From 7b9b576c71c71ed134f50497fd58f862109dd80b Mon Sep 17 00:00:00 2001
From: Star Zeng <star.zeng@intel.com>
Date: Fri, 18 Nov 2016 15:34:54 +0800
Subject: SecurityPkg DxeTcg2PPLib: Lock Tcg2PhysicalPresenceFlags variable on
 S4

The code updates Tcg2PhysicalPresenceLibProcessRequest() to also lock
Tcg2PhysicalPresenceFlags variable on S4.

Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Chao Zhang <chao.b.zhang@intel.com>
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Star Zeng <star.zeng@intel.com>
Reviewed-by: Chao Zhang <chao.b.zhang@intel.com>
---
 .../DxeTcg2PhysicalPresenceLib.c                   | 34 +++++++++++-----------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
index 4cec0f7527..bfecffa0fe 100644
--- a/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
+++ b/SecurityPkg/Library/DxeTcg2PhysicalPresenceLib/DxeTcg2PhysicalPresenceLib.c
@@ -794,6 +794,23 @@ Tcg2PhysicalPresenceLibProcessRequest (
   if (EFI_ERROR (Status)) {
     return ;
   }
+
+  //
+  // This flags variable controls whether physical presence is required for TPM command. 
+  // It should be protected from malicious software. We set it as read-only variable here.
+  //
+  Status = gBS->LocateProtocol (&gEdkiiVariableLockProtocolGuid, NULL, (VOID **)&VariableLockProtocol);
+  if (!EFI_ERROR (Status)) {
+    Status = VariableLockProtocol->RequestToLock (
+                                     VariableLockProtocol,
+                                     TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE,
+                                     &gEfiTcg2PhysicalPresenceGuid
+                                     );
+    if (EFI_ERROR (Status)) {
+      DEBUG ((EFI_D_ERROR, "[TPM2] Error when lock variable %s, Status = %r\n", TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE, Status));
+      ASSERT_EFI_ERROR (Status);
+    }
+  }
   
   //
   // Check S4 resume
@@ -832,23 +849,6 @@ Tcg2PhysicalPresenceLibProcessRequest (
     }
   }
   DEBUG ((EFI_D_INFO, "[TPM2] PpiFlags = %x\n", PpiFlags.PPFlags));
-
-  //
-  // This flags variable controls whether physical presence is required for TPM command. 
-  // It should be protected from malicious software. We set it as read-only variable here.
-  //
-  Status = gBS->LocateProtocol (&gEdkiiVariableLockProtocolGuid, NULL, (VOID **)&VariableLockProtocol);
-  if (!EFI_ERROR (Status)) {
-    Status = VariableLockProtocol->RequestToLock (
-                                     VariableLockProtocol,
-                                     TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE,
-                                     &gEfiTcg2PhysicalPresenceGuid
-                                     );
-    if (EFI_ERROR (Status)) {
-      DEBUG ((EFI_D_ERROR, "[TPM2] Error when lock variable %s, Status = %r\n", TCG2_PHYSICAL_PRESENCE_FLAGS_VARIABLE, Status));
-      ASSERT_EFI_ERROR (Status);
-    }
-  }
   
   //
   // Initialize physical presence variable.
-- 
cgit v1.2.3