diff options
-rw-r--r-- | src/include/tpm_lite/tlcl.h | 5 | ||||
-rw-r--r-- | src/lib/Makefile.inc | 2 | ||||
-rw-r--r-- | src/lib/tpm2_marshaling.c | 23 | ||||
-rw-r--r-- | src/lib/tpm2_tlcl.c | 16 | ||||
-rw-r--r-- | src/lib/tpm2_tlcl_structures.h | 26 | ||||
-rw-r--r-- | src/vendorcode/google/chromeos/Kconfig | 14 | ||||
-rw-r--r-- | src/vendorcode/google/chromeos/Makefile.inc | 1 | ||||
-rw-r--r-- | src/vendorcode/google/chromeos/tpm2.c | 45 |
8 files changed, 122 insertions, 10 deletions
diff --git a/src/include/tpm_lite/tlcl.h b/src/include/tpm_lite/tlcl.h index 8ea5564ecb..95bae77f42 100644 --- a/src/include/tpm_lite/tlcl.h +++ b/src/include/tpm_lite/tlcl.h @@ -151,4 +151,9 @@ uint32_t tlcl_extend(int pcr_num, const uint8_t *in_digest, */ uint32_t tlcl_get_permanent_flags(TPM_PERMANENT_FLAGS *pflags); +/** + * Disable platform hierarchy. Specific to TPM2. The TPM error code is returned. + */ +uint32_t tlcl_disable_platform_hierarchy(void); + #endif /* TPM_LITE_TLCL_H_ */ diff --git a/src/lib/Makefile.inc b/src/lib/Makefile.inc index 2d5aa57fe7..9a9ddc865e 100644 --- a/src/lib/Makefile.inc +++ b/src/lib/Makefile.inc @@ -144,6 +144,8 @@ ramstage-$(CONFIG_GENERIC_GPIO_LIB) += gpio.c ramstage-$(CONFIG_GENERIC_UDELAY) += timer.c ramstage-y += b64_decode.c ramstage-$(CONFIG_ACPI_NHLT) += nhlt.c +ramstage-$(CONFIG_TPM2) += tpm2_marshaling.c +ramstage-$(CONFIG_TPM2) += tpm2_tlcl.c romstage-y += cbmem_common.c romstage-y += imd_cbmem.c diff --git a/src/lib/tpm2_marshaling.c b/src/lib/tpm2_marshaling.c index 1edc69007a..38c8d2f05c 100644 --- a/src/lib/tpm2_marshaling.c +++ b/src/lib/tpm2_marshaling.c @@ -373,6 +373,23 @@ static void marshal_selftest(void **buffer, marshal_u8(buffer, command_body->yes_no, buffer_space); } +static void marshal_hierarchy_control(void **buffer, + struct tpm2_hierarchy_control_cmd *command_body, + size_t *buffer_space) +{ + struct tpm2_session_header session_header; + + car_set_var(tpm_tag, TPM_ST_SESSIONS); + + marshal_TPM_HANDLE(buffer, TPM_RH_PLATFORM, buffer_space); + memset(&session_header, 0, sizeof(session_header)); + session_header.session_handle = TPM_RS_PW; + marshal_session_header(buffer, &session_header, buffer_space); + + marshal_TPM_HANDLE(buffer, command_body->enable, buffer_space); + marshal_u8(buffer, command_body->state, buffer_space); +} + int tpm_marshal_command(TPM_CC command, void *tpm_command_body, void *buffer, size_t buffer_size) { @@ -414,6 +431,11 @@ int tpm_marshal_command(TPM_CC command, void *tpm_command_body, marshal_selftest(&cmd_body, tpm_command_body, &body_size); break; + case TPM2_Hierarchy_Control: + marshal_hierarchy_control(&cmd_body, tpm_command_body, + &body_size); + break; + case TPM2_Clear: marshal_clear(&cmd_body, &body_size); break; @@ -583,6 +605,7 @@ struct tpm2_response *tpm_unmarshal_response(TPM_CC command, &tpm2_resp->nvr); break; + case TPM2_Hierarchy_Control: case TPM2_Clear: case TPM2_NV_DefineSpace: case TPM2_NV_Write: diff --git a/src/lib/tpm2_tlcl.c b/src/lib/tpm2_tlcl.c index 6f5243e160..6c0cd6e2b2 100644 --- a/src/lib/tpm2_tlcl.c +++ b/src/lib/tpm2_tlcl.c @@ -369,3 +369,19 @@ uint32_t tlcl_define_space(uint32_t space_index, size_t space_size) return TPM_E_INTERNAL_INCONSISTENCY; } } + +uint32_t tlcl_disable_platform_hierarchy(void) +{ + struct tpm2_response *response; + struct tpm2_hierarchy_control_cmd hc = { + .enable = TPM_RH_PLATFORM, + .state = 0, + }; + + response = tpm_process_command(TPM2_Hierarchy_Control, &hc); + + if (!response || response->hdr.tpm_code) + return TPM_E_INTERNAL_INCONSISTENCY; + + return TPM_SUCCESS; +} diff --git a/src/lib/tpm2_tlcl_structures.h b/src/lib/tpm2_tlcl_structures.h index 36a3e8b253..c5c6d87985 100644 --- a/src/lib/tpm2_tlcl_structures.h +++ b/src/lib/tpm2_tlcl_structures.h @@ -28,7 +28,7 @@ typedef uint8_t TPMI_YES_NO; typedef TPM_ALG_ID TPMI_ALG_HASH; typedef TPM_HANDLE TPMI_DH_PCR; typedef TPM_HANDLE TPMI_RH_NV_INDEX; -typedef TPM_HANDLE TPMI_RH_PROVISION; +typedef TPM_HANDLE TPMI_RH_ENABLES; typedef TPM_HANDLE TPMI_SH_AUTH_SESSION; typedef