From 11dd2f21307daf384c63977c9035e808bd615c29 Mon Sep 17 00:00:00 2001 From: Vadim Bendebury Date: Fri, 11 Nov 2016 09:25:20 -0800 Subject: tpm2: do not lock kernel space when locking physical presence There is no direct concept of physical presence in TPM2, the platform hierarchy could be used to manage access to various NVRAM spaces instead. The kernel NVRAM space does not have to be explicitly locked, disabling platform hierarchy is enough to prevent writes into this space. BRANCH=none BUG=chrome-os-partner:59651 TEST=verified that the system boots fine in both normal and recovery modes; using tpmc confirmed that the kernel space is readable in both and writeable only in recovery mode. Change-Id: I3cd8344ad897d061f6b07424f1589a7b547a161f Signed-off-by: Vadim Bendebury Reviewed-on: https://chromium-review.googlesource.com/410127 Reviewed-by: Randall Spangler Reviewed-by: Andrey Pronin --- firmware/lib/tpm2_lite/tlcl.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/firmware/lib/tpm2_lite/tlcl.c b/firmware/lib/tpm2_lite/tlcl.c index 84929cfa..bb726f10 100644 --- a/firmware/lib/tpm2_lite/tlcl.c +++ b/firmware/lib/tpm2_lite/tlcl.c @@ -408,16 +408,10 @@ uint32_t TlclSetGlobalLock(void) */ uint32_t TlclLockPhysicalPresence(void) { - uint32_t rv; - if (tpm_is_ph_disabled()) return TPM_SUCCESS; - rv = tlcl_lock_nv_write(KERNEL_NV_INDEX); - if (rv == TPM_SUCCESS) - rv = tlcl_disable_platform_hierarchy(); - - return rv; + return tlcl_disable_platform_hierarchy(); } uint32_t TlclRead(uint32_t index, void* data, uint32_t length) -- cgit v1.2.1
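Review bot: the hunk in TlclLockPhysicalPresence() removes the only explicit write lock on KERNEL_NV_INDEX and makes the space's protection depend entirely on tlcl_disable_platform_hierarchy(), so the comment block that precedes the function (the `*/` context line) should state that assumption: writes to the kernel space are blocked only because the index is defined so that writes require platform authorization, and that property is what the early `if (tpm_is_ph_disabled()) return TPM_SUCCESS;` check and the new single-line body rely on. Also worth checking that tlcl_lock_nv_write() still has a caller after this change; if this was its only user, remove it in the same change so the dead helper does not suggest that the kernel space is still explicitly locked somewhere.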