security/tpm: Fix TPM 1.2 state machine issues

* Fix ACPI resume path compilation for TPM ramstage driver * Move enabling of the TPM prior activation and remove reboot return status from TPM enable. More information can be found via the TCG specification v1.2 Tested=Elgon Change-Id: Ided110e0c1889b302e29acac6d8d2341f97eb10b Signed-off-by: Philipp Deppenwiese <zaolin@das-labor.org> Reviewed-on: https://review.coreboot.org/28085 Reviewed-by: Patrick Rudolph <patrick.rudolph@9elements.com> Reviewed-by: Philipp Deppenwiese <zaolin.daisuki@gmail.com> Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
2018-08-14 09:46:55 -07:00 · 2018-08-14 09:46:55 -07:00 · 4d2af9df7c
parent e155e78a47
commit 4d2af9df7c
2 changed files with 18 additions and 19 deletions
--- a/src/drivers/tpm/tpm.c
+++ b/src/drivers/tpm/tpm.c
@ -18,16 +18,18 @@
 #include <bootstate.h>
 #include <security/tpm/tspi.h>

-#if IS_ENABLED(CONFIG_ARCH_X86)
+#if IS_ENABLED(CONFIG_HAVE_ACPI_RESUME)
 #include <arch/acpi.h>
 #endif

 static void init_tpm_dev(void *unused)
 {
-#if IS_ENABLED(CONFIG_ARCH_X86)
+#if IS_ENABLED(CONFIG_HAVE_ACPI_RESUME)
 	int s3resume = acpi_is_wakeup_s3();
 	tpm_setup(s3resume);
 #else
+	/* This can lead to PCR reset attacks but currently there
+	   is no generic way to detect resume on other platforms. */
 	tpm_setup(false);
 #endif
 }
--- a/src/security/tpm/tspi/tspi.c
+++ b/src/security/tpm/tspi/tspi.c
@ -25,17 +25,27 @@
 #if IS_ENABLED(CONFIG_TPM1)
 static uint32_t tpm1_invoke_state_machine(void)
 {
-	uint8_t disable;
+	uint8_t disabled;
 	uint8_t deactivated;
 	uint32_t result = TPM_SUCCESS;

 	/* Check that the TPM is enabled and activated. */
-	result = tlcl_get_flags(&disable, &deactivated, NULL);
+	result = tlcl_get_flags(&disabled, &deactivated, NULL);
 	if (result != TPM_SUCCESS) {
 		printk(BIOS_ERR, "TPM: Can't read capabilities.\n");
 		return result;
 	}

+	if (disabled) {
+		printk(BIOS_INFO, "TPM: is disabled. Enabling...\n");
+
+		result = tlcl_set_enable();
+		if (result != TPM_SUCCESS) {
+			printk(BIOS_ERR, "TPM: Can't set enabled state.\n");
+			return result;
+		}
+	}
+
 	if (!!deactivated != IS_ENABLED(CONFIG_TPM_DEACTIVATE)) {
 		printk(BIOS_INFO,
 		       "TPM: Unexpected TPM deactivated state. Toggling...\n");
@ -50,19 +60,6 @@ static uint32_t tpm1_invoke_state_machine(void)
 		result = TPM_E_MUST_REBOOT;
 	}

-	if (disable && !deactivated) {
-		printk(BIOS_INFO, "TPM: disabled (%d). Enabling...\n", disable);
-
-		result = tlcl_set_enable();
-		if (result != TPM_SUCCESS) {
-			printk(BIOS_ERR, "TPM: Can't set enabled state.\n");
-			return result;
-		}
-
-		printk(BIOS_INFO, "TPM: Must reboot to re-enable\n");
-		result = TPM_E_MUST_REBOOT;
-	}
-
 	return result;
 }
 #endif
@ -122,8 +119,8 @@ uint32_t tpm_setup(int s3flag)
 		result = tlcl_physical_presence_cmd_enable();
 		if (result != TPM_SUCCESS) {
 			printk(
-			    BIOS_ERR,
-			    "TPM: Can't enable physical presence command.\n");
+				BIOS_ERR,
+				"TPM: Can't enable physical presence command.\n");
 			goto out;
 		}