Philipp Deppenwiese has uploaded this change for review. ( https://review.coreboot.org/29326
Change subject: security/tpm: Move TPM2 NVRAM specific settings ......................................................................
security/tpm: Move TPM2 NVRAM specific settings
* Move TPM2 NVRAM default parameters from vboot to a tpm2 specific header
Change-Id: Iec9d1c272ed8d0872c9bbc406e98a19ac7a376bd Signed-off-by: Philipp Deppenwiese zaolin@das-labor.org --- M src/security/tpm/tss/tcg-2.0/tss_structures.h M src/security/vboot/secdata_tpm.c 2 files changed, 30 insertions(+), 29 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/26/29326/1
diff --git a/src/security/tpm/tss/tcg-2.0/tss_structures.h b/src/security/tpm/tss/tcg-2.0/tss_structures.h index e902f3c..89f7219 100644 --- a/src/security/tpm/tss/tcg-2.0/tss_structures.h +++ b/src/security/tpm/tss/tcg-2.0/tss_structures.h @@ -151,6 +151,36 @@ #define PT_VAR (PT_GROUP * 2) #define TPM_PT_PERMANENT ((TPM_PT)(PT_VAR + 0))
+/* + * Different sets of NVRAM space attributes apply to the "ro" spaces, + * i.e. those which should not be possible to delete or modify once + * the RO exits, and the rest of the NVRAM spaces. + */ +const static TPMA_NV ro_space_attributes = { + .TPMA_NV_PPWRITE = 1, + .TPMA_NV_AUTHREAD = 1, + .TPMA_NV_PPREAD = 1, + .TPMA_NV_PLATFORMCREATE = 1, + .TPMA_NV_WRITE_STCLEAR = 1, + .TPMA_NV_POLICY_DELETE = 1, +}; + +const static TPMA_NV rw_space_attributes = { + .TPMA_NV_PPWRITE = 1, + .TPMA_NV_AUTHREAD = 1, + .TPMA_NV_PPREAD = 1, + .TPMA_NV_PLATFORMCREATE = 1, +}; + +/* + * This policy digest was obtained using TPM2_PolicyPCR + * selecting only PCR_0 with a value of all zeros. + */ +const static uint8_t pcr0_unchanged_policy[] = { + 0x09, 0x93, 0x3C, 0xCE, 0xEB, 0xB4, 0x41, 0x11, 0x18, 0x81, 0x1D, + 0xD4, 0x47, 0x78, 0x80, 0x08, 0x88, 0x86, 0x62, 0x2D, 0xD7, 0x79, + 0x94, 0x46, 0x62, 0x26, 0x68, 0x8E, 0xEE, 0xE6, 0x6A, 0xA1}; + /* Structures of payloads of various TPM2 commands. */ struct tpm2_get_capability { TPM_CAP capability; diff --git a/src/security/vboot/secdata_tpm.c b/src/security/vboot/secdata_tpm.c index c62f18b..286b2be 100644 --- a/src/security/vboot/secdata_tpm.c +++ b/src/security/vboot/secdata_tpm.c @@ -168,35 +168,6 @@ static const uint8_t rec_hash_data[REC_HASH_NV_SIZE] = { };
#if IS_ENABLED(CONFIG_TPM2) -/* - * Different sets of NVRAM space attributes apply to the "ro" spaces, - * i.e. those which should not be possible to delete or modify once - * the RO exits, and the rest of the NVRAM spaces. - */ -const static TPMA_NV ro_space_attributes = { - .TPMA_NV_PPWRITE = 1, - .TPMA_NV_AUTHREAD = 1, - .TPMA_NV_PPREAD = 1, - .TPMA_NV_PLATFORMCREATE = 1, - .TPMA_NV_WRITE_STCLEAR = 1, - .TPMA_NV_POLICY_DELETE = 1, -}; - -const static TPMA_NV rw_space_attributes = { - .TPMA_NV_PPWRITE = 1, - .TPMA_NV_AUTHREAD = 1, - .TPMA_NV_PPREAD = 1, - .TPMA_NV_PLATFORMCREATE = 1, -}; - -/* - * This policy digest was obtained using TPM2_PolicyPCR - * selecting only PCR_0 with a value of all zeros. - */ -const static uint8_t pcr0_unchanged_policy[] = { - 0x09, 0x93, 0x3C, 0xCE, 0xEB, 0xB4, 0x41, 0x11, 0x18, 0x81, 0x1D, - 0xD4, 0x47, 0x78, 0x80, 0x08, 0x88, 0x86, 0x62, 0x2D, 0xD7, 0x79, - 0x94, 0x46, 0x62, 0x26, 0x68, 0x8E, 0xEE, 0xE6, 0x6A, 0xA1};
/* Nothing special in the TPM2 path yet. */ static uint32_t safe_write(uint32_t index, const void *data, uint32_t length)