); + mUserAuthenticationData->DriverHandle =3D NULL; + } + + // + // Remove Hii Data. + // + if (mUserAuthenticationData->HiiHandle !=3D NULL) { + HiiRemovePackages (mUserAuthenticationData->HiiHandle); + } + + FreePool (mUserAuthenticationData); + mUserAuthenticationData =3D NULL; + + return EFI_SUCCESS; +} + diff --git a/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentication/User= Authentication2Dxe.h b/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentic= ation/UserAuthentication2Dxe.h new file mode 100644 index 0000000000..896460b889 --- /dev/null +++ b/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentication/UserAuthent= ication2Dxe.h @@ -0,0 +1,55 @@ +/** @file + Header file for UserAuthentication2Dxe. + + Copyright (c) 2018, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef _USER_AUTHENTICATION_DXE_H_ +#define _USER_AUTHENTICATION_DXE_H_ + + +#include +#include + +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "UserAuthenticationDxeFormset.h" + +extern UINT8 UserAuthenticationDxeVfrBin[]; +extern UINT8 UserAuthentication2DxeStrings[]; + +typedef struct { + EFI_HII_CONFIG_ACCESS_PROTOCOL ConfigAccess; + EFI_HANDLE DriverHandle; + EFI_HII_HANDLE HiiHandle; + UINT8 PasswordState; + CHAR16 OldPassword[PASSWORD_MAX_SIZE]; +} USER_AUTHENTICATION_PRIVATE_DATA; + +#pragma pack(1) +/// +/// HII specific Vendor Device Path definition. +/// +typedef struct { + VENDOR_DEVICE_PATH VendorDevicePath; + EFI_DEVICE_PATH_PROTOCOL End; +} HII_VENDOR_DEVICE_PATH; +#pragma pack() + +#endif diff --git a/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentication/User= Authentication2Dxe.inf b/Platform/Intel/UserInterfaceFeaturePkg/UserAuthent= ication/UserAuthentication2Dxe.inf new file mode 100644 index 0000000000..bf787b95e5 --- /dev/null +++ b/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentication/UserAuthent= ication2Dxe.inf @@ -0,0 +1,53 @@ +## @file +# User Authentication 2 Dxe Driver. +# +# This Driver mainly provides Setup Form to change password. +# +# Copyright (c) 2018, Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D UserAuthentication2Dxe + FILE_GUID =3D 4EF592F4-C716-40CC-8C07-1E4E3BD71F11 + MODULE_TYPE =3D DXE_DRIVER + VERSION_STRING =3D 2.0 + ENTRY_POINT =3D UserAuthentication2Entry + UNLOAD_IMAGE =3D UserAuthentication2Unload + +[Sources] + UserAuthentication2Dxe.c + UserAuthentication2Dxe.h + UserAuthenticationDxeFormset.h + UserAuthenticationDxeVfr.vfr + UserAuthenticationDxeStrings.uni + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + UserInterfaceFeaturePkg/UserInterfaceFeaturePkg.dec + +[LibraryClasses] + BaseLib + UefiBootServicesTableLib + UefiDriverEntryPoint + UefiRuntimeServicesTableLib + BaseMemoryLib + DebugLib + UefiLib + HiiLib + DevicePathLib + MemoryAllocationLib + UserPasswordLib + +[Protocols] + gEfiDevicePathProtocolGuid ## PRODUCES + gEfiHiiConfigAccessProtocolGuid ## PRODUCES + +[Depex] + gEfiSimpleTextOutProtocolGuid AND + gEfiSmmCommunicationProtocolGuid AND + gEfiVariableArchProtocolGuid AND + gEfiVariableWriteArchProtocolGuid diff --git a/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentication/User= AuthenticationDxe.c b/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentica= tion/UserAuthenticationDxe.c new file mode 100644 index 0000000000..745a814c17 --- /dev/null +++ b/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentication/UserAuthent= icationDxe.c @@ -0,0 +1,780 @@ +/** @file + This Driver mainly provides Setup Form to change password and + does user authentication before entering Setup. + + Copyright (c) 2017 - 2018, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "UserAuthenticationDxe.h" + +EFI_EVENT mExitBootServicesEvent =3D NULL; +EFI_RSC_HANDLER_PROTOCOL *mRscHandlerProtocol =3D NULL; +USER_AUTHENTICATION_PRIVATE_DATA *mUserAuthenticationData =3D NULL; +EFI_SMM_COMMUNICATION_PROTOCOL *mSmmCommunication =3D NULL; + +EFI_GUID mUserAuthenticationVendorGuid =3D USER_AUTHENTICATION_FORMSET_GUI= D; +HII_VENDOR_DEVICE_PATH mHiiVendorDevicePath =3D { + { + { + HARDWARE_DEVICE_PATH, + HW_VENDOR_DP, + { + (UINT8) (sizeof (VENDOR_DEVICE_PATH)), + (UINT8) ((sizeof (VENDOR_DEVICE_PATH)) >> 8) + } + }, + USER_AUTHENTICATION_FORMSET_GUID + }, + { + END_DEVICE_PATH_TYPE, + END_ENTIRE_DEVICE_PATH_SUBTYPE, + { + (UINT8) (END_DEVICE_PATH_LENGTH), + (UINT8) ((END_DEVICE_PATH_LENGTH) >> 8) + } + } +}; + +/** + Get a user input string. + + @param[in] PopUpString A popup string to inform user. + @param[in, out] UserInput The user input string + @param[in] UserInputMaxLen The max unicode count of the UserInput= without NULL terminator. +**/ +EFI_STATUS +GetUserInput ( + IN CHAR16 *PopUpString, + IN OUT CHAR16 *UserInput, + IN UINTN UserInputMaxLen + ) +{ + EFI_INPUT_KEY InputKey; + UINTN InputLength; + CHAR16 *Mask; + + UserInput[0] =3D 0; + Mask =3D AllocateZeroPool ((UserInputMaxLen + 1) * sizeof(CHAR16)); + if (Mask =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + InputLength =3D 0; + + while (TRUE) { + if (InputLength < UserInputMaxLen) { + Mask[InputLength] =3D L'_'; + } + CreatePopUp ( + EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, + &InputKey, + PopUpString, + L"--------------------------------", + Mask, + NULL + ); + if (InputKey.ScanCode =3D=3D SCAN_NULL) { + // + // Check whether finish inputing password. + // + if (InputKey.UnicodeChar =3D=3D CHAR_CARRIAGE_RETURN && InputLength = > 0) { + // + // Add the null terminator. + // + UserInput[InputLength] =3D 0; + break; + } else if ((InputKey.UnicodeChar =3D=3D CHAR_NULL) || + (InputKey.UnicodeChar =3D=3D CHAR_LINEFEED) || + (InputKey.UnicodeChar =3D=3D CHAR_CARRIAGE_RETURN) + ) { + continue; + } else { + // + // delete last key entered + // + if (InputKey.UnicodeChar =3D=3D CHAR_BACKSPACE) { + if (InputLength > 0) { + UserInput[InputLength] =3D 0; + Mask[InputLength] =3D 0; + InputLength--; + } + } else { + if (InputLength =3D=3D UserInputMaxLen) { + Mask[InputLength] =3D 0; + continue; + } + // + // add Next key entry + // + UserInput[InputLength] =3D InputKey.UnicodeChar; + Mask[InputLength] =3D L'*'; + InputLength++; + } + } + } + } + FreePool (Mask); + return EFI_SUCCESS; +} + +/** + Display a message box to end user. + + @param[in] DisplayString The string in message box. +**/ +VOID +MessageBox ( + IN CHAR16 *DisplayString + ) +{ + EFI_INPUT_KEY Key; + + do { + CreatePopUp ( + EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, + &Key, + L"", + DisplayString, + L"Press ENTER to continue ...", + L"", + NULL + ); + } while (Key.UnicodeChar !=3D CHAR_CARRIAGE_RETURN); +} + +/** + Force system reset. +**/ +VOID +ForceSystemReset ( + VOID + ) +{ + MessageBox (L"Password retry count reach, reset system!"); + gRT->ResetSystem (EfiResetCold, EFI_SUCCESS, 0, NULL); + CpuDeadLoop(); +} + +/** + Display message for set password. + + @param[in] ReturnStatus The return status for set password. +**/ +VOID +PrintSetPasswordStatus ( + IN EFI_STATUS ReturnStatus + ) +{ + CHAR16 *DisplayString; + CHAR16 *DisplayString2; + + EFI_INPUT_KEY Key; + + if (ReturnStatus =3D=3D EFI_UNSUPPORTED) { + DisplayString =3D L"New password is not strong enough!"; + DisplayString2 =3D L"Password must at least 8 chars and include lowerc= ase, uppercase alphabetic, number and symbol"; + + do { + CreatePopUp ( + EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, + &Key, + L"", + DisplayString, + DisplayString2, + L"Press ENTER to continue ...", + L"", + NULL + ); + } while (Key.UnicodeChar !=3D CHAR_CARRIAGE_RETURN); + } else { + if (ReturnStatus =3D=3D EFI_SUCCESS) { + DisplayString =3D L"New password is updated successfully!"; + } else if (ReturnStatus =3D=3D EFI_ALREADY_STARTED) { + DisplayString =3D L"New password is found in the history passwords!"; + } else { + DisplayString =3D L"New password update fails!"; + } + + do { + CreatePopUp ( + EFI_LIGHTGRAY | EFI_BACKGROUND_BLUE, + &Key, + L"", + DisplayString, + L"Press ENTER to continue ...", + L"", + NULL + ); + } while (Key.UnicodeChar !=3D CHAR_CARRIAGE_RETURN); + } +} + +/** + Require user input password. + + @retval TRUE User input correct password successfully. + @retval FALSE The password is not set. +**/ +BOOLEAN +RequireUserPassword ( + VOID + ) +{ + EFI_STATUS Status; + CHAR16 UserInputPw[PASSWORD_MAX_S= IZE]; + CHAR16 *PopUpString; + SMM_PASSWORD_COMMUNICATE_VERIFY_POLICY VerifyPolicy; + + Status =3D EFI_SUCCESS; + ZeroMem(UserInputPw, sizeof(UserInputPw)); + + if (!IsPasswordInstalled ()) { + return FALSE; + } + + Status =3D GetPasswordVerificationPolicy (&VerifyPolicy); + if (!EFI_ERROR (Status)) { + if (WasPasswordVerified() && (!VerifyPolicy.NeedReVerify)) { + DEBUG ((DEBUG_INFO, "Password was verified and Re-verify is not need= ed\n")); + return TRUE; + } + } + + PopUpString =3D L"Please input admin password"; + + while (TRUE) { + gST->ConOut->ClearScreen(gST->ConOut); + GetUserInput (PopUpString, UserInputPw, PASSWORD_MAX_SIZE - 1); + + Status =3D VerifyPassword (UserInputPw, StrSize(UserInputPw)); + if (!EFI_ERROR(Status)) { + break; + } + if (Status =3D=3D EFI_ACCESS_DENIED) { + // + // Password retry count reach. + // + ForceSystemReset (); + } + MessageBox (L"Incorrect password!"); + } + + ZeroMem(UserInputPw, sizeof(UserInputPw)); + + gST->ConOut->ClearScreen(gST->ConOut); + + return TRUE; +} + +/** + Set user password. + +**/ +VOID +SetUserPassword ( + VOID + ) +{ + EFI_STATUS Status; + CHAR16 UserInputPw[PASSWORD_MAX_SIZE]; + CHAR16 TmpPassword[PASSWORD_MAX_SIZE]; + CHAR16 *PopUpString; + CHAR16 *PopUpString2; + + ZeroMem(UserInputPw, sizeof(UserInputPw)); + ZeroMem(TmpPassword, sizeof(TmpPassword)); + + PopUpString =3D L"Please set admin password"; + + while (TRUE) { + gST->ConOut->ClearScreen(gST->ConOut); + GetUserInput (PopUpString, UserInputPw, PASSWORD_MAX_SIZE - 1); + + PopUpString2 =3D L"Please confirm your new password"; + gST->ConOut->ClearScreen(gST->ConOut); + GetUserInput (PopUpString2, TmpPassword, PASSWORD_MAX_SIZE - 1); + if (StrCmp (TmpPassword, UserInputPw) !=3D 0) { + MessageBox (L"Password are not the same!"); + continue; + } + + Status =3D SetPassword (UserInputPw, StrSize(UserInputPw), NULL, 0); + PrintSetPasswordStatus (Status); + if (!EFI_ERROR(Status)) { + break; + } + } + + ZeroMem(UserInputPw, sizeof(UserInputPw)); + ZeroMem(TmpPassword, sizeof(TmpPassword)); + + gST->ConOut->ClearScreen(gST->ConOut); +} + +/** + Check password before entering into setup. + + @param CodeType Indicates the type of status code being reported. = Type EFI_STATUS_CODE_TYPE is defined in "Related Definitions" below. + + @param Value Describes the current status of a hardware or soft= ware entity. + This included information about the class and subc= lass that is used to classify the entity + as well as an operation. For progress codes, the = operation is the current activity. + For error codes, it is the exception. For debug c= odes, it is not defined at this time. + Type EFI_STATUS_CODE_VALUE is defined in "Related = Definitions" below. + Specific values are discussed in the Intel? Platfo= rm Innovation Framework for EFI Status Code Specification. + + @param Instance The enumeration of a hardware or software entity w= ithin the system. + A system may contain multiple entities that match = a class/subclass pairing. + The instance differentiates between them. An inst= ance of 0 indicates that instance information is unavailable, + not meaningful, or not relevant. Valid instance n= umbers start with 1. + + + @param CallerId This optional parameter may be used to identify th= e caller. + This parameter allows the status code driver to ap= ply different rules to different callers. + Type EFI_GUID is defined in InstallProtocolInterfa= ce() in the UEFI 2.0 Specification. + + + @param Data This optional parameter may be used to pass additi= onal data + + @retval EFI_SUCCESS Status code is what we expected. + @retval EFI_UNSUPPORTED Status code not supported. + +**/ +EFI_STATUS +EFIAPI +CheckForPassword ( + IN EFI_STATUS_CODE_TYPE CodeType, + IN EFI_STATUS_CODE_VALUE Value, + IN UINT32 Instance, + IN EFI_GUID *CallerId, OPTIONAL + IN EFI_STATUS_CODE_DATA *Data OPTIONAL + ) +{ + BOOLEAN PasswordSet; + + if (((CodeType & EFI_STATUS_CODE_TYPE_MASK) =3D=3D EFI_PROGRESS_CODE) && + (Value =3D=3D (EFI_SOFTWARE_DXE_BS_DRIVER | EFI_SW_PC_USER_SETUP))) { + // + // Check whether enter setup page. + // + PasswordSet =3D RequireUserPassword (); + if (PasswordSet) { + DEBUG ((DEBUG_INFO, "Welcome Admin!\n")); + } else { + DEBUG ((DEBUG_INFO, "Admin password is not set!\n")); + if (NeedEnrollPassword()) { + SetUserPassword (); + } + } + + return EFI_SUCCESS; + } else{ + return EFI_UNSUPPORTED; + } +} + +/** + This function allows a caller to extract the current configuration for o= ne + or more named elements from the target driver. + + @param This Points to the EFI_HII_CONFIG_ACCESS_PROTO= COL. + @param Request A null-terminated Unicode string in + format. + @param Progress On return, points to a character in the R= equest + string. Points to the string's null termi= nator if + request was successful. Points to the mos= t recent + '&' before the first failing name/value p= air (or + the beginning of the string if the failur= e is in + the first name/value pair) if the request= was not + successful. + @param Results A null-terminated Unicode string in + format which has all valu= es filled + in for the names in the Request string. S= tring to + be allocated by the called function. + + @retval EFI_SUCCESS The Results is filled with the requested = values. + @retval EFI_OUT_OF_RESOURCES Not enough memory to store the results. + @retval EFI_INVALID_PARAMETER Request is illegal syntax, or unknown nam= e. + @retval EFI_NOT_FOUND Routing data doesn't match any storage in= this + driver. + +**/ +EFI_STATUS +EFIAPI +ExtractConfig ( + IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This, + IN CONST EFI_STRING Request, + OUT EFI_STRING *Progress, + OUT EFI_STRING *Results + ) +{ + if (Progress =3D=3D NULL || Results =3D=3D NULL) { + return EFI_INVALID_PARAMETER; + } + *Progress =3D Request; + return EFI_NOT_FOUND; +} + + +/** + This function processes the results of changes in configuration. + + @param This Points to the EFI_HII_CONFIG_ACCESS_PROTO= COL. + @param Configuration A null-terminated Unicode string in + format. + @param Progress A pointer to a string filled in with the = offset of + the most recent '&' before the first fail= ing + name/value pair (or the beginning of the = string if + the failure is in the first name/value pa= ir) or + the terminating NULL if all was successfu= l. + + @retval EFI_SUCCESS The Results is processed successfully. + @retval EFI_INVALID_PARAMETER Configuration is NULL. + @retval EFI_NOT_FOUND Routing data doesn't match any storage in= this + driver. + +**/ +EFI_STATUS +EFIAPI +RouteConfig ( + IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This, + IN CONST EFI_STRING Configuration, + OUT EFI_STRING *Progress + ) +{ + if (Configuration =3D=3D NULL || Progress =3D=3D NULL) { + return EFI_INVALID_PARAMETER; + } + + *Progress =3D Configuration; + + return EFI_NOT_FOUND; +} + +/** + HII update Admin Password status. + +**/ +VOID +HiiUpdateAdminPasswordStatus ( + VOID + ) +{ + if (IsPasswordInstalled ()) { + HiiSetString ( + mUserAuthenticationData->HiiHandle, + STRING_TOKEN (STR_ADMIN_PASSWORD_STS_CONTENT), + L"Installed", + NULL + ); + } else { + HiiSetString ( + mUserAuthenticationData->HiiHandle, + STRING_TOKEN (STR_ADMIN_PASSWORD_STS_CONTENT), + L"Not Installed", + NULL + ); + } +} + +/** + This function processes the results of changes in configuration. + + @param This Points to the EFI_HII_CONFIG_ACCESS_PROTO= COL. + @param Action Specifies the type of action taken by the= browser. + @param QuestionId A unique value which is sent to the origi= nal + exporting driver so that it can identify = the type + of data to expect. + @param Type The type of value for the question. + @param Value A pointer to the data being sent to the o= riginal + exporting driver. + @param ActionRequest On return, points to the action requested= by the + callback function. + + @retval EFI_SUCCESS The callback successfully handled the act= ion. + @retval EFI_OUT_OF_RESOURCES Not enough storage is available to hold t= he + variable and its data. + @retval EFI_DEVICE_ERROR The variable could not be saved. + @retval EFI_UNSUPPORTED The specified Action is not supported by = the + callback. + +**/ +EFI_STATUS +EFIAPI +UserAuthenticationCallback ( + IN CONST EFI_HII_CONFIG_ACCESS_PROTOCOL *This, + IN EFI_BROWSER_ACTION Action, + IN EFI_QUESTION_ID QuestionId, + IN UINT8 Type, + IN EFI_IFR_TYPE_VALUE *Value, + OUT EFI_BROWSER_ACTION_REQUEST *ActionRequest + ) +{ + EFI_STATUS Status; + CHAR16 *UserInputPassword; + + Status =3D EFI_SUCCESS; + + if (((Value =3D=3D NULL) && (Action !=3D EFI_BROWSER_ACTION_FORM_OPEN) &= & (Action !