[coreboot-gerrit] New patch to review for coreboot: tpm2: add tlcl_force_clear and use it before factory init

Martin Roth (martinroth@google.com) gerrit at coreboot.org
Tue Jul 12 22:06:36 CEST 2016 

Martin Roth (martinroth at google.com) just uploaded a new patch set to gerrit, which you can find at https://review.coreboot.org/15636

-gerrit

commit 3d6361f5b40813293110fd160110c4e1ebb55523
Author: Vadim Bendebury <vbendeb at chromium.org>
Date:   Sun Jul 3 15:56:41 2016 -0700

    tpm2: add tlcl_force_clear and use it before factory init
    
    tlcl_force_clear() needs to be issued each time when the device mode
    switches between normal/development/recovery.
    
    This patch adds command implementation using TPM_Clear TPM2 command,
    and also invokes it before factory initialization.
    
    BRANCH=none
    BUG=chrome-os-partner:50645
    TEST=verified that TPM_Clear command succeeds at factory startup and
         the boot proceeds normally.
    
    Change-Id: Ia431390870cbe448bc1b6f1755ed17953be9bdf1
    Signed-off-by: Martin Roth <martinroth at chromium.org>
    Original-Commit-Id: 347ff17b97da45fa4df547ff32f9dd2c8972cefd
    Original-Change-Id: I2a0e62527ad46f9dd060afe5e75c7e4d56752849
    Original-Signed-off-by: Vadim Bendebury <vbendeb at chromium.org>
    Original-Reviewed-on: https://chromium-review.googlesource.com/358095
    Original-Reviewed-by: Aaron Durbin <adurbin at chromium.org>
    Original-Reviewed-by: Darren Krahn <dkrahn at chromium.org>
---
 src/lib/tpm2_tlcl.c                                  | 10 +++++++++-
 src/vendorcode/google/chromeos/vboot2/antirollback.c |  1 +
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/lib/tpm2_tlcl.c b/src/lib/tpm2_tlcl.c
index 8412ed0..ec20ca9 100644
--- a/src/lib/tpm2_tlcl.c
+++ b/src/lib/tpm2_tlcl.c
@@ -81,7 +81,15 @@ uint32_t tlcl_finalize_physical_presence(void)
 
 uint32_t tlcl_force_clear(void)
 {
-	printk(BIOS_INFO, "%s:%s:%d\n", __FILE__, __func__, __LINE__);
+	struct tpm2_response *response;
+
+	response = tpm_process_command(TPM2_Clear, NULL);
+	printk(BIOS_INFO, "%s: response is %x\n",
+	       __func__, response ? response->hdr.tpm_code : -1);
+
+	if (!response || response->hdr.tpm_code)
+		return TPM_E_IOERROR;
+
 	return TPM_SUCCESS;
 }
 
diff --git a/src/vendorcode/google/chromeos/vboot2/antirollback.c b/src/vendorcode/google/chromeos/vboot2/antirollback.c
index bce2ca1..5b738c4 100644
--- a/src/vendorcode/google/chromeos/vboot2/antirollback.c
+++ b/src/vendorcode/google/chromeos/vboot2/antirollback.c
@@ -145,6 +145,7 @@ static uint32_t set_kernel_space(const void *kernel_blob)
 
 static uint32_t _factory_initialize_tpm(struct vb2_context *ctx)
 {
+	RETURN_ON_FAILURE(tlcl_force_clear());
 	RETURN_ON_FAILURE(set_firmware_space(ctx->secdata));
 	RETURN_ON_FAILURE(set_kernel_space(secdata_kernel));
 	return TPM_SUCCESS;

More information about the coreboot-gerrit mailing list