Add clear TPM owner request

This adds two new flags to crossystem: clear_tpm_owner_request clear_tpm_owner_done The first one requests that the firmware clear the TPM owner on the next boot. When the firmware does this, it will set clear_tpm_owner_request=0, and set clear_tpm_owner_done=1. The OS can use the done-flag as a hint that trusted things guarded by the TPM are no longer trustable. BUG=chromium-os:31974 TEST=manual crossystem // both flags initially 0 crossystem clear_tpm_owner_request=1 crossystem clear_tpm_owner_done=1 // request=1, done=0; done can be cleared but not set by crossystem reboot tpmc getownership // owned=no crossystem // request=0, done=1 crossystem clear_tpm_owner_done=0 crossystem // both flags 0 again Signed-off-by: Randall Spangler <rspangler@chromium.org> Change-Id: I49f83f3c39c3efc3945116c51a241d255c2e42cd Reviewed-on: https://gerrit.chromium.org/gerrit/25646
2012-06-19 10:03:53 -07:00 · 2012-06-19 10:03:53 -07:00 · 29e8807ea0
parent 59576e11e5
commit 29e8807ea0
12 changed files with 122 additions and 26 deletions
--- a/firmware/include/vboot_nvstorage.h
+++ b/firmware/include/vboot_nvstorage.h
@ -57,6 +57,10 @@ typedef enum VbNvParam {
  /* Set and cleared by vboot to request that the video Option ROM be loaded at
   * boot time, so that BIOS screens can be displayed. 0=no, 1=yes. */
  VBNV_OPROM_NEEDED,
+  /* Request that the firmware clear the TPM owner on the next boot. */
+  VBNV_CLEAR_TPM_OWNER_REQUEST,
+  /* Flag that TPM owner was cleared on request. */
+  VBNV_CLEAR_TPM_OWNER_DONE,
 } VbNvParam;


--- a/firmware/lib/include/rollback_index.h
+++ b/firmware/lib/include/rollback_index.h
@ -1,4 +1,4 @@
-/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 *
@ -70,6 +70,7 @@ uint32_t RollbackS3Resume(void);
 /* This must be called. */
 uint32_t RollbackFirmwareSetup(int recovery_mode, int is_hw_dev,
                               int disable_dev_request,
+                               int clear_tpm_owner_request,
                               /* two outputs on success */
                               int *is_virt_dev, uint32_t *tpm_version);

@ -118,7 +119,8 @@ uint32_t OneTimeInitializeTPM(RollbackSpaceFirmware* rsf,
 /* SetupTPM starts the TPM and establishes the root of trust for the
 * anti-rollback mechanism. */
 uint32_t SetupTPM(int recovery_mode, int developer_mode,
-                  int disable_dev_request, RollbackSpaceFirmware* rsf);
+                  int disable_dev_request, int clear_tpm_owner_request,
+                  RollbackSpaceFirmware* rsf);

 /* Utility function to turn the virtual dev-mode flag on or off. 0=off, 1=on */
 uint32_t SetVirtualDevMode(int val);
--- a/firmware/lib/mocked_rollback_index.c
+++ b/firmware/lib/mocked_rollback_index.c
@ -1,4 +1,4 @@
-/* Copyright (c) 2010-2011 The Chromium OS Authors. All rights reserved.
+/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 *
@ -22,7 +22,8 @@ uint32_t TPMClearAndReenable(void) {


 uint32_t SetupTPM(int recovery_mode, int developer_mode,
-                  int disable_dev_request, RollbackSpaceFirmware* rsf) {
+                  int disable_dev_request, int clear_tpm_owner_request,
+                  RollbackSpaceFirmware* rsf) {
  return TPM_SUCCESS;
 }

