author | Vadim Bendebury <vbendeb@chromium.org> | 2016-07-06 09:07:54 -0700 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2016-07-09 11:25:24 -0700 |
commit | ae703f681965ffdbe676fa291d445f765f93e2ab (patch) | |
tree | 086909c7ba02eb7a3172ec00268e5e03bfe5cff9 /firmware/include/tpm2_tss_constants.h | |
parent | eb4f39d3db535109959cacc9a6066ec8400c0875 (diff) | |
tpm2: add nvram lock and hierarchy control commands
The firmware needs to lock the kernel rollback index before starting
up the kernel. The TPM2_NV_WriteLock command is used for that.
We also want to limit the amount of control user space apps have
over the TPM. With TPM1.2 this was achieved by deasserting physical
presence. The TPM2 specification allows achieving the same goal by
disabling the Platform Hierarchy, which is active out of reset.
BRANCH=none
BUG=chrome-os-partner:50465
TEST=verified that all commands succeed and chrome OS boots up fine.
Change-Id: Ia5893460e0b29f1945cb2aae45a5f10b08fe1ed1
Reviewed-on: https://chromium-review.googlesource.com/358351
Commit-Ready: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Darren Krahn <dkrahn@chromium.org>
Diffstat (limited to 'firmware/include/tpm2_tss_constants.h')
-rw-r--r-- | firmware/include/tpm2_tss_constants.h | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/firmware/include/tpm2_tss_constants.h b/firmware/include/tpm2_tss_constants.h
index cec91e61..fa341c0f 100644
--- a/firmware/include/tpm2_tss_constants.h
+++ b/firmware/include/tpm2_tss_constants.h
@@ -17,8 +17,10 @@
 #define TPM_ST_SESSIONS 0x8002
 /* TPM2 command codes. */
-#define TPM2_NV_Write ((TPM_CC)0x00000137)
-#define TPM2_NV_Read ((TPM_CC)0x0000014E)
+#define TPM2_Hierarchy_Control ((TPM_CC)0x00000121)
+#define TPM2_NV_Write ((TPM_CC)0x00000137)
+#define TPM2_NV_WriteLock ((TPM_CC)0x00000138)
+#define TPM2_NV_Read ((TPM_CC)0x0000014E)
 /* TCG Spec defined, verify for TPM2. */
 #define TPM_E_BADINDEX ((uint32_t) 0x00000002)
@@ -32,9 +34,11 @@
 #define TPM_RS_PW 0x40000009
+typedef uint8_t TPMI_YES_NO;
 typedef uint32_t TPM_CC;
 typedef uint32_t TPM_HANDLE;
 typedef TPM_HANDLE TPMI_RH_NV_INDEX;
+typedef TPM_HANDLE TPMI_RH_ENABLES;
 typedef struct {
 uint16_t size;
@@ -61,6 +65,15 @@ struct tpm2_nv_write_cmd {
 uint16_t offset;
 };
+struct tpm2_nv_write_lock_cmd {
+ TPMI_RH_NV_INDEX nvIndex;
+};
+
+struct tpm2_hierarchy_control_cmd {
+ TPMI_RH_ENABLES enable;
+ TPMI_YES_NO state;
+};
+
 /* Common command/response header. */
 struct tpm_header {
 uint16_t tpm_tag; |
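Review bot: The new `TPM2_NV_WriteLock` define in the first hunk has no comment on the precondition that makes the lock effective. The TPM only accepts this command for an index defined with TPMA_NV_WRITE_STCLEAR or TPMA_NV_WRITEDEFINE and returns an error otherwise; whether the kernel rollback index is defined that way is not visible in this file. I would add above the define `/* Index must have TPMA_NV_WRITE_STCLEAR or TPMA_NV_WRITEDEFINE set, otherwise the TPM rejects the lock. */`, so that callers treat a non-zero response as a failed lock rather than ignoring it.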
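Review bot: `struct tpm2_hierarchy_control_cmd` in the third hunk puts a one-byte `TPMI_YES_NO` after a four-byte handle, so the compiler will normally pad it and `sizeof` will not equal the five parameter bytes sent on the wire. The marshaling code is outside this file, so I cannot confirm it serialises field by field; a comment on both new structs would guard against a later `memcpy` of the struct into the command buffer: `/* In-memory parameters only; marshal each field separately, never copy the struct to the wire. */`. The comment should also say that `state` takes only 0 or 1 and that `enable` holds a hierarchy handle, since no named constants for either appear in these hunks.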