Currently the code considers the absence of the NVRAM firmware
rollback space a a trigger for invoking the TPM factory initialization
sequence.
Note that the kernel rollback and MRC cache hash spaces are created
after the firmware rollback space. This opens an ever so narrow window
of opportunity for bricking the device, in case a startup is
interrupted after firmware space has been created, but before kernel
and MRC hash spaces are created.
The suggested solution is to create the firmware space last, and to
allow for kernel and MRC cache spaces to exist during TPM factory
initialization.
BRANCH=none
BUG=chrome-os-partner:59654
TEST=odified the code not to create the firmware space, wiped out the
TPM NVRAM and booted the device. Observed it create kernel and
MRC cache spaces on the first run, and then reporting return code
0x14c for already existing spaces on the following restarts.
Verified that the device boots fine in normal and recovery modes
and TPM NVRAM spaces are writeable in recovery mode.
Change-Id: Id0e772448d6af1340e800ec3b78ec67913aa6289
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://review.coreboot.org/17398
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Tested-by: build bot (Jenkins)
This function is not used anywhere else in the code.
BRANCH=none
BUG=none
TEST=reef and kevin boards (using tpm1.2 and tpm2.0 respectively)
build successfully.
Change-Id: Ifcc345ae9c22b25fdcfc2e547e70766021d27e32
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://review.coreboot.org/17387
Reviewed-by: Furquan Shaikh <furquan@google.com>
Tested-by: build bot (Jenkins)
1. Add a new index for recovery hash space in TPM - 0x100b
2. Add helper functions to read/write/lock recovery hash space in TPM
3. Add Kconfig option that can be selected by mainboards that want to
define this space.
4. Lock this new space while jumping from RO to RW.
BUG=chrome-os-partner:59355
BRANCH=None
TEST=Verified use of recovery hash space on reef.
Change-Id: I1cacd54f0a896d0f2af32d4b7c9ae581a918f9bb
Signed-off-by: Furquan Shaikh <furquan@chromium.org>
Reviewed-on: https://review.coreboot.org/17273
Tested-by: build bot (Jenkins)
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
There is no code which uses the backup space in TPM created for vboot
nvram.
All chromebooks currently supported at the trunk store vboot nvram
in flash directly or as a backup.
BUG=chrome-os-partner:47915
BRANCH=none
TEST=emerge-samus coreboot
Change-Id: I9445dfd822826d668b3bfed8ca50dc9386f2b2b0
Signed-off-by: Patrick Georgi <pgeorgi@chromium.org>
Original-Commit-Id: 5cee2d54c96ad7952af2a2c1f773ba09c5248f41
Original-Change-Id: Ied0cec0ed489df3b39f6b9afd3941f804557944f
Original-Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Original-Reviewed-on: https://chromium-review.googlesource.com/395507
Original-Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://review.coreboot.org/16997
Tested-by: build bot (Jenkins)
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Reviewed-by: Martin Roth <martinroth@google.com>
Function which invoked when TPM clear is requested was left empty,
this patch fixes it.
BRANCH=gru
BUG=chrome-os-partner:57411
TEST=verified on a chromeos device that tpm is in fact cleared when
CLEAR_TPM_OWNER_REQUEST is set by userland.
Change-Id: I4370792afd512309ecf7f4961ed4d44a04a3e2aa
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://review.coreboot.org/16805
Tested-by: build bot (Jenkins)
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@googlemail.com>
VBOOT_VERIFY_FIRMWARE should be independent of CHROMEOS. This allows use
of verified boot library without having to stick to CHROMEOS.
BUG=chrome-os-partner:55639
Change-Id: Ia2c328712caedd230ab295b8a613e3c1ed1532d9
Signed-off-by: Furquan Shaikh <furquan@google.com>
Reviewed-on: https://review.coreboot.org/15867
Tested-by: build bot (Jenkins)
Reviewed-by: Duncan Laurie <dlaurie@chromium.org>
