coreboot-kgpe-d16/src/security
Aseda Aboagye b9d94ecd78 vboot/secdata_tpm: Add WRITE_STCLEAR attr to RW ARB spaces
It can be nice to update the TPM firmware without having to clear the
TPM owner.  However, in order to do so would require platformHierarchy
to be enabled which would leave the kernel antirollback space a bit
vulnerable.  To protect the kernel antirollback space from being written
to by the OS, we can use the WriteLock command.  In order to do so we
need to add the WRITE_STCLEAR TPM attribute.

This commit adds the WRITE_STCLEAR TPM attribute to the rw antirollback
spaces.  This includes the kernel antirollback space along with the MRC
space.  When an STCLEAR attribute is set, this indicates that the TPM
object will need to be reloaded after any TPM Startup (CLEAR).

BUG=b:186029006
BRANCH=None
TEST=Build and flash a chromebook with no kernel antirollback space set
up, boot to Chrome OS, run `tpm_manager_client get_space_info
--index=0x1007` and verify that the WRITE_STCLEAR attribute is present.
Signed-off-by: Aseda Aboagye <aaboagye@google.com>
Change-Id: I3181b4c18acd908e924ad858b677e891312423fe
Reviewed-on: https://review.coreboot.org/c/coreboot/+/56358
Reviewed-by: Julius Werner <jwerner@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
2021-07-26 07:27:48 +00:00
..
intel include/cpu/x86/msr: introduce IA32_MC_*(x) macros 2021-07-14 02:24:39 +00:00
lockdown security/intel: Add option to enable SMM flash access only 2021-06-21 08:11:11 +00:00
memory
tpm security/tpm/tspi/crtm.c: Fix early init 2021-06-21 05:30:55 +00:00
vboot vboot/secdata_tpm: Add WRITE_STCLEAR attr to RW ARB spaces 2021-07-26 07:27:48 +00:00
Kconfig cbfs: Add verification for RO CBFS metadata hash 2020-12-03 00:11:08 +00:00
Makefile.inc