[SeaBIOS] [PATCH v2 3/3] tcgbios: extend Physical Presence interface with more functions
Stefan Berger
stefanb at linux.vnet.ibm.com
Tue Jan 16 21:24:37 CET 2018
On 01/16/2018 01:58 PM, Kevin O'Connor wrote:
> On Tue, Jan 16, 2018 at 11:41:03AM -0500, Stefan Berger wrote:
>> Implement more functions of the TPM Physical Presence interface.
>> Some of the added functions will automatically reboot the machine.
>> Thus we need to save the next step after the reboot in an additional
>> variable.
>>
>> Signed-off-by: Stefan Berger <stefanb at linux.vnet.ibm.com>
>> ---
>> src/std/tcg.h | 7 ++++++
>> src/tcgbios.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-----
>> 2 files changed, 71 insertions(+), 5 deletions(-)
>>
>> diff --git a/src/std/tcg.h b/src/std/tcg.h
>> index 22353a9..aeee689 100644
>> --- a/src/std/tcg.h
>> +++ b/src/std/tcg.h
>> @@ -548,8 +548,15 @@ struct pcctes_romex
>> #define TPM_PPI_OP_ACTIVATE 3
>> #define TPM_PPI_OP_DEACTIVATE 4
>> #define TPM_PPI_OP_CLEAR 5
>> +#define TPM_PPI_OP_ENABLE_ACTIVATE 6
>> +#define TPM_PPI_OP_DEACTIVATE_DISABLE 7
>> #define TPM_PPI_OP_SET_OWNERINSTALL_TRUE 8
>> #define TPM_PPI_OP_SET_OWNERINSTALL_FALSE 9
>> +#define TPM_PPI_OP_ENABLE_ACTIVATE_SET_OWNERINSTALL_TRUE 10
>> +#define TPM_PPI_OP_SET_OWNERINSTALL_FALSE_DEACTIVATE_DISABLE 11
>> +#define TPM_PPI_OP_CLEAR_ENABLE_ACTIVATE 14
>> +#define TPM_PPI_OP_ENABLE_ACTIVATE_CLEAR 21
>> +#define TPM_PPI_OP_ENABLE_ACTIVATE_CLEAR_ENABLE_ACTIVATE 22
>>
>> struct tpm_ppi {
>> u8 ppin; /* 0: 1 = initialized */
>> diff --git a/src/tcgbios.c b/src/tcgbios.c
>> index c8e6ca2..e074d42 100644
>> --- a/src/tcgbios.c
>> +++ b/src/tcgbios.c
>> @@ -1655,7 +1655,8 @@ tpm12_set_owner_install(int allow, int verbose, u32 *returnCode)
>> }
>>
>> static int
>> -tpm12_process_cfg(tpm_ppi_code msgCode, int verbose, u32 *returnCode)
>> +tpm12_process_cfg(tpm_ppi_code msgCode, int verbose, u32 *returnCode,
>> + u8 *nextStep)
>> {
>> int ret = 0;
>>
>> @@ -1683,6 +1684,18 @@ tpm12_process_cfg(tpm_ppi_code msgCode, int verbose, u32 *returnCode)
>> ret = tpm12_force_clear(1, 0, verbose, returnCode);
>> break;
>>
>> + case TPM_PPI_OP_ENABLE_ACTIVATE:
>> + ret = tpm12_enable_tpm(1, verbose, returnCode);
>> + if (!ret)
>> + ret = tpm12_activate_tpm(1, 1, verbose, returnCode);
>> + break;
>> +
>> + case TPM_PPI_OP_DEACTIVATE_DISABLE:
>> + ret = tpm12_activate_tpm(0, 1, verbose, returnCode);
>> + if (!ret)
>> + ret = tpm12_enable_tpm(0, verbose, returnCode);
>> + break;
>> +
>> case TPM_PPI_OP_SET_OWNERINSTALL_TRUE:
>> ret = tpm12_set_owner_install(1, verbose, returnCode);
>> break;
>> @@ -1691,6 +1704,43 @@ tpm12_process_cfg(tpm_ppi_code msgCode, int verbose, u32 *returnCode)
>> ret = tpm12_set_owner_install(0, verbose, returnCode);
>> break;
>>
>> + case TPM_PPI_OP_ENABLE_ACTIVATE_SET_OWNERINSTALL_TRUE:
>> + *nextStep = TPM_PPI_OP_SET_OWNERINSTALL_TRUE;
>> + ret = tpm12_enable_activate(1, verbose, returnCode);
>> + if (!ret)
>> + ret = tpm12_set_owner_install(1, verbose, returnCode);
>> + break;
>> +
>> + case TPM_PPI_OP_SET_OWNERINSTALL_FALSE_DEACTIVATE_DISABLE:
>> + ret = tpm12_set_owner_install(0, verbose, returnCode);
>> + if (!ret)
>> + ret = tpm12_activate_tpm(0, 0, verbose, returnCode);
>> + if (!ret)
>> + ret = tpm12_enable_tpm(0, verbose, returnCode);
>> + break;
>> +
>> + case TPM_PPI_OP_CLEAR_ENABLE_ACTIVATE:
>> + ret = tpm12_force_clear(0, 1, verbose, returnCode);
>> + break;
>> +
>> + case TPM_PPI_OP_ENABLE_ACTIVATE_CLEAR:
>> + *nextStep = TPM_PPI_OP_CLEAR;
>> + ret = tpm12_enable_activate(1, verbose, returnCode);
>> + /* no reboot happened */
>> + if (!ret)
>> + ret = tpm12_force_clear(0, 0, verbose, returnCode);
>> + break;
>> +
>> + case TPM_PPI_OP_ENABLE_ACTIVATE_CLEAR_ENABLE_ACTIVATE:
>> + *nextStep = TPM_PPI_OP_CLEAR_ENABLE_ACTIVATE;
> I'm strugging to understand "nextStep". I think it would be clearer
> if the code could do a switch on the request and then execute all the
> details of that request without the need to set flags indicating the
> function should be rerun. tpm12_process_cfg() can call itself
> recursively if it needs to.
Some of the opcodes we are executing here need to do a reboot and then
execute more steps after the reboot. The last one of the above sequences
does this:
enable + activate -> reboot -> clear + enable + activate -> reboot
The post-reboot sequence clear + enable + activate exists with
TPM_PPI_OP_CLEAR_ENABLE_ACTIVATE, so we can execute that as the 2nd part.
Stefan
>
> -Kevin
>
More information about the SeaBIOS
mailing list