/** @file | |
Public API for Opal Core library. | |
Copyright (c) 2016 - 2018, Intel Corporation. All rights reserved.<BR> | |
SPDX-License-Identifier: BSD-2-Clause-Patent | |
**/ | |
#include <Uefi.h> | |
#include <Library/BaseLib.h> | |
#include <Library/DebugLib.h> | |
#include <Library/TcgStorageOpalLib.h> | |
#include "TcgStorageOpalLibInternal.h" | |
#define OPAL_MSID_LENGTH 128 | |
/** | |
Creates a session with OPAL_UID_ADMIN_SP as OPAL_ADMIN_SP_PSID_AUTHORITY, then reverts device using Admin SP Revert method. | |
@param[in] Session, The session info for one opal device. | |
@param[in] Psid PSID of device to revert. | |
@param[in] PsidLength Length of PSID in bytes. | |
**/ | |
TCG_RESULT | |
EFIAPI | |
OpalUtilPsidRevert ( | |
OPAL_SESSION *Session, | |
const VOID *Psid, | |
UINT32 PsidLength | |
) | |
{ | |
UINT8 MethodStatus; | |
TCG_RESULT Ret; | |
UINT32 RemovalTimeOut; | |
NULL_CHECK (Session); | |
NULL_CHECK (Psid); | |
RemovalTimeOut = GetRevertTimeOut (Session); | |
DEBUG ((DEBUG_INFO, "OpalUtilPsidRevert: Timeout value = %d\n", RemovalTimeOut)); | |
Ret = OpalStartSession ( | |
Session, | |
OPAL_UID_ADMIN_SP, | |
TRUE, | |
PsidLength, | |
Psid, | |
OPAL_ADMIN_SP_PSID_AUTHORITY, | |
&MethodStatus | |
); | |
if ((Ret == TcgResultSuccess) && (MethodStatus == TCG_METHOD_STATUS_CODE_SUCCESS)) { | |
Ret = OpalPyrite2PsidRevert (Session, RemovalTimeOut); | |
if (Ret != TcgResultSuccess) { | |
// | |
// If revert was successful, session was already ended by TPer, so only end session on failure | |
// | |
OpalEndSession (Session); | |
} | |
} | |
if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) { | |
Ret = TcgResultFailure; | |
} | |
return Ret; | |
} | |
/** | |
Opens a session with OPAL_UID_ADMIN_SP as OPAL_ADMIN_SP_SID_AUTHORITY, | |
sets the OPAL_UID_ADMIN_SP_C_PIN_SID column with the new password, | |
and activates the locking SP to copy SID PIN to Admin1 Locking SP PIN | |
@param[in] Session, The session info for one opal device. | |
@param[in] GeneratedSid Generated SID of disk | |
@param[in] SidLength Length of generatedSid in bytes | |
@param[in] Password New admin password to set | |
@param[in] PassLength Length of password in bytes | |
**/ | |
TCG_RESULT | |
EFIAPI | |
OpalUtilSetAdminPasswordAsSid ( | |
OPAL_SESSION *Session, | |
const VOID *GeneratedSid, | |
UINT32 SidLength, | |
const VOID *Password, | |
UINT32 PassLength | |
) | |
{ | |
UINT8 MethodStatus; | |
TCG_RESULT Ret; | |
NULL_CHECK (Session); | |
NULL_CHECK (GeneratedSid); | |
NULL_CHECK (Password); | |
Ret = OpalStartSession ( | |
Session, | |
OPAL_UID_ADMIN_SP, | |
TRUE, | |
SidLength, | |
GeneratedSid, | |
OPAL_ADMIN_SP_SID_AUTHORITY, | |
&MethodStatus | |
); | |
if ((Ret != TcgResultSuccess) || (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS)) { | |
DEBUG ((DEBUG_INFO, "start session with admin SP as SID authority failed: Ret=%d MethodStatus=%u\n", Ret, MethodStatus)); | |
goto done; | |
} | |
// | |
// 1. Update SID = new Password | |
// | |
Ret = OpalSetPassword ( | |
Session, | |
OPAL_UID_ADMIN_SP_C_PIN_SID, | |
Password, | |
PassLength, | |
&MethodStatus | |
); | |
if ((Ret != TcgResultSuccess) || (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS)) { | |
OpalEndSession (Session); | |
DEBUG ((DEBUG_INFO, "set Password failed: Ret=%d MethodStatus=%u\n", Ret, MethodStatus)); | |
goto done; | |
} | |
// | |
// 2. Activate locking SP | |
// | |
Ret = OpalActivateLockingSp (Session, &MethodStatus); | |
OpalEndSession (Session); | |
if ((Ret != TcgResultSuccess) || (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS)) { | |
DEBUG ((DEBUG_INFO, "activate locking SP failed: Ret=%d MethodStatus=%u\n", Ret, MethodStatus)); | |
goto done; | |
