diff options
| author | Namyoon Woo <namyoon@google.com> | 2018-06-14 18:17:35 -0700 |
|---|---|---|
| committer | chrome-bot <chrome-bot@chromium.org> | 2018-06-21 01:05:47 -0700 |
| commit | 47eb2d5fe7c7ff3bed6f5a33836ec19182d17941 (patch) | |
| tree | 7c9b147c62cd0991129351221cc2431585a5e5d7 /board/cr50/tpm2 | |
| parent | 725b337a61b6250f72f392e7a6df330b7c7bcae6 (diff) | |
| download | chrome-ec-47eb2d5fe7c7ff3bed6f5a33836ec19182d17941.tar.gz | |
cr50: Disabling TPM or enabling TPM.
This patch introduces a new firmware status, TPM mode along with
a new TPM vendor command VENDOR_CC_TPM_MODE. TPM mode indicates whether
TPM is enabled or disabled. Initially, this value shall be
TPM_MODE_ENABLED_TENTATIVE, which means TPM is enabled but can be
changed. VENDOR_CC_TPM_MODE changes this value either as
TPM_MODE_ENABLED or TPM_MODE_DISABLED. This is for one time use only until
next TPM reset event.
Once TPM is disabled, any subsequent TPM commands shall fail.
TPM_MODE_TPM_MODE command may be issued with input size as zero, which
would not change TPM mode value. Either with the valid input value or
without any input value, it returns the current TPM mode value in uint8_t
type.
This adds 160 bytes in binary.
BUG=b:77543596
BRANCH=cr50
TEST=manually
(chroot) ./extra/usb_updater/gsctool -h
Usage: gsctool [options] [<binary image>]
Options:
-m,--tpm_mode [enable|disable]
Query or control tpm mode
(dut) gsctool -a -i
Board ID space: XXXXXXXX:XXXXXXXX:XXXXXXXX
(chroot) ./extra/usb_updater/gsctool -m enable
(dut) gsctool -a -i
Board ID space: XXXXXXXX:XXXXXXXX:XXXXXXXX
(chroot) gsctool -m enable
Error 7 in enabling TPM.
(dut) gsctool -a -i
Board ID space: XXXXXXXX:XXXXXXXX:XXXXXXXX
(dut) reboot
(chroot) ./extra/usb_updater/gsctool -m disable
(dut) gsctool -a -i
Problems reading from TPM, got 10 bytes
Error: Failed to send vendor command 25
(dut) tpm_version
[ERROR:... TRUNKS_RC_WRITE_ERROR
(dut) tpm-manager
[INFO:tpm_manager_v2.cc(51)] Initializing TPM.
[tpm_manager.TakeOwnershipReply] {
status:STATUS_NOT_AVAILABLE
}
(dut) reboot
(chroot) ./extra/usb_updater/gsctool -m
TPM Mode: enabled (0)
(dut) gsctool -a -i
Board ID space: XXXXXXXX:XXXXXXXX:XXXXXXXX
(dut) tpm_version
TPM2.0 Version Info:
...
(dut) tpm-manager
[INFO:tpm_manager_v2.cc(51)] Initializing TPM.
[INFO:tpm_manager_v2.cc(66)] TPM initialization successful (21 ms).
Change-Id: I1453d1a8d03f13cc7fc203863cbc50bf84c9dd8c
Signed-off-by: Namyoon Woo <namyoon@google.com>
Reviewed-on: https://chromium-review.googlesource.com/1105614
Commit-Ready: Namyoon Woo <namyoon@chromium.org>
Tested-by: Namyoon Woo <namyoon@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
Diffstat (limited to 'board/cr50/tpm2')
| -rw-r--r-- | board/cr50/tpm2/tpm_mode.c | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/board/cr50/tpm2/tpm_mode.c b/board/cr50/tpm2/tpm_mode.c new file mode 100644 index 0000000000..269e2feb5f --- /dev/null +++ b/board/cr50/tpm2/tpm_mode.c @@ -0,0 +1,60 @@ +/* + * Copyright 2018 The Chromium OS Authors. All rights reserved. + * Use of this source code is governed by a BSD-style license that can be + * found in the LICENSE file. + */ + +#include "config.h" +#include "Global.h" +#include "console.h" +#include "extension.h" +#include "hooks.h" +#include "timer.h" +#include "tpm_registers.h" +#include "tpm_vendor_cmds.h" + +#define CPRINTS(format, args...) cprints(CC_EXTENSION, format, ## args) + +DECLARE_DEFERRED(tpm_stop); + +/* + * On TPM reset event, tpm_reset_now() in tpm_registers.c clears TPM2 BSS memory + * area. By placing s_tpm_mode in TPM2 BSS area, TPM mode value shall be + * "TPM_MODE_ENABLED_TENTATIVE" on every TPM reset events. + */ +static enum tpm_modes s_tpm_mode __attribute__((section(".bss.Tpm2_common"))); + +static enum vendor_cmd_rc set_tpm_mode(struct vendor_cmd_params *p) +{ + uint8_t mode_val; + uint8_t *buffer; + + p->out_size = 0; + + if (p->in_size > sizeof(uint8_t)) + return VENDOR_RC_NOT_ALLOWED; + + buffer = (uint8_t *)p->buffer; + if (p->in_size == sizeof(uint8_t)) { + if (s_tpm_mode != TPM_MODE_ENABLED_TENTATIVE) + return VENDOR_RC_NOT_ALLOWED; + mode_val = buffer[0]; + if (mode_val == TPM_MODE_DISABLED) + hook_call_deferred(&tpm_stop_data, 10 * MSEC); + else if (mode_val != TPM_MODE_ENABLED) + return VENDOR_RC_NOT_ALLOWED; + s_tpm_mode = mode_val; + } + + p->out_size = sizeof(uint8_t); + buffer[0] = (uint8_t) s_tpm_mode; + + return VENDOR_RC_SUCCESS; +} +DECLARE_VENDOR_COMMAND_P(VENDOR_CC_TPM_MODE, set_tpm_mode); + +enum tpm_modes get_tpm_mode(void) +{ + return s_tpm_mode; +} + |