@ -34,6 +35,7 @@ uint32_t RollbackS3Resume(void) {

 uint32_t RollbackFirmwareSetup(int recovery_mode, int is_hw_dev,
                               int disable_dev_request,
+                               int clear_tpm_owner_request,
                               int *is_virt_dev, uint32_t *version) {
  *version = 0;
  return TPM_SUCCESS;
--- a/firmware/lib/rollback_index.c
+++ b/firmware/lib/rollback_index.c
@ -1,4 +1,4 @@
-/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 *
@ -298,7 +298,8 @@ uint32_t OneTimeInitializeTPM(RollbackSpaceFirmware* rsf,
 * the durability of the NVRAM.
 */
 uint32_t SetupTPM(int recovery_mode, int developer_mode,
-                  int disable_dev_request, RollbackSpaceFirmware* rsf) {
+                  int disable_dev_request, int clear_tpm_owner_request,
+                  RollbackSpaceFirmware* rsf) {

  uint8_t in_flags;
  uint8_t disable;
@ -398,11 +399,15 @@ uint32_t SetupTPM(int recovery_mode, int developer_mode,
  if (rsf->flags & FLAG_VIRTUAL_DEV_MODE_ON)
    developer_mode = 1;

-  /* Clears ownership if developer flag has toggled */
+  /* Clears ownership if developer flag has toggled, or if an owner-clear has
+   * been requested. */
  if ((developer_mode ? FLAG_LAST_BOOT_DEVELOPER : 0) !=
      (in_flags & FLAG_LAST_BOOT_DEVELOPER)) {
    VBDEBUG(("TPM: Developer flag changed; clearing owner.\n"));
    RETURN_ON_FAILURE(TPMClearAndReenable());
+  } else if (clear_tpm_owner_request) {
+    VBDEBUG(("TPM: Clearing owner as specifically requested.\n"));
+    RETURN_ON_FAILURE(TPMClearAndReenable());
  }

  if (developer_mode)
@ -441,6 +446,7 @@ uint32_t RollbackS3Resume(void) {

 uint32_t RollbackFirmwareSetup(int recovery_mode, int is_hw_dev,
                               int disable_dev_request,
+                               int clear_tpm_owner_request,
                               int *is_virt_dev, uint32_t *version) {
 #ifndef CHROMEOS_ENVIRONMENT
  /* Initialize the TPM, but ignores return codes.  In ChromeOS
@ -495,14 +501,15 @@ uint32_t RollbackS3Resume(void) {

 uint32_t RollbackFirmwareSetup(int recovery_mode, int is_hw_dev,
                               int disable_dev_request,
+                               int clear_tpm_owner_request,
                               int *is_virt_dev, uint32_t *version) {
  RollbackSpaceFirmware rsf;

  /* Set version to 0 in case we fail */
  *version = 0;

-  RETURN_ON_FAILURE(SetupTPM(recovery_mode, is_hw_dev,
-                             disable_dev_request, &rsf));
+  RETURN_ON_FAILURE(SetupTPM(recovery_mode, is_hw_dev, disable_dev_request,
+                             clear_tpm_owner_request, &rsf));
  *version = rsf.fw_versions;
  *is_virt_dev = (rsf.flags & FLAG_VIRTUAL_DEV_MODE_ON) ? 1 : 0;
  VBDEBUG(("TPM: RollbackFirmwareSetup %x\n", (int)rsf.fw_versions));
--- a/firmware/lib/vboot_api_init.c
+++ b/firmware/lib/vboot_api_init.c
@ -29,6 +29,7 @@ VbError_t VbInit(VbCommonParams* cparams, VbInitParams* iparams) {
  int is_hw_dev = 0;
  int is_virt_dev = 0;
  uint32_t disable_dev_request = 0;
+  uint32_t clear_tpm_owner_request = 0;
  int is_dev = 0;

  VBDEBUG(("VbInit() input flags 0x%x\n", iparams->flags));
@ -136,12 +137,16 @@ VbError_t VbInit(VbCommonParams* cparams, VbInitParams* iparams) {
    if (gbb->flags & GBB_FLAG_FORCE_DEV_SWITCH_ON)
      is_hw_dev = 1;

+    /* Check if we've been explicitly asked to clear the TPM owner */
+    VbNvGet(&vnc, VBNV_CLEAR_TPM_OWNER_REQUEST, &clear_tpm_owner_request);
+
    VBPERFSTART("VB_TPMI");
    /* Initialize the TPM. If the developer mode state has changed since the
     * last boot, we need to clear TPM ownership. If the TPM space is
     * initialized by this call, the virtual dev-switch will be disabled by
     * default) */
    tpm_status = RollbackFirmwareSetup(recovery, is_hw_dev, disable_dev_request,
+                                       clear_tpm_owner_request,
                                       /* two outputs on success */
                                       &is_virt_dev, &tpm_version);
    VBPERFEND("VB_TPMI");
@ -180,6 +185,10 @@ VbError_t VbInit(VbCommonParams* cparams, VbInitParams* iparams) {
    }
    if (disable_dev_request && !is_virt_dev)
      VbNvSet(&vnc, VBNV_DISABLE_DEV_REQUEST, 0);
+    if (clear_tpm_owner_request) {
+      VbNvSet(&vnc, VBNV_CLEAR_TPM_OWNER_REQUEST, 0);
+      VbNvSet(&vnc, VBNV_CLEAR_TPM_OWNER_DONE, 1);
+    }
  }

  /* Allow BIOS to load arbitrary option ROMs? */
--- a/firmware/lib/vboot_nvstorage.c
+++ b/firmware/lib/vboot_nvstorage.c
@ -33,6 +33,10 @@
 #define DEV_BOOT_USB_MASK               0x01
 #define DEV_BOOT_SIGNED_ONLY_MASK       0x02

+#define TPM_FLAGS_OFFSET             5
+#define TPM_CLEAR_OWNER_REQUEST         0x01
+#define TPM_CLEAR_OWNER_DONE            0x02
+
 #define KERNEL_FIELD_OFFSET         11
 #define CRC_OFFSET                  15

@ -124,6 +128,14 @@ int VbNvGet(VbNvContext* context, VbNvParam param, uint32_t* dest) {
      *dest = (raw[BOOT_OFFSET] & BOOT_OPROM_NEEDED ? 1 : 0);
      return 0;

+    case VBNV_CLEAR_TPM_OWNER_REQUEST:
+      *dest = (raw[TPM_FLAGS_OFFSET] & TPM_CLEAR_OWNER_REQUEST ? 1 : 0);
+      return 0;
+
+    case VBNV_CLEAR_TPM_OWNER_DONE:
+      *dest = (raw[TPM_FLAGS_OFFSET] & TPM_CLEAR_OWNER_DONE ? 1 : 0);
+      return 0;
+
    default:
      return 1;
  }
@ -219,6 +231,20 @@ int VbNvSet(VbNvContext* context, VbNvParam param, uint32_t value) {
        raw[BOOT_OFFSET] &= ~BOOT_OPROM_NEEDED;
      break;

+    case VBNV_CLEAR_TPM_OWNER_REQUEST:
+      if (value)
+        raw[TPM_FLAGS_OFFSET] |= TPM_CLEAR_OWNER_REQUEST;
+      else
+        raw[TPM_FLAGS_OFFSET] &= ~TPM_CLEAR_OWNER_REQUEST;
+      break;
+
+    case VBNV_CLEAR_TPM_OWNER_DONE:
+      if (value)
+        raw[TPM_FLAGS_OFFSET] |= TPM_CLEAR_OWNER_DONE;
+      else
+        raw[TPM_FLAGS_OFFSET] &= ~TPM_CLEAR_OWNER_DONE;
+      break;
+
    default:
      return 1;
  }
--- a/firmware/linktest/main.c
+++ b/firmware/linktest/main.c
@ -1,4 +1,4 @@
-/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 */
@ -29,7 +29,7 @@ int main(void)

