diff options
| author | Philipp Deppenwiese <zaolin@das-labor.org> | 2018-08-14 09:46:55 -0700 |
|---|---|---|
| committer | Philipp Deppenwiese <zaolin.daisuki@gmail.com> | 2018-08-21 15:45:15 +0000 |
| commit | 4d2af9df7cc1aab4a48ddf0f06c3f92e6580f6fa (patch) | |
| tree | 8e68da928a527b66e785f397f03938c6fa47fad2 | |
| parent | e155e78a4726369aad2ef28054030adb7a2a204d (diff) | |
| download | coreboot-4d2af9df7cc1aab4a48ddf0f06c3f92e6580f6fa.tar.xz | |
security/tpm: Fix TPM 1.2 state machine issues
* Fix ACPI resume path compilation for TPM ramstage
driver
* Move enabling of the TPM prior activation and remove
reboot return status from TPM enable.
More information can be found via the TCG
specification v1.2
Tested=Elgon
Change-Id: Ided110e0c1889b302e29acac6d8d2341f97eb10b
Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org>
Reviewed-on: https://review.coreboot.org/28085
Reviewed-by: Patrick Rudolph <patrick.rudolph@9elements.com>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
| -rw-r--r-- | src/drivers/tpm/tpm.c | 6 | ||||
| -rw-r--r-- | src/security/tpm/tspi/tspi.c | 31 |
2 files changed, 18 insertions, 19 deletions
diff --git a/src/drivers/tpm/tpm.c b/src/drivers/tpm/tpm.c index e4a81c3da4..77d3a8e81e 100644 --- a/src/drivers/tpm/tpm.c +++ b/src/drivers/tpm/tpm.c @@ -18,16 +18,18 @@ #include <bootstate.h> #include <security/tpm/tspi.h> -#if IS_ENABLED(CONFIG_ARCH_X86) +#if IS_ENABLED(CONFIG_HAVE_ACPI_RESUME) #include <arch/acpi.h> #endif static void init_tpm_dev(void *unused) { -#if IS_ENABLED(CONFIG_ARCH_X86) +#if IS_ENABLED(CONFIG_HAVE_ACPI_RESUME) int s3resume = acpi_is_wakeup_s3(); tpm_setup(s3resume); #else + /* This can lead to PCR reset attacks but currently there + is no generic way to detect resume on other platforms. */ tpm_setup(false); #endif } diff --git a/src/security/tpm/tspi/tspi.c b/src/security/tpm/tspi/tspi.c index 950e930133..fccf224519 100644 --- a/src/security/tpm/tspi/tspi.c +++ b/src/security/tpm/tspi/tspi.c @@ -25,17 +25,27 @@ #if IS_ENABLED(CONFIG_TPM1) static uint32_t tpm1_invoke_state_machine(void) { - uint8_t disable; + uint8_t disabled; uint8_t deactivated; uint32_t result = TPM_SUCCESS; /* Check that the TPM is enabled and activated. */ - result = tlcl_get_flags(&disable, &deactivated, NULL); + result = tlcl_get_flags(&disabled, &deactivated, NULL); if (result != TPM_SUCCESS) { printk(BIOS_ERR, "TPM: Can't read capabilities.\n"); return result; } + if (disabled) { + printk(BIOS_INFO, "TPM: is disabled. Enabling...\n"); + + result = tlcl_set_enable(); + if (result != TPM_SUCCESS) { + printk(BIOS_ERR, "TPM: Can't set enabled state.\n"); + return result; + } + } + if (!!deactivated != IS_ENABLED(CONFIG_TPM_DEACTIVATE)) { printk(BIOS_INFO, "TPM: Unexpected TPM deactivated state. Toggling...\n"); @@ -50,19 +60,6 @@ static uint32_t tpm1_invoke_state_machine(void) result = TPM_E_MUST_REBOOT; } - if (disable && !deactivated) { - printk(BIOS_INFO, "TPM: disabled (%d). Enabling...\n", disable); - - result = tlcl_set_enable(); - if (result != TPM_SUCCESS) { - printk(BIOS_ERR, "TPM: Can't set enabled state.\n"); - return result; - } - - printk(BIOS_INFO, "TPM: Must reboot to re-enable\n"); - result = TPM_E_MUST_REBOOT; - } - return result; } #endif @@ -122,8 +119,8 @@ uint32_t tpm_setup(int s3flag) result = tlcl_physical_presence_cmd_enable(); if (result != TPM_SUCCESS) { printk( - BIOS_ERR, - "TPM: Can't enable physical presence command.\n"); + BIOS_ERR, + "TPM: Can't enable physical presence command.\n"); goto out; } |