=3D EFI_BROWSER_ACTION_FORM_CLOSE)) || + (ActionRequest =3D=3D NULL)) { + return EFI_INVALID_PARAMETER; + } + + switch (Action) { + case EFI_BROWSER_ACTION_FORM_OPEN: + { + switch (QuestionId) { + case ADMIN_PASSWORD_KEY_ID: + HiiUpdateAdminPasswordStatus (); + default: + break; + } + } + break; + case EFI_BROWSER_ACTION_CHANGING: + { + switch (QuestionId) { + case ADMIN_PASSWORD_KEY_ID: + if ((Type =3D=3D EFI_IFR_TYPE_STRING) && (Value->string =3D=3D 0) = && + (mUserAuthenticationData->PasswordState =3D=3D BROWSER_STATE_S= ET_PASSWORD)) { + mUserAuthenticationData->PasswordState =3D BROWSER_STATE_VALIDAT= E_PASSWORD; + ZeroMem (mUserAuthenticationData->OldPassword, sizeof(mUserAuthe= nticationData->OldPassword)); + return EFI_INVALID_PARAMETER; + } + // + // The Callback is responsible for validating old password input b= y user, + // If Callback return EFI_SUCCESS, it indicates validation pass. + // + switch (mUserAuthenticationData->PasswordState) { + case BROWSER_STATE_VALIDATE_PASSWORD: + UserInputPassword =3D HiiGetString (mUserAuthenticationData->Hii= Handle, Value->string, NULL); + if ((StrLen (UserInputPassword) >=3D PASSWORD_MAX_SIZE)) { + Status =3D EFI_NOT_READY; + break; + } + if (UserInputPassword[0] =3D=3D 0) { + // + // Setup will use a NULL password to check whether the old pas= sword is set, + // If the validation is successful, means there is no old pass= word, return + // success to set the new password. Or need to return EFI_NOT_= READY to + // let user input the old password. + // + Status =3D VerifyPassword (UserInputPassword, StrSize (UserInp= utPassword)); + if (Status =3D=3D EFI_SUCCESS) { + mUserAuthenticationData->PasswordState =3D BROWSER_STATE_SET= _PASSWORD; + } else { + Status =3D EFI_NOT_READY; + } + break; + } + Status =3D VerifyPassword (UserInputPassword, StrSize (UserInput= Password)); + if (Status =3D=3D EFI_SUCCESS) { + mUserAuthenticationData->PasswordState =3D BROWSER_STATE_SET_P= ASSWORD; + StrCpyS ( + mUserAuthenticationData->OldPassword, + sizeof(mUserAuthenticationData->OldPassword)/sizeof(CHAR16), + UserInputPassword + ); + } else { + // + // Old password mismatch, return EFI_NOT_READY to prompt for e= rror message. + // + if (Status =3D=3D EFI_ACCESS_DENIED) { + // + // Password retry count reach. + // + ForceSystemReset (); + } + Status =3D EFI_NOT_READY; + } + break; + + case BROWSER_STATE_SET_PASSWORD: + UserInputPassword =3D HiiGetString (mUserAuthenticationData->Hii= Handle, Value->string, NULL); + if ((StrLen (UserInputPassword) >=3D PASSWORD_MAX_SIZE)) { + Status =3D EFI_NOT_READY; + break; + } + Status =3D SetPassword (UserInputPassword, StrSize (UserInputPas= sword), mUserAuthenticationData->OldPassword, StrSize(mUserAuthenticationDa= ta->OldPassword)); + PrintSetPasswordStatus (Status); + ZeroMem (mUserAuthenticationData->OldPassword, sizeof(mUserAuthe= nticationData->OldPassword)); + mUserAuthenticationData->PasswordState =3D BROWSER_STATE_VALIDAT= E_PASSWORD; + HiiUpdateAdminPasswordStatus (); + break; + + default: + break; + } + default: + break; + } + } + break; + default: + break; + } + return Status; +} + +/** + Unregister status code callback functions. + + @param Event Event whose notification function is being invoked. + @param Context Pointer to the notification function's context, wh= ich is + always zero in current implementation. + +**/ +VOID +EFIAPI +UnregisterBootTimeHandlers ( + IN EFI_EVENT Event, + IN VOID *Context + ) +{ + mRscHandlerProtocol->Unregister (CheckForPassword); +} + +/** + User Authentication entry point. + + @param ImageHandle The image handle. + @param SystemTable The system table. + + @retval EFI_SUCCESS The entry point is executed successfully. + @return other Contain some other errors. + +**/ +EFI_STATUS +EFIAPI +UserAuthenticationEntry ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + EFI_STATUS Status; + EFI_HANDLE DriverHandle; + EFI_HII_HANDLE HiiHandle; + + DriverHandle =3D NULL; + + mUserAuthenticationData =3D AllocateZeroPool (sizeof (USER_AUTHENTICATIO= N_PRIVATE_DATA)); + if (mUserAuthenticationData =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + mUserAuthenticationData->ConfigAccess.ExtractConfig =3D ExtractConfig; + mUserAuthenticationData->ConfigAccess.RouteConfig =3D RouteConfig; + mUserAuthenticationData->ConfigAccess.Callback =3D UserAuthenticationCal= lback; + mUserAuthenticationData->PasswordState =3D BROWSER_STATE_VALIDATE_PASSWO= RD; + + // + // Install Config Access protocol to driver handle. + // + Status =3D gBS->InstallMultipleProtocolInterfaces ( + &DriverHandle, + &gEfiDevicePathProtocolGuid, + &mHiiVendorDevicePath, + &gEfiHiiConfigAccessProtocolGuid, + &mUserAuthenticationData->ConfigAccess, + NULL + ); + ASSERT_EFI_ERROR (Status); + mUserAuthenticationData->DriverHandle =3D DriverHandle; + + // + // Add HII data to database. + // + HiiHandle =3D HiiAddPackages ( + &mUserAuthenticationVendorGuid, + DriverHandle, + UserAuthenticationDxeStrings, + UserAuthenticationDxeVfrBin, + NULL + ); + if (HiiHandle =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + mUserAuthenticationData->HiiHandle =3D HiiHandle; + + // + // Locate report status code protocol. + // + Status =3D gBS->LocateProtocol ( + &gEfiRscHandlerProtocolGuid, + NULL, + (VOID **) &mRscHandlerProtocol + ); + ASSERT_EFI_ERROR (Status); + + // + //Register the callback function for ReportStatusCode() notification. + // + mRscHandlerProtocol->Register (CheckForPassword, TPL_HIGH_LEVEL); + + // + // Unregister boot time report status code listener at ExitBootService E= vent. + // + Status =3D gBS->CreateEventEx ( + EVT_NOTIFY_SIGNAL, + TPL_NOTIFY, + UnregisterBootTimeHandlers, + NULL, + &gEfiEventExitBootServicesGuid, + &mExitBootServicesEvent + ); + ASSERT_EFI_ERROR (Status); + + // + // Locates SMM Communication protocol. + // + Status =3D gBS->LocateProtocol (&gEfiSmmCommunicationProtocolGuid, NULL,= (VOID **) &mSmmCommunication); + ASSERT_EFI_ERROR (Status); + + return EFI_SUCCESS; +} + +/** + Unloads the application and its installed protocol. + + @param[in] ImageHandle Handle that identifies the image to be unl= oaded. + + @retval EFI_SUCCESS The image has been unloaded. +**/ +EFI_STATUS +EFIAPI +UserAuthenticationUnload ( + IN EFI_HANDLE ImageHandle + ) +{ + ASSERT (mUserAuthenticationData !=3D NULL); + + // + // Uninstall Config Access Protocol. + // + if (mUserAuthenticationData->DriverHandle !=3D NULL) { + gBS->UninstallMultipleProtocolInterfaces ( + mUserAuthenticationData->DriverHandle, + &gEfiDevicePathProtocolGuid, + &mHiiVendorDevicePath, + &gEfiHiiConfigAccessProtocolGuid, + &mUserAuthenticationData->ConfigAccess, + NULL + ); + mUserAuthenticationData->DriverHandle =3D NULL; + } + + // + // Remove Hii Data. + // + if (mUserAuthenticationData->HiiHandle !=3D NULL) { + HiiRemovePackages (mUserAuthenticationData->HiiHandle); + } + + FreePool (mUserAuthenticationData); + mUserAuthenticationData =3D NULL; + + return EFI_SUCCESS; +} + diff --git a/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentication/User= AuthenticationDxe.h b/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentica= tion/UserAuthenticationDxe.h new file mode 100644 index 0000000000..9a002d2a7c --- /dev/null +++ b/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentication/UserAuthent= icationDxe.h @@ -0,0 +1,138 @@ +/** @file + Header file for UserAuthenticationDxe. + + Copyright (c) 2017 - 2018, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef _USER_AUTHENTICATION_DXE_H_ +#define _USER_AUTHENTICATION_DXE_H_ + + +#include +#include +#include + +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "UserAuthenticationDxeFormset.h" + +extern UINT8 UserAuthenticationDxeVfrBin[]; +extern UINT8 UserAuthenticationDxeStrings[]; +extern EFI_SMM_COMMUNICATION_PROTOCOL *mSmmCommunication; + +typedef struct { + EFI_HII_CONFIG_ACCESS_PROTOCOL ConfigAccess; + EFI_HANDLE DriverHandle; + EFI_HII_HANDLE HiiHandle; + UINT8 PasswordState; + CHAR16 OldPassword[PASSWORD_MAX_SIZE]; +} USER_AUTHENTICATION_PRIVATE_DATA; + +#pragma pack(1) +/// +/// HII specific Vendor Device Path definition. +/// +typedef struct { + VENDOR_DEVICE_PATH VendorDevicePath; + EFI_DEVICE_PATH_PROTOCOL End; +} HII_VENDOR_DEVICE_PATH; +#pragma pack() + +/** + Validate if the password is correct. + + @param[in] Password The user input password. + @param[in] PasswordSize The size of Password in byte. + + @retval EFI_SUCCESS The password is correct. + @retval EFI_SECURITY_VIOLATION The password is incorrect. + @retval EFI_INVALID_PARAMETER The password or size is invalid. + @retval EFI_OUT_OF_RESOURCES Insufficient resources to verify the p= assword. + @retval EFI_ACCESS_DENIED Password retry count reach. +**/ +EFI_STATUS +VerifyPassword ( + IN CHAR16 *Password, + IN UINTN PasswordSize + ); + +/** + Set a new password. + + @param[in] NewPassword The user input new password. + NULL means clear password. + @param[in] NewPasswordSize The size of NewPassword in byte. + @param[in] OldPassword The user input old password. + NULL means no old password. + @param[in] OldPasswordSize The size of OldPassword in byte. + + @retval EFI_SUCCESS The NewPassword is set successfully. + @retval EFI_SECURITY_VIOLATION The OldPassword is incorrect. + @retval EFI_INVALID_PARAMETER The password or size is invalid. + @retval EFI_OUT_OF_RESOURCES Insufficient resources to set the pass= word. + @retval EFI_ACCESS_DENIED Password retry count reach. + @retval EFI_UNSUPPORTED NewPassword is not strong enough. + @retval EFI_ALREADY_STARTED NewPassword is in history. +**/ +EFI_STATUS +SetPassword ( + IN CHAR16 *NewPassword, OPTIONAL + IN UINTN NewPasswordSize, + IN CHAR16 *OldPassword, OPTIONAL + IN UINTN OldPasswordSize + ); + +/** + Return if the password is set. + + @retval TRUE The password is set. + @retval FALSE The password is not set. +**/ +BOOLEAN +IsPasswordInstalled ( + VOID + ); + +/** + Get password verification policy. + + @param[out] VerifyPolicy Verification policy. + + @retval EFI_SUCCESS Get verification policy successfully. + @retval EFI_OUT_OF_RESOURCES Insufficient resources