  /* rollback_index.h */
  RollbackS3Resume();
-  RollbackFirmwareSetup(0, 0, 0, 0, 0);
+  RollbackFirmwareSetup(0, 0, 0, 0, 0, 0);
  RollbackFirmwareWrite(0);
  RollbackFirmwareLock();
  RollbackKernelRead(0);
--- a/host/lib/crossystem.c
+++ b/host/lib/crossystem.c
@ -403,6 +403,10 @@ int VbGetSystemPropertyInt(const char* name) {
    value = VbGetNvStorage(VBNV_DEBUG_RESET_MODE);
  } else if (!strcasecmp(name,"disable_dev_request")) {
    value = VbGetNvStorage(VBNV_DISABLE_DEV_REQUEST);
+  } else if (!strcasecmp(name,"clear_tpm_owner_request")) {
+    value = VbGetNvStorage(VBNV_CLEAR_TPM_OWNER_REQUEST);
+  } else if (!strcasecmp(name,"clear_tpm_owner_done")) {
+    value = VbGetNvStorage(VBNV_CLEAR_TPM_OWNER_DONE);
  } else if (!strcasecmp(name,"fwb_tries")) {
    value = VbGetNvStorage(VBNV_TRY_B_COUNT);
  } else if (!strcasecmp(name,"fwupdate_tries")) {
@ -493,6 +497,11 @@ int VbSetSystemPropertyInt(const char* name, int value) {
    return VbSetNvStorage(VBNV_DEBUG_RESET_MODE, value);
  } else if (!strcasecmp(name,"disable_dev_request")) {
    return VbSetNvStorage(VBNV_DISABLE_DEV_REQUEST, value);
+  } else if (!strcasecmp(name,"clear_tpm_owner_request")) {
+    return VbSetNvStorage(VBNV_CLEAR_TPM_OWNER_REQUEST, value);
+  } else if (!strcasecmp(name,"clear_tpm_owner_done")) {
+    /* Can only clear this flag; it's set by firmware. */
+    return VbSetNvStorage(VBNV_CLEAR_TPM_OWNER_DONE, 0);
  } else if (!strcasecmp(name,"fwb_tries")) {
    return VbSetNvStorage(VBNV_TRY_B_COUNT, value);
  } else if (!strcasecmp(name,"fwupdate_tries")) {
--- a/tests/rollback_index2_tests.c
+++ b/tests/rollback_index2_tests.c
@ -1,4 +1,4 @@
-/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 *
@ -558,7 +558,7 @@ static void SetupTpmTest(void) {

  /* Complete setup */
  ResetMocks(0, 0);
-  TEST_EQ(SetupTPM(0, 0, 0, &rsf), 0, "SetupTPM()");
+  TEST_EQ(SetupTPM(0, 0, 0, 0, &rsf), 0, "SetupTPM()");
  TEST_STR_EQ(mock_calls,
              "TlclLibInit()\n"
              "TlclStartup()\n"
@ -570,7 +570,7 @@ static void SetupTpmTest(void) {
  /* If TPM is disabled or deactivated, must enable it */
  ResetMocks(0, 0);
  mock_pflags.disable = 1;
-  TEST_EQ(SetupTPM(0, 0, 0, &rsf), TPM_E_MUST_REBOOT, "SetupTPM() disabled");
+  TEST_EQ(SetupTPM(0, 0, 0, 0, &rsf), TPM_E_MUST_REBOOT, "SetupTPM() disabled");
  TEST_STR_EQ(mock_calls,
              "TlclLibInit()\n"
              "TlclStartup()\n"
@ -582,7 +582,8 @@ static void SetupTpmTest(void) {

  ResetMocks(0, 0);
  mock_pflags.deactivated = 1;
-  TEST_EQ(SetupTPM(0, 0, 0, &rsf), TPM_E_MUST_REBOOT, "SetupTPM() deactivated");
+  TEST_EQ(SetupTPM(0, 0, 0, 0, &rsf), TPM_E_MUST_REBOOT,
+          "SetupTPM() deactivated");
  TEST_STR_EQ(mock_calls,
              "TlclLibInit()\n"
              "TlclStartup()\n"
@ -594,7 +595,7 @@ static void SetupTpmTest(void) {

  /* If physical presence command isn't enabled, should try to enable it */
  ResetMocks(3, TPM_E_IOERROR);
-  TEST_EQ(SetupTPM(0, 0, 0, &rsf), 0, "SetupTPM() pp cmd");
+  TEST_EQ(SetupTPM(0, 0, 0, 0, &rsf), 0, "SetupTPM() pp cmd");
  TEST_STR_EQ(mock_calls,
              "TlclLibInit()\n"
              "TlclStartup()\n"
@ -609,7 +610,7 @@ static void SetupTpmTest(void) {
  ResetMocks(5, TPM_E_BADINDEX);
  mock_pflags.physicalPresenceLifetimeLock = 1;
  mock_pflags.nvLocked = 1;
-  TEST_EQ(SetupTPM(0, 0, 0, &rsf), 0, "SetupTPM() no firmware space");
+  TEST_EQ(SetupTPM(0, 0, 0, 0, &rsf), 0, "SetupTPM() no firmware space");
  TEST_STR_EQ(mock_calls,
              "TlclLibInit()\n"
              "TlclStartup()\n"
@ -632,7 +633,7 @@ static void SetupTpmTest(void) {

