diff --git a/Android.mk b/Android.mk index 806c68ea..f12e51d7 100644 --- a/Android.mk +++ b/Android.mk @@ -34,10 +34,6 @@ ifeq ($(TARGET_USE_TRUSTY),true) KERNELFLINGER_CFLAGS += -DUSE_TRUSTY endif -ifeq ($(TARGET_USE_IVSHMEM),true) - KERNELFLINGER_CFLAGS += -DUSE_IVSHMEM -endif - ifeq ($(TARGET_USE_MULTIBOOT),true) KERNELFLINGER_CFLAGS += -DUSE_MULTIBOOT endif @@ -154,9 +150,7 @@ SHARED_STATIC_LIBRARIES := \ $(KERNELFLINGER_STATIC_LIBRARIES) \ libkernelflinger-$(TARGET_BUILD_VARIANT) -ifeq ($(TARGET_USE_TPM),true) - SHARED_STATIC_LIBRARIES += libedk2_tpm -endif +SHARED_STATIC_LIBRARIES += libedk2_tpm include $(CLEAR_VARS) LOCAL_MODULE := kernelflinger-$(TARGET_BUILD_VARIANT) @@ -255,9 +249,7 @@ LOCAL_STATIC_LIBRARIES := \ libxbc-$(TARGET_BUILD_VARIANT) -ifeq ($(TARGET_USE_TPM),true) - SHARED_STATIC_LIBRARIES += libedk2_tpm -endif +SHARED_STATIC_LIBRARIES += libedk2_tpm LOCAL_CFLAGS := $(SHARED_CFLAGS) LOCAL_SRC_FILES := installer.c diff --git a/avb/libavb_user/uefi_avb_ops.c b/avb/libavb_user/uefi_avb_ops.c index 729aed83..e19dacf9 100644 --- a/avb/libavb_user/uefi_avb_ops.c +++ b/avb/libavb_user/uefi_avb_ops.c @@ -31,9 +31,7 @@ #include "lib.h" #include "log.h" #include "security.h" -#ifdef USE_TPM #include "tpm2_security.h" -#endif extern char _binary_avb_pk_start; extern char _binary_avb_pk_end; @@ -257,11 +255,12 @@ static AvbIOResult read_rollback_index(__attribute__((unused)) AvbOps* ops, if (is_live_boot()) ret = EFI_NOT_FOUND; else { -#ifdef USE_TPM - ret = read_rollback_index_tpm2(rollback_index_slot, out_rollback_index); -#else - ret = read_efi_rollback_index(rollback_index_slot, out_rollback_index); -#endif + if (tee_tpm) + ret = tee_read_rollback_index_tpm2(rollback_index_slot, out_rollback_index); + else if (andr_tpm) + ret = read_rollback_index_tpm2(rollback_index_slot, out_rollback_index); + else + ret = read_efi_rollback_index(rollback_index_slot, out_rollback_index); } if (ret == EFI_NOT_FOUND) { @@ -287,11 +286,12 @@ static AvbIOResult write_rollback_index(__attribute__((unused)) AvbOps* ops, if (is_live_boot()) ret = EFI_SUCCESS; else { -#ifdef USE_TPM - ret = write_rollback_index_tpm2(rollback_index_slot, rollback_index); -#else - ret = write_efi_rollback_index(rollback_index_slot, rollback_index); -#endif + if (tee_tpm) + ret = tee_write_rollback_index_tpm2(rollback_index_slot, rollback_index); + else if (andr_tpm) + ret = write_rollback_index_tpm2(rollback_index_slot, rollback_index); + else + ret = write_efi_rollback_index(rollback_index_slot, rollback_index); } if (EFI_ERROR(ret)) { efi_perror(ret, L"Couldn't write rollback index"); diff --git a/include/security.h b/include/security.h index 92f40d97..02f6bf03 100644 --- a/include/security.h +++ b/include/security.h @@ -98,10 +98,8 @@ EFI_STATUS init_rot_data( /* Return rot data instance pointer*/ struct rot_data_t *get_rot_data(); -#ifdef USE_IVSHMEM EFI_STATUS ivsh_send_rot_data(IN VOID *bootimage, IN UINT8 boot_state, IN VBDATA *vb_data); -#endif EFI_STATUS raw_pub_key_sha256( IN const UINT8 *pub_key, diff --git a/include/tpm2_security.h b/include/tpm2_security.h index 2647dffe..10c8c467 100644 --- a/include/tpm2_security.h +++ b/include/tpm2_security.h @@ -38,14 +38,14 @@ #include #define TRUSTY_SEED_SIZE 32 +extern BOOLEAN tee_tpm; +extern BOOLEAN andr_tpm; EFI_STATUS tpm2_init(void); EFI_STATUS tpm2_end(void); -#ifndef USE_IVSHMEM EFI_STATUS tpm2_fuse_trusty_seed(void); EFI_STATUS tpm2_read_trusty_seed(UINT8 seed[TRUSTY_SEED_SIZE]); -#endif EFI_STATUS tpm2_fuse_perm_attr(void *data, uint32_t size); @@ -66,4 +66,22 @@ EFI_STATUS tpm2_delete_index(UINT32 index); EFI_STATUS tpm2_fuse_lock_owner(void); EFI_STATUS tpm2_fuse_provision_seed(void); + +EFI_STATUS tee_tpm2_init(void); +EFI_STATUS tee_tpm2_end(void); + +EFI_STATUS tee_read_device_state_tpm2(UINT8 *state); +EFI_STATUS tee_write_device_state_tpm2(UINT8 state); +EFI_STATUS tee_read_rollback_index_tpm2(size_t rollback_index_slot, uint64_t *out_rollback_index); +EFI_STATUS tee_write_rollback_index_tpm2(size_t rollback_index_slot, uint64_t rollback_index); +BOOLEAN tee_tpm2_bootloader_need_init(void); + +#ifndef USER +EFI_STATUS tee_tpm2_show_index(UINT32 index, uint8_t *out_buffer, UINTN out_buffer_size); +EFI_STATUS tee_tpm2_delete_index(UINT32 index); +#endif + +EFI_STATUS tee_tpm2_fuse_lock_owner(void); +EFI_STATUS tee_tpm2_fuse_provision_seed(void); + #endif /* _TPM2_SECURITY_H_ */ diff --git a/kernelflinger.c b/kernelflinger.c index 52ad84f0..06bc652c 100644 --- a/kernelflinger.c +++ b/kernelflinger.c @@ -69,11 +69,15 @@ #include "uefi_utils.h" #include "security_interface.h" #include "security_efi.h" -#ifdef USE_TPM #include "tpm2_security.h" -#endif -#ifdef USE_IVSHMEM #include "ivshmem.h" + +BOOLEAN tee_tpm = false; + +#ifdef USE_TPM +BOOLEAN andr_tpm = true; +#else +BOOLEAN andr_tpm = false; #endif /* Ensure this is embedded in the EFI binary somewhere */ @@ -537,6 +541,8 @@ static enum boot_target check_command_line() FIRMWARE_BOOTTIME, BOOTREASON, FIRMWARE_STATUS, + OPTEE, + TPM }; struct Cmdline @@ -592,6 +598,17 @@ static enum boot_target check_command_line() strlen((CHAR8 *)"fw.status="), FIRMWARE_STATUS }, + { + (CHAR8 *)"tee=", + strlen((CHAR8 *)"tee="), + OPTEE + }, + { + (CHAR8 *)"tpm=", + strlen((CHAR8 *)"tpm="), + TPM + }, + }; CHAR8 *nptr = NULL; @@ -711,7 +728,29 @@ static enum boot_target check_command_line() /* Parse "androidboot.bootreason=xxxxx " */ case BOOTREASON: continue; + case OPTEE: { + UINT8 val; + nptr = (CHAR8 *)(arg8 + CmdlineArray[j].length); + val = (UINT8)strtoul((char *)nptr, 0, 10); + debug(L"optee TPM = %u\n", val); + if (val) + tee_tpm = true; + else + tee_tpm = false; + continue; + } + case TPM: { + UINT8 val; + nptr = (CHAR8 *)(arg8 + CmdlineArray[j].length); + val = (UINT8)strtoul((char *)nptr, 0, 10); + debug(L"Android TPM = %u\n", val); + if (val) + andr_tpm = true; + else + andr_tpm = false; + continue; + } default: continue; } @@ -1230,10 +1269,11 @@ static EFI_STATUS load_image(VOID *bootimage, VOID *vendorbootimage, UINT8 boot_ } #endif -#ifdef USE_TPM // Make sure the TPM2 is ended - tpm2_end(); -#endif + if (tee_tpm) + tee_tpm2_end(); + else if (andr_tpm) + tpm2_end(); debug(L"chainloading boot image, boot state is %s", boot_state_to_string(boot_state)); @@ -1508,38 +1548,6 