tpm: Allow committing non-volatile data
authorSimon Glass <sjg@chromium.org>
Wed, 31 Aug 2022 03:05:38 +0000 (21:05 -0600)
committerIlias Apalodimas <ilias.apalodimas@linaro.org>
Sat, 3 Sep 2022 13:59:05 +0000 (16:59 +0300)
Add an option to tell the TPM to commit non-volatile data immediately it
is changed, rather than waiting until later. This is needed in some
situations, since if the device reboots it may not write the data.

Add definitions for the rest of the Cr50 commands while we are here.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
include/tpm-v2.h
lib/tpm-v2.c

index 36c6ac0be6ee7b2c6538dc3a751e9df7e66b4597..737e57551d738cd6aa741756a99dbc6409c5d3dc 100644 (file)
@@ -671,4 +671,21 @@ u32 tpm2_submit_command(struct udevice *dev, const u8 *sendbuf,
 u32 tpm2_report_state(struct udevice *dev, uint vendor_cmd, uint vendor_subcmd,
                      u8 *recvbuf, size_t *recv_size);
 
+/**
+ * tpm2_enable_nvcommits() - Tell TPM to commit NV data immediately
+ *
+ * For Chromium OS verified boot, we may reboot or reset at different times,
+ * possibly leaving non-volatile data unwritten by the TPM.
+ *
+ * This vendor command is used to indicate that non-volatile data should be
+ * written to its store immediately.
+ *
+ * @dev                TPM device
+ * @vendor_cmd:        Vendor command number to send
+ * @vendor_subcmd: Vendor sub-command number to send
+ * Return: result of the operation
+ */
+u32 tpm2_enable_nvcommits(struct udevice *dev, uint vendor_cmd,
+                         uint vendor_subcmd);
+
 #endif /* __TPM_V2_H */
index edee9854a7c1040a356c2e735446ad79df4dedff..697b982e079fbdc4f4ebf1ed8daa953ef9647f5f 100644 (file)
@@ -704,3 +704,24 @@ u32 tpm2_report_state(struct udevice *dev, uint vendor_cmd, uint vendor_subcmd,
 
        return 0;
 }
+
+u32 tpm2_enable_nvcommits(struct udevice *dev, uint vendor_cmd,
+                         uint vendor_subcmd)
+{
+       u8 command_v2[COMMAND_BUFFER_SIZE] = {
+               /* header 10 bytes */
+               tpm_u16(TPM2_ST_NO_SESSIONS),           /* TAG */
+               tpm_u32(10 + 2),                        /* Length */
+               tpm_u32(vendor_cmd),    /* Command code */
+
+               tpm_u16(vendor_subcmd),
+       };
+       int ret;
+
+       ret = tpm_sendrecv_command(dev, command_v2, NULL, NULL);
+       log_debug("ret=%s, %x\n", dev->name, ret);
+       if (ret)
+               return ret;
+
+       return 0;
+}