On Wed, Jan 06, 2016 at 01:15:57PM -0500, Stefan Berger wrote:
From: Stefan Berger stefanb@linux.vnet.ibm.com
After temporarily deactivating the TPM, also give up physical presence to disable more commands.
Signed-off-by: Stefan Berger stefanb@linux.vnet.ibm.com
src/tcgbios.c | 10 ++++++++++ 1 file changed, 10 insertions(+)
diff --git a/src/tcgbios.c b/src/tcgbios.c index 7bcbdde..685075f 100644 --- a/src/tcgbios.c +++ b/src/tcgbios.c @@ -227,6 +227,16 @@ tpm_set_failure(void) tpm_send_cmd(0, TPM_ORD_SetTempDeactivated, NULL, 0, TPM_DURATION_TYPE_SHORT);
- tpm_send_cmd(0, TPM_ORD_PhysicalPresence,
PhysicalPresence_CMD_ENABLE,sizeof(PhysicalPresence_CMD_ENABLE),TPM_DURATION_TYPE_SHORT);
I don't think this extra CMD_ENABLE makes sense here. Actually, can't we remove both the CMD_ENABLE and PRESENT from tpm_set_failure() now that it's always done during setup?
- tpm_send_cmd(0, TPM_ORD_PhysicalPresence,
PhysicalPresence_NOT_PRESENT_LOCK,sizeof(PhysicalPresence_NOT_PRESENT_LOCK),TPM_DURATION_TYPE_SHORT);
Instead of issuing NOT_PRESENT_LOCK in both prepboot and tpm_set_failure(), couldn't we just make sure prepboot issues NOT_PRESENT_LOCK whenever TPM_can_show_menu is true. Maybe rename TPM_can_show_menu to TPM_has_physical_presence.
-Kevin