diff options
| author | Vadim Bendebury <vbendeb@chromium.org> | 2017-02-21 18:41:42 -0800 |
|---|---|---|
| committer | chrome-bot <chrome-bot@chromium.org> | 2017-05-31 00:24:01 -0700 |
| commit | fb5a05ab223b56b22a3e0978333586ec13604374 (patch) | |
| tree | a8c04844e8051a08ffc55f851cd19ba77f21848f /include/tpm_registers.h | |
| parent | bff0a8093402790f3f58af80eb09509c27cafdaf (diff) | |
| download | chrome-ec-fb5a05ab223b56b22a3e0978333586ec13604374.tar.gz | |
cr50: read fwmp and act on it when controlling console restrictions
It needs to be possible to prevent unlocking of CCD on enterprise
enrolled devices, in particular to prevent users from moving into dev
mode.
A bit in the FWMP structure flags field was allocated for the purposes
of preventing console unlock in those cases.
This patch adds code to read the FWMP structure from the TPM NVMEM,
verify it and determine if it should be possible to unlock the
console. The restriction is not honored by Cr50 DBG images.
The FWMP value is read only once per TPM reset, this means each time
the admin console changes the relevant flag bit, the Chrome OS device
has to be rebooted to pick up the new flag value.
BRANCH=cr50
BUG=b:35587387,b:35587053
TEST=verified that FWMP is properly read and acted upon.
Change-Id: I17e15ea2b2293a0c096858fba3ccc389452caede
Reviewed-on: https://chromium-review.googlesource.com/457824
Commit-Ready: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Diffstat (limited to 'include/tpm_registers.h')
| -rw-r--r-- | include/tpm_registers.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/include/tpm_registers.h b/include/tpm_registers.h index 9812c7c131..ed26591791 100644 --- a/include/tpm_registers.h +++ b/include/tpm_registers.h @@ -69,5 +69,6 @@ struct tpm_cmd_header { * crosbug.com/p/55667 for detals. */ #define TPM2_PCR_Read 0x0000017e +#define TPM2_Startup 0x00000144 #endif /* __CROS_EC_TPM_REGISTERS_H */ |