Matt DeVillier has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/74856 )
Change subject: security/tpm: Add Kconfig to allow payload control of TPM1
security/tpm: Add Kconfig to allow payload control of TPM1
Normally, for TPM1, coreboot will force activate/enable the TPM if TPM_DEACTIVATE is not selected, but this is not desirable in the case that the payload needs to be able to control activation/deactivation/take ownership etc. Add a Kconfig to allow opting out of this forced enablement.
TEST=build/boot google/lulu with edk2, verify TPM can be enabled/disabled/cleared from payload TPM menu.
Change-Id: Ieb7db109cbcc1a0166d95b6130b624b635bb7ac9
Signed-off-by: Matt DeVillier matt.devillier@gmail.com
---
M src/security/tpm/Kconfig
M src/security/tpm/tspi/tspi.c
2 files changed, 29 insertions(+), 1 deletion(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/56/74856/1
diff --git a/src/security/tpm/Kconfig b/src/security/tpm/Kconfig index 39134c1..c89d4f9 100644 --- a/src/security/tpm/Kconfig +++ b/src/security/tpm/Kconfig @@ -59,6 +59,14 @@ help Deactivate TPM by issuing deactivate command.
+config TPM_PAYLOAD_CONTROL + bool "Allow payload control of TPM" + default n + depends on !VBOOT && !TPM_DEACTIVATE + depends on TPM1 + help + Allows the payload to handle activation/deactivation of TPM. + config DEBUG_TPM bool "Output verbose TPM debug messages" default n diff --git a/src/security/tpm/tspi/tspi.c b/src/security/tpm/tspi/tspi.c index a771d2a..ed871f0 100644 --- a/src/security/tpm/tspi/tspi.c +++ b/src/security/tpm/tspi/tspi.c @@ -181,7 +181,8 @@ }
#if CONFIG(TPM1) - result = tpm1_invoke_state_machine(); + if (!CONFIG(TPM_PAYLOAD_CONTROL)) + result = tpm1_invoke_state_machine(); #endif if (CONFIG(TPM_MEASURED_BOOT)) result = tspi_measure_cache_to_pcr();
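Review bot: the help text for TPM_PAYLOAD_CONTROL in src/security/tpm/Kconfig does not say what coreboot stops doing when the option is set. The commit message explains that coreboot normally force-activates/enables a TPM1 and that this option opts out of that; the help should say so as well, and state that the payload then becomes responsible for enabling, activating and taking ownership, so that someone selecting it with a payload that has no TPM menu knows the TPM state is no longer set by coreboot. As a style point, the two `depends on` lines could be merged into `depends on TPM1 && !VBOOT && !TPM_DEACTIVATE`, and `default n` is already the default for a bool.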
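Review bot: with TPM_PAYLOAD_CONTROL set, the src/security/tpm/tspi/tspi.c hunk skips `tpm1_invoke_state_machine()`, but the next statement, `if (CONFIG(TPM_MEASURED_BOOT)) result = tspi_measure_cache_to_pcr();`, still runs, and the new Kconfig entry places no constraint on TPM_MEASURED_BOOT. Please confirm that measuring into a TPM1 whose enable/activate state coreboot no longer manages is intended, and either document that combination in the Kconfig help or add a dependency. A short comment above the new `if` saying why the state machine is skipped would also help, since the condition sits inside `#if CONFIG(TPM1)` and otherwise reads as an unexplained second gate.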