diff options
| author | Randall Spangler <rspangler@chromium.org> | 2012-06-19 10:03:53 -0700 |
|---|---|---|
| committer | Gerrit <chrome-bot@google.com> | 2012-08-15 14:31:53 -0700 |
| commit | 29e8807ea045e119e3adeaec40c5f8421901b6fb (patch) | |
| tree | 7cde1c7d68b710a9647e80890d19e02c718976c7 /host | |
| parent | 59576e11e5120513f37658628b2b3bbf9827d471 (diff) | |
| download | vboot-29e8807ea045e119e3adeaec40c5f8421901b6fb.tar.gz | |
Add clear TPM owner request
This adds two new flags to crossystem:
clear_tpm_owner_request
clear_tpm_owner_done
The first one requests that the firmware clear the TPM owner on the
next boot. When the firmware does this, it will set
clear_tpm_owner_request=0, and set clear_tpm_owner_done=1. The OS can
use the done-flag as a hint that trusted things guarded by the TPM are
no longer trustable.
BUG=chromium-os:31974
TEST=manual
crossystem
// both flags initially 0
crossystem clear_tpm_owner_request=1
crossystem clear_tpm_owner_done=1
// request=1, done=0; done can be cleared but not set by crossystem
reboot
tpmc getownership
// owned=no
crossystem
// request=0, done=1
crossystem clear_tpm_owner_done=0
crossystem
// both flags 0 again
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Change-Id: I49f83f3c39c3efc3945116c51a241d255c2e42cd
Reviewed-on: https://gerrit.chromium.org/gerrit/25646
Diffstat (limited to 'host')
| -rw-r--r-- | host/lib/crossystem.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/host/lib/crossystem.c b/host/lib/crossystem.c index e120abcc..d89c85ce 100644 --- a/host/lib/crossystem.c +++ b/host/lib/crossystem.c @@ -403,6 +403,10 @@ int VbGetSystemPropertyInt(const char* name) { value = VbGetNvStorage(VBNV_DEBUG_RESET_MODE); } else if (!strcasecmp(name,"disable_dev_request")) { value = VbGetNvStorage(VBNV_DISABLE_DEV_REQUEST); + } else if (!strcasecmp(name,"clear_tpm_owner_request")) { + value = VbGetNvStorage(VBNV_CLEAR_TPM_OWNER_REQUEST); + } else if (!strcasecmp(name,"clear_tpm_owner_done")) { + value = VbGetNvStorage(VBNV_CLEAR_TPM_OWNER_DONE); } else if (!strcasecmp(name,"fwb_tries")) { value = VbGetNvStorage(VBNV_TRY_B_COUNT); } else if (!strcasecmp(name,"fwupdate_tries")) { @@ -493,6 +497,11 @@ int VbSetSystemPropertyInt(const char* name, int value) { return VbSetNvStorage(VBNV_DEBUG_RESET_MODE, value); } else if (!strcasecmp(name,"disable_dev_request")) { return VbSetNvStorage(VBNV_DISABLE_DEV_REQUEST, value); + } else if (!strcasecmp(name,"clear_tpm_owner_request")) { + return VbSetNvStorage(VBNV_CLEAR_TPM_OWNER_REQUEST, value); + } else if (!strcasecmp(name,"clear_tpm_owner_done")) { + /* Can only clear this flag; it's set by firmware. */ + return VbSetNvStorage(VBNV_CLEAR_TPM_OWNER_DONE, 0); } else if (!strcasecmp(name,"fwb_tries")) { return VbSetNvStorage(VBNV_TRY_B_COUNT, value); } else if (!strcasecmp(name,"fwupdate_tries")) { |