TPM_HANDLE TPM_RH; @@ -59,15 +59,16 @@ struct tpm_header { } __attribute__((packed)); /* TPM command codes. */ -#define TPM2_Clear ((TPM_CC)0x00000126) -#define TPM2_NV_DefineSpace ((TPM_CC)0x0000012A) -#define TPM2_NV_Write ((TPM_CC)0x00000137) -#define TPM2_NV_WriteLock ((TPM_CC)0x00000138) -#define TPM2_SelfTest ((TPM_CC)0x00000143) -#define TPM2_Startup ((TPM_CC)0x00000144) -#define TPM2_NV_Read ((TPM_CC)0x0000014E) -#define TPM2_GetCapability ((TPM_CC)0x0000017A) -#define TPM2_PCR_Extend ((TPM_CC)0x00000182) +#define TPM2_Hierarchy_Control ((TPM_CC)0x00000121) +#define TPM2_Clear ((TPM_CC)0x00000126) +#define TPM2_NV_DefineSpace ((TPM_CC)0x0000012A) +#define TPM2_NV_Write ((TPM_CC)0x00000137) +#define TPM2_NV_WriteLock ((TPM_CC)0x00000138) +#define TPM2_SelfTest ((TPM_CC)0x00000143) +#define TPM2_Startup ((TPM_CC)0x00000144) +#define TPM2_NV_Read ((TPM_CC)0x0000014E) +#define TPM2_GetCapability ((TPM_CC)0x0000017A) +#define TPM2_PCR_Extend ((TPM_CC)0x00000182) /* Startup values. */ #define TPM_SU_CLEAR 0 @@ -334,4 +335,9 @@ struct tpm2_pcr_extend_cmd { TPML_DIGEST_VALUES digests; }; +struct tpm2_hierarchy_control_cmd { + TPMI_RH_ENABLES enable; + TPMI_YES_NO state; +}; + #endif // __SRC_LIB_TPM2_TLCL_STRUCTURES_H diff --git a/src/vendorcode/google/chromeos/Kconfig b/src/vendorcode/google/chromeos/Kconfig index 238b4e51b1..97dfc60c22 100644 --- a/src/vendorcode/google/chromeos/Kconfig +++ b/src/vendorcode/google/chromeos/Kconfig @@ -127,6 +127,20 @@ config CHROMEOS_FWID_VERSION This is the second part of the FWID written to various regions of a Chrome OS firmware image to identify its version. +config CHROMEOS_DISABLE_PLATFORM_HIERARCHY_ON_RESUME + bool + default y + depends on TPM2 && RESUME_PATH_SAME_AS_BOOT + help + Disable the platform heirarchy on resume path if the firmware + is involved in resume. The hierarchy is disabled prior to jumping + to the OS. Note that this option is sepcific to TPM2 boards. + This option is auto selected if CHROMEOS because it matches with + vboot_reference model which disables the platform hierarchy in + the boot loader. However, those operations need to be symmetric + on normal boot as well as resume and coreboot is only involved + in the resume piece w.r.t. the platform hierarchy. + menu "GBB configuration" config GBB_HWID diff --git a/src/vendorcode/google/chromeos/Makefile.inc b/src/vendorcode/google/chromeos/Makefile.inc index 878b0684c0..f0762bcb55 100644 --- a/src/vendorcode/google/chromeos/Makefile.inc +++ b/src/vendorcode/google/chromeos/Makefile.inc @@ -24,6 +24,7 @@ ramstage-$(CONFIG_HAVE_ACPI_TABLES) += acpi.c ramstage-$(CONFIG_CHROMEOS_RAMOOPS) += ramoops.c romstage-y += vpd_decode.c ramstage-y += vpd_decode.c cros_vpd.c vpd_mac.c vpd_serialno.c vpd_calibration.c +ramstage-$(CONFIG_CHROMEOS_DISABLE_PLATFORM_HIERARCHY_ON_RESUME) += tpm2.c ramstage-$(CONFIG_HAVE_REGULATORY_DOMAIN) += wrdd.c ramstage-$(CONFIG_USE_SAR) += sar.c ifeq ($(CONFIG_ARCH_MIPS),) diff --git a/src/vendorcode/google/chromeos/tpm2.c b/src/vendorcode/google/chromeos/tpm2.c new file mode 100644 index 0000000000..fd1dac9a35 --- /dev/null +++ b/src/vendorcode/google/chromeos/tpm2.c @@ -0,0 +1,45 @@ +/* + * This file is part of the coreboot project. + * + * Copyright 2017 Google Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; version 2 of the License. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + */ + +#include <bootstate.h> +#include <console/console.h> +#include <tpm_lite/tlcl.h> +#include <vb2_api.h> + +static void disable_platform_hierarchy(void *unused) +{ + int ret; + + if (!IS_ENABLED(CONFIG_TPM2)) + return; + + if (!IS_ENABLED(CONFIG_RESUME_PATH_SAME_AS_BOOT)) + return; + + ret = tlcl_lib_init(); + + if (ret != VB2_SUCCESS) { + printk(BIOS_ERR, "tlcl_lib_init() failed: %x\n", ret); + return; + } + + ret = tlcl_disable_platform_hierarchy(); + if (ret != TPM_SUCCESS) + printk(BIOS_ERR, "Platform hierarchy disablement failed: %x\n", + ret); +} + +BOOT_STATE_INIT_ENTRY(BS_OS_RESUME, BS_ON_ENTRY, disable_platform_hierarchy, + NULL); |