/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 *
 * Functions for querying, manipulating and locking rollback indices
 * stored in the TPM NVRAM.
 *
 * This header only declares the interface: the NVRAM index constants, one
 * firmware-space flag, the read/write/lock entry points for the firmware
 * space, and a set of helpers exposed for unit tests.
 */

#ifndef ANTIROLLBACK_H_
#define ANTIROLLBACK_H_

/*
 * NOTE(review): uint32_t and struct vb2_context are used below; presumably
 * they come from 2sysincludes.h and 2api.h respectively - confirm.
 */
#include "2sysincludes.h"
#include <2api.h>
#include "tpm_lite/tss_constants.h"

/*
 * TPM NVRAM location indices.
 *
 * Only firmware-space accessors are declared in this header; nothing here
 * reads, writes or locks KERNEL_NV_INDEX or BACKUP_NV_INDEX.
 */
#define FIRMWARE_NV_INDEX 0x1007
#define KERNEL_NV_INDEX 0x1008
/* This is just an opaque space for backup purposes */
#define BACKUP_NV_INDEX 0x1009

/* Structure definitions for TPM spaces */

/* Flags for firmware space */

/*
 * Last boot was developer mode. TPM ownership is cleared when transitioning
 * to/from developer mode.
 *
 * This is bit 0 (0x01) of the firmware space flags.
 */
#define FLAG_LAST_BOOT_DEVELOPER 0x01

/*
 * All functions return TPM_SUCCESS (zero) if successful, non-zero if error.
 *
 * NOTE(review): these calls back the rollback protection, so a caller that
 * ignores a non-zero result cannot assume the indices were read, updated or
 * locked. How the boot flow reacts to a failure is decided by the caller and
 * is not visible in this header.
 */

/**
 * Read the firmware space.
 *
 * NOTE(review): where the data that was read ends up is not visible here;
 * presumably it is stored through ctx - confirm against the implementation.
 */
uint32_t antirollback_read_space_firmware(struct vb2_context *ctx);

/**
 * Write may be called if the versions change.
 *
 * NOTE(review): presumably the data to write is taken from ctx - confirm
 * against the implementation.
 */
uint32_t antirollback_write_space_firmware(struct vb2_context *ctx);

/**
 * Lock must be called.
 *
 * Takes no arguments. A non-zero return means the lock cannot be assumed to
 * be in place.
 *
 * NOTE(review): this comment does not say when the lock has to be taken.
 * Presumably it is required on every boot, before control passes to code that
 * must not be able to change the firmware rollback data - confirm against the
 * implementation and the boot flow, and state the requirement here.
 */
uint32_t antirollback_lock_space_firmware(void);

/****************************************************************************/

/*
 * The following functions are internal apis, listed here for use by unit tests
 * only.
 *
 * NOTE(review): they are ordinary declarations in this header, so nothing
 * here prevents non-test code that includes it from calling them. That
 * matters most for tpm_clear_and_reenable(), which issues a TPM_Clear.
 */

/**
 * Issue a TPM_Clear and reenable/reactivate the TPM.
 *
 * The comment on safe_write() treats clearing as acceptable only because the
 * TPM is unowned when that path is reached; other callers should check that
 * the same holds for them.
 */
uint32_t tpm_clear_and_reenable(void);

/**
 * Like tlcl_write(), but checks for write errors due to hitting the 64-write
 * limit and clears the TPM when that happens. This can only happen when the
 * TPM is unowned, so it is OK to clear it (and we really have no choice).
 * This is not expected to happen frequently, but it could happen.
 *
 * A call may therefore clear the TPM as a side effect.
 *
 * NOTE(review): index, data and length are presumably the NVRAM index, the
 * source buffer and its size in bytes, as for tlcl_write() - confirm.
 */
uint32_t safe_write(uint32_t index, const void *data, uint32_t length);

/**
 * Similarly to safe_write(), this ensures we don't fail a DefineSpace because
 * we hit the TPM write limit. This is even less likely to happen than with
 * writes because we only define spaces once at initialization, but we'd rather
 * be paranoid about this.
 *
 * NOTE(review): index, perm and size are presumably the NVRAM index to
 * define, its permission attributes and its size in bytes - confirm.
 */
uint32_t safe_define_space(uint32_t index, uint32_t perm, uint32_t size);

/**
 * Perform one-time initializations.
 *
 * Create the NVRAM spaces, and set their initial values as needed. Sets the
 * nvLocked bit and ensures the physical presence command is enabled and
 * locked.
 */
uint32_t factory_initialize_tpm(struct vb2_context *ctx);

/**
 * Start the TPM and establish the root of trust for the antirollback mechanism.
 */
uint32_t setup_tpm(struct vb2_context *ctx);

#endif /* ANTIROLLBACK_H_ */