author | Andrey Pronin <apronin@google.com> | 2016-07-22 18:45:37 -0700 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2016-07-26 23:54:28 -0700 |
commit | 3e0a3524898c8d0c633f740a0b715bb9ad32b999 (patch) | |
tree | b62b4b37c44faf1289d9d73715c039824226dc17 /utility/tpmc.c | |
parent | c37f0f82056adca65de7b99419663dff437365c1 (diff) | |
download | vboot-3e0a3524898c8d0c633f740a0b715bb9ad32b999.tar.gz |
Modify 'tpmc block' to lock only the FW index
As discussed in https://chromium-review.googlesource.com/#/c/361381/,
instead of being a synonym to 'tpmc pplock', the 'tpmc block' command
should protect just the FW index using WriteLock.
Additionally, both TlclSetGlobalLock and TlclLockPhysicalPresence in
tlcl (which are used by 'tpmc block' and 'tpmc pplock') are updated
to first check if the platform hierarchy is already disabled and
return success, if so. That's needed to prevent command failures
when rollback protection is already on.
BRANCH=none
BUG=chrome-os-partner:55210
BUG=chrome-os-partner:55250
TEST=boot on kevin, verify that 'tpmc block' and 'tpmc pplock'
work as expected:
- pplock is possible after block
- pplock and block succeed both for enabled and disabled PH
- block locks FW index
- pplock disables PH
Change-Id: I32bff2b590a51315b11da361b97c684dcce8ab36
Reviewed-on: https://chromium-review.googlesource.com/362772
Commit-Ready: Andrey Pronin <apronin@chromium.org>
Tested-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Diffstat (limited to 'utility/tpmc.c')
-rw-r--r-- | utility/tpmc.c | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/utility/tpmc.c b/utility/tpmc.c index beb739f9..d7c76f01 100644 --- a/utility/tpmc.c +++ b/utility/tpmc.c @@ -452,15 +452,20 @@ command_record command_table[] = { { "setnvlocked", "setnv", "set the nvLocked flag permanently (IRREVERSIBLE!)", TlclSetNvLocked }, #endif - { "lockphysicalpresence", "pplock", "lock (turn off) PP until reboot", - TlclLockPhysicalPresence }, + { "lockphysicalpresence", "pplock", #ifdef TPM2_MODE - { "setbgloballock", "block", "set rollback protection lock until reboot", + "set rollback protection lock for kernel image until reboot", +#else + "lock (turn off) PP until reboot", +#endif TlclLockPhysicalPresence }, + { "setbgloballock", "block", +#ifdef TPM2_MODE + "set rollback protection lock for R/W firmware until reboot", #else - { "setbgloballock", "block", "set the bGlobalLock until reboot", - TlclSetGlobalLock }, + "set the bGlobalLock until reboot", #endif + TlclSetGlobalLock }, { "definespace", "def", "define a space (def <index> <size> <perm>)", HandlerDefineSpace }, { "write", "write", "write to a space (write <index> [<byte0> <byte1> ...])", |
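Review bot: The TPM2_MODE help string added to the "pplock" entry, "set rollback protection lock for kernel image until reboot", does not say that the command disables the platform hierarchy, which is how the commit message's TEST list describes it ("pplock disables PH"). An operator reading the usage output has no hint of that wider effect, so consider naming it in the string, for example "disable platform hierarchy (kernel rollback lock) until reboot". In the same hunk, the "block" entry now resolves to TlclSetGlobalLock in both modes, but the change that makes it lock only the FW index is in tlcl and is not visible in this file, and the long name "setbgloballock" still uses the bGlobalLock term that the non-TPM2 help string refers to. A short comment above the entry saying that under TPM2_MODE this handler write-locks the FW index would keep the table readable without cross-referencing tlcl.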