/**
Lock physical presence if needed.
@param[in] PeiServices An indirect pointer to the EFI_PEI_SERVICES table published by the PEI Foundation
@param[in] NotifyDescriptor Address of the notification descriptor data structure.
@param[in] Ppi Address of the PPI that was installed.
@retval EFI_SUCCESS Operation completed successfully.
@retval EFI_ABORTED physicalPresenceCMDEnable is locked.
@retval EFI_DEVICE_ERROR The command was unsuccessful.
**/
EFI_STATUS
EFIAPI
PhysicalPresencePpiNotifyCallback (
IN EFI_PEI_SERVICES **PeiServices,
IN EFI_PEI_NOTIFY_DESCRIPTOR *NotifyDescriptor,
IN VOID *Ppi
)
{
EFI_STATUS Status;
PEI_LOCK_PHYSICAL_PRESENCE_PPI *LockPhysicalPresencePpi;
BOOLEAN LifetimeLock;
BOOLEAN CmdEnable;
TIS_TPM_HANDLE TpmHandle;
TpmHandle = (TIS_TPM_HANDLE) (UINTN) TPM_BASE_ADDRESS;
LockPhysicalPresencePpi = (PEI_LOCK_PHYSICAL_PRESENCE_PPI *) Ppi;
if (!LockPhysicalPresencePpi->LockPhysicalPresence ((CONST EFI_PEI_SERVICES**) PeiServices)) {
return EFI_SUCCESS;
}
//
// Lock TPM physical presence.
//
Status = TpmCommGetCapability (PeiServices, TpmHandle, NULL, &LifetimeLock, &CmdEnable);
if (EFI_ERROR (Status)) {
return Status;
}
if (!CmdEnable) {
if (LifetimeLock) {
//
// physicalPresenceCMDEnable is locked, can't change.
//
return EFI_ABORTED;
}
//
// Enable physical presence command
// It is necessary in order to lock physical presence
//
Status = TpmCommPhysicalPresence (
PeiServices,
TpmHandle,
TPM_PHYSICAL_PRESENCE_CMD_ENABLE
);
if (EFI_ERROR (Status)) {
return Status;
}
}
//
// Lock physical presence
//
Status = TpmCommPhysicalPresence (
PeiServices,
TpmHandle,
TPM_PHYSICAL_PRESENCE_LOCK
);
return Status;
}
/**
Set physicalPresenceLifetimeLock, physicalPresenceHWEnable and physicalPresenceCMDEnable bit by corresponding PCDs.
And lock physical presence if needed.
@param[in] PeiServices An indirect pointer to the EFI_PEI_SERVICES table published by the PEI Foundation
@param[in] NotifyDescriptor Address of the notification descriptor data structure.
@param[in] Ppi Address of the PPI that was installed.
@retval EFI_SUCCESS Operation completed successfully.
@retval EFI_ABORTED physicalPresenceCMDEnable is locked.
@retval EFI_DEVICE_ERROR The command was unsuccessful.
**/
EFI_STATUS
EFIAPI
PhysicalPresencePpiNotifyCallback (
IN EFI_PEI_SERVICES **PeiServices,
IN EFI_PEI_NOTIFY_DESCRIPTOR *NotifyDescriptor,
IN VOID *Ppi
)
{
EFI_STATUS Status;
TPM_PERMANENT_FLAGS TpmPermanentFlags;
PEI_LOCK_PHYSICAL_PRESENCE_PPI *LockPhysicalPresencePpi;
TPM_PHYSICAL_PRESENCE PhysicalPresenceValue;
Status = Tpm12GetCapabilityFlagPermanent (&TpmPermanentFlags);
if (EFI_ERROR (Status)) {
return Status;
}
//
// 1. Set physicalPresenceLifetimeLock, physicalPresenceHWEnable and physicalPresenceCMDEnable bit by PCDs.
//
if (PcdGetBool (PcdPhysicalPresenceLifetimeLock) && !TpmPermanentFlags.physicalPresenceLifetimeLock) {
//
// Lock TPM LifetimeLock is required, and LifetimeLock is not locked yet.
//
PhysicalPresenceValue = TPM_PHYSICAL_PRESENCE_LIFETIME_LOCK;
TpmPermanentFlags.physicalPresenceLifetimeLock = TRUE;
if (PcdGetBool (PcdPhysicalPresenceCmdEnable)) {
PhysicalPresenceValue |= TPM_PHYSICAL_PRESENCE_CMD_ENABLE;
TpmPermanentFlags.physicalPresenceCMDEnable = TRUE;
} else {
PhysicalPresenceValue |= TPM_PHYSICAL_PRESENCE_CMD_DISABLE;
TpmPermanentFlags.physicalPresenceCMDEnable = FALSE;
}
if (PcdGetBool (PcdPhysicalPresenceHwEnable)) {
PhysicalPresenceValue |= TPM_PHYSICAL_PRESENCE_HW_ENABLE;
} else {
PhysicalPresenceValue |= TPM_PHYSICAL_PRESENCE_HW_DISABLE;
}
Status = Tpm12PhysicalPresence (
PhysicalPresenceValue
);
if (EFI_ERROR (Status)) {
return Status;
}
}
//
// 2. Lock physical presence if it is required.
