mirror of
https://github.com/u-boot/u-boot.git
synced 2024-12-01 00:23:29 +08:00
57c601cd7b
Instead of displaying what looks like an error message if a gpio-reset dt prop is missing for a TPM display a warning that having a gpio reset on a TPM should not be used for a secure production device. TCG TIS spec [1] says: "The TPM_Init (LRESET#/SPI_RST#) signal MUST be connected to the platform CPU Reset signal such that it complies with the requirements specified in section 1.2.7 HOST Platform Reset in the PC Client Implementation Specification for Conventional BIOS." The reasoning is that you should not be able to toggle a GPIO and reset the TPM without resetting the CPU as well because if an attacker can break into your OS via an OS level security flaw they can then reset the TPM via GPIO and replay the measurements required to unseal keys that you have otherwise protected. Additionally restructure the code for improved readability allowing for removal of the init label. Before: - board with no reset gpio u-boot=> tpm init && tpm info tpm_tis_spi_probe: missing reset GPIO tpm@1 v2.0: VendorID 0x1114, DeviceID 0x3205, RevisionID 0x01 [open] - board with a reset gpio u-boot=> tpm init && tpm info tpm@1 v2.0: VendorID 0x1114, DeviceID 0x3205, RevisionID 0x01 [open] After: - board with no reset gpio u-boot=> tpm init && tpm info tpm@1 v2.0: VendorID 0x1114, DeviceID 0x3205, RevisionID 0x01 [open] - board with a reset gpio u-boot=> tpm init && tpm info tpm@1: TPM gpio reset should not be used on secure production devices tpm@1 v2.0: VendorID 0x1114, DeviceID 0x3205, RevisionID 0x01 [open] [1] https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClientTPMInterfaceSpecification_TIS__1-3_27_03212013.pdf Signed-off-by: Tim Harvey <tharvey@gateworks.com> Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> |
||
|---|---|---|
| .. | ||
| cr50_i2c.c | ||
| Kconfig | ||
| Makefile | ||
| sandbox_common.c | ||
| sandbox_common.h | ||
| tpm2_ftpm_tee.c | ||
| tpm2_ftpm_tee.h | ||
| tpm2_tis_core.c | ||
| tpm2_tis_i2c.c | ||
| tpm2_tis_mmio.c | ||
| tpm2_tis_sandbox.c | ||
| tpm2_tis_spi.c | ||
| tpm_atmel_twi.c | ||
| tpm_internal.h | ||
| tpm_tis_infineon.c | ||
| tpm_tis_lpc.c | ||
| tpm_tis_sandbox.c | ||
| tpm_tis_st33zp24_i2c.c | ||
| tpm_tis_st33zp24_spi.c | ||
| tpm_tis.h | ||
| tpm-uclass.c | ||