/** Check and execute the pending TPM request and Lock TPM. The TPM request may come from OS or BIOS. This API will display request information and wait for user confirmation if TPM request exists. The TPM request will be sent to TPM device after the TPM request is confirmed, and one or more reset may be required to make TPM request to take effect. At last, it will lock TPM to prevent TPM state change by malware. This API should be invoked after console in and console out are all ready as they are required to display request information and get user input to confirm the request. This API should also be invoked as early as possible as TPM is locked in this function. **/ VOID EFIAPI TcgPhysicalPresenceLibProcessRequest ( VOID ) { EFI_STATUS Status; BOOLEAN LifetimeLock; BOOLEAN CmdEnable; UINTN DataSize; EFI_PHYSICAL_PRESENCE TcgPpData; EFI_TCG_PROTOCOL *TcgProtocol; EDKII_VARIABLE_LOCK_PROTOCOL *VariableLockProtocol; UINT8 PpiFlags; Status = gBS->LocateProtocol (&gEfiTcgProtocolGuid, NULL, (VOID **)&TcgProtocol); if (EFI_ERROR (Status)) { return ; } // // Initialize physical presence flags. // DataSize = sizeof (UINT8); Status = gRT->GetVariable ( PHYSICAL_PRESENCE_FLAGS_VARIABLE, &gEfiPhysicalPresenceGuid, NULL, &DataSize, &PpiFlags ); if (EFI_ERROR (Status)) { PpiFlags = FLAG_NO_PPI_PROVISION; Status = gRT->SetVariable ( PHYSICAL_PRESENCE_FLAGS_VARIABLE, &gEfiPhysicalPresenceGuid, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, sizeof (UINT8), &PpiFlags ); if (EFI_ERROR (Status)) { DEBUG ((EFI_D_ERROR, "[TPM] Set physical presence flag failed, Status = %r\n", Status)); return ; } } DEBUG ((EFI_D_INFO, "[TPM] PpiFlags = %x\n", PpiFlags)); // // This flags variable controls whether physical presence is required for TPM command. // It should be protected from malicious software. We set it as read-only variable here. // Status = gBS->LocateProtocol (&gEdkiiVariableLockProtocolGuid, NULL, (VOID **)&VariableLockProtocol); if (!EFI_ERROR (Status)) { Status = VariableLockProtocol->RequestToLock ( VariableLockProtocol, PHYSICAL_PRESENCE_FLAGS_VARIABLE, &gEfiPhysicalPresenceGuid ); if (EFI_ERROR (Status)) { DEBUG ((EFI_D_ERROR, "[TPM] Error when lock variable %s, Status = %r\n", PHYSICAL_PRESENCE_FLAGS_VARIABLE, Status)); ASSERT_EFI_ERROR (Status); } } // // Initialize physical presence variable. // DataSize = sizeof (EFI_PHYSICAL_PRESENCE); Status = gRT->GetVariable ( PHYSICAL_PRESENCE_VARIABLE, &gEfiPhysicalPresenceGuid, NULL, &DataSize, &TcgPpData ); if (EFI_ERROR (Status)) { ZeroMem ((VOID*)&TcgPpData, sizeof (TcgPpData)); DataSize = sizeof (EFI_PHYSICAL_PRESENCE); Status = gRT->SetVariable ( PHYSICAL_PRESENCE_VARIABLE, &gEfiPhysicalPresenceGuid, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, DataSize, &TcgPpData ); if (EFI_ERROR (Status)) { DEBUG ((EFI_D_ERROR, "[TPM] Set physical presence variable failed, Status = %r\n", Status)); return; } } DEBUG ((EFI_D_INFO, "[TPM] Flags=%x, PPRequest=%x\n", PpiFlags, TcgPpData.PPRequest)); if (TcgPpData.PPRequest == PHYSICAL_PRESENCE_NO_ACTION) { // // No operation request // return; } Status = GetTpmCapability (TcgProtocol, &LifetimeLock, &CmdEnable); if (EFI_ERROR (Status)) { return ; } if (!CmdEnable) { if (LifetimeLock) { // // physicalPresenceCMDEnable is locked, can't execute physical presence command. // return ; } Status = TpmPhysicalPresence (TcgProtocol, TPM_PHYSICAL_PRESENCE_CMD_ENABLE); if (EFI_ERROR (Status)) { return ; } } // // Set operator physical presence flags // TpmPhysicalPresence (TcgProtocol, TPM_PHYSICAL_PRESENCE_PRESENT); // // Execute pending TPM request. // ExecutePendingTpmRequest (TcgProtocol, &TcgPpData, PpiFlags); DEBUG ((EFI_D_INFO, "[TPM] PPResponse = %x\n", TcgPpData.PPResponse)); // // Lock physical presence. // TpmPhysicalPresence (TcgProtocol, TPM_PHYSICAL_PRESENCE_NOTPRESENT | TPM_PHYSICAL_PRESENCE_LOCK); }