} | |
done: | |
if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) { | |
Ret = TcgResultFailure; | |
} | |
return Ret; | |
} | |
/** | |
Opens a session with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_ADMIN1_AUTHORITY, | |
and updates the specified locking range with the provided column values | |
@param[in] Session, The session info for one opal device. | |
@param[in] Password New admin password to set | |
@param[in] PassLength Length of password in bytes | |
@param[in] LockingRangeUid Locking range UID to set values | |
@param[in] RangeStart Value to set RangeStart column for Locking Range | |
@param[in] RangeLength Value to set RangeLength column for Locking Range | |
@param[in] ReadLockEnabled Value to set readLockEnabled column for Locking Range | |
@param[in] WriteLockEnabled Value to set writeLockEnabled column for Locking Range | |
@param[in] ReadLocked Value to set ReadLocked column for Locking Range | |
@param[in] WriteLocked Value to set WriteLocked column for Locking Range | |
**/ | |
TCG_RESULT | |
EFIAPI | |
OpalUtilSetOpalLockingRange ( | |
OPAL_SESSION *Session, | |
const VOID *Password, | |
UINT32 PassLength, | |
TCG_UID LockingRangeUid, | |
UINT64 RangeStart, | |
UINT64 RangeLength, | |
BOOLEAN ReadLockEnabled, | |
BOOLEAN WriteLockEnabled, | |
BOOLEAN ReadLocked, | |
BOOLEAN WriteLocked | |
) | |
{ | |
UINT8 MethodStatus; | |
TCG_RESULT Ret; | |
NULL_CHECK (Session); | |
NULL_CHECK (Password); | |
// | |
// Start session with Locking SP using current admin Password | |
// | |
Ret = OpalStartSession ( | |
Session, | |
OPAL_UID_LOCKING_SP, | |
TRUE, | |
PassLength, | |
Password, | |
OPAL_LOCKING_SP_ADMIN1_AUTHORITY, | |
&MethodStatus | |
); | |
if ((Ret != TcgResultSuccess) || (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS)) { | |
DEBUG ((DEBUG_INFO, "start session with locking SP failed: Ret=%d MethodStatus=%u\n", Ret, MethodStatus)); | |
goto done; | |
} | |
// | |
// Enable locking range | |
// | |
Ret = OpalSetLockingRange ( | |
Session, | |
LockingRangeUid, | |
RangeStart, | |
RangeLength, | |
ReadLockEnabled, | |
WriteLockEnabled, | |
ReadLocked, | |
WriteLocked, | |
&MethodStatus | |
); | |
OpalEndSession (Session); | |
if ((Ret != TcgResultSuccess) || (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS)) { | |
DEBUG ((DEBUG_INFO, "set locking range failed: Ret=%d MethodStatus=0x%x\n", Ret, MethodStatus)); | |
} | |
done: | |
if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) { | |
Ret = TcgResultFailure; | |
} | |
return Ret; | |
} | |
/** | |
Opens a session with OPAL_UID_ADMIN_SP as OPAL_ADMIN_SP_SID_AUTHORITY, | |
sets OPAL_UID_ADMIN_SP_C_PIN_SID with the new password, | |
and sets OPAL_LOCKING_SP_C_PIN_ADMIN1 with the new password. | |
@param[in] Session, The session info for one opal device. | |
@param[in] OldPassword Current admin password | |
@param[in] OldPasswordLength Length of current admin password in bytes | |
@param[in] NewPassword New admin password to set | |
@param[in] NewPasswordLength Length of new password in bytes | |
**/ | |
TCG_RESULT | |
EFIAPI | |
OpalUtilSetAdminPassword ( | |
OPAL_SESSION *Session, | |
const VOID *OldPassword, | |
UINT32 OldPasswordLength, | |
const VOID *NewPassword, | |
UINT32 NewPasswordLength | |
) | |
{ | |
TCG_RESULT Ret; | |
UINT8 MethodStatus; | |
NULL_CHECK (Session); | |
NULL_CHECK (OldPassword); | |
NULL_CHECK (NewPassword); | |
// | |
// Unknown ownership | |
// | |
Ret = OpalStartSession ( | |
Session, | |
OPAL_UID_ADMIN_SP, | |
TRUE, | |
OldPasswordLength, | |
OldPassword, | |
OPAL_ADMIN_SP_SID_AUTHORITY, | |
&MethodStatus | |
); | |
if ((Ret != TcgResultSuccess) || (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS)) { | |
