b9d94ecd78
It can be nice to update the TPM firmware without having to clear the TPM owner. However, in order to do so would require platformHierarchy to be enabled which would leave the kernel antirollback space a bit vulnerable. To protect the kernel antirollback space from being written to by the OS, we can use the WriteLock command. In order to do so we need to add the WRITE_STCLEAR TPM attribute. This commit adds the WRITE_STCLEAR TPM attribute to the rw antirollback spaces. This includes the kernel antirollback space along with the MRC space. When an STCLEAR attribute is set, this indicates that the TPM object will need to be reloaded after any TPM Startup (CLEAR). BUG=b:186029006 BRANCH=None TEST=Build and flash a chromebook with no kernel antirollback space set up, boot to Chrome OS, run `tpm_manager_client get_space_info --index=0x1007` and verify that the WRITE_STCLEAR attribute is present. Signed-off-by: Aseda Aboagye <aaboagye@google.com> Change-Id: I3181b4c18acd908e924ad858b677e891312423fe Reviewed-on: https://review.coreboot.org/c/coreboot/+/56358 Reviewed-by: Julius Werner <jwerner@chromium.org> Tested-by: build bot (Jenkins) <no-reply@coreboot.org> |
||
|---|---|---|
| .. | ||
| Kconfig | ||
| Makefile.inc | ||
| antirollback.h | ||
| bootmode.c | ||
| common.c | ||
| ec_sync.c | ||
| misc.h | ||
| mrc_cache_hash_tpm.c | ||
| mrc_cache_hash_tpm.h | ||
| secdata_mock.c | ||
| secdata_tpm.c | ||
| symbols.h | ||
| tpm_common.c | ||
| tpm_common.h | ||
| vbnv.c | ||
| vbnv.h | ||
| vbnv_cmos.c | ||
| vbnv_ec.c | ||
| vbnv_flash.c | ||
| vbnv_layout.h | ||
| vboot_common.c | ||
| vboot_common.h | ||
| vboot_lib.c | ||
| vboot_loader.c | ||
| vboot_logic.c | ||
| verstage.c | ||