tpm: Allow disabling platform hierarchy with TPM2
authorSimon Glass <sjg@chromium.org>
Sat, 6 Feb 2021 21:23:42 +0000 (14:23 -0700)
committerTom Rini <trini@konsulko.com>
Tue, 2 Mar 2021 20:53:37 +0000 (15:53 -0500)
With TPM2 we don't actually lock the TPM once verified boot is finished.
Instead we disable the platform hierarchy which serves the same purpose.
Add an implementation of this so we can safely boot into the kernel.

Signed-off-by: Simon Glass <sjg@chromium.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
include/tpm-v2.h
lib/tpm-v2.c

index fa3296a7b0e47e38959c97482c29cd8608730fc8..df67a196cf32d1ffac938bda4cad7085f6c84b64 100644 (file)
@@ -237,6 +237,7 @@ enum tpm2_handles {
 enum tpm2_command_codes {
        TPM2_CC_STARTUP         = 0x0144,
        TPM2_CC_SELF_TEST       = 0x0143,
+       TPM2_CC_HIER_CONTROL    = 0x0121,
        TPM2_CC_CLEAR           = 0x0126,
        TPM2_CC_CLEARCONTROL    = 0x0127,
        TPM2_CC_HIERCHANGEAUTH  = 0x0129,
@@ -274,6 +275,7 @@ enum tpm2_return_codes {
        TPM2_RC_COMMAND_CODE    = TPM2_RC_VER1 + 0x0043,
        TPM2_RC_AUTHSIZE        = TPM2_RC_VER1 + 0x0044,
        TPM2_RC_AUTH_CONTEXT    = TPM2_RC_VER1 + 0x0045,
+       TPM2_RC_NV_DEFINED      = TPM2_RC_VER1 + 0x004c,
        TPM2_RC_NEEDS_TEST      = TPM2_RC_VER1 + 0x0053,
        TPM2_RC_WARN            = 0x0900,
        TPM2_RC_TESTING         = TPM2_RC_WARN + 0x000A,
@@ -584,4 +586,15 @@ u32 tpm2_get_random(struct udevice *dev, void *data, u32 count);
  */
 u32 tpm2_write_lock(struct udevice *dev, u32 index);
 
+/**
+ * Disable access to any platform data
+ *
+ * This can be called to close off access to the firmware data in the data,
+ * before calling the kernel.
+ *
+ * @dev                TPM device
+ * @return code of the operation
+ */
+u32 tpm2_disable_platform_hierarchy(struct udevice *dev);
+
 #endif /* __TPM_V2_H */
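Review bot: The new kernel-doc for tpm2_disable_platform_hierarchy() says "firmware data in the data", which looks like a slip for "in the TPM", and `@return code of the operation` does not tell a caller what a failure means. The commit message presents this call as the TPM2 replacement for locking the TPM before the kernel runs, so the comment should state that a non-zero return means the platform hierarchy must be assumed still enabled and the caller should not hand over to the kernel as if it were closed. Suggested wording: `@return 0 if the platform hierarchy was disabled, otherwise the TPM error code (hierarchy must be assumed still enabled)`.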
index b796004930e870d1ba12ce95b69d8fb19b70f076..235f8c20d4349b1ac5ea783d79369945456c4869 100644 (file)
@@ -624,3 +624,38 @@ u32 tpm2_write_lock(struct udevice *dev, u32 index)
 
        return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
 }
+
+u32 tpm2_disable_platform_hierarchy(struct udevice *dev)
+{
+       struct tpm_chip_priv *priv = dev_get_uclass_priv(dev);
+       u8 command_v2[COMMAND_BUFFER_SIZE] = {
+               /* header 10 bytes */
+               tpm_u16(TPM2_ST_SESSIONS),      /* TAG */
+               tpm_u32(10 + 4 + 13 + 5),       /* Length */
+               tpm_u32(TPM2_CC_HIER_CONTROL),  /* Command code */
+
+               /* 4 bytes */
+               tpm_u32(TPM2_RH_PLATFORM),      /* Primary platform seed */
+
+               /* session header 9 bytes */
+               tpm_u32(9),                     /* Header size */
+               tpm_u32(TPM2_RS_PW),            /* Password authorisation */
+               tpm_u16(0),                     /* nonce_size */
+               0,                              /* session_attrs */
+               tpm_u16(0),                     /* auth_size */
+
+               /* payload 5 bytes */
+               tpm_u32(TPM2_RH_PLATFORM),      /* Hierarchy to disable */
+               0,                              /* 0=disable */
+       };
+       int ret;
+
+       ret = tpm_sendrecv_command(dev, command_v2, NULL, NULL);
+       log_info("ret=%s, %x\n", dev->name, ret);
+       if (ret)
+               return ret;
+
+       priv->plat_hier_disabled = true;
+
+       return 0;
+}
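Review bot: The `log_info("ret=%s, %x\n", dev->name, ret);` line after the send prints the device name under the label `ret` and fires at info level on every call, so a failed hierarchy disable leaves only a confusing line in the boot log. Something like `log_debug("%s: HIER_CONTROL ret=%x\n", dev->name, ret);`, plus a `log_err` on the non-zero path, would make a failure stand out to whoever audits the console output. The command is built with password authorisation and `auth_size` 0, so it will presumably be rejected if earlier boot code has set a platform auth value; that case comes back to the caller only as the raw return code. `ret` is also declared `int` while both this function and `tpm_sendrecv_command()` are `u32` in the visible signatures, so declaring it `u32` avoids the implicit conversions.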