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) uefi_check_upgrade(g_loaded_image, BOOTLOADER_LABEL, KFUPDATE_FILE, BOOTLOADER_FILE, BOOTLOADER_FILE_BAK, KFSELF_FILE, KFBACKUP_FILE); -#ifdef USE_IVSHMEM - ret = ivshmem_init(); - if (EFI_ERROR(ret) && ret != EFI_NOT_FOUND) { - efi_perror(ret, L"Failed to init ivshmem, enter fastboot mode"); - boot_target = FASTBOOT; - } -#endif - -#ifdef USE_TPM - if (!is_live_boot()) { - ret = tpm2_init(); - if (EFI_ERROR(ret) && ret != EFI_NOT_FOUND) { - efi_perror(ret, L"Failed to init TPM, enter fastboot mode"); - boot_target = FASTBOOT; - } - } -#endif - - need_lock = device_need_locked(); - -#ifndef USER - /* WA patch to set device as unlocked by default for userdebug build - */ - set_current_state(UNLOCKED); -#else - /* For civ, flash images to disk is not MUST. So set device to LOCKED - * state by default on the first boot. - */ - if (need_lock) - set_current_state(LOCKED); -#endif - ret = set_device_security_info(NULL); if (EFI_ERROR(ret)) { efi_perror(ret, L"Failed to init security info, enter fastboot mode"); @@ -1585,6 +1593,40 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) #endif } + if (tee_tpm) { + debug(L"tee tpm enable, ivshmem_init#############"); + ret = ivshmem_init(); + if (EFI_ERROR(ret) && ret != EFI_NOT_FOUND) { + efi_perror(ret, L"Failed to init ivshmem, enter fastboot mode"); + boot_target = FASTBOOT; + } + } + + if (!is_live_boot() && (tee_tpm || andr_tpm)) { + if (tee_tpm) + ret = tee_tpm2_init(); + else if (andr_tpm) + ret = tpm2_init(); + if (EFI_ERROR(ret) && ret != EFI_NOT_FOUND) { + efi_perror(ret, L"Failed to init TPM, enter fastboot mode"); + boot_target = FASTBOOT; + } + } + + need_lock = device_need_locked(); + +#ifndef USER + /* WA patch to set device as unlocked by default for userdebug build + */ + set_current_state(UNLOCKED); +#else + /* For civ, flash images to disk is not MUST. So set device to LOCKED + * state by default on the first boot. + */ + if (need_lock) + set_current_state(LOCKED); +#endif + if (boot_target == POWER_OFF) halt_system(); diff --git a/libfastboot/Android.mk b/libfastboot/Android.mk index d31dc011..42b7bd3c 100644 --- a/libfastboot/Android.mk +++ b/libfastboot/Android.mk @@ -16,9 +16,7 @@ SHARED_STATIC_LIBRARIES := \ libkernelflinger-$(TARGET_BUILD_VARIANT) \ libavb_kernelflinger-$(TARGET_BUILD_VARIANT) -ifeq ($(TARGET_USE_TPM),true) - SHARED_STATIC_LIBRARIES += libedk2_tpm -endif +SHARED_STATIC_LIBRARIES += libedk2_tpm SHARED_SRC_FILES := \ fastboot.c \ diff --git a/libfastboot/fastboot_flashing.c b/libfastboot/fastboot_flashing.c index b1b6fcd4..3719b9c9 100644 --- a/libfastboot/fastboot_flashing.c +++ b/libfastboot/fastboot_flashing.c @@ -124,21 +124,28 @@ EFI_STATUS change_device_state(enum device_state new_state, BOOLEAN interactive) */ for (int slot = 0; slot < 2; slot++) { uint64_t idx; -#ifdef USE_TPM - ret = read_rollback_index_tpm2(slot, &idx); - if (EFI_SUCCESS == ret) { - ret = write_rollback_index_tpm2(slot, 0); - if (EFI_ERROR(ret)) - return ret; + if (tee_tpm) { + ret = tee_read_rollback_index_tpm2(slot, &idx); + if (EFI_SUCCESS == ret) { + ret = tee_write_rollback_index_tpm2(slot, 