The Secure Launch MLE environment uses PCRs that are only accessible from
the DRTM locality 2. By default the TPM drivers always initialize the
locality to 0. When a Secure Launch is in progress, initialize the
locality to 2.

Signed-off-by: Ross Philipson <ross.philipson@oracle.com>
---
 drivers/char/tpm/tpm-chip.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/drivers/char/tpm/tpm-chip.c b/drivers/char/tpm/tpm-chip.c
index 80aaa10..5dd2eed 100644
--- a/drivers/char/tpm/tpm-chip.c
+++ b/drivers/char/tpm/tpm-chip.c
@@ -23,6 +23,7 @@
 #include <linux/major.h>
 #include <linux/tpm_eventlog.h>
 #include <linux/hw_random.h>
+#include <linux/slaunch.h>
 #include "tpm.h"
 
 DEFINE_IDR(dev_nums_idr);
@@ -34,12 +35,18 @@
 
 static int tpm_request_locality(struct tpm_chip *chip)
 {
+	int locality;
 	int rc;
 
 	if (!chip->ops->request_locality)
 		return 0;
 
-	rc = chip->ops->request_locality(chip, 0);
+	if (slaunch_get_flags() & SL_FLAG_ACTIVE)
+		locality = 2;
+	else
+		locality = 0;
+
+	rc = chip->ops->request_locality(chip, locality);
 	if (rc < 0)
 		return rc;
 
-- 
1.8.3.1

On Thu, May 04, 2023 at 02:50:22PM +0000, Ross Philipson wrote:
> The Secure Launch MLE environment uses PCRs that are only accessible from
> the DRTM locality 2. By default the TPM drivers always initialize the
> locality to 0. When a Secure Launch is in progress, initialize the
> locality to 2.

This looks correct in itself, but looking at the CRB driver code I don't 
think locality support is actually implemented. Are there any SL systems 
using CRB?

On 5/12/23 07:43, Matthew Garrett wrote:
> On Thu, May 04, 2023 at 02:50:22PM +0000, Ross Philipson wrote:
>> The Secure Launch MLE environment uses PCRs that are only accessible from
>> the DRTM locality 2. By default the TPM drivers always initialize the
>> locality to 0. When a Secure Launch is in progress, initialize the
>> locality to 2.
> 
> This looks correct in itself, but looking at the CRB driver code I don't
> think locality support is actually implemented. Are there any SL systems
> using CRB?

We have never seen a system that supports CRB other than some firmware 
TPMs that don't work with TXT in the first place. CRB is unexplored 
territory at this point.

Thanks
Ross

On 5/12/23 12:22, Ross Philipson wrote:
> On 5/12/23 07:43, Matthew Garrett wrote:
>> On Thu, May 04, 2023 at 02:50:22PM +0000, Ross Philipson wrote:
>>> The Secure Launch MLE environment uses PCRs that are only accessible 
>>> from
>>> the DRTM locality 2. By default the TPM drivers always initialize the
>>> locality to 0. When a Secure Launch is in progress, initialize the
>>> locality to 2.
>>
>> This looks correct in itself, but looking at the CRB driver code I don't
>> think locality support is actually implemented. Are there any SL systems
>> using CRB?
> 
> We have never seen a system that supports CRB other than some firmware 
> TPMs that don't work with TXT in the first place. CRB is unexplored 
> territory at this point.

So there is often confusion over the CRB interface. If you ask an ARM 
person, they will describe a door-bell, general purpose memory interface 
that has no support for locality. That interface is described in the 
TCG's Mobile TPM interface. Though there is work in progress to address 
this. Now if you speak with an x86 person, they will describe a 
state-based command-response mechanism using MMIO registers which has 
locality support. That interface is described in the TCG PC Client 
specification.

As to whether there are devices with CRB and TXT. I have seen talk on 
the tboot mailing list that there exist an Intel client devices that has 
an Intel-PTT fTPM using the PC Client CRB interface and Intel-TXT. I 
myself have never seen one, so I could not point you at a SKU/Part No. 
for such a device. If someone has such a device and willing to help, 
drop me a line and I would be glad to work with them to get this tested.

v/r,
dps