From b9d94ecd78c4c85aa27e8b6a692f413eff2ed9a3 Mon Sep 17 00:00:00 2001 From: Aseda Aboagye Date: Thu, 15 Jul 2021 16:19:04 -0700 Subject: vboot/secdata_tpm: Add WRITE_STCLEAR attr to RW ARB spaces It can be nice to update the TPM firmware without having to clear the TPM owner. However, in order to do so would require platformHierarchy to be enabled which would leave the kernel antirollback space a bit vulnerable. To protect the kernel antirollback space from being written to by the OS, we can use the WriteLock command. In order to do so we need to add the WRITE_STCLEAR TPM attribute. This commit adds the WRITE_STCLEAR TPM attribute to the rw antirollback spaces. This includes the kernel antirollback space along with the MRC space. When an STCLEAR attribute is set, this indicates that the TPM object will need to be reloaded after any TPM Startup (CLEAR). BUG=b:186029006 BRANCH=None TEST=Build and flash a chromebook with no kernel antirollback space set up, boot to Chrome OS, run `tpm_manager_client get_space_info --index=0x1007` and verify that the WRITE_STCLEAR attribute is present. Signed-off-by: Aseda Aboagye Change-Id: I3181b4c18acd908e924ad858b677e891312423fe Reviewed-on: https://review.coreboot.org/c/coreboot/+/56358 Reviewed-by: Julius Werner Tested-by: build bot (Jenkins) --- src/security/vboot/secdata_tpm.c | 1 + 1 file changed, 1 insertion(+) (limited to 'src/security') diff --git a/src/security/vboot/secdata_tpm.c b/src/security/vboot/secdata_tpm.c index bedead7a81..a95e7d10a5 100644 --- a/src/security/vboot/secdata_tpm.c +++ b/src/security/vboot/secdata_tpm.c @@ -107,6 +107,7 @@ static const TPMA_NV rw_space_attributes = { .TPMA_NV_AUTHREAD = 1, .TPMA_NV_PPREAD = 1, .TPMA_NV_PLATFORMCREATE = 1, + .TPMA_NV_WRITE_STCLEAR = 1, }; static const TPMA_NV fwmp_attr = { -- cgit v1.2.3