2 * Copyright (c) 2013 The Chromium OS Authors.
3 * Coypright (c) 2013 Guntermann & Drunck GmbH
5 * SPDX-License-Identifier: GPL-2.0+
14 * Here is a partial implementation of TPM commands. Please consult TCG Main
15 * Specification for definitions of TPM commands.
18 enum tpm_startup_type
{
19 TPM_ST_CLEAR
= 0x0001,
20 TPM_ST_STATE
= 0x0002,
21 TPM_ST_DEACTIVATED
= 0x0003,
24 enum tpm_physical_presence
{
25 TPM_PHYSICAL_PRESENCE_HW_DISABLE
= 0x0200,
26 TPM_PHYSICAL_PRESENCE_CMD_DISABLE
= 0x0100,
27 TPM_PHYSICAL_PRESENCE_LIFETIME_LOCK
= 0x0080,
28 TPM_PHYSICAL_PRESENCE_HW_ENABLE
= 0x0040,
29 TPM_PHYSICAL_PRESENCE_CMD_ENABLE
= 0x0020,
30 TPM_PHYSICAL_PRESENCE_NOTPRESENT
= 0x0010,
31 TPM_PHYSICAL_PRESENCE_PRESENT
= 0x0008,
32 TPM_PHYSICAL_PRESENCE_LOCK
= 0x0004,
36 TPM_NV_INDEX_LOCK
= 0xffffffff,
37 TPM_NV_INDEX_0
= 0x00000000,
38 TPM_NV_INDEX_DIR
= 0x10000001,
42 * TPM return codes as defined in the TCG Main specification
43 * (TPM Main Part 2 Structures; Specification version 1.2)
45 enum tpm_return_code
{
46 TPM_BASE
= 0x00000000,
47 TPM_NON_FATAL
= 0x00000800,
48 TPM_SUCCESS
= TPM_BASE
,
49 /* TPM-defined fatal error codes */
50 TPM_AUTHFAIL
= TPM_BASE
+ 1,
51 TPM_BADINDEX
= TPM_BASE
+ 2,
52 TPM_BAD_PARAMETER
= TPM_BASE
+ 3,
53 TPM_AUDITFAILURE
= TPM_BASE
+ 4,
54 TPM_CLEAR_DISABLED
= TPM_BASE
+ 5,
55 TPM_DEACTIVATED
= TPM_BASE
+ 6,
56 TPM_DISABLED
= TPM_BASE
+ 7,
57 TPM_DISABLED_CMD
= TPM_BASE
+ 8,
58 TPM_FAIL
= TPM_BASE
+ 9,
59 TPM_BAD_ORDINAL
= TPM_BASE
+ 10,
60 TPM_INSTALL_DISABLED
= TPM_BASE
+ 11,
61 TPM_INVALID_KEYHANDLE
= TPM_BASE
+ 12,
62 TPM_KEYNOTFOUND
= TPM_BASE
+ 13,
63 TPM_INAPPROPRIATE_ENC
= TPM_BASE
+ 14,
64 TPM_MIGRATE_FAIL
= TPM_BASE
+ 15,
65 TPM_INVALID_PCR_INFO
= TPM_BASE
+ 16,
66 TPM_NOSPACE
= TPM_BASE
+ 17,
67 TPM_NOSRK
= TPM_BASE
+ 18,
68 TPM_NOTSEALED_BLOB
= TPM_BASE
+ 19,
69 TPM_OWNER_SET
= TPM_BASE
+ 20,
70 TPM_RESOURCES
= TPM_BASE
+ 21,
71 TPM_SHORTRANDOM
= TPM_BASE
+ 22,
72 TPM_SIZE
= TPM_BASE
+ 23,
73 TPM_WRONGPCRVAL
= TPM_BASE
+ 24,
74 TPM_BAD_PARAM_SIZE
= TPM_BASE
+ 25,
75 TPM_SHA_THREAD
= TPM_BASE
+ 26,
76 TPM_SHA_ERROR
= TPM_BASE
+ 27,
77 TPM_FAILEDSELFTEST
= TPM_BASE
+ 28,
78 TPM_AUTH2FAIL
= TPM_BASE
+ 29,
79 TPM_BADTAG
= TPM_BASE
+ 30,
80 TPM_IOERROR
= TPM_BASE
+ 31,
81 TPM_ENCRYPT_ERROR
= TPM_BASE
+ 32,
82 TPM_DECRYPT_ERROR
= TPM_BASE
+ 33,
83 TPM_INVALID_AUTHHANDLE
= TPM_BASE
+ 34,
84 TPM_NO_ENDORSEMENT
= TPM_BASE
+ 35,
85 TPM_INVALID_KEYUSAGE
= TPM_BASE
+ 36,
86 TPM_WRONG_ENTITYTYPE
= TPM_BASE
+ 37,
87 TPM_INVALID_POSTINIT
= TPM_BASE
+ 38,
88 TPM_INAPPROPRIATE_SIG
= TPM_BASE
+ 39,
89 TPM_BAD_KEY_PROPERTY
= TPM_BASE
+ 40,
90 TPM_BAD_MIGRATION
= TPM_BASE
+ 41,
91 TPM_BAD_SCHEME
= TPM_BASE
+ 42,
92 TPM_BAD_DATASIZE
= TPM_BASE
+ 43,
93 TPM_BAD_MODE
= TPM_BASE
+ 44,
94 TPM_BAD_PRESENCE
= TPM_BASE
+ 45,
95 TPM_BAD_VERSION
= TPM_BASE
+ 46,
96 TPM_NO_WRAP_TRANSPORT
= TPM_BASE
+ 47,
97 TPM_AUDITFAIL_UNSUCCESSFUL
= TPM_BASE
+ 48,
98 TPM_AUDITFAIL_SUCCESSFUL
= TPM_BASE
+ 49,
99 TPM_NOTRESETABLE
= TPM_BASE
+ 50,
100 TPM_NOTLOCAL
= TPM_BASE
+ 51,
101 TPM_BAD_TYPE
= TPM_BASE
+ 52,
102 TPM_INVALID_RESOURCE
= TPM_BASE
+ 53,
103 TPM_NOTFIPS
= TPM_BASE
+ 54,
104 TPM_INVALID_FAMILY
= TPM_BASE
+ 55,
105 TPM_NO_NV_PERMISSION
= TPM_BASE
+ 56,
106 TPM_REQUIRES_SIGN
= TPM_BASE
+ 57,
107 TPM_KEY_NOTSUPPORTED
= TPM_BASE
+ 58,
108 TPM_AUTH_CONFLICT
= TPM_BASE
+ 59,
109 TPM_AREA_LOCKED
= TPM_BASE
+ 60,
110 TPM_BAD_LOCALITY
= TPM_BASE
+ 61,
111 TPM_READ_ONLY
= TPM_BASE
+ 62,
112 TPM_PER_NOWRITE
= TPM_BASE
+ 63,
113 TPM_FAMILY_COUNT
= TPM_BASE
+ 64,
114 TPM_WRITE_LOCKED
= TPM_BASE
+ 65,
115 TPM_BAD_ATTRIBUTES
= TPM_BASE
+ 66,
116 TPM_INVALID_STRUCTURE
= TPM_BASE
+ 67,
117 TPM_KEY_OWNER_CONTROL
= TPM_BASE
+ 68,
118 TPM_BAD_COUNTER
= TPM_BASE
+ 69,
119 TPM_NOT_FULLWRITE
= TPM_BASE
+ 70,
120 TPM_CONTEXT_GAP
= TPM_BASE
+ 71,
121 TPM_MAXNVWRITES
= TPM_BASE
+ 72,
122 TPM_NOOPERATOR
= TPM_BASE
+ 73,
123 TPM_RESOURCEMISSING
= TPM_BASE
+ 74,
124 TPM_DELEGATE_LOCK
= TPM_BASE
+ 75,
125 TPM_DELEGATE_FAMILY
= TPM_BASE
+ 76,
126 TPM_DELEGATE_ADMIN
= TPM_BASE
+ 77,
127 TPM_TRANSPORT_NOTEXCLUSIVE
= TPM_BASE
+ 78,
128 TPM_OWNER_CONTROL
= TPM_BASE
+ 79,
129 TPM_DAA_RESOURCES
= TPM_BASE
+ 80,
130 TPM_DAA_INPUT_DATA0
= TPM_BASE
+ 81,
131 TPM_DAA_INPUT_DATA1
= TPM_BASE
+ 82,
132 TPM_DAA_ISSUER_SETTINGS
= TPM_BASE
+ 83,
133 TPM_DAA_TPM_SETTINGS
= TPM_BASE
+ 84,
134 TPM_DAA_STAGE
= TPM_BASE
+ 85,
135 TPM_DAA_ISSUER_VALIDITY
= TPM_BASE
+ 86,
136 TPM_DAA_WRONG_W
= TPM_BASE
+ 87,
137 TPM_BAD_HANDLE
= TPM_BASE
+ 88,
138 TPM_BAD_DELEGATE
= TPM_BASE
+ 89,
139 TPM_BADCONTEXT
= TPM_BASE
+ 90,
140 TPM_TOOMANYCONTEXTS
= TPM_BASE
+ 91,
141 TPM_MA_TICKET_SIGNATURE
= TPM_BASE
+ 92,
142 TPM_MA_DESTINATION
= TPM_BASE
+ 93,
143 TPM_MA_SOURCE
= TPM_BASE
+ 94,
144 TPM_MA_AUTHORITY
= TPM_BASE
+ 95,
145 TPM_PERMANENTEK
= TPM_BASE
+ 97,
146 TPM_BAD_SIGNATURE
= TPM_BASE
+ 98,
147 TPM_NOCONTEXTSPACE
= TPM_BASE
+ 99,
148 /* TPM-defined non-fatal errors */
149 TPM_RETRY
= TPM_BASE
+ TPM_NON_FATAL
,
150 TPM_NEEDS_SELFTEST
= TPM_BASE
+ TPM_NON_FATAL
+ 1,
151 TPM_DOING_SELFTEST
= TPM_BASE
+ TPM_NON_FATAL
+ 2,
152 TPM_DEFEND_LOCK_RUNNING
= TPM_BASE
+ TPM_NON_FATAL
+ 3,
156 * Initialize TPM device. It must be called before any TPM commands.
158 * @return 0 on success, non-0 on error.
160 uint32_t tpm_init(void);
163 * Issue a TPM_Startup command.
165 * @param mode TPM startup mode
166 * @return return code of the operation
168 uint32_t tpm_startup(enum tpm_startup_type mode
);
171 * Issue a TPM_SelfTestFull command.
173 * @return return code of the operation
175 uint32_t tpm_self_test_full(void);
178 * Issue a TPM_ContinueSelfTest command.
180 * @return return code of the operation
182 uint32_t tpm_continue_self_test(void);
185 * Issue a TPM_NV_DefineSpace command. The implementation is limited
186 * to specify TPM_NV_ATTRIBUTES and size of the area. The area index
187 * could be one of the special value listed in enum tpm_nv_index.
189 * @param index index of the area
190 * @param perm TPM_NV_ATTRIBUTES of the area
191 * @param size size of the area
192 * @return return code of the operation
194 uint32_t tpm_nv_define_space(uint32_t index
, uint32_t perm
, uint32_t size
);
197 * Issue a TPM_NV_ReadValue command. This implementation is limited
198 * to read the area from offset 0. The area index could be one of
199 * the special value listed in enum tpm_nv_index.
201 * @param index index of the area
202 * @param data output buffer of the area contents
203 * @param count size of output buffer
204 * @return return code of the operation
206 uint32_t tpm_nv_read_value(uint32_t index
, void *data
, uint32_t count
);
209 * Issue a TPM_NV_WriteValue command. This implementation is limited
210 * to write the area from offset 0. The area index could be one of
211 * the special value listed in enum tpm_nv_index.
213 * @param index index of the area
214 * @param data input buffer to be wrote to the area
215 * @param length length of data bytes of input buffer
216 * @return return code of the operation
218 uint32_t tpm_nv_write_value(uint32_t index
, const void *data
, uint32_t length
);
221 * Issue a TPM_Extend command.
