summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/include/tpm_lite/tlcl.h5
-rw-r--r--src/lib/Makefile.inc2
-rw-r--r--src/lib/tpm2_marshaling.c23
-rw-r--r--src/lib/tpm2_tlcl.c16
-rw-r--r--src/lib/tpm2_tlcl_structures.h26
-rw-r--r--src/vendorcode/google/chromeos/Kconfig14
-rw-r--r--src/vendorcode/google/chromeos/Makefile.inc1
-rw-r--r--src/vendorcode/google/chromeos/tpm2.c45
8 files changed, 122 insertions, 10 deletions
diff --git a/src/include/tpm_lite/tlcl.h b/src/include/tpm_lite/tlcl.h
index 8ea5564ecb..95bae77f42 100644
--- a/src/include/tpm_lite/tlcl.h
+++ b/src/include/tpm_lite/tlcl.h
@@ -151,4 +151,9 @@ uint32_t tlcl_extend(int pcr_num, const uint8_t *in_digest,
*/
uint32_t tlcl_get_permanent_flags(TPM_PERMANENT_FLAGS *pflags);
+/**
+ * Disable platform hierarchy. Specific to TPM2. The TPM error code is returned.
+ */
+uint32_t tlcl_disable_platform_hierarchy(void);
+
#endif /* TPM_LITE_TLCL_H_ */
diff --git a/src/lib/Makefile.inc b/src/lib/Makefile.inc
index 2d5aa57fe7..9a9ddc865e 100644
--- a/src/lib/Makefile.inc
+++ b/src/lib/Makefile.inc
@@ -144,6 +144,8 @@ ramstage-$(CONFIG_GENERIC_GPIO_LIB) += gpio.c
ramstage-$(CONFIG_GENERIC_UDELAY) += timer.c
ramstage-y += b64_decode.c
ramstage-$(CONFIG_ACPI_NHLT) += nhlt.c
+ramstage-$(CONFIG_TPM2) += tpm2_marshaling.c
+ramstage-$(CONFIG_TPM2) += tpm2_tlcl.c
romstage-y += cbmem_common.c
romstage-y += imd_cbmem.c
diff --git a/src/lib/tpm2_marshaling.c b/src/lib/tpm2_marshaling.c
index 1edc69007a..38c8d2f05c 100644
--- a/src/lib/tpm2_marshaling.c
+++ b/src/lib/tpm2_marshaling.c
@@ -373,6 +373,23 @@ static void marshal_selftest(void **buffer,
marshal_u8(buffer, command_body->yes_no, buffer_space);
}
+static void marshal_hierarchy_control(void **buffer,
+ struct tpm2_hierarchy_control_cmd *command_body,
+ size_t *buffer_space)
+{
+ struct tpm2_session_header session_header;
+
+ car_set_var(tpm_tag, TPM_ST_SESSIONS);
+
+ marshal_TPM_HANDLE(buffer, TPM_RH_PLATFORM, buffer_space);
+ memset(&session_header, 0, sizeof(session_header));
+ session_header.session_handle = TPM_RS_PW;
+ marshal_session_header(buffer, &session_header, buffer_space);
+
+ marshal_TPM_HANDLE(buffer, command_body->enable, buffer_space);
+ marshal_u8(buffer, command_body->state, buffer_space);
+}
+
int tpm_marshal_command(TPM_CC command, void *tpm_command_body,
void *buffer, size_t buffer_size)
{
@@ -414,6 +431,11 @@ int tpm_marshal_command(TPM_CC command, void *tpm_command_body,
marshal_selftest(&cmd_body, tpm_command_body, &body_size);
break;
+ case TPM2_Hierarchy_Control:
+ marshal_hierarchy_control(&cmd_body, tpm_command_body,
+ &body_size);
+ break;
+
case TPM2_Clear:
marshal_clear(&cmd_body, &body_size);
break;
@@ -583,6 +605,7 @@ struct tpm2_response *tpm_unmarshal_response(TPM_CC command,
&tpm2_resp->nvr);
break;
