> -----Original Message----- > From: Yao, Jiewen [mailto:jiewen....@intel.com] > Sent: Friday, June 26, 2015 8:23 AM > To: Anbazhagan, Baraneedharan; edk2-devel@lists.sourceforge.net; Zeng, Star > Subject: RE: [edk2] [patch 0/2] Do TPer Reset for all encrypted drives > > Hi > According to WHCK: https://msdn.microsoft.com/en- > us/library/windows/hardware/jj128256.aspx > ============================== > UEFI 2.3.1 > The implementation of the Trusted Computing Group Platform Reset Attack > Mitigation Specification > (http://www.trustedcomputinggroup.org/resources/pc_client_work_group_platform > _reset_attack_mitigation_specification_version_10) MUST unconditionally issue > TPer Reset (OPAL v2.0 in section 3.2.3) for all scenarios whenever memory is > cleared. > The EFI_STORAGE_SECURITY_COMMAND_PROTOCOL and the TPer Reset command > MUST be included in the base UEFI image (not in a separate image of a UEFI > driver). > The system MUST enumerate all Encrypted Drives and TPer Reset MUST be issued > prior to executing any firmware code not provided by the platform > manufacturer in > the base UEFI image. > ============================ > > It seems platform MUST enumerate all Encrypted Drives and TPer reset before > EndOfDxe, if MOR happens. Does it make sense to have sample implementation in PlatformBdsLib? Platform can provide device path for those controllers similar to Console devices in PlatformData.c. PlatformBdsLib can make use of that device path if MOR happens and connect to it before EndOfDxe?
> > Thank you > Yao Jiewen > > -----Original Message----- > From: Anbazhagan, Baraneedharan [mailto:anbazha...@hp.com] > Sent: Friday, June 26, 2015 8:45 PM > To: edk2-devel@lists.sourceforge.net; Yao, Jiewen; Zeng, Star > Subject: RE: [edk2] [patch 0/2] Do TPer Reset for all encrypted drives > > Whether EFI_STORAGE_SECURITY_COMMAND_PROTOCOL will be available on > EndOfDxe callback? I thought both AtaBusDxe and NvmExpressDxe modules will > install EFI_STORAGE_SECURITY_COMMAND_PROTOCOL as part of ConnectController > in Bds which is after EndOfDxe. > > -Baranee > > > -----Original Message----- > > From: Tian, Feng [mailto:feng.t...@intel.com] > > Sent: Friday, June 26, 2015 12:21 AM > > To: edk2-devel@lists.sourceforge.net; Yao, Jiewen; Zeng, Star > > Subject: Re: [edk2] [patch 0/2] Do TPer Reset for all encrypted drives > > > > Yes, you are right. I forget removing these from AtaBus driver. > > > > -----Original Message----- > > From: Zeng, Star [mailto:star.z...@intel.com] > > Sent: Friday, June 26, 2015 13:16 > > To: edk2-devel@lists.sourceforge.net; Yao, Jiewen > > Subject: Re: [edk2] [patch 0/2] Do TPer Reset for all encrypted drives > > > > Also need to remove #include <Guid/MemoryOverwriteControl.h> from > > AtaBus.h and gEfiMemoryOverwriteControlDataGuid from AtaBusDxe.inf? > > > > Others are good to me. > > > > Thanks, > > Star > > -----Original Message----- > > From: Tian Feng [mailto:feng.t...@intel.com] > > Sent: Thursday, June 25, 2015 12:01 PM > > To: zeng.s...@intel.com; Yao, Jiewen > > Cc: edk2-devel@lists.sourceforge.net > > Subject: [edk2] [patch 0/2] Do TPer Reset for all encrypted drives > > > > At past we only did TPer Reset for ATA device in AtaBus driver. > > Now a common logic to do TPer Reset is extracted and putted in TcgMor > > module. > > > > By this way, all encrypted drives whose driver produces > > EFI_STORAGE_SECURITY_ COMMAND_PROTOCOL could be force reset at EndOfDxe. > > > > Tian Feng (2): > > MdeModulePkg/AtaBus: remove TPer Reset operation in DriverBindingStart > > SecurityPkg/TcgMor: move TPer Reset operation to this module > > > > MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBus.c | 208 +---------------- > > MdeModulePkg/Bus/Ata/AtaBusDxe/AtaBus.h | 17 +- > > SecurityPkg/Tcg/MemoryOverwriteControl/TcgMor.c | 264 > > +++++++++++++++++++++- > > SecurityPkg/Tcg/MemoryOverwriteControl/TcgMor.h | 22 +- > > SecurityPkg/Tcg/MemoryOverwriteControl/TcgMor.inf | 13 +- > > 5 files changed, 296 insertions(+), 228 deletions(-) > > > > -- > > 1.9.5.msysgit.0 > > > > > > ---------------------------------------------------------------------- > > -------- Monitor 25 network devices or servers for free with > > OpManager! > > OpManager is web-based network management software that monitors > > network devices and physical & virtual servers, alerts via email & sms > > for fault. Monitor 25 devices for free with no restriction. Download > > now http://ad.doubleclick.net/ddm/clk/292181274;119417398;o > > _______________________________________________ > > edk2-devel mailing list > > edk2-devel@lists.sourceforge.net > > https://lists.sourceforge.net/lists/listinfo/edk2-devel > > > > ---------------------------------------------------------------------- > > -------- Monitor 25 network devices or servers for free with > > OpManager! > > OpManager is web-based network management software that monitors > > network devices and physical & virtual servers, alerts via email & sms > > for fault. Monitor 25 devices for free with no restriction. Download > > now http://ad.doubleclick.net/ddm/clk/292181274;119417398;o > > _______________________________________________ > > edk2-devel mailing list > > edk2-devel@lists.sourceforge.net > > https://lists.sourceforge.net/lists/listinfo/edk2-devel > > > ------------------------------------------------------------------------------ Monitor 25 network devices or servers for free with OpManager! OpManager is web-based network management software that monitors network devices and physical & virtual servers, alerts via email & sms for fault. Monitor 25 devices for free with no restriction. Download now http://ad.doubleclick.net/ddm/clk/292181274;119417398;o _______________________________________________ edk2-devel mailing list edk2-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/edk2-devel
