Patrick Georgi has submitted this change. ( https://review.coreboot.org/c/coreboot/+/52919 )
Change subject: vboot/secdata_tpm: Create FWMP space in coreboot ......................................................................
vboot/secdata_tpm: Create FWMP space in coreboot
This commit has coreboot create the Chrome OS Firmware Management Parameters (FWMP) space in the TPM. The space will be defined and the contents initialized to the defaults.
BUG=b:184677625 BRANCH=None TEST=emerge-keeby coreboot
Signed-off-by: Aseda Aboagye aaboagye@google.com Change-Id: I1f566e00f11046ff9a9891c65660af50fbb83675 Reviewed-on: https://review.coreboot.org/c/coreboot/+/52919 Tested-by: build bot (Jenkins) no-reply@coreboot.org Reviewed-by: Julius Werner jwerner@chromium.org Reviewed-by: Andrey Pronin apronin@chromium.org --- M src/security/vboot/secdata_tpm.c 1 file changed, 20 insertions(+), 0 deletions(-)
Approvals: build bot (Jenkins): Verified Julius Werner: Looks good to me, approved Andrey Pronin: Looks good to me, but someone else must approve
diff --git a/src/security/vboot/secdata_tpm.c b/src/security/vboot/secdata_tpm.c
index 93a172d..dd36796 100644
--- a/src/security/vboot/secdata_tpm.c
+++ b/src/security/vboot/secdata_tpm.c
@@ -10,6 +10,7 @@
 #include <security/tpm/tspi.h>
 #include <security/tpm/tss.h>
 #include <security/tpm/tss/tcg-1.2/tss_structures.h>
+#include <security/tpm/tss/tcg-2.0/tss_structures.h>
 #include <vb2_api.h>
 #include <console/console.h>
@@ -108,6 +109,14 @@
 .TPMA_NV_PLATFORMCREATE = 1,
 };
+static const TPMA_NV fwmp_attr = {
+ .TPMA_NV_PLATFORMCREATE = 1,
+ .TPMA_NV_OWNERWRITE = 1,
+ .TPMA_NV_AUTHREAD = 1,
+ .TPMA_NV_PPREAD = 1,
+ .TPMA_NV_PPWRITE = 1,
+};
+
 /*
  * This policy digest was obtained using TPM2_PolicyOR on 3 digests
  * corresponding to a sequence of
@@ -188,6 +197,14 @@
 sizeof(pcr0_allowed_policy));
 }
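Review bot: `fwmp_attr` sets `TPMA_NV_OWNERWRITE` in addition to the PPWRITE/PPREAD/AUTHREAD/PLATFORMCREATE bits, and that single bit is what allows a caller presenting owner authorization to rewrite the space after coreboot has handed off, yet nothing in the hunk records that this widening is intended, while the attribute set ending just above the insertion does not carry it. A short comment above the initializer would stop a later reader from "aligning" it with its neighbour, e.g. `/* FWMP is rewritten at OS runtime under owner authorization (OWNERWRITE); reads only need the auth value or platform presence. */`. The OS-runtime writer is inferred from the commit message rather than from these lines, so adjust the wording if the writer is something else.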
+static uint32_t setup_fwmp_space(struct vb2_context *ctx)
+{
+ uint32_t fwmp_space_size = vb2api_secdata_fwmp_create(ctx);
+
+ return setup_space("FWMP", FWMP_NV_INDEX, ctx->secdata_fwmp, fwmp_space_size,
+ fwmp_attr, NULL, 0);
+}
+
 static uint32_t setup_kernel_space(struct vb2_context *ctx)
 {
 uint32_t kernel_space_size = vb2api_secdata_kernel_create(ctx);
@@ -230,6 +247,9 @@
 if (CONFIG(VBOOT_HAS_REC_HASH_SPACE))
 RETURN_ON_FAILURE(set_mrc_hash_space(MRC_REC_HASH_NV_INDEX, mrc_hash_data));
+ /* Define and write firmware management parameters space. */
+ RETURN_ON_FAILURE(setup_fwmp_space(ctx));
+
 RETURN_ON_FAILURE(setup_firmware_space(ctx));
return TPM_SUCCESS;
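Review bot: The new `setup_fwmp_space` call is placed ahead of `setup_firmware_space`, but the added comment only says what is written, not why the call sits where it does. If, as is usual for this initialization sequence, the existence of the firmware space is what marks factory initialization as complete, then keeping that call last is what ensures a failed FWMP definition is retried on the next boot instead of being left undefined; spelling that out, e.g. `/* Define and write firmware management parameters space. Must stay before setup_firmware_space(), which is intentionally last. */`, protects the ordering against a later reshuffle. The enclosing function starts outside the hunk, so confirm that invariant in the surrounding code before relying on it.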