2api: add callbacks for tpm_{get,set}_mode

When booting into Alt OS legacy mode, we plan to disable TPM before handing off control to the OS. On a warm reboot back to Chrome OS, we must check the TPM mode. If it is disabled, a hard reboot should be triggered to restore TPM functionality. Add vboot2 callbacks for tpm_get_mode and tpm_set_mode. vboot_reference code needs to use these TPM vendor-specific commands from depthcharge, but doesn't make sense to re-implement them in the vboot_reference TPM driver (which probably shouldn't exist in the first place). BUG=b:120587305 TEST=compile vboot_reference and depthcharge Change-Id: I8285e518b50e031c6f0cf76f82439ad316ddc6fd Reviewed-on: https://chromium-review.googlesource.com/c/1354139 Tested-by: Joel Kitching <kitching@chromium.org> Reviewed-by: Ting Shen <phoenixshen@chromium.org> Commit-Queue: Joel Kitching <kitching@chromium.org>
author: Joel Kitching <kitching@google.com> 2018-11-27 14:32:36 +0800
committer: ChromeOS Commit Bot <chromeos-commit-bot@chromium.org> 2018-12-06 10:47:57 +0000
commit: 55736737c278ba45b75fee876750b6a0e3b4225a (patch)
tree: 4cbf847660f0b4fb2845a2cba6f75a0666a265f4
parent: d331bcd2e1ed6f92f47366a0ed4bfc743eaff857 (diff)
download: vboot-55736737c278ba45b75fee876750b6a0e3b4225a.tar.gz
3 files changed, 59 insertions, 0 deletions
diff --git a/firmware/2lib/2stub.c b/firmware/2lib/2stub.c
index 2e08de97..cca28831 100644
--- a/firmware/2lib/2stub.c
+++ b/firmware/2lib/2stub.c
@@ -58,3 +58,15 @@ int vb2ex_hwcrypto_digest_finalize(uint8_t *digest,
 {
 	return VB2_ERROR_SHA_FINALIZE_ALGORITHM; /* Should not be called. */
 }
+
+__attribute__((weak))
+int vb2ex_tpm_get_mode(enum vb2_tpm_mode *mode_val)
+{
+	return VB2_ERROR_EX_TPM_GET_MODE_UNIMPLEMENTED;
+}
+
+__attribute__((weak))
+int vb2ex_tpm_set_mode(enum vb2_tpm_mode mode_val)
+{
+	return VB2_ERROR_EX_TPM_SET_MODE_UNIMPLEMENTED;
+}
diff --git a/firmware/2lib/include/2api.h b/firmware/2lib/include/2api.h
index e2100516..3874aa71 100644
--- a/firmware/2lib/include/2api.h
+++ b/firmware/2lib/include/2api.h
@@ -57,6 +57,19 @@
 /* Recommended buffer size for vb2api_get_pcr_digest */
 #define VB2_PCR_DIGEST_RECOMMENDED_SIZE 32
 
+/* Modes for vb2ex_tpm_get_mode and vb2ex_tpm_set_mode. */
+enum vb2_tpm_mode {
+	/* TPM is enabled tentatively, and may be set to either
+	 * ENABLED or DISABLED mode. */
+	VB2_TPM_MODE_ENABLED_TENTATIVE = 0,
+
+	/* TPM is enabled, and mode may not be changed. */
+	VB2_TPM_MODE_ENABLED = 1,
+
+	/* TPM is disabled, and mode may not be changed. */
+	VB2_TPM_MODE_DISABLED = 2,
+};
+
 /* Flags for vb2_context.
  *
  * Unless otherwise noted, flags are set by verified boot and may be read (but
@@ -686,4 +699,32 @@ int vb2api_digest_buffer(const uint8_t *buf,
 			 uint8_t *digest,
 			 uint32_t digest_size);
 
+/**
+ * Retrieve the current TPM mode value.  If one of the following occurs,
+ * the function call fails:
+ *   - TPM does not understand the instruction (old version)
+ *   - Some other communication error occurs
+ *  Otherwise, the function call succeeds.
+ *
+ * @param mode_val       Output pointer for current TPM mode.
+ *                       Possible values are in vb2_tpm_mode enum.
+ * @returns VB2_SUCCESS, or non-zero error code.
+ */
+int vb2ex_tpm_get_mode(enum vb2_tpm_mode *mode_val);
+
+/*
+ * Set the current TPM mode value, and validate that it was changed.  If one
+ * of the following occurs, the function call fails:
+ *   - TPM does not understand the instruction (old version)
+ *   - TPM has already left the TpmModeEnabledTentative mode
+ *   - TPM responds with a mode other than the requested mode
+ *   - Some other communication error occurs
+ *  Otherwise, the function call succeeds.
+ *
+ * @param mode_val       Desired TPM mode to set.  May be one of ENABLED
+ *                       or DISABLED from vb2_tpm_mode enum.
+ * @returns VB2_SUCCESS, or non-zero error code.
+ */
+int vb2ex_tpm_set_mode(enum vb2_tpm_mode mode_val);
+
 #endif  /* VBOOT_2_API_H_ */
diff --git a/firmware/2lib/include/2return_codes.h b/firmware/2lib/include/2return_codes.h
index b66cf6b4..913c625a 100644
--- a/firmware/2lib/include/2return_codes.h
+++ b/firmware/2lib/include/2return_codes.h
@@ -609,6 +609,12 @@ enum vb2_return_code {
 	/* TPM does not understand this command */
 	VB2_ERROR_EX_TPM_NO_SUCH_COMMAND,
 
+	/* TPM get mode function is unimplemented (stubbed in 2lib/2stub.c) */
+	VB2_ERROR_EX_TPM_GET_MODE_UNIMPLEMENTED,
+
+	/* TPM set mode function is unimplemented (stubbed in 2lib/2stub.c) */
+	VB2_ERROR_EX_TPM_SET_MODE_UNIMPLEMENTED,
+
 
         /**********************************************************************
 	 * Errors generated by host library (non-firmware) start here.
author	Joel Kitching <kitching@google.com>	2018-11-27 14:32:36 +0800
committer	ChromeOS Commit Bot <chromeos-commit-bot@chromium.org>	2018-12-06 10:47:57 +0000
commit	55736737c278ba45b75fee876750b6a0e3b4225a (patch)
tree	4cbf847660f0b4fb2845a2cba6f75a0666a265f4
parent	d331bcd2e1ed6f92f47366a0ed4bfc743eaff857 (diff)
download	vboot-55736737c278ba45b75fee876750b6a0e3b4225a.tar.gz