vboot: use vboot2 API to set initial secdatak value
Previously, the initial value for secdatak was embedded
in secdata_tpm.c as a uint8_t array. Switch to using
vb2api_secdatak_create instead, and write the value in
ctx->secdatak.
Remove an unnecessary call to vb2api_secdata_create in
_factory_initialize_tpm.
BUG=b:124141368, chromium:972956
TEST=make clean && make test-abuild
BRANCH=none
TEST=Check that size and value of initial secdatak
has not changed. Apply the patch below and
check for this output:
_factory_initialize_tpm():266: _factory_initialize_tpm: secdatak sizes are identical? 1
_factory_initialize_tpm():269: _factory_initialize_tpm: secdatak values are identical? 1
diff --git a/src/security/vboot/secdata_tpm.c b/src/security/vboot/secdata_tpm.c
index ff62185107..c1818b482f 100644
--- a/src/security/vboot/secdata_tpm.c
+++ b/src/security/vboot/secdata_tpm.c
@@ -148,6 +148,18 @@ static uint32_t write_secdata(uint32_t index,
return TPM_E_CORRUPTED_STATE;
}
+/*
+ * This is derived from rollback_index.h of vboot_reference. see struct
+ * RollbackSpaceKernel for details.
+ */
+static const uint8_t secdata_kernel[] = {
+ 0x02,
+ 0x4C, 0x57, 0x52, 0x47,
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00,
+ 0xE8,
+};
+
/*
* This is used to initialize the TPM space for recovery hash after defining
* it. Since there is no data available to calculate hash at the point where TPM
@@ -250,6 +262,11 @@ static uint32_t _factory_initialize_tpm(struct vb2_context *ctx)
* indication that TPM factory initialization was successfully
* completed.
*/
+ VBDEBUG("%s: secdatak sizes are identical? %d\n", __func__,
+ sizeof(secdata_kernel) == sizeof(ctx->secdatak));
+ VBDEBUG("%s: secdatak values are identical? %d\n", __func__,
+ memcmp(secdata_kernel, ctx->secdatak,
+ sizeof(secdata_kernel)) == 0);
RETURN_ON_FAILURE(set_kernel_space(ctx->secdatak));
if (CONFIG(VBOOT_HAS_REC_HASH_SPACE))
@@ -452,7 +469,7 @@ uint32_t antirollback_read_space_firmware(struct vb2_context *ctx)
/* Read the firmware space. */
rv = read_space_firmware(ctx);
- if (rv == TPM_E_BADINDEX) {
+ if (true) {
/*
* This seems the first time we've run. Initialize the TPM.
*/
Change-Id: I74261453df6cc55ef3f38d8fb922bcc604084c0a
Signed-off-by: Joel Kitching <kitching@google.com>
Cq-Depend: chromium:1652874, chromium:1655049
Reviewed-on: https://review.coreboot.org/c/coreboot/+/33386
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
This commit is contained in:
Joel Kitching
parent
f1f2367b80
commit
544b572c07
1 changed files with 9 additions and 21 deletions
|
|
@ -124,18 +124,6 @@ static uint32_t write_secdata(uint32_t index,
|
|||
return TPM_E_CORRUPTED_STATE;
|
||||
}
|
||||
|
||||
/*
|
||||
* This is derived from rollback_index.h of vboot_reference. see struct
|
||||
* RollbackSpaceKernel for details.
|
||||
*/
|
||||
static const uint8_t secdata_kernel[] = {
|
||||
0x02,
|
||||
0x4C, 0x57, 0x52, 0x47,
|
||||
0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00,
|
||||
0xE8,
|
||||
};
|
||||
|
||||
/*
|
||||
* This is used to initialize the TPM space for recovery hash after defining
|
||||
* it. Since there is no data available to calculate hash at the point where TPM
|
||||
|
|
@ -217,7 +205,7 @@ static uint32_t set_firmware_space(const void *firmware_blob)
|
|||
static uint32_t set_kernel_space(const void *kernel_blob)
|
||||
{
|
||||
return set_space("kernel", KERNEL_NV_INDEX, kernel_blob,
|
||||
sizeof(secdata_kernel), rw_space_attributes, NULL, 0);
|
||||
VB2_SECDATAK_SIZE, rw_space_attributes, NULL, 0);
|
||||
}
|
||||
|
||||
static uint32_t set_rec_hash_space(const uint8_t *data)
|
||||
|
|
@ -238,7 +226,7 @@ static uint32_t _factory_initialize_tpm(struct vb2_context *ctx)
|
|||
* indication that TPM factory initialization was successfully
|
||||
* completed.
|
||||
*/
|
||||
RETURN_ON_FAILURE(set_kernel_space(secdata_kernel));
|
||||
RETURN_ON_FAILURE(set_kernel_space(ctx->secdatak));
|
||||
|
||||
if (CONFIG(VBOOT_HAS_REC_HASH_SPACE))
|
||||
RETURN_ON_FAILURE(set_rec_hash_space(rec_hash_data));
|
||||
|
|
@ -342,16 +330,15 @@ static uint32_t _factory_initialize_tpm(struct vb2_context *ctx)
|
|||
VBDEBUG("TPM: Clearing owner\n");
|
||||
RETURN_ON_FAILURE(tpm_clear_and_reenable());
|
||||
|
||||
/* Define and initialize the kernel space */
|
||||
/* Define and write secdatak kernel space. */
|
||||
RETURN_ON_FAILURE(safe_define_space(KERNEL_NV_INDEX,
|
||||
TPM_NV_PER_PPWRITE,
|
||||
sizeof(secdata_kernel)));
|
||||
VB2_SECDATAK_SIZE));
|
||||
RETURN_ON_FAILURE(write_secdata(KERNEL_NV_INDEX,
|
||||
secdata_kernel,
|
||||
sizeof(secdata_kernel)));
|
||||
ctx->secdatak,
|
||||
VB2_SECDATAK_SIZE));
|
||||
|
||||
/* Defines and sets vb2 secdata space */
|
||||
vb2api_secdata_create(ctx);
|
||||
/* Define and write secdata firmware space. */
|
||||
RETURN_ON_FAILURE(safe_define_space(FIRMWARE_NV_INDEX,
|
||||
TPM_NV_PER_GLOBALLOCK |
|
||||
TPM_NV_PER_PPWRITE,
|
||||
|
|
@ -393,8 +380,9 @@ static uint32_t factory_initialize_tpm(struct vb2_context *ctx)
|
|||
{
|
||||
uint32_t result;
|
||||
|
||||
/* Defines and sets vb2 secdata space */
|
||||
/* Set initial values of secdata and secdatak spaces. */
|
||||
vb2api_secdata_create(ctx);
|
||||
vb2api_secdatak_create(ctx);
|
||||
|
||||
VBDEBUG("TPM: factory initialization\n");
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue