1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
|
/* Copyright 2017 The Chromium OS Authors. All rights reserved.
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*
* Case Closed Debug configuration
*/
#include "common.h"
#include "byteorder.h"
#include "ccd_config.h"
#include "console.h"
#include "dcrypto.h"
#include "extension.h"
#include "hooks.h"
#include "nvmem_vars.h"
#include "physical_presence.h"
#include "system.h"
#include "system_chip.h"
#include "task.h"
#include "timer.h"
#include "tpm_registers.h"
#include "tpm_vendor_cmds.h"
#include "trng.h"
#include "wp.h"
#define CPRINTS(format, args...) cprints(CC_CCD, format, ## args)
#define CPRINTF(format, args...) cprintf(CC_CCD, format, ## args)
/* Let's make sure that CCD capability state enum fits into two bits. */
BUILD_ASSERT(CCD_CAP_STATE_COUNT <= 4);
/* Restriction state for ccdunlock when no password is set */
enum ccd_unlock_restrict {
/* Unrestricted */
CCD_UNLOCK_UNRESTRICTED = 0,
/* Physical presence required for unlock unless disabled by config */
CCD_UNLOCK_NEED_PP,
/* Unlock not allowed */
CCD_UNLOCK_DISABLED
};
/* Minimum time between password attempts */
#define PASSWORD_RATE_LIMIT_US (3 * SECOND)
/* Current version of case-closed debugging configuration struct */
#define CCD_CONFIG_VERSION 0x10
/*
* CCD command header; including the subcommand code used to demultiplex
* various CCD commands over the same TPM vendor command.
*/
struct ccd_vendor_cmd_header {
struct tpm_cmd_header tpm_header;
/* On input, the subcommand. On output, may contain EC return code */
uint8_t ccd_subcommand;
} __packed;
/* Size of password salt and digest in bytes */
#define CCD_PASSWORD_SALT_SIZE 4
#define CCD_PASSWORD_DIGEST_SIZE 16
/* Way longer than practical. */
#define CCD_MAX_PASSWORD_SIZE 40
struct ccd_config {
/* Version (CCD_CONFIG_VERSION) */
uint8_t version;
/*
* Flags. These MUST immediately follow version, so that the test
* lab flag is always the LSBit of the first flags byte.
*/
uint8_t flags[3];
/* Capabilities */
uint8_t capabilities[8];
/* Password salt (random) */
uint8_t password_salt[CCD_PASSWORD_SALT_SIZE];
/*
* Password digest = truncated
* SHA256_digest(password_salt+device_id+password)
*/
uint8_t password_digest[CCD_PASSWORD_DIGEST_SIZE];
};
/* Nvmem variable name for CCD config */
static const uint8_t k_ccd_config = NVMEM_VAR_CCD_CONFIG;
/* Flags which can be set via ccd_set_flag() */
static const uint32_t k_public_flags =
CCD_FLAG_RDDKEEPALIVE_AT_BOOT |
CCD_FLAG_OVERRIDE_WP_AT_BOOT |
CCD_FLAG_OVERRIDE_WP_STATE_ENABLED |
CCD_FLAG_OVERRIDE_BATT_AT_BOOT |
CCD_FLAG_OVERRIDE_BATT_STATE_CONNECT;
/* List of CCD capability info; must be in same order as enum ccd_capability */
static const struct ccd_capability_info cap_info[CCD_CAP_COUNT] = CAP_INFO_DATA;
static const char *ccd_state_names[CCD_STATE_COUNT] = CCD_STATE_NAMES;
static const char *ccd_cap_state_names[CCD_CAP_STATE_COUNT] =
CCD_CAP_STATE_NAMES;
static enum ccd_state ccd_state = CCD_STATE_LOCKED;
static struct ccd_config config;
static uint8_t ccd_config_loaded;
static uint8_t force_disabled;
static struct mutex ccd_config_mutex;
static uint8_t ccd_console_active; /* CCD console command is in progress. */
/******************************************************************************/
/* Raw config accessors */
/**
* Get CCD flags.
*
* @return the current flags mask.
*/
static uint32_t raw_get_flags(void)
{
return (uint32_t)(config.flags[0] << 0)
| ((uint32_t)config.flags[1] << 8)
| ((uint32_t)config.flags[2] << 16);
}
/**
* Set a single CCD flag.
*
* This does NOT call ccd_save_config() or lock the mutex. Caller must do
* those.
*
* @param flag Flag to set
* @param value New value for flag (0=clear, non-zero=set)
*/
static void raw_set_flag(enum ccd_flag flag, int value)
{
uint32_t f;
f = raw_get_flags();
if (value)
f |= flag;
else
f &= ~flag;
config.flags[0] = (uint8_t)(f >> 0);
config.flags[1] = (uint8_t)(f >> 8);
config.flags[2] = (uint8_t)(f >> 16);
}
/**
* Get a raw capability state from the config
*
* @param cap Capability to check
* @param translate_default If non-zero, translate CCD_CAP_STATE_DEFAULT
* to the actual default for that config
* @return The capability state.
*/
static enum ccd_capability_state raw_get_cap(enum ccd_capability cap,
int translate_default)
{
const uint32_t index = cap / CCD_CAPS_PER_BYTE;
const uint32_t shift = (cap % CCD_CAPS_PER_BYTE) * CCD_CAP_BITS;
int c = (config.capabilities[index] >> shift) & CCD_CAP_BITMASK;
if (c == CCD_CAP_STATE_DEFAULT && translate_default)
c = cap_info[cap].default_state;
return c;
}
/**
* Set a raw capability to the config.
*
* This does NOT call ccd_save_config() or lock the mutex. Caller must do
* those.
*
* @param cap Capability to set
* @param state New state for capability
*/
static void raw_set_cap(enum ccd_capability cap,
enum ccd_capability_state state)
{
const uint32_t index = cap / CCD_CAPS_PER_BYTE;
const uint32_t shift = (cap % CCD_CAPS_PER_BYTE) * CCD_CAP_BITS;
config.capabilities[index] &= ~(CCD_CAP_BITMASK << shift);
config.capabilities[index] |= (state & CCD_CAP_BITMASK) << shift;
}
/**
* Check CCD configuration is reset to default value.
*
* @return 1 if it is in default mode.
* 0 otherwise.
*/
static int raw_check_all_caps_default(void)
{
uint32_t i;
for (i = 0; i < CCD_CAP_COUNT; i++)
if (raw_get_cap(i, 0) != CCD_CAP_STATE_DEFAULT)
return 0;
return 1;
}
/**
* Check if a password is set.
* @return 1 if password is set, 0 if it's not
*/
static int raw_has_password(void)
{
uint8_t set = 0;
int i;
/* Password is set unless salt and digest are all zero */
for (i = 0; i < sizeof(config.password_salt); i++)
set |= config.password_salt[i];
for (i = 0; i < sizeof(config.password_digest); i++)
set |= config.password_digest[i];
return !!set;
}
/**
* Calculate the expected digest for a password.
*
* Uses the unique device ID and the salt from the config.
*
* @param digest Pointer to a CCD_PASSWORD_DIGEST_SIZE buffer
* @param password The password to digest
*/
static void ccd_password_digest(uint8_t *digest, const char *password)
{
struct sha256_ctx sha;
uint8_t *unique_id;
int unique_id_len;
unique_id_len = system_get_chip_unique_id(&unique_id);
SHA256_hw_init(&sha);
SHA256_update(&sha, config.password_salt, sizeof(config.password_salt));
SHA256_update(&sha, unique_id, unique_id_len);
SHA256_update(&sha, password, strlen(password));
memcpy(digest, SHA256_final(&sha)->b8, CCD_PASSWORD_DIGEST_SIZE);
}
/**
* Check the password.
*
* @param password The password to check
* @return EC_SUCCESS, EC_ERROR_BUSY if too soon since last attempt, or
* EC_ERROR_ACCESS_DENIED if mismatch.
*/
static int raw_check_password(const char *password)
{
/*
* Time of last password attempt; initialized to 0 at boot. Yes, we're
* only keeping the bottom 32 bits of the timer here, so on a
* wraparound (every ~4000 seconds) it's possible for an attacker to
* get one extra attempt. But it still behaves properly at boot,
* requiring the system to be up PASSWORD_RATE_LIMIT_US before allowing
* the first attempt.
*/
static uint32_t last_password_time;
uint8_t digest[CCD_PASSWORD_DIGEST_SIZE];
uint32_t t;
/* If no password is set, match only an empty password */
if (!raw_has_password())
return *password ? EC_ERROR_ACCESS_DENIED : EC_SUCCESS;
/* Rate limit password attempts */
t = get_time().le.lo;
if (t - last_password_time < PASSWORD_RATE_LIMIT_US)
return EC_ERROR_BUSY;
last_password_time = t;
/* Calculate the digest of the password */
ccd_password_digest(digest, password);
if (safe_memcmp(digest, config.password_digest,
sizeof(config.password_digest)))
return EC_ERROR_ACCESS_DENIED;
return EC_SUCCESS;
}
/**
* Clear the password.
*
* This does NOT call ccd_save_config() or lock the mutex. Caller must do
* those.
*/
static void raw_reset_password(void)
{
memset(config.password_salt, 0, sizeof(config.password_salt));
memset(config.password_digest, 0, sizeof(config.password_digest));
raw_set_flag(CCD_FLAG_PASSWORD_SET_WHEN_UNLOCKED, 0);
}
/**
* Set the password.
*
* @param password New password; must be non-empty
*/
static void raw_set_password(const char *password)
{
/* Get a new salt */
rand_bytes(config.password_salt, sizeof(config.password_salt));
/* Update the password digest */
ccd_password_digest(config.password_digest, password);
/* Track whether we were opened when we set the password */
raw_set_flag(CCD_FLAG_PASSWORD_SET_WHEN_UNLOCKED,
ccd_state == CCD_STATE_UNLOCKED);
}
/******************************************************************************/
/* Internal methods */
/**
* Set the CCD state.
*
* @param state New CCD state
*/
static void ccd_set_state(enum ccd_state state)
{
if (state == ccd_state)
return;
ccd_state = state;
/* Notify CCD users of configuration change */
hook_notify(HOOK_CCD_CHANGE);
}
/**
* Load CCD config from nvmem_vars
*
* @return EC_SUCCESS or non-zero error code.
*/
static void ccd_load_config(void)
{
const struct tuple *t;
/* Don't reload if we're already loaded */
if (ccd_config_loaded)
return;
/* Load config data from nvmem */
t = getvar(&k_ccd_config, sizeof(k_ccd_config));
/* Use defaults if config data is not present */
if (!t) {
if (board_is_first_factory_boot()) {
/* Give factory/RMA access */
CPRINTS("CCD using factory config");
ccd_reset_config(CCD_RESET_FACTORY);
} else {
/* Somehow we lost our config; normal defaults */
CPRINTS("CCD using default config");
ccd_reset_config(CCD_RESET_TEST_LAB);
}
goto ccd_is_loaded;
}
/* Copy the tuple data */
memcpy(&config, tuple_val(t), MIN(sizeof(config), t->val_len));
/* If version or size is wrong, reset to defaults */
if (config.version != CCD_CONFIG_VERSION ||
t->val_len != sizeof(config)) {
CPRINTS("CCD config mismatch; using defaults");
/*
* If the config data was big enough to hold the test lab bit,
* preserve it. That's guaranteed to be in the same place for
* all data versions.
*/
ccd_reset_config(t->val_len < 2 ? CCD_RESET_TEST_LAB : 0);
}
freevar(t);
ccd_is_loaded:
ccd_config_loaded = 1;
/* Notify CCD users of configuration change */
hook_notify(HOOK_CCD_CHANGE);
}
/**
* Save CCD config to nvmem_vars
*
* @return EC_SUCCESS or non-zero error code.
*/
static int ccd_save_config(void)
{
int rv;
rv = setvar(&k_ccd_config, sizeof(k_ccd_config),
(const uint8_t *)&config, sizeof(config));
if (rv)
return rv;
/*
* Notify CCD users of configuration change.
* Protect this notify with the ccd_config_loaded flag so recipients of
* HOOK_CCD_CHANGE don't call ccd_get/ccd_set before the CCD
* initialization is complete.
*/
if (ccd_config_loaded)
hook_notify(HOOK_CCD_CHANGE);
return rv;
}
/**
* Set a CCD capability to a new state.
*
* @param cap Capability to set
* @param state New state for capability
* @return EC_SUCCESS or non-zero error code.
*/
static int ccd_set_cap(enum ccd_capability cap, enum ccd_capability_state state)
{
if (!ccd_config_loaded)
return EC_ERROR_BUSY;
if (state == raw_get_cap(cap, 0))
return EC_SUCCESS; /* Capability not changed */
mutex_lock(&ccd_config_mutex);
raw_set_cap(cap, state);
mutex_unlock(&ccd_config_mutex);
return ccd_save_config();
}
int ccd_reset_config(unsigned int flags)
{
int old_lab = ccd_get_flag(CCD_FLAG_TEST_LAB);
mutex_lock(&ccd_config_mutex);
if (flags & CCD_RESET_UNLOCKED_ONLY) {
/* Only set config options that are mutable when unlocked */
int i;
/* Reset the password if it was set when unlocked */
if (ccd_get_flag(CCD_FLAG_PASSWORD_SET_WHEN_UNLOCKED))
raw_reset_password();
/* Reset all capabilities that aren't IfOpened */
for (i = 0; i < CCD_CAP_COUNT; i++) {
if (raw_get_cap(i, 1) == CCD_CAP_STATE_IF_OPENED)
continue;
raw_set_cap(i, CCD_CAP_STATE_DEFAULT);
}
/* Flags all require IfOpened, so don't touch those */
} else {
/* Reset the entire config */
memset(&config, 0, sizeof(config));
config.version = CCD_CONFIG_VERSION;
/* Update write protect after resetting the config */
board_wp_follow_ccd_config();
}
if (flags & CCD_RESET_FACTORY) {
/* Force factory mode settings */
int i;
/* Allow all capabilities all the time */
for (i = 0; i < CCD_CAP_COUNT; i++)
raw_set_cap(i, CCD_CAP_STATE_ALWAYS);
raw_set_flag(CCD_FLAG_FACTORY_MODE_ENABLED, 1);
/* Force WP disabled at boot */
raw_set_flag(CCD_FLAG_OVERRIDE_WP_AT_BOOT, 1);
raw_set_flag(CCD_FLAG_OVERRIDE_WP_STATE_ENABLED, 0);
board_wp_follow_ccd_config();
}
/* Restore test lab flag unless explicitly resetting it */
if (!(flags & CCD_RESET_TEST_LAB))
raw_set_flag(CCD_FLAG_TEST_LAB, old_lab);
mutex_unlock(&ccd_config_mutex);
return ccd_save_config();
}
/**
* Convert a string to a capability index.
*
* @param name Capability name to find
* @return The capability index, or CCD_CAP_COUNT if error
*/
static enum ccd_capability ccd_cap_from_name(const char *name)
{
int i;
for (i = 0; i < CCD_CAP_COUNT; i++) {
if (!strcasecmp(name, cap_info[i].name))
return i;
}
return CCD_CAP_COUNT;
}
/**
* Reset the password.
*
* @return EC_SUCCESS or non-zero error code.
*/
static int ccd_reset_password(void)
{
mutex_lock(&ccd_config_mutex);
raw_reset_password();
mutex_unlock(&ccd_config_mutex);
return ccd_save_config();
}
/**
* Set the password.
*
* @param password New password; must be non-empty
* @return EC_SUCCESS or non-zero error code.
*/
static int ccd_set_password(const char *password)
{
mutex_lock(&ccd_config_mutex);
raw_set_password(password);
mutex_unlock(&ccd_config_mutex);
return ccd_save_config();
}
/******************************************************************************/
/* Handlers for state changes requiring physical presence */
/*
* Could be invoked synchronously on the TPM task context, or asynchronously,
* after physical presence is established, on the hooks task context.
*
* The appropriate TPM reset entry point needs to be invoked. Also, make sure
* that the board is always rebooted when TPM is reset.
*
* @param sync Non-zero to invoke synchronously.
*/
static void ccd_open_done(int sync)
{
int rv;
/*
* Wiping the TPM may take a while. Delay sleep long enough for the
* open process to finish.
