authorVadim Bendebury <vbendeb@chromium.org>2016-11-11 09:25:20 -0800
committerChromeOS Commit Bot <chromeos-commit-bot@chromium.org>2017-01-15 15:02:26 +0000
commit0e18092bf180905a38ba12a340d742b351e13b61 (patch)
tree0f5574d7bfa7c445fa65da3bdbe90d00edff37e8
parent6c18af501798c9b597839a3628c8374a2f8d7483 (diff)
downloadvboot-0e18092bf180905a38ba12a340d742b351e13b61.tar.gz
tpm2: do not lock kernel space when locking physical presence
There is no direct concept of physical presence in TPM2, the platform hierarchy could be used to manage access to various NVRAM spaces instead. The kernel NVRAM space does not have to be explicitly locked, disabling platform hierarchy is enough to prevent writes into this space. BRANCH=none BUG=chrome-os-partner:59651 TEST=verified that the system boots fine in both normal and recovery modes; using tpmc confirmed that the kernel space is readable in both and writeable only in recovery mode. Change-Id: I3cd8344ad897d061f6b07424f1589a7b547a161f Signed-off-by: Vadim Bendebury <vbendeb@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/410127 Reviewed-by: Randall Spangler <rspangler@chromium.org> Reviewed-by: Andrey Pronin <apronin@chromium.org> (cherry picked from commit 11dd2f21307daf384c63977c9035e808bd615c29) Reviewed-on: https://chromium-review.googlesource.com/428191 Reviewed-by: Philip Chen <philipchen@chromium.org> Commit-Queue: Philip Chen <philipchen@chromium.org> Tested-by: Philip Chen <philipchen@chromium.org>
-rw-r--r--firmware/lib/tpm2_lite/tlcl.c8
1 files changed, 1 insertions, 7 deletions
diff --git a/firmware/lib/tpm2_lite/tlcl.c b/firmware/lib/tpm2_lite/tlcl.c
index 938fdd66..2e28e5b7 100644
--- a/firmware/lib/tpm2_lite/tlcl.c
+++ b/firmware/lib/tpm2_lite/tlcl.c
@@ -364,16 +364,10 @@ uint32_t TlclSetGlobalLock(void)
*/
uint32_t TlclLockPhysicalPresence(void)
{
- uint32_t rv;
-
if (tpm_is_ph_disabled())
return TPM_SUCCESS;
- rv = tlcl_lock_nv_write(KERNEL_NV_INDEX);
- if (rv == TPM_SUCCESS)
- rv = tlcl_disable_platform_hierarchy();
-
- return rv;
+ return tlcl_disable_platform_hierarchy();
}
uint32_t TlclRead(uint32_t index, void* data, uint32_t length)
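Review bot: The new single-line body makes TlclLockPhysicalPresence depend on an invariant the hunk never states: the kernel NV space must have been defined with write access gated on the platform hierarchy, otherwise dropping the tlcl_lock_nv_write(KERNEL_NV_INDEX) call leaves that space writable after this function reports TPM_SUCCESS. The block comment that ends with the `*/` just above the function (its text lies outside the hunk) should record this, e.g. `/* TPM2 has no physical presence; disabling the platform hierarchy is what locks the kernel NV space, so that space must be defined with platform-hierarchy-gated write access. */`. The early `return TPM_SUCCESS` when tpm_is_ph_disabled() is already true performs no further check, which is only sound if the hierarchy stays disabled until the next TPM reset — presumably the case, but the same comment is the place to say so.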