Diffstat (limited to 'src/security')
-rw-r--r--src/security/vboot/antirollback.h1
-rw-r--r--src/security/vboot/secdata_tpm.c35
2 files changed, 36 insertions, 0 deletions
diff --git a/src/security/vboot/antirollback.h b/src/security/vboot/antirollback.h
index 75bfcdc7c7..10a9e21e37 100644
--- a/src/security/vboot/antirollback.h
+++ b/src/security/vboot/antirollback.h
@@ -28,6 +28,7 @@ enum vb2_pcr_digest;
/* 0x100d: Hash of MRC_CACHE training data for non-recovery boot */
#define MRC_RW_HASH_NV_INDEX 0x100d
#define HASH_NV_SIZE VB2_SHA256_DIGEST_SIZE
+#define ENT_ROLLBACK_SPACE_INDEX 0x100e
/* Widevine Secure Counter space */
#define WIDEVINE_COUNTER_NV_INDEX(n) (0x3000 + (n))
#define NUM_WIDEVINE_COUNTERS 4
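Review bot: `+#define ENT_ROLLBACK_SPACE_INDEX 0x100e` is the only NV index in this block that lacks the per-index comment the header uses for its neighbours (`/* 0x100d: Hash of MRC_CACHE training data ... */`), so the index map stops being self-describing at this line. Add a line above it such as `/* 0x100e: Enterprise rollback space; defined by firmware only, must survive TPM clear */`, which is what the creation comment in secdata_tpm.c states. The space's size is a bare `32` in the .c file; a companion size macro next to this index (name following the header's existing `*_NV_SIZE` style) would keep index and size documented in one place.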
diff --git a/src/security/vboot/secdata_tpm.c b/src/security/vboot/secdata_tpm.c
index 3ad7fc8a75..78850696c4 100644
--- a/src/security/vboot/secdata_tpm.c
+++ b/src/security/vboot/secdata_tpm.c
@@ -116,6 +116,17 @@ static const TPMA_NV rw_space_attributes = {
.TPMA_NV_WRITE_STCLEAR = 1,
};
+static const TPMA_NV rw_auth_space_attributes = {
+ .TPMA_NV_AUTHWRITE = 1,
+ .TPMA_NV_AUTHREAD = 1,
+ .TPMA_NV_NO_DA = 1,
+ .TPMA_NV_PPREAD = 1,
+ .TPMA_NV_PPWRITE = 1,
+ .TPMA_NV_PLATFORMCREATE = 1,
+ .TPMA_NV_WRITE_STCLEAR = 1,
+ .TPMA_NV_POLICY_DELETE = 1,
+};
+
static const TPMA_NV fwmp_attr = {
.TPMA_NV_PLATFORMCREATE = 1,
.TPMA_NV_OWNERWRITE = 1,
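Review bot: `rw_auth_space_attributes` has no comment explaining its attribute set, and the set is security-relevant: `TPMA_NV_AUTHREAD`/`TPMA_NV_AUTHWRITE` gate access on the index authValue, `TPMA_NV_NO_DA` exempts failed authorizations against this index from the TPM dictionary-attack lockout, and `TPMA_NV_POLICY_DELETE` together with the unsatisfiable policy passed at creation makes the index undeletable. A header comment should state why NO_DA is acceptable here (presumably because the authValue is not the protection mechanism and `TPMA_NV_WRITE_STCLEAR` is what locks the value until the next reset; confirm against the auth value `setup_space()` actually passes to the define call) and how this set differs from `rw_space_attributes`, whose definition starts above this hunk. A suggested form: `/* As rw_space_attributes, but auth-gated read/write and undeletable (POLICY_DELETE + unsatisfiable policy); NO_DA because the authValue is not a secret. */`, with the last clause adjusted once the auth value is confirmed.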
@@ -342,6 +353,22 @@ static uint32_t setup_zte_spaces(void)
return rv;
}
+/*
+ * Set up enterprise rollback space.
+ *
+ * This space is not used by firmware but needs to survive owner clear. Thus, it
+ * needs to be created here.
+ */
+static uint32_t enterprise_rollback_create_space(void)
+{
+ uint8_t rollback_space_default[32] = {0};
+
+ return setup_space("Enterprise Rollback Space",
+ ENT_ROLLBACK_SPACE_INDEX, rollback_space_default,
+ sizeof(rollback_space_default), rw_auth_space_attributes,
+ unsatisfiable_policy, sizeof(unsatisfiable_policy));
+}
+
static uint32_t setup_widevine_counter_spaces(void)
{
uint32_t index, rv;
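Review bot: `uint8_t rollback_space_default[32] = {0};` hard-codes the space size as a bare literal while the header already names sizes for other spaces (`HASH_NV_SIZE`), so nothing ties this 32 to the OS-side consumer of the space. Define the size alongside `ENT_ROLLBACK_SPACE_INDEX` in antirollback.h and use it for both the array and the `sizeof`; if the bound value is a SHA-256 digest, `HASH_NV_SIZE` already expresses that. The function comment could also say that the space is defined with `rw_auth_space_attributes` and the unsatisfiable policy precisely so that neither owner clear nor `NV_UndefineSpace` can remove it, which is the property the second sentence of the comment relies on without naming it.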
@@ -387,6 +414,14 @@ static uint32_t _factory_initialize_tpm(struct vb2_context *ctx)
if (CONFIG(CHROMEOS) && !(CONFIG(TPM_GOOGLE)))
RETURN_ON_FAILURE(setup_zte_spaces());
+ /*
+ * On TPM 2.0, create a space that survives TPM clear. This allows to
+ * securely lock data during enterprise rollback by binding to this
+ * space's value.
+ */
+ if (CONFIG(CHROMEOS))
+ RETURN_ON_FAILURE(enterprise_rollback_create_space());
+
/* Define widevine counter space. No need to increment/write to the secure counters
and are expected to be incremented during the first use. */
if (CONFIG(VBOOT_DEFINE_WIDEVINE_COUNTERS))
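Review bot: The comment says `On TPM 2.0, create a space that survives TPM clear` but the guard on the next line is `if (CONFIG(CHROMEOS))` alone; whether that is sufficient depends on `_factory_initialize_tpm`, whose body starts before this hunk, already being compiled only for TPM 2.0. If it is, say so in the comment (`/* TPM 2.0 only: this function is built under CONFIG(TPM2). */`); if it is not, the condition should read `if (CONFIG(CHROMEOS) && CONFIG(TPM2))` so a TPM 1.2 build does not attempt to define a space with TPM 2.0 `TPMA_NV` attributes. The preceding ZTE call is additionally guarded with `!(CONFIG(TPM_GOOGLE))` and the new call is not; a one-line comment on why this space is wanted on Google TPMs as well would pre-empt the obvious question from the next reader.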