SecurityPkg/OpalPassword: Secure erase is available if encryption is supported

[edk2-devel] [PATCH] SecurityPkg/OpalPassword: Secure erase is available if encryption is supported

Posted by Maggie Chu 3 years, 6 months ago

From: Maggie Chu <maggie.chu@intel.com>

https://bugzilla.tianocore.org/show_bug.cgi?id=3004

Secure erase is performed by generating a new encryption key,
this is only available if encryption is supported.
This commit will hide "secure erase" option from setup page
if connected device doesn't support encryption.

Signed-off-by: Maggie Chu <maggie.chu@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Qi Zhang <qi1.zhang@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
---
 SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c b/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
index b5b6aec98c..bf5e374163 100644
--- a/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
+++ b/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
@@ -88,7 +88,11 @@ OpalSupportGetAvailableActions(
     // Secure erase is performed by generating a new encryption key
     // this is only available if encryption is supported
     //
-    AvalDiskActions->SecureErase = 1;
+    if (SupportedAttributes->MediaEncryption) {
+      AvalDiskActions->SecureErase = 1;
+    } else {
+      AvalDiskActions->SecureErase = 0;
+    }
   } else {
     AvalDiskActions->PsidRevert = 0;
     AvalDiskActions->SecureErase = 0;
-- 
2.16.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#66237): https://edk2.groups.io/g/devel/message/66237
Mute This Topic: https://groups.io/mt/77523234/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH] SecurityPkg/OpalPassword: Secure erase is available if encryption is supported

Posted by Yao, Jiewen 3 years, 6 months ago

Thanks Maggie.

My feeling is that it is weird and unnecessary to put MediaEncryption check under (PyriteSscV2 || MediaEncryption)
===============
if (SupportedAttributes->PyriteSscV2 || SupportedAttributes->MediaEncryption) {
  if (SupportedAttributes->MediaEncryption) {
  }
}
===============
Is that necessary to check PyriteSscV2 for SecureErase ?

If it is not needed, can we write code in below way to make logic clear?
===============
if (SupportedAttributes->PyriteSscV2) {
  ...
} else {
  ...
}

if (SupportedAttributes->MediaEncryption) {
  ...
} else {
  ...
}
===============



> -----Original Message-----
> From: Chu, Maggie <maggie.chu@intel.com>
> Sent: Thursday, October 15, 2020 3:15 PM
> To: devel@edk2.groups.io
> Cc: Chu, Maggie <maggie.chu@intel.com>; Dong, Eric <eric.dong@intel.com>;
> Wang, Jian J <jian.j.wang@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>;
> Zhang, Qi1 <qi1.zhang@intel.com>; Kumar, Rahul1 <rahul1.kumar@intel.com>
> Subject: [PATCH] SecurityPkg/OpalPassword: Secure erase is available if
> encryption is supported
> 
> From: Maggie Chu <maggie.chu@intel.com>
> 
> https://bugzilla.tianocore.org/show_bug.cgi?id=3004
> 
> Secure erase is performed by generating a new encryption key,
> this is only available if encryption is supported.
> This commit will hide "secure erase" option from setup page
> if connected device doesn't support encryption.
> 
> Signed-off-by: Maggie Chu <maggie.chu@intel.com>
> Cc: Eric Dong <eric.dong@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Qi Zhang <qi1.zhang@intel.com>
> Cc: Rahul Kumar <rahul1.kumar@intel.com>
> ---
>  SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
> b/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
> index b5b6aec98c..bf5e374163 100644
> --- a/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
> +++ b/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
> @@ -88,7 +88,11 @@ OpalSupportGetAvailableActions(
>      // Secure erase is performed by generating a new encryption key
> 
>      // this is only available if encryption is supported
> 
>      //
> 
> -    AvalDiskActions->SecureErase = 1;
> 
> +    if (SupportedAttributes->MediaEncryption) {
> 
> +      AvalDiskActions->SecureErase = 1;
> 
> +    } else {
> 
> +      AvalDiskActions->SecureErase = 0;
> 
> +    }
> 
>    } else {
> 
>      AvalDiskActions->PsidRevert = 0;
> 
>      AvalDiskActions->SecureErase = 0;
> 
> --
> 2.16.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#66575): https://edk2.groups.io/g/devel/message/66575
Mute This Topic: https://groups.io/mt/77523234/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH] SecurityPkg/OpalPassword: Secure erase is available if encryption is supported