DEBUG ((DEBUG_INFO, "start session with admin SP using old Password failed\n")); | |
goto done; | |
} | |
// | |
// Update SID = new pw | |
// | |
Ret = OpalSetPassword (Session, OPAL_UID_ADMIN_SP_C_PIN_SID, NewPassword, NewPasswordLength, &MethodStatus); | |
OpalEndSession (Session); | |
if ((Ret != TcgResultSuccess) || (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS)) { | |
DEBUG ((DEBUG_INFO, "set new admin SP Password failed\n")); | |
goto done; | |
} | |
Ret = OpalStartSession ( | |
Session, | |
OPAL_UID_LOCKING_SP, | |
TRUE, | |
OldPasswordLength, | |
OldPassword, | |
OPAL_LOCKING_SP_ADMIN1_AUTHORITY, | |
&MethodStatus | |
); | |
if ((Ret != TcgResultSuccess) || (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS)) { | |
DEBUG ((DEBUG_INFO, "start session with locking SP using old Password failed\n")); | |
goto done; | |
} | |
// | |
// Update admin locking SP to new pw | |
// | |
Ret = OpalSetPassword (Session, OPAL_LOCKING_SP_C_PIN_ADMIN1, NewPassword, NewPasswordLength, &MethodStatus); | |
OpalEndSession (Session); | |
if ((Ret != TcgResultSuccess) || (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS)) { | |
DEBUG ((DEBUG_INFO, "set new locking SP Password failed\n")); | |
goto done; | |
} | |
done: | |
if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) { | |
Ret = TcgResultFailure; | |
} | |
return Ret; | |
} | |
/** | |
Starts a session with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_USER1_AUTHORITY or OPAL_LOCKING_SP_ADMIN1_AUTHORITY | |
and sets the User1 SP authority to enabled and sets the User1 password. | |
@param[in] Session, The session info for one opal device. | |
@param[in] OldPassword Current admin password | |
@param[in] OldPasswordLength Length of current admin password in bytes | |
@param[in] NewPassword New admin password to set | |
@param[in] NewPasswordLength Length of new password in bytes | |
**/ | |
TCG_RESULT | |
EFIAPI | |
OpalUtilSetUserPassword ( | |
OPAL_SESSION *Session, | |
const VOID *OldPassword, | |
UINT32 OldPasswordLength, | |
const VOID *NewPassword, | |
UINT32 NewPasswordLength | |
) | |
{ | |
UINT8 MethodStatus; | |
TCG_RESULT Ret; | |
NULL_CHECK (Session); | |
NULL_CHECK (OldPassword); | |
NULL_CHECK (NewPassword); | |
// | |
// See if updating user1 authority | |
// | |
Ret = OpalStartSession ( | |
Session, | |
OPAL_UID_LOCKING_SP, | |
TRUE, | |
OldPasswordLength, | |
OldPassword, | |
OPAL_LOCKING_SP_USER1_AUTHORITY, | |
&MethodStatus | |
); | |
if ((Ret == TcgResultSuccess) && (MethodStatus == TCG_METHOD_STATUS_CODE_SUCCESS)) { | |
Ret = OpalSetPassword ( | |
Session, | |
OPAL_LOCKING_SP_C_PIN_USER1, | |
NewPassword, | |
NewPasswordLength, | |
&MethodStatus | |
); | |
OpalEndSession (Session); | |
if ((Ret == TcgResultSuccess) && (MethodStatus == TCG_METHOD_STATUS_CODE_SUCCESS)) { | |
return Ret; | |
} | |
} | |
// | |
// Setting Password for first time or setting Password as admin | |
// | |
// | |
// Start session with Locking SP using current admin Password | |
// | |
Ret = OpalStartSession ( | |
Session, | |
OPAL_UID_LOCKING_SP, | |
TRUE, | |
OldPasswordLength, | |
OldPassword, | |
OPAL_LOCKING_SP_ADMIN1_AUTHORITY, | |
&MethodStatus | |
); | |
if ((Ret != TcgResultSuccess) || (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS)) { | |
DEBUG ((DEBUG_INFO, "StartSession with locking SP as admin1 authority failed\n")); | |
goto done; | |
} | |
// | |
// Enable User1 and set its PIN | |
// | |
Ret = OpalSetLockingSpAuthorityEnabledAndPin ( | |
Session, | |
OPAL_LOCKING_SP_C_PIN_USER1, | |
OPAL_LOCKING_SP_USER1_AUTHORITY, | |
NewPassword, | |
NewPasswordLength, | |
&MethodStatus | |
); | |
OpalEndSession (Session); | |
