]>
git.ipfire.org Git - thirdparty/u-boot.git/blob - cmd/tpm-v2.c
1 // SPDX-License-Identifier: GPL-2.0+
3 * Copyright (c) 2018 Bootlin
4 * Author: Miquel Raynal <miquel.raynal@bootlin.com>
11 #include <tpm-common.h>
13 #include "tpm-user-utils.h"
15 static int do_tpm2_startup(cmd_tbl_t
*cmdtp
, int flag
, int argc
,
18 enum tpm2_startup_types mode
;
28 if (!strcasecmp("TPM2_SU_CLEAR", argv
[1])) {
30 } else if (!strcasecmp("TPM2_SU_STATE", argv
[1])) {
33 printf("Couldn't recognize mode string: %s\n", argv
[1]);
34 return CMD_RET_FAILURE
;
37 return report_return_code(tpm2_startup(dev
, mode
));
40 static int do_tpm2_self_test(cmd_tbl_t
*cmdtp
, int flag
, int argc
,
43 enum tpm2_yes_no full_test
;
53 if (!strcasecmp("full", argv
[1])) {
55 } else if (!strcasecmp("continue", argv
[1])) {
58 printf("Couldn't recognize test mode: %s\n", argv
[1]);
59 return CMD_RET_FAILURE
;
62 return report_return_code(tpm2_self_test(dev
, full_test
));
65 static int do_tpm2_clear(cmd_tbl_t
*cmdtp
, int flag
, int argc
,
69 const char *pw
= (argc
< 3) ? NULL
: argv
[2];
70 const ssize_t pw_sz
= pw
? strlen(pw
) : 0;
78 if (argc
< 2 || argc
> 3)
81 if (pw_sz
> TPM2_DIGEST_LEN
)
84 if (!strcasecmp("TPM2_RH_LOCKOUT", argv
[1]))
85 handle
= TPM2_RH_LOCKOUT
;
86 else if (!strcasecmp("TPM2_RH_PLATFORM", argv
[1]))
87 handle
= TPM2_RH_PLATFORM
;
91 return report_return_code(tpm2_clear(dev
, handle
, pw
, pw_sz
));
94 static int do_tpm2_pcr_extend(cmd_tbl_t
*cmdtp
, int flag
, int argc
,
98 struct tpm_chip_priv
*priv
;
99 u32 index
= simple_strtoul(argv
[1], NULL
, 0);
100 void *digest
= map_sysmem(simple_strtoul(argv
[2], NULL
, 0), 0);
105 return CMD_RET_USAGE
;
111 priv
= dev_get_uclass_priv(dev
);
115 if (index
>= priv
->pcr_count
)
118 rc
= tpm2_pcr_extend(dev
, index
, digest
);
120 unmap_sysmem(digest
);
122 return report_return_code(rc
);
125 static int do_tpm_pcr_read(cmd_tbl_t
*cmdtp
, int flag
, int argc
,
129 struct tpm_chip_priv
*priv
;
131 unsigned int updates
;
136 return CMD_RET_USAGE
;
142 priv
= dev_get_uclass_priv(dev
);
146 index
= simple_strtoul(argv
[1], NULL
, 0);
147 if (index
>= priv
->pcr_count
)
150 data
= map_sysmem(simple_strtoul(argv
[2], NULL
, 0), 0);
152 rc
= tpm2_pcr_read(dev
, index
, priv
->pcr_select_min
, data
, &updates
);
154 printf("PCR #%u content (%u known updates):\n", index
, updates
);
155 print_byte_string(data
, TPM2_DIGEST_LEN
);
160 return report_return_code(rc
);
163 static int do_tpm_get_capability(cmd_tbl_t
*cmdtp
, int flag
, int argc
,
166 u32 capability
, property
, rc
;
178 return CMD_RET_USAGE
;
180 capability
= simple_strtoul(argv
[1], NULL
, 0);
181 property
= simple_strtoul(argv
[2], NULL
, 0);
182 data
= map_sysmem(simple_strtoul(argv
[3], NULL
, 0), 0);
183 count
= simple_strtoul(argv
[4], NULL
, 0);
185 rc
= tpm2_get_capability(dev
, capability
, property
, data
, count
);
189 printf("Capabilities read from TPM:\n");
190 for (i
= 0; i
< count
; i
++) {
191 printf("Property 0x");
192 for (j
= 0; j
< 4; j
++)
193 printf("%02x", data
[(i
* 8) + j
]);
195 for (j
= 4; j
< 8; j
++)
196 printf("%02x", data
[(i
* 8) + j
]);
203 return report_return_code(rc
);
206 static int do_tpm_dam_reset(cmd_tbl_t
*cmdtp
, int flag
, int argc
,
209 const char *pw
= (argc
< 2) ? NULL
: argv
[1];
210 const ssize_t pw_sz
= pw
? strlen(pw
) : 0;
219 return CMD_RET_USAGE
