<p>Joel Kitching has uploaded this change for <strong>review</strong>.</p><p><a href="https://review.coreboot.org/29646">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">tss: implement tlcl_save_state for running TPM_Shutdown(ST_STATE)<br><br>When an untrusted OS is running, we would like to use the Cr50<br>vendor-specific VENDOR_CC_TPM_MODE command to disable TPM.<br>Before doing this, we should save TPM state. Implement<br>tlcl_save_state for this purpose.<br><br>This needs to live in coreboot codebase since on S3 resume path,<br>depthcharge is not reached.<br><br>BUG=b:70681930,b:118202153<br>TEST=None<br><br>Signed-off-by: Joel Kitching <kitching@google.com><br>Change-Id: I8b51ca68456fc9b655e4dc2d0958b7c040d50510<br>---<br>M src/security/tpm/tss.h<br>M src/security/tpm/tss/tcg-2.0/tss.c<br>M src/security/tpm/tss/tcg-2.0/tss_marshaling.c<br>M src/security/tpm/tss/tcg-2.0/tss_structures.h<br>4 files changed, 48 insertions(+), 0 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://review.coreboot.org:29418/coreboot refs/changes/46/29646/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/security/tpm/tss.h b/src/security/tpm/tss.h</span><br><span>index c053df9..9050ec8 100644</span><br><span>--- a/src/security/tpm/tss.h</span><br><span>+++ b/src/security/tpm/tss.h</span><br><span>@@ -102,6 +102,12 @@</span><br><span> uint32_t tlcl_resume(void);</span><br><span> </span><br><span> /**</span><br><span style="color: hsl(120, 100%, 40%);">+ * Send a TPM_Shutdown(ST_STATE). The TPM error code is returned (0 for</span><br><span style="color: hsl(120, 100%, 40%);">+ * success).</span><br><span style="color: hsl(120, 100%, 40%);">+ */</span><br><span style="color: hsl(120, 100%, 40%);">+uint32_t tlcl_save_state(void);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+/**</span><br><span> * Run the self test.</span><br><span> *</span><br><span> * Note---this is synchronous. To run this in parallel with other firmware,</span><br><span>diff --git a/src/security/tpm/tss/tcg-2.0/tss.c b/src/security/tpm/tss/tcg-2.0/tss.c</span><br><span>index c67fdfa..e579bff 100644</span><br><span>--- a/src/security/tpm/tss/tcg-2.0/tss.c</span><br><span>+++ b/src/security/tpm/tss/tcg-2.0/tss.c</span><br><span>@@ -87,6 +87,35 @@</span><br><span> return tlcl_send_startup(TPM_SU_STATE);</span><br><span> }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+static uint32_t tlcl_send_shutdown(TPM_SU type)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ struct tpm2_shutdown shutdown;</span><br><span style="color: hsl(120, 100%, 40%);">+ struct tpm2_response *response;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ shutdown.shutdown_type = type;</span><br><span style="color: hsl(120, 100%, 40%);">+ response = tpm_process_command(TPM2_Shutdown, &shutdown);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ /* IO error, tpm2_response pointer is empty. */</span><br><span style="color: hsl(120, 100%, 40%);">+ if (response == NULL) {</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_ERR, "%s: TPM communication error\n", __func__);</span><br><span style="color: hsl(120, 100%, 40%);">+ return TPM_E_IOERROR;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ printk(BIOS_INFO, "%s: Shutdown return code is %x\n",</span><br><span style="color: hsl(120, 100%, 40%);">+ __func__, response->hdr.tpm_code);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ if (response->hdr.tpm_code == TPM2_RC_SUCCESS)</span><br><span style="color: hsl(120, 100%, 40%);">+ return TPM_SUCCESS;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Collapse any other errors into TPM_E_IOERROR. */</span><br><span style="color: hsl(120, 100%, 40%);">+ return TPM_E_IOERROR;</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+uint32_t tlcl_save_state(void)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ return tlcl_send_shutdown(TPM_SU_STATE);</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> uint32_t tlcl_assert_physical_presence(void)</span><br><span> {</span><br><span> /*</span><br><span>diff --git a/src/security/tpm/tss/tcg-2.0/tss_marshaling.c b/src/security/tpm/tss/tcg-2.0/tss_marshaling.c</span><br><span>index ad23d9b..af57248 100644</span><br><span>--- a/src/security/tpm/tss/tcg-2.0/tss_marshaling.c</span><br><span>+++ b/src/security/tpm/tss/tcg-2.0/tss_marshaling.c</span><br><span>@@ -28,6 +28,11 @@</span><br><span> return obuf_write_be16(ob, cmd_body->startup_type);</span><br><span> }</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+static int marshal_shutdown(struct obuf *ob, struct tpm2_shutdown *cmd_body)</span><br><span style="color: hsl(120, 100%, 40%);">+{</span><br><span style="color: hsl(120, 100%, 40%);">+ return obuf_write_be16(ob, cmd_body->shutdown_type);</span><br><span style="color: hsl(120, 100%, 40%);">+}</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> static int marshal_get_capability(struct obuf *ob,</span><br><span> struct tpm2_get_capability *cmd_body)</span><br><span> {</span><br><span>@@ -302,6 +307,10 @@</span><br><span> rc |= marshal_startup(ob, tpm_command_body);</span><br><span> break;</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+ case TPM2_Shutdown:</span><br><span style="color: hsl(120, 100%, 40%);">+ rc |= marshal_shutdown(ob, tpm_command_body);</span><br><span style="color: hsl(120, 100%, 40%);">+ break;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> case TPM2_GetCapability:</span><br><span> rc |= marshal_get_capability(ob, tpm_command_body);</span><br><span> break;</span><br><span>@@ -499,6 +508,9 @@</span><br><span> case TPM2_Startup:</span><br><span> break;</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+ case TPM2_Shutdown:</span><br><span style="color: hsl(120, 100%, 40%);">+ break;</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span> case TPM2_GetCapability:</span><br><span> rc |= unmarshal_get_capability(ib, &tpm2_resp->gc);</span><br><span> break;</span><br><span>diff --git a/src/security/tpm/tss/tcg-2.0/tss_structures.h b/src/security/tpm/tss/tcg-2.0/tss_structures.h</span><br><span>index e902f3c..12c84e1 100644</span><br><span>--- a/src/security/tpm/tss/tcg-2.0/tss_structures.h</span><br><span>+++ b/src/security/tpm/tss/tcg-2.0/tss_structures.h</span><br><span>@@ -71,6 +71,7 @@</span><br><span> #define TPM2_NV_WriteLock ((TPM_CC)0x00000138)</span><br><span> #define TPM2_SelfTest ((TPM_CC)0x00000143)</span><br><span> #define TPM2_Startup ((TPM_CC)0x00000144)</span><br><span style="color: hsl(120, 100%, 40%);">+#define TPM2_Shutdown ((TPM_CC)0x00000145)</span><br><span> #define TPM2_NV_Read ((TPM_CC)0x0000014E)</span><br><span> #define TPM2_GetCapability ((TPM_CC)0x0000017A)</span><br><span> #define TPM2_PCR_Extend ((TPM_CC)0x00000182)</span><br><span></span><br></pre><p>To view, visit <a href="https://review.coreboot.org/29646">change 29646</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://review.coreboot.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://review.coreboot.org/29646"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: coreboot </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>
<div style="display:none"> Gerrit-Change-Id: I8b51ca68456fc9b655e4dc2d0958b7c040d50510 </div>
<div style="display:none"> Gerrit-Change-Number: 29646 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Joel Kitching <kitching@google.com> </div>