-rw-r--r--firmware/include/tpm2_marshaling.h13
-rw-r--r--firmware/lib/tpm2_lite/marshaling.c5
-rw-r--r--firmware/lib/tpm2_lite/tlcl.c20
-rw-r--r--firmware/linktest/main.c2
-rw-r--r--utility/tpmc.c15
5 files changed, 48 insertions, 7 deletions
diff --git a/firmware/include/tpm2_marshaling.h b/firmware/include/tpm2_marshaling.h
index 2022986b..3d6fb8aa 100644
--- a/firmware/include/tpm2_marshaling.h
+++ b/firmware/include/tpm2_marshaling.h
@@ -50,11 +50,22 @@ struct tpm2_response *tpm_unmarshal_response(TPM_CC command,
* tpm_set_ph_disabled
*
* Sets the flag that indicates if platform hierarchy is disabled.
- * certain commands, like NV_Read, may need to use different
+ * Certain commands, like NV_Read, may need to use different
* authorization if platform hierarchy is disabled.
*
* @flag: 1 if platform hierarchy is disabled, 0 otherwise
*/
void tpm_set_ph_disabled(int flag);
+/**
+ * tpm_is_ph_disabled
+ *
+ * Gets the flag that indicates if platform hierarchy is disabled.
+ * Certain commands, like NV_Read, may need to use different
+ * authorization if platform hierarchy is disabled.
+ *
+ * Returns 1 if platform hierarchy is disabled, 0 otherwise
+ */
+int tpm_is_ph_disabled(void);
+
#endif // __SRC_LIB_TPM2_MARSHALING_H
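Review bot: The new tpm_is_ph_disabled() comment says it "Gets the flag that indicates if platform hierarchy is disabled", which reads as if the TPM is queried, but the implementation in marshaling.c only returns the value last stored by tpm_set_ph_disabled(); callers that use it to skip TPM commands (tlcl.c in this commit) are trusting a firmware-side cache. I would make that explicit in the header so nobody later treats it as ground truth: replace the "Gets the flag…" sentence with `* Returns the value last stored by tpm_set_ph_disabled(). This is a firmware-side cache and does not query the TPM; it is only as accurate as the callers that maintain it.` and keep the existing "Returns 1 … 0 otherwise" line.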
diff --git a/firmware/lib/tpm2_lite/marshaling.c b/firmware/lib/tpm2_lite/marshaling.c
index 73285c3d..037e696d 100644
--- a/firmware/lib/tpm2_lite/marshaling.c
+++ b/firmware/lib/tpm2_lite/marshaling.c
@@ -520,3 +520,8 @@ void tpm_set_ph_disabled(int flag)
{
ph_disabled = flag;
}
+
+int tpm_is_ph_disabled(void)
+{
+ return ph_disabled;
+}
diff --git a/firmware/lib/tpm2_lite/tlcl.c b/firmware/lib/tpm2_lite/tlcl.c
index a03125d3..efc528d1 100644
--- a/firmware/lib/tpm2_lite/tlcl.c
+++ b/firmware/lib/tpm2_lite/tlcl.c
@@ -277,6 +277,23 @@ static uint32_t tlcl_disable_platform_hierarchy(void)
}
/**
+ * The name of the function was kept to maintain the existing TPM API, but
+ * TPM2.0 does not use the global lock to protect the FW rollback counter.
+ * Instead it calls WriteLock for the FW NVRAM index to prevent future
+ * writes to it.
+ *
+ * It first checks if the platform hierarchy is already disabled, and does
+ * nothing, if so. Otherwise, WriteLock for the index obviously fails.
+ */
+uint32_t TlclSetGlobalLock(void)
+{
+ if (tpm_is_ph_disabled())
+ return TPM_SUCCESS;
+ else
+ return tlcl_lock_nv_write(FIRMWARE_NV_INDEX);
+}
+
+/**
* Turn off physical presence and locks it off until next reboot. The TPM
* error code is returned.
*
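Review bot: TlclSetGlobalLock() reports TPM_SUCCESS from a cached flag without having locked FIRMWARE_NV_INDEX in this call, so a caller that treats success as "the FW rollback index is now write-locked" is relying on the flag only ever being set after the platform hierarchy was really disabled; if the cache can be set while the hierarchy is still enabled (not visible here), the index stays writable and the error is swallowed. The header comment should state that contract rather than "WriteLock for the index obviously fails", e.g. `* Returns TPM_SUCCESS without issuing a command when the cached ph_disabled flag is set, on the assumption that the index is then already unwritable without platform auth; otherwise returns the result of the WriteLock.` Style-wise the `else` after a `return` is dead weight; the body reads better as `if (tpm_is_ph_disabled())` / `return TPM_SUCCESS;` / `return tlcl_lock_nv_write(FIRMWARE_NV_INDEX);`.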
@@ -292,6 +309,9 @@ uint32_t TlclLockPhysicalPresence(void)
{
uint32_t rv;
+ if (tpm_is_ph_disabled())
+ return TPM_SUCCESS;
+
rv = tlcl_lock_nv_write(KERNEL_NV_INDEX);
if (rv == TPM_SUCCESS)
rv = tlcl_disable_platform_hierarchy();
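Review bot: The new early return skips the KERNEL_NV_INDEX WriteLock entirely once the cached flag says the platform hierarchy is disabled, so the function's success no longer guarantees that lock was ever applied; that is only safe if the index cannot be written without platform auth, which this hunk does not show. Nothing in the visible lines records the newly disabled state with tpm_set_ph_disabled(1) after tlcl_disable_platform_hierarchy() succeeds; if that is not done inside the helper (outside this view), a second call will retry the WriteLock against a disabled hierarchy and fail instead of hitting the new shortcut. I would add a comment above the guard, `/* Hierarchy already disabled (cached): the kernel index is assumed unwritable without platform auth, so there is nothing left to lock. */`, and confirm where the flag gets set. TlclLockPhysicalPresence's body continues past the end of this hunk.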
diff --git a/firmware/linktest/main.c b/firmware/linktest/main.c
index 1c9b614d..9dca9571 100644
--- a/firmware/linktest/main.c
+++ b/firmware/linktest/main.c
@@ -44,13 +44,13 @@ int main(void)
TlclSetEnable();
TlclSetDeactivated(0);
TlclGetFlags(0, 0, 0);
+ TlclSetGlobalLock();
TlclExtend(0, 0, 0);
TlclGetPermissions(0, 0);
#ifndef TPM2_MODE
TlclAssertPhysicalPresence();
TlclSetNvLocked();
TlclClearEnable();
- TlclSetGlobalLock();
#endif
/* vboot_api.h - entry points INTO vboot_reference */
diff --git a/utility/tpmc.c b/utility/tpmc.c
index beb739f9..d7c76f01 100644
--- a/utility/tpmc.c
+++ b/utility/tpmc.c
@@ -452,15 +452,20 @@ command_record command_table[] = {
{ "setnvlocked", "setnv", "set the nvLocked flag permanently (IRREVERSIBLE!)",
TlclSetNvLocked },
#endif
- { "lockphysicalpresence", "pplock", "lock (turn off) PP until reboot",
- TlclLockPhysicalPresence },
+ { "lockphysicalpresence", "pplock",
#ifdef TPM2_MODE
- { "setbgloballock", "block", "set rollback protection lock until reboot",
+ "set rollback protection lock for kernel image until reboot",
+#else
+ "lock (turn off) PP until reboot",
+#endif
TlclLockPhysicalPresence },
+ { "setbgloballock", "block",
+#ifdef TPM2_MODE
+ "set rollback protection lock for R/W firmware until reboot",
#else
- { "setbgloballock", "block", "set the bGlobalLock until reboot",
- TlclSetGlobalLock },
+ "set the bGlobalLock until reboot",
#endif
+ TlclSetGlobalLock },
{ "definespace", "def", "define a space (def <index> <size> <perm>)",
HandlerDefineSpace },
{ "write", "write", "write to a space (write <index> [<byte0> <byte1> ...])",
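Review bot: The TPM2 help text for "lockphysicalpresence" only mentions the kernel rollback lock, but TlclLockPhysicalPresence also disables the platform hierarchy (visible in tlcl.c in this commit), after which "setbgloballock" silently returns success without locking the firmware index; an operator who runs `pplock` before `block` gets no indication the R/W firmware lock was never applied. The help strings should carry that ordering dependency, e.g. `"lock kernel rollback index and disable platform hierarchy until reboot (run after 'block')"` for pplock and `"set rollback protection lock for R/W firmware until reboot (no-op once PH is disabled)"` for block.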