+ case TPM2_Hierarchy_Control:
case TPM2_Clear:
case TPM2_NV_DefineSpace:
case TPM2_NV_Write:
diff --git a/src/lib/tpm2_tlcl.c b/src/lib/tpm2_tlcl.c
index 6f5243e160..6c0cd6e2b2 100644
--- a/src/lib/tpm2_tlcl.c
+++ b/src/lib/tpm2_tlcl.c
@@ -369,3 +369,19 @@ uint32_t tlcl_define_space(uint32_t space_index, size_t space_size)
return TPM_E_INTERNAL_INCONSISTENCY;
}
}
+
+uint32_t tlcl_disable_platform_hierarchy(void)
+{
+ struct tpm2_response *response;
+ struct tpm2_hierarchy_control_cmd hc = {
+ .enable = TPM_RH_PLATFORM,
+ .state = 0,
+ };
+
+ response = tpm_process_command(TPM2_Hierarchy_Control, &hc);
+
+ if (!response || response->hdr.tpm_code)
+ return TPM_E_INTERNAL_INCONSISTENCY;
+
+ return TPM_SUCCESS;
+}
diff --git a/src/lib/tpm2_tlcl_structures.h b/src/lib/tpm2_tlcl_structures.h
index 36a3e8b253..c5c6d87985 100644
--- a/src/lib/tpm2_tlcl_structures.h
+++ b/src/lib/tpm2_tlcl_structures.h
@@ -28,7 +28,7 @@ typedef uint8_t TPMI_YES_NO;
typedef TPM_ALG_ID TPMI_ALG_HASH;
typedef TPM_HANDLE TPMI_DH_PCR;
typedef TPM_HANDLE TPMI_RH_NV_INDEX;
-typedef TPM_HANDLE TPMI_RH_PROVISION;
+typedef TPM_HANDLE TPMI_RH_ENABLES;
typedef TPM_HANDLE TPMI_SH_AUTH_SESSION;
typedef TPM_HANDLE TPM_RH;
@@ -59,15 +59,16 @@ struct tpm_header {
} __attribute__((packed));
/* TPM command codes. */
-#define TPM2_Clear ((TPM_CC)0x00000126)
-#define TPM2_NV_DefineSpace ((TPM_CC)0x0000012A)
-#define TPM2_NV_Write ((TPM_CC)0x00000137)
-#define TPM2_NV_WriteLock ((TPM_CC)0x00000138)
-#define TPM2_SelfTest ((TPM_CC)0x00000143)
-#define TPM2_Startup ((TPM_CC)0x00000144)
-#define TPM2_NV_Read ((TPM_CC)0x0000014E)
-#define TPM2_GetCapability ((TPM_CC)0x0000017A)
-#define TPM2_PCR_Extend ((TPM_CC)0x00000182)
+#define TPM2_Hierarchy_Control ((TPM_CC)0x00000121)
+#define TPM2_Clear ((TPM_CC)0x00000126)
+#define TPM2_NV_DefineSpace ((TPM_CC)0x0000012A)
+#define TPM2_NV_Write ((TPM_CC)0x00000137)
+#define TPM2_NV_WriteLock ((TPM_CC)0x00000138)
+#define TPM2_SelfTest ((TPM_CC)0x00000143)
+#define TPM2_Startup ((TPM_CC)0x00000144)
+#define TPM2_NV_Read ((TPM_CC)0x0000014E)
+#define TPM2_GetCapability ((TPM_CC)0x0000017A)
+#define TPM2_PCR_Extend ((TPM_CC)0x00000182)
/* Startup values. */
#define TPM_SU_CLEAR 0
@@ -334,4 +335,9 @@ struct tpm2_pcr_extend_cmd {
TPML_DIGEST_VALUES digests;
};
+struct tpm2_hierarchy_control_cmd {
+ TPMI_RH_ENABLES enable;
+ TPMI_YES_NO state;
+};
+
#endif // __SRC_LIB_TPM2_TLCL_STRUCTURES_H
diff --git a/src/vendorcode/google/chromeos/Kconfig b/src/vendorcode/google/chromeos/Kconfig
index 238b4e51b1..97dfc60c22 100644
--- a/src/vendorcode/google/chromeos/Kconfig
+++ b/src/vendorcode/google/chromeos/Kconfig
@@ -127,6 +127,20 @@ config CHROMEOS_FWID_VERSION
This is the second part of the FWID written to various regions of a
Chrome OS firmware image to identify its version.
