diff --git a/src/include/tpm_lite/tlcl.h b/src/include/tpm_lite/tlcl.h
index 8ea5564..95bae77 100644
--- a/src/include/tpm_lite/tlcl.h
+++ b/src/include/tpm_lite/tlcl.h
@@ -151,4 +151,9 @@
  */
 uint32_t tlcl_get_permanent_flags(TPM_PERMANENT_FLAGS *pflags);
 
+/**
+ * Disable platform hierarchy. Specific to TPM2. The TPM error code is returned.
+ */
+uint32_t tlcl_disable_platform_hierarchy(void);
+
 #endif  /* TPM_LITE_TLCL_H_ */
diff --git a/src/lib/Makefile.inc b/src/lib/Makefile.inc
index 2d5aa57..9a9ddc8 100644
--- a/src/lib/Makefile.inc
+++ b/src/lib/Makefile.inc
@@ -144,6 +144,8 @@
 ramstage-$(CONFIG_GENERIC_UDELAY) += timer.c
 ramstage-y += b64_decode.c
 ramstage-$(CONFIG_ACPI_NHLT) += nhlt.c
+ramstage-$(CONFIG_TPM2) += tpm2_marshaling.c
+ramstage-$(CONFIG_TPM2) += tpm2_tlcl.c
 
 romstage-y += cbmem_common.c
 romstage-y += imd_cbmem.c
diff --git a/src/lib/tpm2_marshaling.c b/src/lib/tpm2_marshaling.c
index 1edc690..38c8d2f 100644
--- a/src/lib/tpm2_marshaling.c
+++ b/src/lib/tpm2_marshaling.c
@@ -373,6 +373,23 @@
 	marshal_u8(buffer, command_body->yes_no, buffer_space);
 }
 
+static void marshal_hierarchy_control(void **buffer,
+			struct tpm2_hierarchy_control_cmd *command_body,
+			size_t *buffer_space)
+{
+	struct tpm2_session_header session_header;
+
+	car_set_var(tpm_tag, TPM_ST_SESSIONS);
+
+	marshal_TPM_HANDLE(buffer, TPM_RH_PLATFORM, buffer_space);
+	memset(&session_header, 0, sizeof(session_header));
+	session_header.session_handle = TPM_RS_PW;
+	marshal_session_header(buffer, &session_header, buffer_space);
+
+	marshal_TPM_HANDLE(buffer, command_body->enable, buffer_space);
+	marshal_u8(buffer, command_body->state, buffer_space);
+}
+
 int tpm_marshal_command(TPM_CC command, void *tpm_command_body,
 			void *buffer, size_t buffer_size)
 {
@@ -414,6 +431,11 @@
 		marshal_selftest(&cmd_body, tpm_command_body, &body_size);
 		break;
 
+	case TPM2_Hierarchy_Control:
+		marshal_hierarchy_control(&cmd_body, tpm_command_body,
+						&body_size);
+		break;
+
 	case TPM2_Clear:
 		marshal_clear(&cmd_body, &body_size);
 		break;
@@ -583,6 +605,7 @@
 				  &tpm2_resp->nvr);
 		break;
 
+	case TPM2_Hierarchy_Control:
 	case TPM2_Clear:
 	case TPM2_NV_DefineSpace:
 	case TPM2_NV_Write:
diff --git a/src/lib/tpm2_tlcl.c b/src/lib/tpm2_tlcl.c
index 6f5243e..6c0cd6e 100644
--- a/src/lib/tpm2_tlcl.c
+++ b/src/lib/tpm2_tlcl.c
@@ -369,3 +369,19 @@
 		return TPM_E_INTERNAL_INCONSISTENCY;
 	}
 }
+
+uint32_t tlcl_disable_platform_hierarchy(void)
+{
+	struct tpm2_response *response;
+	struct tpm2_hierarchy_control_cmd hc = {
+		.enable = TPM_RH_PLATFORM,
+		.state = 0,
+	};
+
+	response = tpm_process_command(TPM2_Hierarchy_Control, &hc);
+
+	if (!response || response->hdr.tpm_code)
+		return TPM_E_INTERNAL_INCONSISTENCY;
+
+	return TPM_SUCCESS;
+}
diff --git a/src/lib/tpm2_tlcl_structures.h b/src/lib/tpm2_tlcl_structures.h
index 36a3e8b..c5c6d87 100644
--- a/src/lib/tpm2_tlcl_structures.h
+++ b/src/lib/tpm2_tlcl_structures.h
@@ -28,7 +28,7 @@
 typedef TPM_ALG_ID TPMI_ALG_HASH;
 typedef TPM_HANDLE TPMI_DH_PCR;
 typedef TPM_HANDLE TPMI_RH_NV_INDEX;
-typedef TPM_HANDLE TPMI_RH_PROVISION;
+typedef TPM_HANDLE TPMI_RH_ENABLES;
 typedef TPM_HANDLE TPMI_SH_AUTH_SESSION;
 typedef TPM_HANDLE TPM_RH;
 
@@ -59,15 +59,16 @@
 } __attribute__((packed));
 
