From: Simon Glass <sjg@chromium.org>
To: u-boot@lists.denx.de
Subject: [PATCH v4 11/11] tpm: Allow disabling platform hierarchy with TPM2
Date: Sat,  6 Feb 2021 14:23:42 -0700
Message-ID: <20210206142327.v4.11.I151cb828b53c98409ab85c3ea82c774fc6cb88f7@changeid>
In-Reply-To: <20210206212343.3567308-1-sjg@chromium.org>

With TPM2 we don't actually lock the TPM once verified boot is finished.
Instead we disable the platform hierarchy which serves the same purpose.
Add an implementation of this so we can safely boot into the kernel.

Signed-off-by: Simon Glass <sjg@chromium.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
---

(no changes since v2)

Changes in v2:
- Add definition of TPM2_RC_NV_DEFINED return code

 include/tpm-v2.h | 13 +++++++++++++
 lib/tpm-v2.c     | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)

diff --git a/include/tpm-v2.h b/include/tpm-v2.h
index 1ca1e7e2011..e18c8b1ccca 100644
--- a/include/tpm-v2.h
+++ b/include/tpm-v2.h
@@ -235,6 +235,7 @@ enum tpm2_handles {
 enum tpm2_command_codes {
 	TPM2_CC_STARTUP		= 0x0144,
 	TPM2_CC_SELF_TEST	= 0x0143,
+	TPM2_CC_HIER_CONTROL	= 0x0121,
 	TPM2_CC_CLEAR		= 0x0126,
 	TPM2_CC_CLEARCONTROL	= 0x0127,
 	TPM2_CC_HIERCHANGEAUTH	= 0x0129,
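Review bot: The new TPM2_CC_HIER_CONTROL name is abbreviated with an underscore, while the neighbouring entries in this enum run the command name together (TPM2_CC_CLEARCONTROL, TPM2_CC_HIERCHANGEAUTH). Consider TPM2_CC_HIERCONTROL so the command codes follow one convention and are easier to grep for.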
@@ -272,6 +273,7 @@ enum tpm2_return_codes {
 	TPM2_RC_COMMAND_CODE	= TPM2_RC_VER1 + 0x0043,
 	TPM2_RC_AUTHSIZE	= TPM2_RC_VER1 + 0x0044,
 	TPM2_RC_AUTH_CONTEXT	= TPM2_RC_VER1 + 0x0045,
+	TPM2_RC_NV_DEFINED	= TPM2_RC_VER1 + 0x004c,
 	TPM2_RC_NEEDS_TEST	= TPM2_RC_VER1 + 0x0053,
 	TPM2_RC_WARN		= 0x0900,
 	TPM2_RC_TESTING		= TPM2_RC_WARN + 0x000A,
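Review bot: TPM2_RC_NV_DEFINED is added here but nothing in this patch's lib/tpm-v2.c hunk refers to it. If its user is the define_space code elsewhere in the series, the definition would be easier to review and bisect in that patch; otherwise please mention in the commit message why it belongs with the platform-hierarchy change.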
@@ -582,4 +584,15 @@ u32 tpm2_get_random(struct udevice *dev, void *data, u32 count);
  */
 u32 tpm2_write_lock(struct udevice *dev, u32 index);
 
+/**
+ * Disable access to any platform data
+ *
+ * This can be called to close off access to the firmware data in the data,
+ * before calling the kernel.
+ *
+ * @dev		TPM device
+ * @return code of the operation
+ */
+u32 tpm2_disable_platform_hierarchy(struct udevice *dev);
+
 #endif /* __TPM_V2_H */
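Review bot: The comment for tpm2_disable_platform_hierarchy() reads "access to the firmware data in the data", which looks like a slip for "in the TPM". While touching it, the kernel-doc block could start with the function name and a one-line summary, and "@return code of the operation" could state that 0 means success and anything else is the TPM return code, since callers use this to decide whether it is safe to continue to the kernel.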
diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c
index b796004930e..235f8c20d43 100644
--- a/lib/tpm-v2.c
+++ b/lib/tpm-v2.c
@@ -624,3 +624,38 @@ u32 tpm2_write_lock(struct udevice *dev, u32 index)
 
 	return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
 }
+
+u32 tpm2_disable_platform_hierarchy(struct udevice *dev)
+{
+	struct tpm_chip_priv *priv = dev_get_uclass_priv(dev);
+	u8 command_v2[COMMAND_BUFFER_SIZE] = {
+		/* header 10 bytes */
+		tpm_u16(TPM2_ST_SESSIONS),	/* TAG */
+		tpm_u32(10 + 4 + 13 + 5),	/* Length */
+		tpm_u32(TPM2_CC_HIER_CONTROL),	/* Command code */
+
+		/* 4 bytes */
+		tpm_u32(TPM2_RH_PLATFORM),	/* Primary platform seed */
+
+		/* session header 9 bytes */
+		tpm_u32(9),			/* Header size */
+		tpm_u32(TPM2_RS_PW),		/* Password authorisation */
+		tpm_u16(0),			/* nonce_size */
+		0,				/* session_attrs */
+		tpm_u16(0),			/* auth_size */
+
+		/* payload 5 bytes */
+		tpm_u32(TPM2_RH_PLATFORM),	/* Hierarchy to disable */
+		0,				/* 0=disable */
+	};
+	int ret;
+
+	ret = tpm_sendrecv_command(dev, command_v2, NULL, NULL);
+	log_info("ret=%s, %x\n", dev->name, ret);
+	if (ret)
+		return ret;
+
+	priv->plat_hier_disabled = true;
+
+	return 0;
+}
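Review bot: The log_info("ret=%s, %x\n", dev->name, ret) call in tpm2_disable_platform_hierarchy() prints the device name after the "ret=" label and emits at info level on every call, including success. Suggest log_debug() with a format such as "dev=%s, ret=%x", or an error-level message only when ret is non-zero, because a failure here means the platform hierarchy is still enabled when the kernel starts. Also, ret is declared int while the function returns u32 and the value comes from tpm_sendrecv_command(); using u32 for ret keeps the types consistent. A short comment that the 13 in the length field is the 4-byte size word plus the 9-byte session header would make the "10 + 4 + 13 + 5" sum easier to check against the byte-count comments.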
-- 
2.30.0.478.g8a0d178c01-goog
