]>
git.ipfire.org Git - thirdparty/u-boot.git/blob - lib/tpm-v2.c
1 // SPDX-License-Identifier: GPL-2.0+
3 * Copyright (c) 2018 Bootlin
4 * Author: Miquel Raynal <miquel.raynal@bootlin.com>
9 #include <tpm-common.h>
11 #include "tpm-utils.h"
13 u32
tpm2_startup(struct udevice
*dev
, enum tpm2_startup_types mode
)
15 const u8 command_v2
[12] = {
16 tpm_u16(TPM2_ST_NO_SESSIONS
),
18 tpm_u32(TPM2_CC_STARTUP
),
24 * Note TPM2_Startup command will return RC_SUCCESS the first time,
25 * but will return RC_INITIALIZE otherwise.
27 ret
= tpm_sendrecv_command(dev
, command_v2
, NULL
, NULL
);
28 if (ret
&& ret
!= TPM2_RC_INITIALIZE
)
34 u32
tpm2_self_test(struct udevice
*dev
, enum tpm2_yes_no full_test
)
36 const u8 command_v2
[12] = {
37 tpm_u16(TPM2_ST_NO_SESSIONS
),
39 tpm_u32(TPM2_CC_SELF_TEST
),
43 return tpm_sendrecv_command(dev
, command_v2
, NULL
, NULL
);
46 u32
tpm2_clear(struct udevice
*dev
, u32 handle
, const char *pw
,
49 u8 command_v2
[COMMAND_BUFFER_SIZE
] = {
50 tpm_u16(TPM2_ST_SESSIONS
), /* TAG */
51 tpm_u32(27 + pw_sz
), /* Length */
52 tpm_u32(TPM2_CC_CLEAR
), /* Command code */
55 tpm_u32(handle
), /* TPM resource handle */
58 tpm_u32(9 + pw_sz
), /* Authorization size */
59 tpm_u32(TPM2_RS_PW
), /* Session handle */
60 tpm_u16(0), /* Size of <nonce> */
61 /* <nonce> (if any) */
62 0, /* Attributes: Cont/Excl/Rst */
63 tpm_u16(pw_sz
), /* Size of <hmac/password> */
64 /* STRING(pw) <hmac/password> (if any) */
66 unsigned int offset
= 27;
70 * Fill the command structure starting from the first buffer:
71 * - the password (if any)
73 ret
= pack_byte_string(command_v2
, sizeof(command_v2
), "s",
79 return tpm_sendrecv_command(dev
, command_v2
, NULL
, NULL
);
82 u32
tpm2_pcr_extend(struct udevice
*dev
, u32 index
, const uint8_t *digest
)
84 u8 command_v2
[COMMAND_BUFFER_SIZE
] = {
85 tpm_u16(TPM2_ST_SESSIONS
), /* TAG */
86 tpm_u32(33 + TPM2_DIGEST_LEN
), /* Length */
87 tpm_u32(TPM2_CC_PCR_EXTEND
), /* Command code */
90 tpm_u32(index
), /* Handle (PCR Index) */
93 tpm_u32(9), /* Authorization size */
94 tpm_u32(TPM2_RS_PW
), /* Session handle */
95 tpm_u16(0), /* Size of <nonce> */
96 /* <nonce> (if any) */
97 0, /* Attributes: Cont/Excl/Rst */
98 tpm_u16(0), /* Size of <hmac/password> */
99 /* <hmac/password> (if any) */
100 tpm_u32(1), /* Count (number of hashes) */
101 tpm_u16(TPM2_ALG_SHA256
), /* Algorithm of the hash */
102 /* STRING(digest) Digest */
104 unsigned int offset
= 33;
108 * Fill the command structure starting from the first buffer:
111 ret
= pack_byte_string(command_v2
, sizeof(command_v2
), "s",
112 offset
, digest
, TPM2_DIGEST_LEN
);
113 offset
+= TPM2_DIGEST_LEN
;
115 return TPM_LIB_ERROR
;
117 return tpm_sendrecv_command(dev
, command_v2
, NULL
, NULL
);
120 u32
tpm2_pcr_read(struct udevice
*dev
, u32 idx
, unsigned int idx_min_sz
,
121 void *data
, unsigned int *updates
)
123 u8 idx_array_sz
= max(idx_min_sz
, DIV_ROUND_UP(idx
, 8));
124 u8 command_v2
[COMMAND_BUFFER_SIZE
] = {
125 tpm_u16(TPM2_ST_NO_SESSIONS
), /* TAG */
126 tpm_u32(17 + idx_array_sz
), /* Length */
127 tpm_u32(TPM2_CC_PCR_READ
), /* Command code */
129 /* TPML_PCR_SELECTION */
130 tpm_u32(1), /* Number of selections */
131 tpm_u16(TPM2_ALG_SHA256
), /* Algorithm of the hash */
132 idx_array_sz
, /* Array size for selection */
133 /* bitmap(idx) Selected PCR bitmap */
135 size_t response_len
= COMMAND_BUFFER_SIZE
;
136 u8 response
[COMMAND_BUFFER_SIZE
];
137 unsigned int pcr_sel_idx
= idx
/ 8;
138 u8 pcr_sel_bit
= BIT(idx
% 8);
139 unsigned int counter
= 0;
142 if (pack_byte_string(command_v2
, COMMAND_BUFFER_SIZE
, "b",
143 17 + pcr_sel_idx
, pcr_sel_bit
))
144 return TPM_LIB_ERROR
;
146 ret
= tpm_sendrecv_command(dev
, command_v2
, response
, &response_len
);
150 if (unpack_byte_string(response
, response_len
, "ds",
152 response_len
- TPM2_DIGEST_LEN
, data
,
154 return TPM_LIB_ERROR
;
162 u32
tpm2_get_capability(struct udevice
*dev
, u32 capability
, u32 property
,
163 void *buf
, size_t prop_count
)
165 u8 command_v2
[COMMAND_BUFFER_SIZE
] = {
166 tpm_u16(TPM2_ST_NO_SESSIONS
), /* TAG */
167 tpm_u32(22), /* Length */
168 tpm_u32(TPM2_CC_GET_CAPABILITY
), /* Command code */
170 tpm_u32(capability
), /* Capability */
171 tpm_u32(property
), /* Property */
172 tpm_u32(prop_count
), /* Property count */
174 u8 response
[COMMAND_BUFFER_SIZE
];
175 size_t response_len
= COMMAND_BUFFER_SIZE
;
176 unsigned int properties_off
;
179 ret
= tpm_sendrecv_command(dev
, command_v2
, response
, &response_len
);
184 * In the response buffer, the properties are located after the:
185 * tag (u16), response size (u32), response code (u32),
186 * YES/NO flag (u8), TPM_CAP (u32) and TPMU_CAPABILITIES (u32).
188 properties_off
= sizeof(u16
) + sizeof(u32
) + sizeof(u32
) +
189 sizeof(u8
) + sizeof(u32
) + sizeof(u32
);
190 memcpy(buf
, &response
[properties_off
], response_len
- properties_off
);
195 u32
tpm2_dam_reset(struct udevice
*dev
, const char *pw
, const ssize_t pw_sz
)
197 u8 command_v2
[COMMAND_BUFFER_SIZE
] = {
198 tpm_u16(TPM2_ST_SESSIONS
), /* TAG */
199 tpm_u32(27 + pw_sz
), /* Length */
200 tpm_u32(TPM2_CC_DAM_RESET
), /* Command code */
203 tpm_u32(TPM2_RH_LOCKOUT
), /* TPM resource handle */
206 tpm_u32(9 + pw_sz
), /* Authorization size */
207 tpm_u32(TPM2_RS_PW
), /* Session handle */
208 tpm_u16(0), /* Size of <nonce> */
209 /* <nonce> (if any) */
210 0, /* Attributes: Cont/Excl/Rst */
211 tpm_u16(pw_sz
), /* Size of <hmac/password> */
212 /* STRING(pw) <hmac/password> (if any) */
214 unsigned int offset
= 27;
218 * Fill the command structure starting from the first buffer:
219 * - the password (if any)
