| field | value | date |
|---|---|---|
| author | Vadim Bendebury <vbendeb@chromium.org> | 2017-12-08 14:05:56 -0800 |
| committer | chrome-bot <chrome-bot@chromium.org> | 2017-12-08 18:45:08 -0800 |
| commit | c456225bd529067d237dc7242c954e22479b1fea (patch) | |
| tree | 1d414422fa96a00507d2da1e59bf92f9f22e3180 | |
| parent | 0f114d2d7eb1950faab02fe479864da5e5d50414 (diff) | |
| download | tpm2-c456225bd529067d237dc7242c954e22479b1fea.tar.gz | |
NV: allow reading FWMP before startup
This kludge makes sure that FWMP contents can be read even before
TPM2_Startup command is issued, which makes sure that even on bricked
protected Chrome OS devices CCD opening can be prevented.
BRANCH=Cr50
BUG=b:62537474
TEST=verified that FWMP could be read even before AP is powered up
Change-Id: I9693f7ff64ae86d8ed0d57c4079822ee56c464ee
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/817935
Reviewed-by: Andrey Pronin <apronin@chromium.org>
-rw-r--r-- | NV.c | 10 |
1 files changed, 9 insertions, 1 deletions
@@ -1045,7 +1045,15 @@ NvIndexIsAccessible( // indicated as present if(nvIndex.publicArea.attributes.TPMA_NV_PLATFORMCREATE == CLEAR) { - if(gc.shEnable == FALSE) + /* + * FWMP is a Chrome OS specific object saved at address 0x100a, it + * needs to be available for reading even before TPM2_Startup + * command is issued. + */ + UINT32 isFwmpRead = (handle == 0x100100a) && + IsReadOperation(commandCode); + + if((gc.shEnable == FALSE) && !isFwmpRead) return TPM_RC_HANDLE; } // if phEnableNV is CLEAR, a platform created Index should not |
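Review bot: the literal `0x100100a` in the new `isFwmpRead` condition does not match the `0x100a` quoted in the comment directly above it (the extra top byte is the NV-index handle-type prefix), so a reader checking the comment against the code will think one of them is wrong; define a named constant for the full handle (for example `#define FWMP_NV_INDEX 0x100100a`) and reference it from the comment so the two cannot drift. Since this hunk deliberately exempts one index from the `gc.shEnable == FALSE` gate, the comment should also state the scope of the exemption that the code actually implements: only commands for which `IsReadOperation(commandCode)` is true bypass the check, and every other command on that handle still returns `TPM_RC_HANDLE` before startup. Minor: `isFwmpRead` only ever holds a truth value, so `BOOL` expresses the intent better than `UINT32`.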