tpm2: implement locking firmware rollback counter

TPM1.2 is using the somewhat misnamed tlcl_set_global_lock() command
function to lock the hardware rollback counter. For TPM2 let's
implement and use the TPM2 command to lock an NV Ram location
(TPM2_NV_WriteLock).

BRANCH=none
BUG=chrome-os-partner:50645
TEST=verified that TPM2_NV_WriteLock command is invoked before RO
     firmware starts RW, and succeeds.

Change-Id: I52aa8db95b908488ec4cf0843afeb6310dc7f38b
Signed-off-by: Martin Roth <martinroth@chromium.org>
Original-Commit-Id: 2f859335dfccfeea900f15bbb8c6cb3fd5ec8c77
Original-Change-Id: I62f22b9991522d4309cccc44180a5ebd4dca488d
Original-Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Original-Reviewed-on: https://chromium-review.googlesource.com/358097
Original-Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Original-Reviewed-by: Darren Krahn <dkrahn@chromium.org>
Reviewed-on: https://review.coreboot.org/15638
Tested-by: build bot (Jenkins)
Reviewed-by: Patrick Georgi <pgeorgi@google.com>

1 files changed, 5 insertions, 0 deletions

diff --git a/src/lib/tpm2_tlcl_structures.h b/src/lib/tpm2_tlcl_structures.h
index 8e518583bc..1e7fcf05fa 100644
--- a/src/lib/tpm2_tlcl_structures.h
+++ b/src/lib/tpm2_tlcl_structures.h
@@ -59,6 +59,7 @@ struct tpm_header {
 #define TPM2_Clear          ((TPM_CC)0x00000126)
 #define TPM2_NV_DefineSpace ((TPM_CC)0x0000012A)
 #define TPM2_NV_Write       ((TPM_CC)0x00000137)
+#define TPM2_NV_WriteLock   ((TPM_CC)0x00000138)
 #define TPM2_SelfTest       ((TPM_CC)0x00000143)
 #define TPM2_Startup        ((TPM_CC)0x00000144)
 #define TPM2_NV_Read        ((TPM_CC)0x0000014E)
@@ -301,4 +302,8 @@ struct tpm2_nv_read_cmd {
 	uint16_t offset;
 };
 
+struct tpm2_nv_write_lock_cmd {
+	TPMI_RH_NV_INDEX nvIndex;
+};
+
 #endif // __SRC_LIB_TPM2_TLCL_STRUCTURES_H