if ((Ret != TcgResultSuccess) || (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS)) { | |
DEBUG ((DEBUG_INFO, "OpalSetLockingSpAuthorityEnabledAndPin failed\n")); | |
goto done; | |
} | |
done: | |
if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) { | |
Ret = TcgResultFailure; | |
} | |
return Ret; | |
} | |
/** | |
Verify whether user input the correct password. | |
@param[in] Session, The session info for one opal device. | |
@param[in] Password Admin password | |
@param[in] PasswordLength Length of password in bytes | |
@param[in/out] HostSigningAuthority Use the Host signing authority type. | |
**/ | |
TCG_RESULT | |
EFIAPI | |
OpalUtilVerifyPassword ( | |
OPAL_SESSION *Session, | |
const VOID *Password, | |
UINT32 PasswordLength, | |
TCG_UID HostSigningAuthority | |
) | |
{ | |
TCG_RESULT Ret; | |
UINT8 MethodStatus; | |
NULL_CHECK (Session); | |
NULL_CHECK (Password); | |
Ret = OpalStartSession ( | |
Session, | |
OPAL_UID_LOCKING_SP, | |
TRUE, | |
PasswordLength, | |
Password, | |
HostSigningAuthority, | |
&MethodStatus | |
); | |
if ((Ret == TcgResultSuccess) && (MethodStatus == TCG_METHOD_STATUS_CODE_SUCCESS)) { | |
OpalEndSession (Session); | |
return TcgResultSuccess; | |
} | |
return TcgResultFailure; | |
} | |
/** | |
Starts a session with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_USER1_AUTHORITY or OPAL_LOCKING_SP_ADMIN1_AUTHORITY | |
and generates a new global locking range key to erase the Data. | |
@param[in] Session, The session info for one opal device. | |
@param[in] Password Admin or user password | |
@param[in] PasswordLength Length of password in bytes | |
@param[in/out] PasswordFailed indicates if password failed (start session didn't work) | |
**/ | |
TCG_RESULT | |
EFIAPI | |
OpalUtilSecureErase ( | |
OPAL_SESSION *Session, | |
const VOID *Password, | |
UINT32 PasswordLength, | |
BOOLEAN *PasswordFailed | |
) | |
{ | |
UINT8 MethodStatus; | |
TCG_RESULT Ret; | |
NULL_CHECK (Session); | |
NULL_CHECK (Password); | |
NULL_CHECK (PasswordFailed); | |
// | |
// Try to generate a new key with admin1 | |
// | |
Ret = OpalStartSession ( | |
Session, | |
OPAL_UID_LOCKING_SP, | |
TRUE, | |
PasswordLength, | |
Password, | |
OPAL_LOCKING_SP_ADMIN1_AUTHORITY, | |
&MethodStatus | |
); | |
if ((Ret == TcgResultSuccess) && (MethodStatus == TCG_METHOD_STATUS_CODE_SUCCESS)) { | |
Ret = OpalGlobalLockingRangeGenKey (Session, &MethodStatus); | |
*PasswordFailed = FALSE; | |
OpalEndSession (Session); | |
} else { | |
// | |
// Try to generate a new key with user1 | |
// | |
Ret = OpalStartSession ( | |
Session, | |
OPAL_UID_LOCKING_SP, | |
TRUE, | |
PasswordLength, | |
Password, | |
OPAL_LOCKING_SP_USER1_AUTHORITY, | |
&MethodStatus | |
); | |
if ((Ret == TcgResultSuccess) && (MethodStatus == TCG_METHOD_STATUS_CODE_SUCCESS)) { | |
Ret = OpalGlobalLockingRangeGenKey (Session, &MethodStatus); | |
*PasswordFailed = FALSE; | |
OpalEndSession (Session); | |
} else { | |
*PasswordFailed = TRUE; | |
} | |
} | |
if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) { | |
Ret = TcgResultFailure; | |
} | |
return Ret; | |
} | |
/** | |
Starts a session with OPAL_UID_LOCKING_SP as OPAL_LOCKING_SP_ADMIN1_AUTHORITY and disables the User1 authority. | |
@param[in] Session, The session info for one opal device. | |
@param[in] Password Admin password | |
@param[in] PasswordLength Length of password in bytes | |
@param[in/out] PasswordFailed indicates if password failed (start session didn't work) | |
**/ | |
TCG_RESULT | |
EFIAPI | |
OpalUtilDisableUser ( | |
OPAL_SESSION *Session, | |
const VOID *Password, | |
UINT32 PasswordLength, | |
BOOLEAN *PasswordFailed | |
) | |
{ | |
UINT8 MethodStatus; | |
TCG_RESULT Ret; | |
NULL_CHECK (Session); | |
NULL_CHECK (Password); | |
NULL_CHECK (PasswordFailed); | |
// | |
// Start session with Locking SP using current admin Password | |
// | |
Ret = OpalStartSession ( | |
Session, | |
OPAL_UID_LOCKING_SP, | |
TRUE, | |
PasswordLength, | |
Password, | |
OPAL_LOCKING_SP_ADMIN1_AUTHORITY, | |
&MethodStatus | |
); | |
if ((Ret != TcgResultSuccess) || (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS)) { | |
DEBUG ((DEBUG_INFO, "StartSession with Locking SP as Admin1 failed\n")); | |
*PasswordFailed = TRUE; | |
goto done; | |
} | |
*PasswordFailed = FALSE; | |
Ret = OpalDisableUser (Session, &MethodStatus); | |
OpalEndSession (Session); | |
done: | |
if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) { | |
Ret = TcgResultFailure; | |
} | |
return Ret; | |
} | |
/** | |
Opens a session with OPAL_UID_ADMIN_SP as OPAL_ADMIN_SP_PSID_AUTHORITY, then reverts the device using the RevertSP method. | |
@param[in] Session, The session info for one opal device. | |
@param[in] KeepUserData TRUE to keep existing Data on the disk, or FALSE to erase it | |
@param[in] Password Admin password | |
@param[in] PasswordLength Length of password in bytes | |
@param[in/out] PasswordFailed indicates if password failed (start session didn't work) | |
@param[in] Msid Msid info. | |
@param[in] MsidLength Msid data length. | |
**/ | |
TCG_RESULT | |
EFIAPI | |
OpalUtilRevert ( | |
OPAL_SESSION *Session, | |
BOOLEAN KeepUserData, | |
const VOID *Password, | |
UINT32 PasswordLength, | |
BOOLEAN *PasswordFailed, | |
UINT8 *Msid, | |
UINT32 MsidLength | |
) | |
{ | |
UINT8 MethodStatus; | |
TCG_RESULT Ret; | |
UINT32 RemovalTimeOut; | |
NULL_CHECK (Session); | |
NULL_CHECK (Msid); | |
NULL_CHECK (Password); | |
NULL_CHECK (PasswordFailed); | |
RemovalTimeOut = GetRevertTimeOut (Session); | |
DEBUG ((DEBUG_INFO, "OpalUtilRevert: Timeout value = %d\n", RemovalTimeOut)); | |
Ret = OpalStartSession ( | |
Session, | |
OPAL_UID_LOCKING_SP, | |
TRUE, | |
PasswordLength, | |
Password, | |
OPAL_LOCKING_SP_ADMIN1_AUTHORITY, | |
&MethodStatus | |
); | |
if ((Ret != TcgResultSuccess) || (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS)) { | |
DEBUG ((DEBUG_INFO, "error starting session: Ret=%d, MethodStatus=%u\n", Ret, MethodStatus)); | |
*PasswordFailed = TRUE; | |
goto done; | |
} | |
*PasswordFailed = FALSE; | |
// | |
// Try to revert with admin1 | |
// | |
Ret = OpalPyrite2AdminRevert (Session, KeepUserData, &MethodStatus, RemovalTimeOut); | |
if ((Ret != TcgResultSuccess) || (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS)) { | |
// | |
// Device ends the session on successful revert, so only call OpalEndSession when fail. | |
// | |
DEBUG ((DEBUG_INFO, "OpalAdminRevert as admin failed\n")); | |
OpalEndSession (Session); | |
} | |
Ret = OpalUtilSetSIDtoMSID (Session, Password, PasswordLength, Msid, MsidLength); | |
done: | |
if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) { | |
Ret = TcgResultFailure; | |
} | |
return Ret; | |
} | |
/** | |
After revert success, set SID to MSID. | |
@param Session, The session info for one opal device. | |
@param Password, Input password info. | |
@param PasswordLength, Input password length. | |
@param Msid Msid info. | |
@param MsidLength Msid data length. | |
**/ | |
TCG_RESULT | |
EFIAPI | |
OpalUtilSetSIDtoMSID ( | |
OPAL_SESSION *Session, | |
const VOID *Password, | |
UINT32 PasswordLength, | |
UINT8 *Msid, | |
UINT32 MsidLength | |
) | |
{ | |
TCG_RESULT Ret; | |
UINT8 MethodStatus; | |
NULL_CHECK (Session); | |
NULL_CHECK (Msid); | |
NULL_CHECK (Password); | |
// | |
// Start session with admin sp to update SID to MSID | |
// | |
Ret = OpalStartSession ( | |
Session, | |
OPAL_UID_ADMIN_SP, | |
TRUE, | |
PasswordLength, | |
