summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/drivers/tpm/tpm.c6
-rw-r--r--src/security/tpm/tspi/tspi.c31
2 files changed, 18 insertions, 19 deletions
diff --git a/src/drivers/tpm/tpm.c b/src/drivers/tpm/tpm.c
index e4a81c3da4..77d3a8e81e 100644
--- a/src/drivers/tpm/tpm.c
+++ b/src/drivers/tpm/tpm.c
@@ -18,16 +18,18 @@
#include <bootstate.h>
#include <security/tpm/tspi.h>
-#if IS_ENABLED(CONFIG_ARCH_X86)
+#if IS_ENABLED(CONFIG_HAVE_ACPI_RESUME)
#include <arch/acpi.h>
#endif
static void init_tpm_dev(void *unused)
{
-#if IS_ENABLED(CONFIG_ARCH_X86)
+#if IS_ENABLED(CONFIG_HAVE_ACPI_RESUME)
int s3resume = acpi_is_wakeup_s3();
tpm_setup(s3resume);
#else
+ /* This can lead to PCR reset attacks but currently there
+ is no generic way to detect resume on other platforms. */
tpm_setup(false);
#endif
}
diff --git a/src/security/tpm/tspi/tspi.c b/src/security/tpm/tspi/tspi.c
index 950e930133..fccf224519 100644
--- a/src/security/tpm/tspi/tspi.c
+++ b/src/security/tpm/tspi/tspi.c
@@ -25,17 +25,27 @@
#if IS_ENABLED(CONFIG_TPM1)
static uint32_t tpm1_invoke_state_machine(void)
{
- uint8_t disable;
+ uint8_t disabled;
uint8_t deactivated;
uint32_t result = TPM_SUCCESS;
/* Check that the TPM is enabled and activated. */
- result = tlcl_get_flags(&disable, &deactivated, NULL);
+ result = tlcl_get_flags(&disabled, &deactivated, NULL);
if (result != TPM_SUCCESS) {
printk(BIOS_ERR, "TPM: Can't read capabilities.\n");
return result;
}
+ if (disabled) {
+ printk(BIOS_INFO, "TPM: is disabled. Enabling...\n");
+
+ result = tlcl_set_enable();
+ if (result != TPM_SUCCESS) {
+ printk(BIOS_ERR, "TPM: Can't set enabled state.\n");
+ return result;
+ }
+ }
+
if (!!deactivated != IS_ENABLED(CONFIG_TPM_DEACTIVATE)) {
printk(BIOS_INFO,
"TPM: Unexpected TPM deactivated state. Toggling...\n");
@@ -50,19 +60,6 @@ static uint32_t tpm1_invoke_state_machine(void)
result = TPM_E_MUST_REBOOT;
}
- if (disable && !deactivated) {
- printk(BIOS_INFO, "TPM: disabled (%d). Enabling...\n", disable);
-
- result = tlcl_set_enable();
- if (result != TPM_SUCCESS) {
- printk(BIOS_ERR, "TPM: Can't set enabled state.\n");
- return result;
- }
-
- printk(BIOS_INFO, "TPM: Must reboot to re-enable\n");
- result = TPM_E_MUST_REBOOT;
- }
-
return result;
}
#endif
@@ -122,8 +119,8 @@ uint32_t tpm_setup(int s3flag)
result = tlcl_physical_presence_cmd_enable();
if (result != TPM_SUCCESS) {
printk(
- BIOS_ERR,
- "TPM: Can't enable physical presence command.\n");
+ BIOS_ERR,
+ "TPM: Can't enable physical presence command.\n");
goto out;
}