crossystem: support driver-level TPM2.0 simulator

After implementing the driver-level TPM2.0 simulator on VM boards,
mount-encrypted will use the vTPM to encrypt the file system.
We need to remove the TPM simulator NVChip when we want to
hard reset the TPM on a VM.
We will no longer need to remove the mount-encrypted key once the
driver-level TPM simulator has landed on all VM boards.

BUG=b:174807059
BRANCH=none
TEST=crossystem clear_tpm_owner_request=1
TEST=crossystem clear_tpm_owner_request // showing the right value

Cq-Depend: chromium:2576865, chromium:2638953
Signed-off-by: Yi Chou <yich@google.com>
Change-Id: Iba2c9b93ed9e558a9163542dfc1fbcb738c1d83d
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2576867
Reviewed-by: Joel Kitching <kitching@chromium.org>
diff --git a/Makefile b/Makefile
index 0c82cc6..5f5132c 100644
--- a/Makefile
+++ b/Makefile
@@ -213,6 +213,15 @@
 CFLAGS += -DTPM2_SIMULATOR=0
 endif
 
+# VTPM_PROXY indicates whether the TPM driver simulator feature
+# is enable or not.
+# This flag only takes effect when TPM2_SIMULATOR is enabled.
+ifneq ($(filter-out 0,${VTPM_PROXY}),)
+CFLAGS += -DVTPM_PROXY=1
+else
+CFLAGS += -DVTPM_PROXY=0
+endif
+
 # DETACHABLE indicates whether the device is a detachable or not.
 ifneq ($(filter-out 0,${DETACHABLE}),)
 CFLAGS += -DDETACHABLE=1
diff --git a/host/lib/crossystem.c b/host/lib/crossystem.c
index bb10c39..67149e5 100644
--- a/host/lib/crossystem.c
+++ b/host/lib/crossystem.c
@@ -25,8 +25,14 @@
 #define KERNEL_CMDLINE_PATH "/proc/cmdline"
 
 /* Filename for the mount-encrypted key */
+/* TODO(b/174807059): Remove this after we land driver-level TPM simulator on
+ * all VM boards */
 #define MOUNT_ENCRYPTED_KEY_PATH "/mnt/stateful_partition/encrypted.key"
 
+/* Filename for the TPM simulator NV data */
+#define TPM_SIMULATOR_NVCHIP_PATH \
+	"/mnt/stateful_partition/unencrypted/tpm2-simulator/NVChip"
+
 /* Fields that GetVdatString() can get */
 typedef enum VdatStringField {
 	VDAT_STRING_DEPRECATED_TIMERS = 0,  /* Timer values */
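Review bot: The comment on `TPM_SIMULATOR_NVCHIP_PATH` does not say that crossystem now reads this file's presence as state, or that deleting it resets the simulated TPM, which is what the commit description relies on. I would extend it to something like `/* TPM2.0 simulator NV state; removing this file hard-resets the simulated TPM */`. The path sits under `unencrypted/` on the stateful partition and is presumably also hard-coded in the simulator itself. The comment should therefore name the component that owns the file and note that the two paths have to stay in sync.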
@@ -374,7 +380,10 @@
 	} else if (!strcasecmp(name,"disable_dev_request")) {
 		value = vb2_get_nv_storage(VB2_NV_DISABLE_DEV_REQUEST);
 	} else if (!strcasecmp(name,"clear_tpm_owner_request")) {
-		if (TPM2_SIMULATOR)
+		if (TPM2_SIMULATOR && VTPM_PROXY)
+			/* Check TPM simulator NVChip status */
+			value = access(TPM_SIMULATOR_NVCHIP_PATH, F_OK) != 0;
+		else if (TPM2_SIMULATOR)
 			/* Check mount-encrypted key status */
 			value = access(MOUNT_ENCRYPTED_KEY_PATH, F_OK) != 0;
 		else
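Review bot: In the new `TPM2_SIMULATOR && VTPM_PROXY` branch, `access(TPM_SIMULATOR_NVCHIP_PATH, F_OK) != 0` yields 1 for every failure, not only for a missing file. A missing `tpm2-simulator` directory, or a caller without search permission on the path, would also read back as a pending clear request. If only absence should count, test errno as well, e.g. `value = access(TPM_SIMULATOR_NVCHIP_PATH, F_OK) != 0 && errno == ENOENT;`, or state in the comment that any failure is deliberately treated as "already cleared". The existing mount-encrypted branch below has the same shape. The if/else chain continues outside the hunk, and whether `<errno.h>` is already included is not visible here.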
@@ -556,12 +565,13 @@
 			 * on simulator */
 			if (value == 0)
 				return -1;
-			/* Check mount-encrypted key status */
-			if (!access(MOUNT_ENCRYPTED_KEY_PATH, F_OK)) {
-				/* Remove the mount_encrypted key, and it would
-				 * also clear the TPM2.0 simulator NV space on
-				 * it. */
-				return remove(MOUNT_ENCRYPTED_KEY_PATH);
+			const char *tpm_path =
+				VTPM_PROXY ? TPM_SIMULATOR_NVCHIP_PATH
+					   : MOUNT_ENCRYPTED_KEY_PATH;
+			/* Check TPM simulator data status */
+			if (!access(tpm_path, F_OK)) {
+				/* Remove the TPM2.0 simulator data */
+				return remove(tpm_path);
 			} else {
 				/* Return success when the file is already
 				 * removed */
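Review bot: The `access(tpm_path, F_OK)` check followed by `remove(tpm_path)` is a check-then-act pair on a path in the stateful partition. If the file disappears between the two calls, remove() fails and the setter returns an error even though the requested state was reached. Calling remove() directly and treating ENOENT as success closes that window: `if (remove(tpm_path) != 0 && errno != ENOENT) return -1;` followed by the existing success return. A comment should also say whether the simulator can still hold NVChip open at this point and write it back, since that is not visible from this hunk. The else branch and the enclosing function continue outside the hunk.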