;
221 if (pw_sz
> TPM2_DIGEST_LEN
)
224 return report_return_code(tpm2_dam_reset(dev
, pw
, pw_sz
));
227 static int do_tpm_dam_parameters(cmd_tbl_t
*cmdtp
, int flag
, int argc
,
230 const char *pw
= (argc
< 5) ? NULL
: argv
[4];
231 const ssize_t pw_sz
= pw
? strlen(pw
) : 0;
233 * No Dictionary Attack Mitigation (DAM) means:
234 * maxtries = 0xFFFFFFFF, recovery_time = 1, lockout_recovery = 0
236 unsigned long int max_tries
;
237 unsigned long int recovery_time
;
238 unsigned long int lockout_recovery
;
246 if (argc
< 4 || argc
> 5)
247 return CMD_RET_USAGE
;
249 if (pw_sz
> TPM2_DIGEST_LEN
)
252 if (strict_strtoul(argv
[1], 0, &max_tries
))
253 return CMD_RET_USAGE
;
255 if (strict_strtoul(argv
[2], 0, &recovery_time
))
256 return CMD_RET_USAGE
;
258 if (strict_strtoul(argv
[3], 0, &lockout_recovery
))
259 return CMD_RET_USAGE
;
261 log(LOGC_NONE
, LOGL_INFO
, "Changing dictionary attack parameters:\n");
262 log(LOGC_NONE
, LOGL_INFO
, "- maxTries: %lu", max_tries
);
263 log(LOGC_NONE
, LOGL_INFO
, "- recoveryTime: %lu\n", recovery_time
);
264 log(LOGC_NONE
, LOGL_INFO
, "- lockoutRecovery: %lu\n", lockout_recovery
);
266 return report_return_code(tpm2_dam_parameters(dev
, pw
, pw_sz
, max_tries
,
271 static int do_tpm_change_auth(cmd_tbl_t
*cmdtp
, int flag
, int argc
,
275 const char *newpw
= argv
[2];
276 const char *oldpw
= (argc
== 3) ? NULL
: argv
[3];
277 const ssize_t newpw_sz
= strlen(newpw
);
278 const ssize_t oldpw_sz
= oldpw
? strlen(oldpw
) : 0;
286 if (argc
< 3 || argc
> 4)
287 return CMD_RET_USAGE
;
289 if (newpw_sz
> TPM2_DIGEST_LEN
|| oldpw_sz
> TPM2_DIGEST_LEN
)
292 if (!strcasecmp("TPM2_RH_LOCKOUT", argv
[1]))
293 handle
= TPM2_RH_LOCKOUT
;
294 else if (!strcasecmp("TPM2_RH_ENDORSEMENT", argv
[1]))
295 handle
= TPM2_RH_ENDORSEMENT
;
296 else if (!strcasecmp("TPM2_RH_OWNER", argv
[1]))
297 handle
= TPM2_RH_OWNER
;
298 else if (!strcasecmp("TPM2_RH_PLATFORM", argv
[1]))
299 handle
= TPM2_RH_PLATFORM
;
301 return CMD_RET_USAGE
;
303 return report_return_code(tpm2_change_auth(dev
, handle
, newpw
, newpw_sz
,
307 static int do_tpm_pcr_setauthpolicy(cmd_tbl_t
*cmdtp
, int flag
, int argc
,
310 u32 index
= simple_strtoul(argv
[1], NULL
, 0);
312 const char *pw
= (argc
< 4) ? NULL
: argv
[3];
313 const ssize_t pw_sz
= pw
? strlen(pw
) : 0;
321 if (strlen(key
) != TPM2_DIGEST_LEN
)
324 if (argc
< 3 || argc
> 4)
325 return CMD_RET_USAGE
;
327 return report_return_code(tpm2_pcr_setauthpolicy(dev
, pw
, pw_sz
, index
,
331 static int do_tpm_pcr_setauthvalue(cmd_tbl_t
*cmdtp
, int flag
,
332 int argc
, char * const argv
[])
334 u32 index
= simple_strtoul(argv
[1], NULL
, 0);
336 const ssize_t key_sz
= strlen(key
);
337 const char *pw
= (argc
< 4) ? NULL
: argv
[3];
338 const ssize_t pw_sz
= pw
? strlen(pw
) : 0;
346 if (strlen(key
) != TPM2_DIGEST_LEN
)
349 if (argc
< 3 || argc
> 4)
350 return CMD_RET_USAGE
;
352 return report_return_code(tpm2_pcr_setauthvalue(dev
, pw
, pw_sz
, index
,
356 static cmd_tbl_t tpm2_commands
[] = {
357 U_BOOT_CMD_MKENT(info
, 0, 1, do_tpm_info
, "", ""),
358 U_BOOT_CMD_MKENT(init
, 0, 1, do_tpm_init
, "", ""),
359 U_BOOT_CMD_MKENT(startup
, 0, 1, do_tpm2_startup
, "", ""),
360 U_BOOT_CMD_MKENT(self_test
, 0, 1, do_tpm2_self_test
, "", ""),
361 U_BOOT_CMD_MKENT(clear
, 0, 1, do_tpm2_clear
, "", ""),
362 U_BOOT_CMD_MKENT(pcr_extend
, 0, 1, do_tpm2_pcr_extend
