vboot/secdata_tpm: Add WRITE_STCLEAR attr to RW ARB spaces - coreboot.git

diff options

author	Aseda Aboagye <aaboagye@google.com>	2021-07-15 16:19:04 -0700
committer	Patrick Georgi <pgeorgi@google.com>	2021-07-26 07:27:48 +0000
commit	b9d94ecd78c4c85aa27e8b6a692f413eff2ed9a3 (patch)
tree	cd1f2051200fe87241c0f1cfbd624d21cdccb96d /src/arch/x86
parent	ce79ceec86a38145b3a27aa4c78cf83a76cd51d0 (diff)

vboot/secdata_tpm: Add WRITE_STCLEAR attr to RW ARB spaces

It can be nice to update the TPM firmware without having to clear the TPM owner. However, in order to do so would require platformHierarchy to be enabled which would leave the kernel antirollback space a bit vulnerable. To protect the kernel antirollback space from being written to by the OS, we can use the WriteLock command. In order to do so we need to add the WRITE_STCLEAR TPM attribute. This commit adds the WRITE_STCLEAR TPM attribute to the rw antirollback spaces. This includes the kernel antirollback space along with the MRC space. When an STCLEAR attribute is set, this indicates that the TPM object will need to be reloaded after any TPM Startup (CLEAR). BUG=b:186029006 BRANCH=None TEST=Build and flash a chromebook with no kernel antirollback space set up, boot to Chrome OS, run `tpm_manager_client get_space_info --index=0x1007` and verify that the WRITE_STCLEAR attribute is present. Signed-off-by: Aseda Aboagye <aaboagye@google.com> Change-Id: I3181b4c18acd908e924ad858b677e891312423fe Reviewed-on: https://review.coreboot.org/c/coreboot/+/56358 Reviewed-by: Julius Werner <jwerner@chromium.org> Tested-by: build bot (Jenkins) <no-reply@coreboot.org>

Diffstat (limited to 'src/arch/x86')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: