lib/tpm-v2.c

   1 // SPDX-License-Identifier: GPL-2.0+
   2 /*
   3  * Copyright (c) 2018 Bootlin
   4  * Author: Miquel Raynal <miquel.raynal@bootlin.com>
   5  */
   6
   7 #include <common.h>
   8 #include <dm.h>
   9 #include <tpm-common.h>
  10 #include <tpm-v2.h>
  11 #include "tpm-utils.h"
  12
  13 u32 tpm2_startup(struct udevice *dev, enum tpm2_startup_types mode)
  14 {
  15         const u8 command_v2[12] = {
  16                 tpm_u16(TPM2_ST_NO_SESSIONS),
  17                 tpm_u32(12),
  18                 tpm_u32(TPM2_CC_STARTUP),
  19                 tpm_u16(mode),
  20         };
  21         int ret;
  22
  23         /*
  24          * Note TPM2_Startup command will return RC_SUCCESS the first time,
  25          * but will return RC_INITIALIZE otherwise.
  26          */
  27         ret = tpm_sendrecv_command(dev, command_v2, NULL, NULL);
  28         if (ret && ret != TPM2_RC_INITIALIZE)
  29                 return ret;
  30
  31         return 0;
  32 }
  33
  34 u32 tpm2_self_test(struct udevice *dev, enum tpm2_yes_no full_test)
  35 {
  36         const u8 command_v2[12] = {
  37                 tpm_u16(TPM2_ST_NO_SESSIONS),
  38                 tpm_u32(11),
  39                 tpm_u32(TPM2_CC_SELF_TEST),
  40                 full_test,
  41         };
  42
  43         return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
  44 }
  45
  46 u32 tpm2_clear(struct udevice *dev, u32 handle, const char *pw,
  47                const ssize_t pw_sz)
  48 {
  49         u8 command_v2[COMMAND_BUFFER_SIZE] = {
  50                 tpm_u16(TPM2_ST_SESSIONS),      /* TAG */
  51                 tpm_u32(27 + pw_sz),            /* Length */
  52                 tpm_u32(TPM2_CC_CLEAR),         /* Command code */
  53
  54                 /* HANDLE */
  55                 tpm_u32(handle),                /* TPM resource handle */
  56
  57                 /* AUTH_SESSION */
  58                 tpm_u32(9 + pw_sz),             /* Authorization size */
  59                 tpm_u32(TPM2_RS_PW),            /* Session handle */
  60                 tpm_u16(0),                     /* Size of <nonce> */
  61                                                 /* <nonce> (if any) */
  62                 0,                              /* Attributes: Cont/Excl/Rst */
  63                 tpm_u16(pw_sz),                 /* Size of <hmac/password> */
  64                 /* STRING(pw)                      <hmac/password> (if any) */
  65         };
  66         unsigned int offset = 27;
  67         int ret;
  68
  69         /*
  70          * Fill the command structure starting from the first buffer:
  71          *     - the password (if any)
  72          */
  73         ret = pack_byte_string(command_v2, sizeof(command_v2), "s",
  74                                offset, pw, pw_sz);
  75         offset += pw_sz;
  76         if (ret)
  77                 return TPM_LIB_ERROR;
  78
  79         return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
  80 }
  81
  82 u32 tpm2_pcr_extend(struct udevice *dev, u32 index, const uint8_t *digest)
  83 {
  84         u8 command_v2[COMMAND_BUFFER_SIZE] = {
  85                 tpm_u16(TPM2_ST_SESSIONS),      /* TAG */
  86                 tpm_u32(33 + TPM2_DIGEST_LEN),  /* Length */
  87                 tpm_u32(TPM2_CC_PCR_EXTEND),    /* Command code */
  88
  89                 /* HANDLE */
  90                 tpm_u32(index),                 /* Handle (PCR Index) */
  91
  92                 /* AUTH_SESSION */
  93                 tpm_u32(9),                     /* Authorization size */
  94                 tpm_u32(TPM2_RS_PW),            /* Session handle */
  95                 tpm_u16(0),                     /* Size of <nonce> */
  96                                                 /* <nonce> (if any) */
  97                 0,                              /* Attributes: Cont/Excl/Rst */
  98                 tpm_u16(0),                     /* Size of <hmac/password> */
