diff options
| author | Randall Spangler <rspangler@chromium.org> | 2018-05-18 15:02:40 -0700 |
|---|---|---|
| committer | chrome-bot <chrome-bot@chromium.org> | 2018-05-23 20:35:12 -0700 |
| commit | f07e300fe457575394c21d040cfc80e6dc2829f0 (patch) | |
| tree | 2957d7410b0fd17095ba46a9e9c3e809242aa99e /include/tpm_registers.h | |
| parent | 7784fba59d7eb7992c2f0e2df24a819fe06c2828 (diff) | |
| download | chrome-ec-f07e300fe457575394c21d040cfc80e6dc2829f0.tar.gz | |
cr50: tpm_alt_extension() specifies command origin is USB
Previously, calls to tpm_alt_extension() were treated as if they came
from the AP via the TPM interface, even though they actually
originated from the cr50 console, which is accessible via the USB
interface.
This affects the following console commands:
spi_hash - was already allowed as both a safe console command and via
the USB vendor command interface. No change.
rma_auth - was allowed as a safe console command, but not via the USB
vendor command interface. Now allowed from both. No change in
security, since anyone could already do it via the console.
Unfortunately, getting a challenge fails because commands issued via
the USB vendor command interface have a maximum payload of 32 bytes
and the challenge is bigger than that; that's tracked in b:80098603.
ccd - was already allowed as a safe console command. This directly
called ccd_command_wrapper() for lock, open, and password subcommands.
It made an extra check for password set for the unlock subcommand.
Moved the unlock check to the vendor command handler. Also changed
the order of checks so that FWMP disabling unlock and open supersedes
an existing password; this matches go/ccd-open-simple. (That has no
effect on existing systems, because CCD is disabled at a higher
level.)
Reduces code size by 8 bytes.
BUG=b:79983505
BRANCH=cr50
TEST=manual, on a CR50_DEV=1 build
Compile with DEBUG_EXTENSION defined to print extra debug output
'ccd lock' now shows as coming from USB
'ccd unlock' fails because no password is set
'ccd unlock' and 'ccd open' fail if FWMP disallows unlock
'rma_auth' prints a challenge
'gsctool -t -r' prints a challenge from AP root shell
'gsctool -r 12345678' returns error 6 (incorrect challenge), rather
than error 127 (no such command).
'gsctool -I' works from the host
'gsctool -t -I' still works from AP root shell
Change-Id: I2cd1027f5135b9c336df97ee4b1b1a15354728b4
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1068102
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Diffstat (limited to 'include/tpm_registers.h')
| -rw-r--r-- | include/tpm_registers.h | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/include/tpm_registers.h b/include/tpm_registers.h index b82a355170..0cbcdca39d 100644 --- a/include/tpm_registers.h +++ b/include/tpm_registers.h @@ -91,6 +91,10 @@ struct tpm_cmd_header { * TPM task how much room there is to store the response. * * Command execution result is reported in the response body. + * + * The extension command handler will consider all these commands to come from + * the USB interface, since the only current users for this are console + * commands. */ void tpm_alt_extension(struct tpm_cmd_header *tpmh, size_t buffer_size); |