authorMary Ruthven <mruthven@google.com>2018-05-21 13:03:44 -0700
committerchrome-bot <chrome-bot@chromium.org>2018-05-31 16:22:35 -0700
commit37fadc39b5134d29e701ee7e0f08fd7da5900840 (patch)
treef779cfea4ecb59521966d77f3784c7738f0cd98d /include/tpm_vendor_cmds.h
parenta5f6726587edb2761caeb396e4a10d32a74ed09e (diff)
downloadchrome-ec-37fadc39b5134d29e701ee7e0f08fd7da5900840.tar.gz
cr50: add command for factory reset
The factory reset command can be used to enable ccd factory mode. The command can open ccd if write protect is removed and ccd hasn't been restricted. Right now we check FWMP and the ccd password before allowing factory reset. Factory reset cannot be used to get around anything that disables ccd. This adds 72 bytes. BUG=b:77543904 BRANCH=cr50 TEST=Try enabling factory mode using factory reset. Verify setting write protect, setting the FWMP disable ccd bit, or setting a ccd password prevents factory reset from enabling factory mode. Change-Id: I6e203bf6068250f009881aa95c13bc56cb2aa9e7 Signed-off-by: Mary Ruthven <mruthven@google.com> Reviewed-on: https://chromium-review.googlesource.com/1069369 Commit-Ready: Mary Ruthven <mruthven@chromium.org> Tested-by: Mary Ruthven <mruthven@chromium.org> Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
Diffstat (limited to 'include/tpm_vendor_cmds.h')
-rw-r--r--include/tpm_vendor_cmds.h8
1 files changed, 8 insertions, 0 deletions
diff --git a/include/tpm_vendor_cmds.h b/include/tpm_vendor_cmds.h
index 58bb669d4a..b6b32c3ef7 100644
--- a/include/tpm_vendor_cmds.h
+++ b/include/tpm_vendor_cmds.h
@@ -55,6 +55,14 @@ enum vendor_cmd_cc {
VENDOR_CC_GET_ALERTS_DATA = 35,
VENDOR_CC_SPI_HASH = 36,
VENDOR_CC_PINWEAVER = 37,
+ /*
+ * Check the factory reset settings. If they're all set correctly, do a
+ * factory reset to enable ccd factory mode. All capabilities will be
+ * set to Always and write protect will be permanently disabled. This
+ * mode can't be reset unless VENDOR_CC_DISABLE_FACTORY is called or
+ * the 'ccd reset' console command is run.
+ */
+ VENDOR_CC_RESET_FACTORY = 38,
LAST_VENDOR_COMMAND = 65535,
};
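Review bot: The comment on `VENDOR_CC_RESET_FACTORY` refers only to "the factory reset settings" without naming them, even though this command sets every ccd capability to Always and disables write protect. The commit message lists the gates (write protect removed, FWMP not disabling ccd, no ccd password set), so I would add a line such as `* Preconditions: write protect removed, FWMP does not disable ccd, no ccd password set.` so the handler can be audited against the header. "Permanently disabled" also conflicts with the next sentence, which names two ways to leave the mode; something like `write protect stays disabled while factory mode is enabled` appears closer to the intent. The handler and the definition of `VENDOR_CC_DISABLE_FACTORY` are outside this file's hunk, so whether those checks are enforced cannot be confirmed from here.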