-rw-r--r--SecurityPkg/SecurityPkg.dec10
-rw-r--r--SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c16
-rw-r--r--SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe.inf2
3 files changed, 20 insertions, 8 deletions
diff --git a/SecurityPkg/SecurityPkg.dec b/SecurityPkg/SecurityPkg.dec
index 3314f1854b..96db80c2d2 100644
--- a/SecurityPkg/SecurityPkg.dec
+++ b/SecurityPkg/SecurityPkg.dec
@@ -422,11 +422,11 @@
# @Prompt Possible TPM2 Interrupt Number buffer
gEfiSecurityPkgTokenSpaceGuid.PcdTpm2PossibleIrqNumBuf|{0x00, 0x00, 0x00, 0x00}|VOID*|0x0001001D
- ## Indicates if Opal DXE driver skip unlock device flow.<BR><BR>
- # TRUE - Skip unlock device flow.<BR>
- # FALSE - Does not skip unlock device flow.<BR>
- # @Prompt Skip Opal DXE driver unlock device flow.
- gEfiSecurityPkgTokenSpaceGuid.PcdSkipOpalDxeUnlock|FALSE|BOOLEAN|0x00010020
+ ## Indicates if Opal DXE driver skip password prompt.<BR><BR>
+ # TRUE - Skip password prompt.<BR>
+ # FALSE - Does not skip password prompt.<BR>
+ # @Prompt Skip Opal DXE driver password prompt.
+ gEfiSecurityPkgTokenSpaceGuid.PcdSkipOpalPasswordPrompt|FALSE|BOOLEAN|0x00010020
[PcdsDynamic, PcdsDynamicEx]
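Review bot: The new description of PcdSkipOpalPasswordPrompt says only that the password prompt is skipped, but the OpalDriver.c hunk in this commit also shuts the system down when the PCD is TRUE and the device is found unlocked. A platform owner reading the .dec alone would not expect that, so the `##` block should say it, for example `# TRUE  - Skip password prompt; a locked device stays locked, an unlocked device forces a system shutdown.<BR>`. Token 0x00010020 is kept under a new name with changed semantics, so any platform DSC that still sets PcdSkipOpalDxeUnlock presumably needs updating.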
diff --git a/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c b/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
index 965205c0b2..e14fa32354 100644
--- a/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
+++ b/SecurityPkg/Tcg/Opal/OpalPassword/OpalDriver.c
@@ -899,8 +899,20 @@ OpalDriverRequestPassword (
IsLocked = OpalDeviceLocked (&Dev->OpalDisk.SupportedAttributes, &Dev->OpalDisk.LockingFeature);
- if (IsLocked && PcdGetBool (PcdSkipOpalDxeUnlock)) {
- return;
+ //
+ // Add PcdSkipOpalPasswordPrompt to determin whether to skip password prompt.
+ // Due to board design, device may not power off during system warm boot, which result in
+ // security status remain unlocked status, hence we add device security status check here.
+ //
+ // If device is in the locked status, device keeps locked and system continues booting.
+ // If device is in the unlocked status, system is forced shutdown to support security requirement.
+ //
+ if (PcdGetBool (PcdSkipOpalPasswordPrompt)) {
+ if (IsLocked) {
+ return;
+ } else {
+ gRT->ResetSystem (EfiResetShutdown, EFI_SUCCESS, 0, NULL);
+ }
}
while (Count < MAX_PASSWORD_TRY_COUNT) {
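Review bot: If `gRT->ResetSystem ()` ever returns, execution leaves the `else` branch and falls into the `while (Count < MAX_PASSWORD_TRY_COUNT)` loop, so the driver carries on with a device that is already unlocked, which is the state this check is meant to refuse. Follow the call with `CpuDeadLoop ();` so the unlocked path cannot continue; because the locked branch ends in `return`, the `else` can then be dropped. The hunk does not show whether UefiRuntimeServicesTableLib is listed in the INF's [LibraryClasses], which is worth confirming now that `gRT` is used here. The added comment has a typo ("determin" should be "determine"). The body of OpalDriverRequestPassword starts and ends outside this hunk.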
diff --git a/SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe.inf b/SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe.inf
index e74f147aaa..87519198c0 100644
--- a/SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe.inf
+++ b/SecurityPkg/Tcg/Opal/OpalPassword/OpalPasswordDxe.inf
@@ -71,7 +71,7 @@
gS3StorageDeviceInitListGuid ## SOMETIMES_PRODUCES ## UNDEFINED
[Pcd]
- gEfiSecurityPkgTokenSpaceGuid.PcdSkipOpalDxeUnlock ## CONSUMES
+ gEfiSecurityPkgTokenSpaceGuid.PcdSkipOpalPasswordPrompt ## CONSUMES
[Depex]
gEfiHiiStringProtocolGuid AND gEfiHiiDatabaseProtocolGuid