Vladimir Serbinenko (phcoder@gmail.com) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/10270
commit 0effa741f38d8dd2a575bb0b21d479cb2d0d5c69 Author: Vladimir Serbinenko phcoder@gmail.com Date: Mon May 18 10:46:57 2015 +0200
Deactivate TPM
Just not exporting the TPM via ACPI isn't good enough, as it can still be accessed. You need to send it a deactivate command.
Change-Id: I3eb84660949c2d1e2b492d541e01d4ba78037630 Signed-off-by: Vladimir Serbinenko phcoder@gmail.com --- src/drivers/pc80/tpm/Kconfig | 7 +++++++ src/drivers/pc80/tpm/acpi/tpm.asl | 10 +++++----- src/drivers/pc80/tpm/romstage.c | 19 +++++++++++++++++++ 3 files changed, 31 insertions(+), 5 deletions(-)
diff --git a/src/drivers/pc80/tpm/Kconfig b/src/drivers/pc80/tpm/Kconfig
index 46f404e..8c64b0d 100644
--- a/src/drivers/pc80/tpm/Kconfig
+++ b/src/drivers/pc80/tpm/Kconfig
@@ -37,3 +37,10 @@ config SKIP_TPM_STARTUP_ON_NORMAL_BOOT
 	depends on LPC_TPM
 	help
 	  Skip TPM init on normal boot. Useful if payload does TPM init.
+
+config TPM_DEACTIVATE
+	bool "Deactivate TPM"
+	default n
+	depends on LPC_TPM
+	help
+	  Deactivate TPM by issuing deactivate command.
diff --git a/src/drivers/pc80/tpm/acpi/tpm.asl b/src/drivers/pc80/tpm/acpi/tpm.asl
index 7500211..e6c28db 100644
--- a/src/drivers/pc80/tpm/acpi/tpm.asl
+++ b/src/drivers/pc80/tpm/acpi/tpm.asl
@@ -27,11 +27,11 @@ Device (TPM)
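Review bot: The help text "Deactivate TPM by issuing deactivate command." leaves out the two other effects this option has in the same patch: `_STA` in tpm.asl reports the device absent whenever the option is set, and `init_tpm()` returns before the regular startup and ContinueSelfTest sequence. The command bytes in romstage.c appear to be TPM_Startup with startup type 0x0003 (ST_DEACTIVATED), which if correct means the TPM is deactivated only until its next reset, i.e. it must be re-issued on every boot — worth stating so nobody expects a persistent setting. Suggested help text: `Send the TPM a deactivate command at boot (it stays deactivated until the next platform reset), skip the rest of firmware TPM init and hide the TPM device from ACPI.` The `default n` line is redundant, since that is Kconfig's default for a bool.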
 	Method (_STA, 0) {
-		If (CONFIG_LPC_TPM) {
-			Return (0xf)
-		} Else {
-			Return (0x0)
-		}
+#if CONFIG_LPC_TPM && !CONFIG_TPM_DEACTIVATE
+		Return (0xf)
+#else
+		Return (0x0)
+#endif
 	}
 	Name (IBUF, ResourceTemplate ()
diff --git a/src/drivers/pc80/tpm/romstage.c b/src/drivers/pc80/tpm/romstage.c
index b227f6c..0e4fe6f 100644
--- a/src/drivers/pc80/tpm/romstage.c
+++ b/src/drivers/pc80/tpm/romstage.c
@@ -51,6 +51,12 @@ static const struct {
 };
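Review bot: `_STA` now returns 0 at build time whenever TPM_DEACTIVATE is set, with no connection to whether the deactivate command in romstage.c actually succeeded at runtime; on that error path the TPM is still reachable over its TIS interface yet declared absent to the OS, which is the exact situation the commit message warns against. `_STA` cannot see the romstage result, so the coupling should at least be documented next to the `#if`: `/* With TPM_DEACTIVATE the device is hidden unconditionally; init_tpm() in romstage must have deactivated it, otherwise the TPM is present but undeclared. */` The old ASL `If (CONFIG_LPC_TPM)` evaluated at runtime; moving it to the preprocessor means the AML no longer contains either branch, which is fine but worth a mention in the commit message.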
 static const struct {
+	u8 buffer[12];
+} tpm_deactivate_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x99, 0x0, 0x3 }
+};
+
+static const struct {
 	u8 buffer[10];
 } tpm_continueselftest_cmd = {
 	{ 0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x53 }
@@ -181,6 +187,19 @@ void init_tpm(int s3resume)
 	u32 result;
 	u8 response[TPM_LARGE_ENOUGH_COMMAND_SIZE];
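Review bot: `tpm_deactivate_cmd` is an undocumented byte blob whose name is misleading: in TPM 1.2 ordinal 0x99 is TPM_ORD_Startup (the same ordinal vboot's tlcl uses for its startup command), so the trailing `0x0, 0x3` is the TPM_STARTUP_TYPE ST_DEACTIVATED rather than a separate "deactivate" ordinal. That matters for the reader, because it explains why this must be the first command after reset and why the deactivation lasts only until the next TPM_Init — please confirm against the spec and record it: `/* TPM_Startup(ST_DEACTIVATED): ordinal 0x99, startup type 0x0003; the TPM stays deactivated until its next reset. */` Match the sibling initializer's spacing as well, `{ 0x0, ..., 0x3 }` instead of `{0x0, ..., 0x3 }`.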
+	if (CONFIG_TPM_DEACTIVATE) {
+		printk(BIOS_SPEW, "TPM: Deactivate\n");
+		result = TlclSendReceive(tpm_deactivate_cmd.buffer,
+					 response, sizeof(response));
+		if (result == TPM_SUCCESS) {
+			printk(BIOS_SPEW, "TPM: OK.\n");
+			return;
+		}
+
+		printk(BIOS_ERR, "TPM: Error code 0x%x.\n", result);
+		return;
+	}
+
 	/* Doing TPM startup when we're not coming in on the S3 resume path
 	 * saves us roughly 20ms in boot time only. This does not seem to
 	 * be worth an API change to vboot_reference-firmware right now, so
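Review bot: The failure branch after `TlclSendReceive()` logs at BIOS_ERR and returns, which is the right choice — falling through to the regular startup below would bring the TPM up active — but nothing records that this is deliberate, and a later cleanup could easily "fix" the duplicated `return`. If the command fails because a Startup was already accepted earlier (an earlier stage, or a resume path; this is inferred, not visible here), the TPM remains active while tpm.asl now reports it absent, so the error deserves more than a log line; consider a comment such as `/* Deliberately do not fall through: a regular Startup here would re-activate the TPM while ACPI already hides it. */` and, if the platform supports it, escalating the failure. Note also that `s3resume` is not consulted on this path, so on resume the deactivate command replaces the ST_STATE startup the code below presumably sends; that is probably intended but should be stated. init_tpm() begins before this hunk and continues past it.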