From ce58a4e0021eb1b1bb6ab26bdb3bbbff26a5ad83 Mon Sep 17 00:00:00 2001 From: Vladimir Serbinenko Date: Mon, 18 May 2015 10:46:57 +0200 Subject: Deactivate TPM Just not exporting TPM isn't good enough as it can still be accessed. You need to send it a deactivate command. Change-Id: I3eb84660949c2d1e2b492d541e01d4ba78037630 Signed-off-by: Vladimir Serbinenko Reviewed-on: http://review.coreboot.org/10270 Tested-by: build bot (Jenkins) Reviewed-by: Patrick Georgi --- src/drivers/pc80/tpm/Kconfig | 7 +++++++ src/drivers/pc80/tpm/acpi/tpm.asl | 10 +++++----- src/drivers/pc80/tpm/romstage.c | 19 +++++++++++++++++++ 3 files changed, 31 insertions(+), 5 deletions(-) (limited to 'src') diff --git a/src/drivers/pc80/tpm/Kconfig b/src/drivers/pc80/tpm/Kconfig index fc9270be58..148387128d 100644 --- a/src/drivers/pc80/tpm/Kconfig +++ b/src/drivers/pc80/tpm/Kconfig @@ -37,3 +37,10 @@ config SKIP_TPM_STARTUP_ON_NORMAL_BOOT depends on LPC_TPM help Skip TPM init on normal boot. Useful if payload does TPM init. + +config TPM_DEACTIVATE + bool "Deactivate TPM" + default n + depends on LPC_TPM + help + Deactivate TPM by issuing deactivate command. diff --git a/src/drivers/pc80/tpm/acpi/tpm.asl b/src/drivers/pc80/tpm/acpi/tpm.asl index 30b14ce897..0562f2a935 100644 --- a/src/drivers/pc80/tpm/acpi/tpm.asl +++ b/src/drivers/pc80/tpm/acpi/tpm.asl @@ -27,11 +27,11 @@ Device (TPM) Method (_STA, 0) { - If (CONFIG_LPC_TPM) { - Return (0xf) - } Else { - Return (0x0) - } +#if CONFIG_LPC_TPM && !CONFIG_TPM_DEACTIVATE + Return (0xf) +#else + Return (0x0) +#endif } Name (IBUF, ResourceTemplate () diff --git a/src/drivers/pc80/tpm/romstage.c b/src/drivers/pc80/tpm/romstage.c index 5e29e3a14d..96760e22f4 100644 --- a/src/drivers/pc80/tpm/romstage.c +++ b/src/drivers/pc80/tpm/romstage.c @@ -50,6 +50,12 @@ static const struct { {0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x99, 0x0, 0x1 } }; +static const struct { + u8 buffer[12]; +} tpm_deactivate_cmd = { + {0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x99, 0x0, 0x3 } +}; + static const struct { u8 buffer[10]; } tpm_continueselftest_cmd = { @@ -181,6 +187,19 @@ void init_tpm(int s3resume) u32 result; u8 response[TPM_LARGE_ENOUGH_COMMAND_SIZE]; + if (CONFIG_TPM_DEACTIVATE) { + printk(BIOS_SPEW, "TPM: Deactivate\n"); + result = TlclSendReceive(tpm_deactivate_cmd.buffer, + response, sizeof(response)); + if (result == TPM_SUCCESS) { + printk(BIOS_SPEW, "TPM: OK.\n"); + return; + } + + printk(BIOS_ERR, "TPM: Error code 0x%x.\n", result); + return; + } + /* Doing TPM startup when we're not coming in on the S3 resume path * saves us roughly 20ms in boot time only. This does not seem to * be worth an API change to vboot_reference-firmware right now, so -- cgit v1.2.3