*/
delay_sleep_by(DISABLE_SLEEP_TIME_TPM_WIPE);
if (!ccd_is_cap_enabled(CCD_CAP_OPEN_WITHOUT_TPM_WIPE)) {
/* Can't open unless wipe succeeds */
if (sync)
rv = tpm_sync_reset(1);
else
rv = board_wipe_tpm(1);
if (rv != EC_SUCCESS) {
CPRINTS("CCD open TPM wipe failed");
return;
}
}
if (!ccd_is_cap_enabled(CCD_CAP_UNLOCK_WITHOUT_AP_REBOOT) ||
(!ccd_is_cap_enabled(CCD_CAP_OPEN_WITHOUT_TPM_WIPE) && sync))
board_reboot_ap();
CPRINTS("CCD opened");
ccd_set_state(CCD_STATE_OPENED);
}
static void ccd_open_done_async(void)
{
ccd_open_done(0);
}
static void ccd_unlock_done(void)
{
if (!ccd_is_cap_enabled(CCD_CAP_UNLOCK_WITHOUT_AP_REBOOT))
board_reboot_ap();
CPRINTS("CCD unlocked");
ccd_set_state(CCD_STATE_UNLOCKED);
}
static void ccd_testlab_toggle(void)
{
int v = !ccd_get_flag(CCD_FLAG_TEST_LAB);
/* Use raw_set_flag() because the test lab flag is internal */
mutex_lock(&ccd_config_mutex);
raw_set_flag(CCD_FLAG_TEST_LAB, v);
mutex_unlock(&ccd_config_mutex);
if (ccd_save_config() == EC_SUCCESS)
CPRINTS("CCD test lab mode %sbled", v ? "ena" : "disa");
else
CPRINTS("Error setting CCD test lab mode!");
}
/******************************************************************************/
/* External interface */
int ccd_has_password(void)
{
return raw_has_password();
}
void ccd_config_init(enum ccd_state state)
{
/* Set initial state, after making sure it's a valid one */
if (state != CCD_STATE_UNLOCKED && state != CCD_STATE_OPENED)
state = CCD_STATE_LOCKED;
ccd_state = state;
ccd_load_config();
}
int ccd_get_flag(enum ccd_flag flag)
{
uint32_t f = raw_get_flags();
if (!ccd_config_loaded || force_disabled)
return 0;
return !!(f & flag);
}
int ccd_set_flag(enum ccd_flag flag, int value)
{
if (force_disabled)
return EC_ERROR_ACCESS_DENIED;
/* Fail if trying to set a private flag */
if (flag & ~k_public_flags)
return EC_ERROR_ACCESS_DENIED;
if (!ccd_config_loaded)
return EC_ERROR_BUSY;
if (ccd_get_flag(flag) == !!value)
return EC_SUCCESS;
mutex_lock(&ccd_config_mutex);
raw_set_flag(flag, value);
mutex_unlock(&ccd_config_mutex);
return ccd_save_config();
}
int ccd_is_cap_enabled(enum ccd_capability cap)
{
if (!ccd_config_loaded || force_disabled)
return 0;
switch (raw_get_cap(cap, 1)) {
case CCD_CAP_STATE_ALWAYS:
return 1;
case CCD_CAP_STATE_UNLESS_LOCKED:
return ccd_state != CCD_STATE_LOCKED;
case CCD_CAP_STATE_IF_OPENED:
default:
return ccd_state == CCD_STATE_OPENED;
}
}
enum ccd_state ccd_get_state(void)
{
return ccd_state;
}
void ccd_disable(void)
{
CPRINTS("CCD disabled");
force_disabled = 1;
ccd_set_state(CCD_STATE_LOCKED);
}
int ccd_get_factory_mode(void)
{
return ccd_get_flag(CCD_FLAG_FACTORY_MODE_ENABLED);
}
/******************************************************************************/
/* Console commands */
static int command_ccd_info(void)
{
int i;
ccprintf("State: %s%s\n", ccd_state_names[ccd_state],
force_disabled ? " (Disabled)" : "");
ccprintf("Password: %s\n", raw_has_password() ? "set" : "none");
ccprintf("Flags: 0x%06x\n", raw_get_flags());
ccprintf("Capabilities: %ph\n", HEX_BUF(config.capabilities, 8));
for (i = 0; i < CCD_CAP_COUNT; i++) {
int c = raw_get_cap(i, 0);
ccprintf(" %-15s %c %d=%s",
cap_info[i].name,
ccd_is_cap_enabled(i) ? 'Y' : '-',
c, ccd_cap_state_names[c]);
if (c == CCD_CAP_STATE_DEFAULT)
ccprintf(" (%s)",
ccd_cap_state_names[cap_info[i].default_state]);
ccprintf("\n");
cflush();
}
ccprintf("TPM:%s%s\n",
board_fwmp_allows_unlock() ? "" : " fwmp_lock",
board_vboot_dev_mode_enabled() ? " dev_mode" : "");
ccprintf("Capabilities are %s.\n", raw_check_all_caps_default() ?
"default" : "modified");
ccputs("Use 'ccd help' to print subcommands\n");
return EC_SUCCESS;
}
static int command_ccd_reset(int argc, char **argv)
{
int flags = 0;
if (argc > 1) {
if (!strcasecmp(argv[1], "factory"))
flags = CCD_RESET_FACTORY;
else
return EC_ERROR_PARAM1;
}
switch (ccd_state) {
case CCD_STATE_OPENED:
ccprintf("%s settings.\n", flags & CCD_RESET_FACTORY ?
"Opening factory " : "Resetting all");
/* Note that this does not reset the testlab flag */
return ccd_reset_config(flags);
case CCD_STATE_UNLOCKED:
ccprintf("Resetting unlocked settings.\n");
return ccd_reset_config(CCD_RESET_UNLOCKED_ONLY);
default:
return EC_ERROR_ACCESS_DENIED;
}
}
static int command_ccd_set(int argc, char **argv)
{
enum ccd_capability cap;
enum ccd_capability_state old;
enum ccd_capability_state new;
/* Only works if unlocked or opened */
if (ccd_state == CCD_STATE_LOCKED)
return EC_ERROR_ACCESS_DENIED;
if (argc < 3)
return EC_ERROR_PARAM_COUNT;
/* Get capability to set */
cap = ccd_cap_from_name(argv[1]);
if (cap == CCD_CAP_COUNT)
return EC_ERROR_PARAM1;
/* Get new state */
for (new = CCD_CAP_STATE_DEFAULT; new < CCD_CAP_STATE_COUNT; new++) {
if (!strcasecmp(argv[2], ccd_cap_state_names[new]))
break;
}
if (new == CCD_CAP_STATE_COUNT)
return EC_ERROR_PARAM2;
/* Get current state */
old = raw_get_cap(cap, 1);
/* If we're only unlocked, can't change to/from IfOpened */
if (ccd_state == CCD_STATE_UNLOCKED &&
(new == CCD_CAP_STATE_IF_OPENED || old == CCD_CAP_STATE_IF_OPENED))
return EC_ERROR_ACCESS_DENIED;
/* Set new state */
return ccd_set_cap(cap, new);
}
static int do_ccd_password(char *password)
{
/* Only works if unlocked or opened */
if (ccd_state == CCD_STATE_LOCKED)
return EC_ERROR_ACCESS_DENIED;
if (raw_has_password()) {
const char clear_prefix[] = {'c', 'l', 'e', 'a', 'r', ':'};
/*
* The only allowed action at this point is to clear the
* password. To do it the user is supposed to enter
* 'clear:<passwd>'
*/
if (strncasecmp(password, clear_prefix, sizeof(clear_prefix)))
return EC_ERROR_ACCESS_DENIED;
if (raw_check_password(password + sizeof(clear_prefix)) !=
EC_SUCCESS)
return EC_ERROR_ACCESS_DENIED;
return ccd_reset_password();
}
/* Set new password */
return ccd_set_password(password);
}
/*
* Common wrapper for CCD commands which are passed through the TPM task
* context.
