Replace TlclDefineSpace with SafeDefineSpace for extra paranoia.

firmware/lib/rollback_index.c

 /* Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
  * Use of this source code is governed by a BSD-style license that can be
  * found in the LICENSE file.
  *
  * Functions for querying, manipulating and locking rollback indices
  * stored in the TPM NVRAM.
  */
 
 #include "rollback_index.h"
 
@@ skipping 29 matching lines @@
 static uint32_t SafeWrite(uint32_t index, uint8_t* data, uint32_t length) {
   uint32_t result = TlclWrite(index, data, length);
   if (result == TPM_E_MAXNVWRITES) {
     RETURN_ON_FAILURE(TPMClearAndReenable());
     return TlclWrite(index, data, length);
   } else {
     return result;
   }
 }
 
+/* Similarly to SafeWrite(), this ensures we don't fail a DefineSpace because
+ * we hit the TPM write limit.  This is even less likely to happen than with
+ * writes because we only define spaces once at initialization, but we'd rather
+ * be paranoid about this.
+ */
+static uint32_t SafeDefineSpace(uint32_t index, uint32_t perm, uint32_t size) {
+  uint32_t result = TlclDefineSpace(index, perm, size);
+  if (result == TPM_E_MAXNVWRITES) {
+    RETURN_ON_FAILURE(TPMClearAndReenable());
+    return TlclDefineSpace(index, perm, size);
+  } else {
+    return result;
+  }
+}
+
 static uint32_t InitializeKernelVersionsSpaces(void) {
-  RETURN_ON_FAILURE(TlclDefineSpace(KERNEL_VERSIONS_NV_INDEX,
+  RETURN_ON_FAILURE(SafeDefineSpace(KERNEL_VERSIONS_NV_INDEX,
                                     TPM_NV_PER_PPWRITE, KERNEL_SPACE_SIZE));
   RETURN_ON_FAILURE(SafeWrite(KERNEL_VERSIONS_NV_INDEX, KERNEL_SPACE_INIT_DATA,
                               KERNEL_SPACE_SIZE));
   return TPM_SUCCESS;
 }
 
 /* When the return value is TPM_SUCCESS, this function sets *|initialized| to 1
  * if the spaces have been fully initialized, to 0 if not.  Otherwise
  * *|initialized| is not changed.
  */
@@ skipping 17 matching lines @@
 /* Creates the NVRAM spaces, and sets their initial values as needed.
  */
 static uint32_t InitializeSpaces(void) {
   uint32_t zero = 0;
   uint32_t firmware_perm = TPM_NV_PER_GLOBALLOCK | TPM_NV_PER_PPWRITE;
 
   VBDEBUG(("Initializing spaces\n"));
 
   RETURN_ON_FAILURE(TlclSetNvLocked());
 
-  RETURN_ON_FAILURE(TlclDefineSpace(FIRMWARE_VERSIONS_NV_INDEX,
+  RETURN_ON_FAILURE(SafeDefineSpace(FIRMWARE_VERSIONS_NV_INDEX,
                                     firmware_perm, sizeof(uint32_t)));
   RETURN_ON_FAILURE(SafeWrite(FIRMWARE_VERSIONS_NV_INDEX,
                               (uint8_t*) &zero, sizeof(uint32_t)));
 
   RETURN_ON_FAILURE(InitializeKernelVersionsSpaces());
 
   /* The space KERNEL_VERSIONS_BACKUP_NV_INDEX is used to protect the kernel
    * versions.  The content of space KERNEL_MUST_USE_BACKUP determines whether
    * only the backup value should be trusted.
    */
-  RETURN_ON_FAILURE(TlclDefineSpace(KERNEL_VERSIONS_BACKUP_NV_INDEX,
+  RETURN_ON_FAILURE(SafeDefineSpace(KERNEL_VERSIONS_BACKUP_NV_INDEX,
                                     firmware_perm, sizeof(uint32_t)));
   RETURN_ON_FAILURE(SafeWrite(KERNEL_VERSIONS_BACKUP_NV_INDEX,
                               (uint8_t*) &zero, sizeof(uint32_t)));
-  RETURN_ON_FAILURE(TlclDefineSpace(KERNEL_MUST_USE_BACKUP_NV_INDEX,
+  RETURN_ON_FAILURE(SafeDefineSpace(KERNEL_MUST_USE_BACKUP_NV_INDEX,
                                     firmware_perm, sizeof(uint32_t)));
   RETURN_ON_FAILURE(SafeWrite(KERNEL_MUST_USE_BACKUP_NV_INDEX,
                               (uint8_t*) &zero, sizeof(uint32_t)));
-  RETURN_ON_FAILURE(TlclDefineSpace(DEVELOPER_MODE_NV_INDEX,
+  RETURN_ON_FAILURE(SafeDefineSpace(DEVELOPER_MODE_NV_INDEX,
                                     firmware_perm, sizeof(uint32_t)));
   RETURN_ON_FAILURE(SafeWrite(DEVELOPER_MODE_NV_INDEX,
                               (uint8_t*) &zero, sizeof(uint32_t)));
 
   /* The space TPM_IS_INITIALIZED_NV_INDEX is used to indicate that the TPM
    * initialization has completed.  Without it we cannot be sure that the last
    * space to be created was also initialized (power could have been lost right
    * after its creation).
    */
-  RETURN_ON_FAILURE(TlclDefineSpace(TPM_IS_INITIALIZED_NV_INDEX,
+  RETURN_ON_FAILURE(SafeDefineSpace(TPM_IS_INITIALIZED_NV_INDEX,
                                     firmware_perm, sizeof(uint32_t)));
   return TPM_SUCCESS;
 }
 
 static uint32_t SetDistrustKernelSpaceAtNextBoot(uint32_t distrust) {
   uint32_t must_use_backup;
   RETURN_ON_FAILURE(TlclRead(KERNEL_MUST_USE_BACKUP_NV_INDEX,
                              (uint8_t*) &must_use_backup, sizeof(uint32_t)));
   if (must_use_backup != distrust) {
      RETURN_ON_FAILURE(SafeWrite(KERNEL_MUST_USE_BACKUP_NV_INDEX,
@@ skipping 214 matching lines @@
   return TPM_SUCCESS;
 }
 
 uint32_t RollbackKernelLock(void) {
   if (!g_rollback_recovery_mode) {
     return TlclLockPhysicalPresence();
   } else {
     return TPM_SUCCESS;
   }
 }