to get verifica= tion policy. +**/ +EFI_STATUS +GetPasswordVerificationPolicy ( + OUT SMM_PASSWORD_COMMUNICATE_VERIFY_POLICY *VerifyPolicy + ); + +/** + Return if the password was verified. + + @retval TRUE The password was verified. + @retval FALSE The password was not verified. +**/ +BOOLEAN +WasPasswordVerified ( + VOID + ); + +#endif diff --git a/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentication/User= AuthenticationDxe.inf b/Platform/Intel/UserInterfaceFeaturePkg/UserAuthenti= cation/UserAuthenticationDxe.inf new file mode 100644 index 0000000000..66b59bd26b --- /dev/null +++ b/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentication/UserAuthent= icationDxe.inf @@ -0,0 +1,63 @@ +## @file +# User Authentication Dxe Driver. +# +# This Driver mainly provides Setup Form to change password and +# does user authentication before entering Setup. +# +# Copyright (c) 2017 - 2018, Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D UserAuthenticationDxe + FILE_GUID =3D 0683FB88-664C-4BA6-9ED4-1C0916EE43A4 + MODULE_TYPE =3D DXE_DRIVER + VERSION_STRING =3D 2.0 + ENTRY_POINT =3D UserAuthenticationEntry + UNLOAD_IMAGE =3D UserAuthenticationUnload + + +[Sources] + UserAuthenticationDxe.c + UserAuthenticationDxe.h + UserAuthenticationDxePassword.c + UserAuthenticationDxeFormset.h + UserAuthenticationDxeVfr.vfr + UserAuthenticationDxeStrings.uni + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + UserInterfaceFeaturePkg/UserInterfaceFeaturePkg.dec + +[LibraryClasses] + BaseLib + UefiBootServicesTableLib + UefiDriverEntryPoint + UefiRuntimeServicesTableLib + BaseMemoryLib + DebugLib + UefiLib + HiiLib + DevicePathLib + MemoryAllocationLib + PlatformPasswordLib + PrintLib + +[Guids] + gUserAuthenticationGuid ## CONSUMES ## GUID + gEfiEventExitBootServicesGuid ## CONSUMES ## Event + gEdkiiPiSmmCommunicationRegionTableGuid ## CONSUMES ## SystemTable + +[Protocols] + gEfiRscHandlerProtocolGuid ## CONSUMES + gEfiDevicePathProtocolGuid ## PRODUCES + gEfiHiiConfigAccessProtocolGuid ## PRODUCES + gEfiSmmCommunicationProtocolGuid ## CONSUMES + +[Depex] + gEfiSimpleTextOutProtocolGuid AND + gEfiSmmCommunicationProtocolGuid AND + gEfiVariableArchProtocolGuid AND + gEfiVariableWriteArchProtocolGuid diff --git a/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentication/User= AuthenticationDxeFormset.h b/Platform/Intel/UserInterfaceFeaturePkg/UserAut= hentication/UserAuthenticationDxeFormset.h new file mode 100644 index 0000000000..721a038a7a --- /dev/null +++ b/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentication/UserAuthent= icationDxeFormset.h @@ -0,0 +1,23 @@ +/** @file + Header file for UserAuthentication formset. + + Copyright (c) 2017 - 2018, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef _USER_AUTHENTICATION_DXE_FORMSET_H_ +#define _USER_AUTHENTICATION_DXE_FORMSET_H_ + +// +// Vendor GUID of the formset +// +#define USER_AUTHENTICATION_FORMSET_GUID \ + { 0x760e3022, 0xf149, 0x4560, {0x9c, 0x6f, 0x33, 0xaa, 0x7d, 0x48, 0x75,= 0xfa} } + +#define ADMIN_PASSWORD_KEY_ID 0x2001 + +#define MAX_PASSWORD_LEN 32 +#define MIN_PASSWORD_LEN 0 + +#endif diff --git a/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentication/User= AuthenticationDxePassword.c b/Platform/Intel/UserInterfaceFeaturePkg/UserAu= thentication/UserAuthenticationDxePassword.c new file mode 100644 index 0000000000..3645e5c12b --- /dev/null +++ b/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentication/UserAuthent= icationDxePassword.c @@ -0,0 +1,319 @@ +/** @file + UserAuthentication DXE password wrapper. + + Copyright (c) 2017 - 2018, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "UserAuthenticationDxe.h" + +/** + Initialize the communicate buffer using DataSize and Function. + + @param[out] DataPtr Points to the data in the communicate = buffer. + @param[in] DataSize The data size to send to SMM. + @param[in] Function The function number to initialize the = communicate header. + + @return Communicate buffer. +**/ +VOID* +InitCommunicateBuffer ( + OUT VOID **DataPtr OPTIONAL, + IN UINTN DataSize, + IN UINTN Function + ) +{ + EFI_SMM_COMMUNICATE_HEADER *SmmCommunicateHeader; + SMM_PASSWORD_COMMUNICATE_HEADER *SmmPasswordFunctionHeader; + VOID *Buffer; + EDKII_PI_SMM_COMMUNICATION_REGION_TABLE *SmmCommRegionTable; + EFI_MEMORY_DESCRIPTOR *SmmCommMemRegion; + UINTN Index; + UINTN Size; + EFI_STATUS Status; + + Buffer =3D NULL; + Status =3D EfiGetSystemConfigurationTable ( + &gEdkiiPiSmmCommunicationRegionTableGuid, + (VOID **) &SmmCommRegionTable + ); + if (EFI_ERROR (Status)) { + return NULL; + } + ASSERT (SmmCommRegionTable !=3D NULL); + SmmCommMemRegion =3D (EFI_MEMORY_DESCRIPTOR *) (SmmCommRegionTable + 1); + Size =3D 0; + for (Index =3D 0; Index < SmmCommRegionTable->NumberOfEntries; Index++) { + if (SmmCommMemRegion->Type =3D=3D EfiConventionalMemory) { + Size =3D EFI_PAGES_TO_SIZE ((UINTN) SmmCommMemRegion->NumberOfPages); + if (Size >=3D (DataSize + OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Dat= a) + sizeof (SMM_PASSWORD_COMMUNICATE_HEADER))) { + break; + } + } + SmmCommMemRegion =3D (EFI_MEMORY_DESCRIPTOR *) ((UINT8 *) SmmCommMemRe= gion + SmmCommRegionTable->DescriptorSize); + } + ASSERT (Index < SmmCommRegionTable->NumberOfEntries); + + Buffer =3D (VOID*)(UINTN)SmmCommMemRegion->PhysicalStart; + ASSERT (Buffer !=3D NULL); + SmmCommunicateHeader =3D (EFI_SMM_COMMUNICATE_HEADER *) Buffer; + CopyGuid (&SmmCommunicateHeader->HeaderGuid, &gUserAuthenticationGuid); + SmmCommunicateHeader->MessageLength =3D DataSize + sizeof (SMM_PASSWORD_= COMMUNICATE_HEADER); + + SmmPasswordFunctionHeader =3D (SMM_PASSWORD_COMMUNICATE_HEADER *) SmmCom= municateHeader->Data; + ZeroMem (SmmPasswordFunctionHeader, DataSize + sizeof (SMM_PASSWORD_COMM= UNICATE_HEADER)); + SmmPasswordFunctionHeader->Function =3D Function; + if (DataPtr !=3D NULL) { + *DataPtr =3D SmmPasswordFunctionHeader + 1; + } + + return Buffer; +} + +/** + Send the data in communicate buffer to SMM. + + @param[in] Buffer Points to the data in the communicat= e buffer. + @param[in] DataSize The data size to send to SMM. + + @retval EFI_SUCCESS Success is returned from the functio= n in SMM. + @retval Others Failure is returned from the functio= n in SMM. + +**/ +EFI_STATUS +SendCommunicateBuffer ( + IN VOID *Buffer, + IN UINTN DataSize + ) +{ + EFI_STATUS Status; + UINTN CommSize; + EFI_SMM_COMMUNICATE_HEADER *SmmCommunicateHeader; + SMM_PASSWORD_COMMUNICATE_HEADER *SmmPasswordFunctionHeader; + + CommSize =3D DataSize + OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data) + s= izeof (SMM_PASSWORD_COMMUNICATE_HEADER); + + Status =3D mSmmCommunication->Communicate (mSmmCommunication, Buffer, &C= ommSize); + ASSERT_EFI_ERROR (Status); + + SmmCommunicateHeader =3D (EFI_SMM_COMMUNICATE_HEADER *) Buffer; + SmmPasswordFunctionHeader =3D (SMM_PASSWORD_COMMUNICATE_HEADER *)SmmComm= unicateHeader->Data; + return SmmPasswordFunctionHeader->ReturnStatus; +} + +/** + Validate if the password is correct. + + @param[in] Password The user input password. + @param[in] PasswordSize The size of Password in byte. + + @retval EFI_SUCCESS The password is correct. + @retval EFI_SECURITY_VIOLATION The password is incorrect. + @retval EFI_INVALID_PARAMETER The password or size is invalid. + @retval EFI_OUT_OF_RESOURCES Insufficient resources to verify the p= assword. + @retval EFI_ACCESS_DENIED Password retry count reach. +**/ +EFI_STATUS +VerifyPassword ( + IN CHAR16 *Password, + IN UINTN PasswordSize + ) +{ + EFI_STATUS Status; + VOID *Buffer; + SMM_PASSWORD_COMMUNICATE_VERIFY_PASSWORD *VerifyPassword; + + ASSERT (Password !=3D NULL); + + if (PasswordSize > sizeof(VerifyPassword->Password) * sizeof(CHAR16)) { + return EFI_INVALID_PARAMETER; + } + + Buffer =3D InitCommunicateBuffer ( + (VOID**)&VerifyPassword, + sizeof(*VerifyPassword), + SMM_PASSWORD_FUNCTION_VERIFY_PASSWORD + ); + if (Buffer =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + Status =3D UnicodeStrToAsciiStrS (Password, VerifyPassword->Password, si= zeof(VerifyPassword->Password)); + if (EFI_ERROR(Status)) { + goto EXIT; + } + + Status =3D SendCommunicateBuffer (Buffer, sizeof(*VerifyPassword)); + +EXIT: + ZeroMem (VerifyPassword, sizeof(*VerifyPassword)); + return Status; +} + +/** + Set a new password. + + @param[in] NewPassword The user input new password. + NULL means clear password. + @param[in] NewPasswordSize The size of NewPassword in byte. + @param[in] OldPassword The user input old password. + NULL means no old password. + @param[in] OldPasswordSize The size of OldPassword in byte. + + @retval EFI_SUCCESS The NewPassword is set successfully. + @retval EFI_SECURITY_VIOLATION The OldPassword is incorrect. + @retval EFI_INVALID_PARAMETER The password or size is invalid. + @retval EFI_OUT_OF_RESOURCES Insufficient resources to set the pass= word. + @retval EFI_ACCESS_DENIED Password retry count reach. + @retval EFI_UNSUPPORTED NewPassword is not strong enough. + @retval EFI_ALREADY_STARTED NewPassword is in history. +**/ +EFI_STATUS +SetPassword ( + IN CHAR16 *NewPassword, OPTIONAL + IN UINTN NewPasswordSize, + IN CHAR16 *OldPassword, OPTIONAL + IN UINTN OldPasswordSize + ) +{ + EFI_STATUS Status; + VOID *Buffer; + SMM_PASSWORD_COMMUNICATE_SET_PASSWORD *SetPassword; + + if (NewPasswordSize > sizeof(SetPassword->NewPassword) * sizeof(CHAR16))= { + return EFI_INVALID_PARAMETER; + } + if (OldPasswordSize > sizeof(SetPassword->OldPassword) * sizeof(CHAR16))= { + return EFI_INVALID_PARAMETER; + } + + Buffer =3D InitCommunicateBuffer ( + (VOID**)&SetPassword, + sizeof(*SetPassword), + SMM_PASSWORD_FUNCTION_SET_PASSWORD + ); + if (Buffer =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + if (NewPassword !