 /* TPM command codes. */
-#define TPM2_Clear          ((TPM_CC)0x00000126)
-#define TPM2_NV_DefineSpace ((TPM_CC)0x0000012A)
-#define TPM2_NV_Write       ((TPM_CC)0x00000137)
-#define TPM2_NV_WriteLock   ((TPM_CC)0x00000138)
-#define TPM2_SelfTest       ((TPM_CC)0x00000143)
-#define TPM2_Startup        ((TPM_CC)0x00000144)
-#define TPM2_NV_Read        ((TPM_CC)0x0000014E)
-#define TPM2_GetCapability  ((TPM_CC)0x0000017A)
-#define TPM2_PCR_Extend     ((TPM_CC)0x00000182)
+#define TPM2_Hierarchy_Control ((TPM_CC)0x00000121)
+#define TPM2_Clear             ((TPM_CC)0x00000126)
+#define TPM2_NV_DefineSpace    ((TPM_CC)0x0000012A)
+#define TPM2_NV_Write          ((TPM_CC)0x00000137)
+#define TPM2_NV_WriteLock      ((TPM_CC)0x00000138)
+#define TPM2_SelfTest          ((TPM_CC)0x00000143)
+#define TPM2_Startup           ((TPM_CC)0x00000144)
+#define TPM2_NV_Read           ((TPM_CC)0x0000014E)
+#define TPM2_GetCapability     ((TPM_CC)0x0000017A)
+#define TPM2_PCR_Extend        ((TPM_CC)0x00000182)
 
 /* Startup values. */
 #define TPM_SU_CLEAR 0
@@ -334,4 +335,9 @@
 	TPML_DIGEST_VALUES digests;
 };
 
+struct tpm2_hierarchy_control_cmd {
+	TPMI_RH_ENABLES enable;
+	TPMI_YES_NO state;
+};
+
 #endif // __SRC_LIB_TPM2_TLCL_STRUCTURES_H
diff --git a/src/vendorcode/google/chromeos/Kconfig b/src/vendorcode/google/chromeos/Kconfig
index 238b4e5..97dfc60 100644
--- a/src/vendorcode/google/chromeos/Kconfig
+++ b/src/vendorcode/google/chromeos/Kconfig
@@ -127,6 +127,20 @@
 	  This is the second part of the FWID written to various regions of a
 	  Chrome OS firmware image to identify its version.
 
+config CHROMEOS_DISABLE_PLATFORM_HIERARCHY_ON_RESUME
+	bool
+	default y
+	depends on TPM2 && RESUME_PATH_SAME_AS_BOOT
+	help
+	  Disable the platform heirarchy on resume path if the firmware
+	  is involved in resume. The hierarchy is disabled prior to jumping
+	  to the OS.  Note that this option is sepcific to TPM2 boards.
+	  This option is auto selected if CHROMEOS because it matches with
+	  vboot_reference model which disables the platform hierarchy in
+	  the boot loader. However, those operations need to be symmetric
+	  on normal boot as well as resume and coreboot is only involved
+	  in the resume piece w.r.t. the platform hierarchy.
+
 menu "GBB configuration"
 
 config GBB_HWID
diff --git a/src/vendorcode/google/chromeos/Makefile.inc b/src/vendorcode/google/chromeos/Makefile.inc
index 878b068..f0762bc 100644
--- a/src/vendorcode/google/chromeos/Makefile.inc
+++ b/src/vendorcode/google/chromeos/Makefile.inc
@@ -24,6 +24,7 @@
 ramstage-$(CONFIG_CHROMEOS_RAMOOPS) += ramoops.c
 romstage-y += vpd_decode.c
 ramstage-y += vpd_decode.c cros_vpd.c vpd_mac.c vpd_serialno.c vpd_calibration.c
+ramstage-$(CONFIG_CHROMEOS_DISABLE_PLATFORM_HIERARCHY_ON_RESUME) += tpm2.c
 ramstage-$(CONFIG_HAVE_REGULATORY_DOMAIN) += wrdd.c
 ramstage-$(CONFIG_USE_SAR) += sar.c
 ifeq ($(CONFIG_ARCH_MIPS),)
diff --git a/src/vendorcode/google/chromeos/tpm2.c b/src/vendorcode/google/chromeos/tpm2.c
new file mode 100644
index 0000000..fd1dac9
--- /dev/null
+++ b/src/vendorcode/google/chromeos/tpm2.c
@@ -0,0 +1,45 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright 2017 Google Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+
+#include <bootstate.h>
+#include <console/console.h>
+#include <tpm_lite/tlcl.h>
+#include <vb2_api.h>
+
+static void disable_platform_hierarchy(void *unused)
+{
+	int ret;
+
+	if (!IS_ENABLED(CONFIG_TPM2))
+		return;
+
+	if (!IS_ENABLED(CONFIG_RESUME_PATH_SAME_AS_BOOT))
+		return;
+
+	ret = tlcl_lib_init();
+
+	if (ret != VB2_SUCCESS) {
+		printk(BIOS_ERR, "tlcl_lib_init() failed: %x\n", ret);
+		return;
+	}
+
+	ret = tlcl_disable_platform_hierarchy();
+	if (ret != TPM_SUCCESS)
+		printk(BIOS_ERR, "Platform hierarchy disablement failed: %x\n",
+			ret);
+}
+
+BOOT_STATE_INIT_ENTRY(BS_OS_RESUME, BS_ON_ENTRY, disable_platform_hierarchy,
+			NULL);