author Vadim Bendebury <vbendeb@chromium.org> 2017-12-01 09:25:14 -0800
committer Vadim Bendebury <vbendeb@chromium.org> 2019-09-21 13:46:38 -0700
commit 50618d8c6f53c997428f4384f5a3d5aee05d4789
tree 15d5caf110349dcc797be7fead2106ad9cfd1e58 /include/tpm_vendor_cmds.h
parent d3c877875bf16ff520175db7e0e84bf2df177e48
ccd: restrict password setting to allowed states

Setting password should be allowed only after the owner logged in for the first time and before they log out or someone else logs in. Once any other user but the owner logs in, it should become impossible to set password until the device is reset.

As proposed here, this would apply to both attempts to set password through crosh and Cr50 console.

Password handling on Cr50 passes the following states:

- password setting is not allowed after Cr50 reset until an upstart (as opposed to resume) TPM startup happens, as signalled by the TPM callback. After the proper TPM reset the state changes to 'POST_RESET_STATE' which means that the device was just reset/rebooted (not resumed) and no user logged in yet.

- if the owner logs in in this state, the state changes to 'PASSWORD_ALLOWED_STATE'. The owner can open crosh session and set the password.

- when the owner logs out or any user but the owner logs in, the state changes to PASSWORD_NOT_ALLOWED_STATE and does not change until TPM is reset. This makes sure that password can be set only by the owner and only before anybody else logged in.

Separate changes to the TPM library code make sure that TPM reset is reported through the platform layer, so that POST_RESET_STATE is entered.

BRANCH=cr50
BUG=b:67007578
TEST=with the rest of the infrastructure in place verified that password can be set only when the owner logged in for the first time before anybody else logs in or the owner logs out.

Change-Id: Ieaa3dc8ff9d2e43ae11151eb31173220f5c75b58
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/804141
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
(cherry picked from commit 91c1b0abab0889359a1e1cfc6e764266536e18f2)
Reviewed-on: https://chromium-review.googlesource.com/820564
(cherry picked from commit 9c8c0497f92fda6590b00204781aa4956dbefb8b)

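
The state progression described in the commit message above, as an added C example (not code from the chrome-ec tree). The three state names and the value 7 for VENDOR_RC_NOT_ALLOWED come from this page; the event names, both functions, RC_OK, the folding of the unnamed "after Cr50 reset" condition into PASSWORD_NOT_ALLOWED_STATE, and the use of VENDOR_RC_NOT_ALLOWED as the refusal code are assumptions.

```c
#include <stddef.h>

/* State names are from the commit message. Event names and functions are
 * hypothetical. The unnamed "after Cr50 reset" condition is folded into
 * PASSWORD_NOT_ALLOWED_STATE (assumption). */
enum pwd_state {
	PASSWORD_NOT_ALLOWED_STATE,
	POST_RESET_STATE,
	PASSWORD_ALLOWED_STATE,
};

enum pwd_event {
	EV_TPM_STARTUP,  /* full TPM startup, reported by the TPM callback */
	EV_TPM_RESUME,   /* resume from suspend: must not reopen the window */
	EV_OWNER_LOGIN,
	EV_OWNER_LOGOUT,
	EV_OTHER_LOGIN,  /* any user but the owner */
};

#define VENDOR_RC_NOT_ALLOWED 7 /* value from the diff on this page */
#define RC_OK 0                 /* hypothetical success code */

enum pwd_state pwd_next(enum pwd_state s, enum pwd_event ev)
{
	switch (ev) {
	case EV_TPM_STARTUP:
		return POST_RESET_STATE;
	case EV_TPM_RESUME:
		return s;
	case EV_OWNER_LOGIN:
		/* Only an owner login straight after a reset opens the window. */
		return s == POST_RESET_STATE ? PASSWORD_ALLOWED_STATE : s;
	default:
		/* Owner logout, other login, unknown event: fail closed. */
		return PASSWORD_NOT_ALLOWED_STATE;
	}
}

/* Replay events from a fresh Cr50 reset, then attempt to set the password. */
int pwd_set_after(const enum pwd_event *evs, size_t n)
{
	enum pwd_state s = PASSWORD_NOT_ALLOWED_STATE;

	for (size_t i = 0; i < n; i++)
		s = pwd_next(s, evs[i]);
	return s == PASSWORD_ALLOWED_STATE ? RC_OK : VENDOR_RC_NOT_ALLOWED;
}
```
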
Diffstat (limited to 'include/tpm_vendor_cmds.h')
-rw-r--r-- include/tpm_vendor_cmds.h 2
1 files changed, 2 insertions, 0 deletions
diff --git a/include/tpm_vendor_cmds.h b/include/tpm_vendor_cmds.h
index 1a9682be69..830678ee0c 100644
--- a/include/tpm_vendor_cmds.h
+++ b/include/tpm_vendor_cmds.h
@@ -46,6 +46,7 @@ enum vendor_cmd_cc {
VENDOR_CC_RMA_CHALLENGE_RESPONSE = 30,
VENDOR_CC_CCD_PASSWORD = 31,
VENDOR_CC_DISABLE_RMA = 32,
+ VENDOR_CC_MANAGE_CCD_PWD = 33,
LAST_VENDOR_COMMAND = 65535,
};
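Review bot: VENDOR_CC_MANAGE_CCD_PWD = 33 is added two lines below VENDOR_CC_CCD_PASSWORD = 31 with no comment, and the two names read as near synonyms. A one-line comment on the new enumerator saying what it manages (per the commit message, whether password setting is currently allowed) and which side is expected to send it would keep callers from picking the wrong command code.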
@@ -67,6 +68,7 @@ enum vendor_cmd_rc {
VENDOR_RC_REQUEST_TOO_BIG = 4,
VENDOR_RC_RESPONSE_TOO_BIG = 5,
VENDOR_RC_INTERNAL_ERROR = 6,
+ VENDOR_RC_NOT_ALLOWED = 7,
/* Only 7 bits available; max is 127 */
VENDOR_RC_NO_SUCH_COMMAND = 127,
};
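Review bot: VENDOR_RC_NOT_ALLOWED = 7 is added without a comment saying which condition produces it, so a reader of this header cannot tell what separates it from the neighbouring VENDOR_RC_INTERNAL_ERROR = 6. Suggest a short comment tying it to the password state restriction described in the commit message. Since the diff shown is limited to this header, also confirm that any code decoding vendor_cmd_rc values handles 7 explicitly instead of treating it as an unknown code.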