  99                                                 /* <hmac/password> (if any) */
 100                 tpm_u32(1),                     /* Count (number of hashes) */
 101                 tpm_u16(TPM2_ALG_SHA256),       /* Algorithm of the hash */
 102                 /* STRING(digest)                  Digest */
 103         };
 104         unsigned int offset = 33;
 105         int ret;
 106
 107         /*
 108          * Fill the command structure starting from the first buffer:
 109          *     - the digest
 110          */
 111         ret = pack_byte_string(command_v2, sizeof(command_v2), "s",
 112                                offset, digest, TPM2_DIGEST_LEN);
 113         offset += TPM2_DIGEST_LEN;
 114         if (ret)
 115                 return TPM_LIB_ERROR;
 116
 117         return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
 118 }
 119
 120 u32 tpm2_pcr_read(struct udevice *dev, u32 idx, unsigned int idx_min_sz,
 121                   void *data, unsigned int *updates)
 122 {
 123         u8 idx_array_sz = max(idx_min_sz, DIV_ROUND_UP(idx, 8));
 124         u8 command_v2[COMMAND_BUFFER_SIZE] = {
 125                 tpm_u16(TPM2_ST_NO_SESSIONS),   /* TAG */
 126                 tpm_u32(17 + idx_array_sz),     /* Length */
 127                 tpm_u32(TPM2_CC_PCR_READ),      /* Command code */
 128
 129                 /* TPML_PCR_SELECTION */
 130                 tpm_u32(1),                     /* Number of selections */
 131                 tpm_u16(TPM2_ALG_SHA256),       /* Algorithm of the hash */
 132                 idx_array_sz,                   /* Array size for selection */
 133                 /* bitmap(idx)                     Selected PCR bitmap */
 134         };
 135         size_t response_len = COMMAND_BUFFER_SIZE;
 136         u8 response[COMMAND_BUFFER_SIZE];
 137         unsigned int pcr_sel_idx = idx / 8;
 138         u8 pcr_sel_bit = BIT(idx % 8);
 139         unsigned int counter = 0;
 140         int ret;
 141
 142         if (pack_byte_string(command_v2, COMMAND_BUFFER_SIZE, "b",
 143                              17 + pcr_sel_idx, pcr_sel_bit))
 144                 return TPM_LIB_ERROR;
 145
 146         ret = tpm_sendrecv_command(dev, command_v2, response, &response_len);
 147         if (ret)
 148                 return ret;
 149
 150         if (unpack_byte_string(response, response_len, "ds",
 151                                10, &counter,
 152                                response_len - TPM2_DIGEST_LEN, data,
 153                                TPM2_DIGEST_LEN))
 154                 return TPM_LIB_ERROR;
 155
 156         if (updates)
 157                 *updates = counter;
 158
 159         return 0;
 160 }
 161
 162 u32 tpm2_get_capability(struct udevice *dev, u32 capability, u32 property,
 163                         void *buf, size_t prop_count)
 164 {
 165         u8 command_v2[COMMAND_BUFFER_SIZE] = {
 166                 tpm_u16(TPM2_ST_NO_SESSIONS),           /* TAG */
 167                 tpm_u32(22),                            /* Length */
 168                 tpm_u32(TPM2_CC_GET_CAPABILITY),        /* Command code */
 169
 170                 tpm_u32(capability),                    /* Capability */
 171                 tpm_u32(property),                      /* Property */
 172                 tpm_u32(prop_count),                    /* Property count */
 173         };
 174         u8 response[COMMAND_BUFFER_SIZE];
 175         size_t response_len = COMMAND_BUFFER_SIZE;
 176         unsigned int properties_off;
 177         int ret;
 178
 179         ret = tpm_sendrecv_command(dev, command_v2, response, &response_len);
 180         if (ret)
 181                 return ret;
 182
 183         /*
 184          * In the response buffer, the properties are located after the:
 185          * tag (u16), response size (u32), response code (u32),
 186          * YES/NO flag (u8), TPM_CAP (u32) and TPMU_CAPABILITIES (u32).
 187          */
 188         properties_off = sizeof(u16) + sizeof(u32) + sizeof(u32) +
 189                          sizeof(u8) + sizeof(u32) + sizeof(u32);
 190         memcpy(buf, &response[properties_off], response_len - properties_off);
 191
 192         return 0;
 193 }
 194
 195 u32 tpm2_dam_reset(struct udevice *dev, const char *pw, const ssize_t pw_sz)
 196 {
 197         u8 command_v2[COMMAND_BUFFER_SIZE] = {
 198                 tpm_u16(TPM2_ST_SESSIONS),      /* TAG */
 199                 tpm_u32(27 + pw_sz),            /* Length */
 200                 tpm_u32(TPM2_CC_DAM_RESET),     /* Command code */
 201
 202                 /* HANDLE */
 203                 tpm_u32(TPM2_RH_LOCKOUT),       /* TPM resource handle */
 204
 205                 /* AUTH_SESSION */
 206                 tpm_u32(9 + pw_sz),             /* Authorization size */
 207                 tpm_u32(TPM2_RS_PW),            /* Session handle */
 208                 tpm_u16(0),                     /* Size of <nonce> */
 209                                                 /* <nonce> (if any) */
 210                 0,                              /* Attributes: Cont/Excl/Rst */
 211                 tpm_u16(pw_sz),                 /* Size of <hmac/password> */
 212                 /* STRING(pw)                      <hmac/password> (if any) */
 213         };
 214         unsigned int offset = 27;
 215         int ret;
 216
 217         /*
 218          * Fill the command structure starting from the first buffer:
 219          *     - the password (if any)
 220          */
 221         ret = pack_byte_string(command_v2, sizeof(command_v2), "s",
 222                                offset, pw, pw_sz);
 223         offset += pw_sz;
 224         if (ret)
 225                 return TPM_LIB_ERROR;
 226
 227         return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
 228 }
 229
 230 u32 tpm2_dam_parameters(struct udevice *dev, const char *pw,
 231                         const ssize_t pw_sz, unsigned int max_tries,
 232                         unsigned int recovery_time,
 233                         unsigned int lockout_recovery)
 234 {
 235         u8 command_v2[COMMAND_BUFFER_SIZE] = {
 236                 tpm_u16(TPM2_ST_SESSIONS),      /* TAG */
 237                 tpm_u32(27 + pw_sz + 12),       /* Length */
 238                 tpm_u32(TPM2_CC_DAM_PARAMETERS), /* Command code */
 239
 240                 /* HANDLE */
 241                 tpm_u32(TPM2_RH_LOCKOUT),       /* TPM resource handle */
 242
 243                 /* AUTH_SESSION */
 244                 tpm_u32(9 + pw_sz),             /* Authorization size */
 245                 tpm_u32(TPM2_RS_PW),            /* Session handle */
 246                 tpm_u16(0),                     /* Size of <nonce> */
 247                                                 /* <nonce> (if any) */
 248                 0,                              /* Attributes: Cont/Excl/Rst */
 249                 tpm_u16(pw_sz),                 /* Size of <hmac/password> */
 250                 /* STRING(pw)                      <hmac/password> (if any) */
 251
 252                 /* LOCKOUT PARAMETERS */
 253                 /* tpm_u32(max_tries)              Max tries (0, always lock) */
 254                 /* tpm_u32(recovery_time)          Recovery time (0, no lock) */
 255                 /* tpm_u32(lockout_recovery)       Lockout recovery */
 256         };
 257         unsigned int offset = 27;
 258         int ret;
 259
 260         /*
 261          * Fill the command structure starting from the first buffer:
 262          *     - the password (if any)
 263          *     - max tries
 264          *     - recovery time
 265          *     - lockout recovery
 266          */
