| field | value | date |
|---|---|---|
| author | Andrey Pronin <apronin@chromium.org> | 2016-11-11 18:00:23 -0800 |
| committer | chrome-bot <chrome-bot@chromium.org> | 2016-11-15 17:42:26 -0800 |
| commit | 4ad42032f45c1a0e069e403adee62f6cc9abd309 | |
| tree | eadb9fffdea849c8ca8547e8dfc344287dca563e (firmware/lib/tpm2_lite) | |
| parent | eedd4293582b86a43eab6400d0a967bccf14f1fe | |
| download | vboot-4ad42032f45c1a0e069e403adee62f6cc9abd309.tar.gz | |
tpm2_lite: use null password authorization for ReadLock
Most of the indexes used in practice have AUTHREAD set with null
password authentication. The only index for which READ_STCLEAR is
set and TlclReadLock() is called is the one used by mount-encrypted.
It has AUTHREAD with empty password and should be lockable after
platform hierarchy is disabled. So, use null password authorization
instead of platform authorization in TlclReadLock().
BUG=chrome-os-partner:54708
BRANCH=none
TEST=Start with OOBE, corporate enroll, reboot, verify that the system
doesn't go back to OOBE. Check mount-encrypted.log on start: it
should contain "Read-locking NVRAM area succeeded".
Change-Id: Iaac78ba4dd048edac992adfab6fb94b69b2e989a
Reviewed-on: https://chromium-review.googlesource.com/410780
Commit-Ready: Andrey Pronin <apronin@chromium.org>
Tested-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Diffstat (limited to 'firmware/lib/tpm2_lite')

| mode | file | changes |
|---|---|---|
| -rw-r--r-- | firmware/lib/tpm2_lite/marshaling.c | 3 |

1 files changed, 2 insertions, 1 deletions
diff --git a/firmware/lib/tpm2_lite/marshaling.c b/firmware/lib/tpm2_lite/marshaling.c index 23a46555..97b20fe1 100644 --- a/firmware/lib/tpm2_lite/marshaling.c +++ b/firmware/lib/tpm2_lite/marshaling.c @@ -542,7 +542,7 @@ static void marshal_nv_read_lock(void **buffer, struct tpm2_session_header session_header; tpm_tag = TPM_ST_SESSIONS; - marshal_TPM_HANDLE(buffer, TPM_RH_PLATFORM, buffer_space); + marshal_TPM_HANDLE(buffer, command_body->nvIndex, buffer_space); marshal_TPM_HANDLE(buffer, command_body->nvIndex, buffer_space); memset(&session_header, 0, sizeof(session_header)); session_header.session_handle = TPM_RS_PW; @@ -764,6 +764,7 @@ struct tpm2_response *tpm_unmarshal_response(TPM_CC command, case TPM2_Hierarchy_Control: case TPM2_NV_Write: case TPM2_NV_WriteLock: + case TPM2_NV_ReadLock: case TPM2_Clear: case TPM2_SelfTest: case TPM2_Startup: |
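Review bot: in the marshal_nv_read_lock() hunk, the first marshal_TPM_HANDLE() call now emits command_body->nvIndex and is immediately followed by the unchanged call that also emits command_body->nvIndex, so the function writes the same handle twice with nothing explaining why. A one-line comment at the first call, e.g. `/* authHandle: the index authorizes itself (AUTHREAD, empty password) */`, would make clear that the first handle is the TPM2_NV_ReadLock authHandle, the second is the nvIndex parameter, and that the TPM_RS_PW session built from the zeroed session_header is what carries the empty password. Because TPM_RH_PLATFORM is dropped entirely, TlclReadLock() can no longer lock an index that does not accept its own empty auth for READ_STCLEAR; the commit message says only the mount-encrypted index currently needs this, but that precondition belongs in a comment on marshal_nv_read_lock() so a future caller with a platform-authorized index does not hit an unexpected authorization failure.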
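Review bot: the second hunk, which adds `case TPM2_NV_ReadLock:` to the group shared with TPM2_NV_WriteLock, TPM2_Clear, TPM2_SelfTest and TPM2_Startup in tpm_unmarshal_response(), is a separate fix from the authorization change named in the title, and the commit message does not mention it. It deserves a sentence there stating that ReadLock responses previously fell through to whatever the remaining cases do, and the TEST line, which only checks mount-encrypted.log for the "Read-locking NVRAM area succeeded" string, could say explicitly that this also confirms the TPM2_NV_ReadLock response now unmarshals without error.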