tpm2: implement locking firmware rollback counter

TPM1.2 is using the somewhat misnamed tlcl_set_global_lock() command function to lock the hardware rollback counter. For TPM2 let's implement and use the TPM2 command to lock an NV Ram location (TPM2_NV_WriteLock). BRANCH=none BUG=chrome-os-partner:50645 TEST=verified that TPM2_NV_WriteLock command is invoked before RO firmware starts RW, and succeeds. Change-Id: I52aa8db95b908488ec4cf0843afeb6310dc7f38b Signed-off-by: Martin Roth <martinroth@chromium.org> Original-Commit-Id: 2f859335dfccfeea900f15bbb8c6cb3fd5ec8c77 Original-Change-Id: I62f22b9991522d4309cccc44180a5ebd4dca488d Original-Signed-off-by: Vadim Bendebury <vbendeb@chromium.org> Original-Reviewed-on: https://chromium-review.googlesource.com/358097 Original-Reviewed-by: Aaron Durbin <adurbin@chromium.org> Original-Reviewed-by: Darren Krahn <dkrahn@chromium.org> Reviewed-on: https://review.coreboot.org/15638 Tested-by: build bot (Jenkins) Reviewed-by: Patrick Georgi <pgeorgi@google.com>
2016-07-03 17:08:10 -07:00
parent 1ec76030ed
commit 4c0851cc37
5 changed files with 49 additions and 17 deletions
--- a/src/include/tpm_lite/tlcl.h
+++ b/src/include/tpm_lite/tlcl.h
@ -135,6 +135,11 @@ uint32_t tlcl_get_flags(uint8_t *disable, uint8_t *deactivated,
 */
 uint32_t tlcl_set_global_lock(void);

+/**
+ * Make an NV Ram location read_only.  The TPM error code is returned.
+ */
+uint32_t tlcl_lock_nv_write(uint32_t index);
+
 /**
 * Perform a TPM_Extend.
 */