From 1e68e66a387c91b63a7a79324f3c828f7f0fed4b Mon Sep 17 00:00:00 2001
From: Vadim Bendebury <vbendeb@chromium.org>
Date: Wed, 30 Jun 2021 11:52:35 -0700
Subject: tpm_mode: do not proceed if nvmem commits can not be enabled

NVMEM commits are disabled for a few seconds after every TPM reset.
Setting TPM mode to 'disabled' requires the commits to be enabled
first, so that the NVMEM updates would be saved immediately.

Re-enabling the commits must be done by the same task which disables
them, i.e. the TPM task. This patch moves the invocation of
'nvmem_enable_commits()' to the main processing thread of the TPM mode
vendor command handler. When invoked through TPM it will be able to
properly reenable NVMEM commits. When invoked through USB it will fail
if TPM reset happened less than 3 seconds ago.

BUG=b:187831914
TEST=verified that when the TPM disable command is sent immediately
     after TPM reset over USB it is rejected with error code 11, no
     lockup/watchdog reset is observed.

     Testing the AP sending the command will be done when debugging
     NBR.

Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Change-Id: I035cd5db2c55fe5c9dd3679153bf9a2ec49210b6
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/2998302
Reviewed-by: Mary Ruthven <mruthven@chromium.org>
---
 board/cr50/tpm2/tpm_mode.c | 4 +++-
 include/tpm_vendor_cmds.h  | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/board/cr50/tpm2/tpm_mode.c b/board/cr50/tpm2/tpm_mode.c
index 8282236caa..dea38abf02 100644
--- a/board/cr50/tpm2/tpm_mode.c
+++ b/board/cr50/tpm2/tpm_mode.c
@@ -22,7 +22,6 @@
 
 static void disable_tpm(void)
 {
-	nvmem_enable_commits();
 	tpm_stop();
 	DCRYPTO_ladder_revoke();
 	nvmem_clear_cache();
@@ -72,6 +71,9 @@ static enum vendor_cmd_rc process_tpm_mode(struct vendor_cmd_params *p)
 			 * so that this vendor command can be responded to
 			 * before TPM stops.
 			 */
+			if (nvmem_enable_commits() != EC_SUCCESS)
+				return VENDOR_RC_NVMEM_LOCKED;
+
 			hook_call_deferred(&disable_tpm_data, 10 * MSEC);
 			break;
 		default:
diff --git a/include/tpm_vendor_cmds.h b/include/tpm_vendor_cmds.h
index 83a0f700f5..b127a05082 100644
--- a/include/tpm_vendor_cmds.h
+++ b/include/tpm_vendor_cmds.h
@@ -194,6 +194,7 @@ enum vendor_cmd_rc {
 	VENDOR_RC_NO_SUCH_SUBCOMMAND = 8,
 	VENDOR_RC_IN_PROGRESS = 9,
 	VENDOR_RC_PASSWORD_REQUIRED = 10,
+	VENDOR_RC_NVMEM_LOCKED = 11,
 
 	/* Maximum possible failure reason. */
 	VENDOR_RC_NO_SUCH_COMMAND = 127,
-- 
cgit v1.2.1