From 5d996696083b544179da32ece60247b166a17d57 Mon Sep 17 00:00:00 2001
From: Stephen Barber
Date: Thu, 4 Aug 2016 16:05:01 -0700
Subject: tlcl: add implementations for GetOwnership and Read/WriteLock

mount-encrypted needs to be aware of TPM ownership status, and will also want to issue a read lock for the early access NVRAM index.
BRANCH=none
BUG=chromium:625037
TEST=mount-encrypted shows ownership at boot with kevin
Change-Id: I42f43f91d892137e1c46c7cacd88e3b749ce7f04
Reviewed-on: https://chromium-review.googlesource.com/366443
Commit-Ready: Andrey Pronin
Tested-by: Stephen Barber
Reviewed-by: Andrey Pronin
---
 firmware/include/tpm2_tss_constants.h | 5 +++++
 firmware/lib/tpm2_lite/marshaling.c | 18 +++++++++++++++++
 firmware/lib/tpm2_lite/tlcl.c | 38 ++++++++++++++++++++++++++++++++---
 3 files changed, 58 insertions(+), 3 deletions(-)
diff --git a/firmware/include/tpm2_tss_constants.h b/firmware/include/tpm2_tss_constants.h
index bee607be..7b1ab7b6 100644
--- a/firmware/include/tpm2_tss_constants.h
+++ b/firmware/include/tpm2_tss_constants.h
@@ -25,6 +25,7 @@
 #define TPM2_Startup ((TPM_CC)0x00000144)
 #define TPM2_Shutdown ((TPM_CC)0x00000145)
 #define TPM2_NV_Read ((TPM_CC)0x0000014E)
+#define TPM2_NV_ReadLock ((TPM_CC)0x0000014F)
 #define TPM2_GetCapability ((TPM_CC)0x0000017A)
 /* TCG Spec defined, verify for TPM2.
@@ -111,6 +112,10 @@ struct tpm2_nv_write_cmd {
 uint16_t offset;
 };
+struct tpm2_nv_read_lock_cmd {
+ TPMI_RH_NV_INDEX nvIndex;
+};
+
 struct tpm2_nv_write_lock_cmd {
 TPMI_RH_NV_INDEX nvIndex;
 };
diff --git a/firmware/lib/tpm2_lite/marshaling.c b/firmware/lib/tpm2_lite/marshaling.c
index 42e9c401..786bfc0b 100644
--- a/firmware/lib/tpm2_lite/marshaling.c
+++ b/firmware/lib/tpm2_lite/marshaling.c
@@ -349,6 +349,20 @@ static void marshal_nv_read(void **buffer,
 marshal_u16(buffer, command_body->offset, buffer_space);
 }
+static void marshal_nv_read_lock(void **buffer,
+ struct tpm2_nv_read_lock_cmd *command_body,
+ int *buffer_space)
+{
+ struct tpm2_session_header session_header;
+
+ tpm_tag = TPM_ST_SESSIONS;
+ marshal_TPM_HANDLE(buffer, TPM_RH_PLATFORM, buffer_space);
+ marshal_TPM_HANDLE(buffer, command_body->nvIndex, buffer_space);
+ Memset(&session_header, 0, sizeof(session_header));
+ session_header.session_handle = TPM_RS_PW;
+ marshal_session_header(buffer, &session_header, buffer_space);
+}
+
 static void marshal_nv_write_lock(void **buffer,
 struct tpm2_nv_write_lock_cmd *command_body,
 int *buffer_space)
@@ -452,6 +466,10 @@ int tpm_marshal_command(TPM_CC command, void *tpm_command_body,
 marshal_nv_write(&cmd_body, tpm_command_body, &body_size);
 break;
+ case TPM2_NV_ReadLock:
+ marshal_nv_read_lock(&cmd_body, tpm_command_body, &body_size);
+ break;
+
 case TPM2_NV_WriteLock:
 marshal_nv_write_lock(&cmd_body, tpm_command_body, &body_size);
 break;
diff --git a/firmware/lib/tpm2_lite/tlcl.c b/firmware/lib/tpm2_lite/tlcl.c
index 39c97eaa..938fdd66 100644
--- a/firmware/lib/tpm2_lite/tlcl.c
+++ b/firmware/lib/tpm2_lite/tlcl.c
@@ -289,8 +289,16 @@ uint32_t TlclGetSTClearFlags(TPM_STCLEAR_FLAGS *pflags)
 uint32_t TlclGetOwnership(uint8_t *owned)
 {
+ uint32_t rv;
+ TPM_PERMANENT_FLAGS flags;
 *owned = 0;
- VBDEBUG(("%s called, NOT YET IMPLEMENTED\n", __func__));
+
+ rv = TlclGetPermanentFlags(&flags);
+ if (rv != TPM_SUCCESS)
+ return rv;
+
+ *owned = flags.ownerAuthSet;
+
 return TPM_SUCCESS;
 }
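Review bot: marshal_nv_read_lock hard-codes TPM_RH_PLATFORM as the authorizing handle and sends a zeroed password session (TPM_RS_PW), and nothing in the function says so. The lock can therefore only succeed while the platform hierarchy still accepts an empty password, and presumably only for indexes defined to allow platform-authorized reads. The commit description has mount-encrypted issuing this lock, so it is worth confirming the platform hierarchy is still in that state when it runs. I would add a header comment along the lines of `/* Authorizes with the platform hierarchy and an empty password; the TPM rejects the command if that authorization is unavailable. */`. The function appears to mirror marshal_nv_write_lock, whose body is outside this hunk.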
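Review bot: In TlclGetOwnership, `*owned` stays 0 when TlclGetPermanentFlags fails, so a caller that ignores the return value cannot tell a TPM error from an unowned TPM. Since the commit description says mount-encrypted acts on the ownership status, that contract should be stated, e.g. `/* *owned mirrors ownerAuthSet; on failure it is 0 and the error code is returned. */`. Separately, `flags` is read after being filled only by TlclGetPermanentFlags, which is not shown here; a `Memset(&flags, 0, sizeof(flags));` before the call would match the zeroing done elsewhere in this patch and avoid reading indeterminate bytes if that helper ever populates the struct partially.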
@@ -434,13 +442,37 @@ uint32_t TlclPCRRead(uint32_t index, void *data, uint32_t length)
 uint32_t TlclWriteLock(uint32_t index)
 {
- VBDEBUG(("%s called, NOT YET IMPLEMENTED\n", __func__));
+ struct tpm2_nv_write_lock_cmd nv_writelockc;
+ struct tpm2_response *response;
+
+ Memset(&nv_writelockc, 0, sizeof(nv_writelockc));
+
+ nv_writelockc.nvIndex = HR_NV_INDEX | index;
+
+ response = tpm_process_command(TPM2_NV_WriteLock, &nv_writelockc);
+
+ /* Need to map tpm error codes into internal values. */
+ if (!response)
+ return TPM_E_WRITE_FAILURE;
+
 return TPM_SUCCESS;
 }
 uint32_t TlclReadLock(uint32_t index)
 {
- VBDEBUG(("%s called, NOT YET IMPLEMENTED\n", __func__));
+ struct tpm2_nv_read_lock_cmd nv_readlockc;
+ struct tpm2_response *response;
+
+ Memset(&nv_readlockc, 0, sizeof(nv_readlockc));
+
+ nv_readlockc.nvIndex = HR_NV_INDEX | index;
+
+ response = tpm_process_command(TPM2_NV_ReadLock, &nv_readlockc);
+
+ /* Need to map tpm error codes into internal values. */
+ if (!response)
+ return TPM_E_READ_FAILURE;
+
 return TPM_SUCCESS;
 }
--
cgit v1.2.1
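Review bot: TlclWriteLock and TlclReadLock return TPM_SUCCESS whenever tpm_process_command yields a non-NULL response, so a lock command the TPM rejects (failed authorization, or an index without the matching lock attribute) is reported as having locked the index. For a lock primitive this fails open: the caller continues on the assumption that the NVRAM index can no longer be read or written. The in-code comment already notes that TPM error codes are not mapped yet. Until they are, the guard should at least treat a non-zero response code as failure, e.g. `if (!response || response->hdr.tpm_code) return TPM_E_READ_FAILURE;`, with TPM_E_WRITE_FAILURE in TlclWriteLock. The field name is assumed from the library's response header, since struct tpm2_response is not shown in this diff.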