*
* All commands could have a single parameter, which is the password (to be
* set, cleared, or entered to open/unlock). If argc value exceeds 1, the
* pointer to password is set, it is checked not to exceed maximum size.
*
* If the check succeeds, prepare a message containing a TPM vendor command,
* have the TPM task process the message and report the result to the caller.
*
* Message header is always the same, the payload is the password, if
* supplied.
*
* Expected output is nothing on success, or a single byte EC return code.
*/
static int ccd_command_wrapper(int argc, char *password,
enum ccd_vendor_subcommands subcmd)
{
uint8_t buf[sizeof(struct ccd_vendor_cmd_header) +
CCD_MAX_PASSWORD_SIZE];
struct ccd_vendor_cmd_header *vch = (struct ccd_vendor_cmd_header *)buf;
size_t password_size = 0;
uint32_t return_code;
if (argc > 1) {
password_size = strlen(password);
if (password_size > CCD_MAX_PASSWORD_SIZE)
return EC_ERROR_PARAM1;
}
/* Build the extension command to set/clear CCD password. */
vch->tpm_header.tag = htobe16(0x8001); /* TPM_ST_NO_SESSIONS */
vch->tpm_header.size = htobe32(sizeof(*vch) + password_size);
vch->tpm_header.command_code = htobe32(TPM_CC_VENDOR_BIT_MASK);
vch->tpm_header.subcommand_code = htobe16(VENDOR_CC_CCD);
vch->ccd_subcommand = subcmd;
memcpy(vch + 1, password, password_size);
tpm_alt_extension(&vch->tpm_header, sizeof(buf));
/*
* Return status in the command code field now, in case of error,
* error code is the first byte after the header.
*/
return_code = be32toh(vch->tpm_header.command_code);
if ((return_code != VENDOR_RC_SUCCESS) &&
(return_code != (VENDOR_RC_IN_PROGRESS|VENDOR_RC_ERR))) {
return vch->ccd_subcommand;
}
return EC_SUCCESS;
}
static enum vendor_cmd_rc ccd_open(struct vendor_cmd_params *p)
{
int is_long = 1;
int need_pp = 1;
int rv;
char *buffer = p->buffer;
const char *why_denied = "forced";
if (force_disabled)
goto denied;
if (ccd_state == CCD_STATE_OPENED)
return VENDOR_RC_SUCCESS;
/* FWMP blocks open even if a password is set */
if (!board_fwmp_allows_unlock()) {
why_denied = "fwmp";
goto denied;
}
/* Make sure open is allowed */
if (raw_has_password()) {
/* Open allowed if correct password is specified */
if (!p->in_size) {
/* ...which it wasn't */
p->out_size = 1;
buffer[0] = EC_ERROR_PARAM_COUNT;
return VENDOR_RC_PASSWORD_REQUIRED;
}
/*
* We know there is plenty of room in the TPM buffer this is
* stored in.
*/
buffer[p->in_size] = '\0';
rv = raw_check_password(buffer);
if (rv) {
p->out_size = 1;
buffer[0] = rv;
return VENDOR_RC_INTERNAL_ERROR;
}
} else if (!board_battery_is_present()) {
/* Open allowed with no password if battery is removed */
} else if ((ccd_is_cap_enabled(CCD_CAP_OPEN_WITHOUT_DEV_MODE) ||
(board_vboot_dev_mode_enabled())) &&
(ccd_is_cap_enabled(CCD_CAP_OPEN_FROM_USB) ||
!(p->flags & VENDOR_CMD_FROM_USB))) {
/*
* Open allowed with no password if dev mode enabled and
* command came from the AP. CCD capabilities can be used to
* bypass these checks.
