author | Vadim Bendebury <vbendeb@chromium.org> | 2016-07-21 07:14:12 -0700 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2016-07-21 17:32:22 -0700 |
commit | 9b752cbcd41be2d6cf6c8dbbe655aac3e53f146a (patch) | |
tree | 6da677fc5931026510be188c75879a11fce18fda | |
parent | 68244c3f4e67a5dd620ac186c9ad72ab712cc6e7 (diff) | |
tpm: add manufacturing status check
For now the presence of both RSA and EC certificates at fixed NVRAM
indices is considered evidence of TPM being through manufacturing.
BRANCH=none
BUG=chrome-os-partner:50645
TEST=with the rest of the patches applied TPM manufacturing status is
properly detected at startup.
Change-Id: Iff3861603272cdfb58ebc523458c114685b2429f
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/362351
Reviewed-by: Marius Schilder <mschilder@chromium.org>
-rw-r--r-- | board/cr50/build.mk | 1 | ||||
-rw-r--r-- | board/cr50/tpm2/manufacture.c | 43 | ||||
-rw-r--r-- | include/tpm_manufacture.h | 17 |
3 files changed, 61 insertions, 0 deletions
diff --git a/board/cr50/build.mk b/board/cr50/build.mk
index a5023f1e0c..f1b1b18998 100644
--- a/board/cr50/build.mk
+++ b/board/cr50/build.mk
@@ -42,6 +42,7 @@ board-y += tpm2/ecies.o
 board-y += tpm2/hash.o
 board-y += tpm2/hash_data.o
 board-y += tpm2/hkdf.o
+board-y += tpm2/manufacture.o
 board-y += tpm2/platform.o
 board-y += tpm2/rsa.o
 board-y += tpm2/stubs.o
diff --git a/board/cr50/tpm2/manufacture.c b/board/cr50/tpm2/manufacture.c
new file mode 100644
index 0000000000..b2c214c38e
--- /dev/null
+++ b/board/cr50/tpm2/manufacture.c
@@ -0,0 +1,43 @@
+/* Copyright 2016 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "console.h"
+#include "tpm_manufacture.h"
+
+#include "Global.h"
+#include "NV_fp.h"
+#include "Platform.h"
+#include "TPM_Types.h"
+#include "TpmBuildSwitches.h"
+#include "tpm_types.h"
+
+#define CPRINTF(format, args...) cprintf(CC_EXTENSION, format, ## args)
+
+#define EK_CERT_NV_START_INDEX 0x01C00000
+
+int tpm_manufactured(void)
+{
+ uint32_t nv_ram_index;
+ const uint32_t rsa_ek_nv_index = EK_CERT_NV_START_INDEX;
+ const uint32_t ecc_ek_nv_index = EK_CERT_NV_START_INDEX + 1;
+
+ /*
+ * If nvram_index (value written at NV RAM offset of zero) is all
+ * ones, or either endorsement certificate is not installed, consider
+ * the chip un-manufactured.
+ *
+ * Thus, wiping flash NV ram allows to re-manufacture the chip.
+ */
+ _plat__NvMemoryRead(0, sizeof(nv_ram_index), &nv_ram_index);
+ if ((nv_ram_index == ~0) ||
+ (NvIsUndefinedIndex(rsa_ek_nv_index) == TPM_RC_SUCCESS) ||
+ (NvIsUndefinedIndex(ecc_ek_nv_index) == TPM_RC_SUCCESS)) {
+ CPRINTF("%s: NOT manufactured\n", __func__);
+ return 0;
+ }
+
+ CPRINTF("%s: manufactured\n", __func__);
+ return 1;
+}
diff --git a/include/tpm_manufacture.h b/include/tpm_manufacture.h
new file mode 100644
index 0000000000..57eba367f6
--- /dev/null
+++ b/include/tpm_manufacture.h
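Review bot: The condition in `tpm_manufactured()` treats an endorsement certificate as installed as soon as its NV index is defined, so as far as the hunk shows, a chip whose provisioning stopped after the two spaces were defined but before the certificates were written would be reported as manufactured. `NvIsUndefinedIndex()` only answers whether the index exists; the test should also require that each index has been written (the `TPMA_NV_WRITTEN` attribute) and, ideally, that it holds a plausibly sized certificate. Until that is done, a comment above the `if` such as `/* TODO: checks index existence only; TPMA_NV_WRITTEN and contents are not verified. */` would keep callers from reading the result as a certificate validity check. Separately, `nv_ram_index == ~0` compares a `uint32_t` against an `int`; `~0U` or `UINT32_MAX` states the intent, and the block comment names `nvram_index` while the variable is `nv_ram_index`.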
@@ -0,0 +1,17 @@
+/* Copyright 2016 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+/*
+ * This header declares the TPM manufacture related interface.
+ * Individual boards are expected to provide implementations.
+ */
+
+#ifndef __CROS_EC_TPM_MANUFACTURE_H
+#define __CROS_EC_TPM_MANUFACTURE_H
+
+/* Returns non-zero if the TPM manufacture steps have been completed. */
+int tpm_manufactured(void);
+
+#endif /* __CROS_EC_TPM_MANUFACTURE_H */ |
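Review bot: The contract comment on `tpm_manufactured()` does not say what the result depends on or when the function may be called. The cr50 implementation added in this commit reads NV storage and prints to the console on every call, so the declaration should presumably state that NV storage must be initialised first and that a zero return means the device is still in its un-manufactured state. Suggested wording: `/* Returns non-zero if the TPM manufacture steps have been completed. Reads TPM NV state, so call only after NV storage is initialized. */`.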