Julius Werner would like Joel Kitching to review this change.

vboot: Clear secdata change flags after factory init

factory_initialize_tpm() calls secdata_xxx_create() (for both firmware
and kernel space) and then immediately writes those spaces out to the
TPM. The create() functions make vboot think it just changed the secdata
(because it reinitialized the byte arrays in the context), so we also
need to clear the VB2_CONTEXT_SECDATA_xxx_CHANGED flags again, otherwise
vboot thinks it still needs to flush the spaces out to the TPM even
though we already did that.

Change-Id: I231fadcf7b35a1aec3b39254e7e41c3d456d4911
Signed-off-by: Julius Werner <jwerner@chromium.org>
---
M src/security/vboot/secdata_tpm.c
M src/security/vboot/vboot_logic.c
2 files changed, 6 insertions(+), 3 deletions(-)

git pull ssh://review.coreboot.org:29418/coreboot refs/changes/71/37471/1
diff --git a/src/security/vboot/secdata_tpm.c b/src/security/vboot/secdata_tpm.c
index 0afd00d..e4d49f7 100644
--- a/src/security/vboot/secdata_tpm.c
+++ b/src/security/vboot/secdata_tpm.c
@@ -188,7 +188,7 @@
if (rv != TPM_SUCCESS)
return rv;

- return safe_write(index, data, length);
+ return write_secdata(index, data, length);
}

static uint32_t set_firmware_space(const void *firmware_blob)
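
Review bot: The switch from safe_write() to write_secdata() in this return statement is not covered by the commit message, which only describes clearing the CHANGED flags after factory init. Please explain in the message why this call is being replaced as part of this change, or split it into its own commit. It would also help to confirm that write_secdata() returns the same TPM_SUCCESS-style codes as safe_write(), since the result is returned directly to the caller.
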
@@ -398,6 +398,9 @@
if (result != TPM_SUCCESS)
return result;

+ ctx->flags &= ~(VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED |
+ VB2_CONTEXT_SECDATA_KERNEL_CHANGED);
+
VBDEBUG("TPM: factory initialization successful\n");

return TPM_SUCCESS;
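
Review bot: The new flag clearing before the VBDEBUG line has no comment, so the reason is only recoverable from the commit message. A short comment here saying that both spaces were just written to the TPM above, and that the CHANGED flags set by the create() calls are therefore stale, would keep a later reader from deleting this as dead code. Note also that the earlier "if (result != TPM_SUCCESS) return result;" path leaves both flags set; if that is intended, so that a later save retries the write, it is worth stating in the same comment.
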
diff --git a/src/security/vboot/vboot_logic.c b/src/security/vboot/vboot_logic.c
index ccce148..6c4f8fd 100644
--- a/src/security/vboot/vboot_logic.c
+++ b/src/security/vboot/vboot_logic.c
@@ -265,10 +265,10 @@

void vboot_save_data(struct vb2_context *ctx)
{
- if (ctx->flags & VB2_CONTEXT_SECDATA_CHANGED) {
+ if (ctx->flags & VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED) {
printk(BIOS_INFO, "Saving secdata\n");
antirollback_write_space_firmware(ctx);
- ctx->flags &= ~VB2_CONTEXT_SECDATA_CHANGED;
+ ctx->flags &= ~VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED;
}

vboot_save_nvdata_only(ctx);
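
Review bot: With the flag split into FIRMWARE and KERNEL variants, vboot_save_data() here only tests VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED and only calls antirollback_write_space_firmware(); nothing in this hunk flushes the kernel space when VB2_CONTEXT_SECDATA_KERNEL_CHANGED is set. If kernel secdata is never expected to change on this path, please say so in a comment; otherwise a matching branch for the kernel flag is needed. The "Saving secdata" message could also say "firmware secdata" now that the flag is specific, and the commit message should mention this rename, since it currently only describes the factory-init fix.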

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I231fadcf7b35a1aec3b39254e7e41c3d456d4911
Gerrit-Change-Number: 37471
Gerrit-PatchSet: 1
Gerrit-Owner: Julius Werner <jwerner@chromium.org>
Gerrit-Reviewer: Joel Kitching <kitching@google.com>
Gerrit-MessageType: newchange