| author | Vadim Bendebury <vbendeb@chromium.org> | 2017-02-21 18:41:42 -0800 |
|---|---|---|
| committer | chrome-bot <chrome-bot@chromium.org> | 2017-05-31 00:24:01 -0700 |
| commit | fb5a05ab223b56b22a3e0978333586ec13604374 (patch) | |
| tree | a8c04844e8051a08ffc55f851cd19ba77f21848f /common/tpm_registers.c | |
| parent | bff0a8093402790f3f58af80eb09509c27cafdaf (diff) | |
| download | chrome-ec-fb5a05ab223b56b22a3e0978333586ec13604374.tar.gz | |
cr50: read fwmp and act on it when controlling console restrictions
It needs to be possible to prevent unlocking of CCD on enterprise
enrolled devices, in particular to prevent users from moving into dev
mode.
A bit in the FWMP structure flags field was allocated for the purposes
of preventing console unlock in those cases.
This patch adds code to read the FWMP structure from the TPM NVMEM,
verify it and determine if it should be possible to unlock the
console. The restriction is not honored by Cr50 DBG images.
The FWMP value is read only once per TPM reset; this means each time
the admin console changes the relevant flag bit, the Chrome OS device
has to be rebooted to pick up the new flag value.
BRANCH=cr50
BUG=b:35587387,b:35587053
TEST=verified that FWMP is properly read and acted upon.
Change-Id: I17e15ea2b2293a0c096858fba3ccc389452caede
Reviewed-on: https://chromium-review.googlesource.com/457824
Commit-Ready: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
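The mechanism the commit message describes (read the FWMP from TPM NVMEM when the TPM starts, verify it, cache the result until the next TPM reset, and refuse console unlock when a flags bit is set, except in DBG images), as an added example that is not Cr50's code and not the project's FWMP implementation. The struct layout, the version byte, the CRC-8 used for verification, the flag bit value `FWMP_FLAG_DISABLE_CCD_UNLOCK`, the simulated NVMEM and the fail-closed handling of an unreadable or invalid structure are all assumptions made for illustration.

```c
/* Added example, not Cr50 code: FWMP read once per TPM reset, verified, then
 * used to gate console unlock. Layout, version byte, CRC-8 and flag bit are assumed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FWMP_STRUCT_VERSION 0x10           /* assumed version byte */
#define FWMP_FLAG_DISABLE_CCD_UNLOCK 0x40  /* hypothetical flag bit */

struct fwmp {                   /* assumed on-NVMEM layout */
	uint8_t struct_size;    /* must equal sizeof(struct fwmp) */
	uint8_t struct_version;
	uint8_t crc;            /* crc8 over every field after this one */
	uint8_t flags;
	uint8_t dev_key_hash[32];
} __attribute__((packed));

enum fwmp_state { FWMP_UNREAD, FWMP_ABSENT, FWMP_INVALID, FWMP_VALID };
static enum fwmp_state fwmp_state_cached = FWMP_UNREAD; /* valid until TPM reset */
static uint8_t fwmp_flags_cached;
static struct fwmp sim_nv;      /* simulated NVMEM space (constructed data) */
static bool sim_nv_present;

/* CRC-8, polynomial 0x07, init 0, no reflection (assumed check). */
static uint8_t crc8(const uint8_t *d, size_t len)
{
	uint8_t crc = 0;
	while (len--) {
		crc ^= *d++;
		for (int bit = 0; bit < 8; bit++)
			crc = (crc & 0x80) ? (uint8_t)((crc << 1) ^ 0x07) : (uint8_t)(crc << 1);
	}
	return crc;
}

/* Write a FWMP to the simulated space; !present = never enrolled, corrupt_crc = damaged. */
void sim_nv_set(uint8_t flags, bool present, bool corrupt_crc)
{
	memset(&sim_nv, 0, sizeof(sim_nv));
	sim_nv.struct_size = sizeof(sim_nv);
	sim_nv.struct_version = FWMP_STRUCT_VERSION;
	sim_nv.flags = flags;
	memset(sim_nv.dev_key_hash, 0xab, sizeof(sim_nv.dev_key_hash));
	sim_nv.crc = crc8(&sim_nv.flags, sizeof(sim_nv) - offsetof(struct fwmp, flags));
	if (corrupt_crc)
		sim_nv.crc ^= 0xff;
	sim_nv_present = present;
}

/* Stand-in for the TPM NVMEM read: bytes copied, 0 if the space is absent. */
static size_t nv_read_fwmp(void *buf, size_t len)
{
	if (!sim_nv_present || len < sizeof(sim_nv))
		return 0;
	memcpy(buf, &sim_nv, sizeof(sim_nv));
	return sizeof(sim_nv);
}

/* TPM reset drops the cache, so the next TPM2_Startup re-reads NVMEM. */
void fwmp_on_tpm_reset(void)
{
	fwmp_state_cached = FWMP_UNREAD;
	fwmp_flags_cached = 0;
}

/* Called on TPM2_Startup; a second call before a reset is a no-op, which is
 * why a flag change needs a reboot to take effect. */
void read_fwmp(void)
{
	struct fwmp f;
	size_t n;
	if (fwmp_state_cached != FWMP_UNREAD)
		return;
	n = nv_read_fwmp(&f, sizeof(f));
	if (n == 0) {
		fwmp_state_cached = FWMP_ABSENT;
	} else if (n != sizeof(f) || f.struct_size != sizeof(f) ||
		   f.struct_version != FWMP_STRUCT_VERSION ||
		   f.crc != crc8(&f.flags, sizeof(f) - offsetof(struct fwmp, flags))) {
		fwmp_state_cached = FWMP_INVALID;
	} else {
		fwmp_state_cached = FWMP_VALID;
		fwmp_flags_cached = f.flags;
	}
}

enum fwmp_state fwmp_get_state(void) { return fwmp_state_cached; }

/* DBG images ignore the restriction (commit message). Absent FWMP means no
 * policy; unread or invalid is treated as restricted, this example's choice. */
bool console_unlock_allowed(bool dbg_image)
{
	if (dbg_image || fwmp_state_cached == FWMP_ABSENT)
		return true;
	if (fwmp_state_cached == FWMP_VALID)
		return !(fwmp_flags_cached & FWMP_FLAG_DISABLE_CCD_UNLOCK);
	return false;   /* FWMP_UNREAD or FWMP_INVALID: fail closed */
}
```

The sequence to exercise is: `sim_nv_set(FWMP_FLAG_DISABLE_CCD_UNLOCK, true, false); fwmp_on_tpm_reset(); read_fwmp();` blocks unlock; writing a cleared flag and calling `read_fwmp()` again without `fwmp_on_tpm_reset()` changes nothing, which is the "reboot to pick up the new value" behaviour, while a reset followed by `read_fwmp()` picks up the cleared flag. Verifying the structure before trusting it matters because the restriction is only as strong as the check: a structure that fails size, version or CRC checks is treated here as restricted rather than as absent, so corrupting the NV space cannot be used to lift the policy.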
Diffstat (limited to 'common/tpm_registers.c')
-rw-r--r-- | common/tpm_registers.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/common/tpm_registers.c b/common/tpm_registers.c index 6a914aabb0..c4353dd566 100644 --- a/common/tpm_registers.c +++ b/common/tpm_registers.c @@ -24,6 +24,7 @@ #include "tpm_registers.h" #include "util.h" #include "watchdog.h" +#include "wp.h" /* TPM2 library includes. */ #include "ExecCommand_fp.h" @@ -864,6 +865,10 @@ void tpm_task(void) */ if (command_code == TPM2_PCR_Read) system_process_retry_counter(); + + else if (command_code == TPM2_Startup) + read_fwmp(); + #ifdef CONFIG_EXTENSION_COMMAND if (!IS_CUSTOM_CODE(command_code)) #endif |
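Review bot: in the include hunk, `+#include "wp.h"` is the only thing on this page that says where `read_fwmp()` comes from, and the diffstat is limited to common/tpm_registers.c, so neither its prototype nor its definition is visible here. A header named for write protect is not an obvious home for FWMP parsing; a one-line comment next to the include or at the call site saying that wp.h provides `read_fwmp()`, or a dedicated header for the FWMP code, would save the next reader of tpm_task() from guessing.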
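Review bot: in the tpm_task() hunk, the new `else if (command_code == TPM2_Startup) read_fwmp();` is split from its `if` by a blank line and sits under a comment that describes only the PCR_Read retry-counter case, so the FWMP branch reads as an afterthought and carries no rationale. Drop the blank line or make it a separate `if`, and add a comment saying that the read is deliberately done here because TPM2_Startup follows every TPM reset, which is the once-per-reset behaviour the commit message relies on. Note also that the call is placed ahead of the `#ifdef CONFIG_EXTENSION_COMMAND` / `IS_CUSTOM_CODE` block, i.e. before the Startup command itself is processed, so `read_fwmp()` must be able to read NVMEM at that point; the comment should state that NVMEM is already usable there, or the read should move to after the command completes if it is not. The DBG-image exemption claimed in the commit message is not in this hunk, so it must be enforced inside `read_fwmp()` or the console code; worth confirming in the wider change.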