=3D NULL) { + Status =3D UnicodeStrToAsciiStrS (NewPassword, SetPassword->NewPasswor= d, sizeof(SetPassword->NewPassword)); + if (EFI_ERROR(Status)) { + goto EXIT; + } + } else { + SetPassword->NewPassword[0] =3D 0; + } + + if (OldPassword !=3D NULL) { + Status =3D UnicodeStrToAsciiStrS (OldPassword, SetPassword->OldPasswor= d, sizeof(SetPassword->OldPassword)); + if (EFI_ERROR(Status)) { + goto EXIT; + } + } else { + SetPassword->OldPassword[0] =3D 0; + } + + Status =3D SendCommunicateBuffer (Buffer, sizeof(*SetPassword)); + +EXIT: + ZeroMem (SetPassword, sizeof(*SetPassword)); + return Status; +} + +/** + Return if the password is set. + + @retval TRUE The password is set. + @retval FALSE The password is not set. +**/ +BOOLEAN +IsPasswordInstalled ( + VOID + ) +{ + EFI_STATUS Status; + VOID *Buffer; + + Buffer =3D InitCommunicateBuffer ( + NULL, + 0, + SMM_PASSWORD_FUNCTION_IS_PASSWORD_SET + ); + if (Buffer =3D=3D NULL) { + return FALSE; + } + + Status =3D SendCommunicateBuffer (Buffer, 0); + if (EFI_ERROR (Status)) { + return FALSE; + } + + return TRUE; +} + +/** + Get password verification policy. + + @param[out] VerifyPolicy Verification policy. + + @retval EFI_SUCCESS Get verification policy successfully. + @retval EFI_OUT_OF_RESOURCES Insufficient resources to get verifica= tion policy. +**/ +EFI_STATUS +GetPasswordVerificationPolicy ( + OUT SMM_PASSWORD_COMMUNICATE_VERIFY_POLICY *VerifyPolicy + ) +{ + EFI_STATUS Status; + VOID *Buffer; + SMM_PASSWORD_COMMUNICATE_VERIFY_POLICY *GetVerifyPolicy; + + Buffer =3D InitCommunicateBuffer ( + (VOID**)&GetVerifyPolicy, + sizeof(*GetVerifyPolicy), + SMM_PASSWORD_FUNCTION_GET_VERIFY_POLICY + ); + if (Buffer =3D=3D NULL) { + return EFI_OUT_OF_RESOURCES; + } + + Status =3D SendCommunicateBuffer (Buffer, sizeof(*GetVerifyPolicy)); + if (!EFI_ERROR (Status)) { + CopyMem (VerifyPolicy, GetVerifyPolicy, sizeof (SMM_PASSWORD_COMMUNICA= TE_VERIFY_POLICY)); + } + + return Status; +} + +/** + Return if the password was verified. + + @retval TRUE The password was verified. + @retval FALSE The password was not verified. +**/ +BOOLEAN +WasPasswordVerified ( + VOID + ) +{ + EFI_STATUS Status; + VOID *Buffer; + + Buffer =3D InitCommunicateBuffer ( + NULL, + 0, + SMM_PASSWORD_FUNCTION_WAS_PASSWORD_VERIFIED + ); + if (Buffer =3D=3D NULL) { + return FALSE; + } + + Status =3D SendCommunicateBuffer (Buffer, 0); + if (EFI_ERROR (Status)) { + return FALSE; + } + + return TRUE; +} diff --git a/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentication/User= AuthenticationDxeStrings.uni b/Platform/Intel/UserInterfaceFeaturePkg/UserA= uthentication/UserAuthenticationDxeStrings.uni new file mode 100644 index 0000000000..5cfedd2539 --- /dev/null +++ b/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentication/UserAuthent= icationDxeStrings.uni @@ -0,0 +1,30 @@ +/** @file +// String definitions for User Authentication formset. +// +// Copyright (c) 2017 - 2018, Intel Corporation. All rights reserved.
+// +// SPDX-License-Identifier: BSD-2-Clause-Patent +// +**/ + +#langdef en-US "English" +#langdef fr-FR "Francais" + + +#string STR_FORM_SET_TITLE #language en-US "User Password Mana= gement" + #language fr-FR "User Password Mana= gement" +#string STR_FORM_SET_TITLE_HELP #language en-US "This Driver mainly= handle user's password" + #language fr-FR "This Driver mainly= handle user's password" +#string STR_FORM_TITLE #language en-US "Password Managemen= t Form" + #language fr-FR "Password Managemen= t Form" +#string STR_ADMIN_PASSWORD_PROMPT #language en-US "Change Admin Passw= ord" + #language fr-FR "Change Admin Passw= ord" +#string STR_ADMIN_PASSWORD_HELP #language en-US "Input old admin pa= ssword if it was set, then you can change the password to a new one. After = the change action, you may need input the new password when you enter UI. T= he new password must be between 8 and 32 chars include lowercase, uppercase= alphabetic, number, and symbol. Input an empty password can clean old admi= n password, then no need input password to enter UI." + #language fr-FR "Input old admin pa= ssword if it was set, then you can change the password to a new one. After = the change action, you may need input the new password when you enter UI. T= he new password must be between 8 and 32 chars include lowercase, uppercase= alphabetic, number, and symbol. Input an empty password can clean old admi= n password, then no need input password to enter UI." +#string STR_ADMIN_PASSWORD_STS_HELP #language en-US "Current Admin Pass= word status: Installed or Not Installed." + #language fr-FR "Current Admin Pass= word status: Installed or Not Installed." +#string STR_ADMIN_PASSWORD_STS_PROMPT #language en-US "Admin Password Sta= tus" + #language fr-FR "Admin Password Sta= tus" +#string STR_ADMIN_PASSWORD_STS_CONTENT #language en-US "" + #language fr-FR "" + diff --git a/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentication/User= AuthenticationDxeVfr.vfr b/Platform/Intel/UserInterfaceFeaturePkg/UserAuthe= ntication/UserAuthenticationDxeVfr.vfr new file mode 100644 index 0000000000..b0aacdb00c --- /dev/null +++ b/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentication/UserAuthent= icationDxeVfr.vfr @@ -0,0 +1,39 @@ +///** @file +// UserAuthentication formset. +// +// Copyright (c) 2017 - 2018, Intel Corporation. All rights reserved.
+// SPDX-License-Identifier: BSD-2-Clause-Patent +// +//**/ + +#include +#include "UserAuthenticationDxeFormset.h" + +formset + guid =3D USER_AUTHENTICATION_FORMSET_GUID, + title =3D STRING_TOKEN(STR_FORM_SET_TITLE), + help =3D STRING_TOKEN(STR_FORM_SET_TITLE_HELP), + classguid =3D EFI_HII_PLATFORM_SETUP_FORMSET_GUID, + + form formid =3D 1, + title =3D STRING_TOKEN(STR_FORM_TITLE); + + grayoutif TRUE; + text + help =3D STRING_TOKEN(STR_ADMIN_PASSWORD_STS_HELP), + text =3D STRING_TOKEN(STR_ADMIN_PASSWORD_STS_PROMPT), + text =3D STRING_TOKEN(STR_ADMIN_PASSWORD_STS_CONTENT); + endif; + + password + prompt =3D STRING_TOKEN(STR_ADMIN_PASSWORD_PROMPT), + help =3D STRING_TOKEN(STR_ADMIN_PASSWORD_HELP), + flags =3D INTERACTIVE, + key =3D ADMIN_PASSWORD_KEY_ID, + minsize =3D MIN_PASSWORD_LEN, + maxsize =3D MAX_PASSWORD_LEN, + endpassword; + + endform; + +endformset; diff --git a/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentication/User= AuthenticationSmm.c b/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentica= tion/UserAuthenticationSmm.c new file mode 100644 index 0000000000..ac341e57f6 --- /dev/null +++ b/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentication/UserAuthent= icationSmm.c @@ -0,0 +1,674 @@ +/** @file + + Copyright (c) 2017 - 2018, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#include "UserAuthenticationSmm.h" + +EFI_SMM_VARIABLE_PROTOCOL *mSmmVariable; + +UINTN mAdminPasswordTryCount =3D 0; + +BOOLEAN mNeedReVerify =3D TRUE; +BOOLEAN mPasswordVerified =3D FALSE; + +/** + Verify if the password is correct. + + @param[in] Password The user input password. + @param[in] PasswordSize The size of Password in byte. + @param[in] UserPasswordVarStruct The storage of password in variable. + + @retval EFI_SUCCESS The password is correct. + @retval EFI_SECURITY_VIOLATION The password is incorrect. +**/ +EFI_STATUS +VerifyPassword ( + IN CHAR8 *Password, + IN UINTN PasswordSize, + IN USER_PASSWORD_VAR_STRUCT *UserPasswordVarStruct + ) +{ + BOOLEAN HashOk; + UINT8 HashData[PASSWORD_HASH_SIZE]; + + HashOk =3D KeyLibGeneratePBKDF2Hash ( + HASH_TYPE_SHA256, + (UINT8 *)Password, + PasswordSize, + UserPasswordVarStruct->PasswordSalt, + sizeof(UserPasswordVarStruct->PasswordSalt), + HashData, + sizeof(HashData) + ); + if (!HashOk) { + return EFI_DEVICE_ERROR; + } + if (KeyLibSlowCompareMem (UserPasswordVarStruct->PasswordHash, HashData,= PASSWORD_HASH_SIZE) =3D=3D 0) { + return EFI_SUCCESS; + } else { + return EFI_SECURITY_VIOLATION; + } +} + +/** + Get hash data of password from non-volatile variable region. + + @param[in] UserGuid The user GUID of the password variab= le. + @param[in] Index The index of the password. + 0 means current password. + Non-0 means the password history. + @param[out] UserPasswordVarStruct The storage of password in variable. + + @retval EFI_SUCCESS The password hash is returned successful= ly. + @retval EFI_NOT_FOUND The password hash is not found. +**/ +EFI_STATUS +GetPasswordHashFromVariable ( + IN EFI_GUID *UserGuid, + IN UINTN Index, + OUT USER_PASSWORD_VAR_STRUCT *UserPasswordVarStruct + ) +{ + UINTN DataSize; + CHAR16 PasswordName[sizeof(USER_AUTHENTICATIO= N_VAR_NAME)/sizeof(CHAR16) + 5]; + + if (Index !