diff options
author | Aseda Aboagye <aaboagye@google.com> | 2021-07-15 16:19:04 -0700 |
---|---|---|
committer | Patrick Georgi <pgeorgi@google.com> | 2021-07-26 07:27:48 +0000 |
commit | b9d94ecd78c4c85aa27e8b6a692f413eff2ed9a3 (patch) | |
tree | cd1f2051200fe87241c0f1cfbd624d21cdccb96d /src/lib | |
parent | ce79ceec86a38145b3a27aa4c78cf83a76cd51d0 (diff) |
vboot/secdata_tpm: Add WRITE_STCLEAR attr to RW ARB spaces
It can be nice to update the TPM firmware without having to clear the
TPM owner. However, in order to do so would require platformHierarchy
to be enabled which would leave the kernel antirollback space a bit
vulnerable. To protect the kernel antirollback space from being written
to by the OS, we can use the WriteLock command. In order to do so we
need to add the WRITE_STCLEAR TPM attribute.
This commit adds the WRITE_STCLEAR TPM attribute to the rw antirollback
spaces. This includes the kernel antirollback space along with the MRC
space. When an STCLEAR attribute is set, this indicates that the TPM
object will need to be reloaded after any TPM Startup (CLEAR).
BUG=b:186029006
BRANCH=None
TEST=Build and flash a chromebook with no kernel antirollback space set
up, boot to Chrome OS, run `tpm_manager_client get_space_info
--index=0x1007` and verify that the WRITE_STCLEAR attribute is present.
Signed-off-by: Aseda Aboagye <aaboagye@google.com>
Change-Id: I3181b4c18acd908e924ad858b677e891312423fe
Reviewed-on: https://review.coreboot.org/c/coreboot/+/56358
Reviewed-by: Julius Werner <jwerner@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Diffstat (limited to 'src/lib')
0 files changed, 0 insertions, 0 deletions