Read NVRAM with proper authorization for tpm2
author Andrey Pronin <apronin@google.com>
Tue, 19 Jul 2016 20:41:11 +0000 (13:41 -0700)
committer chrome-bot <chrome-bot@chromium.org>
Thu, 21 Jul 2016 10:15:24 +0000 (03:15 -0700)
In TPM2 case, NVRAM must be read with empty password
authorization in tpmc, since platform hierarchy is
disabled by firmware or trunksd for rollback prevention.

Since all NVRAM indices are now defined with
AUTHREAD, switch to empty password authorization from
platform authorization for all NVRAM reads in Tlcl.

BRANCH=none
BUG=chrome-os-partner:55210
BUG=chrome-os-partner:55251
TEST=Run 'initctl stop trunksd; tpmc read 0x1008 0xd' on
     kevin, verify that it returns the right output.

Change-Id: Ifb72ff5080a4ac5f8d63b5c0713e5bb184f176ca
Reviewed-on: https://chromium-review.googlesource.com/360944
Commit-Ready: Dan Shi <dshi@google.com>
Tested-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
firmware/lib/tpm2_lite/marshaling.c

index 29746cd..febbc81 100644 (file)
@@ -263,7 +263,7 @@ static void marshal_nv_read(void **buffer,
 {
        struct tpm2_session_header session_header;
 
-       marshal_TPM_HANDLE(buffer, TPM_RH_PLATFORM, buffer_space);
+       marshal_TPM_HANDLE(buffer, command_body->nvIndex, buffer_space);
        marshal_TPM_HANDLE(buffer, command_body->nvIndex, buffer_space);
        Memset(&session_header, 0, sizeof(session_header));
        session_header.session_handle = TPM_RS_PW;
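Review bot: the two back-to-back `marshal_TPM_HANDLE(buffer, command_body->nvIndex, buffer_space);` calls at the top of marshal_nv_read now read like an accidental copy/paste duplicate, so the added line should carry a comment saying that the first handle is the authorization handle and the second is the index being read. Because the index now authorizes its own read through the TPM_RS_PW session, the read succeeds only for indices defined with AUTHREAD, which the commit message assumes holds for all of them. Stating that precondition in the same comment would keep a later index defined without AUTHREAD from being debugged as a marshaling problem, and would stop someone from "cleaning up" the repeated line.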