=3D 0) { + UnicodeSPrint (PasswordName, sizeof (PasswordName), L"%s%04x", USER_AU= THENTICATION_VAR_NAME, Index); + } else { + UnicodeSPrint (PasswordName, sizeof (PasswordName), L"%s", USER_AUTHEN= TICATION_VAR_NAME); + } + + DataSize =3D sizeof(*UserPasswordVarStruct); + return mSmmVariable->SmmGetVariable ( + PasswordName, + UserGuid, + NULL, + &DataSize, + UserPasswordVarStruct + ); +} + +/** + Save password hash data to non-volatile variable region. + + @param[in] UserGuid The user GUID of the password variab= le. + @param[in] UserPasswordVarStruct The storage of password in variable. + + @retval EFI_SUCCESS The password hash is saved successfully. + @retval EFI_OUT_OF_RESOURCES Insufficient resources to save the passw= ord hash. +**/ +EFI_STATUS +SavePasswordHashToVariable ( + IN EFI_GUID *UserGuid, + IN USER_PASSWORD_VAR_STRUCT *UserPasswordVarStruct + ) +{ + EFI_STATUS Status; + + if (UserPasswordVarStruct =3D=3D NULL) { + Status =3D mSmmVariable->SmmSetVariable ( + USER_AUTHENTICATION_VAR_NAME, + UserGuid, + EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABL= E_NON_VOLATILE, + 0, + NULL + ); + } else { + Status =3D mSmmVariable->SmmSetVariable ( + USER_AUTHENTICATION_VAR_NAME, + UserGuid, + EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABL= E_NON_VOLATILE, + sizeof(*UserPasswordVarStruct), + UserPasswordVarStruct + ); + } + if (EFI_ERROR (Status)) { + DEBUG ((DEBUG_ERROR, "SavePasswordHashToVariable fails with %r\n", Sta= tus)); + } + + return Status; +} + +/** + Save old password hash data to non-volatile variable region as history. + + The number of password history variable is limited. + If all the password history variables are used, the new password history + will override the oldest one. + + @param[in] UserGuid The user GUID of the password variab= le. + @param[in] UserPasswordVarStruct The storage of password in variable. + + @retval EFI_SUCCESS The password hash is saved successfully. + @retval EFI_OUT_OF_RESOURCES Insufficient resources to save the passw= ord hash. +**/ +EFI_STATUS +SaveOldPasswordToHistory ( + IN EFI_GUID *UserGuid, + IN USER_PASSWORD_VAR_STRUCT *UserPasswordVarStruct + ) +{ + EFI_STATUS Status; + UINTN DataSize; + UINT32 LastIndex; + CHAR16 PasswordName[sizeof(USER_AUTHENTICATIO= N_VAR_NAME)/sizeof(CHAR16) + 5]; + + DEBUG ((DEBUG_INFO, "SaveOldPasswordToHistory\n")); + + DataSize =3D sizeof(LastIndex); + Status =3D mSmmVariable->SmmGetVariable ( + USER_AUTHENTICATION_HISTORY_LAST_VAR_NAME, + UserGuid, + NULL, + &DataSize, + &LastIndex + ); + if (EFI_ERROR(Status)) { + LastIndex =3D 0; + } + if (LastIndex >=3D PASSWORD_HISTORY_CHECK_COUNT) { + LastIndex =3D 0; + } + + LastIndex ++; + UnicodeSPrint (PasswordName, sizeof (PasswordName), L"%s%04x", USER_AUTH= ENTICATION_VAR_NAME, LastIndex); + + + Status =3D mSmmVariable->SmmSetVariable ( + PasswordName, + UserGuid, + EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_= NON_VOLATILE, + sizeof(*UserPasswordVarStruct), + UserPasswordVarStruct + ); + DEBUG ((DEBUG_INFO, " -- to %s, %r\n", PasswordName, Status)); + if (!EFI_ERROR(Status)) { + Status =3D mSmmVariable->SmmSetVariable ( + USER_AUTHENTICATION_HISTORY_LAST_VAR_NAME, + UserGuid, + EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABL= E_NON_VOLATILE, + sizeof(LastIndex), + &LastIndex + ); + DEBUG ((DEBUG_INFO, " LastIndex - 0x%04x, %r\n", LastIndex, Status)); + } + + return Status; +} + +/** + Calculate password hash data and save it to non-volatile variable region. + + @param[in] UserGuid The user GUID of the password variabl= e. + @param[in] Password The user input password. + NULL means delete the password variab= le. + @param[in] PasswordSize The size of Password in byte. + + @retval EFI_SUCCESS The password hash is calculated and save= d. + @retval EFI_OUT_OF_RESOURCES Insufficient resources to save the passw= ord hash. +**/ +EFI_STATUS +SavePasswordToVariable ( + IN EFI_GUID *UserGuid, + IN CHAR8 *Password, OPTIONAL + IN UINTN PasswordSize + ) +{ + EFI_STATUS Status; + USER_PASSWORD_VAR_STRUCT UserPasswordVarStruct; + BOOLEAN HashOk; + + // + // If password is NULL, it means we want to clean password field saved i= n variable region. + // + if (Password !=3D NULL) { + KeyLibGenerateSalt (UserPasswordVarStruct.PasswordSalt, sizeof(UserPas= swordVarStruct.PasswordSalt)); + HashOk =3D KeyLibGeneratePBKDF2Hash ( + HASH_TYPE_SHA256, + (UINT8 *)Password, + PasswordSize, + UserPasswordVarStruct.PasswordSalt, + sizeof(UserPasswordVarStruct.PasswordSalt), + UserPasswordVarStruct.PasswordHash, + sizeof(UserPasswordVarStruct.PasswordHash) + ); + if (!HashOk) { + return EFI_DEVICE_ERROR; + } + Status =3D SavePasswordHashToVariable (UserGuid, &UserPasswordVarStruc= t); + // + // Save Password data to history variable + // + if (!EFI_ERROR(Status)) { + SaveOldPasswordToHistory (UserGuid, &UserPasswordVarStruct); + } + } else { + Status =3D SavePasswordHashToVariable (UserGuid, NULL); + } + + return Status; +} + +/** + Verify the password. + If the password variable does not exist, it passes the verification. + If the password variable exists, it does verification based upon passwor= d variable. + + @param[in] UserGuid The user GUID of the password variabl= e. + @param[in] Password The user input password. + @param[in] PasswordSize The size of Password in byte. + + @retval TRUE The verification passes. + @retval FALSE The verification fails. +**/ +BOOLEAN +IsPasswordVerified ( + IN EFI_GUID *UserGuid, + IN CHAR8 *Password, + IN UINTN PasswordSize + ) +{ + USER_PASSWORD_VAR_STRUCT UserPasswordVarStruct; + EFI_STATUS Status; + UINTN *PasswordTryCount; + + PasswordTryCount =3D &mAdminPasswordTryCount; + + Status =3D GetPasswordHashFromVariable (UserGuid, 0, &UserPasswordVarStr= uct); + if (EFI_ERROR(Status)) { + return TRUE; + } + + // + // Old password exists + // + Status =3D VerifyPassword (Password, PasswordSize, &UserPasswordVarStruc= t); + if (EFI_ERROR(Status)) { + if (Password[0] !=3D 0) { + *PasswordTryCount =3D *PasswordTryCount + 1; + } + return FALSE; + } + + return TRUE; +} + +/** + Return if the password is set. + + @param[in] UserGuid The user GUID of the password variabl= e. + + @retval TRUE The password is set. + @retval FALSE The password is not set. +**/ +BOOLEAN +IsPasswordSet ( + IN EFI_GUID *UserGuid + ) +{ + USER_PASSWORD_VAR_STRUCT UserPasswordVarStruct; + EFI_STATUS Status; + + Status =3D GetPasswordHashFromVariable(UserGuid, 0, &UserPasswordVarStru= ct); + if (EFI_ERROR(Status)) { + return FALSE; + } + return TRUE; +} + +/** + Return if the password is strong. + Criteria: + 1) length >=3D PASSWORD_MIN_SIZE + 2) include lower case, upper case, number, symbol. + + @param[in] Password The user input password. + @param[in] PasswordSize The size of Password in byte. + + @retval TRUE The password is strong. + @retval FALSE The password is weak. +**/ +BOOLEAN +IsPasswordStrong ( + IN CHAR8 *Password, + IN UINTN PasswordSize + ) +{ + UINTN Index; + BOOLEAN HasLowerCase; + BOOLEAN HasUpperCase; + BOOLEAN HasNumber; + BOOLEAN HasSymbol; + + if (PasswordSize < PASSWORD_MIN_SIZE) { + return FALSE; + } + + HasLowerCase =3D FALSE; + HasUpperCase =3D FALSE; + HasNumber =3D FALSE; + HasSymbol =3D FALSE; + for (Index =3D 0; Index < PasswordSize - 1; Index++) { + if (Password[Index] >=3D 'a' && Password[Index] <=3D 'z') { + HasLowerCase =3D TRUE; + } else if (Password[Index] >=3D 'A' && Password[Index] <=3D 'Z') { + HasUpperCase =3D TRUE; + } else if (Password[Index] >=3D '0' && Password[Index] <=3D '9') { + HasNumber =3D TRUE; + } else { + HasSymbol =3D TRUE; + } + } + if ((!HasLowerCase) || (!HasUpperCase) || (!HasNumber) || (!HasSymbol)) { + return FALSE; + } + return TRUE; +} + +/** + Return if the password is set before in PASSWORD_HISTORY_CHECK_COUNT. + + @param[in] UserGuid The user GUID of the password variabl= e. + @param[in] Password The user input password. + @param[in] PasswordSize The size of Password in byte. + + @retval TRUE The password is set before. + @retval FALSE The password is not set before. +**/ +BOOLEAN +IsPasswordInHistory ( + IN EFI_GUID *UserGuid, + IN CHAR8 *Password, + IN UINTN PasswordSize + ) +{ + EFI_STATUS Status; + USER_PASSWORD_VAR_STRUCT UserPasswordVarStruct; + UINTN Index; + + for (Index =3D 1; Index <=3D PASSWORD_HISTORY_CHECK_COUNT; Index++) { + Status =3D GetPasswordHashFromVariable (UserGuid, Index, &UserPassword= VarStruct); + if (!EFI_ERROR(Status)) { + Status =3D VerifyPassword (Password, PasswordSize, &UserPasswordVarS= truct); + if (!EFI_ERROR(Status)) { + return TRUE; + } + } + } + + return FALSE; +} + +/** + Communication service SMI Handler entry. + + This SMI handler provides services for