[coreboot-gerrit] Change in coreboot[master]: vboot/secdata_tpm: Add WRITE_STCLEAR attr to kernel ARB space

16 Jul 2021

Aseda Aboagye has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/56358 )
Change subject: vboot/secdata_tpm: Add WRITE_STCLEAR attr to kernel ARB space
......................................................................
vboot/secdata_tpm: Add WRITE_STCLEAR attr to kernel ARB space
This commit adds the WRITE_STCLEAR TPM attribute to the kernel
antirollback space.  When an STCLEAR attribute is set, this indicates
that the TPM object will need to be reloaded after any TPM
Startup(CLEAR).  This is useful for protecting the kernel antirollback
space from being written to by the OS via the WriteLock command, and
allowing platformHierarchy to remain enabled if desired.  One use case
could be to update the TPM firmware without having to clear the owner.
BUG=b:186029006
BRANCH=None
TEST=Build and flash a chromebook with no kernel antirollback space set
up, boot to chrome OS, run `tpm_manager_client get_space_info
--index=0x1007` and verify that the WRITE_STCLEAR attribute is present.
Signed-off-by: Aseda Aboagye aaboagye@google.com
Change-Id: I3181b4c18acd908e924ad858b677e891312423fe
---
M src/security/vboot/secdata_tpm.c
1 file changed, 9 insertions(+), 1 deletion(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/58/56358/1

diff --git a/src/security/vboot/secdata_tpm.c b/src/security/vboot/secdata_tpm.c
index bedead7..2e3ec69 100644
--- a/src/security/vboot/secdata_tpm.c
+++ b/src/security/vboot/secdata_tpm.c
@@ -109,6 +109,14 @@
    .TPMA_NV_PLATFORMCREATE = 1,
 };
+static const TPMA_NV kernel_space_attributes = {
+	.TPMA_NV_PPWRITE = 1,
+	.TPMA_NV_AUTHREAD = 1,
+	.TPMA_NV_PPREAD = 1,
+	.TPMA_NV_PLATFORMCREATE = 1,
+	.TPMA_NV_WRITE_STCLEAR = 1,
+};
+
 static const TPMA_NV fwmp_attr = {
    .TPMA_NV_PLATFORMCREATE = 1,
    .TPMA_NV_OWNERWRITE = 1,
@@ -247,7 +255,7 @@
    uint32_t kernel_space_size = vb2api_secdata_kernel_create(ctx);
return setup_space("kernel", KERNEL_NV_INDEX, ctx->secdata_kernel,
-			    kernel_space_size, rw_space_attributes, NULL, 0);
+			    kernel_space_size, kernel_space_attributes, NULL, 0);
 }
static uint32_t set_mrc_hash_space(uint32_t index, const uint8_t *data)
-- 
To view, visit https://review.coreboot.org/c/coreboot/+/56358
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-Change-Id: I3181b4c18acd908e924ad858b677e891312423fe
Gerrit-Change-Number: 56358
Gerrit-PatchSet: 1
Gerrit-Owner: Aseda Aboagye aaboagye@google.com
Gerrit-MessageType: newchange



    

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

[coreboot-gerrit] Change in coreboot[master]: vboot/secdata_tpm: Add WRITE_STCLEAR attr to kernel ARB space