Password, | |
OPAL_ADMIN_SP_SID_AUTHORITY, | |
&MethodStatus | |
); | |
if ((Ret != TcgResultSuccess) || (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS)) { | |
goto done; | |
} | |
// | |
// Update SID pin | |
// | |
Ret = OpalSetPassword (Session, OPAL_UID_ADMIN_SP_C_PIN_SID, Msid, MsidLength, &MethodStatus); | |
OpalEndSession (Session); | |
done: | |
if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) { | |
Ret = TcgResultFailure; | |
} | |
return Ret; | |
} | |
/** | |
Update global locking range. | |
@param Session, The session info for one opal device. | |
@param Password, Input password info. | |
@param PasswordLength, Input password length. | |
@param ReadLocked, Read lock info. | |
@param WriteLocked write lock info. | |
**/ | |
TCG_RESULT | |
EFIAPI | |
OpalUtilUpdateGlobalLockingRange ( | |
OPAL_SESSION *Session, | |
const VOID *Password, | |
UINT32 PasswordLength, | |
BOOLEAN ReadLocked, | |
BOOLEAN WriteLocked | |
) | |
{ | |
UINT8 MethodStatus; | |
TCG_RESULT Ret; | |
NULL_CHECK (Session); | |
NULL_CHECK (Password); | |
// | |
// Try to start session with Locking SP as admin1 authority | |
// | |
Ret = OpalStartSession ( | |
Session, | |
OPAL_UID_LOCKING_SP, | |
TRUE, | |
PasswordLength, | |
Password, | |
OPAL_LOCKING_SP_ADMIN1_AUTHORITY, | |
&MethodStatus | |
); | |
if ((Ret == TcgResultSuccess) && (MethodStatus == TCG_METHOD_STATUS_CODE_SUCCESS)) { | |
Ret = OpalUpdateGlobalLockingRange ( | |
Session, | |
ReadLocked, | |
WriteLocked, | |
&MethodStatus | |
); | |
OpalEndSession (Session); | |
if ((Ret == TcgResultSuccess) && (MethodStatus == TCG_METHOD_STATUS_CODE_SUCCESS)) { | |
goto done; | |
} | |
} | |
if (MethodStatus == TCG_METHOD_STATUS_CODE_AUTHORITY_LOCKED_OUT) { | |
DEBUG ((DEBUG_INFO, "unlock as admin failed with AUTHORITY_LOCKED_OUT\n")); | |
} | |
// | |
// Try user1 authority | |
// | |
Ret = OpalStartSession ( | |
Session, | |
OPAL_UID_LOCKING_SP, | |
TRUE, | |
PasswordLength, | |
Password, | |
OPAL_LOCKING_SP_USER1_AUTHORITY, | |
&MethodStatus | |
); | |
if ((Ret != TcgResultSuccess) || (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS)) { | |
DEBUG ((DEBUG_INFO, "StartSession with Locking SP as User1 failed\n")); | |
goto done; | |
} | |
Ret = OpalUpdateGlobalLockingRange (Session, ReadLocked, WriteLocked, &MethodStatus); | |
OpalEndSession (Session); | |
done: | |
if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) { | |
if (MethodStatus == TCG_METHOD_STATUS_CODE_AUTHORITY_LOCKED_OUT) { | |
// | |
// Caller need to know this special error, but return status not has type for it. | |
// so here use TcgResultFailureInvalidType as an replacement. | |
// | |
Ret = TcgResultFailureInvalidType; | |
} else { | |
Ret = TcgResultFailure; | |
} | |
} | |
return Ret; | |
} | |
/** | |
Update global locking range. | |
@param Session, The session info for one opal device. | |
@param Msid, The data buffer to save Msid info. | |
@param MsidBufferLength, The data buffer length for Msid. | |
@param MsidLength, The actual data length for Msid. | |
**/ | |
TCG_RESULT | |
EFIAPI | |
OpalUtilGetMsid ( | |
OPAL_SESSION *Session, | |
UINT8 *Msid, | |
UINT32 MsidBufferLength, | |
UINT32 *MsidLength | |
) | |
{ | |
UINT8 MethodStatus; | |
TCG_RESULT Ret; | |
NULL_CHECK (Session); | |
NULL_CHECK (Msid); | |
NULL_CHECK (MsidLength); | |
Ret = OpalStartSession ( | |
Session, | |
OPAL_UID_ADMIN_SP, | |
TRUE, | |
0, | |
NULL, | |
TCG_UID_NULL, | |
&MethodStatus | |
); | |
if ((Ret == TcgResultSuccess) && (MethodStatus == TCG_METHOD_STATUS_CODE_SUCCESS)) { | |
Ret = OpalGetMsid (Session, MsidBufferLength, Msid, MsidLength); | |
OpalEndSession (Session); | |
} | |
if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) { | |
