diff options
| -rw-r--r-- | firmware/include/tlcl.h | 6 | ||||
| -rw-r--r-- | firmware/include/tpm2_marshaling.h | 11 | ||||
| -rw-r--r-- | firmware/lib/tpm2_lite/marshaling.c | 12 | ||||
| -rw-r--r-- | firmware/lib/tpm2_lite/tlcl.c | 5 | ||||
| -rw-r--r-- | firmware/lib/tpm_lite/tlcl.c | 4 | ||||
| -rw-r--r-- | utility/tpmc.c | 1 |
6 files changed, 38 insertions, 1 deletions
diff --git a/firmware/include/tlcl.h b/firmware/include/tlcl.h index 53731200..31347eba 100644 --- a/firmware/include/tlcl.h +++ b/firmware/include/tlcl.h @@ -28,6 +28,12 @@ uint32_t TlclLibInit(void); */ uint32_t TlclLibClose(void); +/** + * Indicate that we access tlcl with user privileges from OS userland + * as opposed to from firmware. May affect required NVRAM read authorization. + */ +void TlclLibAccessAsUser(void); + /* Low-level operations */ /** diff --git a/firmware/include/tpm2_marshaling.h b/firmware/include/tpm2_marshaling.h index c72b076b..2022986b 100644 --- a/firmware/include/tpm2_marshaling.h +++ b/firmware/include/tpm2_marshaling.h @@ -46,4 +46,15 @@ struct tpm2_response *tpm_unmarshal_response(TPM_CC command, void *response_body, int response_size); +/** + * tpm_set_ph_disabled + * + * Sets the flag that indicates if platform hierarchy is disabled. + * certain commands, like NV_Read, may need to use different + * authorization if platform hierarchy is disabled. + * + * @flag: 1 if platform hierarchy is disabled, 0 otherwise + */ +void tpm_set_ph_disabled(int flag); + #endif // __SRC_LIB_TPM2_MARSHALING_H diff --git a/firmware/lib/tpm2_lite/marshaling.c b/firmware/lib/tpm2_lite/marshaling.c index febbc811..3a22b682 100644 --- a/firmware/lib/tpm2_lite/marshaling.c +++ b/firmware/lib/tpm2_lite/marshaling.c @@ -8,6 +8,7 @@ #include "utility.h" static uint16_t tpm_tag; /* Depends on the command type. */ +static int ph_disabled; /* Platform hierarchy disabled. */ static void write_be16(void *dest, uint16_t val) { @@ -263,7 +264,11 @@ static void marshal_nv_read(void **buffer, { struct tpm2_session_header session_header; - marshal_TPM_HANDLE(buffer, command_body->nvIndex, buffer_space); + /* Use empty password auth if platform hierarchy is disabled */ + if (ph_disabled) + marshal_TPM_HANDLE(buffer, command_body->nvIndex, buffer_space); + else + marshal_TPM_HANDLE(buffer, TPM_RH_PLATFORM, buffer_space); marshal_TPM_HANDLE(buffer, command_body->nvIndex, buffer_space); Memset(&session_header, 0, sizeof(session_header)); session_header.session_handle = TPM_RS_PW; @@ -419,3 +424,8 @@ struct tpm2_response *tpm_unmarshal_response(TPM_CC command, /* The entire message have been parsed. */ return &tpm2_resp; } + +void tpm_set_ph_disabled(int flag) +{ + ph_disabled = flag; +} diff --git a/firmware/lib/tpm2_lite/tlcl.c b/firmware/lib/tpm2_lite/tlcl.c index f335ffb6..ae1fa5d8 100644 --- a/firmware/lib/tpm2_lite/tlcl.c +++ b/firmware/lib/tpm2_lite/tlcl.c @@ -52,6 +52,11 @@ uint32_t TlclLibClose(void) return VbExTpmClose(); } +void TlclLibAccessAsUser(void) +{ + tpm_set_ph_disabled(1); +} + uint32_t TlclSendReceive(const uint8_t *request, uint8_t *response, int max_length) { diff --git a/firmware/lib/tpm_lite/tlcl.c b/firmware/lib/tpm_lite/tlcl.c index bf2d27f9..181b516a 100644 --- a/firmware/lib/tpm_lite/tlcl.c +++ b/firmware/lib/tpm_lite/tlcl.c @@ -152,6 +152,10 @@ uint32_t TlclLibClose(void) { return VbExTpmClose(); } +void TlclLibAccessAsUser(void) { + /* no-op for TPM1.2 */ +} + uint32_t TlclStartup(void) { VBDEBUG(("TPM: Startup\n")); return Send(tpm_startup_cmd.buffer); diff --git a/utility/tpmc.c b/utility/tpmc.c index 76a63e02..8d2ed241 100644 --- a/utility/tpmc.c +++ b/utility/tpmc.c @@ -512,6 +512,7 @@ int main(int argc, char* argv[]) { } TlclLibInit(); + TlclLibAccessAsUser(); for (c = command_table; c < command_table + n_commands; c++) { if (strcmp(cmd, c->name) == 0 || strcmp(cmd, c->abbr) == 0) { |