path: root/firmware/include/tpm2_marshaling.h
author: Andrey Pronin <apronin@google.com> 2016-07-18 11:24:55 -0700
committer: Vadim Bendebury <vbendeb@chromium.org> 2016-07-22 14:42:54 +0000
commit: bea3f7979a4c3088da74accd1b68830214e0934d (patch)
tree: 99d3aefa513cf9b255c079d2945cd4b5c5f18832 /firmware/include/tpm2_marshaling.h
parent: a071c7697883e3a73570cf0c75fa5673cc83673d (diff)
tlcl: use different NV_Read authorizations for fw and userland
Let's use an earlier version of CL 360944 that relies on the global flag to decide if the platform authorization is to be used. As it turned out, we can't read NVRAM with empty password authorization if platform hierarchy is still enabled (as it is in firmware), so we keep platform authorization for firmware, and use empty password only for userland utilities, like tpmc.

BRANCH=none
BUG=chrome-os-partner:55531
TEST=Run 'initctl stop trunksd; tpmc read 0x1008 0xd" on kevin, verify that it returns the right output.

Change-Id: Ic878ebde9086e803d2487d90c55c0f19001cf94b
Signed-off-by: Andrey Pronin <apronin@google.com>
Reviewed-on: https://chromium-review.googlesource.com/362520
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Andrey Pronin <apronin@chromium.org>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
Diffstat (limited to 'firmware/include/tpm2_marshaling.h')
-rw-r--r-- firmware/include/tpm2_marshaling.h 11
1 files changed, 11 insertions, 0 deletions
diff --git a/firmware/include/tpm2_marshaling.h b/firmware/include/tpm2_marshaling.h
index c72b076b..2022986b 100644
--- a/firmware/include/tpm2_marshaling.h
+++ b/firmware/include/tpm2_marshaling.h
@@ -46,4 +46,15 @@ struct tpm2_response *tpm_unmarshal_response(TPM_CC command,
void *response_body,
int response_size);
+/**
+ * tpm_set_ph_disabled
+ *
+ * Sets the flag that indicates if platform hierarchy is disabled.
+ * certain commands, like NV_Read, may need to use different
+ * authorization if platform hierarchy is disabled.
+ *
+ * @flag: 1 if platform hierarchy is disabled, 0 otherwise
+ */
+void tpm_set_ph_disabled(int flag);
+
#endif // __SRC_LIB_TPM2_MARSHALING_H
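
Review bot: the doc comment on tpm_set_ph_disabled() leaves the initial state unspecified: it documents 1 and 0 for @flag but not what NV_Read assumes when the setter is never called. Since the flag selects which authorization a command carries, state the default in this header and say which side (firmware, or userland tools such as tpmc) is expected to call it and when. The parameter is an int but only 0 and 1 are documented; either say that any nonzero value counts as disabled or normalise it in the implementation. Minor: "certain commands" at the start of the second sentence should be capitalised.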