Deactivate TPM

Just not exporting TPM isn't good enough as it can still be accessed.
You need to send it a deactivate command.

Change-Id: I3eb84660949c2d1e2b492d541e01d4ba78037630
Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-on: http://review.coreboot.org/10270
Tested-by: build bot (Jenkins)
Reviewed-by: Patrick Georgi <pgeorgi@google.com>

src/drivers/pc80/tpm/Kconfig

@@ -37,3 +37,10 @@ config SKIP_TPM_STARTUP_ON_NORMAL_BOOT
 	depends on LPC_TPM
 	help
 	  Skip TPM init on normal boot. Useful if payload does TPM init.
+
+config TPM_DEACTIVATE
+	bool "Deactivate TPM"
+	default n
+	depends on LPC_TPM
+	help
+	  Deactivate TPM by issuing deactivate command.

src/drivers/pc80/tpm/acpi/tpm.asl

@@ -27,11 +27,11 @@ Device (TPM)
 
 	Method (_STA, 0)
 	{
-		If (CONFIG_LPC_TPM) {
-			Return (0xf)
-		} Else {
-			Return (0x0)
-		}
+#if CONFIG_LPC_TPM && !CONFIG_TPM_DEACTIVATE
+		Return (0xf)
+#else
+		Return (0x0)
+#endif
 	}
 
 	Name (IBUF, ResourceTemplate ()

src/drivers/pc80/tpm/romstage.c

@@ -50,6 +50,12 @@ static const struct {
 	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x99, 0x0, 0x1 }
 };
 
+static const struct {
+	u8 buffer[12];
+} tpm_deactivate_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x99, 0x0, 0x3 }
+};
+
 static const struct {
 	u8 buffer[10];
 } tpm_continueselftest_cmd = {
@@ -181,6 +187,19 @@ void init_tpm(int s3resume)
 	u32 result;
 	u8 response[TPM_LARGE_ENOUGH_COMMAND_SIZE];
 
+	if (CONFIG_TPM_DEACTIVATE) {
+		printk(BIOS_SPEW, "TPM: Deactivate\n");
+		result = TlclSendReceive(tpm_deactivate_cmd.buffer,
+					response, sizeof(response));
+		if (result == TPM_SUCCESS) {
+			printk(BIOS_SPEW, "TPM: OK.\n");
+			return;
+		}
+
+		printk(BIOS_ERR, "TPM: Error code 0x%x.\n", result);
+		return;
+	}
+
 	/* Doing TPM startup when we're not coming in on the S3 resume path
 	 * saves us roughly 20ms in boot time only. This does not seem to
 	 * be worth an API change to vboot_reference-firmware right now, so