Add clear TPM owner request
This adds two new flags to crossystem:
clear_tpm_owner_request
clear_tpm_owner_done
The first one requests that the firmware clear the TPM owner on the
next boot. When the firmware does this, it will set
clear_tpm_owner_request=0, and set clear_tpm_owner_done=1. The OS can
use the done-flag as a hint that trusted things guarded by the TPM are
no longer trustable.
BUG=chromium-os:31974
TEST=manual
crossystem
// both flags initially 0
crossystem clear_tpm_owner_request=1
crossystem clear_tpm_owner_done=1
// request=1, done=0; done can be cleared but not set by crossystem
reboot
tpmc getownership
// owned=no
crossystem
// request=0, done=1
crossystem clear_tpm_owner_done=0
crossystem
// both flags 0 again
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Change-Id: I49f83f3c39c3efc3945116c51a241d255c2e42cd
Reviewed-on: https://gerrit.chromium.org/gerrit/25646
diff --git a/utility/crossystem_main.c b/utility/crossystem_main.c
index ecd1e4f..1b92665 100644
--- a/utility/crossystem_main.c
+++ b/utility/crossystem_main.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*
@@ -35,6 +35,8 @@
/* List of parameters, terminated with a param with NULL name */
const Param sys_param_list[] = {
{"arch", IS_STRING, "Platform architecture"},
+ {"clear_tpm_owner_request", CAN_WRITE, "Clear TPM owner on next boot"},
+ {"clear_tpm_owner_done", CAN_WRITE, "Clear TPM owner done"},
{"cros_debug", 0, "OS should allow debug features"},
{"dbg_reset", CAN_WRITE, "Debug reset mode request (writable)"},
{"ddr_type", IS_STRING, "Type of DDR RAM"},