password management. + + @param[in] DispatchHandle The unique handle assigned to this handle= r by SmiHandlerRegister(). + @param[in] RegisterContext Points to an optional handler context whi= ch was specified when the + handler was registered. + @param[in, out] CommBuffer A pointer to a collection of data in memo= ry that will + be conveyed from a non-SMM environment in= to an SMM environment. + @param[in, out] CommBufferSize The size of the CommBuffer. + + @retval EFI_SUCCESS The interrupt was handled an= d quiesced. No other handlers + should still be called. + @retval EFI_WARN_INTERRUPT_SOURCE_QUIESCED The interrupt has been quies= ced but other handlers should + still be called. + @retval EFI_WARN_INTERRUPT_SOURCE_PENDING The interrupt is still pendi= ng and other handlers should still + be called. + @retval EFI_INTERRUPT_PENDING The interrupt could not be q= uiesced. +**/ +EFI_STATUS +EFIAPI +SmmPasswordHandler ( + IN EFI_HANDLE DispatchHandle, + IN CONST VOID *RegisterContext, + IN OUT VOID *CommBuffer, + IN OUT UINTN *CommBufferSize + ) +{ + EFI_STATUS Status; + SMM_PASSWORD_COMMUNICATE_HEADER *SmmFunctionHeader; + UINTN CommBufferPayloadSize; + UINTN TempCommBufferSize; + SMM_PASSWORD_COMMUNICATE_SET_PASSWORD SmmCommunicateSetPassword; + SMM_PASSWORD_COMMUNICATE_VERIFY_PASSWORD SmmCommunicateVerifyPassword; + SMM_PASSWORD_COMMUNICATE_VERIFY_POLICY SmmCommunicateSetVerifyPolicy; + SMM_PASSWORD_COMMUNICATE_VERIFY_POLICY *SmmCommunicateGetVerifyPolicy; + UINTN PasswordLen; + EFI_GUID *UserGuid; + UINTN *PasswordTryCount; + + // + // If input is invalid, stop processing this SMI + // + if (CommBuffer =3D=3D NULL || CommBufferSize =3D=3D NULL) { + return EFI_SUCCESS; + } + + TempCommBufferSize =3D *CommBufferSize; + PasswordLen =3D 0; + + if (TempCommBufferSize < sizeof (SMM_PASSWORD_COMMUNICATE_HEADER)) { + DEBUG ((DEBUG_ERROR, "SmmPasswordHandler: SMM communication buffer siz= e invalid!\n")); + return EFI_SUCCESS; + } + + CommBufferPayloadSize =3D TempCommBufferSize - sizeof (SMM_PASSWORD_COMM= UNICATE_HEADER); + + Status =3D EFI_SUCCESS; + SmmFunctionHeader =3D (SMM_PASSWORD_COMMUNICATE_HEADER *)CommBuffer; + + UserGuid =3D &gUserAuthenticationGuid; + PasswordTryCount =3D &mAdminPasswordTryCount; + + switch (SmmFunctionHeader->Function) { + case SMM_PASSWORD_FUNCTION_IS_PASSWORD_SET: + PasswordTryCount =3D NULL; + if (CommBufferPayloadSize !=3D 0) { + DEBUG ((DEBUG_ERROR, "SmmPasswordHandler: IS_PASSWORD_SET payload bu= ffer invalid!\n")); + Status =3D EFI_INVALID_PARAMETER; + goto EXIT; + } + if (IsPasswordSet(UserGuid)) { + Status =3D EFI_SUCCESS; + } else { + Status =3D EFI_NOT_FOUND; + } + break; + case SMM_PASSWORD_FUNCTION_SET_PASSWORD: + if (*PasswordTryCount >=3D PASSWORD_MAX_TRY_COUNT) { + DEBUG ((DEBUG_ERROR, "SmmPasswordHandler: SET_PASSWORD try count rea= ch!\n")); + PasswordTryCount =3D NULL; + Status =3D EFI_ACCESS_DENIED; + goto EXIT; + } + if (CommBufferPayloadSize !=3D sizeof(SMM_PASSWORD_COMMUNICATE_SET_PAS= SWORD)) { + DEBUG ((DEBUG_ERROR, "SmmPasswordHandler: SET_PASSWORD payload buffe= r invalid!\n")); + Status =3D EFI_INVALID_PARAMETER; + goto EXIT; + } + CopyMem (&SmmCommunicateSetPassword, SmmFunctionHeader + 1, sizeof(Smm= CommunicateSetPassword)); + + PasswordLen =3D AsciiStrnLenS(SmmCommunicateSetPassword.OldPassword, s= izeof(SmmCommunicateSetPassword.OldPassword)); + if (PasswordLen =3D=3D sizeof(SmmCommunicateSetPassword.OldPassword)) { + DEBUG ((DEBUG_ERROR, "SmmPasswordHandler: OldPassword invalid!\n")); + Status =3D EFI_INVALID_PARAMETER; + goto EXIT; + } + + if (!IsPasswordVerified (UserGuid, SmmCommunicateSetPassword.OldPasswo= rd, PasswordLen + 1)) { + DEBUG ((DEBUG_ERROR, "SmmPasswordHandler: PasswordVerify - FAIL\n")); + Status =3D EFI_SECURITY_VIOLATION; + goto EXIT; + } + + PasswordLen =3D AsciiStrnLenS(SmmCommunicateSetPassword.NewPassword, s= izeof(SmmCommunicateSetPassword.NewPassword)); + if (PasswordLen =3D=3D sizeof(SmmCommunicateSetPassword.NewPassword)) { + DEBUG ((DEBUG_ERROR, "SmmPasswordHandler: NewPassword invalid!\n")); + Status =3D EFI_INVALID_PARAMETER; + goto EXIT; + } + if (PasswordLen !=3D 0 && !IsPasswordStrong (SmmCommunicateSetPassword= .NewPassword, PasswordLen + 1)) { + DEBUG ((DEBUG_ERROR, "SmmPasswordHandler: NewPassword too weak!\n")); + Status =3D EFI_UNSUPPORTED; + goto EXIT; + } + if (PasswordLen !=3D 0 && IsPasswordInHistory (UserGuid, SmmCommunicat= eSetPassword.NewPassword, PasswordLen + 1)) { + DEBUG ((DEBUG_ERROR, "SmmPasswordHandler: NewPassword in history!\n"= )); + Status =3D EFI_ALREADY_STARTED; + goto EXIT; + } + + if (PasswordLen =3D=3D 0) { + Status =3D SavePasswordToVariable (UserGuid, NULL, 0); + } else { + Status =3D SavePasswordToVariable (UserGuid, SmmCommunicateSetPasswo= rd.NewPassword, PasswordLen + 1); + } + break; + + case SMM_PASSWORD_FUNCTION_VERIFY_PASSWORD: + if (*PasswordTryCount >=3D PASSWORD_MAX_TRY_COUNT) { + DEBUG ((DEBUG_ERROR, "SmmPasswordHandler: VERIFY_PASSWORD try count = reach!\n")); + PasswordTryCount =3D NULL; + Status =3D EFI_ACCESS_DENIED; + goto EXIT; + } + if (CommBufferPayloadSize !=3D sizeof(SMM_PASSWORD_COMMUNICATE_VERIFY_= PASSWORD)) { + DEBUG ((DEBUG_ERROR, "SmmPasswordHandler: VERIFY_PASSWORD payload bu= ffer invalid!\n")); + Status =3D EFI_INVALID_PARAMETER; + goto EXIT; + } + CopyMem (&SmmCommunicateVerifyPassword, SmmFunctionHeader + 1, sizeof(= SmmCommunicateVerifyPassword)); + + PasswordLen =3D AsciiStrnLenS(SmmCommunicateVerifyPassword.Password, s= izeof(SmmCommunicateVerifyPassword.Password)); + if (PasswordLen =3D=3D sizeof(SmmCommunicateVerifyPassword.Password)) { + DEBUG ((DEBUG_ERROR, "SmmPasswordHandler: Password invalid!\n")); + Status =3D EFI_INVALID_PARAMETER; + goto EXIT; + } + if (!IsPasswordVerified (UserGuid, SmmCommunicateVerifyPassword.Passwo= rd, PasswordLen + 1)) { + DEBUG ((DEBUG_ERROR, "SmmPasswordHandler: PasswordVerify - FAIL\n")); + Status =3D EFI_SECURITY_VIOLATION; + goto EXIT; + } + mPasswordVerified =3D TRUE; + Status =3D EFI_SUCCESS; + break; + + case SMM_PASSWORD_FUNCTION_SET_VERIFY_POLICY: + PasswordTryCount =3D NULL; + if (CommBufferPayloadSize !=3D sizeof(SMM_PASSWORD_COMMUNICATE_VERIFY_= POLICY)) { + DEBUG ((DEBUG_ERROR, "SmmPasswordHandler: SET_VERIFY_POLICY payload = buffer invalid!\n")); + Status =3D EFI_INVALID_PARAMETER; + goto EXIT; + } + CopyMem (&SmmCommunicateSetVerifyPolicy, SmmFunctionHeader + 1, sizeof= (SmmCommunicateSetVerifyPolicy)); + mNeedReVerify =3D SmmCommunicateSetVerifyPolicy.NeedReVerify; + break; + + case SMM_PASSWORD_FUNCTION_GET_VERIFY_POLICY: + PasswordTryCount =3D NULL; + if (CommBufferPayloadSize !=3D sizeof(SMM_PASSWORD_COMMUNICATE_VERIFY_= POLICY)) { + DEBUG ((DEBUG_ERROR, "SmmPasswordHandler: GET_VERIFY_POLICY payload = buffer invalid!\n")); + Status =3D EFI_INVALID_PARAMETER; + goto EXIT; + } + SmmCommunicateGetVerifyPolicy =3D (SMM_PASSWORD_COMMUNICATE_VERIFY_POL= ICY *) (SmmFunctionHeader + 1); + SmmCommunicateGetVerifyPolicy->NeedReVerify =3D mNeedReVerify; + break; + case SMM_PASSWORD_FUNCTION_WAS_PASSWORD_VERIFIED: + PasswordTryCount =3D NULL; + if (CommBufferPayloadSize !=3D 0) { + DEBUG ((DEBUG_ERROR, "SmmPasswordHandler: WAS_PASSWORD_VERIFIED payl= oad buffer invalid!\n")); + Status =3D EFI_INVALID_PARAMETER; + goto EXIT; + } + if (mPasswordVerified) { + Status =3D EFI_SUCCESS; + } else { + Status =3D EFI_NOT_STARTED; + } + break; + + default: + PasswordTryCount =3D NULL; + Status =3D EFI_UNSUPPORTED; + break; + } + +EXIT: + if (PasswordTryCount !=3D NULL) { + if (Status =3D=3D EFI_SUCCESS) { + *PasswordTryCount =3D 0; + } + } + SmmFunctionHeader->ReturnStatus =3D Status; + + return EFI_SUCCESS; +} + +/** + Main entry for this driver. + + @param ImageHandle Image handle this driver. + @param SystemTable Pointer to SystemTable. + + @retval EFI_SUCESS This function always complete successfully. + +**/ +EFI_STATUS +EFIAPI +PasswordSmmInit ( + IN EFI_HANDLE ImageHandle, + IN EFI_SYSTEM_TABLE *SystemTable + ) +{ + EFI_STATUS Status; + EFI_HANDLE SmmHandle; + EDKII_VARIABLE_LOCK_PROTOCOL *VariableLock; + CHAR16 PasswordHistoryName[sizeof(USER_AU= THENTICATION_VAR_NAME)/sizeof(CHAR16) + 5]; + UINTN Index; + + ASSERT (PASSWORD_HASH_SIZE =3D=3D SHA256_DIGEST_SIZE); + ASSERT (PASSWORD_HISTORY_CHECK_COUNT < 0xFFFF); + + Status =3D gSmst->SmmLocateProtocol (&gEfiSmmVariableProtocolGuid, NULL,= (VOID**)&mSmmVariable); + ASSERT_EFI_ERROR (Status); + + // + // Make password variables read-only for DXE driver for security concern. + // + Status =3D gBS->LocateProtocol (&gEdkiiVariableLockProtocolGuid, NULL, (= VOID **) &VariableLock); + if (!EFI_ERROR (Status)) { + Status =3D VariableLock->RequestToLock (VariableLock, USER_AUTHENTICAT= ION_VAR_NAME, &gUserAuthenticationGuid); + ASSERT_EFI_ERROR (Status); + + for (Index =3D 1; Index <=3D PASSWORD_HISTORY_CHECK_COUNT; Index++) { + UnicodeSPrint (PasswordHistoryName, sizeof (PasswordHistoryName), L"= %s%04x", USER_AUTHENTICATION_VAR_NAME, Index); + Status =3D VariableLock->RequestToLock (VariableLock, PasswordHistor= yName, &gUserAuthenticationGuid); + ASSERT_EFI_ERROR (Status); + } + Status =3D VariableLock->RequestToLock (VariableLock, USER_AUTHENTICAT= ION_HISTORY_LAST_VAR_NAME, &gUserAuthenticationGuid); + ASSERT_EFI_ERROR (Status); + } + + SmmHandle =3D NULL; + Status =3D gSmst->SmiHandlerRegister (SmmPasswordHandler, &gUserAuthe= nticationGuid, &SmmHandle); + ASSERT_EFI_ERROR (Status); + if (EFI_ERROR (Status)) { + return Status; + } + + if (IsPasswordCleared()) { + DEBUG ((DEBUG_INFO, "IsPasswordCleared\n")); + SavePasswordToVariable (&gUserAuthenticationGuid, NULL, 0); + } + + return EFI_SUCCESS; +} + diff --git a/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentication/User= AuthenticationSmm.h b/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentica= tion/UserAuthenticationSmm.h new file mode 100644 index 0000000000..2f8c3c8c67 --- /dev/null +++ b/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentication/UserAuthent= icationSmm.h @@ -0,0 +1,52 @@ +/** @file + Header file for UserAuthenticationSmm. + + Copyright (c) 2018, Intel Corporation. All rights reserved.