221 ret
= pack_byte_string(command_v2
, sizeof(command_v2
), "s",
225 return TPM_LIB_ERROR
;
227 return tpm_sendrecv_command(dev
, command_v2
, NULL
, NULL
);
230 u32
tpm2_dam_parameters(struct udevice
*dev
, const char *pw
,
231 const ssize_t pw_sz
, unsigned int max_tries
,
232 unsigned int recovery_time
,
233 unsigned int lockout_recovery
)
235 u8 command_v2
[COMMAND_BUFFER_SIZE
] = {
236 tpm_u16(TPM2_ST_SESSIONS
), /* TAG */
237 tpm_u32(27 + pw_sz
+ 12), /* Length */
238 tpm_u32(TPM2_CC_DAM_PARAMETERS
), /* Command code */
241 tpm_u32(TPM2_RH_LOCKOUT
), /* TPM resource handle */
244 tpm_u32(9 + pw_sz
), /* Authorization size */
245 tpm_u32(TPM2_RS_PW
), /* Session handle */
246 tpm_u16(0), /* Size of <nonce> */
247 /* <nonce> (if any) */
248 0, /* Attributes: Cont/Excl/Rst */
249 tpm_u16(pw_sz
), /* Size of <hmac/password> */
250 /* STRING(pw) <hmac/password> (if any) */
252 /* LOCKOUT PARAMETERS */
253 /* tpm_u32(max_tries) Max tries (0, always lock) */
254 /* tpm_u32(recovery_time) Recovery time (0, no lock) */
255 /* tpm_u32(lockout_recovery) Lockout recovery */
257 unsigned int offset
= 27;
261 * Fill the command structure starting from the first buffer:
262 * - the password (if any)
267 ret
= pack_byte_string(command_v2
, sizeof(command_v2
), "sddd",
269 offset
+ pw_sz
, max_tries
,
270 offset
+ pw_sz
+ 4, recovery_time
,
271 offset
+ pw_sz
+ 8, lockout_recovery
);
272 offset
+= pw_sz
+ 12;
274 return TPM_LIB_ERROR
;
276 return tpm_sendrecv_command(dev
, command_v2
, NULL
, NULL
);
279 int tpm2_change_auth(struct udevice
*dev
, u32 handle
, const char *newpw
,
280 const ssize_t newpw_sz
, const char *oldpw
,
281 const ssize_t oldpw_sz
)
283 unsigned int offset
= 27;
284 u8 command_v2
[COMMAND_BUFFER_SIZE
] = {
285 tpm_u16(TPM2_ST_SESSIONS
), /* TAG */
286 tpm_u32(offset
+ oldpw_sz
+ 2 + newpw_sz
), /* Length */
287 tpm_u32(TPM2_CC_HIERCHANGEAUTH
), /* Command code */
290 tpm_u32(handle
), /* TPM resource handle */
293 tpm_u32(9 + oldpw_sz
), /* Authorization size */
294 tpm_u32(TPM2_RS_PW
), /* Session handle */
295 tpm_u16(0), /* Size of <nonce> */
296 /* <nonce> (if any) */
297 0, /* Attributes: Cont/Excl/Rst */
298 tpm_u16(oldpw_sz
) /* Size of <hmac/password> */
299 /* STRING(oldpw) <hmac/password> (if any) */
301 /* TPM2B_AUTH (TPM2B_DIGEST) */
302 /* tpm_u16(newpw_sz) Digest size, new pw length */
303 /* STRING(newpw) Digest buffer, new pw */
308 * Fill the command structure starting from the first buffer:
309 * - the old password (if any)
310 * - size of the new password
313 ret
= pack_byte_string(command_v2
, sizeof(command_v2
), "sws",
314 offset
, oldpw
, oldpw_sz
,
315 offset
+ oldpw_sz
, newpw_sz
,
316 offset
+ oldpw_sz
+ 2, newpw
, newpw_sz
);
317 offset
+= oldpw_sz
+ 2 + newpw_sz
;
319 return TPM_LIB_ERROR
;
