Hi According to WHCK: https://msdn.microsoft.com/en-us/library/windows/hardware/jj128256.aspx ============================== UEFI 2.3.1 The implementation of the Trusted Computing Group Platform Reset Attack Mitigation Specification (http://www.trustedcomputinggroup.org/resources/pc_client_work_group_platform_reset_attack_mitigation_specification_version_10) MUST unconditionally issue TPer Reset (OPAL v2.0 in section 3.2.3) for all scenarios whenever memory is cleared. The EFI_STORAGE_SECURITY_COMMAND_PROTOCOL and the TPer Reset command MUST be included in the base UEFI image (not in a separate image of a UEFI driver). The system MUST enumerate all Encrypted Drives and TPer Reset MUST be issued prior to executing any firmware code not provided by the platform manufacturer in the base UEFI image. ============================
It seems platform MUST enumerate all Encrypted Drives and TPer reset before EndOfDxe, if MOR happens. Thank you Yao Jiewen -----Original Message----- From: Anbazhagan, Baraneedharan [mailto:anbazha...@hp.com] Sent: Friday, June 26, 2015 8:45 PM To: edk2-devel@lists.sourceforge.net; Yao, Jiewen; Zeng, Star Subject: RE: [edk2] [patch 0/2] Do TPer Reset for all encrypted drives Whether EFI_STORAGE_SECURITY_COMMAND_PROTOCOL will be available on EndOfDxe callback? I thought both AtaBusDxe and NvmExpressDxe modules will install EFI_STORAGE_SECURITY_COMMAND_PROTOCOL as part of ConnectController in Bds which is after EndOfDxe. -Baranee > -----Original Message----- > From: Tian, Feng [mailto:feng.t...@intel.com] > Sent: Friday, June 26, 2015 12:21 AM > To: edk2-devel@lists.sourceforge.net; Yao, Jiewen; Zeng, Star > Subject: Re: [edk2] [patch 0/2] Do TPer Reset for all encrypted drives > > Yes, you are right. I forget removing these from AtaBus driver. > > -----Original Message----- > From: Zeng, Star [mailto:star.z...@intel.com] > Sent: Friday, June 26, 2015 13:16 > To: edk2-devel@lists.sourceforge.net; Yao, Jiewen > Subject: Re: [edk2] [patch 0/2] Do TPer Reset for all encrypted drives > > Also need to remove #include <Guid/MemoryOverwriteControl.h> from > AtaBus.h and gEfiMemoryOverwriteControlDataGuid from AtaBusDxe.inf? > > Others are good to me. > > Thanks, > Star > -----Original Message----- > From: Tian Feng [mailto:feng.t...@intel.com] > Sent: Thursday, June 25, 2015 12:01 PM > To: zeng.s...@intel.com; Yao, Jiewen > Cc: edk2-devel@lists.sourceforge.net > Subject: [edk2] [patch 0/2] Do TPer Reset for all encrypted drives > > At past we only did TPer Reset for ATA device in AtaBus driver. > Now a common logic to do TPer Reset is extracted and putted in TcgMor module. > > By this way, all encrypted drives whose driver produces > EFI_STORAGE_SECURITY_ COMMAND_PROTOCOL could be force reset at EndOfDxe. > > Tian Feng (2): > MdeModulePkg/AtaBus: remove TPer Reset operation in DriverBindingStart > SecurityPkg/TcgMor: move TPer Reset operation to this module > > MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBus.c | 208 +---------------- > MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBus.h | 17 +- > SecurityPkg/Tcg/MemoryOverwriteControl/TcgMor.c | 264 > +++++++++++++++++++++- > SecurityPkg/Tcg/MemoryOverwriteControl/TcgMor.h | 22 +- > SecurityPkg/Tcg/MemoryOverwriteControl/TcgMor.inf | 13 +- > 5 files changed, 296 insertions(+), 228 deletions(-) > > -- > 1.9.5.msysgit.0 > > > ---------------------------------------------------------------------- > -------- Monitor 25 network devices or servers for free with > OpManager! > OpManager is web-based network management software that monitors > network devices and physical & virtual servers, alerts via email & sms > for fault. Monitor 25 devices for free with no restriction. Download > now http://ad.doubleclick.net/ddm/clk/292181274;119417398;o > _______________________________________________ > edk2-devel mailing list > edk2-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/edk2-devel > > ---------------------------------------------------------------------- > -------- Monitor 25 network devices or servers for free with > OpManager! > OpManager is web-based network management software that monitors > network devices and physical & virtual servers, alerts via email & sms > for fault. Monitor 25 devices for free with no restriction. Download > now http://ad.doubleclick.net/ddm/clk/292181274;119417398;o > _______________________________________________ > edk2-devel mailing list > edk2-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/edk2-devel > ------------------------------------------------------------------------------ Monitor 25 network devices or servers for free with OpManager! OpManager is web-based network management software that monitors network devices and physical & virtual servers, alerts via email & sms for fault. Monitor 25 devices for free with no restriction. Download now http://ad.doubleclick.net/ddm/clk/292181274;119417398;o _______________________________________________ edk2-devel mailing list edk2-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/edk2-devel
