From 4ad42032f45c1a0e069e403adee62f6cc9abd309 Mon Sep 17 00:00:00 2001 From: Andrey Pronin Date: Fri, 11 Nov 2016 18:00:23 -0800 Subject: tpm2_lite: use null password authorization for ReadLock Most of the indexes used in practice, have AUTHREAD set with null password authentication. The only index, for which READ_STCLEAR is set and TlclReadLock() is called is the one used by mount-encrypted. It has AUTHREAD with empty password and should be lockable after platform hierarchy is disabled. So, use null password authorization instead of platform authorization in TlclReadLock(). BUG=chrome-os-partner:54708 BRANCH=none TEST=Start with OOBE, corporate enroll, reboot, verify that the system doesn't go back to OOBE. Check mount-encrypted.log on start: it should contain "Read-locking NVRAM area succeeded". Change-Id: Iaac78ba4dd048edac992adfab6fb94b69b2e989a Reviewed-on: https://chromium-review.googlesource.com/410780 Commit-Ready: Andrey Pronin Tested-by: Andrey Pronin Reviewed-by: Vadim Bendebury --- firmware/lib/tpm2_lite/marshaling.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/firmware/lib/tpm2_lite/marshaling.c b/firmware/lib/tpm2_lite/marshaling.c index 23a46555..97b20fe1 100644 --- a/firmware/lib/tpm2_lite/marshaling.c +++ b/firmware/lib/tpm2_lite/marshaling.c @@ -542,7 +542,7 @@ static void marshal_nv_read_lock(void **buffer, struct tpm2_session_header session_header; tpm_tag = TPM_ST_SESSIONS; - marshal_TPM_HANDLE(buffer, TPM_RH_PLATFORM, buffer_space); + marshal_TPM_HANDLE(buffer, command_body->nvIndex, buffer_space); marshal_TPM_HANDLE(buffer, command_body->nvIndex, buffer_space); memset(&session_header, 0, sizeof(session_header)); session_header.session_handle = TPM_RS_PW; @@ -764,6 +764,7 @@ struct tpm2_response *tpm_unmarshal_response(TPM_CC command, case TPM2_Hierarchy_Control: case TPM2_NV_Write: case TPM2_NV_WriteLock: + case TPM2_NV_ReadLock: case TPM2_Clear: case TPM2_SelfTest: case TPM2_Startup: -- cgit v1.2.1
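Review bot: in the first hunk (marshal_nv_read_lock) the replacement leaves two identical consecutive lines, `marshal_TPM_HANDLE(buffer, command_body->nvIndex, buffer_space);`, which reads like an accidental copy-paste; add a short comment saying that the first marshals the authHandle (the index itself, authorized with a TPM_RS_PW session and the empty password set up just below) and the second marshals the nvIndex parameter, so the next reader does not "fix" it back. The change also makes the command depend on the target index carrying AUTHREAD with an empty auth value, which the commit message states is true for the mount-encrypted index; that precondition should be stated in the TlclReadLock() documentation, since an index that does not meet it will now fail authorization at the TPM instead of being locked via the platform hierarchy.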
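Review bot: the second hunk adds `case TPM2_NV_ReadLock:` to the response-unmarshaling switch, but the commit message only describes the authorization-handle change; please mention this part too, because it changes how ReadLock responses were handled before (the command was not listed in this switch at all). Placing it next to TPM2_NV_WriteLock is consistent, as NV_ReadLock returns no response parameters beyond the header, so nothing further needs parsing.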