+ SPDX-License-Identifier: BSD-2-Clause-Patent + +**/ + +#ifndef __USER_AUTHENTICATION_SMM_H__ +#define __USER_AUTHENTICATION_SMM_H__ + +#include + +#include +#include + +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "KeyService.h" + +#define PASSWORD_SALT_SIZE 32 +#define PASSWORD_HASH_SIZE 32 // SHA256_DIGEST_SIZE + +#define PASSWORD_MAX_TRY_COUNT 3 +#define PASSWORD_HISTORY_CHECK_COUNT 5 + +// +// Name of the variable +// +#define USER_AUTHENTICATION_VAR_NAME L"Password" +#define USER_AUTHENTICATION_HISTORY_LAST_VAR_NAME L"PasswordLast" + +// +// Variable storage +// +typedef struct { + UINT8 PasswordHash[PASSWORD_HASH_SIZE]; + UINT8 PasswordSalt[PASSWORD_SALT_SIZE]; +} USER_PASSWORD_VAR_STRUCT; + +#endif diff --git a/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentication/User= AuthenticationSmm.inf b/Platform/Intel/UserInterfaceFeaturePkg/UserAuthenti= cation/UserAuthenticationSmm.inf new file mode 100644 index 0000000000..b8b3512a3f --- /dev/null +++ b/Platform/Intel/UserInterfaceFeaturePkg/UserAuthentication/UserAuthent= icationSmm.inf @@ -0,0 +1,53 @@ +## @file +# User Authentication Smm Driver. +# +# This driver provides SMM services for DXE user authentication module. +# +# Copyright (c) 2017 - 2018, Intel Corporation. All rights reserved.
+# SPDX-License-Identifier: BSD-2-Clause-Patent +# +## + +[Defines] + INF_VERSION =3D 0x00010005 + BASE_NAME =3D UserAuthenticationSmm + FILE_GUID =3D 8fc6aaaa-4561-4815-8cf7-b87312992dce + MODULE_TYPE =3D DXE_SMM_DRIVER + VERSION_STRING =3D 1.0 + PI_SPECIFICATION_VERSION =3D 0x0001000A + ENTRY_POINT =3D PasswordSmmInit + +[Sources] + UserAuthenticationSmm.c + UserAuthenticationSmm.h + KeyService.c + KeyService.h + +[Packages] + MdePkg/MdePkg.dec + MdeModulePkg/MdeModulePkg.dec + CryptoPkg/CryptoPkg.dec + UserInterfaceFeaturePkg/UserInterfaceFeaturePkg.dec + +[LibraryClasses] + UefiBootServicesTableLib + UefiDriverEntryPoint + DebugLib + BaseLib + BaseMemoryLib + PrintLib + SmmServicesTableLib + MemoryAllocationLib + UefiLib + BaseCryptLib + PlatformPasswordLib + +[Guids] + gUserAuthenticationGuid ## CONSUMES ## GUID + +[Protocols] + gEdkiiVariableLockProtocolGuid ## CONSUMES + gEfiSmmVariableProtocolGuid ## CONSUMES + +[Depex] + gEfiSmmVariableProtocolGuid AND gEfiVariableWriteArchProtocolGuid diff --git a/Platform/Intel/UserInterfaceFeaturePkg/UserInterfaceFeaturePkg= .dec b/Platform/Intel/UserInterfaceFeaturePkg/UserInterfaceFeaturePkg.dec index 7162637e24..50b28154bf 100644 --- a/Platform/Intel/UserInterfaceFeaturePkg/UserInterfaceFeaturePkg.dec +++ b/Platform/Intel/UserInterfaceFeaturePkg/UserInterfaceFeaturePkg.dec @@ -15,5 +15,20 @@ [Defines] DEC_SPECIFICATION =3D 0x00010017 PACKAGE_NAME =3D UserInterfaceFeaturePkg PACKAGE_VERSION =3D 0.1 PACKAGE_GUID =3D 5A92199C-C2ED-4A3F-9ED0-C278DEA0DA47 =20 +[Includes] + Include + +[Guids] + gEfiUserInterfaceFeaturePkgTokenSpaceGuid =3D { 0x13c2147c, 0x75b6, 0x4= 8ee, { 0xa4, 0x4b, 0xfc, 0x4, 0xb, 0x44, 0x97, 0xbd } } + ## Include Include/Guid/UserAuthentication.h + gUserAuthenticationGuid =3D { 0xee24a7f7, 0x606b, 0x4724, { 0xb3, 0xc9, = 0xf5, 0xae, 0x4a, 0x3b, 0x81, 0x65} } + +[PcdsFixedAtBuild,PcdsPatchableInModule,PcdsDynamic,PcdsDynamicEx] + ## Indicate whether the password is cleared. + # When it is configured to Dynamic or DynamicEx, it can be set through d= etection using + # a platform-specific method (e.g. Board Jumper set) in a actual platfor= m in early boot phase.

+ # @Prompt The password clear status + gEfiUserInterfaceFeaturePkgTokenSpaceGuid.PcdPasswordCleared|FALSE|BOOLE= AN|0x00000001 + diff --git a/Platform/Intel/UserInterfaceFeaturePkg/UserInterfaceFeaturePkg= .dsc b/Platform/Intel/UserInterfaceFeaturePkg/UserInterfaceFeaturePkg.dsc index 7098affee9..2c24e43f95 100644 --- a/Platform/Intel/UserInterfaceFeaturePkg/UserInterfaceFeaturePkg.dsc +++ b/Platform/Intel/UserInterfaceFeaturePkg/UserInterfaceFeaturePkg.dsc @@ -19,5 +19,60 @@ [Defines] OUTPUT_DIRECTORY =3D Build/UserInterfaceFeaturePkg SUPPORTED_ARCHITECTURES =3D IA32|X64 BUILD_TARGETS =3D DEBUG|RELEASE|NOOPT SKUID_IDENTIFIER =3D DEFAULT =20 +[LibraryClasses] + UefiDriverEntryPoint|MdePkg/Library/UefiDriverEntryPoint/UefiDriverEntry= Point.inf + BaseLib|MdePkg/Library/BaseLib/BaseLib.inf + BaseMemoryLib|MdePkg/Library/BaseMemoryLib/BaseMemoryLib.inf + PrintLib|MdePkg/Library/BasePrintLib/BasePrintLib.inf + IoLib|MdePkg/Library/BaseIoLibIntrinsic/BaseIoLibIntrinsic.inf + UefiBootServicesTableLib|MdePkg/Library/UefiBootServicesTableLib/UefiBoo= tServicesTableLib.inf + UefiRuntimeServicesTableLib|MdePkg/Library/UefiRuntimeServicesTableLib/U= efiRuntimeServicesTableLib.inf + UefiLib|MdePkg/Library/UefiLib/UefiLib.inf + UefiHiiServicesLib|MdeModulePkg/Library/UefiHiiServicesLib/UefiHiiServic= esLib.inf + HiiLib|MdeModulePkg/Library/UefiHiiLib/UefiHiiLib.inf + DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf + TimerLib|MdePkg/Library/BaseTimerLibNullTemplate/BaseTimerLibNullTemplat= e.inf + PcdLib|MdePkg/Library/BasePcdLibNull/BasePcdLibNull.inf + DebugLib|MdePkg/Library/BaseDebugLibNull/BaseDebugLibNull.inf + IntrinsicLib|CryptoPkg/Library/IntrinsicLib/IntrinsicLib.inf + OpensslLib|CryptoPkg/Library/OpensslLib/OpensslLib.inf + PlatformPasswordLib|UserInterfaceFeaturePkg/Library/PlatformPasswordLibN= ull/PlatformPasswordLibNull.inf + UserPasswordLib|UserInterfaceFeaturePkg/Library/UserPasswordLib/UserPass= wordLib.inf + +[LibraryClasses.common.DXE_DRIVER] + MemoryAllocationLib|MdePkg/Library/UefiMemoryAllocationLib/UefiMemoryAll= ocationLib.inf + +[LibraryClasses.common.DXE_SMM_DRIVER] + MemoryAllocationLib|MdePkg/Library/SmmMemoryAllocationLib/SmmMemoryAlloc= ationLib.inf + SmmServicesTableLib|MdePkg/Library/SmmServicesTableLib/SmmServicesTableL= ib.inf + BaseCryptLib|CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf + +##########################################################################= ######################### +# +# Components Section - list of the modules and components that will be pro= cessed by compilation +# tools and the EDK II tools to generate PE32/PE32+/C= off image files. +# +# Note: The EDK II DSC file is not used to specify how compiled binary ima= ges get placed +# into firmware volume images. This section is just a list of module= s to compile from +# source into UEFI-compliant binaries. +# It is the FDF file that contains information on combining binary f= iles into firmware +# volume images, whose concept is beyond UEFI and is described in PI= specification. +# Binary modules do not need to be listed in this section, as they s= hould be +# specified in the FDF file. For example: Shell binary (Shell_Full.e= fi), FAT binary (Fat.efi), +# Logo (Logo.bmp), and etc. +# There may also be modules listed in this section that are not requ= ired in the FDF file, +# When a module listed here is excluded from FDF file, then UEFI-com= pliant binary will be +# generated for it, but the binary will not be put into any firmware= volume. +# +##########################################################################= ######################### +[Components] + UserInterfaceFeaturePkg/Library/PlatformPasswordLibNull/PlatformPassword= LibNull.inf + UserInterfaceFeaturePkg/Library/UserPasswordLib/UserPasswordLib.inf + UserInterfaceFeaturePkg/Library/UserPasswordUiLib/UserPasswordUiLib.inf + + UserInterfaceFeaturePkg/UserAuthentication/UserAuthenticationDxe.inf + UserInterfaceFeaturePkg/UserAuthentication/UserAuthentication2Dxe.inf + UserInterfaceFeaturePkg/UserAuthentication/UserAuthenticationSmm.inf + --=20 2.18.0.windows.1 -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#42490): https://edk2.groups.io/g/devel/message/42490 Mute This Topic: https://groups.io/mt/32092227/1787277 Group Owner: devel+owner@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org] -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-