  /* Other firmware space error is passed through */
  ResetMocks(5, TPM_E_IOERROR);
-  TEST_EQ(SetupTPM(0, 0, 0, &rsf), TPM_E_CORRUPTED_STATE,
+  TEST_EQ(SetupTPM(0, 0, 0, 0, &rsf), TPM_E_CORRUPTED_STATE,
          "SetupTPM() bad firmware space");
  TEST_STR_EQ(mock_calls,
              "TlclLibInit()\n"
@ -644,7 +645,7 @@ static void SetupTpmTest(void) {

  /* If developer flag has toggled, clear ownership and write new flag */
  ResetMocks(0, 0);
-  TEST_EQ(SetupTPM(0, 1, 0, &rsf), 0, "SetupTPM() to dev");
+  TEST_EQ(SetupTPM(0, 1, 0, 0, &rsf), 0, "SetupTPM() to dev");
  TEST_STR_EQ(mock_calls,
              "TlclLibInit()\n"
              "TlclStartup()\n"
@ -661,7 +662,7 @@ static void SetupTpmTest(void) {

  ResetMocks(0, 0);
  mock_rsf.flags = FLAG_LAST_BOOT_DEVELOPER;
-  TEST_EQ(SetupTPM(0, 0, 0, &rsf), 0, "SetupTPM() from dev");
+  TEST_EQ(SetupTPM(0, 0, 0, 0, &rsf), 0, "SetupTPM() from dev");
  TEST_STR_EQ(mock_calls,
              "TlclLibInit()\n"
              "TlclStartup()\n"
@ -676,6 +677,20 @@ static void SetupTpmTest(void) {
              "tlcl calls");
  TEST_EQ(mock_rsf.flags, 0, "fw space flags from dev 1");

+  /* If TPM clear request, clear ownership also */
+  ResetMocks(0, 0);
+  TEST_EQ(SetupTPM(0, 0, 0, 1, &rsf), 0, "SetupTPM() clear owner");
+  TEST_STR_EQ(mock_calls,
+              "TlclLibInit()\n"
+              "TlclStartup()\n"
+              "TlclAssertPhysicalPresence()\n"
+              "TlclGetPermanentFlags()\n"
+              "TlclRead(0x1007, 10)\n"
+              "TlclForceClear()\n"
+              "TlclSetEnable()\n"
+              "TlclSetDeactivated(0)\n",
+              "tlcl calls");
+
  /* Note: SetupTPM() recovery_mode parameter sets a global flag in
   * rollback_index.c; this is tested along with RollbackKernelLock() below. */
 }
@ -691,7 +706,7 @@ static void RollbackFirmwareTest(void) {
  dev_mode = 0;
  version = 123;
  mock_rsf.fw_versions = 0x12345678;
-  TEST_EQ(RollbackFirmwareSetup(0, 0, dev_mode, &dev_mode, &version), 0,
+  TEST_EQ(RollbackFirmwareSetup(0, 0, dev_mode, 0, &dev_mode, &version), 0,
          "RollbackFirmwareSetup()");
  TEST_STR_EQ(mock_calls,
              "TlclLibInit()\n"
@ -707,7 +722,7 @@ static void RollbackFirmwareTest(void) {
  dev_mode = 0;
  version = 123;
  mock_rsf.fw_versions = 0x12345678;
-  TEST_EQ(RollbackFirmwareSetup(0, 0, dev_mode, &dev_mode, &version),
+  TEST_EQ(RollbackFirmwareSetup(0, 0, dev_mode, 0, &dev_mode, &version),
          TPM_E_IOERROR,
          "RollbackFirmwareSetup() error");
  TEST_STR_EQ(mock_calls,
@ -718,7 +733,7 @@ static void RollbackFirmwareTest(void) {
  /* Developer mode flag gets passed properly */
  ResetMocks(0, 0);
  dev_mode = 1;
-  TEST_EQ(RollbackFirmwareSetup(0, dev_mode, 0, &dev_mode, &version), 0,
+  TEST_EQ(RollbackFirmwareSetup(0, dev_mode, 0, 0, &dev_mode, &version), 0,
          "RollbackFirmwareSetup() to dev");
  TEST_STR_EQ(mock_calls,
              "TlclLibInit()\n"
@ -734,6 +749,22 @@ static void RollbackFirmwareTest(void) {
              "tlcl calls");
  TEST_EQ(mock_rsf.flags, FLAG_LAST_BOOT_DEVELOPER, "fw space flags to dev 2");

