diff options
| author | Andrey Pronin <apronin@google.com> | 2016-07-22 18:45:37 -0700 |
|---|---|---|
| committer | chrome-bot <chrome-bot@chromium.org> | 2016-07-26 23:54:28 -0700 |
| commit | 3e0a3524898c8d0c633f740a0b715bb9ad32b999 (patch) | |
| tree | b62b4b37c44faf1289d9d73715c039824226dc17 /firmware/include/tpm2_marshaling.h | |
| parent | c37f0f82056adca65de7b99419663dff437365c1 (diff) | |
| download | vboot-3e0a3524898c8d0c633f740a0b715bb9ad32b999.tar.gz | |
Modify 'tpmc block' to lock only the FW index
As discussed in https://chromium-review.googlesource.com/#/c/361381/,
instead of being a synonym to 'tpmc pplock', the 'tpmc block' command
should protect just the FW index using WriteLock.
Additionally, both TlclSetGlobalLock and TlclLockPhysicalPresence in
tlcl (which are used by 'tpmc block' and 'tpmc pplock') are updated
to first check if the platform hierarchy is already disabled and
return success, if so. That's needed to prevent command failures
when rollback protection is already on.
BRANCH=none
BUG=chrome-os-partner:55210
BUG=chrome-os-partner:55250
TEST=boot on kevin, verify that 'tpmc block' and 'tpmc pplock'
work as expected:
- pplock is possible after block
- pplock and block succeed both for enabled and disabled PH
- block locks FW index
- pplock disables PH
Change-Id: I32bff2b590a51315b11da361b97c684dcce8ab36
Reviewed-on: https://chromium-review.googlesource.com/362772
Commit-Ready: Andrey Pronin <apronin@chromium.org>
Tested-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Diffstat (limited to 'firmware/include/tpm2_marshaling.h')
| -rw-r--r-- | firmware/include/tpm2_marshaling.h | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/firmware/include/tpm2_marshaling.h b/firmware/include/tpm2_marshaling.h index 2022986b..3d6fb8aa 100644 --- a/firmware/include/tpm2_marshaling.h +++ b/firmware/include/tpm2_marshaling.h @@ -50,11 +50,22 @@ struct tpm2_response *tpm_unmarshal_response(TPM_CC command, * tpm_set_ph_disabled * * Sets the flag that indicates if platform hierarchy is disabled. - * certain commands, like NV_Read, may need to use different + * Certain commands, like NV_Read, may need to use different * authorization if platform hierarchy is disabled. * * @flag: 1 if platform hierarchy is disabled, 0 otherwise */ void tpm_set_ph_disabled(int flag); +/** + * tpm_is_ph_disabled + * + * Gets the flag that indicates if platform hierarchy is disabled. + * Certain commands, like NV_Read, may need to use different + * authorization if platform hierarchy is disabled. + * + * Returns 1 if platform hierarchy is disabled, 0 otherwise + */ +int tpm_is_ph_disabled(void); + #endif // __SRC_LIB_TPM2_MARSHALING_H |