[coreboot-gerrit] Change in coreboot[master]: security/tpm: TPM software stack cleanup (1/3)

Philipp Deppenwiese (Code Review) gerrit at coreboot.org
Wed May 2 15:22:29 CEST 2018


Philipp Deppenwiese has uploaded this change for review. ( https://review.coreboot.org/25988


Change subject: security/tpm: TPM software stack cleanup (1/3)
......................................................................

security/tpm: TPM software stack cleanup (1/3)

Change-Id: I2d818d9e1b5c3ad7ebc4f2cdb1e3070f843fb2aa
Signed-off-by: Philipp Deppenwiese <zaolin at das-labor.org>
---
M src/cpu/intel/haswell/romstage.c
M src/drivers/i2c/tpm/Kconfig
M src/drivers/i2c/tpm/Makefile.inc
M src/drivers/intel/fsp1_1/romstage.c
M src/drivers/intel/fsp2_0/Kconfig
M src/drivers/intel/fsp2_0/memory_init.c
M src/drivers/pc80/tpm/Kconfig
M src/drivers/pc80/tpm/Makefile.inc
M src/drivers/spi/tpm/Kconfig
M src/drivers/spi/tpm/Makefile.inc
M src/mainboard/asus/kgpe-d16/romstage.c
M src/mainboard/gigabyte/ga-b75m-d3h/Kconfig
M src/mainboard/google/auron/Kconfig
M src/mainboard/google/beltino/Kconfig
M src/mainboard/google/butterfly/Kconfig
M src/mainboard/google/chell/Kconfig
M src/mainboard/google/cyan/Kconfig
M src/mainboard/google/eve/Kconfig
M src/mainboard/google/fizz/Kconfig
M src/mainboard/google/glados/Kconfig
M src/mainboard/google/gru/Kconfig
M src/mainboard/google/jecht/Kconfig
M src/mainboard/google/kahlee/Kconfig
M src/mainboard/google/kahlee/bootblock/bootblock.c
M src/mainboard/google/lars/Kconfig
M src/mainboard/google/link/Kconfig
M src/mainboard/google/link/romstage.c
M src/mainboard/google/oak/Kconfig
M src/mainboard/google/octopus/Kconfig
M src/mainboard/google/parrot/Kconfig
M src/mainboard/google/parrot/romstage.c
M src/mainboard/google/poppy/Kconfig
M src/mainboard/google/rambi/Kconfig
M src/mainboard/google/reef/Kconfig
M src/mainboard/google/slippy/Kconfig
M src/mainboard/google/stout/Kconfig
M src/mainboard/google/stout/romstage.c
M src/mainboard/google/zoombini/Kconfig
M src/mainboard/hp/8460p/Kconfig
M src/mainboard/hp/revolve_810_g1/Kconfig
M src/mainboard/intel/emeraldlake2/romstage.c
M src/mainboard/intel/galileo/Kconfig
M src/mainboard/intel/glkrvp/Kconfig
M src/mainboard/intel/kblrvp/Kconfig
M src/mainboard/lenovo/s230u/Kconfig
M src/mainboard/lenovo/t420/Kconfig
M src/mainboard/lenovo/t420s/Kconfig
M src/mainboard/lenovo/t430/Kconfig
M src/mainboard/lenovo/t430s/Kconfig
M src/mainboard/lenovo/t520/Kconfig
M src/mainboard/lenovo/t530/Kconfig
M src/mainboard/lenovo/x131e/Kconfig
M src/mainboard/lenovo/x1_carbon_gen1/Kconfig
M src/mainboard/lenovo/x201/Kconfig
M src/mainboard/lenovo/x201/romstage.c
M src/mainboard/lenovo/x220/Kconfig
M src/mainboard/lenovo/x230/Kconfig
M src/mainboard/pcengines/apu2/Kconfig
M src/mainboard/pcengines/apu2/romstage.c
M src/mainboard/samsung/lumpy/Kconfig
M src/mainboard/samsung/lumpy/romstage.c
M src/mainboard/samsung/stumpy/Kconfig
M src/mainboard/samsung/stumpy/romstage.c
M src/northbridge/intel/sandybridge/romstage.c
M src/security/tpm/Kconfig
M src/security/tpm/Makefile.inc
M src/security/tpm/tis.h
A src/security/tpm/tspi.h
A src/security/tpm/tspi/tspi.c
M src/security/tpm/tss.h
A src/security/tpm/tss/common/tss_common.h
M src/security/tpm/tss/tcg-1.2/tss.c
A src/security/tpm/tss/tcg-1.2/tss_commands.h
M src/security/tpm/tss/tcg-1.2/tss_structures.h
M src/security/tpm/tss/tcg-2.0/tss.c
M src/security/tpm/tss/tcg-2.0/tss_marshaling.h
M src/security/tpm/tss/tcg-2.0/tss_structures.h
A src/security/tpm/tss/vendor/cr50/Kconfig
A src/security/tpm/tss/vendor/cr50/Makefile.inc
A src/security/tpm/tss/vendor/cr50/tss.c
A src/security/tpm/tss/vendor/cr50/tss_structures.h
D src/security/tpm/tss_constants.h
D src/security/tpm/tss_error_messages.h
A src/security/tpm/tss_errors.h
M src/soc/intel/apollolake/Kconfig
M src/soc/intel/baytrail/romstage/romstage.c
M src/soc/intel/braswell/romstage/romstage.c
M src/soc/intel/broadwell/romstage/romstage.c
M src/soc/intel/common/Makefile.inc
M src/vendorcode/google/chromeos/Kconfig
M src/vendorcode/google/chromeos/Makefile.inc
91 files changed, 1,069 insertions(+), 982 deletions(-)



  git pull ssh://review.coreboot.org:29418/coreboot refs/changes/88/25988/1

diff --git a/src/cpu/intel/haswell/romstage.c b/src/cpu/intel/haswell/romstage.c
index 6d9fbc4..1c293d4 100644
--- a/src/cpu/intel/haswell/romstage.c
+++ b/src/cpu/intel/haswell/romstage.c
@@ -42,7 +42,7 @@
 #include "northbridge/intel/haswell/raminit.h"
 #include "southbridge/intel/lynxpoint/pch.h"
 #include "southbridge/intel/lynxpoint/me.h"
-#include <security/tpm/tis.h>
+#include <security/tpm/tspi.h>
 
 static inline void reset_system(void)
 {
@@ -245,8 +245,8 @@
 	romstage_handoff_init(wake_from_s3);
 
 	post_code(0x3f);
-	if (IS_ENABLED(CONFIG_LPC_TPM))
-		init_tpm(wake_from_s3);
+	if (IS_ENABLED(CONFIG_TPM1) || IS_ENABLED(CONFIG_TPM2))
+		tpm_setup(wake_from_s3);
 }
 
 asmlinkage void romstage_after_car(void)
diff --git a/src/drivers/i2c/tpm/Kconfig b/src/drivers/i2c/tpm/Kconfig
index db6777e..509dd7d 100644
--- a/src/drivers/i2c/tpm/Kconfig
+++ b/src/drivers/i2c/tpm/Kconfig
@@ -1,32 +1,28 @@
 config I2C_TPM
-	bool "I2C TPM"
-	depends on TPM || TPM2
+	bool
+	help
+	  I2C TPM driver is enabled!
 
 config MAINBOARD_HAS_I2C_TPM_ATMEL
 	bool
 	default n
+	select I2C_TPM if TPM1 || TPM2
+	help
+	  Board has an Atmel I2C TPM support
 
 config MAINBOARD_HAS_I2C_TPM_CR50
 	bool
 	default n
+	select I2C_TPM if TPM1 || TPM2
+	help
+	  Board has a Cr50 I2C TPM support
 
-choice
-	prompt "I2C TPM Driver"
-	default I2C_TPM_ATMEL if MAINBOARD_HAS_I2C_TPM_ATMEL
-	default I2C_TPM_CR50 if MAINBOARD_HAS_I2C_TPM_CR50
-	default I2C_TPM_GENERIC if !MAINBOARD_HAS_I2C_TPM_CR50 && !MAINBOARD_HAS_I2C_TPM_ATMEL
-	depends on I2C_TPM
-
-config I2C_TPM_GENERIC
-	bool "Generic I2C TPM Driver"
-
-config I2C_TPM_ATMEL
-	bool "ATMEL I2C TPM Driver"
-
-config I2C_TPM_CR50
-	bool "CR50 I2C TPM Driver"
-
-endchoice
+config MAINBOARD_HAS_I2C_TPM_GENERIC
+	bool
+	default n
+	select I2C_TPM if TPM1 || TPM2
+	help
+	  Board has a generic I2C TPM support
 
 config DRIVER_TIS_DEFAULT
 	bool
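Review bot: The help text `I2C TPM driver is enabled!` on the now promptless I2C_TPM symbol describes a state rather than what the option controls, which is what Kconfig help is read for. Something like `Build the I2C TPM TIS driver; selected automatically by a board's MAINBOARD_HAS_I2C_TPM_* option when TPM1 or TPM2 is set.` tells a reader why the symbol appears in their .config. The same wording is used for LPC_TPM in src/drivers/pc80/tpm/Kconfig and SPI_TPM in src/drivers/spi/tpm/Kconfig in this change.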
diff --git a/src/drivers/i2c/tpm/Makefile.inc b/src/drivers/i2c/tpm/Makefile.inc
index afcb33b..effe1ae 100644
--- a/src/drivers/i2c/tpm/Makefile.inc
+++ b/src/drivers/i2c/tpm/Makefile.inc
@@ -1,3 +1,4 @@
+ifneq ($(CONFIG_TPM1),$(CONFIG_TPM2),)
 
 ramstage-$(CONFIG_DRIVER_TIS_DEFAULT) += tis.c
 romstage-$(CONFIG_DRIVER_TIS_DEFAULT) += tis.c
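Review bot: `ifneq ($(CONFIG_TPM1),$(CONFIG_TPM2),)` on the added first line does not express "TPM1 or TPM2 is enabled": GNU make splits the parenthesised form at the first top-level comma, so the second argument is `$(CONFIG_TPM2),` including the trailing comma, which can never equal the first argument, and the conditional is always true. Nothing breaks today because the per-target `$(CONFIG_…)` suffixes still gate each object, but the new guard is dead. A non-empty test on the concatenation, `ifneq ($(CONFIG_TPM1)$(CONFIG_TPM2),)`, does what the line presumably intends. The identical line opens src/drivers/pc80/tpm/Makefile.inc and src/drivers/spi/tpm/Makefile.inc in this change.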
@@ -9,14 +10,16 @@
 verstage-$(CONFIG_MAINBOARD_HAS_I2C_TPM_ATMEL) += tis_atmel.c
 bootblock-$(CONFIG_MAINBOARD_HAS_I2C_TPM_ATMEL) += tis_atmel.c
 
-ramstage-$(CONFIG_I2C_TPM_GENERIC) += tpm.c
-romstage-$(CONFIG_I2C_TPM_GENERIC) += tpm.c
-verstage-$(CONFIG_I2C_TPM_GENERIC) += tpm.c
-bootblock-$(CONFIG_I2C_TPM_GENERIC) += tpm.c
+ramstage-$(CONFIG_MAINBOARD_HAS_I2C_TPM_GENERIC) += tpm.c
+romstage-$(CONFIG_MAINBOARD_HAS_I2C_TPM_GENERIC) += tpm.c
+verstage-$(CONFIG_MAINBOARD_HAS_I2C_TPM_GENERIC) += tpm.c
+bootblock-$(CONFIG_MAINBOARD_HAS_I2C_TPM_GENERIC) += tpm.c
 
-ramstage-$(CONFIG_I2C_TPM_CR50) += cr50.c
-romstage-$(CONFIG_I2C_TPM_CR50) += cr50.c
-verstage-$(CONFIG_I2C_TPM_CR50) += cr50.c
-bootblock-$(CONFIG_I2C_TPM_CR50) += cr50.c
+ramstage-$(CONFIG_MAINBOARD_HAS_I2C_TPM_CR50) += cr50.c
+romstage-$(CONFIG_MAINBOARD_HAS_I2C_TPM_CR50) += cr50.c
+verstage-$(CONFIG_MAINBOARD_HAS_I2C_TPM_CR50) += cr50.c
+bootblock-$(CONFIG_MAINBOARD_HAS_I2C_TPM_CR50) += cr50.c
 
 ramstage-$(CONFIG_DRIVER_I2C_TPM_ACPI) += chip.c
+
+endif
diff --git a/src/drivers/intel/fsp1_1/romstage.c b/src/drivers/intel/fsp1_1/romstage.c
index ba08cdc..0320bf5 100644
--- a/src/drivers/intel/fsp1_1/romstage.c
+++ b/src/drivers/intel/fsp1_1/romstage.c
@@ -37,7 +37,7 @@
 #include <stage_cache.h>
 #include <string.h>
 #include <timestamp.h>
-#include <security/tpm/tis.h>
+#include <security/tpm/tspi.h>
 #include <vendorcode/google/chromeos/chromeos.h>
 
 asmlinkage void *romstage_main(FSP_INFO_HEADER *fih)
@@ -172,9 +172,9 @@
 	 * Initialize the TPM, unless the TPM was already initialized
 	 * in verstage and used to verify romstage.
 	 */
-	if (IS_ENABLED(CONFIG_LPC_TPM) &&
+	if ((IS_ENABLED(CONFIG_TPM1) || IS_ENABLED(CONFIG_TPM2)) &&
 	    !IS_ENABLED(CONFIG_VBOOT_STARTS_IN_BOOTBLOCK))
-		init_tpm(params->power_state->prev_sleep_state ==
+		tpm_setup(params->power_state->prev_sleep_state ==
 			 ACPI_S3);
 }
 
diff --git a/src/drivers/intel/fsp2_0/Kconfig b/src/drivers/intel/fsp2_0/Kconfig
index 1ff8aa6..f149544 100644
--- a/src/drivers/intel/fsp2_0/Kconfig
+++ b/src/drivers/intel/fsp2_0/Kconfig
@@ -119,6 +119,8 @@
 
 config FSP2_0_USES_TPM_MRC_HASH
 	bool
+	depends on TPM1 || TPM2
+	depends on VBOOT
 	default y if HAS_RECOVERY_MRC_CACHE
 	default n
 	select VBOOT_HAS_REC_HASH_SPACE
diff --git a/src/drivers/intel/fsp2_0/memory_init.c b/src/drivers/intel/fsp2_0/memory_init.c
index 30987ce..4e236c0 100644
--- a/src/drivers/intel/fsp2_0/memory_init.c
+++ b/src/drivers/intel/fsp2_0/memory_init.c
@@ -11,14 +11,13 @@
  * (at your option) any later version.
  */
 
-#include <compiler.h>
-#include <security/tpm/antirollback.h>
-#include <arch/io.h>
 #include <arch/cpu.h>
+#include <arch/io.h>
 #include <arch/symbols.h>
 #include <assert.h>
 #include <cbfs.h>
 #include <cbmem.h>
+#include <compiler.h>
 #include <console/console.h>
 #include <elog.h>
 #include <fsp/api.h>
@@ -28,12 +27,12 @@
 #include <program_loading.h>
 #include <reset.h>
 #include <romstage_handoff.h>
+#include <security/tpm/tspi.h>
+#include <security/vboot/antirollback.h>
+#include <security/vboot/vboot_common.h>
 #include <string.h>
 #include <symbols.h>
 #include <timestamp.h>
-#include <security/tpm/tis.h>
-#include <security/tpm/tss.h>
-#include <security/vboot/vboot_common.h>
 #include <vb2_api.h>
 
 static void mrc_cache_update_tpm_hash(const uint8_t *data, size_t size)
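Review bot: `#include <security/vboot/antirollback.h>` replaces the removed `<security/tpm/antirollback.h>`, yet the change's file list contains no antirollback.h move or addition, so the new include only resolves if that header already exists under security/vboot or arrives in a later part of the series. If it is the latter, this change does not build on its own and the dependency should be stated in the description (a one-line `Depends on: <follow-up change>` would do); if the header already exists, ignore this.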
@@ -68,7 +67,8 @@
 	/* Calculate hash of data generated by MRC. */
 	if (vb2_digest_buffer(data, size, VB2_HASH_SHA256, data_hash,
 			      sizeof(data_hash))) {
-		printk(BIOS_ERR, "MRC: SHA-256 calculation failed for data. "
+		printk(BIOS_ERR,
+		       "MRC: SHA-256 calculation failed for data. "
 		       "Not updating TPM hash space.\n");
 		/*
 		 * Since data is being updated in recovery cache, the hash
@@ -92,7 +92,7 @@
 
 static void save_memory_training_data(bool s3wake, uint32_t fsp_version)
 {
-	size_t  mrc_data_size;
+	size_t mrc_data_size;
 	const void *mrc_data;
 
 	if (!IS_ENABLED(CONFIG_CACHE_MRC_SETTINGS) || s3wake)
@@ -111,7 +111,8 @@
 	 * training data matches this one.
 	 */
 	if (mrc_cache_stash_data(MRC_TRAINING_DATA, fsp_version, mrc_data,
-				mrc_data_size) < 0)
+				 mrc_data_size)
+	    < 0)
 		printk(BIOS_ERR, "Failed to stash MRC data\n");
 
 	mrc_cache_update_tpm_hash(mrc_data, mrc_data_size);
@@ -127,20 +128,20 @@
 	/* initialize cbmem by adding FSP reserved memory first thing */
 	if (!s3wake) {
 		cbmem_initialize_empty_id_size(CBMEM_ID_FSP_RESERVED_MEMORY,
-			range_entry_size(&fsp_mem));
+					       range_entry_size(&fsp_mem));
 	} else if (cbmem_initialize_id_size(CBMEM_ID_FSP_RESERVED_MEMORY,
-				range_entry_size(&fsp_mem))) {
+					    range_entry_size(&fsp_mem))) {
 		if (IS_ENABLED(CONFIG_HAVE_ACPI_RESUME)) {
 			printk(BIOS_ERR,
-				"Failed to recover CBMEM in S3 resume.\n");
+			       "Failed to recover CBMEM in S3 resume.\n");
 			/* Failed S3 resume, reset to come up cleanly */
 			hard_reset();
 		}
 	}
 
 	/* make sure FSP memory is reserved in cbmem */
-	if (range_entry_base(&fsp_mem) !=
-		(uintptr_t)cbmem_find(CBMEM_ID_FSP_RESERVED_MEMORY))
+	if (range_entry_base(&fsp_mem)
+	    != (uintptr_t)cbmem_find(CBMEM_ID_FSP_RESERVED_MEMORY))
 		die("Failed to accommodate FSP reserved memory request!\n");
 
 	save_memory_training_data(s3wake, fsp_version);
@@ -152,9 +153,9 @@
 	 * Initialize the TPM, unless the TPM was already initialized
 	 * in verstage and used to verify romstage.
 	 */
-	if (IS_ENABLED(CONFIG_LPC_TPM) &&
-	    !IS_ENABLED(CONFIG_VBOOT_STARTS_IN_BOOTBLOCK))
-		init_tpm(s3wake);
+	if (IS_ENABLED(CONFIG_LPC_TPM)
+	    && !IS_ENABLED(CONFIG_VBOOT_STARTS_IN_BOOTBLOCK))
+		tpm_setup(s3wake);
 }
 
 static int mrc_cache_verify_tpm_hash(const uint8_t *data, size_t size)
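Review bot: The guard on the first changed line still tests only `IS_ENABLED(CONFIG_LPC_TPM)`, while the equivalent call sites touched by this change (haswell romstage, fsp1_1 romstage, kgpe-d16) were switched to `IS_ENABLED(CONFIG_TPM1) || IS_ENABLED(CONFIG_TPM2)`; on an FSP 2.0 board with a SPI or I2C cr50 (fizz, the poppy variants, octopus in this same change) tpm_setup() is therefore skipped here unless vboot starts in bootblock. Use the same condition, `if ((IS_ENABLED(CONFIG_TPM1) || IS_ENABLED(CONFIG_TPM2)) && !IS_ENABLED(CONFIG_VBOOT_STARTS_IN_BOOTBLOCK))`, or, if LPC-only is deliberate for FSP 2.0, add a comment saying why. The enclosing function begins before this hunk.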
@@ -194,7 +195,8 @@
 		return 0;
 	}
 
-	printk(BIOS_INFO, "MRC: Hash comparison successful. "
+	printk(BIOS_INFO,
+	       "MRC: Hash comparison successful. "
 	       "Using data from RECOVERY_MRC_CACHE\n");
 	return 1;
 }
@@ -238,22 +240,25 @@
 	arch_upd->NvsBufferPtr = data;
 
 	printk(BIOS_SPEW, "MRC cache found, size %zx\n",
-			region_device_sz(&rdev));
+	       region_device_sz(&rdev));
 }
 
 static enum cb_err check_region_overlap(const struct memranges *ranges,
 					const char *description,
 					uintptr_t begin, uintptr_t end)
 {
-	const struct range_entry *r;
+	const struct range_entry *r = NULL;
 
-	memranges_each_entry(r, ranges) {
+	memranges_each_entry(r, ranges)
+	{
 		if (end <= range_entry_base(r))
 			continue;
 		if (begin >= range_entry_end(r))
 			continue;
-		printk(BIOS_CRIT, "'%s' overlaps currently running program: "
-			"[%p, %p)\n", description, (void *)begin, (void *)end);
+		printk(BIOS_CRIT,
+		       "'%s' overlaps currently running program: "
+		       "[%p, %p)\n",
+		       description, (void *)begin, (void *)end);
 		return CB_ERR;
 	}
 
@@ -261,8 +266,9 @@
 }
 
 static enum cb_err fsp_fill_common_arch_params(FSPM_ARCH_UPD *arch_upd,
-					bool s3wake, uint32_t fsp_version,
-					const struct memranges *memmap)
+					       bool s3wake,
+					       uint32_t fsp_version,
+					       const struct memranges *memmap)
 {
 	uintptr_t stack_begin;
 	uintptr_t stack_end;
@@ -275,8 +281,8 @@
 	stack_end = (uintptr_t)_car_region_end;
 	stack_begin = stack_end - arch_upd->StackSize;
 
-	if (check_region_overlap(memmap, "FSPM stack", stack_begin,
-				stack_end) != CB_SUCCESS)
+	if (check_region_overlap(memmap, "FSPM stack", stack_begin, stack_end)
+	    != CB_SUCCESS)
 		return CB_ERR;
 
 	arch_upd->StackBase = (void *)stack_begin;
@@ -343,7 +349,7 @@
 }
 
 static void do_fsp_memory_init(struct fsp_header *hdr, bool s3wake,
-					const struct memranges *memmap)
+			       const struct memranges *memmap)
 {
 	uint32_t status;
 	fsp_memory_init_fn fsp_raminit;
@@ -369,8 +375,8 @@
 	arch_upd->BootLoaderTolumSize = cbmem_overhead_size();
 
 	/* Fill common settings on behalf of chipset. */
-	if (fsp_fill_common_arch_params(arch_upd, s3wake, fsp_version,
-					memmap) != CB_SUCCESS)
+	if (fsp_fill_common_arch_params(arch_upd, s3wake, fsp_version, memmap)
+	    != CB_SUCCESS)
 		die("FSPM_ARCH_UPD not found!\n");
 
 	/* Give SoC and mainboard a chance to update the UPD */
@@ -403,8 +409,8 @@
 
 /* Load the binary into the memory specified by the info header. */
 static enum cb_err load_fspm_mem(struct fsp_header *hdr,
-					const struct region_device *rdev,
-					const struct memranges *memmap)
+				 const struct region_device *rdev,
+				 const struct memranges *memmap)
 {
 	uintptr_t fspm_begin;
 	uintptr_t fspm_end;
@@ -415,8 +421,8 @@
 	fspm_begin = hdr->image_base;
 	fspm_end = fspm_begin + hdr->image_size;
 
-	if (check_region_overlap(memmap, "FSPM", fspm_begin, fspm_end) !=
-		CB_SUCCESS)
+	if (check_region_overlap(memmap, "FSPM", fspm_begin, fspm_end)
+	    != CB_SUCCESS)
 		return CB_ERR;
 
 	/* Load binary into memory at provided address. */
@@ -428,7 +434,7 @@
 
 /* Handle the case when FSPM is running XIP. */
 static enum cb_err load_fspm_xip(struct fsp_header *hdr,
-					const struct region_device *rdev)
+				 const struct region_device *rdev)
 {
 	void *base;
 
@@ -438,7 +444,7 @@
 	base = rdev_mmap_full(rdev);
 	if ((uintptr_t)base != hdr->image_base) {
 		printk(BIOS_CRIT, "FSPM XIP base does not match: %p vs %p\n",
-			(void *)(uintptr_t)hdr->image_base, base);
+		       (void *)(uintptr_t)hdr->image_base, base);
 		return CB_ERR;
 	}
 
@@ -472,7 +478,7 @@
 	/* Build up memory map of romstage address space including CAR. */
 	memranges_init_empty(&memmap, &freeranges[0], ARRAY_SIZE(freeranges));
 	memranges_insert(&memmap, (uintptr_t)_car_region_start,
-		_car_relocatable_data_end - _car_region_start, 0);
+			 _car_relocatable_data_end - _car_region_start, 0);
 	memranges_insert(&memmap, (uintptr_t)_program, _program_size, 0);
 
 	if (!IS_ENABLED(CONFIG_FSP_M_XIP))
diff --git a/src/drivers/pc80/tpm/Kconfig b/src/drivers/pc80/tpm/Kconfig
index 879b4a2..fe48a75 100644
--- a/src/drivers/pc80/tpm/Kconfig
+++ b/src/drivers/pc80/tpm/Kconfig
@@ -1,11 +1,8 @@
 config LPC_TPM
-	bool "Enable TPM support"
-	depends on MAINBOARD_HAS_LPC_TPM
+	bool
 	default n
 	help
-	  Enable this option to enable LPC TPM support in coreboot.
-
-	  If unsure, say N.
+	  LPC TPM driver is enabled!
 
 config TPM_TIS_BASE_ADDRESS
 	hex
@@ -25,33 +22,9 @@
 	  This can be used to specify a PIRQ to use instead of SERIRQ,
 	  which is needed for SPI TPM interrupt support on x86.
 
-config TPM_INIT_FAILURE_IS_FATAL
+config MAINBOARD_HAS_LPC_TPM
 	bool
 	default n
-	depends on LPC_TPM
+	select LPC_TPM if TPM1 || TPM2
 	help
-	  What to do if TPM init failed. If true, force a hard reset,
-	  otherwise just log error message to console.
-
-config SKIP_TPM_STARTUP_ON_NORMAL_BOOT
-	bool
-	default n
-	depends on LPC_TPM
-	help
-	  Skip TPM init on normal boot. Useful if payload does TPM init.
-
-config TPM_DEACTIVATE
-	bool "Deactivate TPM"
-	default n
-	depends on LPC_TPM
-	help
-	  Deactivate TPM by issuing deactivate command.
-
-config TPM_RDRESP_NEED_DELAY
-	bool "Enable Delay Workaround for TPM"
-	default n
-	depends on LPC_TPM
-	help
-	  Certain TPMs seem to need some delay when reading response
-	  to work around a race-condition-related issue, possibly
-	  caused by ill-programmed TPM firmware.
+	  Board has LPC TPM support
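Review bot: TPM_INIT_FAILURE_IS_FATAL, SKIP_TPM_STARTUP_ON_NORMAL_BOOT, TPM_DEACTIVATE and TPM_RDRESP_NEED_DELAY are deleted here, but src/drivers/pc80/tpm/tis.c is not in the change's file list; if it still tests CONFIG_TPM_RDRESP_NEED_DELAY, that IS_ENABLED() silently becomes 0 once the symbol is gone and the read-response delay workaround disappears without any build error, and the same holds for whatever reads the other three. If the symbols are re-declared in src/security/tpm/Kconfig (modified by this change but not shown), a sentence in the commit message saying they moved would remove the doubt; otherwise they should be kept or their users updated in the same change.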
diff --git a/src/drivers/pc80/tpm/Makefile.inc b/src/drivers/pc80/tpm/Makefile.inc
index 9d428b5..1f28fd3 100644
--- a/src/drivers/pc80/tpm/Makefile.inc
+++ b/src/drivers/pc80/tpm/Makefile.inc
@@ -1,8 +1,11 @@
+ifneq ($(CONFIG_TPM1),$(CONFIG_TPM2),)
+
 ifeq ($(CONFIG_ARCH_X86),y)
 
 verstage-$(CONFIG_LPC_TPM) += tis.c
 romstage-$(CONFIG_LPC_TPM) += tis.c
 ramstage-$(CONFIG_LPC_TPM) += tis.c
-romstage-$(CONFIG_LPC_TPM) += romstage.c
+
+endif
 
 endif
diff --git a/src/drivers/spi/tpm/Kconfig b/src/drivers/spi/tpm/Kconfig
index 9022d00..a02a7bc 100644
--- a/src/drivers/spi/tpm/Kconfig
+++ b/src/drivers/spi/tpm/Kconfig
@@ -1,6 +1,7 @@
 config SPI_TPM
-	bool "SPI TPM"
-	depends on TPM2
+	bool
+	help
+	  SPI TPM driver is enabled!
 
 config DRIVER_TPM_SPI_BUS
 	hex "SPI bus TPM chip is connected to"
@@ -15,3 +16,6 @@
 config MAINBOARD_HAS_SPI_TPM_CR50
 	bool
 	default n
+	select SPI_TPM if TPM1 || TPM2
+	help
+	  Board has SPI TPM support
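Review bot: `select SPI_TPM if TPM1 || TPM2` drops the `depends on TPM2` that the first hunk removes from SPI_TPM itself, so a board selecting MAINBOARD_HAS_SPI_TPM_CR50 in a TPM1 configuration now builds the SPI driver for a TPM 1.2 setup the driver was previously declared not to support. If the SPI TIS driver is still TPM 2.0-only, `select SPI_TPM if TPM2` preserves the old constraint; if it now handles both, the help text should say so.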
diff --git a/src/drivers/spi/tpm/Makefile.inc b/src/drivers/spi/tpm/Makefile.inc
index cc7d715..2e48873 100644
--- a/src/drivers/spi/tpm/Makefile.inc
+++ b/src/drivers/spi/tpm/Makefile.inc
@@ -1,3 +1,5 @@
+ifneq ($(CONFIG_TPM1),$(CONFIG_TPM2),)
+
 verstage-$(CONFIG_SPI_TPM) += tis.c tpm.c
 romstage-$(CONFIG_SPI_TPM) += tis.c tpm.c
 ramstage-$(CONFIG_SPI_TPM) += tis.c tpm.c
@@ -7,3 +9,5 @@
 romstage-$(CONFIG_SPI_TPM) += tis.c tpm.c
 ramstage-$(CONFIG_SPI_TPM) += tis.c tpm.c
 endif
+
+endif
diff --git a/src/mainboard/asus/kgpe-d16/romstage.c b/src/mainboard/asus/kgpe-d16/romstage.c
index 89b654f..8bcb062 100644
--- a/src/mainboard/asus/kgpe-d16/romstage.c
+++ b/src/mainboard/asus/kgpe-d16/romstage.c
@@ -46,7 +46,7 @@
 #include <cpu/amd/family_10h-family_15h/init_cpus.h>
 #include <arch/early_variables.h>
 #include <cbmem.h>
-#include <security/tpm/tis.h>
+#include <security/tpm/tspi.h>
 
 #include "resourcemap.c"
 #include "cpu/amd/quadcore/quadcore.c"
@@ -627,8 +627,8 @@
 	pci_write_config16(PCI_DEV(0, 0x14, 0), 0x56, 0x0bb0);
 	pci_write_config16(PCI_DEV(0, 0x14, 0), 0x5a, 0x0ff0);
 
-	if (IS_ENABLED(CONFIG_LPC_TPM))
-		init_tpm(s3resume);
+	if (IS_ENABLED(CONFIG_TPM1) || IS_ENABLED(CONFIG_TPM2))
+		tpm_setup(s3resume);
 }
 
 /**
diff --git a/src/mainboard/gigabyte/ga-b75m-d3h/Kconfig b/src/mainboard/gigabyte/ga-b75m-d3h/Kconfig
index 36c7158..580a9ad 100644
--- a/src/mainboard/gigabyte/ga-b75m-d3h/Kconfig
+++ b/src/mainboard/gigabyte/ga-b75m-d3h/Kconfig
@@ -18,7 +18,6 @@
 	select SERIRQ_CONTINUOUS_MODE
 	select MAINBOARD_HAS_LIBGFXINIT
 	select MAINBOARD_HAS_LPC_TPM
-	select TPM
 
 config DRAM_RESET_GATE_GPIO
 	int
diff --git a/src/mainboard/google/auron/Kconfig b/src/mainboard/google/auron/Kconfig
index 791dcba..92dd9e4 100644
--- a/src/mainboard/google/auron/Kconfig
+++ b/src/mainboard/google/auron/Kconfig
@@ -10,6 +10,7 @@
 	select HAVE_SMI_HANDLER
 	select MAINBOARD_HAS_CHROMEOS
 	select MAINBOARD_HAS_LPC_TPM
+	select MAINBOARD_HAS_TPM1
 	select INTEL_INT15
 	select SYSTEM_TYPE_LAPTOP
 
diff --git a/src/mainboard/google/beltino/Kconfig b/src/mainboard/google/beltino/Kconfig
index a029fec..428db73 100644
--- a/src/mainboard/google/beltino/Kconfig
+++ b/src/mainboard/google/beltino/Kconfig
@@ -12,6 +12,7 @@
 	select HAVE_SMI_HANDLER
 	select MAINBOARD_HAS_CHROMEOS
 	select MAINBOARD_HAS_LPC_TPM
+	select MAINBOARD_HAS_TPM1
 
 if BOARD_GOOGLE_BASEBOARD_BELTINO
 
diff --git a/src/mainboard/google/butterfly/Kconfig b/src/mainboard/google/butterfly/Kconfig
index 1f4547d..d5fce5e 100644
--- a/src/mainboard/google/butterfly/Kconfig
+++ b/src/mainboard/google/butterfly/Kconfig
@@ -14,6 +14,7 @@
 	select HAVE_ACPI_RESUME
 	select MAINBOARD_HAS_CHROMEOS
 	select MAINBOARD_HAS_LPC_TPM
+	select MAINBOARD_HAS_TPM1
 	select INTEL_INT15
 	select SERIRQ_CONTINUOUS_MODE 	# Workaround for EC/KBC IRQ1.
 
diff --git a/src/mainboard/google/chell/Kconfig b/src/mainboard/google/chell/Kconfig
index f958d91..9257b5a 100644
--- a/src/mainboard/google/chell/Kconfig
+++ b/src/mainboard/google/chell/Kconfig
@@ -17,6 +17,7 @@
 	select HAVE_SMI_HANDLER
 	select MAINBOARD_HAS_CHROMEOS
 	select MAINBOARD_HAS_LPC_TPM
+	select MAINBOARD_HAS_TPM1
 	select SOC_INTEL_SKYLAKE
 	select SYSTEM_TYPE_LAPTOP
 
diff --git a/src/mainboard/google/cyan/Kconfig b/src/mainboard/google/cyan/Kconfig
index 7b8fd44..fdd6316 100644
--- a/src/mainboard/google/cyan/Kconfig
+++ b/src/mainboard/google/cyan/Kconfig
@@ -10,6 +10,7 @@
 	select HAVE_OPTION_TABLE
 	select MAINBOARD_HAS_CHROMEOS
 	select MAINBOARD_HAS_LPC_TPM
+	select MAINBOARD_HAS_TPM1
 	select SOC_INTEL_BRASWELL
 	select HAVE_ACPI_RESUME
 	select PCIEXP_L1_SUB_STATE if !BOARD_GOOGLE_CYAN
diff --git a/src/mainboard/google/eve/Kconfig b/src/mainboard/google/eve/Kconfig
index ea65030..7d47463 100644
--- a/src/mainboard/google/eve/Kconfig
+++ b/src/mainboard/google/eve/Kconfig
@@ -14,12 +14,11 @@
 	select EC_GOOGLE_CHROMEEC_LPC
 	select HAVE_ACPI_RESUME
 	select HAVE_ACPI_TABLES
-	select I2C_TPM
 	select MAINBOARD_HAS_CHROMEOS
 	select MAINBOARD_HAS_I2C_TPM_CR50
+	select MAINBOARD_HAS_TPM2
 	select MAINBOARD_USES_FSP2_0
 	select SOC_INTEL_KABYLAKE
-	select TPM2
 
 config VBOOT
 	select EC_GOOGLE_CHROMEEC_SWITCHES
diff --git a/src/mainboard/google/fizz/Kconfig b/src/mainboard/google/fizz/Kconfig
index 1ca3090..9907ab9 100644
--- a/src/mainboard/google/fizz/Kconfig
+++ b/src/mainboard/google/fizz/Kconfig
@@ -15,8 +15,7 @@
 	select NO_FADT_8042
 	select SOC_INTEL_KABYLAKE
 	select MAINBOARD_HAS_SPI_TPM_CR50
-	select SPI_TPM
-	select TPM2
+	select MAINBOARD_HAS_TPM2
 	select GENERIC_SPD_BIN
 	select RT8168_GET_MAC_FROM_VPD
 	select RT8168_SET_LED_MODE
diff --git a/src/mainboard/google/glados/Kconfig b/src/mainboard/google/glados/Kconfig
index de78aae..9a2e4cc 100644
--- a/src/mainboard/google/glados/Kconfig
+++ b/src/mainboard/google/glados/Kconfig
@@ -17,6 +17,7 @@
 	select HAVE_SMI_HANDLER
 	select MAINBOARD_HAS_CHROMEOS
 	select MAINBOARD_HAS_LPC_TPM
+	select MAINBOARD_HAS_TPM1
 	select SOC_INTEL_SKYLAKE
 	select SYSTEM_TYPE_LAPTOP
 
diff --git a/src/mainboard/google/gru/Kconfig b/src/mainboard/google/gru/Kconfig
index e97dce4..11bf18c 100644
--- a/src/mainboard/google/gru/Kconfig
+++ b/src/mainboard/google/gru/Kconfig
@@ -57,11 +57,13 @@
 	select SPI_FLASH
 	select SPI_FLASH_GIGADEVICE
 	select SPI_FLASH_WINBOND
+	select MAINBOARD_HAS_SPI_TPM_CR50 if GRU_HAS_TPM2
+	select MAINBOARD_HAS_I2C_TPM_GENERIC if !GRU_HAS_TPM2
+	select MAINBOARD_HAS_TPM1 if !GRU_HAS_TPM2
+	select MAINBOARD_HAS_TPM2 if GRU_HAS_TPM2
 
 config VBOOT
 	select EC_GOOGLE_CHROMEEC_SWITCHES
-	select MAINBOARD_HAS_SPI_TPM_CR50 if GRU_HAS_TPM2
-	select SPI_TPM if GRU_HAS_TPM2
 	select VBOOT_VBNV_FLASH
 
 config MAINBOARD_DIR
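Review bot: The TPM selects are moved out of `config VBOOT` into the unconditional board options, so a gru build without VBOOT now pulls in the cr50 SPI or generic I2C TPM driver and a TPM1/TPM2 stack where it previously did not. If that is the intent of the new MAINBOARD_HAS_* scheme, a line in the commit message would help; otherwise the four new selects need an `&& VBOOT` qualifier, e.g. `select MAINBOARD_HAS_SPI_TPM_CR50 if GRU_HAS_TPM2 && VBOOT`.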
diff --git a/src/mainboard/google/jecht/Kconfig b/src/mainboard/google/jecht/Kconfig
index fdb5ee0..e980205 100644
--- a/src/mainboard/google/jecht/Kconfig
+++ b/src/mainboard/google/jecht/Kconfig
@@ -9,6 +9,7 @@
 	select HAVE_SMI_HANDLER
 	select MAINBOARD_HAS_CHROMEOS
 	select MAINBOARD_HAS_LPC_TPM
+	select MAINBOARD_HAS_TPM1
 
 if BOARD_GOOGLE_BASEBOARD_JECHT
 
diff --git a/src/mainboard/google/kahlee/Kconfig b/src/mainboard/google/kahlee/Kconfig
index 22925f4..fe23206 100644
--- a/src/mainboard/google/kahlee/Kconfig
+++ b/src/mainboard/google/kahlee/Kconfig
@@ -30,7 +30,6 @@
 	select GFXUMA
 	select GOOGLE_SMBIOS_MAINBOARD_VERSION
 	select MAINBOARD_HAS_CHROMEOS
-	select MAINBOARD_HAS_LPC_TPM if BOARD_GOOGLE_KAHLEE
 	select SERIRQ_CONTINUOUS_MODE
 	select STONEYRIDGE_UART
 	select SOC_AMD_PSP_SELECTABLE_SMU_FW
@@ -103,22 +102,14 @@
 	int
 	default 1
 
-# Select this option to enable use of cr50 I2C TPM on kahlee
-config KAHLEE_USE_I2C_TPM
-	bool
-	default y if !BOARD_GOOGLE_KAHLEE
-	select I2C_TPM
-	select MAINBOARD_HAS_I2C_TPM_CR50
-	select TPM2
-
 config DRIVER_TPM_I2C_BUS
 	hex
-	depends on KAHLEE_USE_I2C_TPM
+	depends on TPM2
 	default 0x01
 
 config DRIVER_TPM_I2C_ADDR
 	hex
-	depends on KAHLEE_USE_I2C_TPM
+	depends on TPM2
 	default 0x50
 
 config GRUNT_AUDIO
@@ -128,4 +119,16 @@
 	select DRIVERS_GENERIC_MAX98357A
 	select DRIVERS_I2C_DA7219
 
+config GRUNT_TPM
+	bool
+	default y if !BOARD_GOOGLE_KAHLEE
+	select MAINBOARD_HAS_I2C_TPM_CR50
+	select MAINBOARD_HAS_TPM2
+
+config KAHLEE_TPM
+	bool
+	default y if !BOARD_GOOGLE_GRUNT
+	select MAINBOARD_HAS_LPC_TPM
+	select MAINBOARD_HAS_TPM1
+
 endif # BOARD_GOOGLE_BASEBOARD_KAHLEE
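Review bot: `KAHLEE_TPM` defaults on `if !BOARD_GOOGLE_GRUNT`, whereas the line it replaces near the top of this file selected the LPC TPM only `if BOARD_GOOGLE_KAHLEE`; combined with `GRUNT_TPM` defaulting on `if !BOARD_GOOGLE_KAHLEE`, any further board under this baseboard would enable both symbols and select LPC and I2C TPM together with MAINBOARD_HAS_TPM1 and MAINBOARD_HAS_TPM2 at once. Keeping the original polarity, `default y if BOARD_GOOGLE_KAHLEE`, avoids that, and a short help text on each of the two new symbols should name the variants they are for.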
diff --git a/src/mainboard/google/kahlee/bootblock/bootblock.c b/src/mainboard/google/kahlee/bootblock/bootblock.c
index 577c105..3debed7 100644
--- a/src/mainboard/google/kahlee/bootblock/bootblock.c
+++ b/src/mainboard/google/kahlee/bootblock/bootblock.c
@@ -44,8 +44,8 @@
 	sb_tpm_decode_spi();
 
 	/* Configure cr50 interrupt pin for use in polling tpm status */
-	if (IS_ENABLED(CONFIG_MAINBOARD_HAS_TPM_CR50)) {
-		const uint32_t flags = GPIO_EDGE_TRIG | GPIO_ACTIVE_LOW |
+	if (IS_ENABLED(CONFIG_TPM_CR50)) {
+		const uint32_t flags = GPIO_EDGEL_TRIG | GPIO_ACTIVE_LOW |
 					GPIO_INT_STATUS_EN;
 		gpio_set_interrupt(H1_PCH_INT, flags);
 	}
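Review bot: The rename `GPIO_EDGE_TRIG` to `GPIO_EDGEL_TRIG` on the second changed line is a GPIO flag change unrelated to the TPM stack and is not mentioned in the commit message; I cannot tell from this diff which name the SoC header defines, so either split it into its own change or add a sentence to the description explaining it. The `CONFIG_TPM_CR50` symbol the hunk now tests is presumably declared in the added src/security/tpm/tss/vendor/cr50/Kconfig, which is outside what is shown here. The enclosing function starts before this hunk.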
diff --git a/src/mainboard/google/lars/Kconfig b/src/mainboard/google/lars/Kconfig
index fdcc7ab..e9c27be 100644
--- a/src/mainboard/google/lars/Kconfig
+++ b/src/mainboard/google/lars/Kconfig
@@ -19,6 +19,7 @@
 	select HAVE_SMI_HANDLER
 	select MAINBOARD_HAS_CHROMEOS
 	select MAINBOARD_HAS_LPC_TPM
+	select MAINBOARD_HAS_TPM1
 	select SOC_INTEL_SKYLAKE
 	select SYSTEM_TYPE_LAPTOP
 
diff --git a/src/mainboard/google/link/Kconfig b/src/mainboard/google/link/Kconfig
index 32f9fb6..b7f0c77 100644
--- a/src/mainboard/google/link/Kconfig
+++ b/src/mainboard/google/link/Kconfig
@@ -13,6 +13,7 @@
 	select HAVE_ACPI_RESUME
 	select MAINBOARD_HAS_CHROMEOS
 	select MAINBOARD_HAS_LPC_TPM
+	select MAINBOARD_HAS_TPM1
 	select SERIRQ_CONTINUOUS_MODE
 	select MAINBOARD_HAS_NATIVE_VGA_INIT
 	select HAVE_LINEAR_FRAMEBUFFER if MAINBOARD_DO_NATIVE_VGA_INIT
diff --git a/src/mainboard/google/link/romstage.c b/src/mainboard/google/link/romstage.c
index a1bbe34..cc2ef22 100644
--- a/src/mainboard/google/link/romstage.c
+++ b/src/mainboard/google/link/romstage.c
@@ -36,7 +36,7 @@
 #include <arch/cpu.h>
 #include <cpu/x86/msr.h>
 #include <halt.h>
-#include <security/tpm/tis.h>
+#include <security/tpm/tspi.h>
 #include <cbfs.h>
 
 #include <southbridge/intel/bd82x6x/chip.h>
diff --git a/src/mainboard/google/oak/Kconfig b/src/mainboard/google/oak/Kconfig
index bab142b..5ee2e5b 100644
--- a/src/mainboard/google/oak/Kconfig
+++ b/src/mainboard/google/oak/Kconfig
@@ -23,6 +23,7 @@
 	default y if BOARD_GOOGLE_ROWAN
 	default n
 	select MAINBOARD_HAS_I2C_TPM_CR50
+	select MAINBOARD_HAS_TPM2
 
 config BOARD_SPECIFIC_OPTIONS
 	def_bool y
diff --git a/src/mainboard/google/octopus/Kconfig b/src/mainboard/google/octopus/Kconfig
index 3254ec6..aad4917 100644
--- a/src/mainboard/google/octopus/Kconfig
+++ b/src/mainboard/google/octopus/Kconfig
@@ -12,11 +12,11 @@
 	select EC_GOOGLE_CHROMEEC
 	select EC_GOOGLE_CHROMEEC_BOARDID
 	select EC_GOOGLE_CHROMEEC_LPC
-	select HAS_TPM if !VBOOT_MOCK_SECDATA
 	select HAVE_ACPI_RESUME
 	select HAVE_ACPI_TABLES
 	select MAINBOARD_HAS_CHROMEOS
 	select SOC_ESPI
+	select MAINBOARD_HAS_SPI_TPM_CR50
 
 if BOARD_GOOGLE_BASEBOARD_OCTOPUS
 
@@ -67,14 +67,6 @@
 	default "PHASER TEST 7167" if BOARD_GOOGLE_PHASER
 	default "OCTOPUS TEST 6859" if BOARD_GOOGLE_OCTOPUS
 
-config HAS_TPM
-	bool
-	default n
-	select MAINBOARD_HAS_SPI_TPM_CR50
-	select MAINBOARD_HAS_TPM2
-	select SPI_TPM
-	select TPM2
-
 config MAX_CPUS
 	int
 	default 4
diff --git a/src/mainboard/google/parrot/Kconfig b/src/mainboard/google/parrot/Kconfig
index fa45e4a..50f28e7 100644
--- a/src/mainboard/google/parrot/Kconfig
+++ b/src/mainboard/google/parrot/Kconfig
@@ -13,6 +13,7 @@
 	select HAVE_ACPI_RESUME
 	select MAINBOARD_HAS_CHROMEOS
 	select MAINBOARD_HAS_LPC_TPM
+	select MAINBOARD_HAS_TPM1
 	select INTEL_INT15
 	# Workaround for EC/KBC IRQ1.
 	select SERIRQ_CONTINUOUS_MODE
diff --git a/src/mainboard/google/parrot/romstage.c b/src/mainboard/google/parrot/romstage.c
index 12c1114..30fa7c2 100644
--- a/src/mainboard/google/parrot/romstage.c
+++ b/src/mainboard/google/parrot/romstage.c
@@ -36,7 +36,7 @@
 #include <cpu/x86/msr.h>
 #include <halt.h>
 #include <cbfs.h>
-#include <security/tpm/tis.h>
+#include <security/tpm/tspi.h>
 #include "ec/compal/ene932/ec.h"
 
 void pch_enable_lpc(void)
diff --git a/src/mainboard/google/poppy/Kconfig b/src/mainboard/google/poppy/Kconfig
index 8cd636d..8df7c53 100644
--- a/src/mainboard/google/poppy/Kconfig
+++ b/src/mainboard/google/poppy/Kconfig
@@ -33,15 +33,15 @@
 	default "variants/baseboard/devicetree.cb"
 
 config DRIVER_TPM_I2C_BUS
-	depends on VARIANT_HAS_I2C_TPM
+	depends on MAINBOARD_HAS_I2C_TPM_CR50
 	default 0x1
 
 config DRIVER_TPM_I2C_ADDR
-	depends on VARIANT_HAS_I2C_TPM
+	depends on MAINBOARD_HAS_I2C_TPM_CR50
 	default 0x50
 
 config DRIVER_TPM_SPI_BUS
-	depends on VARIANT_HAS_SPI_TPM
+	depends on MAINBOARD_HAS_SPI_TPM_CR50
 	default 0x1
 
 config GBB_HWID
@@ -124,27 +124,11 @@
 	default "nocturne" if BOARD_GOOGLE_NOCTURNE
 	default "soraka" if BOARD_GOOGLE_SORAKA
 
-# Select this option to enable use of cr50 I2C TPM on the variant.
-config VARIANT_HAS_I2C_TPM
-	bool
-	default n
-	select I2C_TPM
-	select MAINBOARD_HAS_I2C_TPM_CR50
-	select TPM2
-
 # Select this option to enable camera ACPI support on the variant.
 config VARIANT_HAS_CAMERA_ACPI
 	bool
 	default n
 
-# Select this option to enable use of cr50 SPI TPM on the variant.
-config VARIANT_HAS_SPI_TPM
-	bool
-	default n
-	select MAINBOARD_HAS_SPI_TPM_CR50
-	select SPI_TPM
-	select TPM2
-
 config VARIANT_SPECIFIC_OPTIONS_ATLAS
 	def_bool n
 	select CHROMEOS_WIFI_SAR if CHROMEOS
@@ -153,14 +137,16 @@
 	select DRIVERS_PS2_KEYBOARD
 	select DRIVERS_SPI_ACPI
 	select EXCLUDE_NATIVE_SD_INTERFACE
-	select VARIANT_HAS_SPI_TPM if !VBOOT_MOCK_SECDATA
+	select MAINBOARD_HAS_SPI_TPM_CR50
+	select MAINBOARD_HAS_TPM2
 
 config VARIANT_SPECIFIC_OPTIONS_POPPY
 	def_bool n
 	select DRIVERS_I2C_MAX98927
 	select NO_FADT_8042
 	select VARIANT_HAS_CAMERA_ACPI
-	select VARIANT_HAS_I2C_TPM if !VBOOT_MOCK_SECDATA
+	select MAINBOARD_HAS_I2C_TPM_CR50
+	select MAINBOARD_HAS_TPM2
 
 config VARIANT_SPECIFIC_OPTIONS_NAMI
 	def_bool n
@@ -169,7 +155,8 @@
 	select DRIVERS_PS2_KEYBOARD
 	select DRIVERS_SPI_ACPI
 	select EXCLUDE_NATIVE_SD_INTERFACE
-	select VARIANT_HAS_SPI_TPM if !VBOOT_MOCK_SECDATA
+	select MAINBOARD_HAS_SPI_TPM_CR50
+	select MAINBOARD_HAS_TPM2
 
 config VARIANT_SPECIFIC_OPTIONS_NAUTILUS
 	def_bool n
@@ -178,7 +165,8 @@
 	select DRIVERS_I2C_DA7219
 	select DRIVERS_PS2_KEYBOARD
 	select VARIANT_HAS_CAMERA_ACPI
-	select VARIANT_HAS_I2C_TPM if !VBOOT_MOCK_SECDATA
+	select MAINBOARD_HAS_I2C_TPM_CR50
+	select MAINBOARD_HAS_TPM2
 
 config VARIANT_SPECIFIC_OPTIONS_NOCTURNE
 	def_bool n
@@ -187,14 +175,16 @@
 	select DRIVERS_I2C_DA7219
 	select DRIVERS_SPI_ACPI
 	select EXCLUDE_NATIVE_SD_INTERFACE
-	select VARIANT_HAS_SPI_TPM if !VBOOT_MOCK_SECDATA
+	select MAINBOARD_HAS_SPI_TPM_CR50
+	select MAINBOARD_HAS_TPM2
 
 config VARIANT_SPECIFIC_OPTIONS_SORAKA
 	def_bool n
 	select DRIVERS_I2C_MAX98927
 	select NO_FADT_8042
 	select VARIANT_HAS_CAMERA_ACPI
-	select VARIANT_HAS_I2C_TPM if !VBOOT_MOCK_SECDATA
+	select MAINBOARD_HAS_I2C_TPM_CR50
+	select MAINBOARD_HAS_TPM2
 
 config VBOOT
 	select EC_GOOGLE_CHROMEEC_SWITCHES
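Review bot: The new `select MAINBOARD_HAS_SPI_TPM_CR50` / `select MAINBOARD_HAS_I2C_TPM_CR50` plus `select MAINBOARD_HAS_TPM2` lines in the VARIANT_SPECIFIC_OPTIONS_* blocks drop the `if !VBOOT_MOCK_SECDATA` condition the removed `select VARIANT_HAS_*_TPM` lines carried, so every variant (atlas, poppy, nami, nautilus, nocturne, soraka) now forces the cr50 TPM and the TPM2 stack on even in a mock-secdata build. If that is intentional because a MAINBOARD_HAS_* symbol should describe the hardware rather than a build choice, a sentence in the commit message would make that clear; otherwise `select MAINBOARD_HAS_TPM2 if !VBOOT_MOCK_SECDATA` keeps the previous behaviour. The same pattern repeats in each of the variant hunks above, so the fix applies to all of them.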
diff --git a/src/mainboard/google/rambi/Kconfig b/src/mainboard/google/rambi/Kconfig
index 3db8ac6..440276d 100644
--- a/src/mainboard/google/rambi/Kconfig
+++ b/src/mainboard/google/rambi/Kconfig
@@ -10,6 +10,7 @@
 	select HAVE_ACPI_RESUME
 	select MAINBOARD_HAS_CHROMEOS
 	select MAINBOARD_HAS_LPC_TPM
+	select MAINBOARD_HAS_TPM1
 	select SYSTEM_TYPE_LAPTOP if !BOARD_GOOGLE_NINJA && !BOARD_GOOGLE_SUMO
 
 if BOARD_GOOGLE_BASEBOARD_RAMBI
diff --git a/src/mainboard/google/reef/Kconfig b/src/mainboard/google/reef/Kconfig
index bea7fd0..9214421 100644
--- a/src/mainboard/google/reef/Kconfig
+++ b/src/mainboard/google/reef/Kconfig
@@ -13,10 +13,9 @@
 	select EC_GOOGLE_CHROMEEC_LPC
 	select HAVE_ACPI_RESUME
 	select HAVE_ACPI_TABLES
-	select I2C_TPM
 	select MAINBOARD_HAS_CHROMEOS
 	select MAINBOARD_HAS_I2C_TPM_CR50
-	select TPM2
+	select MAINBOARD_HAS_TPM2
 	select GOOGLE_SMBIOS_MAINBOARD_VERSION
 	select DRIVERS_INTEL_WIFI
 	select USE_SAR
diff --git a/src/mainboard/google/slippy/Kconfig b/src/mainboard/google/slippy/Kconfig
index 392333a..c43b713 100644
--- a/src/mainboard/google/slippy/Kconfig
+++ b/src/mainboard/google/slippy/Kconfig
@@ -13,6 +13,7 @@
 	select HAVE_SMI_HANDLER
 	select MAINBOARD_HAS_CHROMEOS
 	select MAINBOARD_HAS_LPC_TPM
+	select MAINBOARD_HAS_TPM1
 	select INTEL_INT15
 	select MAINBOARD_HAS_LIBGFXINIT
 
diff --git a/src/mainboard/google/stout/Kconfig b/src/mainboard/google/stout/Kconfig
index eca4eae..ebec5a5 100644
--- a/src/mainboard/google/stout/Kconfig
+++ b/src/mainboard/google/stout/Kconfig
@@ -14,6 +14,7 @@
 	select HAVE_ACPI_RESUME
 	select MAINBOARD_HAS_CHROMEOS
 	select MAINBOARD_HAS_LPC_TPM
+	select MAINBOARD_HAS_TPM1
 	select INTEL_INT15
 	select SANDYBRIDGE_IVYBRIDGE_LVDS
 
diff --git a/src/mainboard/google/stout/romstage.c b/src/mainboard/google/stout/romstage.c
index 4f7f869..9ad03f7 100644
--- a/src/mainboard/google/stout/romstage.c
+++ b/src/mainboard/google/stout/romstage.c
@@ -36,7 +36,7 @@
 #include <cpu/x86/msr.h>
 #include <halt.h>
 #include <bootmode.h>
-#include <security/tpm/tis.h>
+#include <security/tpm/tspi.h>
 #include <cbfs.h>
 #include <ec/quanta/it8518/ec.h>
 #include "ec.h"
diff --git a/src/mainboard/google/zoombini/Kconfig b/src/mainboard/google/zoombini/Kconfig
index 78ef386..d28f662 100644
--- a/src/mainboard/google/zoombini/Kconfig
+++ b/src/mainboard/google/zoombini/Kconfig
@@ -97,17 +97,15 @@
 config ZOOMBINI_USE_I2C_TPM
 	bool
 	default n
-	select I2C_TPM
 	select MAINBOARD_HAS_I2C_TPM_CR50
-	select TPM2
+	select MAINBOARD_HAS_TPM2
 
 # Select this option to enable use of cr50 SPI TPM on zoombini.
 config ZOOMBINI_USE_SPI_TPM
 	bool
 	default y
 	select MAINBOARD_HAS_SPI_TPM_CR50
-	select SPI_TPM
-	select TPM2
+	select MAINBOARD_HAS_TPM2
 
 config TPM_TIS_ACPI_INTERRUPT
 	int
diff --git a/src/mainboard/hp/8460p/Kconfig b/src/mainboard/hp/8460p/Kconfig
index 13d029f..1486659 100644
--- a/src/mainboard/hp/8460p/Kconfig
+++ b/src/mainboard/hp/8460p/Kconfig
@@ -30,6 +30,7 @@
 	select USE_NATIVE_RAMINIT
 	select MAINBOARD_HAS_LIBGFXINIT
 	select MAINBOARD_HAS_LPC_TPM
+	select MAINBOARD_HAS_TPM1
 	select GFX_GMA_INTERNAL_IS_LVDS
 	select EC_HP_KBC1126
 	select SUPERIO_SMSC_LPC47N217
diff --git a/src/mainboard/hp/revolve_810_g1/Kconfig b/src/mainboard/hp/revolve_810_g1/Kconfig
index 1d79ce4..7816da5 100644
--- a/src/mainboard/hp/revolve_810_g1/Kconfig
+++ b/src/mainboard/hp/revolve_810_g1/Kconfig
@@ -15,6 +15,7 @@
 	select SYSTEM_TYPE_LAPTOP
 	select USE_NATIVE_RAMINIT
 	select MAINBOARD_HAS_LPC_TPM
+	select MAINBOARD_HAS_TPM1
 	select GENERIC_SPD_BIN
 	select HAVE_OPTION_TABLE
 	select HAVE_CMOS_DEFAULT
diff --git a/src/mainboard/intel/emeraldlake2/romstage.c b/src/mainboard/intel/emeraldlake2/romstage.c
index 24c4b56..d23541f 100644
--- a/src/mainboard/intel/emeraldlake2/romstage.c
+++ b/src/mainboard/intel/emeraldlake2/romstage.c
@@ -36,7 +36,7 @@
 #include <arch/cpu.h>
 #include <cpu/x86/msr.h>
 #include <halt.h>
-#include <security/tpm/tis.h>
+#include <security/tpm/tspi.h>
 
 #define SIO_PORT 0x164e
 
diff --git a/src/mainboard/intel/galileo/Kconfig b/src/mainboard/intel/galileo/Kconfig
index edea30f..87f82bc 100644
--- a/src/mainboard/intel/galileo/Kconfig
+++ b/src/mainboard/intel/galileo/Kconfig
@@ -22,6 +22,8 @@
 	select ENABLE_BUILTIN_HSUART1
 	select HAVE_ACPI_TABLES
 	select SOC_INTEL_QUARK
+	select MAINBOARD_HAS_I2C_TPM_ATMEL
+	select MAINBOARD_HAS_TPM2
 
 config MAINBOARD_DIR
 	string
@@ -152,8 +154,6 @@
 	bool "Verified boot using the Crypto Shield board"
 	default n
 	select COLLECT_TIMESTAMPS
-	select I2C_TPM
-	select MAINBOARD_HAS_I2C_TPM_ATMEL
 	select VBOOT_SEPARATE_VERSTAGE
 	select VBOOT
 	select VBOOT_STARTS_IN_BOOTBLOCK
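Review bot: `MAINBOARD_HAS_I2C_TPM_ATMEL` and `MAINBOARD_HAS_TPM2` are now selected for every Galileo build (first hunk of this file), whereas before the Atmel TPM was only pulled in by the "Verified boot using the Crypto Shield board" option this hunk strips it from, which presumably reflects that the TPM sits on the add-on shield rather than on the base board. A Galileo without the shield will now compile the I2C TPM driver and TPM2 stack and, on boards that call tpm_setup(), fail TPM init at runtime with POST_TPM_FAILURE. Keeping both selects on the Crypto Shield option, or qualifying them with `if` on that option's symbol, preserves the previous scope.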
diff --git a/src/mainboard/intel/glkrvp/Kconfig b/src/mainboard/intel/glkrvp/Kconfig
index 3451640..eb6d595 100644
--- a/src/mainboard/intel/glkrvp/Kconfig
+++ b/src/mainboard/intel/glkrvp/Kconfig
@@ -10,7 +10,6 @@
 	select HAVE_ACPI_TABLES
 	select MAINBOARD_HAS_CHROMEOS
 	select MAINBOARD_HAS_LPC_TPM
-	select MAINBOARD_HAS_TPM2
 	select DRIVERS_GENERIC_MAX98357A
 	select DRIVERS_I2C_DA7219
 	select SOC_ESPI
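Review bot: Dropping `select MAINBOARD_HAS_TPM2` while keeping `MAINBOARD_HAS_LPC_TPM` leaves this board with neither MAINBOARD_HAS_TPM1 nor MAINBOARD_HAS_TPM2 set, so the new "Trusted Platform Module" choice in src/security/tpm/Kconfig is shown for it and defaults to `USER_NO_TPM`. For a MAINBOARD_HAS_CHROMEOS board that previously always built with TPM2, a default build now contains no TPM stack at all, which vboot's secdata handling presumably does not expect — confirm this is intended, or keep `select MAINBOARD_HAS_TPM2`. The kblrvp hunk below ends up in the same default-disabled state once its TPM choice block is removed.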
diff --git a/src/mainboard/intel/kblrvp/Kconfig b/src/mainboard/intel/kblrvp/Kconfig
index bbeb129..aed8297 100644
--- a/src/mainboard/intel/kblrvp/Kconfig
+++ b/src/mainboard/intel/kblrvp/Kconfig
@@ -14,33 +14,11 @@
 	select MAINBOARD_USES_FSP2_0
 	select MAINBOARD_HAS_CHROMEOS
 	select GENERIC_SPD_BIN
+	select MAINBOARD_HAS_LPC_TPM
 
 config VBOOT
 	select VBOOT_LID_SWITCH
 
-choice
-	prompt "TPM to USE"
-	default KBLRVP_TPM1_2
-	help
-	  This option allows you to select the TPM to use.
-	  Select whether the board does not have TPM, TPM 1.1 or TPM 2.0
-
-config KBLRVP_NO_TPM
-	bool "No TPM"
-	select VBOOT_MOCK_SECDATA if VBOOT
-
-config KBLRVP_TPM1_2
-	bool "TPM 1.1"
-	select MAINBOARD_HAS_LPC_TPM
-
-config KBLRVP_TPM2_0
-	bool "TPM 2.0"
-	select TPM2
-	select MAINBOARD_HAS_TPM2
-	select MAINBOARD_HAS_LPC_TPM
-
-endchoice
-
 config IRQ_SLOT_COUNT
 	int
 	default 18
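Review bot: Removing the `KBLRVP_NO_TPM` option also removes its `select VBOOT_MOCK_SECDATA if VBOOT`, and nothing in the replacement ties the new board-independent `USER_NO_TPM` choice to VBOOT_MOCK_SECDATA. A VBOOT build that selects no TPM therefore no longer gets mock secdata automatically, which presumably changes or breaks vboot behaviour on this board; either `USER_NO_TPM` in src/security/tpm/Kconfig should carry `select VBOOT_MOCK_SECDATA if VBOOT`, or the commit message should state that the no-TPM configuration is no longer supported here. The removed `KBLRVP_TPM2_0` entry also selected TPM2 explicitly, and after this change a user has to pick "2.0" in the new choice to get it, which deserves a line in the description.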
diff --git a/src/mainboard/lenovo/s230u/Kconfig b/src/mainboard/lenovo/s230u/Kconfig
index f724784..2c579b0 100644
--- a/src/mainboard/lenovo/s230u/Kconfig
+++ b/src/mainboard/lenovo/s230u/Kconfig
@@ -17,6 +17,7 @@
 	select SANDYBRIDGE_IVYBRIDGE_LVDS
 	select SERIRQ_CONTINUOUS_MODE
 	select MAINBOARD_HAS_LPC_TPM
+	select MAINBOARD_HAS_TPM1
 	select GENERIC_SPD_BIN
 
 config HAVE_IFD_BIN
diff --git a/src/mainboard/lenovo/t420/Kconfig b/src/mainboard/lenovo/t420/Kconfig
index c0b4752..1ee0b97 100644
--- a/src/mainboard/lenovo/t420/Kconfig
+++ b/src/mainboard/lenovo/t420/Kconfig
@@ -20,6 +20,7 @@
 	select ENABLE_VMX
 	select DRIVERS_RICOH_RCE822
 	select MAINBOARD_HAS_LPC_TPM
+	select MAINBOARD_HAS_TPM1
 	select MAINBOARD_HAS_LIBGFXINIT
 	select GFX_GMA_INTERNAL_IS_LVDS
 	select DRIVERS_LENOVO_HYBRID_GRAPHICS
diff --git a/src/mainboard/lenovo/t420s/Kconfig b/src/mainboard/lenovo/t420s/Kconfig
index 08052b1..8b6c0fe 100644
--- a/src/mainboard/lenovo/t420s/Kconfig
+++ b/src/mainboard/lenovo/t420s/Kconfig
@@ -18,6 +18,7 @@
 	select INTEL_INT15
 	select SANDYBRIDGE_IVYBRIDGE_LVDS
 	select MAINBOARD_HAS_LPC_TPM
+	select MAINBOARD_HAS_TPM1
 	select DRIVERS_LENOVO_HYBRID_GRAPHICS
 
 	# Workaround for EC/KBC IRQ1.
diff --git a/src/mainboard/lenovo/t430/Kconfig b/src/mainboard/lenovo/t430/Kconfig
index a621fdb..0d7d966 100644
--- a/src/mainboard/lenovo/t430/Kconfig
+++ b/src/mainboard/lenovo/t430/Kconfig
@@ -13,6 +13,7 @@
 	select HAVE_OPTION_TABLE
 	select HAVE_CMOS_DEFAULT
 	select MAINBOARD_HAS_LPC_TPM
+	select MAINBOARD_HAS_TPM1
 	select INTEL_INT15
 	select NORTHBRIDGE_INTEL_IVYBRIDGE
 	select SANDYBRIDGE_IVYBRIDGE_LVDS
diff --git a/src/mainboard/lenovo/t430s/Kconfig b/src/mainboard/lenovo/t430s/Kconfig
index f45fb0d..2f0c976 100644
--- a/src/mainboard/lenovo/t430s/Kconfig
+++ b/src/mainboard/lenovo/t430s/Kconfig
@@ -19,6 +19,7 @@
 	select SANDYBRIDGE_IVYBRIDGE_LVDS
 	select ENABLE_VMX
 	select MAINBOARD_HAS_LPC_TPM
+	select MAINBOARD_HAS_TPM1
 	select MAINBOARD_HAS_LIBGFXINIT
 	select GFX_GMA_INTERNAL_IS_LVDS
 
diff --git a/src/mainboard/lenovo/t520/Kconfig b/src/mainboard/lenovo/t520/Kconfig
index 2adfa33..afc174c 100644
--- a/src/mainboard/lenovo/t520/Kconfig
+++ b/src/mainboard/lenovo/t520/Kconfig
@@ -16,6 +16,7 @@
 	select INTEL_INT15
 	select SANDYBRIDGE_IVYBRIDGE_LVDS
 	select MAINBOARD_HAS_LPC_TPM
+	select MAINBOARD_HAS_TPM1
 	select DRIVERS_LENOVO_HYBRID_GRAPHICS
 
 	# Workaround for EC/KBC IRQ1.
diff --git a/src/mainboard/lenovo/t530/Kconfig b/src/mainboard/lenovo/t530/Kconfig
index 065fd3c..de867c2 100644
--- a/src/mainboard/lenovo/t530/Kconfig
+++ b/src/mainboard/lenovo/t530/Kconfig
@@ -19,8 +19,8 @@
 	select SANDYBRIDGE_IVYBRIDGE_LVDS
 	select ENABLE_VMX
 	select MAINBOARD_HAS_LPC_TPM
+	select MAINBOARD_HAS_TPM1
 	select DRIVERS_LENOVO_HYBRID_GRAPHICS
-
 	# Workaround for EC/KBC IRQ1.
 	select SERIRQ_CONTINUOUS_MODE
 
diff --git a/src/mainboard/lenovo/x131e/Kconfig b/src/mainboard/lenovo/x131e/Kconfig
index 2341d90..3cf3078 100644
--- a/src/mainboard/lenovo/x131e/Kconfig
+++ b/src/mainboard/lenovo/x131e/Kconfig
@@ -18,6 +18,7 @@
 	select INTEL_INT15
 	select SANDYBRIDGE_IVYBRIDGE_LVDS
 	select MAINBOARD_HAS_LPC_TPM
+	select MAINBOARD_HAS_TPM1
 	select MAINBOARD_HAS_LIBGFXINIT
 	select GFX_GMA_INTERNAL_IS_LVDS
 	select SERIRQ_CONTINUOUS_MODE
diff --git a/src/mainboard/lenovo/x1_carbon_gen1/Kconfig b/src/mainboard/lenovo/x1_carbon_gen1/Kconfig
index 4f9d7fb..abd3dc3 100644
--- a/src/mainboard/lenovo/x1_carbon_gen1/Kconfig
+++ b/src/mainboard/lenovo/x1_carbon_gen1/Kconfig
@@ -19,6 +19,7 @@
 	select SANDYBRIDGE_IVYBRIDGE_LVDS
 	select DRIVERS_RICOH_RCE822
 	select MAINBOARD_HAS_LPC_TPM
+	select MAINBOARD_HAS_TPM1
 	select MAINBOARD_HAS_LIBGFXINIT
 	select GFX_GMA_INTERNAL_IS_LVDS
 
diff --git a/src/mainboard/lenovo/x201/Kconfig b/src/mainboard/lenovo/x201/Kconfig
index ba590eb..2351209 100644
--- a/src/mainboard/lenovo/x201/Kconfig
+++ b/src/mainboard/lenovo/x201/Kconfig
@@ -18,6 +18,7 @@
 	select SUPERIO_NSC_PC87382
 	select DRIVERS_LENOVO_WACOM
 	select MAINBOARD_HAS_LPC_TPM
+	select MAINBOARD_HAS_TPM1
 
 config MAINBOARD_DIR
 	string
diff --git a/src/mainboard/lenovo/x201/romstage.c b/src/mainboard/lenovo/x201/romstage.c
index 029c5e5..1169a6ca 100644
--- a/src/mainboard/lenovo/x201/romstage.c
+++ b/src/mainboard/lenovo/x201/romstage.c
@@ -35,7 +35,7 @@
 #include <timestamp.h>
 #include <arch/acpi.h>
 #include <cbmem.h>
-#include <security/tpm/tis.h>
+#include <security/tpm/tspi.h>
 
 #include "dock.h"
 #include "arch/early_variables.h"
@@ -284,7 +284,6 @@
 	if (!s3resume)
 		quick_ram_check();
 
-#if IS_ENABLED(CONFIG_LPC_TPM)
-	init_tpm(s3resume);
-#endif
+	if (IS_ENABLED(CONFIG_TPM1) || IS_ENABLED(CONFIG_TPM2))
+		tpm_setup(s3resume);
 }
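Review bot: The return value of `tpm_setup(s3resume)` is discarded, and unlike the removed `init_tpm()` call nothing in the visible change consults `TPM_INIT_FAILURE_IS_FATAL`, which src/security/tpm/Kconfig still defines with the help text "force a hard reset" — tpm_setup() in tspi/tspi.c only logs and posts POST_TPM_FAILURE, so a board with that option set silently loses the reset-on-failure behaviour. The same call pattern appears in the apu2 and sandybridge romstage hunks of this change. If the reset is meant to move into tpm_setup(), it is missing from tspi.c; otherwise the Kconfig option should be dropped rather than kept as a no-op. The enclosing romstage function starts outside this hunk.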
diff --git a/src/mainboard/lenovo/x220/Kconfig b/src/mainboard/lenovo/x220/Kconfig
index 73fb860..93c6733 100644
--- a/src/mainboard/lenovo/x220/Kconfig
+++ b/src/mainboard/lenovo/x220/Kconfig
@@ -18,6 +18,7 @@
 	select SANDYBRIDGE_IVYBRIDGE_LVDS
 	select DRIVERS_RICOH_RCE822
 	select MAINBOARD_HAS_LPC_TPM
+	select MAINBOARD_HAS_TPM1
 	select MAINBOARD_HAS_LIBGFXINIT
 	select GFX_GMA_INTERNAL_IS_LVDS
 
diff --git a/src/mainboard/lenovo/x230/Kconfig b/src/mainboard/lenovo/x230/Kconfig
index 39af0e3..f0856d2 100644
--- a/src/mainboard/lenovo/x230/Kconfig
+++ b/src/mainboard/lenovo/x230/Kconfig
@@ -19,6 +19,7 @@
 	select SANDYBRIDGE_IVYBRIDGE_LVDS
 	select DRIVERS_RICOH_RCE822
 	select MAINBOARD_HAS_LPC_TPM
+	select MAINBOARD_HAS_TPM1
 	select MAINBOARD_HAS_LIBGFXINIT
 	select GFX_GMA_INTERNAL_IS_LVDS
 
diff --git a/src/mainboard/pcengines/apu2/Kconfig b/src/mainboard/pcengines/apu2/Kconfig
index f9a87dd..af14066 100644
--- a/src/mainboard/pcengines/apu2/Kconfig
+++ b/src/mainboard/pcengines/apu2/Kconfig
@@ -31,8 +31,8 @@
 	select HUDSON_DISABLE_IMC
 	select USE_BLOBS
 	select GENERIC_SPD_BIN
-	select TPM
 	select MAINBOARD_HAS_LPC_TPM
+	select MAINBOARD_HAS_TPM1
 
 config MAINBOARD_DIR
 	string
diff --git a/src/mainboard/pcengines/apu2/romstage.c b/src/mainboard/pcengines/apu2/romstage.c
index c9984ca..093cad6 100644
--- a/src/mainboard/pcengines/apu2/romstage.c
+++ b/src/mainboard/pcengines/apu2/romstage.c
@@ -33,7 +33,7 @@
 #include <cpu/x86/lapic.h>
 #include <southbridge/amd/pi/hudson/hudson.h>
 #include <Fch/Fch.h>
-#include <security/tpm/tis.h>
+#include <security/tpm/tspi.h>
 
 #include "gpio_ftns.h"
 
@@ -103,7 +103,8 @@
 	post_code(0x41);
 	AGESAWRAPPER(amdinitenv);
 
-	init_tpm(false);
+	if (IS_ENABLED(CONFIG_TPM1) || IS_ENABLED(CONFIG_TPM2))
+		tpm_setup(false);
 
 	outb(0xEA, 0xCD6);
 	outb(0x1, 0xcd7);
diff --git a/src/mainboard/samsung/lumpy/Kconfig b/src/mainboard/samsung/lumpy/Kconfig
index 0c5fce4..80f5dab 100644
--- a/src/mainboard/samsung/lumpy/Kconfig
+++ b/src/mainboard/samsung/lumpy/Kconfig
@@ -6,6 +6,7 @@
 	select BOARD_ROMSIZE_KB_8192
 	select MAINBOARD_HAS_CHROMEOS
 	select MAINBOARD_HAS_LPC_TPM
+	select MAINBOARD_HAS_TPM1
 	select CPU_INTEL_SOCKET_RPGA989
 	select EC_SMSC_MEC1308
 	select HAVE_ACPI_RESUME
diff --git a/src/mainboard/samsung/lumpy/romstage.c b/src/mainboard/samsung/lumpy/romstage.c
index ce17068..912d2c3 100644
--- a/src/mainboard/samsung/lumpy/romstage.c
+++ b/src/mainboard/samsung/lumpy/romstage.c
@@ -28,7 +28,7 @@
 #include <cbmem.h>
 #include <console/console.h>
 #include <bootmode.h>
-#include <security/tpm/tis.h>
+#include <security/tpm/tspi.h>
 #include <northbridge/intel/sandybridge/sandybridge.h>
 #include <northbridge/intel/sandybridge/raminit.h>
 #include <northbridge/intel/sandybridge/raminit_native.h>
diff --git a/src/mainboard/samsung/stumpy/Kconfig b/src/mainboard/samsung/stumpy/Kconfig
index f12de6e..8742e5e 100644
--- a/src/mainboard/samsung/stumpy/Kconfig
+++ b/src/mainboard/samsung/stumpy/Kconfig
@@ -5,6 +5,7 @@
 	select BOARD_ROMSIZE_KB_8192
 	select MAINBOARD_HAS_CHROMEOS
 	select MAINBOARD_HAS_LPC_TPM
+	select MAINBOARD_HAS_TPM1
 	select CPU_INTEL_SOCKET_RPGA989
 	select HAVE_ACPI_RESUME
 	select HAVE_ACPI_TABLES
diff --git a/src/mainboard/samsung/stumpy/romstage.c b/src/mainboard/samsung/stumpy/romstage.c
index 1b5d2ae..2c5fe08 100644
--- a/src/mainboard/samsung/stumpy/romstage.c
+++ b/src/mainboard/samsung/stumpy/romstage.c
@@ -38,7 +38,7 @@
 #include <arch/cpu.h>
 #include <cpu/x86/msr.h>
 #include <halt.h>
-#include <security/tpm/tis.h>
+#include <security/tpm/tspi.h>
 #if IS_ENABLED(CONFIG_DRIVERS_UART_8250IO)
 #include <superio/smsc/lpc47n207/lpc47n207.h>
 #endif
diff --git a/src/northbridge/intel/sandybridge/romstage.c b/src/northbridge/intel/sandybridge/romstage.c
index 0426b83..61f5e4a 100644
--- a/src/northbridge/intel/sandybridge/romstage.c
+++ b/src/northbridge/intel/sandybridge/romstage.c
@@ -28,7 +28,7 @@
 #include <device/pci_def.h>
 #include <device/device.h>
 #include <halt.h>
-#include <security/tpm/tis.h>
+#include <security/tpm/tspi.h>
 #include <northbridge/intel/sandybridge/chip.h>
 #include "southbridge/intel/bd82x6x/pch.h"
 #include <southbridge/intel/common/gpio.h>
@@ -117,9 +117,8 @@
 
 	northbridge_romstage_finalize(s3resume);
 
-	if (IS_ENABLED(CONFIG_LPC_TPM)) {
-		init_tpm(s3resume);
-	}
+	if (IS_ENABLED(CONFIG_TPM1) || IS_ENABLED(CONFIG_TPM2))
+		tpm_setup(s3resume);
 
 	post_code(0x3f);
 }
diff --git a/src/security/tpm/Kconfig b/src/security/tpm/Kconfig
index 111f91a..c476c0f 100644
--- a/src/security/tpm/Kconfig
+++ b/src/security/tpm/Kconfig
@@ -1,6 +1,6 @@
 ## This file is part of the coreboot project.
 ##
-## Copyright (C) 2017 Philipp Deppenwiese, Facebook, Inc.
+## Copyright (C) 2018 Facebook Inc.
 ##
 ## This program is free software; you can redistribute it and/or modify
 ## it under the terms of the GNU General Public License as published by
@@ -12,58 +12,93 @@
 ## GNU General Public License for more details.
 ##
 
+source "src/security/tpm/tss/vendor/*/Kconfig"
+
 menu "Trusted Platform Module"
 
-config TPM
+config TPM1
 	bool
-	default n
-	select LPC_TPM if MAINBOARD_HAS_LPC_TPM
-	select I2C_TPM if !MAINBOARD_HAS_LPC_TPM && !SPI_TPM
-	help
-	  Enable this option to enable TPM support in coreboot.
-
-	  If unsure, say N.
+	default y if MAINBOARD_HAS_TPM1 || USER_TPM1
+	depends on MAINBOARD_HAS_LPC_TPM || MAINBOARD_HAS_I2C_TPM_GENERIC \
+						 || MAINBOARD_HAS_I2C_TPM_ATMEL
 
 config TPM2
 	bool
-	select LPC_TPM if MAINBOARD_HAS_LPC_TPM
-	select I2C_TPM if !MAINBOARD_HAS_LPC_TPM && !SPI_TPM
-	help
-	  Enable this option to enable TPM2 support in coreboot.
+	default y if MAINBOARD_HAS_TPM2 || USER_TPM2
+	depends on MAINBOARD_HAS_I2C_TPM_GENERIC || MAINBOARD_HAS_LPC_TPM \
+						 || MAINBOARD_HAS_I2C_TPM_ATMEL || MAINBOARD_HAS_I2C_TPM_CR50 \
+						 || MAINBOARD_HAS_SPI_TPM_CR50
+	select TPM_CR50 if MAINBOARD_HAS_SPI_TPM_CR50 || MAINBOARD_HAS_I2C_TPM_CR50
 
-	  If unsure, say N.
+config MAINBOARD_HAS_TPM1
+	bool
+
+config MAINBOARD_HAS_TPM2
+	bool
+
+if !MAINBOARD_HAS_TPM1 && !MAINBOARD_HAS_TPM2
+
+choice
+	prompt "Trusted Platform Module"
+	default USER_NO_TPM
+
+config USER_NO_TPM
+	bool "disabled"
+
+config USER_TPM1
+	bool "1.2"
+	depends on MAINBOARD_HAS_LPC_TPM || MAINBOARD_HAS_I2C_TPM_GENERIC \
+						 || MAINBOARD_HAS_I2C_TPM_ATMEL
+	help
+		Enable this option to enable TPM 1.0 - 1.2 support in coreboot.
+
+		If unsure, say N.
+
+config USER_TPM2
+	bool "2.0"
+	depends on MAINBOARD_HAS_I2C_TPM_GENERIC || MAINBOARD_HAS_LPC_TPM \
+						 || MAINBOARD_HAS_I2C_TPM_ATMEL || MAINBOARD_HAS_I2C_TPM_CR50 \
+						 || MAINBOARD_HAS_SPI_TPM_CR50
+	help
+		Enable this option to enable TPM 2.0 support in coreboot.
+
+		If unsure, say N.
+
+endchoice
+
+endif
+
+config TPM_INIT_FAILURE_IS_FATAL
+	bool
+	default n
+	depends on LPC_TPM
+	help
+	  What to do if TPM init failed. If true, force a hard reset,
+	  otherwise just log error message to console.
+
+config TPM_DEACTIVATE
+	bool "Deactivate TPM"
+	default n
+	depends on !VBOOT
+	depends on TPM1
+	help
+	  Deactivate TPM by issuing deactivate command.
 
 config DEBUG_TPM
 	bool "Output verbose TPM debug messages"
 	default n
-	depends on TPM || TPM2
+	select DRIVER_TPM_DISPLAY_TIS_BYTES if I2C_TPM
+	depends on TPM1 || TPM2
 	help
 	  This option enables additional TPM related debug messages.
 
-config MAINBOARD_HAS_TPM_CR50
-	bool
-	default y if MAINBOARD_HAS_SPI_TPM_CR50 || MAINBOARD_HAS_I2C_TPM_CR50
+config TPM_RDRESP_NEED_DELAY
+	bool "Enable Delay Workaround for TPM"
 	default n
-	select MAINBOARD_HAS_TPM2
-	select POWER_OFF_ON_CR50_UPDATE if ARCH_X86
-
-config POWER_OFF_ON_CR50_UPDATE
-	bool
+	depends on LPC_TPM
 	help
-	  Power off machine while waiting for CR50 update to take effect.
-
-config MAINBOARD_HAS_LPC_TPM
-	bool
-	default n
-	help
-	  Board has TPM support
-
-config MAINBOARD_HAS_TPM2
-	bool
-	default n
-	help
-	  There is a TPM device installed on the mainboard, and it is
-	  compliant with version 2 TCG TPM specification. Could be connected
-	  over LPC, SPI or I2C.
+	  Certain TPMs seem to need some delay when reading response
+	  to work around a race-condition-related issue, possibly
+	  caused by ill-programmed TPM firmware.
 
 endmenu # Trusted Platform Module (tpm)
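Review bot: Nothing in the new `TPM1` and `TPM2` definitions makes them mutually exclusive: both are `default y if MAINBOARD_HAS_TPMx || USER_TPMx`, and a board that selects both MAINBOARD_HAS_TPM1 and MAINBOARD_HAS_TPM2 (nothing forbids it) ends up with both stacks enabled, which in this change means two conflicting `tlcl_define_space` prototypes under `#if IS_ENABLED(CONFIG_TPM1)` / `#if IS_ENABLED(CONFIG_TPM2)` in tss.h and tspi/tspi.c listed twice in Makefile.inc. Adding `depends on !TPM2` to `config TPM1` is enough to rule the combination out in one direction. Two smaller points: the help text under USER_TPM1 and USER_TPM2 is indented with two tabs while the rest of the file uses a tab plus two spaces, and USER_TPM1's prompt says "1.2" while its help says "TPM 1.0 - 1.2".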
diff --git a/src/security/tpm/Makefile.inc b/src/security/tpm/Makefile.inc
index 2385635..2cc281e 100644
--- a/src/security/tpm/Makefile.inc
+++ b/src/security/tpm/Makefile.inc
@@ -1,14 +1,55 @@
+subdirs-$(CONFIG_TPM_CR50) += vendor/cr50
+
 ## TSS
 
-verstage-$(CONFIG_TPM) += tss/tcg-1.2/tss.c
-verstage-$(CONFIG_TPM2) += tss/tcg-2.0/tss_marshaling.c
-verstage-$(CONFIG_TPM2) += tss/tcg-2.0/tss.c
+ifeq ($(CONFIG_TPM1),y)
 
-ifeq ($(CONFIG_VBOOT_SEPARATE_VERSTAGE),y)
-romstage-$(CONFIG_TPM) += tss/tcg-1.2/tss.c
-romstage-$(CONFIG_TPM2) += tss/tcg-2.0/tss_marshaling.c
-romstage-$(CONFIG_TPM2) += tss/tcg-2.0/tss.c
-endif # CONFIG_VBOOT_SEPARATE_VERSTAGE
+ramstage-y += tss/tcg-1.2/tss.c
+romstage-y += tss/tcg-1.2/tss.c
 
-ramstage-$(CONFIG_TPM2) += tss/tcg-2.0/tss_marshaling.c
-ramstage-$(CONFIG_TPM2) += tss/tcg-2.0/tss.c
+verstage-$(CONFIG_VBOOT) += tss/tcg-1.2/tss.c
+postcar-$(CONFIG_VBOOT) += tss/tcg-1.2/tss.c
+
+## TSPI
+
+ramstage-y += tspi/tspi.c
+romstage-y += tspi/tspi.c
+
+verstage-$(CONFIG_VBOOT) += tspi/tspi.c
+postcar-$(CONFIG_VBOOT) += tspi/tspi.c
+
+endif # CONFIG_TPM1
+
+ifeq ($(CONFIG_TPM2),y)
+
+ramstage-y += tss/tcg-2.0/tss_marshaling.c
+ramstage-y += tss/tcg-2.0/tss.c
+
+romstage-y += tss/tcg-2.0/tss_marshaling.c
+romstage-y += tss/tcg-2.0/tss.c
+
+verstage-$(CONFIG_VBOOT) += tss/tcg-2.0/tss_marshaling.c
+verstage-$(CONFIG_VBOOT) += tss/tcg-2.0/tss.c
+
+postcar-$(CONFIG_VBOOT) += tss/tcg-2.0/tss_marshaling.c
+postcar-$(CONFIG_VBOOT) += tss/tcg-2.0/tss.c
+
+## TSPI
+
+ramstage-y += tspi/tspi.c
+romstage-y += tspi/tspi.c
+
+verstage-$(CONFIG_VBOOT) += tspi/tspi.c
+postcar-$(CONFIG_VBOOT) += tspi/tspi.c
+
+endif # CONFIG_TPM2
+
+ifeq ($(CONFIG_TPM_CR50),y)
+
+ramstage-y += tss/vendor/cr50/tss.c
+romstage-y += tss/vendor/cr50/tss.c
+
+verstage-$(CONFIG_VBOOT) += tss/vendor/cr50/tss.c
+postcar-$(CONFIG_VBOOT) += tss/vendor/cr50/tss.c
+
+endif # CONFIG_TPM_CR50
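Review bot: `subdirs-$(CONFIG_TPM_CR50) += vendor/cr50` points at src/security/tpm/vendor/cr50, while the cr50 source listed at the bottom of this hunk lives under `tss/vendor/cr50/` and the Kconfig hunk sources `src/security/tpm/tss/vendor/*/Kconfig`; unless a separate vendor/cr50 directory exists, the line should read `subdirs-$(CONFIG_TPM_CR50) += tss/vendor/cr50`. `tspi/tspi.c` is also added under both the TPM1 and TPM2 blocks, and src/security/tpm/Kconfig does not make the two symbols exclusive, so hoisting the four TSPI lines into a single block guarded on either symbol avoids a duplicate listing. Finally, the old file only built the TSS into romstage when VBOOT_SEPARATE_VERSTAGE was set, whereas the new one adds it to `romstage-y` unconditionally; that is presumably intended (the romstage hunks now call tpm_setup()) but is worth a sentence in the commit message.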
diff --git a/src/security/tpm/tis.h b/src/security/tpm/tis.h
index 6906ce3..c410838 100644
--- a/src/security/tpm/tis.h
+++ b/src/security/tpm/tis.h
@@ -88,8 +88,6 @@
 int tis_sendrecv(const u8 *sendbuf, size_t send_size, u8 *recvbuf,
 			size_t *recv_len);
 
-void init_tpm(int s3resume);
-
 /*
  * tis_plat_irq_status()
  *
diff --git a/src/security/tpm/tspi.h b/src/security/tpm/tspi.h
new file mode 100644
index 0000000..f591ca8
--- /dev/null
+++ b/src/security/tpm/tspi.h
@@ -0,0 +1,37 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright 2017 Facebook Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+
+#ifndef TSPI_H_
+#define TSPI_H_
+
+#include <security/tpm/tss.h>
+
+/**
+ * Ask vboot for a digest and extend a TPM PCR with it.
+ */
+uint32_t tpm_extend_pcr(int pcr, uint8_t *digest, uint8_t *out_digest);
+
+/**
+ * Issue a TPM_Clear and reenable/reactivate the TPM.
+ */
+uint32_t tpm_clear_and_reenable(void);
+
+/**
+ * Start the TPM and establish the root of trust.
+ */
+uint32_t tpm_setup(int s3flag);
+
+
+#endif  /* TSPI_H_ */
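Review bot: The doc comment on `tpm_extend_pcr` ("Ask vboot for a digest and extend a TPM PCR with it") does not describe the prototype under it, which receives the digest from the caller and, per tspi/tspi.c, only forwards it to tlcl_extend(). Suggested wording: `Extend PCR [pcr] with [digest]; [out_digest] may be NULL, otherwise it receives whatever tlcl_extend() returns through its last argument. The TPM error code is returned.` Since `digest` is never written, the parameter should also be `const uint8_t *digest`.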
diff --git a/src/security/tpm/tspi/tspi.c b/src/security/tpm/tspi/tspi.c
new file mode 100644
index 0000000..7d2ac37
--- /dev/null
+++ b/src/security/tpm/tspi/tspi.c
@@ -0,0 +1,189 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
+ * Copyright 2017 Facebook Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+
+#include <console/cbmem_console.h>
+#include <console/console.h>
+#include <reset.h>
+#include <security/tpm/tspi.h>
+#include <security/tpm/tss.h>
+#include <stdlib.h>
+#include <string.h>
+
+#if IS_ENABLED(CONFIG_TPM1)
+static uint32_t tpm1_invoke_state_machine(void)
+{
+	uint8_t disable;
+	uint8_t deactivated;
+	uint32_t result = TPM_SUCCESS;
+
+	/* Check that the TPM is enabled and activated. */
+	result = tlcl_get_flags(&disable, &deactivated, NULL);
+	if (result != TPM_SUCCESS) {
+		printk(BIOS_ERR, "TPM: Can't read capabilities.\n");
+		return result;
+	}
+
+	if (!!deactivated != IS_ENABLED(CONFIG_TPM_DEACTIVATE)) {
+		printk(BIOS_INFO,
+		       "TPM: Unexpected TPM deactivated state. Toggling...\n");
+		result = tlcl_set_deactivated(!deactivated);
+		if (result != TPM_SUCCESS) {
+			printk(BIOS_ERR,
+			       "TPM: Can't toggle deactivated state.\n");
+			return result;
+		}
+
+		result = TPM_E_MUST_REBOOT;
+	}
+
+	if (disable && !deactivated) {
+		printk(BIOS_INFO, "TPM: disabled (%d). Enabling...\n", disable);
+
+		result = tlcl_set_enable();
+		if (result != TPM_SUCCESS) {
+			printk(BIOS_ERR, "TPM: Can't set enabled state.\n");
+			return result;
+		}
+
+		printk(BIOS_INFO, "TPM: Must reboot to re-enable\n");
+		result = TPM_E_MUST_REBOOT;
+	}
+
+	return result;
+}
+#endif
+
+/*
+ * tpm_setup starts the TPM and establishes the root of trust for the
+ * anti-rollback mechanism.  SetupTPM can fail for three reasons.  1 A bug. 2 a
+ * TPM hardware failure. 3 An unexpected TPM state due to some attack.  In
+ * general we cannot easily distinguish the kind of failure, so our strategy is
+ * to reboot in recovery mode in all cases.  The recovery mode calls SetupTPM
+ * again, which executes (almost) the same sequence of operations.  There is a
+ * good chance that, if recovery mode was entered because of a TPM failure, the
+ * failure will repeat itself.  (In general this is impossible to guarantee
+ * because we have no way of creating the exact TPM initial state at the
+ * previous boot.)  In recovery mode, we ignore the failure and continue, thus
+ * giving the recovery kernel a chance to fix things (that's why we don't set
+ * bGlobalLock).  The choice is between a knowingly insecure device and a
+ * bricked device.
+ *
+ * As a side note, observe that we go through considerable hoops to avoid using
+ * the STCLEAR permissions for the index spaces.  We do this to avoid writing
+ * to the TPM flashram at every reboot or wake-up, because of concerns about
+ * the durability of the NVRAM.
+ */
+uint32_t tpm_setup(int s3flag)
+{
+	uint32_t result;
+
+	result = tlcl_lib_init();
+	if (result != TPM_SUCCESS) {
+		printk(BIOS_ERR, "TPM: Can't initialize.\n");
+		goto out;
+	}
+
+	/* Handle special init for S3 resume path */
+	if (s3flag) {
+		result = tlcl_resume();
+		if (result == TPM_E_INVALID_POSTINIT)
+			printk(BIOS_INFO, "TPM: Already initialized.\n");
+
+		return TPM_SUCCESS;
+	}
+
+	result = tlcl_startup();
+	if (result != TPM_SUCCESS) {
+		printk(BIOS_ERR, "TPM: Can't run startup command.\n");
+		goto out;
+	}
+
+	result = tlcl_assert_physical_presence();
+	if (result != TPM_SUCCESS) {
+		/*
+		 * It is possible that the TPM was delivered with the physical
+		 * presence command disabled.  This tries enabling it, then
+		 * tries asserting PP again.
+		 */
+		result = tlcl_physical_presence_cmd_enable();
+		if (result != TPM_SUCCESS) {
+			printk(
+			    BIOS_ERR,
+			    "TPM: Can't enable physical presence command.\n");
+			goto out;
+		}
+
+		result = tlcl_assert_physical_presence();
+		if (result != TPM_SUCCESS) {
+			printk(BIOS_ERR,
+			       "TPM: Can't assert physical presence.\n");
+			goto out;
+		}
+	}
+
+#if IS_ENABLED(CONFIG_TPM1)
+	result = tpm1_invoke_state_machine();
+	if (result != TPM_SUCCESS)
+		return result;
+#endif
+
+out:
+	if (result != TPM_SUCCESS)
+		post_code(POST_TPM_FAILURE);
+	else
+		printk(BIOS_INFO, "TPM: setup succeeded\n");
+
+	return result;
+}
+
+uint32_t tpm_clear_and_reenable(void)
+{
+	uint32_t result;
+
+	printk(BIOS_INFO, "TPM: Clear and re-enable\n");
+	result = tlcl_force_clear();
+	if (result != TPM_SUCCESS) {
+		printk(BIOS_ERR, "TPM: Can't initiate a force clear.\n");
+		return result;
+	}
+
+#if IS_ENABLED(CONFIG_TPM1)
+	result = tlcl_set_enable();
+	if (result != TPM_SUCCESS) {
+		printk(BIOS_ERR, "TPM: Can't set enabled state.\n");
+		return result;
+	}
+
+	result = tlcl_set_deactivated(0);
+	if (result != TPM_SUCCESS) {
+		printk(BIOS_ERR, "TPM: Can't set deactivated state.\n");
+		return result;
+	}
+#endif
+
+	return TPM_SUCCESS;
+}
+
+uint32_t tpm_extend_pcr(int pcr, uint8_t *digest, uint8_t *out_digest)
+{
+	if (!digest)
+		return TPM_E_IOERROR;
+
+	if (out_digest)
+		return tlcl_extend(pcr, digest, out_digest);
+
+	return tlcl_extend(pcr, digest, NULL);
+}
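Review bot: In tpm_setup() the S3 resume branch returns `TPM_SUCCESS` regardless of what `tlcl_resume()` returned: only TPM_E_INVALID_POSTINIT is special-cased for a log line, so any other resume failure is reported to the caller as success and skips the `out:` path that posts POST_TPM_FAILURE. Replacing the bare `return TPM_SUCCESS;` with `result = (result == TPM_E_INVALID_POSTINIT) ? TPM_SUCCESS : result;` followed by `goto out;` keeps the "already initialized" case benign while surfacing real errors. The early `return result;` after tpm1_invoke_state_machine() has the same gap (no post code on TPM_E_MUST_REBOOT) and could also `goto out`. Separately, in `tpm_extend_pcr()` the two tlcl_extend() calls collapse to `return tlcl_extend(pcr, digest, out_digest);`, and `digest` should be `const uint8_t *`.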
diff --git a/src/security/tpm/tss.h b/src/security/tpm/tss.h
index 8f3f1cb..151d450 100644
--- a/src/security/tpm/tss.h
+++ b/src/security/tpm/tss.h
@@ -11,13 +11,59 @@
 
 #ifndef TSS_H_
 #define TSS_H_
+
 #include <stdint.h>
 #include <types.h>
 
-#include "tss_constants.h"
+#include <security/tpm/tss/common/tss_common.h>
+#include <security/tpm/tss_errors.h>
+
+#if IS_ENABLED(CONFIG_TPM1)
+
+#include <security/tpm/tss/tcg-1.2/tss_structures.h>
+
+/**
+ * Define a space with permission [perm].  [index] is the index for the space,
+ * [size] the usable data size.  The TPM error code is returned.
+ */
+uint32_t tlcl_define_space(uint32_t index, uint32_t perm, uint32_t size);
+
+/**
+ * Issue a PhysicalEnable.  The TPM error code is returned.
+ */
+uint32_t tlcl_set_enable(void);
+
+/**
+ * Issue a SetDeactivated.  Pass 0 to activate.  Returns result code.
+ */
+uint32_t tlcl_set_deactivated(uint8_t flag);
+
+/**
+ * Get flags of interest.  Pointers for flags you aren't interested in may
+ * be NULL.  The TPM error code is returned.
+ */
+uint32_t tlcl_get_flags(uint8_t *disable, uint8_t *deactivated,
+			uint8_t *nvlocked);
+
+#endif
+
+#if IS_ENABLED(CONFIG_TPM2)
+
+#include <security/tpm/tss/tcg-2.0/tss_structures.h>
+
+/*
+ * Define a TPM2 space. The define space command TPM command used by the tlcl
+ * layer is enforcing the policy which would not allow to delete the created
+ * space after any PCR0 change from its initial value.
+ */
+uint32_t tlcl_define_space(uint32_t space_index, size_t space_size,
+			   const TPMA_NV nv_attributes,
+			   const uint8_t *nv_policy, size_t nv_policy_size);
+
+#endif
 
 /*****************************************************************************/
-/* Functions implemented in tlcl.c */
+/* Generic Functions implemented in tlcl.c */
 
 /**
  * Call this first.  Returns 0 if success, nonzero if error.
@@ -57,23 +103,6 @@
  */
 uint32_t tlcl_continue_self_test(void);
 
-#if IS_ENABLED(CONFIG_TPM)
-/**
- * Define a space with permission [perm].  [index] is the index for the space,
- * [size] the usable data size.  The TPM error code is returned.
- */
-uint32_t tlcl_define_space(uint32_t index, uint32_t perm, uint32_t size);
-
-#elif IS_ENABLED(CONFIG_TPM2)
-
-/*
- * Define a TPM space. The define space command TPM command used by the tlcl
- * layer is enforcing the policy which would not allow to delete the created
- * space after any PCR0 change from its initial value.
- */
-uint32_t tlcl_define_space(uint32_t space_index, size_t space_size);
-#endif
-
 /**
  * Write [length] bytes of [data] to space at [index].  The TPM error code is
  * returned.
@@ -113,23 +142,6 @@
 uint32_t tlcl_force_clear(void);
 
 /**
- * Issue a PhysicalEnable.  The TPM error code is returned.
- */
-uint32_t tlcl_set_enable(void);
-
-/**
- * Issue a SetDeactivated.  Pass 0 to activate.  Returns result code.
- */
-uint32_t tlcl_set_deactivated(uint8_t flag);
-
-/**
- * Get flags of interest.  Pointers for flags you aren't interested in may
- * be NULL.  The TPM error code is returned.
- */
-uint32_t tlcl_get_flags(uint8_t *disable, uint8_t *deactivated,
-			uint8_t *nvlocked);
-
-/**
  * Set the bGlobalLock flag, which only a reboot can clear.  The TPM error
  * code is returned.
  */
@@ -174,4 +186,8 @@
 uint32_t tlcl_cr50_enable_update(uint16_t timeout_ms,
 				 uint8_t *num_restored_headers);
 
-#endif  /* TSS_H_ */
+/******************VENDOR INTERNAL COMMANDS******************/
+
+void *tpm_process_command(TPM_CC command, void *command_body);
+
+#endif /* TSS_H_ */
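Review bot: The `tpm_process_command` prototype at L2131 is declared unconditionally, but the only definition this change provides is in tcg-2.0/tss.c (the hunk at L2619 drops its `static`), so on a TPM 1.2 build the header advertises a symbol nothing defines, and the `VENDOR INTERNAL COMMANDS` banner does not say who may call it. Since this turns the raw command path into a public symbol that bypasses the tlcl_* wrappers, it should sit in the same `#if IS_ENABLED(CONFIG_TPM2)` style guard as the block ending at L2068 and carry a comment such as `/* Internal: raw TPM2 command dispatch for tss/vendor/* extensions only; not part of the tlcl API. */`. The lifetime of the returned pointer is not visible in this diff; the comment should state it so vendor code does not keep it across calls.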
diff --git a/src/security/tpm/tss/common/tss_common.h b/src/security/tpm/tss/common/tss_common.h
new file mode 100644
index 0000000..f87d1e0
--- /dev/null
+++ b/src/security/tpm/tss/common/tss_common.h
@@ -0,0 +1,51 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright 2017 Facebook Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+
+#ifndef TCG_TSS_COMMON_H_
+#define TCG_TSS_COMMON_H_
+
+#define TPM_PCR_DIGEST_SIZE 20
+
+typedef uint8_t TSS_BOOL;
+typedef uint16_t TPM_STRUCTURE_TAG;
+typedef uint32_t TPM_CC;
+
+#define TPM_SUCCESS ((uint32_t)0x00000000)
+
+typedef struct tdTPM_PERMANENT_FLAGS {
+	TPM_STRUCTURE_TAG tag;
+	TSS_BOOL disable : 1;
+	TSS_BOOL ownership : 1;
+	TSS_BOOL deactivated : 1;
+	TSS_BOOL readPubek : 1;
+	TSS_BOOL disableOwnerClear : 1;
+	TSS_BOOL allowMaintenance : 1;
+	TSS_BOOL physicalPresenceLifetimeLock : 1;
+	TSS_BOOL physicalPresenceHWEnable : 1;
+	TSS_BOOL physicalPresenceCMDEnable : 1;
+	TSS_BOOL CEKPUsed : 1;
+	TSS_BOOL TPMpost : 1;
+	TSS_BOOL TPMpostLock : 1;
+	TSS_BOOL FIPS : 1;
+	TSS_BOOL Operator : 1;
+	TSS_BOOL enableRevokeEK : 1;
+	TSS_BOOL nvLocked : 1;
+	TSS_BOOL readSRKPub : 1;
+	TSS_BOOL tpmEstablished : 1;
+	TSS_BOOL maintenanceDone : 1;
+	TSS_BOOL disableFullDALogicInfo : 1;
+} TPM_PERMANENT_FLAGS;
+
+#endif /* TCG_TSS_COMMON_H_ */
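Review bot: The new header is not self-contained: it uses `uint8_t`, `uint16_t` and `uint32_t` at L2160–L2162 but includes nothing, so it only compiles because both includers (L2411–L2412 and L2909–L2914) happen to pull in `<stdint.h>` first; add `#include <stdint.h>` directly after the guard at L2156. The bit-fields at L2168–L2187 are declared with `TSS_BOOL` (a `uint8_t` typedef); C11 only guarantees bit-fields of `_Bool`, `signed int` and `unsigned int`, so the layout of `TPM_PERMANENT_FLAGS` is implementation-defined. That is fine if the struct is only an in-memory decode of the flags, which I cannot confirm from this hunk; a comment stating `/* In-memory representation only, not the wire layout of TPM_PERMANENT_FLAGS. */` would make that explicit.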
diff --git a/src/security/tpm/tss/tcg-1.2/tss.c b/src/security/tpm/tss/tcg-1.2/tss.c
index 161d29f..0cb7eaa 100644
--- a/src/security/tpm/tss/tcg-1.2/tss.c
+++ b/src/security/tpm/tss/tcg-1.2/tss.c
@@ -20,8 +20,9 @@
 #include <security/tpm/tis.h>
 #include <vb2_api.h>
 #include <security/tpm/tss.h>
+
 #include "tss_internal.h"
-#include "tss_structures.h"
+#include "tss_commands.h"
 
 #ifdef FOR_TEST
 #include <stdio.h>
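Review bot: tss.c now includes tss_commands.h instead of tss_structures.h (L2201–L2202), but the constants and types that the rewritten tss_structures.h carries (`TPM_NV_PER_*`, `TPM_TAG_RQU_COMMAND`, `TPM_STCLEAR_FLAGS`, L2419–L2470) are no longer reachable from this file unless `<security/tpm/tss.h>` pulls that header in, which the diff does not show. If any of them is used in tss.c, keep `#include "tss_structures.h"` next to L2202 rather than relying on transitive includes. The rest of tss.c is outside this hunk, so I cannot verify which names it needs.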
diff --git a/src/security/tpm/tss/tcg-1.2/tss_commands.h b/src/security/tpm/tss/tcg-1.2/tss_commands.h
new file mode 100644
index 0000000..f245664
--- /dev/null
+++ b/src/security/tpm/tss/tcg-1.2/tss_commands.h
@@ -0,0 +1,177 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright 2017 Facebook Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+
+const struct s_tpm_extend_cmd{
+	uint8_t buffer[34];
+	uint16_t pcrNum;
+	uint16_t inDigest;
+} tpm_extend_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0x22, 0x0, 0x0, 0x0, 0x14, },
+10, 14, };
+
+const struct s_tpm_get_random_cmd{
+	uint8_t buffer[14];
+	uint16_t bytesRequested;
+} tpm_get_random_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0xe, 0x0, 0x0, 0x0, 0x46, },
+10, };
+
+const struct s_tpm_getownership_cmd{
+	uint8_t buffer[22];
+} tpm_getownership_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0x65,
+	0x0, 0x0, 0x0, 0x5, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x1, 0x11, },
+};
+
+const struct s_tpm_getpermissions_cmd{
+	uint8_t buffer[22];
+	uint16_t index;
+} tpm_getpermissions_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0x65,
+	0x0, 0x0, 0x0, 0x11, 0x0, 0x0, 0x0, 0x4, },
+18, };
+
+const struct s_tpm_getstclearflags_cmd{
+	uint8_t buffer[22];
+} tpm_getstclearflags_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0x65,
+	0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x1, 0x9, },
+};
+
+const struct s_tpm_getflags_cmd{
+	uint8_t buffer[22];
+} tpm_getflags_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0x65,
+	0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x1, 0x8, },
+};
+
+const struct s_tpm_physicalsetdeactivated_cmd{
+	uint8_t buffer[11];
+	uint16_t deactivated;
+} tpm_physicalsetdeactivated_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xb, 0x0, 0x0, 0x0, 0x72, },
+10, };
+
+const struct s_tpm_physicalenable_cmd{
+	uint8_t buffer[10];
+} tpm_physicalenable_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x6f, },
+};
+
+const struct s_tpm_physicaldisable_cmd{
+	uint8_t buffer[10];
+} tpm_physicaldisable_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x70, },
+};
+
+const struct s_tpm_forceclear_cmd{
+	uint8_t buffer[10];
+} tpm_forceclear_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x5d, },
+};
+
+const struct s_tpm_readpubek_cmd{
+	uint8_t buffer[30];
+} tpm_readpubek_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0x1e, 0x0, 0x0, 0x0, 0x7c, },
+};
+
+const struct s_tpm_continueselftest_cmd{
+	uint8_t buffer[10];
+} tpm_continueselftest_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x53, },
+};
+
+const struct s_tpm_selftestfull_cmd{
+	uint8_t buffer[10];
+} tpm_selftestfull_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x50, },
+};
+
+const struct s_tpm_resume_cmd{
+	uint8_t buffer[12];
+} tpm_resume_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x99, 0x0, 0x2, },
+};
+
+const struct s_tpm_savestate_cmd{
+	uint8_t buffer[10];
+} tpm_savestate_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x98, },
+};
+
+const struct s_tpm_startup_cmd{
+	uint8_t buffer[12];
+} tpm_startup_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x99, 0x0, 0x1, },
+};
+
+const struct s_tpm_finalizepp_cmd{
+	uint8_t buffer[12];
+} tpm_finalizepp_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x40, 0x0, 0x0, 0xa, 0x2, 0xa0, },
+};
+
+const struct s_tpm_pplock_cmd{
+	uint8_t buffer[12];
+} tpm_pplock_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x40, 0x0, 0x0, 0xa, 0x0, 0x4, },
+};
+
+const struct s_tpm_ppenable_cmd{
+	uint8_t buffer[12];
+} tpm_ppenable_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x40, 0x0, 0x0, 0xa, 0x0, 0x20, },
+};
+
+const struct s_tpm_ppassert_cmd{
+	uint8_t buffer[12];
+} tpm_ppassert_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x40, 0x0, 0x0, 0xa, 0x0, 0x8, },
+};
+
+const struct s_tpm_pcr_read_cmd{
+	uint8_t buffer[14];
+	uint16_t pcrNum;
+} tpm_pcr_read_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0xe, 0x0, 0x0, 0x0, 0x15, },
+10, };
+
+const struct s_tpm_nv_read_cmd{
+	uint8_t buffer[22];
+	uint16_t index;
+	uint16_t length;
+} tpm_nv_read_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0xcf, },
+10, 18, };
+
+const struct s_tpm_nv_write_cmd{
+	uint8_t buffer[256];
+	uint16_t index;
+	uint16_t length;
+	uint16_t data;
+} tpm_nv_write_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xcd, },
+10, 18, 22, };
+
+const struct s_tpm_nv_definespace_cmd{
+	uint8_t buffer[101];
+	uint16_t index;
+	uint16_t perm;
+	uint16_t size;
+} tpm_nv_definespace_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0x65, 0x0, 0x0, 0x0, 0xcc,
+	0x0, 0x18, 0, 0, 0, 0, 0x0, 0x3, 0, 0, 0, 0x1f, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0x0, 0x3, 0, 0, 0, 0x1f, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x0, 0x17,
+	},
+	12, 70, 77,
+};
+
+const int kWriteInfoLength = 12;
+const int kNvDataPublicPermissionsOffset = 60;
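Review bot: This header defines objects rather than declaring them — `const struct s_tpm_extend_cmd ... tpm_extend_cmd = {...}` at L2227–L2232 and `const int kWriteInfoLength` at L2387 — and in C a file-scope `const` keeps external linkage, so a second translation unit including it would fail to link with duplicate symbols; there is also no include guard and no `#include <stdint.h>` for the `uint8_t`/`uint16_t` fields. The content was moved verbatim from tss_structures.h (L2405–L2591), so the defect is inherited, but the move is the moment to make each definition `static const struct s_tpm_extend_cmd {` and so on, and to wrap the file in `#ifndef TCG1_TSS_COMMANDS_H_`. A one-line comment stating that the `uint16_t` fields are byte offsets into `buffer` where the variable parts are patched in would also help, since nothing in the file says so.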
diff --git a/src/security/tpm/tss/tcg-1.2/tss_structures.h b/src/security/tpm/tss/tcg-1.2/tss_structures.h
index 880864e..9429b79 100644
--- a/src/security/tpm/tss/tcg-1.2/tss_structures.h
+++ b/src/security/tpm/tss/tcg-1.2/tss_structures.h
@@ -1,164 +1,42 @@
-/* This file is automatically generated */
+/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ *
+ * Some TPM constants and type definitions for standalone compilation for use
+ * in the firmware
+ */
+#ifndef TCG1_TSS_STRUCTURES_H_
+#define TCG1_TSS_STRUCTURES_H_
 
-const struct s_tpm_extend_cmd{
-	uint8_t buffer[34];
-	uint16_t pcrNum;
-	uint16_t inDigest;
-} tpm_extend_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0x22, 0x0, 0x0, 0x0, 0x14, },
-10, 14, };
+#include <stdint.h>
+#include "../common/tss_common.h"
 
-const struct s_tpm_get_random_cmd{
-	uint8_t buffer[14];
-	uint16_t bytesRequested;
-} tpm_get_random_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0xe, 0x0, 0x0, 0x0, 0x46, },
-10, };
+#define TPM_MAX_COMMAND_SIZE 4096
+#define TPM_LARGE_ENOUGH_COMMAND_SIZE 256  /* saves space in the firmware */
+#define TPM_PUBEK_SIZE 256
 
-const struct s_tpm_getownership_cmd{
-	uint8_t buffer[22];
-} tpm_getownership_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0x65,
-	0x0, 0x0, 0x0, 0x5, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x1, 0x11, },
-};
+#define TPM_NV_INDEX0 ((uint32_t)0x00000000)
+#define TPM_NV_INDEX_LOCK ((uint32_t)0xffffffff)
+#define TPM_NV_PER_GLOBALLOCK (((uint32_t)1)<<15)
+#define TPM_NV_PER_PPWRITE (((uint32_t)1)<<0)
+#define TPM_NV_PER_READ_STCLEAR (((uint32_t)1)<<31)
+#define TPM_NV_PER_WRITE_STCLEAR (((uint32_t)1)<<14)
 
-const struct s_tpm_getpermissions_cmd{
-	uint8_t buffer[22];
-	uint16_t index;
-} tpm_getpermissions_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0x65,
-	0x0, 0x0, 0x0, 0x11, 0x0, 0x0, 0x0, 0x4, },
-18, };
+#define TPM_TAG_RQU_COMMAND       ((uint16_t) 0xc1)
+#define TPM_TAG_RQU_AUTH1_COMMAND ((uint16_t) 0xc2)
+#define TPM_TAG_RQU_AUTH2_COMMAND ((uint16_t) 0xc3)
 
-const struct s_tpm_getstclearflags_cmd{
-	uint8_t buffer[22];
-} tpm_getstclearflags_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0x65,
-	0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x1, 0x9, },
-};
+#define TPM_TAG_RSP_COMMAND       ((uint16_t) 0xc4)
+#define TPM_TAG_RSP_AUTH1_COMMAND ((uint16_t) 0xc5)
+#define TPM_TAG_RSP_AUTH2_COMMAND ((uint16_t) 0xc6)
 
-const struct s_tpm_getflags_cmd{
-	uint8_t buffer[22];
-} tpm_getflags_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0x65,
-	0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x1, 0x8, },
-};
+typedef struct tdTPM_STCLEAR_FLAGS {
+	TPM_STRUCTURE_TAG tag;
+	TSS_BOOL deactivated;
+	TSS_BOOL disableForceClear;
+	TSS_BOOL physicalPresence;
+	TSS_BOOL physicalPresenceLock;
+	TSS_BOOL bGlobalLock;
+} TPM_STCLEAR_FLAGS;
 
-const struct s_tpm_physicalsetdeactivated_cmd{
-	uint8_t buffer[11];
-	uint16_t deactivated;
-} tpm_physicalsetdeactivated_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xb, 0x0, 0x0, 0x0, 0x72, },
-10, };
-
-const struct s_tpm_physicalenable_cmd{
-	uint8_t buffer[10];
-} tpm_physicalenable_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x6f, },
-};
-
-const struct s_tpm_physicaldisable_cmd{
-	uint8_t buffer[10];
-} tpm_physicaldisable_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x70, },
-};
-
-const struct s_tpm_forceclear_cmd{
-	uint8_t buffer[10];
-} tpm_forceclear_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x5d, },
-};
-
-const struct s_tpm_readpubek_cmd{
-	uint8_t buffer[30];
-} tpm_readpubek_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0x1e, 0x0, 0x0, 0x0, 0x7c, },
-};
-
-const struct s_tpm_continueselftest_cmd{
-	uint8_t buffer[10];
-} tpm_continueselftest_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x53, },
-};
-
-const struct s_tpm_selftestfull_cmd{
-	uint8_t buffer[10];
-} tpm_selftestfull_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x50, },
-};
-
-const struct s_tpm_resume_cmd{
-	uint8_t buffer[12];
-} tpm_resume_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x99, 0x0, 0x2, },
-};
-
-const struct s_tpm_savestate_cmd{
-	uint8_t buffer[10];
-} tpm_savestate_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x98, },
-};
-
-const struct s_tpm_startup_cmd{
-	uint8_t buffer[12];
-} tpm_startup_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x99, 0x0, 0x1, },
-};
-
-const struct s_tpm_finalizepp_cmd{
-	uint8_t buffer[12];
-} tpm_finalizepp_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x40, 0x0, 0x0, 0xa, 0x2, 0xa0, },
-};
-
-const struct s_tpm_pplock_cmd{
-	uint8_t buffer[12];
-} tpm_pplock_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x40, 0x0, 0x0, 0xa, 0x0, 0x4, },
-};
-
-const struct s_tpm_ppenable_cmd{
-	uint8_t buffer[12];
-} tpm_ppenable_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x40, 0x0, 0x0, 0xa, 0x0, 0x20, },
-};
-
-const struct s_tpm_ppassert_cmd{
-	uint8_t buffer[12];
-} tpm_ppassert_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x40, 0x0, 0x0, 0xa, 0x0, 0x8, },
-};
-
-const struct s_tpm_pcr_read_cmd{
-	uint8_t buffer[14];
-	uint16_t pcrNum;
-} tpm_pcr_read_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0xe, 0x0, 0x0, 0x0, 0x15, },
-10, };
-
-const struct s_tpm_nv_read_cmd{
-	uint8_t buffer[22];
-	uint16_t index;
-	uint16_t length;
-} tpm_nv_read_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0xcf, },
-10, 18, };
-
-const struct s_tpm_nv_write_cmd{
-	uint8_t buffer[256];
-	uint16_t index;
-	uint16_t length;
-	uint16_t data;
-} tpm_nv_write_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xcd, },
-10, 18, 22, };
-
-const struct s_tpm_nv_definespace_cmd{
-	uint8_t buffer[101];
-	uint16_t index;
-	uint16_t perm;
-	uint16_t size;
-} tpm_nv_definespace_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0x65, 0x0, 0x0, 0x0, 0xcc,
-	0x0, 0x18, 0, 0, 0, 0, 0x0, 0x3, 0, 0, 0, 0x1f, 0, 0,
-	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-	0x0, 0x3, 0, 0, 0, 0x1f, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x0, 0x17,
-	},
-	12, 70, 77,
-};
-
-const int kWriteInfoLength = 12;
-const int kNvDataPublicPermissionsOffset = 60;
+#endif  /* TCG1_TSS_STRUCTURES_H_ */
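Review bot: The constants brought in from the deleted tss_constants.h keep their names except `TPM_PCR_DIGEST` (L3104), which reappears as `TPM_PCR_DIGEST_SIZE` in tss_common.h (L2158); any user of the old name outside this diff would now fail to compile, so either confirm every user was updated or keep a compatibility alias `#define TPM_PCR_DIGEST TPM_PCR_DIGEST_SIZE`. The relative include `"../common/tss_common.h"` at L2412 differs from the `<security/tpm/tss/...>` form used at L2900; picking one style keeps these headers relocatable.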
diff --git a/src/security/tpm/tss/tcg-2.0/tss.c b/src/security/tpm/tss/tcg-2.0/tss.c
index cde9ea2..21e41f9 100644
--- a/src/security/tpm/tss/tcg-2.0/tss.c
+++ b/src/security/tpm/tss/tcg-2.0/tss.c
@@ -7,13 +7,13 @@
 #include <arch/early_variables.h>
 #include <console/console.h>
 #include <endian.h>
+#include <security/tpm/tis.h>
+#include <security/tpm/tss.h>
 #include <string.h>
 #include <vb2_api.h>
-#include <security/tpm/tis.h>
-#include <security/tpm/antirollback.h>
 
-#include "tss_structures.h"
 #include "tss_marshaling.h"
+#include "tss_structures.h"
 
 /*
  * This file provides interface between firmware and TPM2 device. The TPM1.2
@@ -21,7 +21,7 @@
  * TPM2 specification.
  */
 
-static void *tpm_process_command(TPM_CC command, void *command_body)
+void *tpm_process_command(TPM_CC command, void *command_body)
 {
 	struct obuf ob;
 	struct ibuf ib;
@@ -53,7 +53,6 @@
 	return tpm_unmarshal_response(command, &ib);
 }
 
-
 uint32_t tlcl_get_permanent_flags(TPM_PERMANENT_FLAGS *pflags)
 {
 	printk(BIOS_INFO, "%s:%s:%d\n", __FILE__, __func__, __LINE__);
@@ -68,14 +67,13 @@
 	startup.startup_type = type;
 	response = tpm_process_command(TPM2_Startup, &startup);
 
-	if (response && response->hdr.tpm_code &&
-	    (response->hdr.tpm_code != TPM_RC_INITIALIZE)) {
-		printk(BIOS_INFO, "%s: Startup return code is %x\n",
-		       __func__, response->hdr.tpm_code);
+	if (response && response->hdr.tpm_code
+	    && (response->hdr.tpm_code != TPM_RC_INITIALIZE)) {
+		printk(BIOS_INFO, "%s: Startup return code is %x\n", __func__,
+		       response->hdr.tpm_code);
 		return TPM_E_IOERROR;
 	}
 	return TPM_SUCCESS;
-
 }
 
 uint32_t tlcl_resume(void)
@@ -96,8 +94,7 @@
  * The caller will provide the digest in a 32 byte buffer, let's consider it a
  * sha256 digest.
  */
-uint32_t tlcl_extend(int pcr_num, const uint8_t *in_digest,
-		     uint8_t *out_digest)
+uint32_t tlcl_extend(int pcr_num, const uint8_t *in_digest, uint8_t *out_digest)
 {
 	struct tpm2_pcr_extend_cmd pcr_ext_cmd;
 	struct tpm2_response *response;
@@ -110,8 +107,8 @@
 
 	response = tpm_process_command(TPM2_PCR_Extend, &pcr_ext_cmd);
 
-	printk(BIOS_INFO, "%s: response is %x\n",
-	       __func__, response ? response->hdr.tpm_code : -1);
+	printk(BIOS_INFO, "%s: response is %x\n", __func__,
+	       response ? response->hdr.tpm_code : -1);
 	if (!response || response->hdr.tpm_code)
 		return TPM_E_IOERROR;
 
@@ -130,8 +127,8 @@
 	struct tpm2_response *response;
 
 	response = tpm_process_command(TPM2_Clear, NULL);
-	printk(BIOS_INFO, "%s: response is %x\n",
-	       __func__, response ? response->hdr.tpm_code : -1);
+	printk(BIOS_INFO, "%s: response is %x\n", __func__,
+	       response ? response->hdr.tpm_code : -1);
 
 	if (!response || response->hdr.tpm_code)
 		return TPM_E_IOERROR;
@@ -139,30 +136,6 @@
 	return TPM_SUCCESS;
 }
 
-uint32_t tlcl_get_flags(uint8_t *disable, uint8_t *deactivated,
-			uint8_t *nvlocked)
-{
-	/*
-	 * TPM2 does not map directly into these flags TPM1.2 based firmware
-	 * expects to be able to retrieve.
-	 *
-	 * In any case, if any of these conditions are present, the following
-	 * firmware flow would be interrupted and will have a chance to report
-	 * an error. Let's just hardcode an "All OK" response for now.
-	 */
-
-	if (disable)
-		*disable = 0;
-
-	if (nvlocked)
-		*nvlocked = 1;
-
-	if (deactivated)
-		*deactivated = 0;
-
-	return TPM_SUCCESS;
-}
-
 static uint8_t tlcl_init_done CAR_GLOBAL;
 
 /* This function is called directly by vboot, uses vboot return types. */
@@ -204,8 +177,8 @@
 	if (!response)
 		return TPM_E_READ_FAILURE;
 
-	printk(BIOS_INFO, "%s:%d index %#x return code %x\n",
-	       __FILE__, __LINE__, index, response->hdr.tpm_code);
+	printk(BIOS_INFO, "%s:%d index %#x return code %x\n", __FILE__,
+	       __LINE__, index, response->hdr.tpm_code);
 	switch (response->hdr.tpm_code) {
 	case 0:
 		break;
@@ -242,20 +215,8 @@
 	st.yes_no = 1;
 
 	response = tpm_process_command(TPM2_SelfTest, &st);
-	printk(BIOS_INFO, "%s: response is %x\n",
-	       __func__, response ? response->hdr.tpm_code : -1);
-	return TPM_SUCCESS;
-}
-
-uint32_t tlcl_set_deactivated(uint8_t flag)
-{
-	printk(BIOS_INFO, "%s:%s:%d\n", __FILE__, __func__, __LINE__);
-	return TPM_SUCCESS;
-}
-
-uint32_t tlcl_set_enable(void)
-{
-	printk(BIOS_INFO, "%s:%s:%d\n", __FILE__, __func__, __LINE__);
+	printk(BIOS_INFO, "%s: response is %x\n", __func__,
+	       response ? response->hdr.tpm_code : -1);
 	return TPM_SUCCESS;
 }
 
@@ -269,8 +230,8 @@
 
 	response = tpm_process_command(TPM2_NV_WriteLock, &nv_wl);
 
-	printk(BIOS_INFO, "%s: response is %x\n",
-	       __func__, response ? response->hdr.tpm_code : -1);
+	printk(BIOS_INFO, "%s: response is %x\n", __func__,
+	       response ? response->hdr.tpm_code : -1);
 
 	if (!response || response->hdr.tpm_code)
 		return TPM_E_IOERROR;
@@ -296,8 +257,8 @@
 
 	response = tpm_process_command(TPM2_NV_Write, &nv_writec);
 
-	printk(BIOS_INFO, "%s: response is %x\n",
-	       __func__, response ? response->hdr.tpm_code : -1);
+	printk(BIOS_INFO, "%s: response is %x\n", __func__,
+	       response ? response->hdr.tpm_code : -1);
 
 	/* Need to map tpm error codes into internal values. */
 	if (!response || response->hdr.tpm_code)
@@ -306,29 +267,12 @@
 	return TPM_SUCCESS;
 }
 
-uint32_t tlcl_define_space(uint32_t space_index, size_t space_size)
+uint32_t tlcl_define_space(uint32_t space_index, size_t space_size,
+			   const TPMA_NV nv_attributes,
+			   const uint8_t *nv_policy, size_t nv_policy_size)
 {
 	struct tpm2_nv_define_space_cmd nvds_cmd;
 	struct tpm2_response *response;
-	/*
-	 * Different sets of NVRAM space attributes apply to the "ro" spaces,
-	 * i.e. those which should not be possible to delete or modify once
-	 * the RO exits, and the rest of the NVRAM spaces.
-	 */
-	const TPMA_NV ro_space_attributes = {
-		.TPMA_NV_PPWRITE = 1,
-		.TPMA_NV_AUTHREAD = 1,
-		.TPMA_NV_PPREAD = 1,
-		.TPMA_NV_PLATFORMCREATE = 1,
-		.TPMA_NV_WRITE_STCLEAR = 1,
-		.TPMA_NV_POLICY_DELETE = 1,
-	};
-	const TPMA_NV default_space_attributes = {
-		.TPMA_NV_PPWRITE = 1,
-		.TPMA_NV_AUTHREAD = 1,
-		.TPMA_NV_PPREAD = 1,
-		.TPMA_NV_PLATFORMCREATE = 1,
-	};
 
 	/* Prepare the define space command structure. */
 	memset(&nvds_cmd, 0, sizeof(nvds_cmd));
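Review bot: With the removal of `ro_space_attributes` and the `FIRMWARE_NV_INDEX`/`REC_HASH_NV_INDEX` branch, the decision which spaces are undeletable and which get the PCR0 policy now rests entirely with the caller, yet the header comment at L2060–L2062 still says the tlcl layer enforces that policy; it should instead describe `nv_attributes`, `nv_policy` and `nv_policy_size` and state that passing a NULL policy leaves `authPolicy` empty. The `const` on the by-value `nv_attributes` parameter (L2775 and the prototype at L2065) is a definition detail that does not belong in the header; `TPMA_NV nv_attributes,` is enough there. The body of tlcl_define_space continues in the next hunk.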
@@ -338,35 +282,21 @@
 	nvds_cmd.publicInfo.nameAlg = TPM_ALG_SHA256;
 
 	/* RO only NV spaces should be impossible to destroy. */
-	if ((space_index == FIRMWARE_NV_INDEX) ||
-	    (space_index == REC_HASH_NV_INDEX)) {
-		/*
-		 * This policy digest was obtained using TPM2_PolicyPCR
-		 * selecting only PCR_0 with a value of all zeros.
-		 */
-		const uint8_t pcr0_unchanged_policy[] = {
-			0x09, 0x93, 0x3C, 0xCE, 0xEB, 0xB4, 0x41, 0x11,
-			0x18, 0x81, 0x1D, 0xD4, 0x47, 0x78, 0x80, 0x08,
-			0x88, 0x86, 0x62, 0x2D, 0xD7, 0x79, 0x94, 0x46,
-			0x62, 0x26, 0x68, 0x8E, 0xEE, 0xE6, 0x6A, 0xA1
-		};
+	nvds_cmd.publicInfo.attributes = nv_attributes;
 
-		nvds_cmd.publicInfo.attributes = ro_space_attributes;
-		/*
-		 * Use policy digest based on default pcr0 value. This makes
-		 * sure that the space can not be deleted as soon as PCR0
-		 * value has been extended from default.
-		 */
-		nvds_cmd.publicInfo.authPolicy.t.buffer = pcr0_unchanged_policy;
-		nvds_cmd.publicInfo.authPolicy.t.size =
-			sizeof(pcr0_unchanged_policy);
-	} else {
-		nvds_cmd.publicInfo.attributes = default_space_attributes;
+	/*
+	 * Use policy digest based on default pcr0 value. This makes
+	 * sure that the space can not be deleted as soon as PCR0
+	 * value has been extended from default.
+	 */
+	if (nv_policy && nv_policy_size) {
+		nvds_cmd.publicInfo.authPolicy.t.buffer = nv_policy;
+		nvds_cmd.publicInfo.authPolicy.t.size = nv_policy_size;
 	}
 
 	response = tpm_process_command(TPM2_NV_DefineSpace, &nvds_cmd);
-	printk(BIOS_INFO, "%s: response is %x\n",
-	       __func__, response ? response->hdr.tpm_code : -1);
+	printk(BIOS_INFO, "%s: response is %x\n", __func__,
+	       response ? response->hdr.tpm_code : -1);
 
 	if (!response)
 		return TPM_E_NO_DEVICE;
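Review bot: The comments at L2805 (`RO only NV spaces should be impossible to destroy.`) and L2831–L2835 (`Use policy digest based on default pcr0 value`) are now stale: the code copies whatever attributes and policy the caller hands in and no longer knows anything about PCR0, so replace both with `/* Attributes and optional auth policy are supplied by the caller. */`. At L2838 the `size_t nv_policy_size` is assigned to `authPolicy.t.size`; if that field is a `uint16_t` as TPM2B sizes usually are, the assignment narrows silently. TPM2 requires an authPolicy to be empty or exactly the digest length of `nameAlg` (SHA-256 at L2803, i.e. 32 bytes), so validating `nv_policy_size` up front and returning an error such as `TPM_E_INTERNAL_INCONSISTENCY` would give callers a clearer failure than the TPM's response code. The function's tail is outside this hunk.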
@@ -397,42 +327,3 @@
 
 	return TPM_SUCCESS;
 }
-
-uint32_t tlcl_cr50_enable_nvcommits(void)
-{
-	uint16_t sub_command = TPM2_CR50_SUB_CMD_NVMEM_ENABLE_COMMITS;
-	struct tpm2_response *response;
-
-	printk(BIOS_INFO, "Enabling cr50 nvmem commmits\n");
-
-	response = tpm_process_command(TPM2_CR50_VENDOR_COMMAND, &sub_command);
-
-	if (response == NULL || (response && response->hdr.tpm_code)) {
-		if (response)
-			printk(BIOS_INFO, "%s: failed %x\n", __func__,
-				response->hdr.tpm_code);
-		else
-			printk(BIOS_INFO, "%s: failed\n", __func__);
-		return TPM_E_IOERROR;
-	}
-	return TPM_SUCCESS;
-}
-
-uint32_t tlcl_cr50_enable_update(uint16_t timeout_ms,
-				 uint8_t *num_restored_headers)
-{
-	struct tpm2_response *response;
-	uint16_t command_body[] = {
-		TPM2_CR50_SUB_CMD_TURN_UPDATE_ON, timeout_ms
-	};
-
-	printk(BIOS_INFO, "Checking cr50 for pending updates\n");
-
-	response = tpm_process_command(TPM2_CR50_VENDOR_COMMAND, command_body);
-
-	if (!response || response->hdr.tpm_code)
-		return TPM_E_INTERNAL_INCONSISTENCY;
-
-	*num_restored_headers = response->vcr.num_restored_headers;
-	return TPM_SUCCESS;
-}
diff --git a/src/security/tpm/tss/tcg-2.0/tss_marshaling.h b/src/security/tpm/tss/tcg-2.0/tss_marshaling.h
index d34756d..c94c895 100644
--- a/src/security/tpm/tss/tcg-2.0/tss_marshaling.h
+++ b/src/security/tpm/tss/tcg-2.0/tss_marshaling.h
@@ -8,6 +8,7 @@
 
 #include <commonlib/iobuf.h>
 #include "tss_structures.h"
+#include <security/tpm/tss/vendor/cr50/tss_structures.h>
 
 /* The below functions are used to serialize/deserialize TPM2 commands. */
 
diff --git a/src/security/tpm/tss/tcg-2.0/tss_structures.h b/src/security/tpm/tss/tcg-2.0/tss_structures.h
index 962e20c..28d49ed 100644
--- a/src/security/tpm/tss/tcg-2.0/tss_structures.h
+++ b/src/security/tpm/tss/tcg-2.0/tss_structures.h
@@ -14,16 +14,18 @@
 #include <stdint.h>
 #include <compiler.h>
 #include <types.h>
-
-#include <security/tpm/tss.h>
+#include "../common/tss_common.h"
 
 /* This should be plenty for what firmware needs. */
 #define TPM_BUFFER_SIZE 256
 
+/* Some TPM2 return codes used in this library. */
+#define TPM2_RC_SUCCESS    0
+#define TPM2_RC_NV_DEFINED 0x14c
+
 /* Basic TPM2 types. */
 typedef uint16_t TPM_SU;
 typedef uint16_t TPM_ALG_ID;
-typedef uint32_t TPM_CC;
 typedef uint32_t TPM_HANDLE;
 typedef uint32_t TPM_RC;
 typedef uint8_t TPMI_YES_NO;
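Review bot: The two return codes added at L2920–L2921 use a `TPM2_RC_` prefix while the existing code in this library uses `TPM_RC_` (e.g. `TPM_RC_INITIALIZE` at L2640), and they are bare integers although a `TPM_RC` typedef exists at L2928; `#define TPM_RC_NV_DEFINED ((TPM_RC)0x14c)` would match both conventions. No user of either constant is visible in this diff, so I cannot tell whether they are needed by this change or by a follow-up.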
@@ -74,13 +76,6 @@
 /* TPM2 specifies vendor commands need to have this bit set. Vendor command
    space is defined by the lower 16 bits. */
 #define TPM_CC_VENDOR_BIT_MASK 0x20000000
-/* FIXME: below is not enough to differentiate between vendors commands
-   of numerous devices. However, the current tpm2 APIs aren't very amenable
-   to extending generically because the marshaling code is assuming all
-   knowledge of all commands. */
-#define TPM2_CR50_VENDOR_COMMAND ((TPM_CC)(TPM_CC_VENDOR_BIT_MASK | 0))
-#define  TPM2_CR50_SUB_CMD_NVMEM_ENABLE_COMMITS (21)
-#define  TPM2_CR50_SUB_CMD_TURN_UPDATE_ON (24)
 
 /* Startup values. */
 #define TPM_SU_CLEAR 0
diff --git a/src/security/tpm/tss/vendor/cr50/Kconfig b/src/security/tpm/tss/vendor/cr50/Kconfig
new file mode 100644
index 0000000..2e34d2c
--- /dev/null
+++ b/src/security/tpm/tss/vendor/cr50/Kconfig
@@ -0,0 +1,29 @@
+## This file is part of the coreboot project.
+##
+## Copyright (C) 2018 Facebook, Inc.
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; version 2 of the License.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+## GNU General Public License for more details.
+##
+
+config TPM_CR50
+	bool
+	default y
+	depends on MAINBOARD_HAS_I2C_TPM_CR50 || MAINBOARD_HAS_SPI_TPM_CR50
+	depends on TPM2
+	select POWER_OFF_ON_CR50_UPDATE if ARCH_X86
+
+if TPM_CR50
+
+config POWER_OFF_ON_CR50_UPDATE
+	bool
+	help
+	  Power off machine while waiting for CR50 update to take effect.
+
+endif
diff --git a/src/security/tpm/tss/vendor/cr50/Makefile.inc b/src/security/tpm/tss/vendor/cr50/Makefile.inc
new file mode 100644
index 0000000..25a629c
--- /dev/null
+++ b/src/security/tpm/tss/vendor/cr50/Makefile.inc
@@ -0,0 +1,5 @@
+ramstage-y += tss/vendor/cr50/tss.c
+romstage-y += tss/vendor/cr50/tss.c
+
+verstage-$(CONFIG_VBOOT) += tss/vendor/cr50/tss.c
+postcar-$(CONFIG_VBOOT) += tss/vendor/cr50/tss.c
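Review bot: The cr50 vendor tss.c is added to ramstage and romstage unconditionally (L2985–L2986) even though the Kconfig at L2964–L2968 only defines `TPM_CR50` for TPM2 boards with a cr50, and the file depends on the tcg-2.0 marshaling header and `TPM2_CR50_*` definitions (L3010, L3014); unless the parent Makefile.inc only descends into this directory when `CONFIG_TPM_CR50` is set, which the diff does not show, every other TPM build would compile it. Gate all four lines on the new symbol, e.g. `ramstage-$(CONFIG_TPM_CR50) += tss/vendor/cr50/tss.c`, and likewise for the verstage/postcar lines with both conditions.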
diff --git a/src/security/tpm/tss/vendor/cr50/tss.c b/src/security/tpm/tss/vendor/cr50/tss.c
new file mode 100644
index 0000000..90f7963
--- /dev/null
+++ b/src/security/tpm/tss/vendor/cr50/tss.c
@@ -0,0 +1,54 @@
+/*
+ * Copyright 2016 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include <arch/early_variables.h>
+#include <console/console.h>
+#include <endian.h>
+#include <string.h>
+#include <vb2_api.h>
+#include <security/tpm/tis.h>
+#include <security/tpm/tss.h>
+
+#include "../../tcg-2.0/tss_marshaling.h"
+
+uint32_t tlcl_cr50_enable_nvcommits(void)
+{
+	uint16_t sub_command = TPM2_CR50_SUB_CMD_NVMEM_ENABLE_COMMITS;
+	struct tpm2_response *response;
+
+	printk(BIOS_INFO, "Enabling cr50 nvmem commmits\n");
+
+	response = tpm_process_command(TPM2_CR50_VENDOR_COMMAND, &sub_command);
+
+	if (response == NULL || (response && response->hdr.tpm_code)) {
+		if (response)
+			printk(BIOS_INFO, "%s: failed %x\n", __func__,
+				response->hdr.tpm_code);
+		else
+			printk(BIOS_INFO, "%s: failed\n", __func__);
+		return TPM_E_IOERROR;
+	}
+	return TPM_SUCCESS;
+}
+
+uint32_t tlcl_cr50_enable_update(uint16_t timeout_ms,
+				 uint8_t *num_restored_headers)
+{
+	struct tpm2_response *response;
+	uint16_t command_body[] = {
+		TPM2_CR50_SUB_CMD_TURN_UPDATE_ON, timeout_ms
+	};
+
+	printk(BIOS_INFO, "Checking cr50 for pending updates\n");
+
+	response = tpm_process_command(TPM2_CR50_VENDOR_COMMAND, command_body);
+
+	if (!response || response->hdr.tpm_code)
+		return TPM_E_INTERNAL_INCONSISTENCY;
+
+	*num_restored_headers = response->vcr.num_restored_headers;
+	return TPM_SUCCESS;
+}
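Review bot: The condition at L3021, `response == NULL || (response && response->hdr.tpm_code)`, is redundant — the second `response &&` can never be false when reached — and should read `if (!response || response->hdr.tpm_code)`, matching L3044 in the same file. The code is moved verbatim from tcg-2.0/tss.c (L2854–L2891), but as a new file it should not inherit this. `tlcl_cr50_enable_update` writes through `num_restored_headers` at L3047 without a NULL check; either document in tss.h that the pointer must be non-NULL or guard it. Of the includes at L3002–L3006, nothing in the visible file uses `early_variables.h`, `endian.h`, `string.h` or `vb2_api.h`, so they appear to have been copied over along with the code.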
diff --git a/src/security/tpm/tss/vendor/cr50/tss_structures.h b/src/security/tpm/tss/vendor/cr50/tss_structures.h
new file mode 100644
index 0000000..bc0600f
--- /dev/null
+++ b/src/security/tpm/tss/vendor/cr50/tss_structures.h
@@ -0,0 +1,28 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright 2017 Facebook Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+ #ifndef CR50_TSS_STRUCTURES_H_
+ #define CR50_TSS_STRUCTURES_H_
+
+ #include <stdint.h>
+
+ /* FIXME: below is not enough to differentiate between vendors commands
+    of numerous devices. However, the current tpm2 APIs aren't very amenable
+    to extending generically because the marshaling code is assuming all
+    knowledge of all commands. */
+ #define TPM2_CR50_VENDOR_COMMAND ((TPM_CC)(TPM_CC_VENDOR_BIT_MASK | 0))
+ #define TPM2_CR50_SUB_CMD_NVMEM_ENABLE_COMMITS (21)
+ #define TPM2_CR50_SUB_CMD_TURN_UPDATE_ON (24)
+
+ #endif  /* CR50_TSS_STRUCTURES_H_ */
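Review bot: This header is not self-contained: L3079 uses `TPM_CC` and `TPM_CC_VENDOR_BIT_MASK`, but its only include is `<stdint.h>` (L3073), so it compiles only because tss_marshaling.h happens to include tss_structures.h one line earlier (L2899–L2900); it should include the tcg-2.0 structures header (or the common header for `TPM_CC`) itself. Every line after the license block (L3070–L3083) is indented by a leading space, including the preprocessor directives, unlike any other header in this change; remove the indentation. Including a vendor header from the generic tss_marshaling.h (L2900) also couples the generic layer to cr50, which the FIXME at L3075–L3078 acknowledges but a comment at the include site should mention too.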
diff --git a/src/security/tpm/tss_constants.h b/src/security/tpm/tss_constants.h
deleted file mode 100644
index 937e553..0000000
--- a/src/security/tpm/tss_constants.h
+++ /dev/null
@@ -1,100 +0,0 @@
-/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
- * Use of this source code is governed by a BSD-style license that can be
- * found in the LICENSE file.
- *
- * Some TPM constants and type definitions for standalone compilation for use
- * in the firmware
- */
-#ifndef VBOOT_REFERENCE_TSS_CONSTANTS_H_
-#define VBOOT_REFERENCE_TSS_CONSTANTS_H_
-#include <stdint.h>
-
-#define TPM_MAX_COMMAND_SIZE 4096
-#define TPM_LARGE_ENOUGH_COMMAND_SIZE 256  /* saves space in the firmware */
-#define TPM_PUBEK_SIZE 256
-#define TPM_PCR_DIGEST 20
-
-#define TPM_E_NON_FATAL 0x800
-
-#define TPM_SUCCESS ((uint32_t)0x00000000)
-
-#define TPM_E_AREA_LOCKED           ((uint32_t)0x0000003c)
-#define TPM_E_BADINDEX              ((uint32_t)0x00000002)
-#define TPM_E_BAD_PRESENCE          ((uint32_t)0x0000002d)
-#define TPM_E_IOERROR               ((uint32_t)0x0000001f)
-#define TPM_E_INVALID_POSTINIT      ((uint32_t)0x00000026)
-#define TPM_E_MAXNVWRITES           ((uint32_t)0x00000048)
-#define TPM_E_OWNER_SET             ((uint32_t)0x00000014)
-
-#define TPM_E_NEEDS_SELFTEST ((uint32_t)(TPM_E_NON_FATAL + 1))
-#define TPM_E_DOING_SELFTEST ((uint32_t)(TPM_E_NON_FATAL + 2))
-
-#define TPM_E_ALREADY_INITIALIZED    ((uint32_t)0x00005000)  /* vboot local */
-#define TPM_E_INTERNAL_INCONSISTENCY ((uint32_t)0x00005001)  /* vboot local */
-#define TPM_E_MUST_REBOOT            ((uint32_t)0x00005002)  /* vboot local */
-#define TPM_E_CORRUPTED_STATE        ((uint32_t)0x00005003)  /* vboot local */
-#define TPM_E_COMMUNICATION_ERROR    ((uint32_t)0x00005004)  /* vboot local */
-#define TPM_E_RESPONSE_TOO_LARGE     ((uint32_t)0x00005005)  /* vboot local */
-#define TPM_E_NO_DEVICE              ((uint32_t)0x00005006)  /* vboot local */
-#define TPM_E_INPUT_TOO_SMALL        ((uint32_t)0x00005007)  /* vboot local */
-#define TPM_E_WRITE_FAILURE          ((uint32_t)0x00005008)  /* vboot local */
-#define TPM_E_READ_EMPTY             ((uint32_t)0x00005009)  /* vboot local */
-#define TPM_E_READ_FAILURE           ((uint32_t)0x0000500a)  /* vboot local */
-#define TPM_E_NV_DEFINED             ((uint32_t)0x0000500b)  /* vboot local */
-
-#define TPM_NV_INDEX0 ((uint32_t)0x00000000)
-#define TPM_NV_INDEX_LOCK ((uint32_t)0xffffffff)
-#define TPM_NV_PER_GLOBALLOCK (((uint32_t)1)<<15)
-#define TPM_NV_PER_PPWRITE (((uint32_t)1)<<0)
-#define TPM_NV_PER_READ_STCLEAR (((uint32_t)1)<<31)
-#define TPM_NV_PER_WRITE_STCLEAR (((uint32_t)1)<<14)
-
-#define TPM_TAG_RQU_COMMAND       ((uint16_t) 0xc1)
-#define TPM_TAG_RQU_AUTH1_COMMAND ((uint16_t) 0xc2)
-#define TPM_TAG_RQU_AUTH2_COMMAND ((uint16_t) 0xc3)
-
-#define TPM_TAG_RSP_COMMAND       ((uint16_t) 0xc4)
-#define TPM_TAG_RSP_AUTH1_COMMAND ((uint16_t) 0xc5)
-#define TPM_TAG_RSP_AUTH2_COMMAND ((uint16_t) 0xc6)
-
-/* Some TPM2 return codes used in this library. */
-#define TPM2_RC_SUCCESS    0
-#define TPM2_RC_NV_DEFINED 0x14c
-
-typedef uint8_t TSS_BOOL;
-typedef uint16_t TPM_STRUCTURE_TAG;
-
-typedef struct tdTPM_PERMANENT_FLAGS {
-	TPM_STRUCTURE_TAG tag;
-	TSS_BOOL disable;
-	TSS_BOOL ownership;
-	TSS_BOOL deactivated;
-	TSS_BOOL readPubek;
-	TSS_BOOL disableOwnerClear;
-	TSS_BOOL allowMaintenance;
-	TSS_BOOL physicalPresenceLifetimeLock;
-	TSS_BOOL physicalPresenceHWEnable;
-	TSS_BOOL physicalPresenceCMDEnable;
-	TSS_BOOL CEKPUsed;
-	TSS_BOOL TPMpost;
-	TSS_BOOL TPMpostLock;
-	TSS_BOOL FIPS;
-	TSS_BOOL Operator;
-	TSS_BOOL enableRevokeEK;
-	TSS_BOOL nvLocked;
-	TSS_BOOL readSRKPub;
-	TSS_BOOL tpmEstablished;
-	TSS_BOOL maintenanceDone;
-	TSS_BOOL disableFullDALogicInfo;
-} TPM_PERMANENT_FLAGS;
-
-typedef struct tdTPM_STCLEAR_FLAGS {
-	TPM_STRUCTURE_TAG tag;
-	TSS_BOOL deactivated;
-	TSS_BOOL disableForceClear;
-	TSS_BOOL physicalPresence;
-	TSS_BOOL physicalPresenceLock;
-	TSS_BOOL bGlobalLock;
-} TPM_STCLEAR_FLAGS;
-
-#endif  /* VBOOT_REFERENCE_TSS_CONSTANTS_H_ */
diff --git a/src/security/tpm/tss_error_messages.h b/src/security/tpm/tss_error_messages.h
deleted file mode 100644
index d597860..0000000
--- a/src/security/tpm/tss_error_messages.h
+++ /dev/null
@@ -1,255 +0,0 @@
-/* Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
- * Use of this source code is governed by a BSD-style license that can be
- * found in the LICENSE file.
- */
-
-/* TPM error codes.
- *
- * Copy-pasted and lightly edited from TCG TPM Main Part 2 TPM Structures
- * Version 1.2 Level 2 Revision 103 26 October 2006 Draft.
- */
-
-#ifndef TSS_ERROR_MESSAGES_H_
-#define TSS_ERROR_MESSAGES_H_
-
-#define TPM_E_BASE 0x0
-#define TPM_E_NON_FATAL 0x800
-
-typedef struct tpm_error_info {
-	const char *name;
-	uint32_t code;
-	const char *description;
-} tpm_error_info;
-
-tpm_error_info tpm_error_table[] = {
-	{"TPM_AUTHFAIL", TPM_E_BASE + 1,
-	 "Authentication failed"},
-	{"TPM_BADINDEX", TPM_E_BASE + 2,
-	 "The index to a PCR, DIR or other register is incorrect"},
-	{"TPM_BAD_PARAMETER", TPM_E_BASE + 3,
-	 "One or more parameter is bad"},
-	{"TPM_AUDITFAILURE", TPM_E_BASE + 4,
-	 "An operation completed successfully\n\
-but the auditing of that operation failed"},
-	{"TPM_CLEAR_DISABLED", TPM_E_BASE + 5,
-	 "The clear disable flag is set and all clear operations now require\n\
-physical access"},
-	{"TPM_DEACTIVATED", TPM_E_BASE + 6,
-	 "The TPM is deactivated"},
-	{"TPM_DISABLED", TPM_E_BASE + 7,
-	 "The TPM is disabled"},
-	{"TPM_DISABLED_CMD", TPM_E_BASE + 8,
-	 "The target command has been disabled"},
-	{"TPM_FAIL", TPM_E_BASE + 9,
-	 "The operation failed"},
-	{"TPM_BAD_ORDINAL", TPM_E_BASE + 10,
-	 "The ordinal was unknown or inconsistent"},
-	{"TPM_INSTALL_DISABLED", TPM_E_BASE + 11,
-	 "The ability to install an owner is disabled"},
-	{"TPM_INVALID_KEYHANDLE", TPM_E_BASE + 12,
-	 "The key handle can not be interpreted"},
-	{"TPM_KEYNOTFOUND", TPM_E_BASE + 13,
-	 "The key handle points to an invalid key"},
-	{"TPM_INAPPROPRIATE_ENC", TPM_E_BASE + 14,
-	 "Unacceptable encryption scheme"},
-	{"TPM_MIGRATEFAIL", TPM_E_BASE + 15,
-	 "Migration authorization failed"},
-	{"TPM_INVALID_PCR_INFO", TPM_E_BASE + 16,
-	 "PCR information could not be interpreted"},
-	{"TPM_NOSPACE", TPM_E_BASE + 17,
-	 "No room to load key"},
-	{"TPM_NOSRK", TPM_E_BASE + 18,
-	 "There is no SRK set"},
-	{"TPM_NOTSEALED_BLOB", TPM_E_BASE + 19,
-	 "An encrypted blob is invalid or was not created by this TPM"},
-	{"TPM_OWNER_SET", TPM_E_BASE + 20,
-	 "There is already an Owner"},
-	{"TPM_RESOURCES", TPM_E_BASE + 21,
-	 "The TPM has insufficient internal resources to perform the requested \
-action"},
-	{"TPM_SHORTRANDOM", TPM_E_BASE + 22,
-	 "A random string was too short"},
-	{"TPM_SIZE", TPM_E_BASE + 23,
-	 "The TPM does not have the space to perform the operation"},
-	{"TPM_WRONGPCRVAL", TPM_E_BASE + 24,
-	 "The named PCR value does not match the current PCR value"},
-	{"TPM_BAD_PARAM_SIZE", TPM_E_BASE + 25,
-	 "The paramSize argument to the command has the incorrect value"},
-	{"TPM_SHA_THREAD", TPM_E_BASE + 26,
-	 "There is no existing SHA-1 thread"},
-	{"TPM_SHA_ERROR", TPM_E_BASE + 27,
-	 "The calculation is unable to proceed because the existing SHA-1\n\
-thread has already encountered an error"},
-	{"TPM_FAILEDSELFTEST", TPM_E_BASE + 28,
-	 "Self-test has failed and the TPM has shutdown"},
-	{"TPM_AUTH2FAIL", TPM_E_BASE + 29,
-	 "The authorization for the second key in a 2 key function\n\
-failed authorization"},
-	{"TPM_BADTAG", TPM_E_BASE + 30,
-	 "The tag value sent to for a command is invalid"},
-	{"TPM_IOERROR", TPM_E_BASE + 31,
-	 "An IO error occurred transmitting information to the TPM"},
-	{"TPM_ENCRYPT_ERROR", TPM_E_BASE + 32,
-	 "The encryption process had a problem"},
-	{"TPM_DECRYPT_ERROR", TPM_E_BASE + 33,
-	 "The decryption process did not complete"},
-	{"TPM_INVALID_AUTHHANDLE", TPM_E_BASE + 34,
-	 "An invalid handle was used"},
-	{"TPM_NO_ENDORSEMENT", TPM_E_BASE + 35,
-	 "The TPM does not a EK installed"},
-	{"TPM_INVALID_KEYUSAGE", TPM_E_BASE + 36,
-	 "The usage of a key is not allowed"},
-	{"TPM_WRONG_ENTITYTYPE", TPM_E_BASE + 37,
-	 "The submitted entity type is not allowed"},
-	{"TPM_INVALID_POSTINIT", TPM_E_BASE + 38,
-	 "The command was received in the wrong sequence relative to TPM_Init\n\
-and a subsequent TPM_Startup"},
-	{"TPM_INAPPROPRIATE_SIG", TPM_E_BASE + 39,
-	 "Signed data cannot include additional DER information"},
-	{"TPM_BAD_KEY_PROPERTY", TPM_E_BASE + 40,
-	 "The key properties in TPM_KEY_PARMs are not supported by this TPM"},
-	{"TPM_BAD_MIGRATION", TPM_E_BASE + 41,
-	 "The migration properties of this key are incorrect"},
-	{"TPM_BAD_SCHEME", TPM_E_BASE + 42,
-	 "The signature or encryption scheme for this key is incorrect or not\n\
-permitted in this situation"},
-	{"TPM_BAD_DATASIZE", TPM_E_BASE + 43,
-	 "The size of the data (or blob) parameter is bad or inconsistent\n\
-with the referenced key"},
-	{"TPM_BAD_MODE", TPM_E_BASE + 44,
-	 "A mode parameter is bad, such as capArea or subCapArea for\n\
-TPM_GetCapability, physicalPresence parameter for TPM_PhysicalPresence,\n\
-or migrationType for, TPM_CreateMigrationBlob"},
-	{"TPM_BAD_PRESENCE", TPM_E_BASE + 45,
-	 "Either the physicalPresence or physicalPresenceLock bits\n\
-have the wrong value"},
-	{"TPM_BAD_VERSION", TPM_E_BASE + 46,
-	 "The TPM cannot perform this version of the capability"},
-	{"TPM_NO_WRAP_TRANSPORT", TPM_E_BASE + 47,
-	 "The TPM does not allow for wrapped transport sessions"},
-	{"TPM_AUDITFAIL_UNSUCCESSFUL", TPM_E_BASE + 48,
-	 "TPM audit construction failed and the underlying command\n\
-was returning a failure code also"},
-	{"TPM_AUDITFAIL_SUCCESSFUL", TPM_E_BASE + 49,
-	 "TPM audit construction failed and the underlying command\n\
-was returning success"},
-	{"TPM_NOTRESETABLE", TPM_E_BASE + 50,
-	 "Attempt to reset a PCR register that does not have the resettable \
-attribute"},
-	{"TPM_NOTLOCAL", TPM_E_BASE + 51,
-	 "Attempt to reset a PCR register that requires locality\n\
-and locality modifier not part of command transport"},
-	{"TPM_BAD_TYPE", TPM_E_BASE + 52,
-	 "Make identity blob not properly typed"},
-	{"TPM_INVALID_RESOURCE", TPM_E_BASE + 53,
-	 "When saving context identified resource type does not match actual \
-resource"},
-	{"TPM_NOTFIPS", TPM_E_BASE + 54,
-	 "The TPM is attempting to execute a command only available when in \
-FIPS mode"},
-	{"TPM_INVALID_FAMILY", TPM_E_BASE + 55,
-	 "The command is attempting to use an invalid family ID"},
-	{"TPM_NO_NV_PERMISSION", TPM_E_BASE + 56,
-	 "The permission to manipulate the NV storage is not available"},
-	{"TPM_REQUIRES_SIGN", TPM_E_BASE + 57,
-	 "The operation requires a signed command"},
-	{"TPM_KEY_NOTSUPPORTED", TPM_E_BASE + 58,
-	 "Wrong operation to load an NV key"},
-	{"TPM_AUTH_CONFLICT", TPM_E_BASE + 59,
-	 "NV_LoadKey blob requires both owner and blob authorization"},
-	{"TPM_AREA_LOCKED", TPM_E_BASE + 60,
-	 "The NV area is locked and not writable"},
-	{"TPM_BAD_LOCALITY", TPM_E_BASE + 61,
-	 "The locality is incorrect for the attempted operation"},
-	{"TPM_READ_ONLY", TPM_E_BASE + 62,
-	 "The NV area is read only and can't be written to"},
-	{"TPM_PER_NOWRITE", TPM_E_BASE + 63,
-	 "There is no protection on the write to the NV area"},
-	{"TPM_FAMILYCOUNT", TPM_E_BASE + 64,
-	 "The family count value does not match"},
-	{"TPM_WRITE_LOCKED", TPM_E_BASE + 65,
-	 "The NV area has already been written to"},
-	{"TPM_BAD_ATTRIBUTES", TPM_E_BASE + 66,
-	 "The NV area attributes conflict"},
-	{"TPM_INVALID_STRUCTURE", TPM_E_BASE + 67,
-	 "The structure tag and version are invalid or inconsistent"},
-	{"TPM_KEY_OWNER_CONTROL", TPM_E_BASE + 68,
-	 "The key is under control of the TPM Owner and can only be evicted\n\
-by the TPM Owner"},
-	{"TPM_BAD_COUNTER", TPM_E_BASE + 69,
-	 "The counter handle is incorrect"},
-	{"TPM_NOT_FULLWRITE", TPM_E_BASE + 70,
-	 "The write is not a complete write of the area"},
-	{"TPM_CONTEXT_GAP", TPM_E_BASE + 71,
-	 "The gap between saved context counts is too large"},
-	{"TPM_MAXNVWRITES", TPM_E_BASE + 72,
-	 "The maximum number of NV writes without an owner has been exceeded"},
-	{"TPM_NOOPERATOR", TPM_E_BASE + 73,
-	 "No operator AuthData value is set"},
-	{"TPM_RESOURCEMISSING", TPM_E_BASE + 74,
-	 "The resource pointed to by context is not loaded"},
-	{"TPM_DELEGATE_LOCK", TPM_E_BASE + 75,
-	 "The delegate administration is locked"},
-	{"TPM_DELEGATE_FAMILY", TPM_E_BASE + 76,
-	 "Attempt to manage a family other then the delegated family"},
-	{"TPM_DELEGATE_ADMIN", TPM_E_BASE + 77,
-	 "Delegation table management not enabled"},
-	{"TPM_TRANSPORT_NOTEXCLUSIVE", TPM_E_BASE + 78,
-	 "There was a command executed outside of an exclusive transport \
-session"},
-	{"TPM_OWNER_CONTROL", TPM_E_BASE + 79,
-	 "Attempt to context save a owner evict controlled key"},
-	{"TPM_DAA_RESOURCES", TPM_E_BASE + 80,
-	 "The DAA command has no resources available to execute the command"},
-	{"TPM_DAA_INPUT_DATA0", TPM_E_BASE + 81,
-	 "The consistency check on DAA parameter inputData0 has failed"},
-	{"TPM_DAA_INPUT_DATA1", TPM_E_BASE + 82,
-	 "The consistency check on DAA parameter inputData1 has failed"},
-	{"TPM_DAA_ISSUER_SETTINGS", TPM_E_BASE + 83,
-	 "The consistency check on DAA_issuerSettings has failed"},
-	{"TPM_DAA_TPM_SETTINGS", TPM_E_BASE + 84,
-	 "The consistency check on DAA_tpmSpecific has failed"},
-	{"TPM_DAA_STAGE", TPM_E_BASE + 85,
-	 "The atomic process indicated by the submitted DAA command is not\n\
-the expected process"},
-	{"TPM_DAA_ISSUER_VALIDITY", TPM_E_BASE + 86,
-	 "The issuer's validity check has detected an inconsistency"},
-	{"TPM_DAA_WRONG_W", TPM_E_BASE + 87,
-	 "The consistency check on w has failed"},
-	{"TPM_BAD_HANDLE", TPM_E_BASE + 88,
-	 "The handle is incorrect"},
-	{"TPM_BAD_DELEGATE", TPM_E_BASE + 89,
-	 "Delegation is not correct"},
-	{"TPM_BADCONTEXT", TPM_E_BASE + 90,
-	 "The context blob is invalid"},
-	{"TPM_TOOMANYCONTEXTS", TPM_E_BASE + 91,
-	 "Too many contexts held by the TPM"},
-	{"TPM_MA_TICKET_SIGNATURE", TPM_E_BASE + 92,
-	 "Migration authority signature validation failure"},
-	{"TPM_MA_DESTINATION", TPM_E_BASE + 93,
-	 "Migration destination not authenticated"},
-	{"TPM_MA_SOURCE", TPM_E_BASE + 94,
-	 "Migration source incorrect"},
-	{"TPM_MA_AUTHORITY", TPM_E_BASE + 95,
-	 "Incorrect migration authority"},
-	{"TPM_PERMANENTEK", TPM_E_BASE + 97,
-	 "Attempt to revoke the EK and the EK is not revocable"},
-	{"TPM_BAD_SIGNATURE", TPM_E_BASE + 98,
-	 "Bad signature of CMK ticket"},
-	{"TPM_NOCONTEXTSPACE", TPM_E_BASE + 99,
-	 "There is no room in the context list for additional contexts"},
-	{"TPM_RETRY", TPM_E_BASE + TPM_E_NON_FATAL,
-	 "The TPM is too busy to respond to the command immediately, but\n\
-the command could be resubmitted at a later time.  The TPM MAY\n\
-return TPM_RETRY for any command at any time"},
-	{"TPM_NEEDS_SELFTEST", TPM_E_BASE + TPM_E_NON_FATAL + 1,
-	 "TPM_ContinueSelfTest has not been run"},
-	{"TPM_DOING_SELFTEST", TPM_E_BASE + TPM_E_NON_FATAL + 2,
-	 "The TPM is currently executing the actions of TPM_ContinueSelfTest\n\
-because the ordinal required resources that have not been tested"},
-	{"TPM_DEFEND_LOCK_RUNNING", TPM_E_BASE + TPM_E_NON_FATAL + 3,
-	 "The TPM is defending against dictionary attacks and is in some\n\
-time-out period"},
-};
-
-#endif				/* TSS_ERROR_MESSAGES_H_ */
diff --git a/src/security/tpm/tss_errors.h b/src/security/tpm/tss_errors.h
new file mode 100644
index 0000000..e2f1486
--- /dev/null
+++ b/src/security/tpm/tss_errors.h
@@ -0,0 +1,42 @@
+/* Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+/* TPM error codes.
+ *
+ * Copy-pasted and lightly edited from TCG TPM Main Part 2 TPM Structures
+ * Version 1.2 Level 2 Revision 103 26 October 2006 Draft.
+ */
+
+#ifndef TSS_ERRORS_H_
+#define TSS_ERRORS_H_
+
+#define TPM_E_BASE 0x0
+#define TPM_E_NON_FATAL 0x800
+
+#define TPM_E_AREA_LOCKED           ((uint32_t)0x0000003c)
+#define TPM_E_BADINDEX              ((uint32_t)0x00000002)
+#define TPM_E_BAD_PRESENCE          ((uint32_t)0x0000002d)
+#define TPM_E_IOERROR               ((uint32_t)0x0000001f)
+#define TPM_E_INVALID_POSTINIT      ((uint32_t)0x00000026)
+#define TPM_E_MAXNVWRITES           ((uint32_t)0x00000048)
+#define TPM_E_OWNER_SET             ((uint32_t)0x00000014)
+
+#define TPM_E_NEEDS_SELFTEST ((uint32_t)(TPM_E_NON_FATAL + 1))
+#define TPM_E_DOING_SELFTEST ((uint32_t)(TPM_E_NON_FATAL + 2))
+
+#define TPM_E_ALREADY_INITIALIZED    ((uint32_t)0x00005000)  /* vboot local */
+#define TPM_E_INTERNAL_INCONSISTENCY ((uint32_t)0x00005001)  /* vboot local */
+#define TPM_E_MUST_REBOOT            ((uint32_t)0x00005002)  /* vboot local */
+#define TPM_E_CORRUPTED_STATE        ((uint32_t)0x00005003)  /* vboot local */
+#define TPM_E_COMMUNICATION_ERROR    ((uint32_t)0x00005004)  /* vboot local */
+#define TPM_E_RESPONSE_TOO_LARGE     ((uint32_t)0x00005005)  /* vboot local */
+#define TPM_E_NO_DEVICE              ((uint32_t)0x00005006)  /* vboot local */
+#define TPM_E_INPUT_TOO_SMALL        ((uint32_t)0x00005007)  /* vboot local */
+#define TPM_E_WRITE_FAILURE          ((uint32_t)0x00005008)  /* vboot local */
+#define TPM_E_READ_EMPTY             ((uint32_t)0x00005009)  /* vboot local */
+#define TPM_E_READ_FAILURE           ((uint32_t)0x0000500a)  /* vboot local */
+#define TPM_E_NV_DEFINED             ((uint32_t)0x0000500b)  /* vboot local */
+
+#endif /* TSS_ERRORS_H_ */
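Review bot: Every `TPM_E_*` definition from `TPM_E_AREA_LOCKED` onwards casts to `uint32_t`, but unlike the deleted tss_constants.h this header has no `#include <stdint.h>`, so a file that includes it before a stdint-providing header fails to compile; add `#include <stdint.h>` directly after `#define TSS_ERRORS_H_`. `TPM_SUCCESS`, which the deleted file defined and which the new cr50 command code earlier in this change returns, is not carried over here; presumably it moved to another header of this series, but it is worth confirming, since otherwise the success code ends up defined away from the error codes it is compared against. The header comment "Copy-pasted and lightly edited from TCG TPM Main Part 2" now covers only the first block; the entries marked `/* vboot local */` are not spec codes and the comment could say so in one line.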
diff --git a/src/soc/intel/apollolake/Kconfig b/src/soc/intel/apollolake/Kconfig
index 8cac151..9161297 100644
--- a/src/soc/intel/apollolake/Kconfig
+++ b/src/soc/intel/apollolake/Kconfig
@@ -124,7 +124,6 @@
 config TPM_ON_FAST_SPI
 	bool
 	default n
-	select LPC_TPM
 	help
 	 TPM part is conntected on Fast SPI interface, but the LPC MMIO
 	 TPM transactions are decoded and serialized over the SPI interface.
diff --git a/src/soc/intel/baytrail/romstage/romstage.c b/src/soc/intel/baytrail/romstage/romstage.c
index 980064c..e38957e 100644
--- a/src/soc/intel/baytrail/romstage/romstage.c
+++ b/src/soc/intel/baytrail/romstage/romstage.c
@@ -30,7 +30,7 @@
 #include <stage_cache.h>
 #include <string.h>
 #include <timestamp.h>
-#include <security/tpm/tis.h>
+#include <security/tpm/tspi.h>
 #include <vendorcode/google/chromeos/chromeos.h>
 #include <soc/gpio.h>
 #include <soc/iomap.h>
@@ -229,9 +229,8 @@
 
 	romstage_handoff_init(prev_sleep_state == ACPI_S3);
 
-	if (IS_ENABLED(CONFIG_LPC_TPM)) {
-		init_tpm(prev_sleep_state == ACPI_S3);
-	}
+	if (IS_ENABLED(CONFIG_TPM1) || IS_ENABLED(CONFIG_TPM2))
+		tpm_setup(prev_sleep_state == ACPI_S3);
 }
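Review bot: The new guard `if (IS_ENABLED(CONFIG_TPM1) || IS_ENABLED(CONFIG_TPM2))` around `tpm_setup()` is repeated verbatim in src/soc/intel/broadwell/romstage/romstage.c in this change, and a board that misses one side of the condition silently skips TPM setup; a single Kconfig symbol, or a helper in tspi.h that carries the check, would keep it in one place. The return value of `tpm_setup()` is discarded at both call sites; if it can report failure (not visible from this hunk), the S3 resume path would continue without any log line, so a `printk` of a non-success result would make a skipped or failed TPM init visible in the boot log. The enclosing function starts outside the hunk.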
 
 void asmlinkage romstage_after_car(void)
diff --git a/src/soc/intel/braswell/romstage/romstage.c b/src/soc/intel/braswell/romstage/romstage.c
index 7cedf90..2fbe406 100644
--- a/src/soc/intel/braswell/romstage/romstage.c
+++ b/src/soc/intel/braswell/romstage/romstage.c
@@ -43,7 +43,7 @@
 #include <soc/romstage.h>
 #include <soc/smm.h>
 #include <soc/spi.h>
-#include <security/tpm/tis.h>
+#include <security/tpm/tspi.h>
 
 void program_base_addresses(void)
 {
diff --git a/src/soc/intel/broadwell/romstage/romstage.c b/src/soc/intel/broadwell/romstage/romstage.c
index 8a3f291..1e2aa22 100644
--- a/src/soc/intel/broadwell/romstage/romstage.c
+++ b/src/soc/intel/broadwell/romstage/romstage.c
@@ -26,7 +26,7 @@
 #include <cbmem.h>
 #include <cpu/x86/mtrr.h>
 #include <elog.h>
-#include <security/tpm/tis.h>
+#include <security/tpm/tspi.h>
 #include <program_loading.h>
 #include <romstage_handoff.h>
 #include <stage_cache.h>
@@ -111,9 +111,8 @@
 
 	romstage_handoff_init(params->power_state->prev_sleep_state == ACPI_S3);
 
-#if IS_ENABLED(CONFIG_LPC_TPM)
-	init_tpm(params->power_state->prev_sleep_state == ACPI_S3);
-#endif
+	if (IS_ENABLED(CONFIG_TPM1) || IS_ENABLED(CONFIG_TPM2))
+		tpm_setup(params->power_state->prev_sleep_state == ACPI_S3);
 }
 
 asmlinkage void romstage_after_car(void)
diff --git a/src/soc/intel/common/Makefile.inc b/src/soc/intel/common/Makefile.inc
index bfd6a77..def7d24 100644
--- a/src/soc/intel/common/Makefile.inc
+++ b/src/soc/intel/common/Makefile.inc
@@ -25,10 +25,10 @@
 ramstage-y += vbt.c
 ramstage-$(CONFIG_SOC_INTEL_COMMON_NHLT) += nhlt.c
 
-bootblock-$(CONFIG_MAINBOARD_HAS_TPM_CR50) += tpm_tis.c
-verstage-$(CONFIG_MAINBOARD_HAS_TPM_CR50) += tpm_tis.c
-romstage-$(CONFIG_MAINBOARD_HAS_TPM_CR50) += tpm_tis.c
-ramstage-$(CONFIG_MAINBOARD_HAS_TPM_CR50) += tpm_tis.c
+bootblock-$(CONFIG_TPM_CR50) += tpm_tis.c
+verstage-$(CONFIG_TPM_CR50) += tpm_tis.c
+romstage-$(CONFIG_TPM_CR50) += tpm_tis.c
+ramstage-$(CONFIG_TPM_CR50) += tpm_tis.c
 
 ifeq ($(CONFIG_MMA),y)
 MMA_BLOBS_PATH = $(call strip_quotes,$(CONFIG_MMA_BLOBS_PATH))
diff --git a/src/vendorcode/google/chromeos/Kconfig b/src/vendorcode/google/chromeos/Kconfig
index 1a4ac4f..4f1fad9 100644
--- a/src/vendorcode/google/chromeos/Kconfig
+++ b/src/vendorcode/google/chromeos/Kconfig
@@ -33,7 +33,7 @@
 
 config CR50_IMMEDIATELY_COMMIT_FW_SECDATA
 	bool
-	default y if MAINBOARD_HAS_TPM_CR50
+	default y if TPM_CR50
 
 config CHROMEOS_RAMOOPS
 	bool "Reserve space for Chrome OS ramoops"
diff --git a/src/vendorcode/google/chromeos/Makefile.inc b/src/vendorcode/google/chromeos/Makefile.inc
index 9d87f6e..e833e0d 100644
--- a/src/vendorcode/google/chromeos/Makefile.inc
+++ b/src/vendorcode/google/chromeos/Makefile.inc
@@ -22,7 +22,7 @@
 ramstage-$(CONFIG_CHROMEOS_DISABLE_PLATFORM_HIERARCHY_ON_RESUME) += tpm2.c
 ramstage-$(CONFIG_HAVE_REGULATORY_DOMAIN) += wrdd.c
 ramstage-$(CONFIG_USE_SAR) += sar.c
-ramstage-$(CONFIG_MAINBOARD_HAS_TPM_CR50) += cr50_enable_update.c
+ramstage-$(CONFIG_TPM_CR50) += cr50_enable_update.c
 ifeq ($(CONFIG_ARCH_MIPS),)
 bootblock-y += watchdog.c
 ramstage-y += watchdog.c

-- 
To view, visit https://review.coreboot.org/25988

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I2d818d9e1b5c3ad7ebc4f2cdb1e3070f843fb2aa
Gerrit-Change-Number: 25988
Gerrit-PatchSet: 1
Gerrit-Owner: Philipp Deppenwiese <zaolin.daisuki at gmail.com>