<p>Philipp Deppenwiese <strong>merged</strong> this change.</p><p><a href="https://review.coreboot.org/28085">View Change</a></p><div style="white-space:pre-wrap">Approvals:
build bot (Jenkins): Verified
Philipp Deppenwiese: Looks good to me, approved
Patrick Rudolph: Looks good to me, but someone else must approve
</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">security/tpm: Fix TPM 1.2 state machine issues<br><br>* Fix ACPI resume path compilation for TPM ramstage<br> driver<br>* Move enabling of the TPM prior activation and remove<br> reboot return status from TPM enable.<br><br>More information can be found via the TCG<br>specification v1.2<br><br>Tested=Elgon<br><br>Change-Id: Ided110e0c1889b302e29acac6d8d2341f97eb10b<br>Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org><br>Reviewed-on: https://review.coreboot.org/28085<br>Reviewed-by: Patrick Rudolph <patrick.rudolph@9elements.com><br>Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com><br>Tested-by: build bot (Jenkins) <no-reply@coreboot.org><br>---<br>M src/drivers/tpm/tpm.c<br>M src/security/tpm/tspi/tspi.c<br>2 files changed, 18 insertions(+), 19 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/drivers/tpm/tpm.c b/src/drivers/tpm/tpm.c</span><br><span>index e4a81c3..77d3a8e 100644</span><br><span>--- a/src/drivers/tpm/tpm.c</span><br><span>+++ b/src/drivers/tpm/tpm.c</span><br><span>@@ -18,16 +18,18 @@</span><br><span> #include <bootstate.h></span><br><span> #include <security/tpm/tspi.h></span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">-#if IS_ENABLED(CONFIG_ARCH_X86)</span><br><span style="color: hsl(120, 100%, 40%);">+#if IS_ENABLED(CONFIG_HAVE_ACPI_RESUME)</span><br><span> #include <arch/acpi.h></span><br><span> #endif</span><br><span> </span><br><span> static void init_tpm_dev(void *unused)</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">-#if IS_ENABLED(CONFIG_ARCH_X86)</span><br><span style="color: hsl(120, 100%, 40%);">+#if IS_ENABLED(CONFIG_HAVE_ACPI_RESUME)</span><br><span> int s3resume = acpi_is_wakeup_s3();</span><br><span> tpm_setup(s3resume);</span><br><span> #else</span><br><span style="color: hsl(120, 100%, 40%);">+ /* This can lead to PCR reset attacks but currently there</span><br><span style="color: hsl(120, 100%, 40%);">+ is no generic way to detect resume on other platforms. */</span><br><span> tpm_setup(false);</span><br><span> #endif</span><br><span> }</span><br><span>diff --git a/src/security/tpm/tspi/tspi.c b/src/security/tpm/tspi/tspi.c</span><br><span>index 950e930..fccf224 100644</span><br><span>--- a/src/security/tpm/tspi/tspi.c</span><br><span>+++ b/src/security/tpm/tspi/tspi.c</span><br><span>@@ -25,17 +25,27 @@</span><br><span> #if IS_ENABLED(CONFIG_TPM1)</span><br><span> static uint32_t tpm1_invoke_state_machine(void)</span><br><span> {</span><br><span style="color: hsl(0, 100%, 40%);">- uint8_t disable;</span><br><span style="color: hsl(120, 100%, 40%);">+ uint8_t disabled;</span><br><span> uint8_t deactivated;</span><br><span> uint32_t result = TPM_SUCCESS;</span><br><span> </span><br><span> /* Check that the TPM is enabled and activated. */</span><br><span style="color: hsl(0, 100%, 40%);">- result = tlcl_get_flags(&disable, &deactivated, NULL);</span><br><span style="color: hsl(120, 100%, 40%);">+ result = tlcl_get_flags(&disabled, &deactivated, NULL);</span><br><span> if (result != TPM_SUCCESS) {</span><br><span> printk(BIOS_ERR, "TPM: Can't read capabilities.\n");</span><br><span> return result;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+ if (disabled) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_INFO, "TPM: is disabled. Enabling...