tpm2: add nvram lock and hierarchy control commands
author Vadim Bendebury <vbendeb@chromium.org>
Wed, 6 Jul 2016 16:07:54 +0000 (09:07 -0700)
committer chrome-bot <chrome-bot@chromium.org>
Sat, 9 Jul 2016 18:25:24 +0000 (11:25 -0700)
commit ae703f681965ffdbe676fa291d445f765f93e2ab
tree 086909c7ba02eb7a3172ec00268e5e03bfe5cff9
parent eb4f39d3db535109959cacc9a6066ec8400c0875
tpm2: add nvram lock and hierarchy control commands

The firmware needs to lock the kernel rollback index before starting
up the kernel. The TPM2_NV_WriteLock command is used for that.

We also want to limit the amount of control the user space apps have
over the TPM. With TPM1.2 it was achieved by deasserting physical
presence. The TPM2 specification allows achieving the same goal by
disabling Platform Hierarchy, which is active out of reset.

BRANCH=none
BUG=chrome-os-partner:50465
TEST=verified that all commands succeed and chrome OS boots up fine.

Change-Id: Ia5893460e0b29f1945cb2aae45a5f10b08fe1ed1
Reviewed-on: https://chromium-review.googlesource.com/358351
Commit-Ready: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Darren Krahn <dkrahn@chromium.org>
firmware/include/tpm2_tss_constants.h
firmware/lib/tpm2_lite/marshaling.c
firmware/lib/tpm2_lite/tlcl.c
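
The two commands named in the commit message, marshaled as raw TPM 2.0 command buffers. This is an added example, not code from this commit or from the project; authorizing the write lock with TPM_RH_PLATFORM, the empty platform password, and EXAMPLE_NV_INDEX are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constants from the TPM 2.0 Library Specification, Part 2. */
#define TPM_ST_SESSIONS         0x8002u
#define TPM_CC_HierarchyControl 0x00000121u
#define TPM_CC_NV_WriteLock     0x00000138u
#define TPM_RH_PLATFORM         0x4000000Cu
#define TPM_RS_PW               0x40000009u
#define EXAMPLE_NV_INDEX        0x01000001u /* constructed sample, not from the commit */

/* Append the low n bytes of v, big-endian as the TPM expects; returns new offset. */
static size_t put(uint8_t *b, size_t off, uint32_t v, size_t n) {
    for (size_t i = 0; i < n; i++)
        b[off + i] = (uint8_t)(v >> (8 * (n - 1 - i)));
    return off + n;
}

/* Header, handles, then a 9-byte empty-password authorization area (assumed auth). */
static size_t begin_cmd(uint8_t *b, uint32_t cc, const uint32_t *h, size_t nh) {
    size_t off = put(b, 0, TPM_ST_SESSIONS, 2);
    off = put(b, off, 0, 4);          /* commandSize, patched by end_cmd() */
    off = put(b, off, cc, 4);
    for (size_t i = 0; i < nh; i++) off = put(b, off, h[i], 4);
    off = put(b, off, 9, 4);          /* authorizationSize */
    off = put(b, off, TPM_RS_PW, 4);  /* password session handle */
    off = put(b, off, 0, 2);          /* nonce: empty */
    off = put(b, off, 0, 1);          /* sessionAttributes */
    return put(b, off, 0, 2);         /* password: empty */
}

/* Write the final length into the commandSize field of the header. */
static size_t end_cmd(uint8_t *b, size_t off) { put(b, 2, (uint32_t)off, 4); return off; }

/* TPM2_NV_WriteLock: two handles, no parameters. b must hold at least 31 bytes. */
size_t build_nv_write_lock(uint8_t *b, uint32_t nv_index) {
    const uint32_t h[] = { TPM_RH_PLATFORM, nv_index };
    return end_cmd(b, begin_cmd(b, TPM_CC_NV_WriteLock, h, 2));
}

/* TPM2_HierarchyControl(enable = TPM_RH_PLATFORM, state = NO). Needs 32 bytes. */
size_t build_disable_platform_hierarchy(uint8_t *b) {
    const uint32_t h[] = { TPM_RH_PLATFORM };
    size_t off = begin_cmd(b, TPM_CC_HierarchyControl, h, 1);
    off = put(b, off, TPM_RH_PLATFORM, 4);  /* enable: hierarchy to change */
    off = put(b, off, 0, 1);                /* state: NO clears phEnable */
    return end_cmd(b, off);
}
```

Under this example's assumption that the write lock is authorized by the platform hierarchy, the lock command has to be sent before the hierarchy is disabled, because platform authorization is refused once phEnable is clear.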