| field | value | date |
|---|---|---|
| author | Howard Yang <hcyang@google.com> | 2023-03-16 14:10:45 +0800 |
| committer | Chromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com> | 2023-04-27 21:40:32 +0000 |
| commit | c8e6f60c715031e8ac52d04161ece6ae9fca98a7 (patch) | |
| tree | 76b8910d0cdcf68ff9a2a09f61e580d5efbe53bc | |
| parent | c341055675bf25f232e4fb673d819adbd77ec69c (diff) | |
| download | chrome-ec-c8e6f60c715031e8ac52d04161ece6ae9fca98a7.tar.gz | |
cr50: Clear pairing secret upon TPM clear
The pairing secret (Pk) used for biometrics PinWeaver protocol needs to
be cleared during TPM clear.
BUG=b:262040869
TEST=(with dependent CL) pinweaver_client biometrics_selftest
Cq-Depend: chromium:4337481
Change-Id: Ie07869f75aea64a7950d04693722b74c11a913ca
Signed-off-by: Howard Yang <hcyang@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/4344442
Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org>
(cherry picked from commit faa0d9248bf6e7fbdaf441a6b76723455f707c4f)
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/4482196
Reviewed-by: Jett Rink <jettrink@chromium.org>
Tested-by: Mary Ruthven <mruthven@chromium.org>
Commit-Queue: Mary Ruthven <mruthven@chromium.org>
Auto-Submit: Mary Ruthven <mruthven@chromium.org>
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | board/cr50/tpm2/platform.c | 9 |

1 file changed, 8 insertions, 1 deletion
diff --git a/board/cr50/tpm2/platform.c b/board/cr50/tpm2/platform.c index 5bbc927f08..e65dd44a1f 100644 --- a/board/cr50/tpm2/platform.c +++ b/board/cr50/tpm2/platform.c @@ -8,7 +8,9 @@ #include "ccd_config.h" #include "console.h" -#include "pinweaver_cr50.h" +#include "nvmem_vars.h" +#include "pinweaver.h" +#include "pinweaver_eal.h" #include "tpm_nvmem.h" #include "tpm_nvmem_ops.h" #include "dcrypto.h" @@ -133,8 +135,13 @@ BOOL _plat__ShallSurviveOwnerClear(uint32_t index) void _plat__OwnerClearCallback(void) { + int result; enum ec_error_list rv; + /* Invalidate existing biometrics pairing secrets. */ + result = setvar(PW_FP_PK, sizeof(PW_FP_PK) - 1, NULL, 0); + if (result) + CPRINTF("%s: failed (%d)\n", __func__, result); /* Invalidate existing u2f registrations. */ rv = u2f_gen_kek_seed(); if (rv != EC_SUCCESS) |
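Review bot: in the include hunk it is not visible which of the three new headers (nvmem_vars.h, pinweaver.h, pinweaver_eal.h) supplies PW_FP_PK and which supplies setvar(); the only new uses in platform.c are those two symbols, so please confirm that each added header is actually needed here and drop any that is not, and double-check that nothing else in this file still relied on the removed pinweaver_cr50.h.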
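Review bot: in the _plat__OwnerClearCallback hunk, `sizeof(PW_FP_PK) - 1` is only the key length if PW_FP_PK is a string literal or char array; if it is ever changed to a `const char *`, sizeof becomes the pointer size and the wrong key is deleted, so either assert that it is an array or use the length the pinweaver headers define for the key. Also, a failed setvar() here only emits `CPRINTF("%s: failed (%d)\n", __func__, result);` and falls through, which means a TPM clear can complete with the biometrics pairing secret still present and no error reported to the caller; that mirrors the existing u2f_gen_kek_seed() path, but since this is the whole point of the change it is worth stating in the commit message that clearing is best-effort, or reconsidering whether the callback should propagate the failure. Minor style: the new `int result` sits beside `enum ec_error_list rv`; using one error convention in the function would read more consistently.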