 267         ret = pack_byte_string(command_v2, sizeof(command_v2), "sddd",
 268                                offset, pw, pw_sz,
 269                                offset + pw_sz, max_tries,
 270                                offset + pw_sz + 4, recovery_time,
 271                                offset + pw_sz + 8, lockout_recovery);
 272         offset += pw_sz + 12;
 273         if (ret)
 274                 return TPM_LIB_ERROR;
 275
 276         return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
 277 }
 278
 279 int tpm2_change_auth(struct udevice *dev, u32 handle, const char *newpw,
 280                      const ssize_t newpw_sz, const char *oldpw,
 281                      const ssize_t oldpw_sz)
 282 {
 283         unsigned int offset = 27;
 284         u8 command_v2[COMMAND_BUFFER_SIZE] = {
 285                 tpm_u16(TPM2_ST_SESSIONS),      /* TAG */
 286                 tpm_u32(offset + oldpw_sz + 2 + newpw_sz), /* Length */
 287                 tpm_u32(TPM2_CC_HIERCHANGEAUTH), /* Command code */
 288
 289                 /* HANDLE */
 290                 tpm_u32(handle),                /* TPM resource handle */
 291
 292                 /* AUTH_SESSION */
 293                 tpm_u32(9 + oldpw_sz),          /* Authorization size */
 294                 tpm_u32(TPM2_RS_PW),            /* Session handle */
 295                 tpm_u16(0),                     /* Size of <nonce> */
 296                                                 /* <nonce> (if any) */
 297                 0,                              /* Attributes: Cont/Excl/Rst */
 298                 tpm_u16(oldpw_sz)               /* Size of <hmac/password> */
 299                 /* STRING(oldpw)                   <hmac/password> (if any) */
 300
 301                 /* TPM2B_AUTH (TPM2B_DIGEST) */
 302                 /* tpm_u16(newpw_sz)               Digest size, new pw length */
 303                 /* STRING(newpw)                   Digest buffer, new pw */
 304         };
 305         int ret;
 306
 307         /*
 308          * Fill the command structure starting from the first buffer:
 309          *     - the old password (if any)
 310          *     - size of the new password
 311          *     - new password
 312          */
 313         ret = pack_byte_string(command_v2, sizeof(command_v2), "sws",
 314                                offset, oldpw, oldpw_sz,
 315                                offset + oldpw_sz, newpw_sz,
 316                                offset + oldpw_sz + 2, newpw, newpw_sz);
 317         offset += oldpw_sz + 2 + newpw_sz;
 318         if (ret)
 319                 return TPM_LIB_ERROR;
 320
 321         return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
 322 }
 323
 324 u32 tpm2_pcr_setauthpolicy(struct udevice *dev, const char *pw,
 325                            const ssize_t pw_sz, u32 index, const char *key)
 326 {
 327         u8 command_v2[COMMAND_BUFFER_SIZE] = {
 328                 tpm_u16(TPM2_ST_SESSIONS),      /* TAG */
 329                 tpm_u32(35 + pw_sz + TPM2_DIGEST_LEN), /* Length */
 330                 tpm_u32(TPM2_CC_PCR_SETAUTHPOL), /* Command code */
 331
 332                 /* HANDLE */
 333                 tpm_u32(TPM2_RH_PLATFORM),      /* TPM resource handle */
 334
 335                 /* AUTH_SESSION */
 336                 tpm_u32(9 + pw_sz),             /* Authorization size */
 337                 tpm_u32(TPM2_RS_PW),            /* session handle */
 338                 tpm_u16(0),                     /* Size of <nonce> */
 339                                                 /* <nonce> (if any) */
 340                 0,                              /* Attributes: Cont/Excl/Rst */
 341                 tpm_u16(pw_sz)                  /* Size of <hmac/password> */
