<p>Philipp Deppenwiese has uploaded this change for <strong>review</strong>.</p><p><a href="https://review.coreboot.org/28085">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">security/tpm: Fix TPM 1.2 state machine issues<br><br>* Add hard_reset mechanism and result checks<br>  for the ramstage TPM driver.<br>* Move enabling TPM before activating otherwise<br>  it isn't successful.<br><br>More information can be found via the TCG<br>specification.<br><br>Tested=Elgon<br><br>Change-Id: Ided110e0c1889b302e29acac6d8d2341f97eb10b<br>Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org><br>---<br>M src/drivers/tpm/tpm.c<br>M src/security/tpm/tspi/tspi.c<br>2 files changed, 24 insertions(+), 19 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://review.coreboot.org:29418/coreboot refs/changes/85/28085/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/drivers/tpm/tpm.c b/src/drivers/tpm/tpm.c</span><br><span>index e4a81c3..e7c1165 100644</span><br><span>--- a/src/drivers/tpm/tpm.c</span><br><span>+++ b/src/drivers/tpm/tpm.c</span><br><span>@@ -17,6 +17,7 @@</span><br><span> #include <stddef.h></span><br><span> #include <bootstate.h></span><br><span> #include <security/tpm/tspi.h></span><br><span style="color: hsl(120, 100%, 40%);">+#include <reset.h></span><br><span> </span><br><span> #if IS_ENABLED(CONFIG_ARCH_X86)</span><br><span> #include <arch/acpi.h></span><br><span>@@ -24,12 +25,15 @@</span><br><span> </span><br><span> static void init_tpm_dev(void *unused)</span><br><span> {</span><br><span style="color: hsl(120, 100%, 40%);">+   uint32_t result;</span><br><span> #if IS_ENABLED(CONFIG_ARCH_X86)</span><br><span>  int s3resume = acpi_is_wakeup_s3();</span><br><span style="color: hsl(0, 100%, 40%);">-     tpm_setup(s3resume);</span><br><span style="color: hsl(120, 100%, 40%);">+  result = 
tpm_setup(s3resume);</span><br><span> #else</span><br><span style="color: hsl(0, 100%, 40%);">-  tpm_setup(false);</span><br><span style="color: hsl(120, 100%, 40%);">+     result = tpm_setup(false);</span><br><span> #endif</span><br><span style="color: hsl(120, 100%, 40%);">+  if (result == TPM_E_MUST_REBOOT)</span><br><span style="color: hsl(120, 100%, 40%);">+              do_hard_reset();</span><br><span> }</span><br><span> </span><br><span> BOOT_STATE_INIT_ENTRY(BS_DEV_INIT, BS_ON_ENTRY, init_tpm_dev, NULL);</span><br><span>diff --git a/src/security/tpm/tspi/tspi.c b/src/security/tpm/tspi/tspi.c</span><br><span>index 950e930..f3093e7 100644</span><br><span>--- a/src/security/tpm/tspi/tspi.c</span><br><span>+++ b/src/security/tpm/tspi/tspi.c</span><br><span>@@ -25,17 +25,31 @@</span><br><span> #if IS_ENABLED(CONFIG_TPM1)</span><br><span> static uint32_t tpm1_invoke_state_machine(void)</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">-     uint8_t disable;</span><br><span style="color: hsl(120, 100%, 40%);">+      uint8_t disabled;</span><br><span>    uint8_t deactivated;</span><br><span>         uint32_t result = TPM_SUCCESS;</span><br><span> </span><br><span>   /* Check that the TPM is enabled and activated. 
*/</span><br><span style="color: hsl(0, 100%, 40%);">-      result = tlcl_get_flags(&disable, &deactivated, NULL);</span><br><span style="color: hsl(120, 100%, 40%);">+        result = tlcl_get_flags(&disabled, &deactivated, NULL);</span><br><span>      if (result != TPM_SUCCESS) {</span><br><span>                 printk(BIOS_ERR, "TPM: Can't read capabilities.\n");</span><br><span>           return result;</span><br><span>       }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+ if (disabled) {</span><br><span style="color: hsl(120, 100%, 40%);">+               printk(BIOS_INFO, "TPM: disabled (%d)."</span><br><span style="color: hsl(120, 100%, 40%);">+                    "Enabling...\n", disabled);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+                result = tlcl_set_enable();</span><br><span style="color: hsl(120, 100%, 40%);">+           if (result != TPM_SUCCESS) {</span><br><span style="color: hsl(120, 100%, 40%);">+                  printk(BIOS_ERR, "TPM: Can't set enabled state.\n");</span><br><span style="color: hsl(120, 100%, 40%);">+                    return result;</span><br><span style="color: hsl(120, 100%, 40%);">+                }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+           printk(BIOS_INFO, "TPM: Must reboot to re-enable\n");</span><br><span style="color: hsl(120, 100%, 40%);">+               result = TPM_E_MUST_REBOOT;</span><br><span style="color: hsl(120, 100%, 40%);">+   }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span>  if (!!deactivated != IS_ENABLED(CONFIG_TPM_DEACTIVATE)) {</span><br><span>            printk(BIOS_INFO,</span><br><span>                   "TPM: Unexpected TPM deactivated state. 
Toggling...\n");</span><br><span>@@ -50,19 +64,6 @@</span><br><span>               result = TPM_E_MUST_REBOOT;</span><br><span>  }</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-   if (disable && !deactivated) {</span><br><span style="color: hsl(0, 100%, 40%);">-          printk(BIOS_INFO, "TPM: disabled (%d). Enabling...\n", disable);</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span style="color: hsl(0, 100%, 40%);">-              result = tlcl_set_enable();</span><br><span style="color: hsl(0, 100%, 40%);">-             if (result != TPM_SUCCESS) {</span><br><span style="color: hsl(0, 100%, 40%);">-                    printk(BIOS_ERR, "TPM: Can't set enabled state.\n");</span><br><span style="color: hsl(0, 100%, 40%);">-                      return result;</span><br><span style="color: hsl(0, 100%, 40%);">-          }</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span style="color: hsl(0, 100%, 40%);">-               printk(BIOS_INFO, "TPM: Must reboot to re-enable\n");</span><br><span style="color: hsl(0, 100%, 40%);">-         result = TPM_E_MUST_REBOOT;</span><br><span style="color: hsl(0, 100%, 40%);">-     }</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span>    return result;</span><br><span> }</span><br><span> #endif</span><br><span>@@ -122,8 +123,8 @@</span><br><span>          result = tlcl_physical_presence_cmd_enable();</span><br><span>                if (result != TPM_SUCCESS) {</span><br><span>                         printk(</span><br><span style="color: hsl(0, 100%, 40%);">-                     BIOS_ERR,</span><br><span style="color: hsl(0, 100%, 40%);">-                       "TPM: Can't enable physical presence command.\n");</span><br><span style="color: hsl(120, 100%, 40%);">+                          BIOS_ERR,</span><br><span style="color: hsl(120, 100%, 40%);">+                             "TPM: Can't enable physical presence command.\n");</span><br><span>                
     goto out;</span><br><span>            }</span><br><span> </span><br><span></span><br></pre><p>To view, visit <a href="https://review.coreboot.org/28085">change 28085</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://review.coreboot.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://review.coreboot.org/28085"/><meta itemprop="name" content="View Change"/></div></div>
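Review bot: in init_tpm_dev() in src/drivers/tpm/tpm.c, do_hard_reset() is called on every TPM_E_MUST_REBOOT with no message beforehand and no bound on how often it can happen, so a TPM that keeps reporting the same state could reset the board repeatedly with nothing in the log to explain why. Please add a printk before the reset, and say whether the S3 resume path (s3resume is passed to tpm_setup()) is meant to hard reset as well. Any other non-success value in result is still dropped silently; logging it here would make a failed TPM setup visible.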
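Review bot: in the first src/security/tpm/tspi/tspi.c hunk, the split string in the new "if (disabled)" block of tpm1_invoke_state_machine() joins to "TPM: disabled (%d).Enabling...", losing the space that the removed single-line message had; end the first literal with "(%d). " to restore it. The block also sets result = TPM_E_MUST_REBOOT and then falls through into the deactivated check, which uses the flag value read before tlcl_set_enable() was issued. Since the old check also required !deactivated and the new one does not, a one-line comment stating that the fall-through is intended would help the next reader.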
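Review bot: the last src/security/tpm/tspi/tspi.c hunk (after tlcl_physical_presence_cmd_enable()) only re-indents the BIOS_ERR argument and the message string of the printk; the text itself is unchanged. That is unrelated to the state machine fix described in the commit message, so please drop it from this change or move it to a separate cleanup commit.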

<div style="display:none"> Gerrit-Project: coreboot </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>
<div style="display:none"> Gerrit-Change-Id: Ided110e0c1889b302e29acac6d8d2341f97eb10b </div>
<div style="display:none"> Gerrit-Change-Number: 28085 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Philipp Deppenwiese <zaolin.daisuki@gmail.com> </div>