+config CHROMEOS_DISABLE_PLATFORM_HIERARCHY_ON_RESUME
+ bool
+ default y
+ depends on TPM2 && RESUME_PATH_SAME_AS_BOOT
+ help
+ Disable the platform heirarchy on resume path if the firmware
+ is involved in resume. The hierarchy is disabled prior to jumping
+ to the OS. Note that this option is sepcific to TPM2 boards.
+ This option is auto selected if CHROMEOS because it matches with
+ vboot_reference model which disables the platform hierarchy in
+ the boot loader. However, those operations need to be symmetric
+ on normal boot as well as resume and coreboot is only involved
+ in the resume piece w.r.t. the platform hierarchy.
+
menu "GBB configuration"
config GBB_HWID
diff --git a/src/vendorcode/google/chromeos/Makefile.inc b/src/vendorcode/google/chromeos/Makefile.inc
index 878b0684c0..f0762bcb55 100644
--- a/src/vendorcode/google/chromeos/Makefile.inc
+++ b/src/vendorcode/google/chromeos/Makefile.inc
@@ -24,6 +24,7 @@ ramstage-$(CONFIG_HAVE_ACPI_TABLES) += acpi.c
ramstage-$(CONFIG_CHROMEOS_RAMOOPS) += ramoops.c
romstage-y += vpd_decode.c
ramstage-y += vpd_decode.c cros_vpd.c vpd_mac.c vpd_serialno.c vpd_calibration.c
+ramstage-$(CONFIG_CHROMEOS_DISABLE_PLATFORM_HIERARCHY_ON_RESUME) += tpm2.c
ramstage-$(CONFIG_HAVE_REGULATORY_DOMAIN) += wrdd.c
ramstage-$(CONFIG_USE_SAR) += sar.c
ifeq ($(CONFIG_ARCH_MIPS),)
diff --git a/src/vendorcode/google/chromeos/tpm2.c b/src/vendorcode/google/chromeos/tpm2.c
new file mode 100644
index 0000000000..fd1dac9a35
--- /dev/null
+++ b/src/vendorcode/google/chromeos/tpm2.c
@@ -0,0 +1,45 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright 2017 Google Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+#include <bootstate.h>
+#include <console/console.h>
+#include <tpm_lite/tlcl.h>
+#include <vb2_api.h>
+
+static void disable_platform_hierarchy(void *unused)
+{
+ int ret;
+
+ if (!IS_ENABLED(CONFIG_TPM2))
+ return;
+
+ if (!IS_ENABLED(CONFIG_RESUME_PATH_SAME_AS_BOOT))
+ return;
+
+ ret = tlcl_lib_init();
+
+ if (ret != VB2_SUCCESS) {
+ printk(BIOS_ERR, "tlcl_lib_init() failed: %x\n", ret);
+ return;
+ }
+
+ ret = tlcl_disable_platform_hierarchy();
+ if (ret != TPM_SUCCESS)
+ printk(BIOS_ERR, "Platform hierarchy disablement failed: %x\n",
+ ret);
+}
+
+BOOT_STATE_INIT_ENTRY(BS_OS_RESUME, BS_ON_ENTRY, disable_platform_hierarchy,
+ NULL);