//
LockPhysicalPresencePpi = (PEI_LOCK_PHYSICAL_PRESENCE_PPI *) Ppi;
if (!LockPhysicalPresencePpi->LockPhysicalPresence ((CONST EFI_PEI_SERVICES**) PeiServices)) {
return EFI_SUCCESS;
}
if (!TpmPermanentFlags.physicalPresenceCMDEnable) {
if (TpmPermanentFlags.physicalPresenceLifetimeLock) {
//
// physicalPresenceCMDEnable is locked, can't change.
//
return EFI_ABORTED;
}
//
// Enable physical presence command
// It is necessary in order to lock physical presence
//
Status = Tpm12PhysicalPresence (
TPM_PHYSICAL_PRESENCE_CMD_ENABLE
);
if (EFI_ERROR (Status)) {
return Status;
}
}
//
// Lock physical presence
//
Status = Tpm12PhysicalPresence (
TPM_PHYSICAL_PRESENCE_LOCK
);
return Status;
}
/**
Set physicalPresenceLifetimeLock, physicalPresenceHWEnable and physicalPresenceCMDEnable bit by corresponding PCDs.
And lock physical presence if needed.
@param[in] PeiServices An indirect pointer to the EFI_PEI_SERVICES table published by the PEI Foundation
@param[in] NotifyDescriptor Address of the notification descriptor data structure.
@param[in] Ppi Address of the PPI that was installed.
@retval EFI_SUCCESS Operation completed successfully.
@retval EFI_ABORTED physicalPresenceCMDEnable is locked.
@retval EFI_DEVICE_ERROR The command was unsuccessful.
**/
EFI_STATUS
EFIAPI
PhysicalPresencePpiNotifyCallback (
IN EFI_PEI_SERVICES **PeiServices,
IN EFI_PEI_NOTIFY_DESCRIPTOR *NotifyDescriptor,
IN VOID *Ppi
)
{
EFI_STATUS Status;
PEI_LOCK_PHYSICAL_PRESENCE_PPI *LockPhysicalPresencePpi;
BOOLEAN LifetimeLock;
BOOLEAN CmdEnable;
TIS_TPM_HANDLE TpmHandle;
TPM_PHYSICAL_PRESENCE PhysicalPresenceValue;
TpmHandle = (TIS_TPM_HANDLE) (UINTN) TPM_BASE_ADDRESS;
Status = TpmCommGetCapability (PeiServices, TpmHandle, NULL, &LifetimeLock, &CmdEnable);
if (EFI_ERROR (Status)) {
return Status;
}
//
// 1. Set physicalPresenceLifetimeLock, physicalPresenceHWEnable and physicalPresenceCMDEnable bit by PCDs.
//
if (PcdGetBool (PcdPhysicalPresenceLifetimeLock) && !LifetimeLock) {
//
// Lock TPM LifetimeLock is required, and LifetimeLock is not locked yet.
//
PhysicalPresenceValue = TPM_PHYSICAL_PRESENCE_LIFETIME_LOCK;
if (PcdGetBool (PcdPhysicalPresenceCmdEnable)) {
PhysicalPresenceValue |= TPM_PHYSICAL_PRESENCE_CMD_ENABLE;
CmdEnable = TRUE;
} else {
PhysicalPresenceValue |= TPM_PHYSICAL_PRESENCE_CMD_DISABLE;
CmdEnable = FALSE;
}
if (PcdGetBool (PcdPhysicalPresenceHwEnable)) {
PhysicalPresenceValue |= TPM_PHYSICAL_PRESENCE_HW_ENABLE;
} else {
PhysicalPresenceValue |= TPM_PHYSICAL_PRESENCE_HW_DISABLE;
}
Status = TpmCommPhysicalPresence (
PeiServices,
TpmHandle,
PhysicalPresenceValue
);
if (EFI_ERROR (Status)) {
return Status;
}
}
//
// 2. Lock physical presence if it is required.
//
LockPhysicalPresencePpi = (PEI_LOCK_PHYSICAL_PRESENCE_PPI *) Ppi;
if (!LockPhysicalPresencePpi->LockPhysicalPresence ((CONST EFI_PEI_SERVICES**) PeiServices)) {
return EFI_SUCCESS;
}
if (!CmdEnable) {
if (LifetimeLock) {
//
// physicalPresenceCMDEnable is locked, can't change.
//
return EFI_ABORTED;
}
//
// Enable physical presence command
// It is necessary in order to lock physical presence
//
Status = TpmCommPhysicalPresence (
PeiServices,
TpmHandle,
TPM_PHYSICAL_PRESENCE_CMD_ENABLE
);
if (EFI_ERROR (Status)) {
return Status;
}
}
//
// Lock physical presence
//
Status = TpmCommPhysicalPresence (
PeiServices,
TpmHandle,
TPM_PHYSICAL_PRESENCE_LOCK
);
return Status;
}