+  /* So does clear-TPM request */
+  ResetMocks(0, 0);
+  dev_mode = 0;
+  TEST_EQ(RollbackFirmwareSetup(0, dev_mode, 0, 1, &dev_mode, &version), 0,
+          "RollbackFirmwareSetup() clear owner");
+  TEST_STR_EQ(mock_calls,
+              "TlclLibInit()\n"
+              "TlclStartup()\n"
+              "TlclAssertPhysicalPresence()\n"
+              "TlclGetPermanentFlags()\n"
+              "TlclRead(0x1007, 10)\n"
+              "TlclForceClear()\n"
+              "TlclSetEnable()\n"
+              "TlclSetDeactivated(0)\n",
+              "tlcl calls");
+
  /* Test write */
  ResetMocks(0, 0);
  TEST_EQ(RollbackFirmwareWrite(0xBEAD1234), 0, "RollbackFirmwareWrite()");
@ -770,7 +801,7 @@ static void RollbackKernelTest(void) {
  /* RollbackKernel*() functions use a global flag inside
   * rollback_index.c based on recovery mode, which is set by
   * SetupTPM().  Clear the flag for the first set of tests. */
-  TEST_EQ(SetupTPM(0, 0, 0, &rsf), 0, "SetupTPM()");
+  TEST_EQ(SetupTPM(0, 0, 0, 0, &rsf), 0, "SetupTPM()");

  /* Normal read */
  ResetMocks(0, 0);
@ -831,7 +862,7 @@ static void RollbackKernelTest(void) {
  TEST_EQ(RollbackKernelLock(), TPM_E_IOERROR, "RollbackKernelLock() error");

  /* Test lock with recovery on; shouldn't lock PP */
-  SetupTPM(1, 0, 0, &rsf);
+  SetupTPM(1, 0, 0, 0, &rsf);
  ResetMocks(0, 0);
  TEST_EQ(RollbackKernelLock(), 0, "RollbackKernelLock() in recovery");
  TEST_STR_EQ(mock_calls, "", "no tlcl calls");
--- a/tests/vboot_api_init_tests.c
+++ b/tests/vboot_api_init_tests.c
@ -89,6 +89,7 @@ uint32_t RollbackS3Resume(void) {

 uint32_t RollbackFirmwareSetup(int recovery_mode, int is_hw_dev,
                               int disable_dev_request,
+                               int clear_tpm_owner_request,
                               /* two outputs on success */
                               int *is_virt_dev, uint32_t *version) {
  *is_virt_dev = mock_virt_dev_sw;
--- a/tests/vboot_nvstorage_test.c
+++ b/tests/vboot_nvstorage_test.c
@ -31,6 +31,9 @@ static VbNvField nvfields[] = {
  {VBNV_KERNEL_FIELD, 0, 0x12345678, 0xFEDCBA98, "kernel field"},
  {VBNV_DEV_BOOT_USB, 0, 1, 0, "dev boot usb"},
  {VBNV_DEV_BOOT_SIGNED_ONLY, 0, 1, 0, "dev boot custom"},
+  {VBNV_DISABLE_DEV_REQUEST, 0, 1, 0, "disable dev request"},
+  {VBNV_CLEAR_TPM_OWNER_REQUEST, 0, 1, 0, "clear tpm owner request"},
+  {VBNV_CLEAR_TPM_OWNER_DONE, 0, 1, 0, "clear tpm owner done"},
  {0, 0, 0, 0, NULL}
 };

--- a/utility/crossystem_main.c
+++ b/utility/crossystem_main.c
@ -1,4 +1,4 @@
-/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
+/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 *
@ -35,6 +35,8 @@ typedef struct Param {
 /* List of parameters, terminated with a param with NULL name */
 const Param sys_param_list[] = {
  {"arch", IS_STRING, "Platform architecture"},
+  {"clear_tpm_owner_request", CAN_WRITE, "Clear TPM owner on next boot"},
+  {"clear_tpm_owner_done", CAN_WRITE, "Clear TPM owner done"},
  {"cros_debug", 0, "OS should allow debug features"},
  {"dbg_reset", CAN_WRITE, "Debug reset mode request (writable)"},
  {"ddr_type", IS_STRING, "Type of DDR RAM"},