Security Advisory

23. OPAL driver has PP issue on BlockSid


EDKII open source has OPAL driver at SecurityPkg\Tcg\Opal. It includes a feature named BlockSid, which is defined in TCG Physical Presence and TCG OPAL BlockSid specification. The TCG PP spec defines PP opcode to enable/disableBlockSid, which may need user confirmation. However, current EDKII OPAL driver just uses a normal variable (OPAL_EXTRA_INFO_VAR_NAME/gOpalExtraInfoVariableGuid) to store the BlockSid enable/disable. This driver does not follow TCG recommendation to use PP process to request user confirmation on BlockSid state change. Also this variable is NOT locked. It means any one can overwrite this variable and bypass BlockSid operation.


We had better follow TCG PP specification, and implement TCG storage operation (96~101). So that: 1. User confirmation is needed when BlockSid state is changed. (This follows TCG PP spec) 2. This BlockSid state is still saved into variable, but the variable is locked via EDKII_VARIABLE_LOCK_PROTOCOL (This makes sure no malicious code may modify BlockSid enable/disable state.)
This is addressed by EDK2 GIT e92ddda2b547f0b952935abaf44fd72e97dbf755..4e3b05a49f454bc257252ae9090421e3c8447737, bee13c00218f3ed3118d8d87683c11b31ca04564, 01dd077315c6759c94af9af4232f8318db13cf8d.


Reported by Yao, Jiewen [email protected].


  • USRT M1620
  • TCG PC Client Platform Physical Presence Interface Specification
  • TCG Storage Feature Set: Block SID Authentication