From 4c0851cc37f42ed88d62b876357b71cfdaac480f Mon Sep 17 00:00:00 2001
From: Vadim Bendebury <vbendeb@chromium.org>
Date: Sun, 3 Jul 2016 17:08:10 -0700
Subject: tpm2: implement locking firmware rollback counter

TPM1.2 is using the somewhat misnamed tlcl_set_global_lock() command
function to lock the hardware rollback counter. For TPM2 let's
implement and use the TPM2 command to lock an NV Ram location
(TPM2_NV_WriteLock).

BRANCH=none
BUG=chrome-os-partner:50645
TEST=verified that TPM2_NV_WriteLock command is invoked before RO
     firmware starts RW, and succeeds.

Change-Id: I52aa8db95b908488ec4cf0843afeb6310dc7f38b
Signed-off-by: Martin Roth <martinroth@chromium.org>
Original-Commit-Id: 2f859335dfccfeea900f15bbb8c6cb3fd5ec8c77
Original-Change-Id: I62f22b9991522d4309cccc44180a5ebd4dca488d
Original-Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Original-Reviewed-on: https://chromium-review.googlesource.com/358097
Original-Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Original-Reviewed-by: Darren Krahn <dkrahn@chromium.org>
Reviewed-on: https://review.coreboot.org/15638
Tested-by: build bot (Jenkins)
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
---
 src/lib/tpm2_tlcl.c | 27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)

(limited to 'src/lib/tpm2_tlcl.c')

diff --git a/src/lib/tpm2_tlcl.c b/src/lib/tpm2_tlcl.c
index 312fe36414..3003400033 100644
--- a/src/lib/tpm2_tlcl.c
+++ b/src/lib/tpm2_tlcl.c
@@ -201,19 +201,22 @@ uint32_t tlcl_set_enable(void)
 	return TPM_SUCCESS;
 }
 
-uint32_t tlcl_set_global_lock(void)
+uint32_t tlcl_lock_nv_write(uint32_t index)
 {
-	/*
-	 * This is where the locking of the RO NVram index is supposed to
-	 * happen. The most likely way to achieve it is to extend PCR used for
-	 * policy when defining this space.
-	 */
-	printk(BIOS_INFO, "%s:%s:%d\n", __FILE__, __func__, __LINE__);
-	return TPM_SUCCESS;
-}
-uint32_t tlcl_set_nv_locked(void)
-{
-	printk(BIOS_INFO, "%s:%s:%d\n", __FILE__, __func__, __LINE__);
+	struct tpm2_response *response;
+	/* TPM Wll reject attempts to write at non-defined index. */
+	struct tpm2_nv_write_lock_cmd nv_wl = {
+		.nvIndex = HR_NV_INDEX + index,
+	};
+
+	response = tpm_process_command(TPM2_NV_WriteLock, &nv_wl);
+
+	printk(BIOS_INFO, "%s: response is %x\n",
+	       __func__, response ? response->hdr.tpm_code : -1);
+
+	if (!response || response->hdr.tpm_code)
+		return TPM_E_IOERROR;
+
 	return TPM_SUCCESS;
 }
 
-- 
cgit v1.2.3