From: Marc-André Lureau <marcandre.lur...@redhat.com>

Cloned "SecurityPkg/Library/DxeTcg2PhysicalPresenceLib" and:

- removed all the functions that are unreachable from
  Tcg2PhysicalPresenceLibProcessRequest()

- replaced everything related to the
  TCG2_PHYSICAL_PRESENCE*_VARIABLE variables with direct access to
  the QEMU structures.

This commit is based on initial experimental work from Stefan Berger.
In particular, he wrote most of QEMU PPI support, and designed the
qemu/firmware interaction. Initially, Stefan tried to reuse the
existing SecurityPkg code, but we eventually decided to get rid of the
variables and simplify the ovmf/qemu version.

Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Marc-André Lureau <marcandre.lur...@redhat.com>
---
 OvmfPkg/OvmfPkgIa32.dsc                                                        
                                                |   2 +-
 OvmfPkg/OvmfPkgIa32X64.dsc                                                     
                                                |   2 +-
 OvmfPkg/OvmfPkgX64.dsc                                                         
                                                |   2 +-
 {SecurityPkg/Library/DxeTcg2PhysicalPresenceLib => 
OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu}/DxeTcg2PhysicalPresenceLib.inf |  
25 +-
 OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.c       
                                                | 889 ++++++++++++++++++++
 {SecurityPkg/Library/DxeTcg2PhysicalPresenceLib => 
OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu}/DxeTcg2PhysicalPresenceLib.uni |   
3 +-
 {SecurityPkg/Library/DxeTcg2PhysicalPresenceLib => 
OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu}/PhysicalPresenceStrings.uni    |  
28 +-
 7 files changed, 911 insertions(+), 40 deletions(-)

diff --git a/OvmfPkg/OvmfPkgIa32.dsc b/OvmfPkg/OvmfPkgIa32.dsc
index 6c361b73cd55..251434a9ff7c 100644
--- a/OvmfPkg/OvmfPkgIa32.dsc
+++ b/OvmfPkg/OvmfPkgIa32.dsc
@@ -206,7 +206,7 @@ [LibraryClasses]
 
 !if $(TPM2_ENABLE) == TRUE
   Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
-  
Tcg2PhysicalPresenceLib|SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf
+  
Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
   
Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
 !else
   
Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
diff --git a/OvmfPkg/OvmfPkgIa32X64.dsc b/OvmfPkg/OvmfPkgIa32X64.dsc
index 62a6075a671d..ce247a59d61a 100644
--- a/OvmfPkg/OvmfPkgIa32X64.dsc
+++ b/OvmfPkg/OvmfPkgIa32X64.dsc
@@ -211,7 +211,7 @@ [LibraryClasses]
 
 !if $(TPM2_ENABLE) == TRUE
   Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
-  
Tcg2PhysicalPresenceLib|SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf
+  
Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
   
Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
 !else
   
Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
diff --git a/OvmfPkg/OvmfPkgX64.dsc b/OvmfPkg/OvmfPkgX64.dsc
index cbab1aa328c6..67f7e155ee3e 100644
--- a/OvmfPkg/OvmfPkgX64.dsc
+++ b/OvmfPkg/OvmfPkgX64.dsc
@@ -211,7 +211,7 @@ [LibraryClasses]
 
 !if $(TPM2_ENABLE) == TRUE
   Tpm2CommandLib|SecurityPkg/Library/Tpm2CommandLib/Tpm2CommandLib.inf
-  
Tcg2PhysicalPresenceLib|SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf
+  
Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
   
Tcg2PpVendorLib|SecurityPkg/Library/Tcg2PpVendorLibNull/Tcg2PpVendorLibNull.inf
 !else
   
Tcg2PhysicalPresenceLib|OvmfPkg/Library/Tcg2PhysicalPresenceLibNull/DxeTcg2PhysicalPresenceLib.inf
diff --git 
a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf 
b/OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
similarity index 80%
copy from 
SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf
copy to 
OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
index fc10129989f6..6b2d70c711fe 100644
--- 
a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.inf
+++ b/OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.inf
@@ -8,6 +8,7 @@
 #  This driver will have external input - variable.
 #  This external input must be validated carefully to avoid security issue.
 #
+# Copyright (C) 2018, Red Hat, Inc.
 # Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.<BR>
 # This program and the accompanying materials
 # are licensed and made available under the terms and conditions of the BSD 
License
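Review bot: The context lines "This driver will have external input - variable." / "This external input must be validated carefully" at the top of this hunk are now stale: per the commit message the variable handling was replaced by direct access to the QEMU PPI structures, so the untrusted input this library consumes is the OS-written PPI request block, not a UEFI variable. A reviewer following the caution note would look at the wrong surface. Suggest rewording the two lines to `#  This driver will have external input - the QEMU PPI request block written by the OS.` and `#  This external input must be validated carefully to avoid security issue.` so the review caveat points at the PPI request/parameter fields.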
@@ -22,10 +23,10 @@ [Defines]
   INF_VERSION                    = 0x00010005
   BASE_NAME                      = DxeTcg2PhysicalPresenceLib
   MODULE_UNI_FILE                = DxeTcg2PhysicalPresenceLib.uni
-  FILE_GUID                      = 7E507A86-DE8B-4AD3-BC4C-0498389098D3
+  FILE_GUID                      = 41D3E698-9EEC-41FF-9CBB-5FE79A0CF326
   MODULE_TYPE                    = DXE_DRIVER
   VERSION_STRING                 = 1.0
-  LIBRARY_CLASS                  = Tcg2PhysicalPresenceLib|DXE_DRIVER 
DXE_RUNTIME_DRIVER DXE_SAL_DRIVER UEFI_APPLICATION UEFI_DRIVER 
+  LIBRARY_CLASS                  = Tcg2PhysicalPresenceLib|DXE_DRIVER 
DXE_RUNTIME_DRIVER DXE_SAL_DRIVER UEFI_APPLICATION UEFI_DRIVER
 
 #
 # The following information is for reference only and not required by the 
build tools.
@@ -40,33 +41,27 @@ [Sources]
 [Packages]
   MdePkg/MdePkg.dec
   MdeModulePkg/MdeModulePkg.dec
+  OvmfPkg/OvmfPkg.dec
   SecurityPkg/SecurityPkg.dec
 
 [LibraryClasses]
-  MemoryAllocationLib
-  UefiLib
-  UefiBootServicesTableLib
-  UefiDriverEntryPoint
-  UefiRuntimeServicesTableLib
   BaseMemoryLib
   DebugLib
-  PrintLib
   HiiLib
   HobLib
+  MemoryAllocationLib
+  PrintLib
+  QemuFwCfgLib
   Tpm2CommandLib
-  Tcg2PpVendorLib
+  UefiBootServicesTableLib
+  UefiLib
+  UefiRuntimeServicesTableLib
 
 [Protocols]
   gEfiTcg2ProtocolGuid                 ## SOMETIMES_CONSUMES
-  gEdkiiVariableLockProtocolGuid       ## SOMETIMES_CONSUMES
-
-[Pcd]
-  gEfiSecurityPkgTokenSpaceGuid.PcdTcg2PhysicalPresenceFlags       ## 
SOMETIMES_CONSUMES
 
 [Guids]
   ## SOMETIMES_CONSUMES ## HII
   ## SOMETIMES_PRODUCES ## Variable:L"Tcg2PhysicalPresence"
   ## SOMETIMES_CONSUMES ## Variable:L"Tcg2PhysicalPresence"
-  ## SOMETIMES_PRODUCES ## Variable:L"Tcg2PhysicalPresenceFlags"
-  ## SOMETIMES_CONSUMES ## Variable:L"Tcg2PhysicalPresenceFlags"
   gEfiTcg2PhysicalPresenceGuid
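Review bot: The [Guids] block still declares `## SOMETIMES_PRODUCES ## Variable:L"Tcg2PhysicalPresence"` and the matching `## SOMETIMES_CONSUMES ## Variable:L"Tcg2PhysicalPresence"` line, although the commit drops only the Flags-variable annotations and the [Pcd] entry; with all TCG2_PHYSICAL_PRESENCE*_VARIABLE access replaced by the QEMU structures, these usage annotations describe a variable this library apparently no longer reads or writes. Stale usage annotations mislead anyone auditing which modules touch the physical-presence variable, which is exactly the kind of review the file header asks for. Suggest removing the two Variable lines and keeping only `## SOMETIMES_CONSUMES ## HII` above `gEfiTcg2PhysicalPresenceGuid`, which still matches the HiiAddPackages call in the new .c file; if the variable is still touched somewhere I cannot see, a one-line comment saying where would resolve the same doubt.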
diff --git 
a/OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.c 
b/OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.c
new file mode 100644
index 000000000000..a1b84724b138
--- /dev/null
+++ b/OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.c
@@ -0,0 +1,889 @@
+/** @file
+  Execute pending TPM2 requests from OS or BIOS.
+
+  Caution: This module requires additional review when modified.
+  This driver will have external input - variable.
+  This external input must be validated carefully to avoid security issue.
+
+  Tcg2ExecutePendingTpmRequest() will receive untrusted input and do 
validation.
+
+Copyright (C) 2018, Red Hat, Inc.
+Copyright (c) 2018, IBM Corporation. All rights reserved.<BR>
+Copyright (c) 2013 - 2016, Intel Corporation. All rights reserved.<BR>
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD 
License
+which accompanies this distribution.  The full text of the license may be 
found at
+http://opensource.org/licenses/bsd-license.php
+
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
+WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
+
+**/
+
+#include <PiDxe.h>
+
+#include <Guid/Tcg2PhysicalPresenceData.h>
+#include <IndustryStandard/QemuTpm.h>
+#include <Protocol/Tcg2Protocol.h>
+
+#include <Library/BaseMemoryLib.h>
+#include <Library/DebugLib.h>
+#include <Library/HiiLib.h>
+#include <Library/HobLib.h>
+#include <Library/MemoryAllocationLib.h>
+#include <Library/PrintLib.h>
+#include <Library/QemuFwCfgLib.h>
+#include <Library/Tpm2CommandLib.h>
+#include <Library/UefiBootServicesTableLib.h>
+#include <Library/UefiLib.h>
+#include <Library/UefiRuntimeServicesTableLib.h>
+
+#include <Library/Tcg2PhysicalPresenceLib.h>
+
+#define CONFIRM_BUFFER_SIZE         4096
+
+EFI_HII_HANDLE mTcg2PpStringPackHandle;
+
+#define TPM_PPI_FLAGS (QEMU_TPM_PPI_FUNC_ALLOWED_USR_REQ)
+
+STATIC CONST UINT8 mTpm2PPIFuncs[] = {
+  [TCG2_PHYSICAL_PRESENCE_NO_ACTION] = TPM_PPI_FLAGS,
+  [TCG2_PHYSICAL_PRESENCE_CLEAR] = TPM_PPI_FLAGS,
+  [TCG2_PHYSICAL_PRESENCE_ENABLE_CLEAR] = TPM_PPI_FLAGS,
+  [TCG2_PHYSICAL_PRESENCE_ENABLE_CLEAR_2] = TPM_PPI_FLAGS,
+  [TCG2_PHYSICAL_PRESENCE_ENABLE_CLEAR_3] = TPM_PPI_FLAGS,
+  [TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS] = TPM_PPI_FLAGS,
+  [TCG2_PHYSICAL_PRESENCE_CHANGE_EPS] = TPM_PPI_FLAGS,
+  [TCG2_PHYSICAL_PRESENCE_LOG_ALL_DIGESTS] = TPM_PPI_FLAGS,
+  [TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID] = TPM_PPI_FLAGS,
+  [TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID] = TPM_PPI_FLAGS,
+};
+
+STATIC QEMU_TPM_PPI *mPpi;
+
+
+/**
+  Reads QEMU PPI config from fw_cfg.
+
+  @param[in]  The Config structure to read to.
+
+  @retval EFI_SUCCESS           Operation completed successfully.
+  @retval EFI_PROTOCOL_ERROR    Invalid fw_cfg entry size.
+**/
+EFI_STATUS
+QemuTpmReadConfig (
+  IN QEMU_FWCFG_TPM_CONFIG *Config
+  )
+{
+  EFI_STATUS           Status;
+  FIRMWARE_CONFIG_ITEM FwCfgItem;
+  UINTN                FwCfgSize;
+
+  Status = QemuFwCfgFindFile ("etc/tpm/config", &FwCfgItem, &FwCfgSize);
+  if (EFI_ERROR (Status)) {
+    return Status;
+  }
+
+  if (FwCfgSize != sizeof (*Config)) {
+    return EFI_PROTOCOL_ERROR;
+  }
+
+  QemuFwCfgSelectItem (FwCfgItem);
+  QemuFwCfgReadBytes (sizeof (*Config), Config);
+  return EFI_SUCCESS;
+}
+
+
+/**
+  Initializes QEMU PPI memory region.
+
+  @retval EFI_SUCCESS           Operation completed successfully.
+  @retval EFI_INVALID_PARAMETER PPI address is invalid.
+**/
+EFI_STATUS
+QemuTpmInitPPI (
+  VOID
+  )
+{
+  EFI_STATUS Status;
+  QEMU_FWCFG_TPM_CONFIG Config;
+
+  if (mPpi) {
+    return EFI_SUCCESS;
+  }
+
+  Status = QemuTpmReadConfig (&Config);
+  if (EFI_ERROR (Status)) {
+    return Status;
+  }
+
+  mPpi = (QEMU_TPM_PPI *)(unsigned long)Config.PpiAddress;
+  if (!mPpi) {
+    return EFI_INVALID_PARAMETER;
+  }
+
+  DEBUG ((EFI_D_INFO, "[TPM2PP] mPpi=%x version=%d\n", mPpi, 
Config.TpmVersion));
+  ZeroMem (&mPpi->Func, sizeof (mPpi->Func));
+  switch (Config.TpmVersion) {
+  case QEMU_TPM_VERSION_2:
+    CopyMem (&mPpi->Func, mTpm2PPIFuncs, sizeof (mTpm2PPIFuncs));
+    break;
+  }
+
+  if (!mPpi->In) {
+    mPpi->In = 1;
+    mPpi->Request = TCG2_PHYSICAL_PRESENCE_NO_ACTION;
+    mPpi->LastRequest = TCG2_PHYSICAL_PRESENCE_NO_ACTION;
+    mPpi->NextStep = TCG2_PHYSICAL_PRESENCE_NO_ACTION;
+  }
+
+  return EFI_SUCCESS;
+}
+
+
+/**
+  Get string by string id from HII Interface.
+
+  @param[in] Id          String ID.
+
+  @retval    CHAR16 *    String from ID.
+  @retval    NULL        If error occurs.
+
+**/
+CHAR16 *
+Tcg2PhysicalPresenceGetStringById (
+  IN  EFI_STRING_ID   Id
+  )
+{
+  return HiiGetString (mTcg2PpStringPackHandle, Id, NULL);
+}
+
+
+/**
+  Send ClearControl and Clear command to TPM.
+
+  @param[in]  PlatformAuth      platform auth value. NULL means no platform 
auth change.
+
+  @retval EFI_SUCCESS           Operation completed successfully.
+  @retval EFI_TIMEOUT           The register can't run into the expected 
status in time.
+  @retval EFI_BUFFER_TOO_SMALL  Response data buffer is too small.
+  @retval EFI_DEVICE_ERROR      Unexpected device behavior.
+
+**/
+EFI_STATUS
+EFIAPI
+Tpm2CommandClear (
+  IN TPM2B_AUTH                *PlatformAuth  OPTIONAL
+  )
+{
+  EFI_STATUS                Status;
+  TPMS_AUTH_COMMAND         *AuthSession;
+  TPMS_AUTH_COMMAND         LocalAuthSession;
+
+  if (PlatformAuth == NULL) {
+    AuthSession = NULL;
+  } else {
+    AuthSession = &LocalAuthSession;
+    ZeroMem (&LocalAuthSession, sizeof (LocalAuthSession));
+    LocalAuthSession.sessionHandle = TPM_RS_PW;
+    LocalAuthSession.hmac.size = PlatformAuth->size;
+    CopyMem (LocalAuthSession.hmac.buffer, PlatformAuth->buffer, 
PlatformAuth->size);
+  }
+
+  DEBUG ((EFI_D_INFO, "Tpm2ClearControl ... \n"));
+  Status = Tpm2ClearControl (TPM_RH_PLATFORM, AuthSession, NO);
+  DEBUG ((EFI_D_INFO, "Tpm2ClearControl - %r\n", Status));
+  if (EFI_ERROR (Status)) {
+    goto Done;
+  }
+  DEBUG ((EFI_D_INFO, "Tpm2Clear ... \n"));
+  Status = Tpm2Clear (TPM_RH_PLATFORM, AuthSession);
+  DEBUG ((EFI_D_INFO, "Tpm2Clear - %r\n", Status));
+
+Done:
+  ZeroMem (&LocalAuthSession.hmac, sizeof (LocalAuthSession.hmac));
+  return Status;
+}
+
+
+/**
+  Change EPS.
+
+  @param[in]  PlatformAuth      platform auth value. NULL means no platform 
auth change.
+
+  @retval EFI_SUCCESS Operation completed successfully.
+**/
+EFI_STATUS
+Tpm2CommandChangeEps (
+  IN TPM2B_AUTH                *PlatformAuth  OPTIONAL
+  )
+{
+  EFI_STATUS                Status;
+  TPMS_AUTH_COMMAND         *AuthSession;
+  TPMS_AUTH_COMMAND         LocalAuthSession;
+
+  if (PlatformAuth == NULL) {
+    AuthSession = NULL;
+  } else {
+    AuthSession = &LocalAuthSession;
+    ZeroMem (&LocalAuthSession, sizeof (LocalAuthSession));
+    LocalAuthSession.sessionHandle = TPM_RS_PW;
+    LocalAuthSession.hmac.size = PlatformAuth->size;
+    CopyMem (LocalAuthSession.hmac.buffer, PlatformAuth->buffer, 
PlatformAuth->size);
+  }
+
+  Status = Tpm2ChangeEPS (TPM_RH_PLATFORM, AuthSession);
+  DEBUG ((EFI_D_INFO, "Tpm2ChangeEPS - %r\n", Status));
+
+  ZeroMem (&LocalAuthSession.hmac, sizeof(LocalAuthSession.hmac));
+  return Status;
+}
+
+
+/**
+  Execute physical presence operation requested by the OS.
+
+  @param[in]      PlatformAuth        platform auth value. NULL means no 
platform auth change.
+  @param[in]      CommandCode         Physical presence operation value.
+  @param[in]      CommandParameter    Physical presence operation parameter.
+
+  @retval TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE   Unknown physical presence 
operation.
+  @retval TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE   Error occurred during 
sending command to TPM or
+                                                   receiving response from TPM.
+  @retval Others                                   Return code from the TPM 
device after command execution.
+**/
+UINT32
+Tcg2ExecutePhysicalPresence (
+  IN      TPM2B_AUTH                       *PlatformAuth,  OPTIONAL
+  IN      UINT32                           CommandCode,
+  IN      UINT32                           CommandParameter
+  )
+{
+  EFI_STATUS                        Status;
+  EFI_TCG2_EVENT_ALGORITHM_BITMAP   TpmHashAlgorithmBitmap;
+  UINT32                            ActivePcrBanks;
+
+  switch (CommandCode) {
+    case TCG2_PHYSICAL_PRESENCE_CLEAR:
+    case TCG2_PHYSICAL_PRESENCE_ENABLE_CLEAR:
+    case TCG2_PHYSICAL_PRESENCE_ENABLE_CLEAR_2:
+    case TCG2_PHYSICAL_PRESENCE_ENABLE_CLEAR_3:
+      Status = Tpm2CommandClear (PlatformAuth);
+      if (EFI_ERROR (Status)) {
+        return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
+      } else {
+        return TCG_PP_OPERATION_RESPONSE_SUCCESS;
+      }
+
+    case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS:
+      Status = Tpm2GetCapabilitySupportedAndActivePcrs 
(&TpmHashAlgorithmBitmap, &ActivePcrBanks);
+      ASSERT_EFI_ERROR (Status);
+
+      //
+      // PP spec requirements:
+      //    Firmware should check that all requested (set) hashing algorithms 
are supported with respective PCR banks.
+      //    Firmware has to ensure that at least one PCR banks is active.
+      // If not, an error is returned and no action is taken.
+      //
+      if (CommandParameter == 0 || (CommandParameter & 
(~TpmHashAlgorithmBitmap)) != 0) {
+        DEBUG((DEBUG_ERROR, "PCR banks %x to allocate are not supported by 
TPM. Skip operation\n", CommandParameter));
+        return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
+      }
+
+      Status = Tpm2PcrAllocateBanks (PlatformAuth, TpmHashAlgorithmBitmap, 
CommandParameter);
+      if (EFI_ERROR (Status)) {
+        return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
+      } else {
+        return TCG_PP_OPERATION_RESPONSE_SUCCESS;
+      }
+
+    case TCG2_PHYSICAL_PRESENCE_CHANGE_EPS:
+      Status = Tpm2CommandChangeEps (PlatformAuth);
+      if (EFI_ERROR (Status)) {
+        return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
+      } else {
+        return TCG_PP_OPERATION_RESPONSE_SUCCESS;
+      }
+
+    case TCG2_PHYSICAL_PRESENCE_LOG_ALL_DIGESTS:
+      Status = Tpm2GetCapabilitySupportedAndActivePcrs 
(&TpmHashAlgorithmBitmap, &ActivePcrBanks);
+      ASSERT_EFI_ERROR (Status);
+      Status = Tpm2PcrAllocateBanks (PlatformAuth, TpmHashAlgorithmBitmap, 
TpmHashAlgorithmBitmap);
+      if (EFI_ERROR (Status)) {
+        return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
+      } else {
+        return TCG_PP_OPERATION_RESPONSE_SUCCESS;
+      }
+
+    default:
+      if (CommandCode <= TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX) {
+        return TCG_PP_OPERATION_RESPONSE_SUCCESS;
+      } else {
+        return TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
+      }
+  }
+}
+
+
+/**
+  Read the specified key for user confirmation.
+
+  @param[in]  CautionKey  If true,  F12 is used as confirm key;
+                          If false, F10 is used as confirm key.
+
+  @retval     TRUE        User confirmed the changes by input.
+  @retval     FALSE       User discarded the changes.
+**/
+BOOLEAN
+Tcg2ReadUserKey (
+  IN     BOOLEAN                    CautionKey
+  )
+{
+  EFI_STATUS                        Status;
+  EFI_INPUT_KEY                     Key;
+  UINT16                            InputKey;
+
+  InputKey = 0;
+  do {
+    Status = gBS->CheckEvent (gST->ConIn->WaitForKey);
+    if (!EFI_ERROR (Status)) {
+      Status = gST->ConIn->ReadKeyStroke (gST->ConIn, &Key);
+      if (Key.ScanCode == SCAN_ESC) {
+        InputKey = Key.ScanCode;
+      }
+      if ((Key.ScanCode == SCAN_F10) && !CautionKey) {
+        InputKey = Key.ScanCode;
+      }
+      if ((Key.ScanCode == SCAN_F12) && CautionKey) {
+        InputKey = Key.ScanCode;
+      }
+    }
+  } while (InputKey == 0);
+
+  if (InputKey != SCAN_ESC) {
+    return TRUE;
+  }
+
+  return FALSE;
+}
+
+
+/**
+  Fill Buffer With BootHashAlg.
+
+  @param[in] Buffer               Buffer to be filled.
+  @param[in] BufferSize           Size of buffer.
+  @param[in] BootHashAlg          BootHashAlg.
+
+**/
+VOID
+Tcg2FillBufferWithBootHashAlg (
+  IN UINT16  *Buffer,
+  IN UINTN   BufferSize,
+  IN UINT32  BootHashAlg
+  )
+{
+  Buffer[0] = 0;
+  if ((BootHashAlg & EFI_TCG2_BOOT_HASH_ALG_SHA1) != 0) {
+    if (Buffer[0] != 0) {
+      StrnCatS (Buffer, BufferSize / sizeof (CHAR16), L", ", (BufferSize / 
sizeof (CHAR16)) - StrLen (Buffer) - 1);
+    }
+    StrnCatS (Buffer, BufferSize / sizeof (CHAR16), L"SHA1", (BufferSize / 
sizeof (CHAR16)) - StrLen (Buffer) - 1);
+  }
+  if ((BootHashAlg & EFI_TCG2_BOOT_HASH_ALG_SHA256) != 0) {
+    if (Buffer[0] != 0) {
+      StrnCatS (Buffer, BufferSize / sizeof (CHAR16), L", ", (BufferSize / 
sizeof (CHAR16)) - StrLen (Buffer) - 1);
+    }
+    StrnCatS (Buffer, BufferSize / sizeof (CHAR16), L"SHA256", (BufferSize / 
sizeof (CHAR16)) - StrLen (Buffer) - 1);
+  }
+  if ((BootHashAlg & EFI_TCG2_BOOT_HASH_ALG_SHA384) != 0) {
+    if (Buffer[0] != 0) {
+      StrnCatS (Buffer, BufferSize / sizeof (CHAR16), L", ", (BufferSize / 
sizeof (CHAR16)) - StrLen (Buffer) - 1);
+    }
+    StrnCatS (Buffer, BufferSize / sizeof (CHAR16), L"SHA384", (BufferSize / 
sizeof (CHAR16)) - StrLen (Buffer) - 1);
+  }
+  if ((BootHashAlg & EFI_TCG2_BOOT_HASH_ALG_SHA512) != 0) {
+    if (Buffer[0] != 0) {
+      StrnCatS (Buffer, BufferSize / sizeof (CHAR16), L", ", (BufferSize / 
sizeof (CHAR16)) - StrLen (Buffer) - 1);
+    }
+    StrnCatS (Buffer, BufferSize / sizeof (CHAR16), L"SHA512", (BufferSize / 
sizeof (CHAR16)) - StrLen (Buffer) - 1);
+  }
+  if ((BootHashAlg & EFI_TCG2_BOOT_HASH_ALG_SM3_256) != 0) {
+    if (Buffer[0] != 0) {
+      StrnCatS (Buffer, BufferSize / sizeof (CHAR16), L", ", (BufferSize / 
sizeof (CHAR16)) - StrLen (Buffer) - 1);
+    }
+    StrnCatS (Buffer, BufferSize / sizeof (CHAR16), L"SM3_256", (BufferSize / 
sizeof (CHAR16)) - StrLen (Buffer) - 1);
+  }
+}
+
+
+/**
+  Display the confirm text and get user confirmation.
+
+  @param[in] TpmPpCommand             The requested TPM physical presence 
command.
+  @param[in] TpmPpCommandParameter    The requested TPM physical presence 
command parameter.
+
+  @retval    TRUE          The user has confirmed the changes.
+  @retval    FALSE         The user doesn't confirm the changes.
+**/
+BOOLEAN
+Tcg2UserConfirm (
+  IN      UINT32                    TpmPpCommand,
+  IN      UINT32                    TpmPpCommandParameter
+  )
+{
+  CHAR16                            *ConfirmText;
+  CHAR16                            *TmpStr1;
+  CHAR16                            *TmpStr2;
+  UINTN                             BufSize;
+  BOOLEAN                           CautionKey;
+  BOOLEAN                           NoPpiInfo;
+  UINT16                            Index;
+  CHAR16                            DstStr[81];
+  CHAR16                            TempBuffer[1024];
+  CHAR16                            TempBuffer2[1024];
+  EFI_TCG2_PROTOCOL                 *Tcg2Protocol;
+  EFI_TCG2_BOOT_SERVICE_CAPABILITY  ProtocolCapability;
+  UINT32                            CurrentPCRBanks;
+  EFI_STATUS                        Status;
+
+  TmpStr2     = NULL;
+  CautionKey  = FALSE;
+  NoPpiInfo   = FALSE;
+  BufSize     = CONFIRM_BUFFER_SIZE;
+  ConfirmText = AllocateZeroPool (BufSize);
+  ASSERT (ConfirmText != NULL);
+
+  mTcg2PpStringPackHandle = HiiAddPackages (&gEfiTcg2PhysicalPresenceGuid, 
gImageHandle, DxeTcg2PhysicalPresenceLibStrings, NULL);
+  ASSERT (mTcg2PpStringPackHandle != NULL);
+
+  switch (TpmPpCommand) {
+
+    case TCG2_PHYSICAL_PRESENCE_CLEAR:
+    case TCG2_PHYSICAL_PRESENCE_ENABLE_CLEAR:
+    case TCG2_PHYSICAL_PRESENCE_ENABLE_CLEAR_2:
+    case TCG2_PHYSICAL_PRESENCE_ENABLE_CLEAR_3:
+      CautionKey = TRUE;
+      TmpStr2 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN (TPM_CLEAR));
+
+      TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN 
(TPM_HEAD_STR));
+      UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2);
+      FreePool (TmpStr1);
+
+      TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN 
(TPM_WARNING_CLEAR));
+      StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), TmpStr1, (BufSize / 
sizeof (CHAR16)) - StrLen (ConfirmText) - 1);
+      StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), L" \n\n", (BufSize / 
sizeof (CHAR16)) - StrLen (ConfirmText) - 1);
+      FreePool (TmpStr1);
+
+      break;
+
+    case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS:
+      Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **) 
&Tcg2Protocol);
+      ASSERT_EFI_ERROR (Status);
+
+      ProtocolCapability.Size = sizeof(ProtocolCapability);
+      Status = Tcg2Protocol->GetCapability (
+                               Tcg2Protocol,
+                               &ProtocolCapability
+                               );
+      ASSERT_EFI_ERROR (Status);
+
+      Status = Tcg2Protocol->GetActivePcrBanks (
+                               Tcg2Protocol,
+                               &CurrentPCRBanks
+                               );
+      ASSERT_EFI_ERROR (Status);
+
+      CautionKey = TRUE;
+      TmpStr2 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN 
(TPM_SET_PCR_BANKS));
+
+      TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN 
(TPM_HEAD_STR));
+      UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2);
+      FreePool (TmpStr1);
+
+      TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN 
(TPM_WARNING_SET_PCR_BANKS_1));
+      StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), TmpStr1, (BufSize / 
sizeof (CHAR16)) - StrLen (ConfirmText) - 1);
+      FreePool (TmpStr1);
+
+      TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN 
(TPM_WARNING_SET_PCR_BANKS_2));
+      StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), TmpStr1, (BufSize / 
sizeof (CHAR16)) - StrLen (ConfirmText) - 1);
+      FreePool (TmpStr1);
+
+      Tcg2FillBufferWithBootHashAlg (TempBuffer, sizeof(TempBuffer), 
TpmPpCommandParameter);
+      Tcg2FillBufferWithBootHashAlg (TempBuffer2, sizeof(TempBuffer2), 
CurrentPCRBanks);
+
+      TmpStr1 = AllocateZeroPool (BufSize);
+      ASSERT (TmpStr1 != NULL);
+      UnicodeSPrint (TmpStr1, BufSize, L"Current PCRBanks is 0x%x. (%s)\nNew 
PCRBanks is 0x%x. (%s)\n", CurrentPCRBanks, TempBuffer2, TpmPpCommandParameter, 
TempBuffer);
+
+      StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), TmpStr1, (BufSize / 
sizeof (CHAR16)) - StrLen (ConfirmText) - 1);
+      StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), L" \n", (BufSize / 
sizeof (CHAR16)) - StrLen (ConfirmText) - 1);
+      FreePool (TmpStr1);
+
+      break;
+
+    case TCG2_PHYSICAL_PRESENCE_CHANGE_EPS:
+      CautionKey = TRUE;
+      TmpStr2 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN 
(TPM_CHANGE_EPS));
+
+      TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN 
(TPM_HEAD_STR));
+      UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2);
+      FreePool (TmpStr1);
+
+      TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN 
(TPM_WARNING_CHANGE_EPS_1));
+      StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), TmpStr1, (BufSize / 
sizeof (CHAR16)) - StrLen (ConfirmText) - 1);
+      FreePool (TmpStr1);
+
+      TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN 
(TPM_WARNING_CHANGE_EPS_2));
+      StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), TmpStr1, (BufSize / 
sizeof (CHAR16)) - StrLen (ConfirmText) - 1);
+      FreePool (TmpStr1);
+
+      break;
+
+    case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID:
+      TmpStr2 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN 
(TCG_STORAGE_ENABLE_BLOCK_SID));
+
+      TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN 
(TCG_STORAGE_HEAD_STR));
+      UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2);
+      FreePool (TmpStr1);
+      break;
+
+    case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID:
+      TmpStr2 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN 
(TCG_STORAGE_DISABLE_BLOCK_SID));
+
+      TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN 
(TCG_STORAGE_HEAD_STR));
+      UnicodeSPrint (ConfirmText, BufSize, TmpStr1, TmpStr2);
+      FreePool (TmpStr1);
+      break;
+
+    default:
+      ;
+  }
+
+  if (TmpStr2 == NULL) {
+    FreePool (ConfirmText);
+    return FALSE;
+  }
+
+  if (TpmPpCommand < TCG2_PHYSICAL_PRESENCE_STORAGE_MANAGEMENT_BEGIN) {
+    if (CautionKey) {
+      TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN 
(TPM_CAUTION_KEY));
+    } else {
+      TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN 
(TPM_ACCEPT_KEY));
+    }
+    StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), TmpStr1, (BufSize / 
sizeof (CHAR16)) - StrLen (ConfirmText) - 1);
+    FreePool (TmpStr1);
+
+    if (NoPpiInfo) {
+      TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN 
(TPM_NO_PPI_INFO));
+      StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), TmpStr1, (BufSize / 
sizeof (CHAR16)) - StrLen (ConfirmText) - 1);
+      FreePool (TmpStr1);
+    }
+
+    TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN 
(TPM_REJECT_KEY));
+  } else {
+    if (CautionKey) {
+      TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN 
(TCG_STORAGE_CAUTION_KEY));
+    } else {
+      TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN 
(TCG_STORAGE_ACCEPT_KEY));
+    }
+    StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), TmpStr1, (BufSize / 
sizeof (CHAR16)) - StrLen (ConfirmText) - 1);
+    FreePool (TmpStr1);
+
+    if (NoPpiInfo) {
+      TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN 
(TCG_STORAGE_NO_PPI_INFO));
+      StrnCatS (ConfirmText, BufSize / sizeof (CHAR16), TmpStr1, (BufSize / 
sizeof (CHAR16)) - StrLen (ConfirmText) - 1);
+      FreePool (TmpStr1);
+    }
+
+    TmpStr1 = Tcg2PhysicalPresenceGetStringById (STRING_TOKEN 
(TCG_STORAGE_REJECT_KEY));
+  }
+  BufSize -= StrSize (ConfirmText);
+  UnicodeSPrint (ConfirmText + StrLen (ConfirmText), BufSize, TmpStr1, 
TmpStr2);
+
+  DstStr[80] = L'\0';
+  for (Index = 0; Index < StrLen (ConfirmText); Index += 80) {
+    StrnCpyS (DstStr, sizeof (DstStr) / sizeof (CHAR16), ConfirmText + Index, 
sizeof (DstStr) / sizeof (CHAR16) - 1);
+    Print (DstStr);
+  }
+
+  FreePool (TmpStr1);
+  FreePool (TmpStr2);
+  FreePool (ConfirmText);
+  HiiRemovePackages (mTcg2PpStringPackHandle);
+
+  if (Tcg2ReadUserKey (CautionKey)) {
+    return TRUE;
+  }
+
+  return FALSE;
+}
+
+
+/**
+  Check if there is a valid physical presence command request. Also updates 
parameter value
+  to whether the requested physical presence command already confirmed by user
+
+   @param[out] RequestConfirmed          If the physical presence operation 
command required user confirm from UI.
+                                           True, it indicates the command 
doesn't require user confirm, or already confirmed
+                                                 in last boot cycle by user.
+                                           False, it indicates the command 
need user confirm from UI.
+
+   @retval  TRUE        Physical Presence operation command is valid.
+   @retval  FALSE       Physical Presence operation command is invalid.
+
+**/
+BOOLEAN
+Tcg2HaveValidTpmRequest  (
+  OUT     BOOLEAN                          *RequestConfirmed
+  )
+{
+  EFI_TCG2_PROTOCOL                 *Tcg2Protocol;
+  EFI_STATUS                        Status;
+
+  *RequestConfirmed = FALSE;
+
+  if (mPpi->Request <= TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX) {
+    //
+    // Need TCG2 protocol.
+    //
+    Status = gBS->LocateProtocol (&gEfiTcg2ProtocolGuid, NULL, (VOID **) 
&Tcg2Protocol);
+    if (EFI_ERROR (Status)) {
+      return FALSE;
+    }
+  }
+
+  switch (mPpi->Request) {
+    case TCG2_PHYSICAL_PRESENCE_NO_ACTION:
+    case TCG2_PHYSICAL_PRESENCE_LOG_ALL_DIGESTS:
+      *RequestConfirmed = TRUE;
+      return TRUE;
+
+    case TCG2_PHYSICAL_PRESENCE_CLEAR:
+    case TCG2_PHYSICAL_PRESENCE_ENABLE_CLEAR:
+    case TCG2_PHYSICAL_PRESENCE_ENABLE_CLEAR_2:
+    case TCG2_PHYSICAL_PRESENCE_ENABLE_CLEAR_3:
+    case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS:
+    case TCG2_PHYSICAL_PRESENCE_CHANGE_EPS:
+    case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID:
+    case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID:
+      break;
+
+    default:
+      //
+      // Wrong Physical Presence command
+      //
+      return FALSE;
+  }
+
+  //
+  // Physical Presence command is correct
+  //
+  return TRUE;
+}
+
+
+/**
+  Check and execute the requested physical presence command.
+
+  @param[in]      PlatformAuth      platform auth value. NULL means no 
platform auth change.
+**/
+VOID
+Tcg2ExecutePendingTpmRequest (
+  IN      TPM2B_AUTH                       *PlatformAuth OPTIONAL
+  )
+{
+  BOOLEAN                           RequestConfirmed;
+
+  if (mPpi->Request == TCG2_PHYSICAL_PRESENCE_NO_ACTION) {
+    //
+    // No operation request
+    //
+    return;
+  }
+
+  if (!Tcg2HaveValidTpmRequest (&RequestConfirmed)) {
+    //
+    // Invalid operation request.
+    //
+    if (mPpi->Request <= TCG2_PHYSICAL_PRESENCE_NO_ACTION_MAX) {
+      mPpi->Response = TCG_PP_OPERATION_RESPONSE_SUCCESS;
+    } else {
+      mPpi->Response = TCG_PP_OPERATION_RESPONSE_BIOS_FAILURE;
+    }
+    mPpi->LastRequest = mPpi->Request;
+    mPpi->Request = TCG2_PHYSICAL_PRESENCE_NO_ACTION;
+    mPpi->RequestParameter = 0;
+    return;
+  }
+
+  if (!RequestConfirmed) {
+    //
+    // Print confirm text and wait for approval.
+    //
+    RequestConfirmed = Tcg2UserConfirm (mPpi->Request, mPpi->RequestParameter);
+  }
+
+  //
+  // Execute requested physical presence command
+  //
+  mPpi->Response = TCG_PP_OPERATION_RESPONSE_USER_ABORT;
+  if (RequestConfirmed) {
+    mPpi->Response = Tcg2ExecutePhysicalPresence (
+                                                  PlatformAuth,
+                                                  mPpi->Request,
+                                                  mPpi->RequestParameter
+                                                  );
+  }
+
+  //
+  // Clear request
+  //
+  mPpi->LastRequest = mPpi->Request;
+  mPpi->Request = TCG2_PHYSICAL_PRESENCE_NO_ACTION;
+  mPpi->RequestParameter = 0;
+
+  if (mPpi->Response == TCG_PP_OPERATION_RESPONSE_USER_ABORT) {
+    return;
+  }
+
+  //
+  // Reset system to make new TPM settings in effect
+  //
+  switch (mPpi->LastRequest) {
+  case TCG2_PHYSICAL_PRESENCE_CLEAR:
+  case TCG2_PHYSICAL_PRESENCE_ENABLE_CLEAR:
+  case TCG2_PHYSICAL_PRESENCE_ENABLE_CLEAR_2:
+  case TCG2_PHYSICAL_PRESENCE_ENABLE_CLEAR_3:
+  case TCG2_PHYSICAL_PRESENCE_SET_PCR_BANKS:
+  case TCG2_PHYSICAL_PRESENCE_CHANGE_EPS:
+  case TCG2_PHYSICAL_PRESENCE_LOG_ALL_DIGESTS:
+    break;
+
+  case TCG2_PHYSICAL_PRESENCE_ENABLE_BLOCK_SID:
+  case TCG2_PHYSICAL_PRESENCE_DISABLE_BLOCK_SID:
+    break;
+
+  default:
+    if (mPpi->Request != TCG2_PHYSICAL_PRESENCE_NO_ACTION) {
+      break;
+    }
+    return;
+  }
+
+  Print (L"Rebooting system to make TPM2 settings in effect\n");
+  gRT->ResetSystem (EfiResetCold, EFI_SUCCESS, 0, NULL);
+  ASSERT (FALSE);
+}
+
+
+/**
+   Check and execute the pending TPM request.
+
+   The TPM request may come from OS or BIOS. This API will display request 
information and wait
+   for user confirmation if TPM request exists. The TPM request will be sent 
to TPM device after
+   the TPM request is confirmed, and one or more reset may be required to make 
TPM request to
+   take effect.
+
+   This API should be invoked after console in and console out are all ready 
as they are required
+   to display request information and get user input to confirm the request.
+
+   @param[in]  PlatformAuth                   platform auth value. NULL means 
no platform auth change.
+**/
+VOID
+EFIAPI
+Tcg2PhysicalPresenceLibProcessRequest (
+  IN      TPM2B_AUTH                     *PlatformAuth  OPTIONAL
+  )
+{
+  EFI_STATUS Status;
+
+  Status = QemuTpmInitPPI ();
+  if (EFI_ERROR (Status)) {
+    DEBUG ((EFI_D_INFO, "[TPM2PP] no TPM\n"));
+    return ;
+  }
+
+  //
+  // Check S4 resume
+  //
+  if (GetBootModeHob () == BOOT_ON_S4_RESUME) {
+    DEBUG ((EFI_D_INFO, "S4 Resume, Skip TPM PP process!\n"));
+    return ;
+  }
+
+  DEBUG ((EFI_D_INFO, "[TPM2PP] PPRequest=%x (PPRequestParameter=%x)\n", 
mPpi->Request, mPpi->RequestParameter));
+  Tcg2ExecutePendingTpmRequest (PlatformAuth);
+}
+
+
+/**
+  The handler for TPM physical presence function:
+  Return TPM Operation Response to OS Environment.
+
+  @param[out]     MostRecentRequest Most recent operation request.
+  @param[out]     Response          Response to the most recent operation 
request.
+
+  @return Return Code for Return TPM Operation Response to OS Environment.
+**/
+UINT32
+EFIAPI
+Tcg2PhysicalPresenceLibReturnOperationResponseToOsFunction (
+  OUT UINT32                *MostRecentRequest,
+  OUT UINT32                *Response
+  )
+{
+  EFI_STATUS Status;
+
+  DEBUG ((EFI_D_INFO, "[TPM2PP] ReturnOperationResponseToOsFunction\n"));
+
+  Status = QemuTpmInitPPI ();
+  if (EFI_ERROR (Status)) {
+    DEBUG ((EFI_D_INFO, "[TPM2PP] no TPM\n"));
+    *MostRecentRequest = 0;
+    *Response          = 0;
+    return TCG_PP_RETURN_TPM_OPERATION_RESPONSE_FAILURE;
+  }
+
+  *MostRecentRequest = mPpi->LastRequest;
+  *Response          = mPpi->Response;
+
+  return TCG_PP_RETURN_TPM_OPERATION_RESPONSE_SUCCESS;
+}
+
+
+/**
+  The handler for TPM physical presence function:
+  Submit TPM Operation Request to Pre-OS Environment and
+  Submit TPM Operation Request to Pre-OS Environment 2.
+
+  Caution: This function may receive untrusted input.
+
+  @param[in]      OperationRequest TPM physical presence operation request.
+  @param[in]      RequestParameter TPM physical presence operation request 
parameter.
+
+  @return Return Code for Submit TPM Operation Request to Pre-OS Environment 
and
+          Submit TPM Operation Request to Pre-OS Environment 2.
+**/
+UINT32
+EFIAPI
+Tcg2PhysicalPresenceLibSubmitRequestToPreOSFunction (
+  IN UINT32                 OperationRequest,
+  IN UINT32                 RequestParameter
+  )
+{
+  EFI_STATUS Status;
+
+  DEBUG ((EFI_D_INFO, "[TPM2PP] SubmitRequestToPreOSFunction, Request = %x, 
%x\n", OperationRequest, RequestParameter));
+
+  Status = QemuTpmInitPPI ();
+  if (EFI_ERROR (Status)) {
+    DEBUG ((EFI_D_INFO, "[TPM2PP] no TPM\n"));
+    return TCG_PP_SUBMIT_REQUEST_TO_PREOS_GENERAL_FAILURE;
+  }
+
+  mPpi->Request = OperationRequest;
+  mPpi->RequestParameter = RequestParameter;
+
+  return TCG_PP_SUBMIT_REQUEST_TO_PREOS_SUCCESS;
+}
diff --git 
a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.uni 
b/OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.uni
similarity index 97%
copy from 
SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.uni
copy to 
OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.uni
index 7cb7072c174a..aaae8f5014e7 100644
--- 
a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.uni
+++ b/OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/DxeTcg2PhysicalPresenceLib.uni
@@ -3,7 +3,7 @@
 //
 // This library will check and execute TPM 2.0 request from OS or BIOS. The 
request may
 // ask for user confirmation before execution.
-// 
+//
 // Caution: This module requires additional review when modified.
 // This driver will have external input - variable.
 // This external input must be validated carefully to avoid security issue.
@@ -24,4 +24,3 @@
 
 #string STR_MODULE_DESCRIPTION          #language en-US "This library will 
check and execute TPM 2.0 request from OS or BIOS. The request may ask for user 
confirmation before execution.\n"
                                                         "Caution: This module 
requires additional review when modified. This driver will have external input 
- variable. This external input must be validated carefully to avoid security 
issue."
-
diff --git 
a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/PhysicalPresenceStrings.uni 
b/OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/PhysicalPresenceStrings.uni
similarity index 62%
copy from 
SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/PhysicalPresenceStrings.uni
copy to OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/PhysicalPresenceStrings.uni
index 0271b890e01c..1470286b4c3b 100644
--- a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/PhysicalPresenceStrings.uni
+++ b/OvmfPkg/Library/Tcg2PhysicalPresenceLibQemu/PhysicalPresenceStrings.uni
@@ -2,12 +2,12 @@
   String definitions for TPM 2.0 physical presence confirm text.
 
 Copyright (c) 2013 - 2014, Intel Corporation. All rights reserved.<BR>
-This program and the accompanying materials 
-are licensed and made available under the terms and conditions of the BSD 
License 
-which accompanies this distribution.  The full text of the license may be 
found at 
+This program and the accompanying materials
+are licensed and made available under the terms and conditions of the BSD 
License
+which accompanies this distribution.  The full text of the license may be 
found at
 http://opensource.org/licenses/bsd-license.php
 
-THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, 
+THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
 
 **/
@@ -15,10 +15,9 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER 
EXPRESS OR IMPLIED.
 #langdef en-US "English"
 
 #string TPM_HEAD_STR                  #language en-US    "A configuration 
change was requested to %s this computer's TPM (Trusted Platform Module)\n\n"
-#string TPM_PPI_HEAD_STR              #language en-US    "A configuration 
change was requested to allow the Operating System to %s the computer's TPM 
(Trusted Platform Module) without asking for user confirmation in the 
future.\n\n"
 
-#string TPM_ACCEPT_KEY                #language en-US    "Press F10 " 
-#string TPM_CAUTION_KEY               #language en-US    "Press F12 " 
+#string TPM_ACCEPT_KEY                #language en-US    "Press F10 "
+#string TPM_CAUTION_KEY               #language en-US    "Press F12 "
 #string TPM_REJECT_KEY                #language en-US    "to %s the TPM 
\nPress ESC to reject this change request and continue\n"
 
 #string TPM_ENABLE                    #language en-US    "enable"
@@ -26,36 +25,25 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER 
EXPRESS OR IMPLIED.
 #string TPM_CLEAR                     #language en-US    "clear"
 #string TPM_SET_PCR_BANKS                       #language en-US    "change the 
boot measurements to use PCR bank(s) of"
 #string TPM_CHANGE_EPS                          #language en-US    "clear and 
change identity of"
-#string TPM_DISABLE_ENDORSEMENT_ENABLE_STORAGE  #language en-US    "disable 
access to some secrets stored in"
 
 #string TPM_NO_PPI_MAINTAIN           #language en-US    "maintain"
 #string TPM_NO_PPI_TURN_ON            #language en-US    "turn on"
 #string TPM_NO_PPI_TURN_OFF           #language en-US    "turn off"
 #string TPM_NO_PPI_INFO               #language en-US    "to approve future 
Operating System requests "
 
-#string TPM_WARNING_DISABLE           #language en-US    "WARNING: Doing so 
might prevent security applications that rely on the TPM from functioning as 
expected.\n\n"
 #string TPM_WARNING_CLEAR             #language en-US    "WARNING: Clearing 
erases information stored on the TPM. You will lose all created keys and access 
to data encrypted by these keys. "
-#string TPM_NOTE_CLEAR                #language en-US    "NOTE: This action 
does not clear the TPM, but by approving this configuration change, future 
actions to clear the TPM will not require user confirmation.\n\n"
 #string TPM_WARNING_SET_PCR_BANKS_1                     #language en-US    
"WARNING: Changing the PCR bank(s) of the boot measurements may prevent the 
Operating System from properly processing the measurements. Please check if 
your Operating System supports the new PCR bank(s).\n\n"
 #string TPM_WARNING_SET_PCR_BANKS_2                     #language en-US    
"WARNING: Secrets in the TPM that are bound to the boot state of your machine 
may become unusable.\n\n"
 #string TPM_WARNING_CHANGE_EPS_1                        #language en-US    
"WARNING: Clearing erases information stored on the TPM. You will lose all 
created keys and access to data encrypted with these keys.\n\n"
 #string TPM_WARNING_CHANGE_EPS_2                        #language en-US    
"WARNING: Changing the identity of the TPM may require additional steps to 
establish trust into the new identity.\n\n"
-#string TPM_WARNING_PP_CHANGE_PCRS_FALSE                #language en-US    
"WARNING: Allowing future changes to format of the boot measurement log may 
affect the Operating System.\n\n"
-#string TPM_WARNING_PP_CHANGE_EPS_FALSE_1               #language en-US    
"WARNING: Allowing future changes to the TPM's firmware may affect the 
operation of the TPM and may erase information stored on the TPM.\n\n"
-#string TPM_WARNING_PP_CHANGE_EPS_FALSE_2               #language en-US    
"You may lose all created keys and access to data encrypted by these keys.\n\n"
-#string TPM_WARNING_DISABLE_ENDORSEMENT_ENABLE_STORAGE  #language en-US    
"WARNING: Doing so might prevent security applications that rely on the TPM 
from functioning as expected.\n\n"
 
 #string TCG_STORAGE_HEAD_STR                  #language en-US    "A 
configuration change was requested to %s on subsequent boots\n\n"
-#string TCG_STORAGE_PPI_HEAD_STR              #language en-US    "A 
configuration change was requested to allow the Operating System to %s without 
asking for user confirmation in the future.\n\n"
 
-#string TCG_STORAGE_ACCEPT_KEY                #language en-US    "Press F10 " 
-#string TCG_STORAGE_CAUTION_KEY               #language en-US    "Press F12 " 
+#string TCG_STORAGE_ACCEPT_KEY                #language en-US    "Press F10 "
+#string TCG_STORAGE_CAUTION_KEY               #language en-US    "Press F12 "
 #string TCG_STORAGE_REJECT_KEY                #language en-US    "to %s\nPress 
ESC to reject this change request and continue\n"
 
 #string TCG_STORAGE_NO_PPI_INFO               #language en-US    "to approve 
future Operating System requests "
 
 #string TCG_STORAGE_ENABLE_BLOCK_SID          #language en-US    "issue a 
Block SID authentication command"
 #string TCG_STORAGE_DISABLE_BLOCK_SID         #language en-US    "disable 
issuing a Block SID authentication command"
-
-#string TCG_STORAGE_PP_ENABLE_BLOCK_SID       #language en-US    "enable 
blocking SID authentication"
-#string TCG_STORAGE_PP_DISABLE_BLOCK_SID      #language en-US    "disable 
blocking SID authentication"
-- 
2.17.0.253.g3dd125b46d
