Re: [PATCH v2] tpm: Allow committing non-volatile data

[Ilias Apalodimas <ilias.apalodimas@linaro.org>]

Hi Simon,

On Mon, Feb 20, 2023 at 09:31:24AM -0700, Simon Glass wrote:
> Add an option to tell the TPM to commit non-volatile data immediately it
> is changed, rather than waiting until later. This is needed in some
> situations, since if the device reboots it may not write the data.
>
> Add definitions for the rest of the Cr50 commands while we are here.

This defines a function that's unused. IIRC you said U-Boot doesn't use it,
but some code that run for that laptop does right?
In any case the function declaration doesn't belong to the TPMv2 library.
I think we are better off adding it to the cr50 driver itself.  I also
assume you compile u-boot in a 'special' way so the linker doesn't get rid
of the emitted code?  Does t hat mean we can define it as __unused as well?

Thanks
/Ilias
>
> Signed-off-by: Simon Glass <sjg@chromium.org>
> ---
> I am resending this as I think it got lost.
>
> Changes in v2:
> - Rebase to master
>
>  include/tpm-v2.h | 14 ++++++++++++++
>  lib/tpm-v2.c     | 20 ++++++++++++++++++++
>  2 files changed, 34 insertions(+)
>
> diff --git a/include/tpm-v2.h b/include/tpm-v2.h
> index 8e90a616220..0a03994740d 100644
> --- a/include/tpm-v2.h
> +++ b/include/tpm-v2.h
> @@ -712,4 +712,18 @@ u32 tpm2_submit_command(struct udevice *dev, const u8 *sendbuf,
>   */
>  u32 tpm2_cr50_report_state(struct udevice *dev, u8 *recvbuf, size_t *recv_size);
>
> +/*
> + * tpm2_cr50_enable_nvcommits() - Tell Cr50 to commit NV data immediately
> + *
> + * For Chromium OS verified boot, we may reboot or reset at different times,
> + * possibly leaving non-volatile data unwritten by the TPM.
> + *
> + * This vendor command is used to indicate that non-volatile data should be
> + * written to its store immediately.
> + *
> + * @dev		TPM device
> + * Return: result of the operation
> + */
> +u32 tpm2_cr50_enable_nvcommits(struct udevice *dev);
> +
>  #endif /* __TPM_V2_H */
> diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c
> index bdf019b0f93..5fcd3649b74 100644
> --- a/lib/tpm-v2.c
> +++ b/lib/tpm-v2.c
> @@ -699,3 +699,23 @@ u32 tpm2_cr50_report_state(struct udevice *dev, u8 *recvbuf, size_t *recv_size)
>
>  	return 0;
>  }
> +
> +u32 tpm2_cr50_enable_nvcommits(struct udevice *dev)
> +{
> +	u8 command_v2[COMMAND_BUFFER_SIZE] = {
> +		/* header 10 bytes */
> +		tpm_u16(TPM2_ST_NO_SESSIONS),		/* TAG */
> +		tpm_u32(10 + 2),			/* Length */
> +		tpm_u32(TPM2_CR50_VENDOR_COMMAND),	/* Command code */
> +
> +		tpm_u16(TPM2_CR50_SUB_CMD_NVMEM_ENABLE_COMMITS),
> +	};
> +	int ret;
> +
> +	ret = tpm_sendrecv_command(dev, command_v2, NULL, NULL);
> +	log_debug("ret=%s, %x\n", dev->name, ret);
> +	if (ret)
> +		return ret;
> +
> +	return 0;
> +}
> --
> 2.39.2.637.g21b0678d19-goog
>