Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/Makefile.inc | 2 | ||||
-rw-r--r-- | src/lib/tpm2_marshaling.c | 23 | ||||
-rw-r--r-- | src/lib/tpm2_tlcl.c | 16 | ||||
-rw-r--r-- | src/lib/tpm2_tlcl_structures.h | 26 |
4 files changed, 57 insertions, 10 deletions
diff --git a/src/lib/Makefile.inc b/src/lib/Makefile.inc
index 2d5aa57fe7..9a9ddc865e 100644
--- a/src/lib/Makefile.inc
+++ b/src/lib/Makefile.inc
@@ -144,6 +144,8 @@ ramstage-$(CONFIG_GENERIC_GPIO_LIB) += gpio.c
 ramstage-$(CONFIG_GENERIC_UDELAY) += timer.c
 ramstage-y += b64_decode.c
 ramstage-$(CONFIG_ACPI_NHLT) += nhlt.c
+ramstage-$(CONFIG_TPM2) += tpm2_marshaling.c
+ramstage-$(CONFIG_TPM2) += tpm2_tlcl.c
 
 romstage-y += cbmem_common.c
 romstage-y += imd_cbmem.c
diff --git a/src/lib/tpm2_marshaling.c b/src/lib/tpm2_marshaling.c
index 1edc69007a..38c8d2f05c 100644
--- a/src/lib/tpm2_marshaling.c
+++ b/src/lib/tpm2_marshaling.c
@@ -373,6 +373,23 @@ static void marshal_selftest(void **buffer,
 marshal_u8(buffer, command_body->yes_no, buffer_space);
 }
 
+static void marshal_hierarchy_control(void **buffer,
+ struct tpm2_hierarchy_control_cmd *command_body,
+ size_t *buffer_space)
+{
+ struct tpm2_session_header session_header;
+
+ car_set_var(tpm_tag, TPM_ST_SESSIONS);
+
+ marshal_TPM_HANDLE(buffer, TPM_RH_PLATFORM, buffer_space);
+ memset(&session_header, 0, sizeof(session_header));
+ session_header.session_handle = TPM_RS_PW;
+ marshal_session_header(buffer, &session_header, buffer_space);
+
+ marshal_TPM_HANDLE(buffer, command_body->enable, buffer_space);
+ marshal_u8(buffer, command_body->state, buffer_space);
+}
+
 int tpm_marshal_command(TPM_CC command, void *tpm_command_body,
 void *buffer, size_t buffer_size)
 {
@@ -414,6 +431,11 @@ int tpm_marshal_command(TPM_CC command, void *tpm_command_body,
 marshal_selftest(&cmd_body, tpm_command_body, &body_size);
 break;
 
+ case TPM2_Hierarchy_Control:
+ marshal_hierarchy_control(&cmd_body, tpm_command_body,
+ &body_size);
+ break;
+
 case TPM2_Clear:
 marshal_clear(&cmd_body, &body_size);
 break;
@@ -583,6 +605,7 @@ struct tpm2_response *tpm_unmarshal_response(TPM_CC command,
 &tpm2_resp->nvr);
 break;
 
+ case TPM2_Hierarchy_Control:
 case TPM2_Clear:
 case TPM2_NV_DefineSpace:
 case TPM2_NV_Write:
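Review bot: marshal_hierarchy_control() hard-codes TPM_RH_PLATFORM as the authorizing handle and sends a zero-filled password session (TPM_RS_PW), yet nothing in the function states the precondition this implies. Assuming the zeroed session header encodes an empty password (the struct is not shown here), the TPM will accept the command only while the platform hierarchy is still enabled and its authorization value is empty. I would put a comment above the function such as `/* Authorized by the platform hierarchy with an empty password; must be issued before platformAuth is set and before the platform hierarchy itself is disabled. */`. `command_body->enable` and `command_body->state` are marshaled as given, so an unexpected handle or flag value is rejected only by the TPM's response code; the same comment should say that callers must check the response.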
diff --git a/src/lib/tpm2_tlcl.c b/src/lib/tpm2_tlcl.c
index 6f5243e160..6c0cd6e2b2 100644
--- a/src/lib/tpm2_tlcl.c
+++ b/src/lib/tpm2_tlcl.c
@@ -369,3 +369,19 @@ uint32_t tlcl_define_space(uint32_t space_index, size_t space_size)
 return TPM_E_INTERNAL_INCONSISTENCY;
 }
 }
+
+uint32_t tlcl_disable_platform_hierarchy(void)
+{
+ struct tpm2_response *response;
+ struct tpm2_hierarchy_control_cmd hc = {
+ .enable = TPM_RH_PLATFORM,
+ .state = 0,
+ };
+
+ response = tpm_process_command(TPM2_Hierarchy_Control, &hc);
+
+ if (!response || response->hdr.tpm_code)
+ return TPM_E_INTERNAL_INCONSISTENCY;
+
+ return TPM_SUCCESS;
+}
diff --git a/src/lib/tpm2_tlcl_structures.h b/src/lib/tpm2_tlcl_structures.h
index 36a3e8b253..c5c6d87985 100644
--- a/src/lib/tpm2_tlcl_structures.h
+++ b/src/lib/tpm2_tlcl_structures.h
@@ -28,7 +28,7 @@ typedef uint8_t TPMI_YES_NO;
 typedef TPM_ALG_ID TPMI_ALG_HASH;
 typedef TPM_HANDLE TPMI_DH_PCR;
 typedef TPM_HANDLE TPMI_RH_NV_INDEX;
-typedef TPM_HANDLE TPMI_RH_PROVISION;
+typedef TPM_HANDLE TPMI_RH_ENABLES;
 typedef TPM_HANDLE TPMI_SH_AUTH_SESSION;
 typedef TPM_HANDLE TPM_RH;
 
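Review bot: tlcl_disable_platform_hierarchy() folds a missing response and every non-zero TPM response code into TPM_E_INTERNAL_INCONSISTENCY, so neither the caller nor the boot log can tell why the platform hierarchy stayed enabled. A failure here leaves platform authorization available to whatever runs next, so I would record the code before returning, for example `printk(BIOS_ERR, "%s: response %#x\n", __func__, response ? response->hdr.tpm_code : 0);`, provided console output is available in this file (its includes are not visible in the hunk). The function also needs a header comment saying that it clears the platform hierarchy enable, that callers must treat any return other than TPM_SUCCESS as a failed lock-down, and that, as far as I understand the TPM 2.0 specification, the hierarchy stays disabled until the TPM is next restarted.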
@@ -59,15 +59,16 @@ struct tpm_header {
 } __attribute__((packed));
 
 /* TPM command codes. */
-#define TPM2_Clear ((TPM_CC)0x00000126)
-#define TPM2_NV_DefineSpace ((TPM_CC)0x0000012A)
-#define TPM2_NV_Write ((TPM_CC)0x00000137)
-#define TPM2_NV_WriteLock ((TPM_CC)0x00000138)
-#define TPM2_SelfTest ((TPM_CC)0x00000143)
-#define TPM2_Startup ((TPM_CC)0x00000144)
-#define TPM2_NV_Read ((TPM_CC)0x0000014E)
-#define TPM2_GetCapability ((TPM_CC)0x0000017A)
-#define TPM2_PCR_Extend ((TPM_CC)0x00000182)
+#define TPM2_Hierarchy_Control ((TPM_CC)0x00000121)
+#define TPM2_Clear ((TPM_CC)0x00000126)
+#define TPM2_NV_DefineSpace ((TPM_CC)0x0000012A)
+#define TPM2_NV_Write ((TPM_CC)0x00000137)
+#define TPM2_NV_WriteLock ((TPM_CC)0x00000138)
+#define TPM2_SelfTest ((TPM_CC)0x00000143)
+#define TPM2_Startup ((TPM_CC)0x00000144)
+#define TPM2_NV_Read ((TPM_CC)0x0000014E)
+#define TPM2_GetCapability ((TPM_CC)0x0000017A)
+#define TPM2_PCR_Extend ((TPM_CC)0x00000182)
 
 /* Startup values. */
 #define TPM_SU_CLEAR 0
@@ -334,4 +335,9 @@ struct tpm2_pcr_extend_cmd {
 TPML_DIGEST_VALUES digests;
 };
 
+struct tpm2_hierarchy_control_cmd {
+ TPMI_RH_ENABLES enable;
+ TPMI_YES_NO state;
+};
+
 #endif // __SRC_LIB_TPM2_TLCL_STRUCTURES_H |
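Review bot: struct tpm2_hierarchy_control_cmd is added without a comment, and its field names alone do not say that `enable` selects which hierarchy to switch or that `state` is the new on/off value. The struct also carries no authorizing handle, because the marshaling code in this commit fixes that to TPM_RH_PLATFORM. I would add a comment such as `/* enable: hierarchy whose enable flag is changed; state: 0 = disable, 1 = enable. Always authorized by the platform hierarchy. */` so that a later caller does not assume it can choose the authorization here.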