223 * @param index index of the PCR
224 * @param in_digest 160-bit value representing the event to be
226 * @param out_digest 160-bit PCR value after execution of the
228 * @return return code of the operation
230 uint32_t tpm_extend(uint32_t index
, const void *in_digest
, void *out_digest
);
233 * Issue a TPM_PCRRead command.
235 * @param index index of the PCR
236 * @param data output buffer for contents of the named PCR
237 * @param count size of output buffer
238 * @return return code of the operation
240 uint32_t tpm_pcr_read(uint32_t index
, void *data
, size_t count
);
243 * Issue a TSC_PhysicalPresence command. TPM physical presence flag
244 * is bit-wise OR'ed of flags listed in enum tpm_physical_presence.
246 * @param presence TPM physical presence flag
247 * @return return code of the operation
249 uint32_t tpm_tsc_physical_presence(uint16_t presence
);
252 * Issue a TPM_ReadPubek command.
254 * @param data output buffer for the public endorsement key
255 * @param count size of ouput buffer
256 * @return return code of the operation
258 uint32_t tpm_read_pubek(void *data
, size_t count
);
261 * Issue a TPM_ForceClear command.
263 * @return return code of the operation
265 uint32_t tpm_force_clear(void);
268 * Issue a TPM_PhysicalEnable command.
270 * @return return code of the operation
272 uint32_t tpm_physical_enable(void);
275 * Issue a TPM_PhysicalDisable command.
277 * @return return code of the operation
279 uint32_t tpm_physical_disable(void);
282 * Issue a TPM_PhysicalSetDeactivated command.
284 * @param state boolean state of the deactivated flag
285 * @return return code of the operation
287 uint32_t tpm_physical_set_deactivated(uint8_t state
);
290 * Issue a TPM_GetCapability command. This implementation is limited
291 * to query sub_cap index that is 4-byte wide.
293 * @param cap_area partition of capabilities
294 * @param sub_cap further definition of capability, which is
295 * limited to be 4-byte wide
296 * @param cap output buffer for capability information
297 * @param count size of ouput buffer
298 * @return return code of the operation
300 uint32_t tpm_get_capability(uint32_t cap_area
, uint32_t sub_cap
,
301 void *cap
, size_t count
);
304 * Issue a TPM_FlushSpecific command for a AUTH ressource.
306 * @param auth_handle handle of the auth session
307 * @return return code of the operation
309 uint32_t tpm_terminate_auth_session(uint32_t auth_handle
);
312 * Issue a TPM_OIAP command to setup an object independant authorization
314 * Information about the session is stored internally.
315 * If there was already an OIAP session active it is terminated and a new
318 * @param auth_handle pointer to the (new) auth handle or NULL.
319 * @return return code of the operation
321 uint32_t tpm_oiap(uint32_t *auth_handle
);
324 * Ends an active OIAP session.
326 * @return return code of the operation
328 uint32_t tpm_end_oiap(void);
331 * Issue a TPM_LoadKey2 (Auth1) command using an OIAP session for authenticating
332 * the usage of the parent key.
334 * @param parent_handle handle of the parent key.
335 * @param key pointer to the key structure (TPM_KEY or TPM_KEY12).
336 * @param key_length size of the key structure
337 * @param parent_key_usage_auth usage auth for the parent key
338 * @param key_handle pointer to the key handle
339 * @return return code of the operation
341 uint32_t tpm_load_key2_oiap(uint32_t parent_handle
,
342 const void *key
, size_t key_length
,
343 const void *parent_key_usage_auth
,
344 uint32_t *key_handle
);
347 * Issue a TPM_GetPubKey (Auth1) command using an OIAP session for
348 * authenticating the usage of the key.
350 * @param key_handle handle of the key
351 * @param usage_auth usage auth for the key
352 * @param pubkey pointer to the pub key buffer; may be NULL if the pubkey
353 * should not be stored.
354 * @param pubkey_len pointer to the pub key buffer len. On entry: the size of
355 * the provided pubkey buffer. On successful exit: the size
356 * of the stored TPM_PUBKEY structure (iff pubkey != NULL).
357 * @return return code of the operation
359 uint32_t tpm_get_pub_key_oiap(uint32_t key_handle
, const void *usage_auth
,
360 void *pubkey
, size_t *pubkey_len
);