/** Check if the pending TPM request needs user input to confirm. The TPM request may come from OS. This API will check if TPM request exists and need user input to confirmation. @retval TRUE TPM needs input to confirm user physical presence. @retval FALSE TPM doesn't need input to confirm user physical presence. **/ BOOLEAN EFIAPI TcgPhysicalPresenceLibNeedUserConfirm( VOID ) { EFI_STATUS Status; EFI_PHYSICAL_PRESENCE TcgPpData; UINTN DataSize; BOOLEAN RequestConfirmed; BOOLEAN LifetimeLock; BOOLEAN CmdEnable; EFI_TCG_PROTOCOL *TcgProtocol; UINT8 PpiFlags; Status = gBS->LocateProtocol (&gEfiTcgProtocolGuid, NULL, (VOID **)&TcgProtocol); if (EFI_ERROR (Status)) { return FALSE; } // // Check Tpm requests // DataSize = sizeof (EFI_PHYSICAL_PRESENCE); Status = gRT->GetVariable ( PHYSICAL_PRESENCE_VARIABLE, &gEfiPhysicalPresenceGuid, NULL, &DataSize, &TcgPpData ); if (EFI_ERROR (Status)) { return FALSE; } DataSize = sizeof (UINT8); Status = gRT->GetVariable ( PHYSICAL_PRESENCE_FLAGS_VARIABLE, &gEfiPhysicalPresenceGuid, NULL, &DataSize, &PpiFlags ); if (EFI_ERROR (Status)) { return FALSE; } if (TcgPpData.PPRequest == PHYSICAL_PRESENCE_NO_ACTION) { // // No operation request // return FALSE; } if (!HaveValidTpmRequest(&TcgPpData, PpiFlags, &RequestConfirmed)) { // // Invalid operation request. // return FALSE; } // // Check Tpm Capability // Status = GetTpmCapability (TcgProtocol, &LifetimeLock, &CmdEnable); if (EFI_ERROR (Status)) { return FALSE; } if (!CmdEnable) { if (LifetimeLock) { // // physicalPresenceCMDEnable is locked, can't execute physical presence command. // return FALSE; } } if (!RequestConfirmed) { // // Need UI to confirm // return TRUE; } return FALSE; }
/** Check and execute the pending TPM request and Lock TPM. The TPM request may come from OS or BIOS. This API will display request information and wait for user confirmation if TPM request exists. The TPM request will be sent to TPM device after the TPM request is confirmed, and one or more reset may be required to make TPM request to take effect. At last, it will lock TPM to prevent TPM state change by malware. This API should be invoked after console in and console out are all ready as they are required to display request information and get user input to confirm the request. This API should also be invoked as early as possible as TPM is locked in this function. **/ VOID EFIAPI TcgPhysicalPresenceLibProcessRequest ( VOID ) { EFI_STATUS Status; BOOLEAN LifetimeLock; BOOLEAN CmdEnable; UINTN DataSize; EFI_PHYSICAL_PRESENCE TcgPpData; EFI_TCG_PROTOCOL *TcgProtocol; Status = gBS->LocateProtocol (&gEfiTcgProtocolGuid, NULL, (VOID **)&TcgProtocol); if (EFI_ERROR (Status)) { return ; } // // Initialize physical presence variable. // DataSize = sizeof (EFI_PHYSICAL_PRESENCE); Status = gRT->GetVariable ( PHYSICAL_PRESENCE_VARIABLE, &gEfiPhysicalPresenceGuid, NULL, &DataSize, &TcgPpData ); if (EFI_ERROR (Status)) { if (Status == EFI_NOT_FOUND) { ZeroMem ((VOID*)&TcgPpData, sizeof (TcgPpData)); TcgPpData.Flags |= FLAG_NO_PPI_PROVISION; DataSize = sizeof (EFI_PHYSICAL_PRESENCE); Status = gRT->SetVariable ( PHYSICAL_PRESENCE_VARIABLE, &gEfiPhysicalPresenceGuid, EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS, DataSize, &TcgPpData ); } ASSERT_EFI_ERROR (Status); } DEBUG ((EFI_D_INFO, "[TPM] Flags=%x, PPRequest=%x\n", TcgPpData.Flags, TcgPpData.PPRequest)); Status = GetTpmCapability (TcgProtocol, &LifetimeLock, &CmdEnable); if (EFI_ERROR (Status)) { return ; } if (!CmdEnable) { if (LifetimeLock) { // // physicalPresenceCMDEnable is locked, can't execute physical presence command. // return ; } Status = TpmPhysicalPresence (TcgProtocol, TPM_PHYSICAL_PRESENCE_CMD_ENABLE); if (EFI_ERROR (Status)) { return ; } } // // Set operator physical presence flags // TpmPhysicalPresence (TcgProtocol, TPM_PHYSICAL_PRESENCE_PRESENT); // // Execute pending TPM request. // ExecutePendingTpmRequest (TcgProtocol, &TcgPpData); DEBUG ((EFI_D_INFO, "[TPM] PPResponse = %x\n", TcgPpData.PPResponse)); // // Lock physical presence. // TpmPhysicalPresence (TcgProtocol, TPM_PHYSICAL_PRESENCE_NOTPRESENT | TPM_PHYSICAL_PRESENCE_LOCK); }