1 files changed, 30 insertions, 0 deletions

diff --git a/firmware/2lib/include/2api.h b/firmware/2lib/include/2api.h
index 55753e1e..9bf67727 100644
--- a/firmware/2lib/include/2api.h
+++ b/firmware/2lib/include/2api.h
@@ -29,6 +29,21 @@
 #include "2recovery_reasons.h"
 #include "2return_codes.h"
 
+/* Modes for vb2ex_tpm_set_mode. */
+enum vb2_tpm_mode {
+	/*
+	 * TPM is enabled tentatively, and may be set to either
+	 * ENABLED or DISABLED mode.
+	 */
+	VB2_TPM_MODE_ENABLED_TENTATIVE = 0,
+
+	/* TPM is enabled, and mode may not be changed. */
+	VB2_TPM_MODE_ENABLED = 1,
+
+	/* TPM is disabled, and mode may not be changed. */
+	VB2_TPM_MODE_DISABLED = 2,
+};
+
 /* Flags for vb2_context.
  *
  * Unless otherwise noted, flags are set by verified boot and may be read (but
@@ -697,4 +712,19 @@ int vb2api_digest_buffer(const uint8_t *buf,
 			 uint8_t *digest,
 			 uint32_t digest_size);
 
+/*
+ * Set the current TPM mode value, and validate that it was changed.  If one
+ * of the following occurs, the function call fails:
+ *   - TPM does not understand the instruction (old version)
+ *   - TPM has already left the TpmModeEnabledTentative mode
+ *   - TPM responds with a mode other than the requested mode
+ *   - Some other communication error occurs
+ *  Otherwise, the function call succeeds.
+ *
+ * @param mode_val       Desired TPM mode to set.  May be one of ENABLED
+ *                       or DISABLED from vb2_tpm_mode enum.
+ * @returns VB2_SUCCESS, or non-zero error code.
+ */
+int vb2ex_tpm_set_mode(enum vb2_tpm_mode mode_val);
+
 #endif  /* VBOOT_2_API_H_ */