diff --git a/src/security/vboot/secdata_tpm.c b/src/security/vboot/secdata_tpm.c index 0afd00d6cc..ef245552d5 100644 --- a/src/security/vboot/secdata_tpm.c +++ b/src/security/vboot/secdata_tpm.c @@ -188,7 +188,7 @@ static uint32_t set_space(const char *name, uint32_t index, const void *data, if (rv != TPM_SUCCESS) return rv; - return safe_write(index, data, length); + return write_secdata(index, data, length); } static uint32_t set_firmware_space(const void *firmware_blob) @@ -398,6 +398,11 @@ static uint32_t factory_initialize_tpm(struct vb2_context *ctx) if (result != TPM_SUCCESS) return result; + /* _factory_initialize_tpm() writes initial secdata values to TPM + immediately, so let vboot know that it's up to date now. */ + ctx->flags &= ~(VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED | + VB2_CONTEXT_SECDATA_KERNEL_CHANGED); + VBDEBUG("TPM: factory initialization successful\n"); return TPM_SUCCESS; @@ -410,14 +415,11 @@ uint32_t antirollback_read_space_firmware(struct vb2_context *ctx) /* Read the firmware space. */ rv = read_space_firmware(ctx); if (rv == TPM_E_BADINDEX) { - /* - * This seems the first time we've run. Initialize the TPM. - */ + /* This seems the first time we've run. Initialize the TPM. */ VBDEBUG("TPM: Not initialized yet.\n"); RETURN_ON_FAILURE(factory_initialize_tpm(ctx)); } else if (rv != TPM_SUCCESS) { VBDEBUG("TPM: Firmware space in a bad state; giving up.\n"); - //RETURN_ON_FAILURE(factory_initialize_tpm(ctx)); return TPM_E_CORRUPTED_STATE; } diff --git a/src/security/vboot/vboot_logic.c b/src/security/vboot/vboot_logic.c index ccce148882..6c4f8fd2a8 100644 --- a/src/security/vboot/vboot_logic.c +++ b/src/security/vboot/vboot_logic.c @@ -265,10 +265,10 @@ void vboot_save_nvdata_only(struct vb2_context *ctx) void vboot_save_data(struct vb2_context *ctx) { - if (ctx->flags & VB2_CONTEXT_SECDATA_CHANGED) { + if (ctx->flags & VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED) { printk(BIOS_INFO, "Saving secdata\n"); antirollback_write_space_firmware(ctx); - ctx->flags &= ~VB2_CONTEXT_SECDATA_CHANGED; + ctx->flags &= ~VB2_CONTEXT_SECDATA_FIRMWARE_CHANGED; } vboot_save_nvdata_only(ctx);