, "", ""),
363 U_BOOT_CMD_MKENT(pcr_read
, 0, 1, do_tpm_pcr_read
, "", ""),
364 U_BOOT_CMD_MKENT(get_capability
, 0, 1, do_tpm_get_capability
, "", ""),
365 U_BOOT_CMD_MKENT(dam_reset
, 0, 1, do_tpm_dam_reset
, "", ""),
366 U_BOOT_CMD_MKENT(dam_parameters
, 0, 1, do_tpm_dam_parameters
, "", ""),
367 U_BOOT_CMD_MKENT(change_auth
, 0, 1, do_tpm_change_auth
, "", ""),
368 U_BOOT_CMD_MKENT(pcr_setauthpolicy
, 0, 1,
369 do_tpm_pcr_setauthpolicy
, "", ""),
370 U_BOOT_CMD_MKENT(pcr_setauthvalue
, 0, 1,
371 do_tpm_pcr_setauthvalue
, "", ""),
374 cmd_tbl_t
*get_tpm2_commands(unsigned int *size
)
376 *size
= ARRAY_SIZE(tpm2_commands
);
378 return tpm2_commands
;
381 U_BOOT_CMD(tpm2
, CONFIG_SYS_MAXARGS
, 1, do_tpm
, "Issue a TPMv2.x command",
382 "<command> [<arguments>]\n"
385 " Show information about the TPM.\n"
387 " Initialize the software stack. Always the first command to issue.\n"
389 " Issue a TPM2_Startup command.\n"
390 " <mode> is one of:\n"
391 " * TPM2_SU_CLEAR (reset state)\n"
392 " * TPM2_SU_STATE (preserved state)\n"
394 " Test the TPM capabilities.\n"
395 " <type> is one of:\n"
396 " * full (perform all tests)\n"
397 " * continue (only check untested tests)\n"
398 "clear <hierarchy>\n"
399 " Issue a TPM2_Clear command.\n"
400 " <hierarchy> is one of:\n"
401 " * TPM2_RH_LOCKOUT\n"
402 " * TPM2_RH_PLATFORM\n"
403 "pcr_extend <pcr> <digest_addr>\n"
404 " Extend PCR #<pcr> with digest at <digest_addr>.\n"
405 " <pcr>: index of the PCR\n"
406 " <digest_addr>: address of a 32-byte SHA256 digest\n"
407 "pcr_read <pcr> <digest_addr>\n"
408 " Read PCR #<pcr> to memory address <digest_addr>.\n"
409 " <pcr>: index of the PCR\n"
410 " <digest_addr>: address to store the a 32-byte SHA256 digest\n"
411 "get_capability <capability> <property> <addr> <count>\n"
412 " Read and display <count> entries indexed by <capability>/<property>.\n"
413 " Values are 4 bytes long and are written at <addr>.\n"
414 " <capability>: capability\n"
415 " <property>: property\n"
416 " <addr>: address to store <count> entries of 4 bytes\n"
417 " <count>: number of entries to retrieve\n"
418 "dam_reset [<password>]\n"
419 " If the TPM is not in a LOCKOUT state, reset the internal error counter.\n"
420 " <password>: optional password\n"
421 "dam_parameters <max_tries> <recovery_time> <lockout_recovery> [<password>]\n"
422 " If the TPM is not in a LOCKOUT state, set the DAM parameters\n"
423 " <maxTries>: maximum number of failures before lockout,\n"
424 " 0 means always locking\n"
425 " <recoveryTime>: time before decrement of the error counter,\n"
426 " 0 means no lockout\n"
427 " <lockoutRecovery>: time of a lockout (before the next try),\n"
428 " 0 means a reboot is needed\n"
429 " <password>: optional password of the LOCKOUT hierarchy\n"
430 "change_auth <hierarchy> <new_pw> [<old_pw>]\n"
431 " <hierarchy>: the hierarchy\n"
432 " <new_pw>: new password for <hierarchy>\n"
433 " <old_pw>: optional previous password of <hierarchy>\n"
434 "pcr_setauthpolicy|pcr_setauthvalue <pcr> <key> [<password>]\n"
435 " Change the <key> to access PCR #<pcr>.\n"
436 " hierarchy and may be empty.\n"
437 " /!\\WARNING: untested function, use at your own risks !\n"
438 " <pcr>: index of the PCR\n"
439 " <key>: secret to protect the access of PCR #<pcr>\n"
440 " <password>: optional password of the PLATFORM hierarchy\n"