0); + if (EFI_ERROR(ret)) + return ret; + } + } else if (andr_tpm) { + ret = read_rollback_index_tpm2(slot, &idx); + if (EFI_SUCCESS == ret) { + ret = write_rollback_index_tpm2(slot, 0); + if (EFI_ERROR(ret)) + return ret; + } + } else { + ret = read_efi_rollback_index(slot, &idx); + if (EFI_SUCCESS == ret) { + ret = write_efi_rollback_index(slot, 0); + if (EFI_ERROR(ret)) + return ret; + } } -#else - ret = read_efi_rollback_index(slot, &idx); - if (EFI_SUCCESS == ret) { - ret = write_efi_rollback_index(slot, 0); - if (EFI_ERROR(ret)) - return ret; - } -#endif } } diff --git a/libfastboot/fastboot_oem.c b/libfastboot/fastboot_oem.c index 2308df17..82237df9 100644 --- a/libfastboot/fastboot_oem.c +++ b/libfastboot/fastboot_oem.c @@ -51,9 +51,7 @@ #include "text_parser.h" #include "libavb/libavb.h" #include "libavb_user/uefi_avb_ops.h" -#ifdef USE_TPM #include "tpm2_security.h" -#endif #include "security.h" #include "vars.h" #include "security_interface.h" @@ -63,9 +61,7 @@ #define SLOT_FALLBACK "slot-fallback" static cmdlist_t cmdlist; -#ifdef USE_TPM static cmdlist_t cmdlist_fuse; -#endif static EFI_STATUS fastboot_oem_publish(void) { @@ -443,10 +439,12 @@ static void cmd_oem_set_storage(INTN argc, CHAR8 **argv) set_device_security_info(NULL); -#ifdef USE_TPM - if (!is_live_boot()) - tpm2_init(); -#endif + if (!is_live_boot() && (tee_tpm || andr_tpm)) { + if (tee_tpm) + tee_tpm2_init(); + else if (andr_tpm) + tpm2_init(); + } ret = gpt_refresh(); if (EFI_ERROR(ret)) { @@ -622,7 +620,6 @@ static void cmd_oem(INTN argc, CHAR8 **argv) fastboot_run_cmd(cmdlist, (char *)argv[1], argc - 1, argv + 1); } -#ifdef USE_TPM #ifndef USER static void cmd_oem_tpm_show_index(INTN argc, __attribute__((__unused__)) CHAR8 **argv) { @@ -753,8 +750,6 @@ static void cmd_fuse_tpm2_provision_trusty_seed(INTN argc, __attribute__((__unus fastboot_okay(""); } -#endif - static CHAR16 *saved_vm_label; static void cmd_oem_set_vm(INTN argc, CHAR8 **argv) { @@ -814,23 +809,19 @@ static struct fastboot_cmd COMMANDS[] = { { "get-provisioning-logs", LOCKED, cmd_oem_get_logs }, { "setvm", LOCKED, cmd_oem_set_vm }, { "unsetvm", LOCKED, cmd_oem_unset_vm }, -#ifdef USE_TPM #ifndef USER { "tpm-show-index", LOCKED, cmd_oem_tpm_show_index }, { "tpm-delete-index", LOCKED, cmd_oem_tpm_delete_index }, #endif // USER { "fuse", LOCKED, cmd_fuse } -#endif }; -#ifdef USE_TPM static struct fastboot_cmd COMMANDS_FUSE[] = { { "vbmeta-key-hash", UNLOCKED, cmd_fuse_vbmeta_key_hash }, { "bootloader-policy", UNLOCKED, cmd_fuse_bootloader_policy }, { "lock-tpm2-owner", UNLOCKED, cmd_fuse_tpm2_lock_owner }, { "provision-trusty-seed", UNLOCKED, cmd_fuse_tpm2_provision_trusty_seed } }; -#endif static struct fastboot_cmd oem = { "oem", LOCKED, cmd_oem }; @@ -849,13 +840,13 @@ EFI_STATUS fastboot_oem_init(void) return ret; } -#ifdef USE_TPM - for (i = 0; i < ARRAY_SIZE(COMMANDS_FUSE); i++) { - ret = fastboot_register_into(&cmdlist_fuse, &COMMANDS_FUSE[i]); - if (EFI_ERROR(ret)) - return ret; + if (andr_tpm) { + for (i = 0; i < ARRAY_SIZE(COMMANDS_FUSE); i++) { + ret = fastboot_register_into(&cmdlist_fuse, &COMMANDS_FUSE[i]); + if (EFI_ERROR(ret)) + return ret; + } } -#endif fastboot_register(&oem); @@ -865,9 +856,7 @@ EFI_STATUS fastboot_oem_init(void) void fastboot_oem_free(void) { fastboot_cmdlist_unregister(&cmdlist); - -#ifdef USE_TPM - fastboot_cmdlist_unregister(&cmdlist_fuse); -#endif + if (andr_tpm) + fastboot_cmdlist_unregister(&cmdlist_fuse); } diff --git a/libkernelflinger/Android.mk b/libkernelflinger/Android.mk index b0a9b325..584638e4 100755 --- a/libkernelflinger/Android.mk +++ b/libkernelflinger/Android.mk @@ -66,9 +66,7 @@ LOCAL_CFLAGS := $(KERNELFLINGER_CFLAGS) \ -DTARGET_BOOTLOADER_BOARD_NAME=\"$(TARGET_BOOTLOADER_BOARD_NAME)\" LOCAL_STATIC_LIBRARIES := $(KERNELFLINGER_STATIC_LIBRARIES) -ifeq ($(TARGET_USE_TPM),true) - LOCAL_STATIC_LIBRARIES += libedk2_tpm -endif +LOCAL_STATIC_LIBRARIES += libedk2_tpm ifeq ($(KERNELFLINGER_ALLOW_UNSUPPORTED_ACPI_TABLE),true) LOCAL_CFLAGS += -DALLOW_UNSUPPORTED_ACPI_TABLE @@ -167,9 +165,7 @@ else LOCAL_SRC_FILES += slot.c endif -ifeq ($(TARGET_USE_TPM),true) - LOCAL_SRC_FILES += tpm2_security.c -endif +LOCAL_SRC_FILES += tpm2_security.c ifneq ($(strip $(KERNELFLINGER_USE_UI)),false) LOCAL_SRC_FILES += \ diff --git a/libkernelflinger/security.c b/libkernelflinger/security.c index ce3d3a8f..823004dd 100644 --- a/libkernelflinger/security.c +++ b/libkernelflinger/security.c @@ -48,11 +48,9 @@ #include "life_cycle.h" #include "uefi_utils.h" -#ifdef USE_IVSHMEM #include "ivshmem.h" extern UINT64 g_ivshmem_rot_addr; -#endif /* OsSecureBoot is *not* a standard EFI_GLOBAL variable * @@ -200,7 +198,6 @@ EFI_STATUS update_rot_data(IN VOID *bootimage, IN UINT8 boot_state, return ret; } -#ifdef USE_IVSHMEM EFI_STATUS ivsh_send_rot_data(IN VOID *bootimage, IN UINT8 boot_state, IN VBDATA *vb_data) { @@ -223,7 +220,6 @@ EFI_STATUS ivsh_send_rot_data(IN VOID *bootimage, IN UINT8 boot_state, return ret; } -#endif /* initialize the struct rot_data for startup_information */ EFI_STATUS init_rot_data(UINT32 boot_state) diff --git a/libkernelflinger/security_efi.c b/libkernelflinger/security_efi.c index 1498611c..0602c2ce 100755 --- a/libkernelflinger/security_efi.c +++ b/libkernelflinger/security_efi.c @@ -34,9 +34,7 @@ #include "storage.h" #include "security_efi.h" #include "protocol/BootloaderSeedProtocol.h" -#ifdef USE_TPM #include "tpm2_security.h" -#endif #define BOOTLOADER_SEED_MAX_ENTRIES 10 @@ -197,7 +195,6 @@ static EFI_STATUS bls_get_seed(VOID *seed) return ret; } -#ifdef USE_TPM static EFI_STATUS tpm2_get_seed(VOID *seed) { EFI_STATUS ret = EFI_SUCCESS; @@ -214,7 +211,6 @@ static EFI_STATUS tpm2_get_seed(VOID *seed) return ret; } -#endif EFI_STATUS get_seed(OUT VOID *seed) { @@ -225,11 +221,10 @@ EFI_STATUS get_seed(OUT VOID *seed) memset_s(seed, SECURITY_EFI_TRUSTY_SEED_LEN, 0, SECURITY_EFI_TRUSTY_SEED_LEN); -#ifdef USE_TPM - ret = tpm2_get_seed(seed); -#else - ret = bls_get_seed(seed); -#endif + if (andr_tpm) + ret = tpm2_get_seed(seed); + else + ret = bls_get_seed(seed); if (EFI_ERROR(ret)) { efi_perror(ret, L"Failed to read trusty seed"); diff --git a/libkernelflinger/tpm2_security.c b/libkernelflinger/tpm2_security.c index 77415003..7108d266 100644 --- a/libkernelflinger/tpm2_security.c +++ b/libkernelflinger/tpm2_security.c @@ -54,8 +54,6 @@ EFI_STATUS tpm2_fuse_bootloader_policy( return EFI_UNSUPPORTED; } -#ifndef USE_IVSHMEM - enum NV_INDEX { NV_INDEX_TRUSTYOS_SEED = 0x01500080, NV_INDEX_OPTEEOS_SEED = 0x01500081, @@ -832,9 +830,9 @@ EFI_STATUS tpm2_init(void) return ret; if (is_platform_secure_boot_enabled()) - debug(L"TPM init OK. Secure boot ENABLED."); + debug(L"Android TPM init OK. Secure boot ENABLED."); else - debug(L"TPM init OK. Secure boot DISABLED."); + debug(L"Android TPM init OK. Secure boot DISABLED."); return ret; } @@ -849,10 +847,9 @@ EFI_STATUS tpm2_end(void) return EFI_SUCCESS; } -#else //USE_IVSHMEM ////////////////////////////TPM Requests are forwared to OPTEE///////////////////////////// -EFI_STATUS tpm2_init(void) +EFI_STATUS tee_tpm2_init(void) { struct tpm2_int_req req = {0}; req.cmd = TEE_TPM2_INIT; @@ -864,14 +861,14 @@ EFI_STATUS tpm2_init(void) } if (is_platform_secure_boot_enabled()) - debug(L"TPM init OK. Secure boot ENABLED."); + debug(L"TEE TPM init OK. Secure boot ENABLED."); else - debug(L"TPM init OK. Secure boot DISABLED."); + debug(L"TEE TPM init OK. Secure boot DISABLED."); return req.ret; } -EFI_STATUS tpm2_end(void) +EFI_STATUS tee_tpm2_end(void) { struct tpm2_int_req req = {0}; req.cmd = TEE_TPM2_END; @@ -880,7 +877,7 @@ EFI_STATUS tpm2_end(void) return req.ret; } -EFI_STATUS read_device_state_tpm2(UINT8 *state) +EFI_STATUS tee_read_device_state_tpm2(UINT8 *state) { struct tpm2_int_req *req = (struct tpm2_int_req *)AllocateZeroPool(sizeof(struct tpm2_int_req) + sizeof(state)); if (!req) @@ -898,7 +895,7 @@ EFI_STATUS read_device_state_tpm2(UINT8 *state) return ret; } -EFI_STATUS write_device_state_tpm2(UINT8 state) +EFI_STATUS tee_write_device_state_tpm2(UINT8 state) { struct tpm2_int_req *req = (struct tpm2_int_req *)AllocateZeroPool(sizeof(struct tpm2_int_req) + sizeof(state)); if (!req) @@ -915,7 +912,7 @@ EFI_STATUS write_device_state_tpm2(UINT8 state) return ret; } -EFI_STATUS read_rollback_index_tpm2(size_t rollback_index_slot, uint64_t *out_rollback_index) +EFI_STATUS tee_read_rollback_index_tpm2(size_t rollback_index_slot, uint64_t *out_rollback_index) { uint32_t payload_len = sizeof(rollback_index_slot) + sizeof(*out_rollback_index); struct tpm2_int_req *req = (struct tpm2_int_req *)AllocateZeroPool(sizeof(struct tpm2_int_req) + payload_len); @@ -936,7 +933,7 @@ EFI_STATUS read_rollback_index_tpm2(size_t rollback_index_slot, uint64_t *out_ro return ret; } -EFI_STATUS write_rollback_index_tpm2(size_t rollback_index_slot, uint64_t rollback_index) +EFI_STATUS tee_write_rollback_index_tpm2(size_t rollback_index_slot, uint64_t rollback_index) { uint32_t payload_len = sizeof(rollback_index_slot) + sizeof(rollback_index); struct tpm2_int_req *req = (struct tpm2_int_req *)AllocateZeroPool(sizeof(struct tpm2_int_req) + payload_len); @@ -955,7 +952,7 @@ EFI_STATUS write_rollback_index_tpm2(size_t rollback_index_slot, uint64_t rollba return ret; } -BOOLEAN tpm2_bootloader_need_init(void) +BOOLEAN tee_tpm2_bootloader_need_init(void) { struct tpm2_int_req req = {0}; req.cmd = TEE_TPM2_BOOTLOADER_NEED_INIT; @@ -965,19 +962,19 @@ BOOLEAN tpm2_bootloader_need_init(void) } #ifndef USER -EFI_STATUS tpm2_show_index(__attribute__((unused)) UINT32 index, __attribute__((unused)) uint8_t *out_buffer, __attribute__((unused)) UINTN out_buffer_size) +EFI_STATUS tee_tpm2_show_index(__attribute__((unused)) UINT32 index, __attribute__((unused)) uint8_t *out_buffer, __attribute__((unused)) UINTN out_buffer_size) { return EFI_UNSUPPORTED; } -EFI_STATUS tpm2_delete_index(__attribute__((unused)) UINT32 index) +EFI_STATUS tee_tpm2_delete_index(__attribute__((unused)) UINT32 index) { return EFI_UNSUPPORTED; } #endif // USER -EFI_STATUS tpm2_fuse_lock_owner(void) +EFI_STATUS tee_tpm2_fuse_lock_owner(void) { struct tpm2_int_req req = {0}; req.cmd = TEE_TPM2_FUSE_LOCK_OWNER; @@ -986,10 +983,7 @@ EFI_STATUS tpm2_fuse_lock_owner(void) return req.ret; } -EFI_STATUS tpm2_fuse_provision_seed(void) +EFI_STATUS tee_tpm2_fuse_provision_seed(void) { return EFI_UNSUPPORTED; } - - -#endif //USE_IVSHMEM diff --git a/libkernelflinger/vars.c b/libkernelflinger/vars.c index c1315c6f..bbcf07d2 100644 --- a/libkernelflinger/vars.c +++ b/libkernelflinger/vars.c @@ -41,9 +41,7 @@ #include "life_cycle.h" #include "storage.h" #include "security.h" -#ifdef USE_TPM #include "tpm2_security.h" -#endif #define OFF_MODE_CHARGE L"off-mode-charge" #define OEM_LOCK L"OEMLock" @@ -295,11 +293,14 @@ enum device_state get_current_state(void) current_state = UNLOCKED; goto exit; } -#ifdef USE_TPM - ret = read_device_state_tpm2(&stored_state); -#else - ret = read_device_state_efi(&stored_state); -#endif + + if (tee_tpm) + ret = tee_read_device_state_tpm2(&stored_state); + else if (andr_tpm) + ret = read_device_state_tpm2(&stored_state); + else + ret = read_device_state_efi(&stored_state); + if (ret == EFI_NOT_FOUND && !is_boot_device_virtual()) { set_provisioning_mode(FALSE); @@ -362,11 +363,12 @@ EFI_STATUS set_current_state(enum device_state state) } if (!is_live_boot()) { -#ifdef USE_TPM - ret = write_device_state_tpm2(stored_state); -#else - ret = write_device_state_efi(stored_state); -#endif + if (tee_tpm) + ret = tee_write_device_state_tpm2(stored_state); + else if (andr_tpm) + ret = write_device_state_tpm2(stored_state); + else + ret = write_device_state_efi(stored_state); } if (EFI_ERROR(ret)) { efi_perror(ret, L"Failed to set device state to %d", stored_state); @@ -388,28 +390,28 @@ EFI_STATUS refresh_current_state(void) BOOLEAN device_need_locked(void) { -#ifndef USE_TPM UINT8 stored_state; EFI_STATUS ret = EFI_SUCCESS; -#endif if (is_live_boot()) return FALSE; -#ifdef USE_TPM - return tpm2_bootloader_need_init(); -#else + if (tee_tpm) + return tee_tpm2_bootloader_need_init(); + if (andr_tpm) + return tpm2_bootloader_need_init(); + else { - ret = read_device_state_efi(&stored_state); - if (EFI_NOT_FOUND == ret) - return TRUE; + ret = read_device_state_efi(&stored_state); + if (EFI_NOT_FOUND == ret) + return TRUE; - if (EFI_ERROR(ret)) { - efi_perror(ret, L"Read device state failed, assuming locked"); - } + if (EFI_ERROR(ret)) { + efi_perror(ret, L"Read device state failed, assuming locked"); + } - return FALSE; -#endif + return FALSE; + } } #ifndef USER