diff options
author | Namyoon Woo <namyoon@chromium.org> | 2018-12-11 13:41:54 -0800 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2018-12-18 00:42:43 -0800 |
commit | ae966f6cf0b82bd65074599d71a753a7375dc327 (patch) | |
tree | b6f063bb111f430fb313aa6a37dc74ecd75b67e1 /board/cr50/tpm2 | |
parent | c0f7b510be978963eef81af927655a5743e89fd7 (diff) | |
download | chrome-ec-ae966f6cf0b82bd65074599d71a753a7375dc327.tar.gz |
cr50: clear confidential TPM Data on TPM disabling
On TPM disabling, AUTH/SEED/PROOF data in TPM persistent data set
and the loaded objects shall be cleared for better security.
CQ-DEPEND=CL:1362203
BRANCH=cr50
BUG=b:119221935
TEST=Tested manually on eve-campfire dual boot dut.
Checked S3 resume from short|long suspend on Windows.
Checked Warm reboot from Windows to Chrome OS.
Checked Warm reboot from Windows to Windows.
Checked Chrome OS login info preserving.
Change-Id: I8e03f6242cf04e7c824ee54cca99413eb809edea
Signed-off-by: Namyoon Woo <namyoon@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1372029
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Diffstat (limited to 'board/cr50/tpm2')
-rw-r--r-- | board/cr50/tpm2/nvmem_ops.c | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/board/cr50/tpm2/nvmem_ops.c b/board/cr50/tpm2/nvmem_ops.c index 0f2e977967..048b852732 100644 --- a/board/cr50/tpm2/nvmem_ops.c +++ b/board/cr50/tpm2/nvmem_ops.c @@ -5,6 +5,7 @@ #include "Global.h" #include "NV_fp.h" +#include "util.h" void nvmem_wipe_cache(void) { @@ -15,4 +16,27 @@ void nvmem_wipe_cache(void) const uint16_t whitelist_range[] = { 0x1007, 0x100b }; NvSelectivelyInvalidateCache(whitelist_range); + + /* + * Wipe some confidential persistent data + */ + memset(&gp.ownerAuth, 0, sizeof(gp.ownerAuth)); + memset(&gp.endorsementAuth, 0, sizeof(gp.endorsementAuth)); + memset(&gp.lockoutAuth, 0, sizeof(gp.lockoutAuth)); + memset(&gp.EPSeed, 0, sizeof(gp.EPSeed)); + memset(&gp.SPSeed, 0, sizeof(gp.SPSeed)); + memset(&gp.PPSeed, 0, sizeof(gp.PPSeed)); + memset(&gp.phProof, 0, sizeof(gp.phProof)); + memset(&gp.shProof, 0, sizeof(gp.shProof)); + memset(&gp.ehProof, 0, sizeof(gp.ehProof)); + + NvWriteReserved(NV_OWNER_AUTH, &gp.ownerAuth); + NvWriteReserved(NV_ENDORSEMENT_AUTH, &gp.endorsementAuth); + NvWriteReserved(NV_LOCKOUT_AUTH, &gp.lockoutAuth); + NvWriteReserved(NV_EP_SEED, &gp.EPSeed); + NvWriteReserved(NV_SP_SEED, &gp.SPSeed); + NvWriteReserved(NV_PP_SEED, &gp.PPSeed); + NvWriteReserved(NV_PH_PROOF, &gp.phProof); + NvWriteReserved(NV_SH_PROOF, &gp.shProof); + NvWriteReserved(NV_EH_PROOF, &gp.ehProof); } |