tpm2: use pcr0 dependent nvram space policy definitions

Hardware / Coreboot - Vadim Bendebury [chromium.org] - 13 July 2016 16:59 UTC

The TPM2 specification allows defining NV ram spaces in a manner that makes it impossible to remove the space until a certain PCR is in a certain state.

This comes in handy when defining spaces for rollback counters: make their removal depend on PCR0 being in the default state. Then extend PCR0 to any value. This guarantees that the spaces can not be deleted.

Also, there is no need t create firmware and kernel rollback spaces with different privileges: they both can be created with the same set of properties, the firmware space could be locked by the RO firmware, and the kernel space could be locked by the RW firmware thus providing necessary privilege levels.

BRANCH=none BUG=chrome-os-partner:50645, chrome-os-partner:55063 TEST=with the rest of the patches applied it is possible to boot into Chrome OS maintaining two rollback counter spaces in the TPM NV ram locked at different phases of the boot process.

Change-Id: I889b2c4c4831ae01c093f33c09b4d98a11d758da

7ee057c tpm2: use pcr0 dependent nvram space policy definitions
src/include/tpm_lite/tlcl.h | 19 +++----------
src/lib/tpm2_tlcl.c | 28 +++++++++++++++-----
.../google/chromeos/vboot2/antirollback.c | 2 --
3 files changed, 25 insertions(+), 24 deletions(-)

Upstream: review.coreboot.org

  • Share