authorAndrey Pronin <apronin@chromium.org>2016-11-11 18:00:23 -0800
committerchrome-bot <chrome-bot@chromium.org>2016-11-15 17:42:26 -0800
commit4ad42032f45c1a0e069e403adee62f6cc9abd309 (patch)
treeeadb9fffdea849c8ca8547e8dfc344287dca563e
parenteedd4293582b86a43eab6400d0a967bccf14f1fe (diff)
tpm2_lite: use null password authorization for ReadLock
Most of the indexes used in practice have AUTHREAD set with null password authentication. The only index for which READ_STCLEAR is set and TlclReadLock() is called is the one used by mount-encrypted. It has AUTHREAD with an empty password and should be lockable after the platform hierarchy is disabled. So, use null password authorization instead of platform authorization in TlclReadLock(). BUG=chrome-os-partner:54708 BRANCH=none TEST=Start with OOBE, corporate enroll, reboot, verify that the system doesn't go back to OOBE. Check mount-encrypted.log on start: it should contain "Read-locking NVRAM area succeeded". Change-Id: Iaac78ba4dd048edac992adfab6fb94b69b2e989a Reviewed-on: https://chromium-review.googlesource.com/410780 Commit-Ready: Andrey Pronin <apronin@chromium.org> Tested-by: Andrey Pronin <apronin@chromium.org> Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
-rw-r--r--firmware/lib/tpm2_lite/marshaling.c3
1 files changed, 2 insertions, 1 deletions
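--- a/firmware/lib/tpm2_lite/marshaling.c
+++ b/firmware/lib/tpm2_lite/marshaling.c
@@ -542,7 +542,7 @@ static void marshal_nv_read_lock(void **buffer,
 struct tpm2_session_header session_header;
 tpm_tag = TPM_ST_SESSIONS;
- marshal_TPM_HANDLE(buffer, TPM_RH_PLATFORM, buffer_space);
+ marshal_TPM_HANDLE(buffer, command_body->nvIndex, buffer_space);
 marshal_TPM_HANDLE(buffer, command_body->nvIndex, buffer_space);
 memset(&session_header, 0, sizeof(session_header));
 session_header.session_handle = TPM_RS_PW;
@@ -764,6 +764,7 @@ struct tpm2_response *tpm_unmarshal_response(TPM_CC command,
 case TPM2_Hierarchy_Control:
 case TPM2_NV_Write:
 case TPM2_NV_WriteLock:
+case TPM2_NV_ReadLock:
 case TPM2_Clear:
 case TPM2_SelfTest:
 case TPM2_Startup: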
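Review bot: In the first hunk (marshal_nv_read_lock, whose body starts and ends outside the hunk) the new code marshals command_body->nvIndex twice in a row with no comment, which reads like a copy-paste duplicate; the first call is the authHandle of TPM2_NV_ReadLock and the second is its nvIndex parameter. A one-line comment above the first call would prevent a later "cleanup" from deleting it, e.g. `/* authHandle: the index authorizes itself (AUTHREAD, empty password) */`. It is also worth noting in that comment that, with this change, ReadLock can only succeed for indexes whose attributes permit self-authorization with an empty auth value, as the commit message states; an index that relies on platform authorization will now fail the lock, so callers of TlclReadLock() presumably need to check its return rather than assume success.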