Ret = TcgResultFailure; | |
} | |
return Ret; | |
} | |
/** | |
The function determines who owns the device by attempting to start a session with different credentials. | |
If the SID PIN matches the MSID PIN, the no one owns the device. | |
If the SID PIN matches the ourSidPin, then "Us" owns the device. Otherwise it is unknown. | |
@param[in] Session The session info for one opal device. | |
@param Msid, The Msid info. | |
@param MsidLength, The data length for Msid. | |
**/ | |
OPAL_OWNER_SHIP | |
EFIAPI | |
OpalUtilDetermineOwnership ( | |
OPAL_SESSION *Session, | |
UINT8 *Msid, | |
UINT32 MsidLength | |
) | |
{ | |
UINT8 MethodStatus; | |
TCG_RESULT Ret; | |
OPAL_OWNER_SHIP Owner; | |
if ((Session == NULL) || (Msid == NULL)) { | |
return OpalOwnershipUnknown; | |
} | |
Owner = OpalOwnershipUnknown; | |
// | |
// Start Session as SID_UID with ADMIN_SP using MSID PIN | |
// | |
Ret = OpalStartSession ( | |
Session, | |
OPAL_UID_ADMIN_SP, | |
TRUE, | |
MsidLength, | |
Msid, | |
OPAL_ADMIN_SP_SID_AUTHORITY, | |
&MethodStatus | |
); | |
if ((Ret == TcgResultSuccess) && (MethodStatus == TCG_METHOD_STATUS_CODE_SUCCESS)) { | |
// | |
// now we know that SID PIN == MSID PIN | |
// | |
Owner = OpalOwnershipNobody; | |
OpalEndSession (Session); | |
} | |
return Owner; | |
} | |
/** | |
The function returns if admin password exists. | |
@param[in] OwnerShip The owner ship of the opal device. | |
@param[in] LockingFeature The locking info of the opal device. | |
@retval TRUE Admin password existed. | |
@retval FALSE Admin password not existed. | |
**/ | |
BOOLEAN | |
EFIAPI | |
OpalUtilAdminPasswordExists ( | |
IN UINT16 OwnerShip, | |
IN TCG_LOCKING_FEATURE_DESCRIPTOR *LockingFeature | |
) | |
{ | |
NULL_CHECK (LockingFeature); | |
// if it is Unknown who owns the device | |
// then someone has set password previously through our UI | |
// because the SID would no longer match the generated SID (ownership us) | |
// or someone has set password using 3rd party software | |
// | |
// Locking sp enabled is checked b/c it must be enabled to change the PIN of the Admin1. | |
// | |
return (OwnerShip == OpalOwnershipUnknown && LockingFeature->LockingEnabled); | |
} | |
/** | |
Get Active Data Removal Mechanism Value. | |
@param[in] Session The session info for one opal device. | |
@param[in] GeneratedSid Generated SID of disk | |
@param[in] SidLength Length of generatedSid in bytes | |
@param[out] ActiveDataRemovalMechanism Return the active data removal mechanism. | |
**/ | |
TCG_RESULT | |
EFIAPI | |
OpalUtilGetActiveDataRemovalMechanism ( | |
OPAL_SESSION *Session, | |
const VOID *GeneratedSid, | |
UINT32 SidLength, | |
UINT8 *ActiveDataRemovalMechanism | |
) | |
{ | |
TCG_RESULT Ret; | |
UINT8 MethodStatus; | |
NULL_CHECK (Session); | |
NULL_CHECK (GeneratedSid); | |
NULL_CHECK (ActiveDataRemovalMechanism); | |
Ret = OpalStartSession ( | |
Session, | |
OPAL_UID_ADMIN_SP, | |
TRUE, | |
SidLength, | |
GeneratedSid, | |
OPAL_ADMIN_SP_ANYBODY_AUTHORITY, | |
&MethodStatus | |
); | |
if ((Ret != TcgResultSuccess) || (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS)) { | |
DEBUG ((DEBUG_INFO, "Start session with admin SP as SID authority failed: Ret=%d MethodStatus=%u\n", Ret, MethodStatus)); | |
if (MethodStatus != TCG_METHOD_STATUS_CODE_SUCCESS) { | |
Ret = TcgResultFailure; | |
} | |
return Ret; | |
} | |
Ret = OpalPyrite2GetActiveDataRemovalMechanism ( | |
Session, | |
ActiveDataRemovalMechanism | |
); | |
if (Ret != TcgResultSuccess) { | |
DEBUG ((DEBUG_INFO, "Pyrite2 Get Active Data Removal Mechanism failed: Ret=%d\n", Ret)); | |
} | |
OpalEndSession (Session); | |
return Ret; | |
} | |
/** | |
Calculate the estimated time. | |
