From 4c0851cc37f42ed88d62b876357b71cfdaac480f Mon Sep 17 00:00:00 2001
From: Vadim Bendebury <vbendeb@chromium.org>
Date: Sun, 3 Jul 2016 17:08:10 -0700
Subject: tpm2: implement locking firmware rollback counter

TPM1.2 is using the somewhat misnamed tlcl_set_global_lock() command
function to lock the hardware rollback counter. For TPM2 let's
implement and use the TPM2 command to lock an NV Ram location
(TPM2_NV_WriteLock).

BRANCH=none
BUG=chrome-os-partner:50645
TEST=verified that TPM2_NV_WriteLock command is invoked before RO
     firmware starts RW, and succeeds.

Change-Id: I52aa8db95b908488ec4cf0843afeb6310dc7f38b
Signed-off-by: Martin Roth <martinroth@chromium.org>
Original-Commit-Id: 2f859335dfccfeea900f15bbb8c6cb3fd5ec8c77
Original-Change-Id: I62f22b9991522d4309cccc44180a5ebd4dca488d
Original-Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Original-Reviewed-on: https://chromium-review.googlesource.com/358097
Original-Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Original-Reviewed-by: Darren Krahn <dkrahn@chromium.org>
Reviewed-on: https://review.coreboot.org/15638
Tested-by: build bot (Jenkins)
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
---
 src/vendorcode/google/chromeos/vboot2/antirollback.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

(limited to 'src/vendorcode')

diff --git a/src/vendorcode/google/chromeos/vboot2/antirollback.c b/src/vendorcode/google/chromeos/vboot2/antirollback.c
index 5b738c4897..a51e5d6d55 100644
--- a/src/vendorcode/google/chromeos/vboot2/antirollback.c
+++ b/src/vendorcode/google/chromeos/vboot2/antirollback.c
@@ -157,6 +157,11 @@ uint32_t tpm_clear_and_reenable(void)
 	return TPM_SUCCESS;
 }
 
+uint32_t antirollback_lock_space_firmware(void)
+{
+	return tlcl_lock_nv_write(FIRMWARE_NV_INDEX);
+}
+
 #else
 
 uint32_t tpm_clear_and_reenable(void)
@@ -263,6 +268,11 @@ static uint32_t _factory_initialize_tpm(struct vb2_context *ctx)
 					VB2_SECDATA_SIZE));
 	return TPM_SUCCESS;
 }
+
+uint32_t antirollback_lock_space_firmware(void)
+{
+	return tlcl_set_global_lock();
+}
 #endif
 
 uint32_t factory_initialize_tpm(struct vb2_context *ctx)
@@ -424,8 +434,3 @@ uint32_t antirollback_write_space_firmware(struct vb2_context *ctx)
 {
 	return write_secdata(FIRMWARE_NV_INDEX, ctx->secdata, VB2_SECDATA_SIZE);
 }
-
-uint32_t antirollback_lock_space_firmware()
-{
-	return tlcl_set_global_lock();
-}
-- 
cgit v1.2.3