authorHoward Yang <hcyang@google.com>2023-03-16 14:10:45 +0800
committerChromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com>2023-05-03 19:41:17 +0000
commit623faa4825eababc1d65a386d62388358b9c8555 (patch)
tree29739eec9b377ca619917543a8680ac9264633e7
parentda8c85b08f3b15adae5368c02c34d2893e787ac3 (diff)
downloadchrome-ec-623faa4825eababc1d65a386d62388358b9c8555.tar.gz
cr50: Clear pairing secret upon TPM clear
The pairing secret (Pk) used for biometrics PinWeaver protocol needs to be cleared during TPM clear. BUG=b:262040869 TEST=(with depended CL) pinweaver_client biometrics_selftest Cq-Depend: chromium:4337481 Change-Id: Ie07869f75aea64a7950d04693722b74c11a913ca Signed-off-by: Howard Yang <hcyang@google.com> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/4344442 Reviewed-by: Vadim Sukhomlinov <sukhomlinov@chromium.org> (cherry picked from commit faa0d9248bf6e7fbdaf441a6b76723455f707c4f) Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/4482196 Reviewed-by: Jett Rink <jettrink@chromium.org> Tested-by: Mary Ruthven <mruthven@chromium.org> Commit-Queue: Mary Ruthven <mruthven@chromium.org> Auto-Submit: Mary Ruthven <mruthven@chromium.org> (cherry picked from commit c8e6f60c715031e8ac52d04161ece6ae9fca98a7) Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/4503726 Reviewed-by: Andrey Pronin <apronin@chromium.org>
-rw-r--r--board/cr50/tpm2/platform.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/board/cr50/tpm2/platform.c b/board/cr50/tpm2/platform.c
index 5bbc927f08..e65dd44a1f 100644
--- a/board/cr50/tpm2/platform.c
+++ b/board/cr50/tpm2/platform.c
@@ -8,7 +8,9 @@
#include "ccd_config.h"
#include "console.h"
-#include "pinweaver_cr50.h"
+#include "nvmem_vars.h"
+#include "pinweaver.h"
+#include "pinweaver_eal.h"
#include "tpm_nvmem.h"
#include "tpm_nvmem_ops.h"
#include "dcrypto.h"
@@ -133,8 +135,13 @@ BOOL _plat__ShallSurviveOwnerClear(uint32_t index)
void _plat__OwnerClearCallback(void)
{
+ int result;
enum ec_error_list rv;
+ /* Invalidate existing biometrics pairing secrets. */
+ result = setvar(PW_FP_PK, sizeof(PW_FP_PK) - 1, NULL, 0);
+ if (result)
+ CPRINTF("%s: failed (%d)\n", __func__, result);
/* Invalidate existing u2f registrations. */
rv = u2f_gen_kek_seed();
if (rv != EC_SUCCESS)
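Review bot: A failed `setvar()` delete of `PW_FP_PK` is only logged, so `_plat__OwnerClearCallback()` carries on and the TPM clear can finish with the old biometrics pairing secret still stored. The function returns void, so the error cannot be propagated from here; at minimum the message should name the step that failed, e.g. `CPRINTF("%s: clearing PW_FP_PK failed (%d)\n", __func__, result);`, because the u2f branch that follows presumably logs under the same `__func__` prefix. It is also worth confirming that deleting the variable through `setvar(..., NULL, 0)` erases the stored secret bytes rather than only unlinking the entry, which cannot be determined from this hunk. The function body continues past the end of the hunk.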