commit c2e2fbeef92eb2391dbda5d4fca3eaf7bbfa9b1d
author Hung-Te Lin <hungte@chromium.org> Fri Nov 11 08:21:47 2016
committer chrome-bot <chrome-bot@chromium.org> Sat Nov 12 12:06:24 2016
tree 38776f074c1a7f3c6f8d12e8be5f0416ea9f83d4
parent bd19997b3eeba42b8272df4a53821b1ddcf1c539

factory_install: Call chromeos-tpm-recovery to reset TPM.

Factory Reset shim has to clear (wipe/zero) TPM NV spaces so devices
with wrong antirollback records can be recovered. However, the script
becomes more complicated due to (1) vboot changes (2) TPM2.

vboot_reference has an utility 'chromeos-tpm-recovery' that was has
more complete support of TPM recovery, although it does more (try to
re-create or even redefine the space) than what we need. To prevent
duplicating code, we should just run chromeos-tpm-recovery instead of
introducing our own implementation.

BUG=chromium:664390
TEST=./build_image factory_install; boot as recovery mode on Link+TPM1,
     enter menu, select item "r" (Reset) or "i" (Install). Also tried
     on Reef+TPM2.

Change-Id: I7b618946c55e24e775dc6972a23b6d271455ff06
Reviewed-on: https://chromium-review.googlesource.com/410523
Commit-Ready: Hung-Te Lin <hungte@chromium.org>
Tested-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>

factory_install.sh

diff --git a/factory_install.sh b/factory_install.sh
index 97f14d6..1be49a3 100644
--- a/factory_install.sh
+++ b/factory_install.sh
@@ -198,38 +198,6 @@
     grep -q "write protect is enabled"
 }
 
-clear_tpm() {
-  log "Clearing TPM"
-
-  # Reset TPM. tcsd needs to have not been run because it locks the TPM.
-  tpmc ppon
-  tpmc clear
-  tpmc enable
-  tpmc activate
-
-  local firmware_index="0x1007"
-  local firmware_struct_version="2"
-  local firmware_flags="0"
-  local firmware_fw_versions="1 0 1 0"
-  local firmware_reserved="0 0 0"
-  local firmware_checksum="0x4f"
-
-  tpmc write ${firmware_index} ${firmware_struct_version} ${firmware_flags} \
-      ${firmware_fw_versions} ${firmware_reserved} ${firmware_checksum}
-
-  local kernel_index="0x1008"
-  local kernel_struct_version="2"
-  local kernel_uid="4c 57 52 47"
-  local kernel_kernel_versions="1 0 1 0"
-  local kernel_reserved="0 0 0"
-  local kernel_checksum="0x55"
-
-  tpmc write ${kernel_index} ${kernel_struct_version} ${kernel_uid} \
-      ${kernel_kernel_versions} ${kernel_reserved} ${kernel_checksum}
-
-  log "Done clearing TPM"
-}
-
 set_time() {
   log "Setting time from:"
   # Extract only the server and port.
@@ -296,11 +264,22 @@
   # release image won't start with unknown ownership.
   crossystem clear_tpm_owner_request=1 || true
 
-  log "Checking if TPM should be cleared (for version and owner)"
+  log "Checking if TPM should be recovered (for version and owner)"
   # To clear TPM, we need it unlocked (only in recovery boot).
   # Booting with USB in developer mode (Ctrl-U) does not work.
   if crossystem "mainfw_type?recovery"; then
-    clear_tpm
+    if ! chromeos-tpm-recovery; then
+      colorize yellow
+      log " - TPM recovery failed.
+
+      This is usually not a problem for devices on manufacturing line,
+      but if you are using factory shim to reset TPM (for antirollback issue),
+      there's something wrong.
+      "
+      sleep 3
+    else
+      log "TPM recovered."
+    fi
   else
     mainfw_type="$(crossystem mainfw_type)"
     colorize yellow