sravan/system76-coreboot
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

tpm2: implement locking firmware rollback counter

Browse Source 
TPM1.2 is using the somewhat misnamed tlcl_set_global_lock() command
function to lock the hardware rollback counter. For TPM2 let's
implement and use the TPM2 command to lock an NV Ram location
(TPM2_NV_WriteLock).

BRANCH=none
BUG=chrome-os-partner:50645
TEST=verified that TPM2_NV_WriteLock command is invoked before RO
     firmware starts RW, and succeeds.

Change-Id: I52aa8db95b908488ec4cf0843afeb6310dc7f38b
Signed-off-by: Martin Roth <martinroth@chromium.org>
Original-Commit-Id: 2f859335dfccfeea900f15bbb8c6cb3fd5ec8c77
Original-Change-Id: I62f22b9991522d4309cccc44180a5ebd4dca488d
Original-Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Original-Reviewed-on: https://chromium-review.googlesource.com/358097
Original-Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Original-Reviewed-by: Darren Krahn <dkrahn@chromium.org>
Reviewed-on: https://review.coreboot.org/15638
Tested-by: build bot (Jenkins)
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
This commit is contained in:
Vadim Bendebury
2016-07-03 17:08:10 -07:00
committed by Martin Roth
parent 1ec76030ed
commit 4c0851cc37
5 changed files with 49 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
src/lib/tpm2_marshaling.c
View File

@@ -303,6 +303,15 @@ static void marshal_nv_write(void **buffer,
marshal_u16(buffer, command_body->offset, buffer_space);
}
static void marshal_nv_write_lock(void **buffer,
struct tpm2_nv_write_lock_cmd *command_body,
size_t *buffer_space)
{
uint32_t handles[] = { TPM_RH_PLATFORM, command_body->nvIndex };
marshal_common_session_header(buffer, handles,
ARRAY_SIZE(handles), buffer_space);
}
static void marshal_nv_read(void **buffer,
struct tpm2_nv_read_cmd *command_body,
size_t *buffer_space)
@@ -364,6 +373,10 @@ int tpm_marshal_command(TPM_CC command, void *tpm_command_body,
marshal_nv_write(&cmd_body, tpm_command_body, &body_size);
break;
case TPM2_NV_WriteLock:
marshal_nv_write_lock(&cmd_body, tpm_command_body, &body_size);
break;
case TPM2_SelfTest:
marshal_selftest(&cmd_body, tpm_command_body, &body_size);
break;
@@ -533,6 +546,7 @@ struct tpm2_response *tpm_unmarshal_response(TPM_CC command,
case TPM2_Clear:
case TPM2_NV_DefineSpace:
case TPM2_NV_Write:
case TPM2_NV_WriteLock:
/* Session data included in response can be safely ignored. */
cr_size = 0;
break;