From 9b752cbcd41be2d6cf6c8dbbe655aac3e53f146a Mon Sep 17 00:00:00 2001
From: Vadim Bendebury <vbendeb@chromium.org>
Date: Thu, 21 Jul 2016 07:14:12 -0700
Subject: [PATCH] tpm: add manufacturing status check

For now the presence of both RSA and EC certificates at fixed NVRAM
indices is considered evidence of TPM being through manufacturing.

BRANCH=none
BUG=chrome-os-partner:50645
TEST=with the rest of the patches applied TPM manufacturing status is
     properly detected at startup.

Change-Id: Iff3861603272cdfb58ebc523458c114685b2429f
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/362351
Reviewed-by: Marius Schilder <mschilder@chromium.org>
---
 board/cr50/build.mk           |  1 +
 board/cr50/tpm2/manufacture.c | 43 +++++++++++++++++++++++++++++++++++
 include/tpm_manufacture.h     | 17 ++++++++++++++
 3 files changed, 61 insertions(+)
 create mode 100644 board/cr50/tpm2/manufacture.c
 create mode 100644 include/tpm_manufacture.h

diff --git a/board/cr50/build.mk b/board/cr50/build.mk
index a5023f1e0c..f1b1b18998 100644
--- a/board/cr50/build.mk
+++ b/board/cr50/build.mk
@@ -42,6 +42,7 @@ board-y += tpm2/ecies.o
 board-y += tpm2/hash.o
 board-y += tpm2/hash_data.o
 board-y += tpm2/hkdf.o
+board-y += tpm2/manufacture.o
 board-y += tpm2/platform.o
 board-y += tpm2/rsa.o
 board-y += tpm2/stubs.o
diff --git a/board/cr50/tpm2/manufacture.c b/board/cr50/tpm2/manufacture.c
new file mode 100644
index 0000000000..b2c214c38e
--- /dev/null
+++ b/board/cr50/tpm2/manufacture.c
@@ -0,0 +1,43 @@
+/* Copyright 2016 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include "console.h"
+#include "tpm_manufacture.h"
+
+#include "Global.h"
+#include "NV_fp.h"
+#include "Platform.h"
+#include "TPM_Types.h"
+#include "TpmBuildSwitches.h"
+#include "tpm_types.h"
+
+#define CPRINTF(format, args...) cprintf(CC_EXTENSION, format, ## args)
+
+#define EK_CERT_NV_START_INDEX  0x01C00000
+
+int tpm_manufactured(void)
+{
+	uint32_t nv_ram_index;
+	const uint32_t rsa_ek_nv_index = EK_CERT_NV_START_INDEX;
+	const uint32_t ecc_ek_nv_index = EK_CERT_NV_START_INDEX + 1;
+
+	/*
+	 * If nvram_index (value written at NV RAM offset of zero) is all
+	 * ones, or either endorsement certificate is not installed, consider
+	 * the chip un-manufactured.
+	 *
+	 * Thus, wiping flash NV ram allows to re-manufacture the chip.
+	 */
+	_plat__NvMemoryRead(0, sizeof(nv_ram_index), &nv_ram_index);
+	if ((nv_ram_index == ~0) ||
+	    (NvIsUndefinedIndex(rsa_ek_nv_index) == TPM_RC_SUCCESS) ||
+	    (NvIsUndefinedIndex(ecc_ek_nv_index) == TPM_RC_SUCCESS)) {
+		CPRINTF("%s: NOT manufactured\n", __func__);
+		return 0;
+	}
+
+	CPRINTF("%s: manufactured\n", __func__);
+	return 1;
+}
diff --git a/include/tpm_manufacture.h b/include/tpm_manufacture.h
new file mode 100644
index 0000000000..57eba367f6
--- /dev/null
+++ b/include/tpm_manufacture.h
@@ -0,0 +1,17 @@
+/* Copyright 2016 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+/*
+ * This header declares the TPM manufacture related interface.
+ * Individual boards are expected to provide implementations.
+ */
+
+#ifndef __CROS_EC_TPM_MANUFACTURE_H
+#define __CROS_EC_TPM_MANUFACTURE_H
+
+/* Returns non-zero if the TPM manufacture steps have been completed. */
+int tpm_manufactured(void);
+
+#endif	/* __CROS_EC_TPM_MANUFACTURE_H */