[SeaBIOS] [PATCH 00/10] Some TPM simplifications
Kevin O'Connor
kevin at koconnor.net
Wed Jan 6 18:47:29 CET 2016
On Wed, Jan 06, 2016 at 11:55:19AM -0500, Stefan Berger wrote:
> "Kevin O'Connor" <kevin at koconnor.net> wrote on 01/05/2016 11:03:00 PM:
> > On Tue, Jan 05, 2016 at 10:07:54PM -0500, Stefan Berger wrote:
> > > "Kevin O'Connor" <kevin at koconnor.net> wrote on 01/05/2016 08:55:51 PM:
> > > > Then it sounds like the only time we need to call tpm_set_failure is
> > > > on a failure of a TPM_ORD_Extend command. It might also make sense
> to
> > > > deactivate the TPM if we detect the hardware but don't have the acpi
> > > > tables present.
> > >
> > > I would also deactivate it if it returned an error to
> > > TPM_ORD_Startup, TPM_ORD_SelfTestFull. Since the menu is written in
> > > such a way that the user only has the choices that are valid for the
> > > current state, also those commands have to work, unless the TPM is
> > > defective. Or is that too strict?
> >
> > Attempting to deactivate if TPM_ORD_Startup or TPM_ORD_SelfTestFull
> > fail makes sense.
> >
> > I wonder if the code could attempt to assert physical presence in
> > tpm_startup() and only enable the tpm menu if that succeeds.
>
> There are two ways to assert physical presence, one is via software, the
> other via hardware.
I should have said, "I wonder if the code could check if software
physical presence has been enabled in tpm_startup() and only enable
the tpm menu if that succeeds". That is, could we issue a
TPM_ORD_PhysicalPresence(NOT_PRESENT) and if it succeeds then we
enable the menu and make sure we always issue a LOCK before booting.
If the command fails then the code assumes it has no requirements wrt
physical presence.
If that's too restrictive, could the startup code query if either
CMD_ENABLE has already been set or if LifetimeLock has not been set?
> For hardware assertion there's a PIN on the chip that indicates the
> state of a dip switch for example. Problem is, this assertion cannot
> easily be read as a flag. We have to infer this via a command. So
> the trick seems to be to send TPM_PhysicalEnable/TPM_PhysicalDisable
> with the value that's already there.
Is there any BIOS requirements when hardware physical presence is in
use though? If the hardware physical presence is set, then the BIOS
can't limit the owner/activate/enable commands. So, why bother with
the tpm menu - the user could just administer those settings from the
OS.
-Kevin
More information about the SeaBIOS
mailing list