Aseda Aboagye has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/52919 )
Change subject: chromeos/Kconfig: Add TPM20_CREATE_FWMP ......................................................................
chromeos/Kconfig: Add TPM20_CREATE_FWMP
This commit adds a new config option, TPM20_CREATE_FWMP which instructs coreboot to create the Chrome OS Firmware Management Parameters space in the TPM. When selected, coreboot will simply define this space, but not initialize the contents. The space can be written to by the TPM owner from userspace.
BUG=b:184677625 BRANCH=None TEST=emerge-keeby coreboot
Signed-off-by: Aseda Aboagye aaboagye@google.com Change-Id: I1f566e00f11046ff9a9891c65660af50fbb83675 --- M src/security/vboot/secdata_tpm.c M src/vendorcode/google/chromeos/Kconfig 2 files changed, 30 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/19/52919/1
diff --git a/src/security/vboot/secdata_tpm.c b/src/security/vboot/secdata_tpm.c index db5f2e7..7011039 100644 --- a/src/security/vboot/secdata_tpm.c +++ b/src/security/vboot/secdata_tpm.c @@ -10,6 +10,7 @@ #include <security/tpm/tspi.h> #include <security/tpm/tss.h> #include <security/tpm/tss/tcg-1.2/tss_structures.h> +#include <security/tpm/tss/tcg-2.0/tss_structures.h> #include <vb2_api.h> #include <console/console.h>
@@ -205,6 +206,8 @@
static uint32_t _factory_initialize_tpm(struct vb2_context *ctx) { + uint32_t rv; + vb2api_secdata_kernel_create(ctx);
RETURN_ON_FAILURE(tlcl_force_clear()); @@ -227,6 +230,27 @@ if (CONFIG(VBOOT_HAS_REC_HASH_SPACE)) RETURN_ON_FAILURE(set_mrc_hash_space(MRC_REC_HASH_NV_INDEX, mrc_hash_data));
+ /* Define and write firmware management parameters space. */ + if (CONFIG(TPM20_CREATE_FWMP)) { + const TPMA_NV fwmp_attr = { + .TPMA_NV_PLATFORMCREATE = 1, + .TPMA_NV_OWNERWRITE = 1, + .TPMA_NV_AUTHREAD = 1, + .TPMA_NV_PPREAD = 1, + }; + + VBDEBUG("TPM: Defining FMWP space\n") + rv = tlcl_define_space(FWMP_NV_INDEX, VB2_SECDATA_FWMP_MAX_SIZE, + fwmp_attr, pcr0_allowed_policy, + sizeof(pcr0_allowed_policy))); + if (rv == TPM_E_NV_DEFINED) { + VBDEBUG("TPM: FWMP space already defined\n"); + } else { + VBDEBUG("TPM: 0x%08x returned by tlcl_define_space\n", rv); + return rv; + } + } + RETURN_ON_FAILURE(set_firmware_space(ctx->secdata_firmware));
return TPM_SUCCESS; diff --git a/src/vendorcode/google/chromeos/Kconfig b/src/vendorcode/google/chromeos/Kconfig index e6d45e1..b0ab2ec 100644 --- a/src/vendorcode/google/chromeos/Kconfig +++ b/src/vendorcode/google/chromeos/Kconfig @@ -92,5 +92,11 @@ bool depends on ACPI_SOC_NVS
+config TPM20_CREATE_FWMP + def_bool n + depends on TPM2 + help + Instruct coreboot to create the firmware management parameters (FWMP) space in the TPM. + endif # CHROMEOS endmenu