*/
} else {
/*
* - Battery is present
* - Either not in developer mode or the command came from USB
*/
why_denied = "open from AP in devmode or remove batt";
goto denied;
}
/* Fail and abort if already checking physical presence */
if (physical_detect_busy()) {
physical_detect_abort();
p->out_size = 1;
buffer[0] = EC_ERROR_BUSY;
return VENDOR_RC_INTERNAL_ERROR;
}
/* Reduce physical presence if enabled via config */
if (ccd_is_cap_enabled(CCD_CAP_OPEN_WITHOUT_LONG_PP))
is_long = 0;
if (!is_long && ccd_is_cap_enabled(CCD_CAP_UNLOCK_WITHOUT_SHORT_PP))
need_pp = 0;
/* Bypass physical presence check entirely if battery is removed */
if (ccd_is_cap_enabled(CCD_CAP_REMOVE_BATTERY_BYPASSES_PP) &&
!board_battery_is_present()) {
need_pp = 0;
}
if (need_pp) {
/* Start physical presence detect */
ccprintf("Starting CCD open...\n");
rv = physical_detect_start(is_long, ccd_open_done_async);
if (rv != EC_SUCCESS) {
p->out_size = 1;
buffer[0] = rv;
return VENDOR_RC_INTERNAL_ERROR;
}
return VENDOR_RC_IN_PROGRESS;
}
/* No physical presence required; go straight to done */
ccd_open_done(1);
return VENDOR_RC_SUCCESS;
denied:
/* Open not allowed for some reason */
CPRINTS("%s denied: %s", __func__, why_denied);
p->out_size = 1;
buffer[0] = EC_ERROR_ACCESS_DENIED;
return VENDOR_RC_NOT_ALLOWED;
}
static enum vendor_cmd_rc ccd_unlock(struct vendor_cmd_params *p)
{
int need_pp = 1;
int rv;
char *buffer = p->buffer;
if (force_disabled) {
p->out_size = 1;
buffer[0] = EC_ERROR_ACCESS_DENIED;
return VENDOR_RC_NOT_ALLOWED;
}
if (ccd_state == CCD_STATE_UNLOCKED)
return VENDOR_RC_SUCCESS;
/* Can go from opened to unlocked with no delay or password */
if (ccd_state == CCD_STATE_OPENED) {
ccd_unlock_done();
return VENDOR_RC_SUCCESS;
}
/* Only allowed if password is already set, and not blocked by FWMP */
if (!raw_has_password() || !board_fwmp_allows_unlock()) {
p->out_size = 1;
buffer[0] = EC_ERROR_ACCESS_DENIED;
return VENDOR_RC_NOT_ALLOWED;
}
/* Make sure password was specified */
if (!p->in_size) {
p->out_size = 1;
buffer[0] = EC_ERROR_PARAM_COUNT;
return VENDOR_RC_PASSWORD_REQUIRED;
}
/*
* Check the password. We know there is plenty of room in the TPM
* buffer this is stored in.
*/
buffer[p->in_size] = '\0';
rv = raw_check_password(buffer);
if (rv) {
p->out_size = 1;
buffer[0] = rv;
return VENDOR_RC_INTERNAL_ERROR;
}
/* Fail and abort if already checking physical presence */
if (physical_detect_busy()) {
physical_detect_abort();
p->out_size = 1;
buffer[0] = EC_ERROR_BUSY;
return VENDOR_RC_INTERNAL_ERROR;
}
/* Bypass physical presence check if configured to do so */
if (ccd_is_cap_enabled(CCD_CAP_UNLOCK_WITHOUT_SHORT_PP))
need_pp = 0;
/* Bypass physical presence check entirely if battery is removed */
if (ccd_is_cap_enabled(CCD_CAP_REMOVE_BATTERY_BYPASSES_PP) &&
!board_battery_is_present()) {
need_pp = 0;
}
if (need_pp) {
/* Start physical presence detect */
ccprintf("Starting CCD unlock...\n");
rv = physical_detect_start(0, ccd_unlock_done);
if (rv != EC_SUCCESS) {
p->out_size = 1;
buffer[0] = rv;
return VENDOR_RC_INTERNAL_ERROR;
}
return VENDOR_RC_IN_PROGRESS;
}
/* Unlock immediately */
ccd_unlock_done();
return VENDOR_RC_SUCCESS;
}
static enum vendor_cmd_rc ccd_lock(struct vendor_cmd_params *p)
{
/* Lock always works */
ccprintf("CCD locked.\n");
ccd_set_state(CCD_STATE_LOCKED);
return VENDOR_RC_SUCCESS;
}
/* NOTE: Testlab command is console-only; no TPM vendor command for this */
static int command_ccd_testlab(int argc, char **argv)
{
int newflag = 0;
if (force_disabled)
return EC_ERROR_ACCESS_DENIED;
if (argc < 2) {
ccprintf("CCD test lab mode %sbled\n",
ccd_get_flag(CCD_FLAG_TEST_LAB) ? "ena" : "disa");
return EC_SUCCESS;
}
if (!strcasecmp(argv[1], "open")) {
if (!ccd_get_flag(CCD_FLAG_TEST_LAB))
return EC_ERROR_ACCESS_DENIED;
/* Go directly to open state without wiping TPM or rebooting */
ccd_set_state(CCD_STATE_OPENED);
return EC_SUCCESS;
}
/* All other commands require CCD opened */
if (ccd_state != CCD_STATE_OPENED)
return EC_ERROR_ACCESS_DENIED;
if (!parse_bool(argv[1], &newflag))
return EC_ERROR_PARAM1;
if (newflag == ccd_get_flag(CCD_FLAG_TEST_LAB))
return EC_SUCCESS; /* No change */
/* If we're still here, need to toggle test lab flag */
ccprintf("Requesting change of test lab flag.\n");
if (newflag)
ccprintf("NOTE: THIS WILL MAKE THIS DEVICE INSECURE!!!\n");
return physical_detect_start(0, ccd_testlab_toggle);
}
#ifdef CONFIG_CASE_CLOSED_DEBUG_V1_UNSAFE
/**
* Test command to forcibly reset CCD config
*/
static int command_ccd_oops(void)
{
/* Completely reset CCD config and go to opened state */
force_disabled = 0;
ccprintf("Aborting physical detect...\n");
physical_detect_abort();
ccprintf("Resetting CCD config...\n");
ccd_reset_config(CCD_RESET_TEST_LAB);
ccprintf("Opening CCD...\n");
ccd_set_state(CCD_STATE_OPENED);
return EC_SUCCESS;
}
#endif /* CONFIG_CASE_CLOSED_DEBUG_V1_UNSAFE */
#ifdef CONFIG_CMD_CCD_DISABLE
static int command_ccd_disable(void)
{
ccd_disable();
return EC_SUCCESS;
}
#endif /* CONFIG_CMD_CCD_DISABLE */
static int command_ccd_help(void)
{
int i;
ccputs("usage: ccd [cmd [args]]\n\n"
"get (or just 'ccd')\n"
"\tPrint current config\n\n"
"lock\n"
"unlock [password]\n"
"open [password]\n"
"\tSet CCD state\n\n"
"set <capability> [");
cflush();
for (i = 0; i < CCD_CAP_STATE_COUNT; i++)
ccprintf("%s%s", i ? " | " : "", ccd_cap_state_names[i]);
ccputs("]\n"
"\tSet capability to state\n\n"
"password [<new password> | clear]\n"
"\tSet or clear CCD password\n\n"
"reset [factory]\n"
"\tReset CCD config\n\n"
"testlab [enable | disable | open]\n"
"\tToggle testlab mode or force CCD open\n\n");
cflush();
#ifdef CONFIG_CASE_CLOSED_DEBUG_V1_UNSAFE
ccputs("oops\n"
"\tForce-reset CCD config\n\n");
#endif
#ifdef CONFIG_CMD_CCD_DISABLE
ccputs("disable\n"
"\tTemporarily disable CCD\n\n");
#endif
return EC_SUCCESS;
}
/**
* Case closed debugging config command.
