From: Stefan Berger stefanb@linux.vnet.ibm.com
Rework the assertion of physical presence by calling assert_physical_presence in tpm_setup. This call will assert physical presence if SW assertion is possible or by checking whether HW physical presence is enabled. The TPM menu will only be shown if physical presence is asserted or HW physical presence is enabled after this call.
Signed-off-by: Stefan Berger stefanb@linux.vnet.ibm.com --- src/boot.c | 4 ++-- src/tcgbios.c | 31 ++++++++++++++----------------- src/tcgbios.h | 2 +- 3 files changed, 17 insertions(+), 20 deletions(-)
diff --git a/src/boot.c b/src/boot.c index a251eb4..a045a8e 100644 --- a/src/boot.c +++ b/src/boot.c @@ -486,7 +486,7 @@ interactive_bootmenu(void) printf("%d. %s\n", maxmenu , strtcpy(desc, pos->description, ARRAY_SIZE(desc))); } - if (tpm_is_working()) { + if (tpm_can_show_menu()) { printf("\nt. TPM Configuration\n"); }
@@ -499,7 +499,7 @@ interactive_bootmenu(void) scan_code = get_keystroke(1000); if (scan_code == 1 && !irqtimer_check(esc_accepted_time)) continue; - if (tpm_is_working() && scan_code == 20 /* t */) { + if (tpm_can_show_menu() && scan_code == 20 /* t */) { printf("\n"); tpm_menu(); } diff --git a/src/tcgbios.c b/src/tcgbios.c index 545e9b6..ceeb5fb 100644 --- a/src/tcgbios.c +++ b/src/tcgbios.c @@ -60,6 +60,8 @@ struct { u8 * log_area_last_entry; } tpm_state VARLOW;
+static int TPM_has_physical_presence; + static struct tcpa_descriptor_rev2 * find_tcpa_by_rsdp(struct rsdp_descriptor *rsdp) { @@ -158,12 +160,18 @@ tpm_log_event(struct pcpes *pcpes, const void *event)
u8 TPM_working VARLOW;
-int +static int tpm_is_working(void) { return CONFIG_TCGBIOS && TPM_working; }
+int +tpm_can_show_menu(void) +{ + return tpm_is_working() && TPM_has_physical_presence; +} + /* * Send a TPM command with the given ordinal. Append the given buffer * containing all data in network byte order to the command (this is @@ -462,6 +470,11 @@ tpm_startup(void) if (ret) goto err_exit;
+ /* assertion of physical presence is only possible after startup */ + ret = assert_physical_presence(); + if (!ret) + TPM_has_physical_presence = 1; + ret = determine_timeouts(); if (ret) return -1; @@ -957,10 +970,6 @@ enable_tpm(int enable, int verbose) if (pf.flags[PERM_FLAG_IDX_DISABLE] && !enable) return 0;
- ret = assert_physical_presence(); - if (ret) - return -1; - ret = build_and_send_cmd(0, enable ? TPM_ORD_PhysicalEnable : TPM_ORD_PhysicalDisable, NULL, 0, TPM_DURATION_TYPE_SHORT); @@ -995,10 +1004,6 @@ activate_tpm(int activate, int allow_reset, int verbose) if (pf.flags[PERM_FLAG_IDX_DISABLE]) return 0;
- ret = assert_physical_presence(); - if (ret) - return -1; - ret = build_and_send_cmd(0, TPM_ORD_PhysicalSetDeactivated, activate ? CommandFlag_FALSE : CommandFlag_TRUE, @@ -1058,10 +1063,6 @@ force_clear(int enable_activate_before, int enable_activate_after, int verbose) } }
- ret = assert_physical_presence(); - if (ret) - return -1; - ret = build_and_send_cmd(0, TPM_ORD_ForceClear, NULL, 0, TPM_DURATION_TYPE_SHORT); if (ret) @@ -1107,10 +1108,6 @@ set_owner_install(int allow, int verbose) return 0; }
- ret = assert_physical_presence(); - if (ret) - return -1; - ret = build_and_send_cmd(0, TPM_ORD_SetOwnerInstall, (allow) ? CommandFlag_TRUE : CommandFlag_FALSE, diff --git a/src/tcgbios.h b/src/tcgbios.h index 6040b0c..32fb941 100644 --- a/src/tcgbios.h +++ b/src/tcgbios.h @@ -13,7 +13,7 @@ void tpm_add_bcv(u32 bootdrv, const u8 *addr, u32 length); void tpm_add_cdrom(u32 bootdrv, const u8 *addr, u32 length); void tpm_add_cdrom_catalog(const u8 *addr, u32 length); void tpm_option_rom(const void *addr, u32 len); -int tpm_is_working(void); +int tpm_can_show_menu(void); void tpm_menu(void);
#endif /* TCGBIOS_H */