[PATCH v2] tpm: Allow committing non-volatile data

Ilias Apalodimas ilias.apalodimas at linaro.org
Tue Feb 21 15:18:20 CET 2023


Hi Simon,

We had that discussion in the past.


On Tue, 21 Feb 2023 at 16:09, Simon Glass <sjg at chromium.org> wrote:
>
> Hi Ilias,
>
> On Tue, 21 Feb 2023 at 06:58, Ilias Apalodimas
> <ilias.apalodimas at linaro.org> wrote:
> >
> > Hi Simon,
> >
> > On Mon, Feb 20, 2023 at 09:31:24AM -0700, Simon Glass wrote:
> > > Add an option to tell the TPM to commit non-volatile data immediately it
> > > is changed, rather than waiting until later. This is needed in some
> > > situations, since if the device reboots it may not write the data.
> > >
> > > Add definitions for the rest of the Cr50 commands while we are here.
> >
> > This defines a function that's unused. IIRC you said U-Boot doesn't use it,
> > but some code that run for that laptop does right?
>
> Yes it is used by ChromeOS code which is not upstream at present.
>
> > In any case the function declaration doesn't belong to the TPMv2 library.
> > I think we are better off adding it to the cr50 driver itself.  I also
>
> We cannot call tpm_sendrecv_command() from a TPM driver..it is in lib/
> and that would be a violation of the software layers. This is a TPM2
> command, even if it is specific to cr50.
>
> > assume you compile u-boot in a 'special' way so the linker doesn't get rid
> > of the emitted code?  Does t hat mean we can define it as __unused as well?
>
> Nothing special, but this allows the ChromeOS code to build correctly.
> I could also add a command to use it, if that helps?

5208ed187cb6 ("tpm: Allow committing non-volatile data") is what you
need.  That uses a generic name and takes the command as an argument.
IOW calling tpm2_enable_nvcommits(dev,
TPM2_CR50_SUB_CMD_NVMEM_ENABLE_COMMITS) will do the right thing for
you.

Regards
/Ilias
>
> Regards,
> Simon
>
> >
> > Thanks
> > /Ilias
> > >
> > > Signed-off-by: Simon Glass <sjg at chromium.org>
> > > ---
> > > I am resending this as I think it got lost.
> > >
> > > Changes in v2:
> > > - Rebase to master
> > >
> > >  include/tpm-v2.h | 14 ++++++++++++++
> > >  lib/tpm-v2.c     | 20 ++++++++++++++++++++
> > >  2 files changed, 34 insertions(+)
> > >
> > > diff --git a/include/tpm-v2.h b/include/tpm-v2.h
> > > index 8e90a616220..0a03994740d 100644
> > > --- a/include/tpm-v2.h
> > > +++ b/include/tpm-v2.h
> > > @@ -712,4 +712,18 @@ u32 tpm2_submit_command(struct udevice *dev, const u8 *sendbuf,
> > >   */
> > >  u32 tpm2_cr50_report_state(struct udevice *dev, u8 *recvbuf, size_t *recv_size);
> > >
> > > +/*
> > > + * tpm2_cr50_enable_nvcommits() - Tell Cr50 to commit NV data immediately
> > > + *
> > > + * For Chromium OS verified boot, we may reboot or reset at different times,
> > > + * possibly leaving non-volatile data unwritten by the TPM.
> > > + *
> > > + * This vendor command is used to indicate that non-volatile data should be
> > > + * written to its store immediately.
> > > + *
> > > + * @dev              TPM device
> > > + * Return: result of the operation
> > > + */
> > > +u32 tpm2_cr50_enable_nvcommits(struct udevice *dev);
> > > +
> > >  #endif /* __TPM_V2_H */
> > > diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c
> > > index bdf019b0f93..5fcd3649b74 100644
> > > --- a/lib/tpm-v2.c
> > > +++ b/lib/tpm-v2.c
> > > @@ -699,3 +699,23 @@ u32 tpm2_cr50_report_state(struct udevice *dev, u8 *recvbuf, size_t *recv_size)
> > >
> > >       return 0;
> > >  }
> > > +
> > > +u32 tpm2_cr50_enable_nvcommits(struct udevice *dev)
> > > +{
> > > +     u8 command_v2[COMMAND_BUFFER_SIZE] = {
> > > +             /* header 10 bytes */
> > > +             tpm_u16(TPM2_ST_NO_SESSIONS),           /* TAG */
> > > +             tpm_u32(10 + 2),                        /* Length */
> > > +             tpm_u32(TPM2_CR50_VENDOR_COMMAND),      /* Command code */
> > > +
> > > +             tpm_u16(TPM2_CR50_SUB_CMD_NVMEM_ENABLE_COMMITS),
> > > +     };
> > > +     int ret;
> > > +
> > > +     ret = tpm_sendrecv_command(dev, command_v2, NULL, NULL);
> > > +     log_debug("ret=%s, %x\n", dev->name, ret);
> > > +     if (ret)
> > > +             return ret;
> > > +
> > > +     return 0;
> > > +}
> > > --
> > > 2.39.2.637.g21b0678d19-goog
> > >


More information about the U-Boot mailing list