author | Sergii Dmytruk <sergii.dmytruk@3mdeb.com> | 2022-11-02 00:50:03 +0200 |
---|---|---|
committer | Martin L Roth <gaumless@gmail.com> | 2024-03-28 15:18:04 +0000 |
commit | 47e9e8cde1810ee9f249027b14ee9f82a7a52d84 (patch) | |
tree | 77771e49f8121bebb1b5904940ff7abf2714dccb /src/security/tpm | |
parent | 094a051732341d20e82c349ea10f85faea6e58d1 (diff) |
security/tpm: replace CONFIG(TPMx) checks with runtime check
This prepares the code for enabling both CONFIG_TPM1 and CONFIG_TPM2
during compilation, in which case actual TPM family in use can be
determined at runtime.
In some places both compile-time and runtime checks are necessary.
Yet in places like probe functions runtime state checks don't make sense
as runtime state is defined by results of probing.
Change-Id: Id9cc25aad8d1d7bfad12b7a92059b1b3641bbfa9
Ticket: https://ticket.coreboot.org/issues/433
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/69161
Reviewed-by: Jérémy Compostella <jeremy.compostella@intel.com>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Diffstat (limited to 'src/security/tpm')
-rw-r--r-- | src/security/tpm/tspi/crtm.h | 6 | ||||
-rw-r--r-- | src/security/tpm/tspi/tspi.c | 25 | ||||
-rw-r--r-- | src/security/tpm/tss.h | 31 |
3 files changed, 39 insertions, 23 deletions
diff --git a/src/security/tpm/tspi/crtm.h b/src/security/tpm/tspi/crtm.h
index 6f5eb2e716..69043e233a 100644
--- a/src/security/tpm/tspi/crtm.h
+++ b/src/security/tpm/tspi/crtm.h
@@ -9,10 +9,8 @@
 #include <types.h>
 #include <vb2_sha.h>
 
-#if CONFIG(TPM_LOG_CB) && CONFIG(TPM1)
-# define TPM_MEASURE_ALGO VB2_HASH_SHA1
-#elif CONFIG(TPM_LOG_CB) && CONFIG(TPM2)
-# define TPM_MEASURE_ALGO VB2_HASH_SHA256
+#if CONFIG(TPM_LOG_CB)
+# define TPM_MEASURE_ALGO (tlcl_get_family() == TPM_1 ? VB2_HASH_SHA1 : VB2_HASH_SHA256)
 #elif CONFIG(TPM_LOG_TPM1)
 # define TPM_MEASURE_ALGO VB2_HASH_SHA1
 #elif CONFIG(TPM_LOG_TPM2)
diff --git a/src/security/tpm/tspi/tspi.c b/src/security/tpm/tspi/tspi.c
index 1a0f1d5c88..56b8fa8ede 100644
--- a/src/security/tpm/tspi/tspi.c
+++ b/src/security/tpm/tspi/tspi.c
@@ -17,6 +17,9 @@ static tpm_result_t tpm1_invoke_state_machine(void)
 uint8_t deactivated;
 tpm_result_t rc = TPM_SUCCESS;
 
+ if (tlcl_get_family() != TPM_1)
+ return rc;
+
 /* Check that the TPM is enabled and activated. */
 rc = tlcl1_get_flags(&disabled, &deactivated, NULL);
 if (rc != TPM_SUCCESS) {
@@ -199,19 +202,19 @@ tpm_result_t tpm_clear_and_reenable(void)
 return rc;
 }
 
-#if CONFIG(TPM1)
- rc = tlcl1_set_enable();
- if (rc != TPM_SUCCESS) {
- printk(BIOS_ERR, "TPM Error (%#x): Can't set enabled state.\n", rc);
- return rc;
- }
+ if (tlcl_get_family() == TPM_1) {
+ rc = tlcl1_set_enable();
+ if (rc != TPM_SUCCESS) {
+ printk(BIOS_ERR, "TPM Error (%#x): Can't set enabled state.\n", rc);
+ return rc;
+ }
 
- rc = tlcl1_set_deactivated(0);
- if (rc != TPM_SUCCESS) {
- printk(BIOS_ERR, "TPM Error (%#x): Can't set deactivated state.\n", rc);
- return rc;
+ rc = tlcl1_set_deactivated(0);
+ if (rc != TPM_SUCCESS) {
+ printk(BIOS_ERR, "TPM Error (%#x): Can't set deactivated state.\n", rc);
+ return rc;
+ }
 }
-#endif
 
 return TPM_SUCCESS;
 }
diff --git a/src/security/tpm/tss.h b/src/security/tpm/tss.h
index 3a019ead32..c9aec08262 100644
--- a/src/security/tpm/tss.h
+++ b/src/security/tpm/tss.h
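Review bot: `TPM_MEASURE_ALGO` in the `CONFIG(TPM_LOG_CB)` branch of crtm.h now selects `VB2_HASH_SHA256` for every family other than `TPM_1`, which includes `TPM_UNKNOWN`. If a measurement is hashed before the family has been probed in a build with both TPM1 and TPM2 enabled, a TPM 1.2 board would presumably record SHA256 digests where the removed lines used SHA1; whether any caller runs that early is not visible in this hunk. The macro is also no longer a constant expression, so it can no longer appear in `#if` or a static initializer. A comment above the define would record both, e.g. `/* Runtime value: TPM_UNKNOWN (family not probed yet) selects SHA256; not usable in constant expressions. */`.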
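Review bot: The early return added at the top of `tpm1_invoke_state_machine()` in tspi.c reports `TPM_SUCCESS` for every family other than `TPM_1`, so `TPM_UNKNOWN` is treated like a TPM 2.0 with nothing to do, while `TLCL_CALL` in tss.h returns `TPM_CB_INTERNAL_INCONSISTENCY` for the same state. Unless the caller already rejects an unknown family (not visible here), an explicit check ahead of the `!= TPM_1` test would keep the two consistent: `if (tlcl_get_family() == TPM_UNKNOWN) return TPM_CB_INTERNAL_INCONSISTENCY;`. The `if (tlcl_get_family() == TPM_1)` block in `tpm_clear_and_reenable()` in the following hunk skips the enable/activate steps silently in the same situation. Both function bodies continue outside their hunks.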
@@ -33,16 +33,31 @@
 */
 tpm_result_t tlcl_lib_init(void);
 
-/* Commands */
+/**
+ * Query active TPM family. Returns TPM_UNKNOWN if uninitialized and TPM_1 or TPM_2 otherwise.
+ */
+static inline enum tpm_family tlcl_get_family(void)
+{
+ /* Defined in tss/tss.c */
+ extern enum tpm_family tlcl_tpm_family;
+
+ if (CONFIG(TPM1) && CONFIG(TPM2))
+ return tlcl_tpm_family;
+ if (CONFIG(TPM1))
+ return TPM_1;
+ if (CONFIG(TPM2))
+ return TPM_2;
+ return TPM_UNKNOWN;
+}
 
-extern enum tpm_family tlcl_tpm_family;
+/* Commands */
 
-#define TLCL_CALL(name, ...) do { \
- if (CONFIG(TPM1) && (!CONFIG(TPM2) || tlcl_tpm_family == TPM_1)) \
- return tlcl1_##name(__VA_ARGS__); \
- if (CONFIG(TPM2) && (!CONFIG(TPM1) || tlcl_tpm_family == TPM_2)) \
- return tlcl2_##name(__VA_ARGS__); \
- return TPM_CB_INTERNAL_INCONSISTENCY; \
+#define TLCL_CALL(name, ...) do { \
+ if (tlcl_get_family() == TPM_1) \
+ return tlcl1_##name(__VA_ARGS__); \
+ if (tlcl_get_family() == TPM_2) \
+ return tlcl2_##name(__VA_ARGS__); \
+ return TPM_CB_INTERNAL_INCONSISTENCY; \
 } while (0)
 
 /** |
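Review bot: The doc comment on `tlcl_get_family()` says it returns `TPM_UNKNOWN` if uninitialized, but the body only does so when both `CONFIG(TPM1)` and `CONFIG(TPM2)` are set; with a single family enabled it returns `TPM_1` or `TPM_2` unconditionally, and with neither it always returns `TPM_UNKNOWN`. Callers therefore cannot use the result as an "is the TPM initialized" test in single-family builds. I would reword the comment along the lines of `Returns the only compiled-in family, or tlcl_tpm_family (TPM_UNKNOWN until set) when both are enabled.` `TLCL_CALL` now evaluates `tlcl_get_family()` twice, which is harmless as long as the function stays a plain read.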