*/
static int command_ccd_body(int argc, char **argv)
{
/* If no args or 'get', print info */
if (argc < 2 || !strcasecmp(argv[1], "get"))
return command_ccd_info();
/* Check test lab command first */
if (!strcasecmp(argv[1], "testlab"))
return command_ccd_testlab(argc - 1, argv + 1);
/* Commands to set state */
if (!strcasecmp(argv[1], "lock"))
return ccd_command_wrapper(0, NULL, CCDV_LOCK);
if (!strcasecmp(argv[1], "unlock")) {
if (!raw_has_password()) {
ccprintf("Unlock only allowed after password is set\n");
return EC_ERROR_ACCESS_DENIED;
}
return ccd_command_wrapper(argc - 1, argv[2], CCDV_UNLOCK);
}
if (!strcasecmp(argv[1], "open"))
return ccd_command_wrapper(argc - 1, argv[2], CCDV_OPEN);
/* Commands to configure capabilities */
if (!strcasecmp(argv[1], "set"))
return command_ccd_set(argc - 1, argv + 1);
if (!strcasecmp(argv[1], "password")) {
if (argc != 3)
return EC_ERROR_PARAM_COUNT;
return ccd_command_wrapper(argc - 1, argv[2], CCDV_PASSWORD);
}
if (!strcasecmp(argv[1], "reset"))
return command_ccd_reset(argc - 1, argv + 1);
/* Optional commands */
#ifdef CONFIG_CASE_CLOSED_DEBUG_V1_UNSAFE
if (!strcasecmp(argv[1], "oops"))
return command_ccd_oops();
#endif
#ifdef CONFIG_CMD_CCD_DISABLE
if (!strcasecmp(argv[1], "disable"))
return command_ccd_disable();
#endif
/* Anything else (including "help") prints help */
return command_ccd_help();
}
static int command_ccd(int argc, char **argv)
{
int rv;
ccd_console_active = 1;
rv = command_ccd_body(argc, argv);
ccd_console_active = 0;
return rv;
}
DECLARE_SAFE_CONSOLE_COMMAND(ccd, command_ccd,
"[help | ...]",
"Configure case-closed debugging");
/*
* Handle the CCVD_PASSWORD subcommand.
*
* The payload of the command is a text string to use to set or clear the
* password.
*/
static enum vendor_cmd_rc ccd_password(struct vendor_cmd_params *p)
{
int rv = EC_SUCCESS;
char password[CCD_MAX_PASSWORD_SIZE + 1];
char *response = p->buffer;
/*
* Only allow setting a password from the AP, not USB. This increases
* the effort required for an attacker to set one externally, even if
* they have access to a system someone left in the opened state.
*
* An attacker can still set testlab mode or open up the CCD config,
* but those changes are reversible by the device owner.
*/
if (p->flags & VENDOR_CMD_FROM_USB) {
p->out_size = 1;
*response = EC_ERROR_ACCESS_DENIED;
return VENDOR_RC_NOT_ALLOWED;
}
if (!p->in_size || (p->in_size >= sizeof(password))) {
rv = EC_ERROR_PARAM1;
} else {
memcpy(password, p->buffer, p->in_size);
password[p->in_size] = '\0';
rv = do_ccd_password(password);
always_memset(password, 0, p->in_size);
}
if (rv != EC_SUCCESS) {
*response = rv;
p->out_size = 1;
return VENDOR_RC_INTERNAL_ERROR;
}
return VENDOR_RC_SUCCESS;
}
static enum vendor_cmd_rc ccd_pp_poll(struct vendor_cmd_params *p)
{
char *buffer = p->buffer;
if ((ccd_state == CCD_STATE_OPENED) ||
(ccd_state == CCD_STATE_UNLOCKED)) {
buffer[0] = CCD_PP_DONE;
} else {
switch (physical_presense_fsm_state()) {
case PP_AWAITING_PRESS:
buffer[0] = CCD_PP_AWAITING_PRESS;
break;
case PP_BETWEEN_PRESSES:
buffer[0] = CCD_PP_BETWEEN_PRESSES;
break;
default:
buffer[0] = CCD_PP_CLOSED;
break;
}
}
p->out_size = 1;
return VENDOR_RC_SUCCESS;
}
static enum vendor_cmd_rc ccd_pp_poll_unlock(struct vendor_cmd_params *p)
{
char *buffer = p->buffer;
if ((ccd_state != CCD_STATE_OPENED) &&
(ccd_state != CCD_STATE_UNLOCKED))
return ccd_pp_poll(p);
p->out_size = 1;
buffer[0] = CCD_PP_DONE;
return VENDOR_RC_SUCCESS;
}
static enum vendor_cmd_rc ccd_pp_poll_open(struct vendor_cmd_params *p)
{
char *buffer = p->buffer;
if (ccd_state != CCD_STATE_OPENED)
return ccd_pp_poll(p);
p->out_size = 1;
buffer[0] = CCD_PP_DONE;
return VENDOR_RC_SUCCESS;
}
static enum vendor_cmd_rc ccd_get_info(struct vendor_cmd_params *p)
{
int i;
struct ccd_info_response response = {};
for (i = 0; i < CCD_CAP_COUNT; i++) {
int index;
int shift;
/* Each capability takes 2 bits. */
index = i / (32 / CCD_CAP_BITS);
shift = (i % (32 / CCD_CAP_BITS)) * CCD_CAP_BITS;
response.ccd_caps_current[index] |= raw_get_cap(i, 1) << shift;
response.ccd_caps_defaults[index] |=
cap_info[i].default_state << shift;
}
response.ccd_flags = htobe32(raw_get_flags());
response.ccd_state = ccd_get_state();
response.ccd_indicator_bitmap = raw_has_password() ?
CCD_INDICATOR_BIT_HAS_PASSWORD : 0;
response.ccd_indicator_bitmap |= raw_check_all_caps_default() ?
CCD_INDICATOR_BIT_ALL_CAPS_DEFAULT : 0;
response.ccd_force_disabled = force_disabled;
for (i = 0; i < ARRAY_SIZE(response.ccd_caps_current); i++) {
response.ccd_caps_current[i] =
htobe32(response.ccd_caps_current[i]);
response.ccd_caps_defaults[i] =
htobe32(response.ccd_caps_defaults[i]);
}
p->out_size = sizeof(response);
memcpy(p->buffer, &response, sizeof(response));
return VENDOR_RC_SUCCESS;
}
/*
* Common TPM Vendor command handler used to demultiplex various CCD commands
* which need to be available both throuh CLI and over /dev/tpm0.
*/
static enum vendor_cmd_rc ccd_vendor(struct vendor_cmd_params *p)
{
enum vendor_cmd_rc (*handler)(struct vendor_cmd_params *p);
enum vendor_cmd_rc rc;
/*
* The command buffer points to the next byte after tpm header, i.e. to
* the CCD subcommand. Cache the pointer to make it easier to access
* and manipulate.
*/
char *buffer = p->buffer;
/*
* Make sure the buffer is large enough to accommodate any CCD
* subcommand response (plus one byte, since the response is shifted),
* so we can skip size checks in the processing functions.
*/
if (p->out_size < sizeof(struct ccd_info_response) + 1) {
p->out_size = 0;
return VENDOR_RC_RESPONSE_TOO_BIG;
}
/* Now we can assume no output data unless proven otherwise */
p->out_size = 0;
/* Pick what to do based on subcommand. */
switch (buffer[0]) {
case CCDV_PASSWORD:
handler = ccd_password;
break;
case CCDV_OPEN:
handler = ccd_open;
break;
case CCDV_UNLOCK:
handler = ccd_unlock;
break;
case CCDV_LOCK:
handler = ccd_lock;
break;
case CCDV_PP_POLL_UNLOCK:
handler = ccd_pp_poll_unlock;
break;
case CCDV_PP_POLL_OPEN:
handler = ccd_pp_poll_open;
break;
case CCDV_GET_INFO:
handler = ccd_get_info;
break;
default:
CPRINTS("%s:%d - unknown subcommand", __func__, __LINE__);
return VENDOR_RC_NO_SUCH_SUBCOMMAND;
}
/* Shift buffer past the subcommand when calling the handler */
p->buffer = buffer + 1;
p->in_size--;
rc = handler(p);
p->buffer = buffer;
p->in_size++;
/*
* Move response up for the controller to see it in the right
* place in the response buffer. We have to do this because the
* first byte of the buffer on input was the subcommand, so we
* passed buffer + 1 in the handler call above.
*/
memmove(buffer, buffer + 1, p->out_size);
return rc;
}
DECLARE_VENDOR_COMMAND_P(VENDOR_CC_CCD, ccd_vendor);
static enum vendor_cmd_rc ccd_disable_factory_mode(enum vendor_cmd_cc code,
void *buf,
size_t input_size,
size_t *response_size)
{
int rv = EC_SUCCESS;
int error_line;
do {
if (raw_has_password()) {
error_line = __LINE__;
rv = EC_ERROR_ACCESS_DENIED;
break;
}
/* Check if physical presence is required to unlock. */
if (!ccd_is_cap_enabled(CCD_CAP_REMOVE_BATTERY_BYPASSES_PP) ||
board_battery_is_present()) {
const uint8_t required_capabilities[] = {
CCD_CAP_OPEN_WITHOUT_TPM_WIPE,
CCD_CAP_UNLOCK_WITHOUT_AP_REBOOT,
CCD_CAP_OPEN_WITHOUT_LONG_PP,
CCD_CAP_UNLOCK_WITHOUT_SHORT_PP
};
unsigned int i;
for (i = 0;
i < ARRAY_SIZE(required_capabilities);
i++) {
if (!ccd_is_cap_enabled
(required_capabilities[i]))
break;
}
if (i < ARRAY_SIZE(required_capabilities)) {
CPRINTF("Capability %d is not present\n",
required_capabilities[i]);
error_line = __LINE__;
rv = EC_ERROR_ACCESS_DENIED;
break;
}
}
ccd_set_state(CCD_STATE_OPENED);
rv = command_ccd_reset(0, NULL);
if (rv != EC_SUCCESS) {
error_line = __LINE__;
break;
}
ccd_lock(NULL);
/*
* We do it here to make sure that the device comes out of
* factory mode with WP enabled, but in general CCD reset needs
* to enforce WP state.
*
* TODO(rspangler): sort out CCD state and WP correlation,
* b/73075443.
*/
board_wp_follow_ccd_config();
/*
* Use raw_set_flag() because the factory mode flag is internal
*/
mutex_lock(&ccd_config_mutex);
raw_set_flag(CCD_FLAG_FACTORY_MODE_ENABLED, 0);
mutex_unlock(&ccd_config_mutex);
*response_size = 0;
return VENDOR_RC_SUCCESS;
} while (0);
CPRINTF("%s: error in line %d\n", __func__, error_line);
((uint8_t *)buf)[0] = (uint8_t)rv;
*response_size = 1;
return VENDOR_RC_INTERNAL_ERROR;
}
DECLARE_VENDOR_COMMAND(VENDOR_CC_DISABLE_FACTORY, ccd_disable_factory_mode);
|