 342                 /* STRING(pw)                      <hmac/password> (if any) */
 343
 344                 /* TPM2B_AUTH (TPM2B_DIGEST) */
 345                 /* tpm_u16(TPM2_DIGEST_LEN)        Digest size length */
 346                 /* STRING(key)                     Digest buffer (PCR key) */
 347
 348                 /* TPMI_ALG_HASH */
 349                 /* tpm_u16(TPM2_ALG_SHA256)   Algorithm of the hash */
 350
 351                 /* TPMI_DH_PCR */
 352                 /* tpm_u32(index),                 PCR Index */
 353         };
 354         unsigned int offset = 27;
 355         int ret;
 356
 357         /*
 358          * Fill the command structure starting from the first buffer:
 359          *     - the password (if any)
 360          *     - the PCR key length
 361          *     - the PCR key
 362          *     - the hash algorithm
 363          *     - the PCR index
 364          */
 365         ret = pack_byte_string(command_v2, sizeof(command_v2), "swswd",
 366                                offset, pw, pw_sz,
 367                                offset + pw_sz, TPM2_DIGEST_LEN,
 368                                offset + pw_sz + 2, key, TPM2_DIGEST_LEN,
 369                                offset + pw_sz + 2 + TPM2_DIGEST_LEN,
 370                                TPM2_ALG_SHA256,
 371                                offset + pw_sz + 4 + TPM2_DIGEST_LEN, index);
 372         offset += pw_sz + 2 + TPM2_DIGEST_LEN + 2 + 4;
 373         if (ret)
 374                 return TPM_LIB_ERROR;
 375
 376         return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
 377 }
 378
 379 u32 tpm2_pcr_setauthvalue(struct udevice *dev, const char *pw,
 380                           const ssize_t pw_sz, u32 index, const char *key,
 381                           const ssize_t key_sz)
 382 {
 383         u8 command_v2[COMMAND_BUFFER_SIZE] = {
 384                 tpm_u16(TPM2_ST_SESSIONS),      /* TAG */
 385                 tpm_u32(33 + pw_sz + TPM2_DIGEST_LEN), /* Length */
 386                 tpm_u32(TPM2_CC_PCR_SETAUTHVAL), /* Command code */
 387
 388                 /* HANDLE */
 389                 tpm_u32(index),                 /* Handle (PCR Index) */
 390
 391                 /* AUTH_SESSION */
 392                 tpm_u32(9 + pw_sz),             /* Authorization size */
 393                 tpm_u32(TPM2_RS_PW),            /* session handle */
 394                 tpm_u16(0),                     /* Size of <nonce> */
 395                                                 /* <nonce> (if any) */
 396                 0,                              /* Attributes: Cont/Excl/Rst */
 397                 tpm_u16(pw_sz),                 /* Size of <hmac/password> */
 398                 /* STRING(pw)                      <hmac/password> (if any) */
 399
 400                 /* TPM2B_DIGEST */
 401                 /* tpm_u16(key_sz)                 Key length */
 402                 /* STRING(key)                     Key */
 403         };
 404         unsigned int offset = 27;
 405         int ret;
 406
 407         /*
 408          * Fill the command structure starting from the first buffer:
 409          *     - the password (if any)
 410          *     - the number of digests, 1 in our case
 411          *     - the algorithm, sha256 in our case
 412          *     - the digest (64 bytes)
 413          */
 414         ret = pack_byte_string(command_v2, sizeof(command_v2), "sws",
 415                                offset, pw, pw_sz,
 416                                offset + pw_sz, key_sz,
 417                                offset + pw_sz + 2, key, key_sz);
 418         offset += pw_sz + 2 + key_sz;
 419         if (ret)
 420                 return TPM_LIB_ERROR;
 421
 422         return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
 423 }