| Message ID | 20220505202829.31466-6-eajames@linux.ibm.com |
|---|---|
| State | New |
| Headers | show |
| Series | ast2600: Add I2C TPMv2 driver | expand |
On Thu, 5 May 2022 at 20:28, Eddie James <eajames@linux.ibm.com> wrote: > > If there is a TPM in the devicetree, use board_late_init to > extend PCR0 with some invalid digest. The purpose of this is to > prevent later undesired usage of the TPM. > > Signed-off-by: Eddie James <eajames@linux.ibm.com> I think we will need a board_late_init for our platform, as others may use the TPM and not want to poison it. > --- > board/aspeed/evb_ast2600/evb_ast2600.c | 34 ++++++++++++++++++++++ > configs/ast2600_openbmc_spl_emmc_defconfig | 1 + > 2 files changed, 35 insertions(+) > > diff --git a/board/aspeed/evb_ast2600/evb_ast2600.c b/board/aspeed/evb_ast2600/evb_ast2600.c > index 72ecb18c15..e11fc6973d 100644 > --- a/board/aspeed/evb_ast2600/evb_ast2600.c > +++ b/board/aspeed/evb_ast2600/evb_ast2600.c > @@ -3,6 +3,11 @@ > * Copyright (C) ASPEED Technology Inc. > */ > #include <common.h> > +#if defined(CONFIG_TPM_V2) > +#include <dm/uclass.h> > +#include <tpm-common.h> > +#include <tpm-v2.h> > +#endif > #include <asm/io.h> > > #define SCU_BASE 0x1e6e2000 > @@ -122,6 +127,35 @@ static void __maybe_unused espi_init(void) > writel(reg, ESPI_BASE + 0x000); > } > > +__weak int board_late_init(void) > +{ > +#if defined(CONFIG_TPM_V2) > + int rc; > + struct udevice *dev; > + unsigned char digest[32] = { > + 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x00, 0x01, > + 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, > + 0xa0, 0xb1, 0xc2, 0xd3, 0xe4, 0xf5, 0x06, 0x17, > + 0x28, 0x39, 0x4a, 0x5b, 0x6c, 0x7d, 0x8e, 0x9f > + }; Add a comment for how this was created. > + > + rc = uclass_first_device_err(UCLASS_TPM, &dev); > + if (rc) > + return 0; > + > + rc = tpm_init(dev); > + if (rc) > + return 0; > + > + rc = tpm2_startup(dev, TPM2_SU_CLEAR); > + if (rc) > + return 0; > + > + tpm2_pcr_extend(dev, 0, digest); > +#endif > + return 0; > +} > + > int board_early_init_f(void) > { > #if 0 > diff --git a/configs/ast2600_openbmc_spl_emmc_defconfig b/configs/ast2600_openbmc_spl_emmc_defconfig > index 3bb44280c7..b506bc5e55 100644 > --- a/configs/ast2600_openbmc_spl_emmc_defconfig > +++ b/configs/ast2600_openbmc_spl_emmc_defconfig > @@ -39,6 +39,7 @@ CONFIG_SYS_CONSOLE_ENV_OVERWRITE=y > CONFIG_DISPLAY_BOARDINFO_LATE=y > CONFIG_ARCH_EARLY_INIT_R=y > CONFIG_BOARD_EARLY_INIT_F=y > +CONFIG_BOARD_LATE_INIT=y > CONFIG_SPL_BOARD_INIT=y > # CONFIG_SPL_LEGACY_IMAGE_SUPPORT is not set > CONFIG_SPL_SYS_MALLOC_SIMPLE=y > -- > 2.27.0 >
On 5/9/22 21:44, Joel Stanley wrote: > On Thu, 5 May 2022 at 20:28, Eddie James <eajames@linux.ibm.com> wrote: >> If there is a TPM in the devicetree, use board_late_init to >> extend PCR0 with some invalid digest. The purpose of this is to >> prevent later undesired usage of the TPM. >> >> Signed-off-by: Eddie James <eajames@linux.ibm.com> > I think we will need a board_late_init for our platform, as others may > use the TPM and not want to poison it. Yea I'll give that a go. I tried it and I had a brief fight with the config and build and gave up :) > >> --- >> board/aspeed/evb_ast2600/evb_ast2600.c | 34 ++++++++++++++++++++++ >> configs/ast2600_openbmc_spl_emmc_defconfig | 1 + >> 2 files changed, 35 insertions(+) >> >> diff --git a/board/aspeed/evb_ast2600/evb_ast2600.c b/board/aspeed/evb_ast2600/evb_ast2600.c >> index 72ecb18c15..e11fc6973d 100644 >> --- a/board/aspeed/evb_ast2600/evb_ast2600.c >> +++ b/board/aspeed/evb_ast2600/evb_ast2600.c >> @@ -3,6 +3,11 @@ >> * Copyright (C) ASPEED Technology Inc. >> */ >> #include <common.h> >> +#if