@param[in] IsMinute Whether the input time value is minute type or second type. | |
@param[in] Time The input time value. | |
**/ | |
UINT32 | |
CalculateDataRemovalTime ( | |
IN BOOLEAN IsMinute, | |
IN UINT16 Time | |
) | |
{ | |
if (IsMinute) { | |
return Time * 2 * 60; | |
} else { | |
return Time * 2; | |
} | |
} | |
/** | |
Return the estimated time for specific type. | |
@param[in] Index The input data removal type. | |
@param[in] Descriptor DATA_REMOVAL_FEATURE_DESCRIPTOR | |
**/ | |
UINT32 | |
GetDataRemovalTime ( | |
IN UINT8 Index, | |
IN DATA_REMOVAL_FEATURE_DESCRIPTOR *Descriptor | |
) | |
{ | |
switch (Index) { | |
case OverwriteDataErase: | |
return CalculateDataRemovalTime (Descriptor->FormatBit0, SwapBytes16 (Descriptor->TimeBit0)); | |
case BlockErase: | |
return CalculateDataRemovalTime (Descriptor->FormatBit1, SwapBytes16 (Descriptor->TimeBit1)); | |
case CryptoErase: | |
return CalculateDataRemovalTime (Descriptor->FormatBit2, SwapBytes16 (Descriptor->TimeBit2)); | |
case Unmap: | |
return CalculateDataRemovalTime (Descriptor->FormatBit3, SwapBytes16 (Descriptor->TimeBit3)); | |
case ResetWritePointers: | |
return CalculateDataRemovalTime (Descriptor->FormatBit4, SwapBytes16 (Descriptor->TimeBit4)); | |
case VendorSpecificErase: | |
return CalculateDataRemovalTime (Descriptor->FormatBit5, SwapBytes16 (Descriptor->TimeBit5)); | |
default: | |
return 0; | |
} | |
} | |
/** | |
Get the supported Data Removal Mechanism list. | |
@param[in] Session The session info for one opal device. | |
@param[out] RemovalMechanismLists Return the supported data removal mechanism lists. | |
**/ | |
TCG_RESULT | |
EFIAPI | |
OpalUtilGetDataRemovalMechanismLists ( | |
IN OPAL_SESSION *Session, | |
OUT UINT32 *RemovalMechanismLists | |
) | |
{ | |
TCG_RESULT Ret; | |
UINTN DataSize; | |
DATA_REMOVAL_FEATURE_DESCRIPTOR Descriptor; | |
UINT8 Index; | |
UINT8 BitValue; | |
NULL_CHECK (Session); | |
NULL_CHECK (RemovalMechanismLists); | |
DataSize = sizeof (Descriptor); | |
Ret = OpalGetFeatureDescriptor (Session, TCG_FEATURE_DATA_REMOVAL, &DataSize, &Descriptor); | |
if (Ret != TcgResultSuccess) { | |
return TcgResultFailure; | |
} | |
ASSERT (Descriptor.RemovalMechanism != 0); | |
for (Index = 0; Index < ResearvedMechanism; Index++) { | |
BitValue = (BOOLEAN)BitFieldRead8 (Descriptor.RemovalMechanism, Index, Index); | |
if (BitValue == 0) { | |
RemovalMechanismLists[Index] = 0; | |
} else { | |
RemovalMechanismLists[Index] = GetDataRemovalTime (Index, &Descriptor); | |
} | |
} | |
return TcgResultSuccess; | |
} | |
/** | |
Get revert timeout value. | |
@param[in] Session The session info for one opal device. | |
**/ | |
UINT32 | |
GetRevertTimeOut ( | |
IN OPAL_SESSION *Session | |
) | |
{ | |
TCG_RESULT TcgResult; | |
OPAL_DISK_SUPPORT_ATTRIBUTE SupportedAttributes; | |
UINT16 BaseComId; | |
UINT32 MsidLength; | |
UINT8 Msid[OPAL_MSID_LENGTH]; | |
UINT32 RemovalMechanishLists[ResearvedMechanism]; | |
UINT8 ActiveDataRemovalMechanism; | |
TcgResult = OpalGetSupportedAttributesInfo (Session, &SupportedAttributes, &BaseComId); | |
if ((TcgResult != TcgResultSuccess) || (SupportedAttributes.DataRemoval == 0)) { | |
return 0; | |
} | |
TcgResult = OpalUtilGetMsid (Session, Msid, OPAL_MSID_LENGTH, &MsidLength); | |
if (TcgResult != TcgResultSuccess) { | |
return 0; | |
} | |
TcgResult = OpalUtilGetDataRemovalMechanismLists (Session, RemovalMechanishLists); | |
if (TcgResult != TcgResultSuccess) { | |
return 0; | |
} | |
TcgResult = OpalUtilGetActiveDataRemovalMechanism (Session, Msid, MsidLength, &ActiveDataRemovalMechanism); | |
if (TcgResult != TcgResultSuccess) { | |
return 0; | |
} | |
return RemovalMechanishLists[ActiveDataRemovalMechanism]; | |
} |