From 245d4577d507c0b45067d2e520ae94b283a91567 Mon Sep 17 00:00:00 2001
From: Vadim Bendebury
Date: Tue, 5 Apr 2016 16:01:57 -0700
Subject: tpm2: implement tlcl layer
This is the first approximation of implementing TPM2 support in coreboot. It is very clearly incomplete, some of the larger missing pieces being: - PCR(s) modification - protection NVRAM spaces from unauthorized deletion/modification. - resume handling - cr50 specific factory initialization The existing TPM1.2 firmware API is being implemented for TPM2. Some functions are not required at all, some do not map fully, but the API is not yet being changed, many functions are just stubs. An addition to the API is the new tlcl_define_space() function. It abstracts TMP internals allowing the caller to specify the privilege level of the space to be defined. Two privilege levels are defined, higher for the RO firmware and lower for RW firmware, they determine who can write into the spaces.
BRANCH=none
BUG=chrome-os-partner:50645
TEST=with the rest of the patches applied Kevin/Gru devices can initialize and use firmware and kernel spaces
Change-Id: Ife3301cf161ce38d61f11e4b60f1b43cab9a4eba
Signed-off-by: Martin Roth
Original-Commit-Id: bcc8e62604c705798ca106e7995a0960b92b3f35
Original-Change-Id: Ib340fa8e7db51c10e5080973c16a19b0ebbb61e6
Original-Signed-off-by: Vadim Bendebury
Original-Reviewed-on: https://chromium-review.googlesource.com/353914
Original-Commit-Ready: Martin Roth
Original-Reviewed-by: Duncan Laurie
Reviewed-on: https://review.coreboot.org/15569
Tested-by: build bot (Jenkins)
Reviewed-by: Furquan Shaikh
Reviewed-by: Philipp Deppenwiese
---
 src/include/tpm_lite/tlcl.h | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
(limited to 'src/include')
diff --git a/src/include/tpm_lite/tlcl.h b/src/include/tpm_lite/tlcl.h
index 77245922c9..c777ff997c 100644
--- a/src/include/tpm_lite/tlcl.h
+++ b/src/include/tpm_lite/tlcl.h
@@ -12,6 +12,7 @@
 #ifndef TPM_LITE_TLCL_H_
 #define TPM_LITE_TLCL_H_
 #include
+#include
 #include "tss_constants.h"
@@ -56,12 +57,34 @@ uint32_t tlcl_self_test_full(void);
 */
 uint32_t tlcl_continue_self_test(void);
+#if IS_ENABLED(CONFIG_TPM)
 /**
 * Define a space with permission [perm]. [index] is the index for the space,
 * [size] the usable data size. The TPM error code is returned.
 */
 uint32_t tlcl_define_space(uint32_t index, uint32_t perm, uint32_t size);
+#elif IS_ENABLED(CONFIG_TPM2)
+
+/*
+ * This enum allows to communicate firmware privilege levels to the TPM layer,
+ * which can map them into its own attributes.
+ */
+enum privilege_level {
+ high_privilege = 1,
+ low_privilege
+};
+
+/*
+ * Define a TPM space. Privilege level describes who can modify the space
+ * (high_privilege - the RO code only, low_privilege - ether RO or RW. The
+ * privilege level needs to be dropped below low_privilege before starting the
+ * kernel.
+ */
+uint32_t tlcl_define_space(uint32_t space_index,
+ enum privilege_level priv_level, size_t space_size);
+#endif
+
 /**
 * Write [length] bytes of [data] to space at [index]. The TPM error code is
 * returned.
--
cgit v1.2.3
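Review bot: The comment on the TPM2 `tlcl_define_space()` in the second hunk says the privilege level "needs to be dropped below low_privilege before starting the kernel", but `enum privilege_level` has no enumerator for that state, and its numeric order runs the other way (`high_privilege = 1`, then `low_privilege`), so "below" cannot be read off the type. Since this parameter decides who may write a firmware or kernel space, the comment should name the mechanism that drops the privilege (it is not visible in this header) and state the return value, as the TPM1.2 variant does with "The TPM error code is returned"; the unbalanced "(" and the "ether" typo can be fixed in the same pass. The commit message lists protection of NVRAM spaces from unauthorized deletion/modification as still missing, so if the implementation (outside this hunk) does not yet enforce `priv_level`, a line such as `/* NOTE: write protection by privilege level is not enforced yet. */` would keep callers from relying on it. Separately, C converts integers to enum types without a diagnostic, so a caller that still passes a TPM1.2 `perm` mask will compile under CONFIG_TPM2; the implementation should probably reject any value other than the two enumerators.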