tpm: add manufacturing status check

For now the presence of both RSA and EC certificates at fixed NVRAM indices is considered evidence of TPM being through manufacturing. BRANCH=none BUG=chrome-os-partner:50645 TEST=with the rest of the patches applied TPM manufacturing status is properly detected at startup. Change-Id: Iff3861603272cdfb58ebc523458c114685b2429f Signed-off-by: Vadim Bendebury <vbendeb@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/362351 Reviewed-by: Marius Schilder <mschilder@chromium.org>
2025-12-29 01:50:53 +00:00 · 2016-07-21 07:14:12 -07:00
parent 68244c3f4e
commit 9b752cbcd4
3 changed files with 61 additions and 0 deletions
--- a/board/cr50/build.mk
+++ b/board/cr50/build.mk
@@ -42,6 +42,7 @@ board-y += tpm2/ecies.o
 board-y += tpm2/hash.o
 board-y += tpm2/hash_data.o
 board-y += tpm2/hkdf.o
+board-y += tpm2/manufacture.o
 board-y += tpm2/platform.o
 board-y += tpm2/rsa.o
 board-y += tpm2/stubs.o
--- a/board/cr50/tpm2/manufacture.c
+++ b/board/cr50/tpm2/manufacture.c
@@ -0,0 +1,43 @@
+/* Copyright 2016 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "console.h"
+#include "tpm_manufacture.h"
+
+#include "Global.h"
+#include "NV_fp.h"
+#include "Platform.h"
+#include "TPM_Types.h"
+#include "TpmBuildSwitches.h"
+#include "tpm_types.h"
+
+#define CPRINTF(format, args...) cprintf(CC_EXTENSION, format, ## args)
+
+#define EK_CERT_NV_START_INDEX  0x01C00000
+
+int tpm_manufactured(void)
+{
+	uint32_t nv_ram_index;
+	const uint32_t rsa_ek_nv_index = EK_CERT_NV_START_INDEX;
+	const uint32_t ecc_ek_nv_index = EK_CERT_NV_START_INDEX + 1;
+
+	/*
+	 * If nvram_index (value written at NV RAM offset of zero) is all
+	 * ones, or either endorsement certificate is not installed, consider
+	 * the chip un-manufactured.
+	 *
+	 * Thus, wiping flash NV ram allows to re-manufacture the chip.
+	 */
+	_plat__NvMemoryRead(0, sizeof(nv_ram_index), &nv_ram_index);
+	if ((nv_ram_index == ~0) ||
+	    (NvIsUndefinedIndex(rsa_ek_nv_index) == TPM_RC_SUCCESS) ||
+	    (NvIsUndefinedIndex(ecc_ek_nv_index) == TPM_RC_SUCCESS)) {
+		CPRINTF("%s: NOT manufactured\n", __func__);
+		return 0;
+	}
+
+	CPRINTF("%s: manufactured\n", __func__);
+	return 1;
+}
--- a/include/tpm_manufacture.h
+++ b/include/tpm_manufacture.h
@@ -0,0 +1,17 @@
+/* Copyright 2016 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+/*
+ * This header declares the TPM manufacture related interface.
+ * Individual boards are expected to provide implementations.
+ */
+
+#ifndef __CROS_EC_TPM_MANUFACTURE_H
+#define __CROS_EC_TPM_MANUFACTURE_H
+
+/* Returns non-zero if the TPM manufacture steps have been completed. */
+int tpm_manufactured(void);
+
+#endif	/* __CROS_EC_TPM_MANUFACTURE_H */