321 return tpm_sendrecv_command(dev
, command_v2
, NULL
, NULL
);
324 u32
tpm2_pcr_setauthpolicy(struct udevice
*dev
, const char *pw
,
325 const ssize_t pw_sz
, u32 index
, const char *key
)
327 u8 command_v2
[COMMAND_BUFFER_SIZE
] = {
328 tpm_u16(TPM2_ST_SESSIONS
), /* TAG */
329 tpm_u32(35 + pw_sz
+ TPM2_DIGEST_LEN
), /* Length */
330 tpm_u32(TPM2_CC_PCR_SETAUTHPOL
), /* Command code */
333 tpm_u32(TPM2_RH_PLATFORM
), /* TPM resource handle */
336 tpm_u32(9 + pw_sz
), /* Authorization size */
337 tpm_u32(TPM2_RS_PW
), /* session handle */
338 tpm_u16(0), /* Size of <nonce> */
339 /* <nonce> (if any) */
340 0, /* Attributes: Cont/Excl/Rst */
341 tpm_u16(pw_sz
) /* Size of <hmac/password> */
342 /* STRING(pw) <hmac/password> (if any) */
344 /* TPM2B_AUTH (TPM2B_DIGEST) */
345 /* tpm_u16(TPM2_DIGEST_LEN) Digest size length */
346 /* STRING(key) Digest buffer (PCR key) */
349 /* tpm_u16(TPM2_ALG_SHA256) Algorithm of the hash */
352 /* tpm_u32(index), PCR Index */
354 unsigned int offset
= 27;
358 * Fill the command structure starting from the first buffer:
359 * - the password (if any)
360 * - the PCR key length
362 * - the hash algorithm
365 ret
= pack_byte_string(command_v2
, sizeof(command_v2
), "swswd",
367 offset
+ pw_sz
, TPM2_DIGEST_LEN
,
368 offset
+ pw_sz
+ 2, key
, TPM2_DIGEST_LEN
,
369 offset
+ pw_sz
+ 2 + TPM2_DIGEST_LEN
,
371 offset
+ pw_sz
+ 4 + TPM2_DIGEST_LEN
, index
);
372 offset
+= pw_sz
+ 2 + TPM2_DIGEST_LEN
+ 2 + 4;
374 return TPM_LIB_ERROR
;
376 return tpm_sendrecv_command(dev
, command_v2
, NULL
, NULL
);
379 u32
tpm2_pcr_setauthvalue(struct udevice
*dev
, const char *pw
,
380 const ssize_t pw_sz
, u32 index
, const char *key
,
381 const ssize_t key_sz
)
383 u8 command_v2
[COMMAND_BUFFER_SIZE
] = {
384 tpm_u16(TPM2_ST_SESSIONS
), /* TAG */
385 tpm_u32(33 + pw_sz
+ TPM2_DIGEST_LEN
), /* Length */
386 tpm_u32(TPM2_CC_PCR_SETAUTHVAL
), /* Command code */
389 tpm_u32(index
), /* Handle (PCR Index) */
392 tpm_u32(9 + pw_sz
), /* Authorization size */
393 tpm_u32(TPM2_RS_PW
), /* session handle */
394 tpm_u16(0), /* Size of <nonce> */
395 /* <nonce> (if any) */
396 0, /* Attributes: Cont/Excl/Rst */
397 tpm_u16(pw_sz
), /* Size of <hmac/password> */
398 /* STRING(pw) <hmac/password> (if any) */
401 /* tpm_u16(key_sz) Key length */
402 /* STRING(key) Key */
404 unsigned int offset
= 27;
408 * Fill the command structure starting from the first buffer:
409 * - the password (if any)
410 * - the number of digests, 1 in our case
411 * - the algorithm, sha256 in our case
412 * - the digest (64 bytes)
414 ret
= pack_byte_string(command_v2
, sizeof(command_v2
), "sws",
416 offset
+ pw_sz
, key_sz
,
417 offset
+ pw_sz
+ 2, key
, key_sz
);
418 offset
+= pw_sz
+ 2 + key_sz
;
420 return TPM_LIB_ERROR
;
422 return tpm_sendrecv_command(dev
, command_v2
, NULL
, NULL
);