\n");</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ result = tlcl_set_enable();</span><br><span style="color: hsl(120, 100%, 40%);">+ if (result != TPM_SUCCESS) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_ERR, "TPM: Can't set enabled state.\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ return result;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> if (!!deactivated != IS_ENABLED(CONFIG_TPM_DEACTIVATE)) {</span><br><span> printk(BIOS_INFO,</span><br><span> "TPM: Unexpected TPM deactivated state. Toggling...\n");</span><br><span>@@ -50,19 +60,6 @@</span><br><span> result = TPM_E_MUST_REBOOT;</span><br><span> }</span><br><span> </span><br><span style="color: hsl(0, 100%, 40%);">- if (disable && !deactivated) {</span><br><span style="color: hsl(0, 100%, 40%);">- printk(BIOS_INFO, "TPM: disabled (%d). Enabling...\n", disable);</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span style="color: hsl(0, 100%, 40%);">- result = tlcl_set_enable();</span><br><span style="color: hsl(0, 100%, 40%);">- if (result != TPM_SUCCESS) {</span><br><span style="color: hsl(0, 100%, 40%);">- printk(BIOS_ERR, "TPM: Can't set enabled state.\n");</span><br><span style="color: hsl(0, 100%, 40%);">- return result;</span><br><span style="color: hsl(0, 100%, 40%);">- }</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span style="color: hsl(0, 100%, 40%);">- printk(BIOS_INFO, "TPM: Must reboot to re-enable\n");</span><br><span style="color: hsl(0, 100%, 40%);">- result = TPM_E_MUST_REBOOT;</span><br><span style="color: hsl(0, 100%, 40%);">- }</span><br><span style="color: hsl(0, 100%, 40%);">-</span><br><span> return result;</span><br><span> }</span><br><span> #endif</span><br><span>@@ -122,8 +119,8 @@</span><br><span> result = tlcl_physical_presence_cmd_enable();</span><br><span> if (result != TPM_SUCCESS) {</span><br><span> printk(</span><br><span style="color: hsl(0, 100%, 40%);">- BIOS_ERR,</span><br><span style="color: hsl(0, 100%, 40%);">- "TPM: Can't enable physical presence command.\n");</span><br><span style="color: hsl(120, 100%, 40%);">+ BIOS_ERR,</span><br><span style="color: hsl(120, 100%, 40%);">+ "TPM: Can't enable physical presence command.\n");</span><br><span> goto out;</span><br><span> }</span><br><span> </span><br><span></span><br></pre><p>To view, visit <a href="https://review.coreboot.org/28085">change 28085</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://review.coreboot.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://review.coreboot.org/28085"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: coreboot </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-MessageType: merged </div>
<div style="display:none"> Gerrit-Change-Id: Ided110e0c1889b302e29acac6d8d2341f97eb10b </div>
<div style="display:none"> Gerrit-Change-Number: 28085 </div>
<div style="display:none"> Gerrit-PatchSet: 11 </div>
<div style="display:none"> Gerrit-Owner: Philipp Deppenwiese <zaolin.daisuki@gmail.com> </div>
<div style="display:none"> Gerrit-Reviewer: Patrick Rudolph <patrick.rudolph@9elements.com> </div>
<div style="display:none"> Gerrit-Reviewer: Paul Menzel <paulepanter@users.sourceforge.net> </div>
<div style="display:none"> Gerrit-Reviewer: Philipp Deppenwiese <zaolin.daisuki@gmail.com> </div>
<div style="display:none"> Gerrit-Reviewer: Randall Spangler <randall@spanglers.com> </div>
<div style="display:none"> Gerrit-Reviewer: Vadim Bendebury <vbendeb@chromium.org> </div>
<div style="display:none"> Gerrit-Reviewer: Vadim Bendebury <vbendeb@google.com> </div>
<div style="display:none"> Gerrit-Reviewer: build bot (Jenkins) <no-reply@coreboot.org> </div>
<div style="display:none"> Gerrit-CC: Patrick Georgi <pgeorgi@google.com> </div>