tpm: Rework the assertion of physical presence

author Stefan Berger <stefanb@linux.vnet.ibm.com>

Thu, 7 Jan 2016 17:02:49 +0000 (12:02 -0500)

committer Kevin O'Connor <kevin@koconnor.net>

Thu, 7 Jan 2016 17:13:07 +0000 (12:13 -0500)
author Stefan Berger <stefanb@linux.vnet.ibm.com>
Thu, 7 Jan 2016 17:02:49 +0000 (12:02 -0500)
committer Kevin O'Connor <kevin@koconnor.net>
Thu, 7 Jan 2016 17:13:07 +0000 (12:13 -0500)
diff --git a/src/boot.c b/src/boot.c

index a251eb4938f70b9c46958d66698e6d2d51b4b211..a045a8e18c5a0605b908b4b858b797c85b506015 100644 (file)
--- a/src/boot.c
+++ b/src/boot.c
@@ -486,7 +486,7 @@ interactive_bootmenu(void)
          printf("%d. %s\n", maxmenu
                 , strtcpy(desc, pos->description, ARRAY_SIZE(desc)));
      }
-    if (tpm_is_working()) {
+    if (tpm_can_show_menu()) {
          printf("\nt. TPM Configuration\n");
      }
  
@@ -499,7 +499,7 @@ interactive_bootmenu(void)
          scan_code = get_keystroke(1000);
          if (scan_code == 1 && !irqtimer_check(esc_accepted_time))
              continue;
-        if (tpm_is_working() && scan_code == 20 /* t */) {
+        if (tpm_can_show_menu() && scan_code == 20 /* t */) {
              printf("\n");
              tpm_menu();
          }
diff --git a/src/tcgbios.c b/src/tcgbios.c

index 545e9b63c7f494bccfa6b4b85d94e155405af0dd..ceeb5fbdcb48c58427d4762b0d7311dce3a2a0bb 100644 (file)
--- a/src/tcgbios.c
+++ b/src/tcgbios.c
@@ -60,6 +60,8 @@ struct {
      u8 *          log_area_last_entry;
  } tpm_state VARLOW;
  
+static int TPM_has_physical_presence;
+
  static struct tcpa_descriptor_rev2 *
  find_tcpa_by_rsdp(struct rsdp_descriptor *rsdp)
  {
@@ -158,12 +160,18 @@ tpm_log_event(struct pcpes *pcpes, const void *event)
  
  u8 TPM_working VARLOW;
  
-int
+static int
  tpm_is_working(void)
  {
      return CONFIG_TCGBIOS && TPM_working;
  }
  
+int
+tpm_can_show_menu(void)
+{
+    return tpm_is_working() && TPM_has_physical_presence;
+}
+
  /*
   * Send a TPM command with the given ordinal. Append the given buffer
   * containing all data in network byte order to the command (this is
@@ -462,6 +470,11 @@ tpm_startup(void)
      if (ret)
          goto err_exit;
  
+    /* assertion of physical presence is only possible after startup */
+    ret = assert_physical_presence();
+    if (!ret)
+        TPM_has_physical_presence = 1;
+
      ret = determine_timeouts();
      if (ret)
          return -1;
@@ -957,10 +970,6 @@ enable_tpm(int enable, int verbose)
      if (pf.flags[PERM_FLAG_IDX_DISABLE] && !enable)
          return 0;
  
-    ret = assert_physical_presence();
-    if (ret)
-        return -1;
-
      ret = build_and_send_cmd(0, enable ? TPM_ORD_PhysicalEnable
                                         : TPM_ORD_PhysicalDisable,
                               NULL, 0, TPM_DURATION_TYPE_SHORT);
@@ -995,10 +1004,6 @@ activate_tpm(int activate, int allow_reset, int verbose)
      if (pf.flags[PERM_FLAG_IDX_DISABLE])
          return 0;
  
-    ret = assert_physical_presence();
-    if (ret)
-        return -1;
-
      ret = build_and_send_cmd(0, TPM_ORD_PhysicalSetDeactivated,
                               activate ? CommandFlag_FALSE
                                        : CommandFlag_TRUE,
@@ -1058,10 +1063,6 @@ force_clear(int enable_activate_before, int enable_activate_after, int verbose)
          }
      }
  
-    ret = assert_physical_presence();
-    if (ret)
-        return -1;
-
      ret = build_and_send_cmd(0, TPM_ORD_ForceClear,
                               NULL, 0, TPM_DURATION_TYPE_SHORT);
      if (ret)
@@ -1107,10 +1108,6 @@ set_owner_install(int allow, int verbose)
          return 0;
      }
  
-    ret = assert_physical_presence();
-    if (ret)
-        return -1;
-
      ret = build_and_send_cmd(0, TPM_ORD_SetOwnerInstall,
                               (allow) ? CommandFlag_TRUE
                                       : CommandFlag_FALSE,
diff --git a/src/tcgbios.h b/src/tcgbios.h

index 6040b0c4e29e8b8d30297affe3fa70f1d2825509..32fb941711a8bb9096d62d86afa09e2b99219112 100644 (file)
--- a/src/tcgbios.h
+++ b/src/tcgbios.h
@@ -13,7 +13,7 @@ void tpm_add_bcv(u32 bootdrv, const u8 *addr, u32 length);
  void tpm_add_cdrom(u32 bootdrv, const u8 *addr, u32 length);
  void tpm_add_cdrom_catalog(const u8 *addr, u32 length);
  void tpm_option_rom(const void *addr, u32 len);
-int tpm_is_working(void);
+int tpm_can_show_menu(void);
  void tpm_menu(void);
  
  #endif /* TCGBIOS_H */
author	Stefan Berger <stefanb@linux.vnet.ibm.com>
	Thu, 7 Jan 2016 17:02:49 +0000 (12:02 -0500)
committer	Kevin O'Connor <kevin@koconnor.net>
	Thu, 7 Jan 2016 17:13:07 +0000 (12:13 -0500)
src/boot.c		patch \| blob \| blame \| history
src/tcgbios.c		patch \| blob \| blame \| history
src/tcgbios.h		patch \| blob \| blame \| history