[SeaBIOS] [PATCH 5/5] Give up physical presence when setting TPM into failure mode
Kevin O'Connor
kevin at koconnor.net
Wed Jan 6 21:27:56 CET 2016
On Wed, Jan 06, 2016 at 01:15:57PM -0500, Stefan Berger wrote:
> From: Stefan Berger <stefanb at linux.vnet.ibm.com>
>
> After temporarily deactivating the TPM, also give up physical
> presence to disable more commands.
>
> Signed-off-by: Stefan Berger <stefanb at linux.vnet.ibm.com>
> ---
> src/tcgbios.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/src/tcgbios.c b/src/tcgbios.c
> index 7bcbdde..685075f 100644
> --- a/src/tcgbios.c
> +++ b/src/tcgbios.c
> @@ -227,6 +227,16 @@ tpm_set_failure(void)
> tpm_send_cmd(0, TPM_ORD_SetTempDeactivated,
> NULL, 0, TPM_DURATION_TYPE_SHORT);
>
> + tpm_send_cmd(0, TPM_ORD_PhysicalPresence,
> + PhysicalPresence_CMD_ENABLE,
> + sizeof(PhysicalPresence_CMD_ENABLE),
> + TPM_DURATION_TYPE_SHORT);
I don't think this extra CMD_ENABLE makes sense here. Actually, can't
we remove both the CMD_ENABLE and PRESENT from tpm_set_failure() now
that it's always done during setup?
> + tpm_send_cmd(0, TPM_ORD_PhysicalPresence,
> + PhysicalPresence_NOT_PRESENT_LOCK,
> + sizeof(PhysicalPresence_NOT_PRESENT_LOCK),
> + TPM_DURATION_TYPE_SHORT);
Instead of issuing NOT_PRESENT_LOCK in both prepboot and
tpm_set_failure(), couldn't we just make sure prepboot issues
NOT_PRESENT_LOCK whenever TPM_can_show_menu is true. Maybe rename
TPM_can_show_menu to TPM_has_physical_presence.
-Kevin
More information about the SeaBIOS
mailing list