[coreboot-gerrit] Change in coreboot[master]: security/tpm: Fix TPM 1.2 state machine issues

Philipp Deppenwiese (Code Review) gerrit at coreboot.org
Tue Aug 21 17:45:19 CEST 2018 

Philipp Deppenwiese has submitted this change and it was merged. ( https://review.coreboot.org/28085 )

Change subject: security/tpm: Fix TPM 1.2 state machine issues
......................................................................

security/tpm: Fix TPM 1.2 state machine issues

* Fix ACPI resume path compilation for TPM ramstage
  driver
* Move enabling of the TPM prior activation and remove
  reboot return status from TPM enable.

More information can be found via the TCG
specification v1.2

Tested=Elgon

Change-Id: Ided110e0c1889b302e29acac6d8d2341f97eb10b
Signed-off-by: Philipp Deppenwiese <zaolin at das-labor.org>
Reviewed-on: https://review.coreboot.org/28085
Reviewed-by: Patrick Rudolph <patrick.rudolph at 9elements.com>
Reviewed-by: Philipp Deppenwiese <zaolin.daisuki at gmail.com>
Tested-by: build bot (Jenkins) <no-reply at coreboot.org>
---
M src/drivers/tpm/tpm.c
M src/security/tpm/tspi/tspi.c
2 files changed, 18 insertions(+), 19 deletions(-)

Approvals:
  build bot (Jenkins): Verified
  Philipp Deppenwiese: Looks good to me, approved
  Patrick Rudolph: Looks good to me, but someone else must approve



diff --git a/src/drivers/tpm/tpm.c b/src/drivers/tpm/tpm.c
index e4a81c3..77d3a8e 100644
--- a/src/drivers/tpm/tpm.c
+++ b/src/drivers/tpm/tpm.c
@@ -18,16 +18,18 @@
 #include <bootstate.h>
 #include <security/tpm/tspi.h>
 
-#if IS_ENABLED(CONFIG_ARCH_X86)
+#if IS_ENABLED(CONFIG_HAVE_ACPI_RESUME)
 #include <arch/acpi.h>
 #endif
 
 static void init_tpm_dev(void *unused)
 {
-#if IS_ENABLED(CONFIG_ARCH_X86)
+#if IS_ENABLED(CONFIG_HAVE_ACPI_RESUME)
 	int s3resume = acpi_is_wakeup_s3();
 	tpm_setup(s3resume);
 #else
+	/* This can lead to PCR reset attacks but currently there
+	   is no generic way to detect resume on other platforms. */
 	tpm_setup(false);
 #endif
 }
diff --git a/src/security/tpm/tspi/tspi.c b/src/security/tpm/tspi/tspi.c
index 950e930..fccf224 100644
--- a/src/security/tpm/tspi/tspi.c
+++ b/src/security/tpm/tspi/tspi.c
@@ -25,17 +25,27 @@
 #if IS_ENABLED(CONFIG_TPM1)
 static uint32_t tpm1_invoke_state_machine(void)
 {
-	uint8_t disable;
+	uint8_t disabled;
 	uint8_t deactivated;
 	uint32_t result = TPM_SUCCESS;
 
 	/* Check that the TPM is enabled and activated. */
-	result = tlcl_get_flags(&disable, &deactivated, NULL);
+	result = tlcl_get_flags(&disabled, &deactivated, NULL);
 	if (result != TPM_SUCCESS) {
 		printk(BIOS_ERR, "TPM: Can't read capabilities.\n");
 		return result;
 	}
 
+	if (disabled) {
+		printk(BIOS_INFO, "TPM: is disabled. Enabling...\n");
+
+		result = tlcl_set_enable();
+		if (result != TPM_SUCCESS) {
+			printk(BIOS_ERR, "TPM: Can't set enabled state.\n");
+			return result;
+		}
+	}
+
 	if (!!deactivated != IS_ENABLED(CONFIG_TPM_DEACTIVATE)) {
 		printk(BIOS_INFO,
 		       "TPM: Unexpected TPM deactivated state. Toggling...\n");
@@ -50,19 +60,6 @@
 		result = TPM_E_MUST_REBOOT;
 	}
 
-	if (disable && !deactivated) {
-		printk(BIOS_INFO, "TPM: disabled (%d). Enabling...\n", disable);
-
-		result = tlcl_set_enable();
-		if (result != TPM_SUCCESS) {
-			printk(BIOS_ERR, "TPM: Can't set enabled state.\n");
-			return result;
-		}
-
-		printk(BIOS_INFO, "TPM: Must reboot to re-enable\n");
-		result = TPM_E_MUST_REBOOT;
-	}
-
 	return result;
 }
 #endif
@@ -122,8 +119,8 @@
 		result = tlcl_physical_presence_cmd_enable();
 		if (result != TPM_SUCCESS) {
 			printk(
-			    BIOS_ERR,
-			    "TPM: Can't enable physical presence command.\n");
+				BIOS_ERR,
+				"TPM: Can't enable physical presence command.\n");
 			goto out;
 		}
 

-- 
To view, visit https://review.coreboot.org/28085
To unsubscribe, or for help writing mail filters, visit https://review.coreboot.org/settings

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: Ided110e0c1889b302e29acac6d8d2341f97eb10b
Gerrit-Change-Number: 28085
Gerrit-PatchSet: 11
Gerrit-Owner: Philipp Deppenwiese <zaolin.daisuki at gmail.com>
Gerrit-Reviewer: Patrick Rudolph <patrick.rudolph at 9elements.com>
Gerrit-Reviewer: Paul Menzel <paulepanter at users.sourceforge.net>
Gerrit-Reviewer: Philipp Deppenwiese <zaolin.daisuki at gmail.com>
Gerrit-Reviewer: Randall Spangler <randall at spanglers.com>
Gerrit-Reviewer: Vadim Bendebury <vbendeb at chromium.org>
Gerrit-Reviewer: Vadim Bendebury <vbendeb at google.com>
Gerrit-Reviewer: build bot (Jenkins) <no-reply at coreboot.org>
Gerrit-CC: Patrick Georgi <pgeorgi at google.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.coreboot.org/pipermail/coreboot-gerrit/attachments/20180821/d302d466/attachment.html>

More information about the coreboot-gerrit mailing list