Christian Walter has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/38617 )
Change subject: security/tpm/tss: Add ClearControl Function ......................................................................
security/tpm/tss: Add ClearControl Function
Add ClearControl Function which is needed for a follow-up patch.
Change-Id: Ia19185528fd821e420b0bdb424760c93b79523a4 Signed-off-by: Christian Walter christian.walter@9elements.com --- M src/security/tpm/tss.h M src/security/tpm/tss/tcg-2.0/tss.c M src/security/tpm/tss/tcg-2.0/tss_structures.h 3 files changed, 27 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/17/38617/1
diff --git a/src/security/tpm/tss.h b/src/security/tpm/tss.h
index 336935d..5237387 100644
--- a/src/security/tpm/tss.h
+++ b/src/security/tpm/tss.h
@@ -171,6 +171,11 @@
 uint32_t tlcl_force_clear(void);
 /**
+ * Set Clear Control. The TPM error code is returned.
+ */
+uint32_t tlcl_clear_control(bool disable);
+
+/**
 * Set the bGlobalLock flag, which only a reboot can clear. The TPM error
 * code is returned.
 */
diff --git a/src/security/tpm/tss/tcg-2.0/tss.c b/src/security/tpm/tss/tcg-2.0/tss.c
index 6bc3096..49a6cea 100644
--- a/src/security/tpm/tss/tcg-2.0/tss.c
+++ b/src/security/tpm/tss/tcg-2.0/tss.c
@@ -170,6 +170,23 @@
 return TPM_SUCCESS;
 }
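Review bot: The doc comment added for `tlcl_clear_control` does not say what `disable` means, and "The TPM error code is returned" does not match the implementation in this change, which returns only `TPM_SUCCESS` or `TPM_E_IOERROR`. For a call that gates TPM2_Clear the polarity should be spelled out, for example `Set or clear the TPM's disableClear attribute: disable == true blocks TPM2_Clear, false permits it again.` followed by `Returns TPM_SUCCESS, or TPM_E_IOERROR if the command could not be sent or the TPM reported an error.` The same declaration is repeated unchanged in the submitted patch set further down the page.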
+uint32_t tlcl_clear_control(bool disable)
+{
+ struct tpm2_response *response;
+ struct tpm2_clear_control_cmd cc = {
+ .disable = 0,
+ };
+
+ response = tpm_process_command(TPM2_ClearControl, &cc);
+ printk(BIOS_INFO, "%s: response is %x\n",
+ __func__, response ? response->hdr.tpm_code : -1);
+
+ if (!response || response->hdr.tpm_code)
+ return TPM_E_IOERROR;
+
+ return TPM_SUCCESS;
+}
+
 static uint8_t tlcl_init_done;
 /* This function is called directly by vboot, uses vboot return types. */
diff --git a/src/security/tpm/tss/tcg-2.0/tss_structures.h b/src/security/tpm/tss/tcg-2.0/tss_structures.h
index 1530613..ade9b27 100644
--- a/src/security/tpm/tss/tcg-2.0/tss_structures.h
+++ b/src/security/tpm/tss/tcg-2.0/tss_structures.h
@@ -84,6 +84,7 @@
 /* TPM command codes. */
 #define TPM2_Hierarchy_Control ((TPM_CC)0x00000121)
 #define TPM2_Clear ((TPM_CC)0x00000126)
+#define TPM2_ClearControl ((TPM_CC)0x00000127)
 #define TPM2_NV_DefineSpace ((TPM_CC)0x0000012A)
 #define TPM2_NV_Write ((TPM_CC)0x00000137)
 #define TPM2_NV_WriteLock ((TPM_CC)0x00000138)
@@ -417,6 +418,10 @@
 TPML_DIGEST_VALUES digests;
 };
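Review bot: `tlcl_clear_control()` never reads its `disable` argument: the command body is initialised with `.disable = 0`, so `tlcl_clear_control(true)` still asks the TPM to leave TPM2_Clear enabled and, if the TPM accepts the command, returns `TPM_SUCCESS`. A caller that relies on this function to lock out TPM clearing gets no protection and no error; the initialiser should be `.disable = disable,`. The `printk` also logs at `BIOS_INFO` on success and failure alike, so a rejected command is easy to miss; an error-level message on the failure path would help. The same function body appears unchanged in the tss.c hunk of the submitted patch set further down the page.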
+struct tpm2_clear_control_cmd {
+ TPMI_YES_NO disable;
+};
+
 struct tpm2_hierarchy_control_cmd {
 TPMI_RH_ENABLES enable;
 TPMI_YES_NO state;
Christian Walter has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/38617 )
Change subject: security/tpm/tss: Add ClearControl Function ......................................................................
Patch Set 2:
This change is ready for review.
Philipp Deppenwiese has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/38617 )
Change subject: security/tpm/tss: Add ClearControl Function ......................................................................
Patch Set 3: Code-Review+2
Patrick Georgi has submitted this change. ( https://review.coreboot.org/c/coreboot/+/38617 )
Change subject: security/tpm/tss: Add ClearControl Function ......................................................................
security/tpm/tss: Add ClearControl Function
Add ClearControl Function which is needed for a follow-up patch.
Change-Id: Ia19185528fd821e420b0bdb424760c93b79523a4 Signed-off-by: Christian Walter christian.walter@9elements.com Reviewed-on: https://review.coreboot.org/c/coreboot/+/38617 Tested-by: build bot (Jenkins) no-reply@coreboot.org Reviewed-by: Philipp Deppenwiese zaolin.daisuki@gmail.com --- M src/security/tpm/tss.h M src/security/tpm/tss/tcg-2.0/tss.c M src/security/tpm/tss/tcg-2.0/tss_marshaling.c M src/security/tpm/tss/tcg-2.0/tss_structures.h 4 files changed, 50 insertions(+), 0 deletions(-)
Approvals: build bot (Jenkins): Verified Philipp Deppenwiese: Looks good to me, approved
diff --git a/src/security/tpm/tss.h b/src/security/tpm/tss.h
index 336935d..5237387 100644
--- a/src/security/tpm/tss.h
+++ b/src/security/tpm/tss.h
@@ -171,6 +171,11 @@
 uint32_t tlcl_force_clear(void);
 /**
+ * Set Clear Control. The TPM error code is returned.
+ */
+uint32_t tlcl_clear_control(bool disable);
+
+/**
 * Set the bGlobalLock flag, which only a reboot can clear. The TPM error
 * code is returned.
 */
diff --git a/src/security/tpm/tss/tcg-2.0/tss.c b/src/security/tpm/tss/tcg-2.0/tss.c
index 6bc3096..49a6cea 100644
--- a/src/security/tpm/tss/tcg-2.0/tss.c
+++ b/src/security/tpm/tss/tcg-2.0/tss.c
@@ -170,6 +170,23 @@
 return TPM_SUCCESS;
 }
+uint32_t tlcl_clear_control(bool disable)
+{
+ struct tpm2_response *response;
+ struct tpm2_clear_control_cmd cc = {
+ .disable = 0,
+ };
+
+ response = tpm_process_command(TPM2_ClearControl, &cc);
+ printk(BIOS_INFO, "%s: response is %x\n",
+ __func__, response ? response->hdr.tpm_code : -1);
+
+ if (!response || response->hdr.tpm_code)
+ return TPM_E_IOERROR;
+
+ return TPM_SUCCESS;
+}
+
 static uint8_t tlcl_init_done;
 /* This function is called directly by vboot, uses vboot return types. */
diff --git a/src/security/tpm/tss/tcg-2.0/tss_marshaling.c b/src/security/tpm/tss/tcg-2.0/tss_marshaling.c
index 48798c7..45ade1a 100644
--- a/src/security/tpm/tss/tcg-2.0/tss_marshaling.c
+++ b/src/security/tpm/tss/tcg-2.0/tss_marshaling.c
@@ -281,6 +281,24 @@
 return rc;
 }
+static int marshal_clear_control(struct obuf *ob,
+ struct tpm2_clear_control_cmd *command_body)
+{
+ int rc = 0;
+ struct tpm2_session_header session_header;
+
+ tpm_tag = TPM_ST_SESSIONS;
+
+ rc |= marshal_TPM_HANDLE(ob, TPM_RH_PLATFORM);
+ memset(&session_header, 0, sizeof(session_header));
+ session_header.session_handle = TPM_RS_PW;
+ rc |= marshal_session_header(ob, &session_header);
+
+ rc |= obuf_write_be8(ob, command_body->disable);
+
+ return rc;
+}
+
 static int marshal_cr50_vendor_command(struct obuf *ob, void *command_body)
 {
 int rc = 0;
@@ -383,6 +401,10 @@
 rc |= marshal_hierarchy_control(ob, tpm_command_body);
 break;
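Review bot: `marshal_clear_control()` hard-codes `TPM_RH_PLATFORM` as the authorizing handle together with a zeroed `TPM_RS_PW` session header, which presumably means an empty platform password, and nothing in the function states that assumption. The command can then only succeed while the platform hierarchy is still enabled and has no auth value set, so the precondition deserves a comment above the handle, e.g. `/* Authorized by the platform hierarchy with an empty password; must run before the platform hierarchy is disabled or given an auth value. */`. `command_body` is only read here, so the parameter could be `const struct tpm2_clear_control_cmd *command_body`.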
+ case TPM2_ClearControl:
+ rc |= marshal_clear_control(ob, tpm_command_body);
+ break;
+
 case TPM2_Clear:
 rc |= marshal_clear(ob);
 break;
@@ -583,6 +605,7 @@
 case TPM2_Hierarchy_Control:
 case TPM2_Clear:
+ case TPM2_ClearControl:
 case TPM2_NV_DefineSpace:
 case TPM2_NV_Write:
 case TPM2_NV_WriteLock:
diff --git a/src/security/tpm/tss/tcg-2.0/tss_structures.h b/src/security/tpm/tss/tcg-2.0/tss_structures.h
index 1530613..ade9b27 100644
--- a/src/security/tpm/tss/tcg-2.0/tss_structures.h
+++ b/src/security/tpm/tss/tcg-2.0/tss_structures.h
@@ -84,6 +84,7 @@
 /* TPM command codes. */
 #define TPM2_Hierarchy_Control ((TPM_CC)0x00000121)
 #define TPM2_Clear ((TPM_CC)0x00000126)
+#define TPM2_ClearControl ((TPM_CC)0x00000127)
 #define TPM2_NV_DefineSpace ((TPM_CC)0x0000012A)
 #define TPM2_NV_Write ((TPM_CC)0x00000137)
 #define TPM2_NV_WriteLock ((TPM_CC)0x00000138)
@@ -417,6 +418,10 @@
 TPML_DIGEST_VALUES digests;
 };
+struct tpm2_clear_control_cmd {
+ TPMI_YES_NO disable;
+};
+
 struct tpm2_hierarchy_control_cmd {
 TPMI_RH_ENABLES enable;
 TPMI_YES_NO state;
9elements QA has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/38617 )
Change subject: security/tpm/tss: Add ClearControl Function ......................................................................
Patch Set 4:
Automatic boot test returned (PASS/FAIL/TOTAL): 3/0/3 Emulation targets: EMULATION_QEMU_X86_Q35 using payload TianoCore : SUCCESS : https://lava.9esec.io/r/430 EMULATION_QEMU_X86_Q35 using payload SeaBIOS : SUCCESS : https://lava.9esec.io/r/429 EMULATION_QEMU_X86_I440FX using payload SeaBIOS : SUCCESS : https://lava.9esec.io/r/428
Please note: This test is under development and might not be accurate at all!