defined(CONFIG_TPM_V2) >> +#include <dm/uclass.h> >> +#include <tpm-common.h> >> +#include <tpm-v2.h> >> +#endif >> #include <asm/io.h> >> >> #define SCU_BASE 0x1e6e2000 >> @@ -122,6 +127,35 @@ static void __maybe_unused espi_init(void) >> writel(reg, ESPI_BASE + 0x000); >> } >> >> +__weak int board_late_init(void) >> +{ >> +#if defined(CONFIG_TPM_V2) >> + int rc; >> + struct udevice *dev; >> + unsigned char digest[32] = { >> + 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x00, 0x01, >> + 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, >> + 0xa0, 0xb1, 0xc2, 0xd3, 0xe4, 0xf5, 0x06, 0x17, >> + 0x28, 0x39, 0x4a, 0x5b, 0x6c, 0x7d, 0x8e, 0x9f >> + }; > Add a comment for how this was created. > >> + >> + rc = uclass_first_device_err(UCLASS_TPM, &dev); >> + if (rc) >> + return 0; >> + >> + rc = tpm_init(dev); >> + if (rc) >> + return 0; >> + >> + rc = tpm2_startup(dev, TPM2_SU_CLEAR); >> + if (rc) >> + return 0; >> + >> + tpm2_pcr_extend(dev, 0, digest); >> +#endif >> + return 0; >> +} >> + >> int board_early_init_f(void) >> { >> #if 0 >> diff --git a/configs/ast2600_openbmc_spl_emmc_defconfig b/configs/ast2600_openbmc_spl_emmc_defconfig >> index 3bb44280c7..b506bc5e55 100644 >> --- a/configs/ast2600_openbmc_spl_emmc_defconfig >> +++ b/configs/ast2600_openbmc_spl_emmc_defconfig >> @@ -39,6 +39,7 @@ CONFIG_SYS_CONSOLE_ENV_OVERWRITE=y >> CONFIG_DISPLAY_BOARDINFO_LATE=y >> CONFIG_ARCH_EARLY_INIT_R=y >> CONFIG_BOARD_EARLY_INIT_F=y >> +CONFIG_BOARD_LATE_INIT=y >> CONFIG_SPL_BOARD_INIT=y >> # CONFIG_SPL_LEGACY_IMAGE_SUPPORT is not set >> CONFIG_SPL_SYS_MALLOC_SIMPLE=y >> -- >> 2.27.0 >>
diff --git a/board/aspeed/evb_ast2600/evb_ast2600.c b/board/aspeed/evb_ast2600/evb_ast2600.c index 72ecb18c15..e11fc6973d 100644 --- a/board/aspeed/evb_ast2600/evb_ast2600.c +++ b/board/aspeed/evb_ast2600/evb_ast2600.c @@ -3,6 +3,11 @@ * Copyright (C) ASPEED Technology Inc. */ #include <common.h> +#if defined(CONFIG_TPM_V2) +#include <dm/uclass.h> +#include <tpm-common.h> +#include <tpm-v2.h> +#endif #include <asm/io.h> #define SCU_BASE 0x1e6e2000 @@ -122,6 +127,35 @@ static void __maybe_unused espi_init(void) writel(reg, ESPI_BASE + 0x000); } +__weak int board_late_init(void) +{ +#if defined(CONFIG_TPM_V2) + int rc; + struct udevice *dev; + unsigned char digest[32] = { + 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x00, 0x01, + 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, + 0xa0, 0xb1, 0xc2, 0xd3, 0xe4, 0xf5, 0x06, 0x17, + 0x28, 0x39, 0x4a, 0x5b, 0x6c, 0x7d, 0x8e, 0x9f + }; + + rc = uclass_first_device_err(UCLASS_TPM, &dev); + if (rc) + return 0; + + rc = tpm_init(dev); + if (rc) + return 0; + + rc = tpm2_startup(dev, TPM2_SU_CLEAR); + if (rc) + return 0; + + tpm2_pcr_extend(dev, 0, digest); +#endif + return 0; +} + int board_early_init_f(void) { #if 0 diff --git a/configs/ast2600_openbmc_spl_emmc_defconfig b/configs/ast2600_openbmc_spl_emmc_defconfig index 3bb44280c7..b506bc5e55 100644 --- a/configs/ast2600_openbmc_spl_emmc_defconfig +++ b/configs/ast2600_openbmc_spl_emmc_defconfig @@ -39,6 +39,7 @@ CONFIG_SYS_CONSOLE_ENV_OVERWRITE=y CONFIG_DISPLAY_BOARDINFO_LATE=y CONFIG_ARCH_EARLY_INIT_R=y CONFIG_BOARD_EARLY_INIT_F=y +CONFIG_BOARD_LATE_INIT=y CONFIG_SPL_BOARD_INIT=y # CONFIG_SPL_LEGACY_IMAGE_SUPPORT is not set CONFIG_SPL_SYS_MALLOC_SIMPLE=y
If there is a TPM in the devicetree, use board_late_init to extend PCR0 with some invalid digest. The purpose of this is to prevent later undesired usage of the TPM. Signed-off-by: Eddie James <eajames@linux.ibm.com> --- board/aspeed/evb_ast2600/evb_ast2600.c | 34 ++++++++++++++++++++++ configs/ast2600_openbmc_spl_emmc_defconfig | 1 + 2 files changed, 35 insertions(+)