Posted by Dong, Eric 3 years, 6 months ago

Reviewed-by: Eric Dong <eric.dong@intel.com>

-----Original Message-----
From: Chu, Maggie <maggie.chu@intel.com> 
Sent: Thursday, October 15, 2020 3:15 PM
To: devel@edk2.groups.io
Cc: Chu, Maggie <maggie.chu@intel.com>; Dong, Eric <eric.dong@intel.com>; Wang, Jian J <jian.j.wang@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Zhang, Qi1 <qi1.zhang@intel.com>; Kumar, Rahul1 <rahul1.kumar@intel.com>
Subject: [PATCH] SecurityPkg/OpalPassword: Secure erase is available if encryption is supported

From: Maggie Chu <maggie.chu@intel.com>

https://bugzilla.tianocore.org/show_bug.cgi?id=3004

Secure erase is performed by generating a new encryption key,
this is only available if encryption is supported.
This commit will hide "secure erase" option from setup page
if connected device doesn't support encryption.

Signed-off-by: Maggie Chu <maggie.chu@intel.com>
Cc: Eric Dong <eric.dong@intel.com>
Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Qi Zhang <qi1.zhang@intel.com>
Cc: Rahul Kumar <rahul1.kumar@intel.com>
---
 SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c b/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
index b5b6aec98c..bf5e374163 100644
--- a/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
+++ b/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
@@ -88,7 +88,11 @@ OpalSupportGetAvailableActions(
     // Secure erase is performed by generating a new encryption key

     // this is only available if encryption is supported

     //

-    AvalDiskActions->SecureErase = 1;

+    if (SupportedAttributes->MediaEncryption) {

+      AvalDiskActions->SecureErase = 1;

+    } else {

+      AvalDiskActions->SecureErase = 0;

+    }

   } else {

     AvalDiskActions->PsidRevert = 0;

     AvalDiskActions->SecureErase = 0;

-- 
2.16.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#66296): https://edk2.groups.io/g/devel/message/66296
Mute This Topic: https://groups.io/mt/77523234/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH] SecurityPkg/OpalPassword: Secure erase is available if encryption is supported

Posted by Yao, Jiewen 3 years, 6 months ago

Reviewed-by: Jiewen Yao <Jiewen.yao@intel.com>

> -----Original Message-----
> From: Chu, Maggie <maggie.chu@intel.com>
> Sent: Thursday, October 15, 2020 3:15 PM
> To: devel@edk2.groups.io
> Cc: Chu, Maggie <maggie.chu@intel.com>; Dong, Eric <eric.dong@intel.com>;
> Wang, Jian J <jian.j.wang@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>;
> Zhang, Qi1 <qi1.zhang@intel.com>; Kumar, Rahul1 <rahul1.kumar@intel.com>
> Subject: [PATCH] SecurityPkg/OpalPassword: Secure erase is available if
> encryption is supported
> 
> From: Maggie Chu <maggie.chu@intel.com>
> 
> https://bugzilla.tianocore.org/show_bug.cgi?id=3004
> 
> Secure erase is performed by generating a new encryption key,
> this is only available if encryption is supported.
> This commit will hide "secure erase" option from setup page
> if connected device doesn't support encryption.
> 
> Signed-off-by: Maggie Chu <maggie.chu@intel.com>
> Cc: Eric Dong <eric.dong@intel.com>
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Qi Zhang <qi1.zhang@intel.com>
> Cc: Rahul Kumar <rahul1.kumar@intel.com>
> ---
>  SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
> b/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
> index b5b6aec98c..bf5e374163 100644
> --- a/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
> +++ b/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
> @@ -88,7 +88,11 @@ OpalSupportGetAvailableActions(
>      // Secure erase is performed by generating a new encryption key
> 
>      // this is only available if encryption is supported
> 
>      //
> 
> -    AvalDiskActions->SecureErase = 1;
> 
> +    if (SupportedAttributes->MediaEncryption) {
> 
> +      AvalDiskActions->SecureErase = 1;
> 
> +    } else {
> 
> +      AvalDiskActions->SecureErase = 0;
> 
> +    }
> 
>    } else {
> 
>      AvalDiskActions->PsidRevert = 0;
> 
>      AvalDiskActions->SecureErase = 0;
> 
> --
> 2.16.2.windows.1



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#66254): https://edk2.groups.io/g/devel/message/66254
Mute This Topic: https://groups.io/mt/77523234/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-