@@ -64,7 +64,7 @@ void secvar_set_update_status(uint64_t val)
dt_add_property_u64(secvar_node, "update-status", val);
}
-bool secvar_check_physical_presence(void)
+bool secvar_check_clear_keys(void)
{
struct dt_node *secureboot;
@@ -79,3 +79,19 @@ bool secvar_check_physical_presence(void)
return false;
}
+
+bool secvar_check_reset_default_keys(void)
+{
+ struct dt_node *secureboot;
+
+ /* Only bother checking if this image was built with default keys */
+ secureboot = dt_find_by_path(dt_root, "ibm,secureboot");
+ if (!secureboot)
+ return false;
+
+
+ if (dt_find_property(secureboot, "reset-default-keys"))
+ return true;
+
+ return false;
+}
@@ -10,6 +10,7 @@ void secvar_init_devnode(const char *compatible);
void secvar_set_status(const char *status);
void secvar_set_update_status(uint64_t val);
-bool secvar_check_physical_presence(void);
+bool secvar_check_clear_keys(void);
+bool secvar_check_reset_default_keys(void);
#endif
@@ -598,7 +598,7 @@ static int secboot_tpm_store_init(void)
free(indices);
/* Undefine the NV indices if physical presence has been asserted */
- if (secvar_check_physical_presence()) {
+ if (secvar_check_clear_keys()) {
prlog(PR_INFO, "Physical presence asserted, redefining NV indices, and resetting keystore\n");
rc = secboot_tpm_undefine_indices(&vars_defined, &control_defined);
if (rc)
@@ -32,7 +32,7 @@ int flash_secboot_info(uint32_t *total_size)
/* Toggle this to test the physical presence resetting */
bool phys_presence = false;
-bool secvar_check_physical_presence(void)
+bool secvar_check_clear_keys(void)
{
return phys_presence;
}
Currently, the secboot_tpm driver utilizes the physical presence detection function to determine when it should (re)define the TPM indices -- either to recover from a faulty state or forcibly disable OS secure boot. As this is a complete escape-hatch solution, it is not viable to use this method in conjunction with a driver that utilizing compile-time built-in variables. Thus, a new physical presence method is introduced specifically for resetting to default, built-in keys for future driver use (ideally, with OS secure boot now enabled). The previous physical presence function has been renamed to more actually reflect the physical presence mode it is detecting (clear-os-keys). Signed-off-by: Eric Richter <erichte@linux.ibm.com> --- libstb/secvar/secvar_devtree.c | 18 +++++++++++++++++- libstb/secvar/secvar_devtree.h | 3 ++- libstb/secvar/storage/secboot_tpm.c | 2 +- libstb/secvar/test/secvar-test-secboot-tpm.c | 2 +- 4 files changed, 21 insertions(+), 4 deletions(-)