authorVadim Bendebury <vbendeb@chromium.org>2021-10-13 15:27:54 -0700
committerCommit Bot <commit-bot@chromium.org>2021-10-14 18:13:58 +0000
commit5c95b1abffdb48495ea0f0309e3fa66e88074be7 (patch)
treee70c98c079deb744d7552299578bc9c2740a109b
parentb72f2a1c948ad6e1a5a4402cf07121d815400d58 (diff)
ap_ro_verification: Do not allow over USB
It should not be possible to trigger AP RO verification by sending the vendor command over the USB interface, it should be triggered only when the user enters the existing key sequence, or when coming from the AP as a TPM command. When verification is triggered by the key sequence the verification function is still invoked as a TPM vendor command, because a context switch into TPM task is required to be able to use its large stack. The problem is that when TPM task processes context switching commands, it unconditionally sets the bit indicating that they come from USB. This is required for some CCD commands, but not for the AP RO verification request. Let's introduce a new flag to be able to tell between commands coming from USB and from alternative sources, and allow AP RO verification be triggered by alternative sources but not from USB. BUG=b:202902506 TEST=AP RO verification still could be triggered by key presses and through a TPM command coming from the AP, but is rejected if sent over USB by the host. Signed-off-by: Vadim Bendebury <vbendeb@chromium.org> Change-Id: Ib3b5bd9867cc3038d9123b23c7a25886331a179c Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3221776 Reviewed-by: Mary Ruthven <mruthven@chromium.org>
-rw-r--r--common/extension.c9
-rw-r--r--common/tpm_registers.c2
-rw-r--r--include/extension.h9
3 files changed, 13 insertions, 7 deletions
diff --git a/common/extension.c b/common/extension.c
index e65cf18880..c91ca987e4 100644
--- a/common/extension.c
+++ b/common/extension.c
@@ -24,7 +24,7 @@ uint32_t extension_route_command(struct vendor_cmd_params *p)
#endif
/* Filter commands from USB */
- if (p->flags & VENDOR_CMD_FROM_USB) {
+ if (p->flags & (VENDOR_CMD_FROM_USB | VENDOR_CMD_FROM_ALT_IF)) {
switch (p->code) {
#ifdef CR50_DEV
case VENDOR_CC_IMMEDIATE_RESET:
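Review bot: The context comment `/* Filter commands from USB */` above the changed condition no longer describes it, because the filter now also applies to commands carrying VENDOR_CMD_FROM_ALT_IF. I would update it to `/* Filter commands from USB and from the TPM task's alternative interface */`. The same staleness affects `why_ignore = "usb";` in the default case of the next hunk: a rejected alternative-interface command will be reported as "usb", which can mislead someone reading the log to work out which path was refused. extension_route_command starts and ends outside this hunk.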
@@ -45,8 +45,13 @@ uint32_t extension_route_command(struct vendor_cmd_params *p)
case VENDOR_CC_RMA_CHALLENGE_RESPONSE:
case VENDOR_CC_SPI_HASH: /* Requires physical presence. */
case VENDOR_CC_TURN_UPDATE_ON:
- case VENDOR_CC_AP_RO_VALIDATE:
break;
+ case VENDOR_CC_AP_RO_VALIDATE:
+ /* This command is allowed if triggered locally. */
+ if (p->flags & VENDOR_CMD_FROM_ALT_IF)
+ break;
+
+ /* Fall through to the default case. */
default:
/* Otherwise, we don't allow this command. */
why_ignore = "usb";
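Review bot: The `VENDOR_CC_AP_RO_VALIDATE` exception treats VENDOR_CMD_FROM_ALT_IF as proof of a local trigger, but the flag as documented in this commit only says the command came through the TPM task and did not originate in the AP. The only producer visible here is the `alt_if_command` branch of tpm_task, which the commit message says also serves some CCD commands. If any caller of that path can forward a command code supplied by the USB host, this case would admit it. It is worth confirming that no such caller exists and recording the invariant at the case, e.g. `/* Allowed only because VENDOR_CMD_FROM_ALT_IF is set solely for on-device triggers; USB-originated requests must carry VENDOR_CMD_FROM_USB. */`. The switch continues outside this hunk.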
diff --git a/common/tpm_registers.c b/common/tpm_registers.c
index 6ef281b313..d0ae42e904 100644
--- a/common/tpm_registers.c
+++ b/common/tpm_registers.c
@@ -1026,7 +1026,7 @@ void tpm_task(void *u)
response_size = buffer_size;
call_extension_command(tpmh, &response_size,
alt_if_command ?
- VENDOR_CMD_FROM_USB : 0);
+ VENDOR_CMD_FROM_ALT_IF : 0);
} else
#endif
{
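Review bot: After this change a command routed through `alt_if_command` no longer carries VENDOR_CMD_FROM_USB at all, so any handler outside this diff that restricts itself by testing `flags & VENDOR_CMD_FROM_USB` alone would stop applying that restriction to these commands. The commit message notes that the USB bit was required for some CCD commands. extension_route_command is updated to test both flags, but other consumers of the flag are not visible here and should be audited to use the same `(VENDOR_CMD_FROM_USB | VENDOR_CMD_FROM_ALT_IF)` mask where the restriction is still intended. tpm_task's body extends beyond this hunk.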
diff --git a/include/extension.h b/include/extension.h
index 5ce0410f57..451ad62672 100644
--- a/include/extension.h
+++ b/include/extension.h
@@ -14,12 +14,13 @@
/* Flags for vendor or extension commands */
enum vendor_cmd_flags {
+ /* Command is coming from the USB interface. */
+ VENDOR_CMD_FROM_USB = BIT(0),
/*
- * Command is coming from the USB interface (either via the vendor
- * command endpoint or the console). If this flag is not present,
- * the command is coming from the AP.
+ * Command is coming through TPM task, but was not originated in the
+ * AP.
*/
- VENDOR_CMD_FROM_USB = BIT(0),
+ VENDOR_CMD_FROM_ALT_IF = BIT(1),
};
/* Parameters for vendor commands */
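Review bot: The rewritten enum comments drop the statement of what an absent flag means, which the old text gave explicitly ("If this flag is not present, the command is coming from the AP"). With two flags the reader has to infer that AP origin is now presumably "neither bit set", and that VENDOR_CMD_FROM_ALT_IF commands go through the same command filter as USB ones. I would add a line to the enum's header comment such as `/* If neither flag is set, the command is coming from the AP. */`. The VENDOR_CMD_FROM_ALT_IF comment should also say that it is filtered like VENDOR_CMD_FROM_USB except where a handler explicitly allows it.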