tpm2_lite: use null password authorization for ReadLock

Most of the indexes used in practice have AUTHREAD set with null
password authentication. The only index for which READ_STCLEAR is
set and TlclReadLock() is called is the one used by mount-encrypted.
It has AUTHREAD with empty password and should be lockable after
platform hierarchy is disabled. So, use null password authorization
instead of platform authorization in TlclReadLock().

BUG=chrome-os-partner:54708
BRANCH=none
TEST=Start with OOBE, corporate enroll, reboot, verify that the system
     doesn't go back to OOBE. Check mount-encrypted.log on start: it
     should contain "Read-locking NVRAM area succeeded".

Change-Id: Iaac78ba4dd048edac992adfab6fb94b69b2e989a
Reviewed-on: https://chromium-review.googlesource.com/410780
Commit-Ready: Andrey Pronin <apronin@chromium.org>
Tested-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
diff --git a/firmware/lib/tpm2_lite/marshaling.c b/firmware/lib/tpm2_lite/marshaling.c
index 23a4655..97b20fe 100644
--- a/firmware/lib/tpm2_lite/marshaling.c
+++ b/firmware/lib/tpm2_lite/marshaling.c
@@ -542,7 +542,7 @@
 	struct tpm2_session_header session_header;
 
 	tpm_tag = TPM_ST_SESSIONS;
-	marshal_TPM_HANDLE(buffer, TPM_RH_PLATFORM, buffer_space);
+	marshal_TPM_HANDLE(buffer, command_body->nvIndex, buffer_space);
 	marshal_TPM_HANDLE(buffer, command_body->nvIndex, buffer_space);
 	memset(&session_header, 0, sizeof(session_header));
 	session_header.session_handle = TPM_RS_PW;
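Review bot: in the first hunk, the authorization handle and the index handle are now marshaled by two identical marshal_TPM_HANDLE(buffer, command_body->nvIndex, buffer_space) lines, with nothing to say which is which or why they match. Together with the TPM_RS_PW password session set up just below, this hard-codes the assumption that any index passed to this command has AUTHREAD with an empty password. The commit message says that holds for "most" indexes and for the mount-encrypted one, not for all of them, so an index without AUTHREAD could no longer be read-locked through this path. Please add a comment above the first call naming it as the authorization handle and stating the AUTHREAD/empty-password requirement, so a later caller that hits an authorization failure can see the reason in the code.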
@@ -764,6 +764,7 @@
 	case TPM2_Hierarchy_Control:
 	case TPM2_NV_Write:
 	case TPM2_NV_WriteLock:
+	case TPM2_NV_ReadLock:
 	case TPM2_Clear:
 	case TPM2_SelfTest:
 	case TPM2_Startup:
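Review bot: the added case TPM2_NV_ReadLock: in the second hunk is not mentioned in the commit message, which only describes the switch from platform to null password authorization. It is placed next to TPM2_NV_WriteLock in a list of commands sharing one handler, so it looks like a separate fix for a command that was missing from that list. Please add a line to the commit message saying why the case is needed, or split it into its own change, so the two fixes can be reviewed and reverted independently. The TEST line checks for "Read-locking NVRAM area succeeded" end to end; a unit test covering the ReadLock path through this switch would catch a regression here without a full OOBE run.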