1 // SPDX-License-Identifier: GPL-2.0+
3 * Defines APIs that allow an OS to interact with UEFI firmware to query
4 * information about the device.
5 * https://trustedcomputinggroup.org/resource/tcg-efi-protocol-specification/
7 * Copyright (c) 2020, Linaro Limited
10 #define LOG_CATEGORY LOGC_EFI
13 #include <efi_loader.h>
17 #include <linux/unaligned/access_ok.h>
18 #include <linux/unaligned/generic.h>
20 DECLARE_GLOBAL_DATA_PTR;
23 * When requesting TPM2_CAP_TPM_PROPERTIES the value is on a standard offset.
24 * Since the current tpm2_get_capability() response buffers starts at
25 * 'union tpmu_capabilities data' of 'struct tpms_capability_data', calculate
26 * the response size and offset once for all consumers
28 #define TPM2_RESPONSE_BUFFER_SIZE (sizeof(struct tpms_capability_data) - \
29 offsetof(struct tpms_capability_data, data))
30 #define properties_offset (offsetof(struct tpml_tagged_tpm_property, tpm_property) + \
31 offsetof(struct tpms_tagged_property, value))
36 } hash_algo_list[] = {
39 EFI_TCG2_BOOT_HASH_ALG_SHA1,
43 EFI_TCG2_BOOT_HASH_ALG_SHA256,
47 EFI_TCG2_BOOT_HASH_ALG_SHA384,
51 EFI_TCG2_BOOT_HASH_ALG_SHA512,
55 EFI_TCG2_BOOT_HASH_ALG_SM3_256,
59 #define MAX_HASH_COUNT ARRAY_SIZE(hash_algo_list)
61 * alg_to_mask - Get a TCG hash mask for algorithms
63 * @hash_alg: TCG defined algorithm
65 * @Return: TCG hashing algorithm bitmaps, 0 if the algorithm is not supported
67 static u32 alg_to_mask(u16 hash_alg)
71 for (i = 0; i < MAX_HASH_COUNT; i++) {
72 if (hash_algo_list[i].hash_alg == hash_alg)
73 return hash_algo_list[i].hash_mask;
79 const efi_guid_t efi_guid_tcg2_protocol = EFI_TCG2_PROTOCOL_GUID;
82 * platform_get_tpm_device() - retrieve TPM device
84 * This function retrieves the udevice implementing a TPM
86 * This function may be overridden if special initialization is needed.
91 __weak efi_status_t platform_get_tpm2_device(struct udevice **dev)
93 for_each_tpm_device(*dev) {
94 /* Only support TPMv2 devices */
95 if (tpm_get_version(*dev) == TPM_V2)
103 * tpm2_get_max_command_size() - get the supported max command size
106 * @max_command_size: output buffer for the size
108 * Return: 0 on success, -1 on error
110 static int tpm2_get_max_command_size(struct udevice *dev, u16 *max_command_size)
112 u8 response[TPM2_RESPONSE_BUFFER_SIZE];
115 memset(response, 0, sizeof(response));
116 ret = tpm2_get_capability(dev, TPM2_CAP_TPM_PROPERTIES,
117 TPM2_PT_MAX_COMMAND_SIZE, response, 1);
121 *max_command_size = (uint16_t)get_unaligned_be32(response +
128 * tpm2_get_max_response_size() - get the supported max response size
131 * @max_response_size: output buffer for the size
133 * Return: 0 on success, -1 on error
135 static int tpm2_get_max_response_size(struct udevice *dev,
136 u16 *max_response_size)
138 u8 response[TPM2_RESPONSE_BUFFER_SIZE];
141 memset(response, 0, sizeof(response));
142 ret = tpm2_get_capability(dev, TPM2_CAP_TPM_PROPERTIES,
143 TPM2_PT_MAX_RESPONSE_SIZE, response, 1);
147 *max_response_size = (uint16_t)get_unaligned_be32(response +
154 * tpm2_get_manufacturer_id() - get the manufacturer ID
157 * @manufacturer_id: output buffer for the id
159 * Return: 0 on success, -1 on error
161 static int tpm2_get_manufacturer_id(struct udevice *dev, u32 *manufacturer_id)
163 u8 response[TPM2_RESPONSE_BUFFER_SIZE];
166 memset(response, 0, sizeof(response));
167 ret = tpm2_get_capability(dev, TPM2_CAP_TPM_PROPERTIES,
168 TPM2_PT_MANUFACTURER, response, 1);
172 *manufacturer_id = get_unaligned_be32(response + properties_offset);
178 * tpm2_get_num_pcr() - get the number of PCRs
181 * @manufacturer_id: output buffer for the number
183 * Return: 0 on success, -1 on error
185 static int tpm2_get_num_pcr(struct udevice *dev, u32 *num_pcr)
187 u8 response[TPM2_RESPONSE_BUFFER_SIZE];
190 memset(response, 0, sizeof(response));
191 ret = tpm2_get_capability(dev, TPM2_CAP_TPM_PROPERTIES,
192 TPM2_PT_PCR_COUNT, response, 1);
196 *num_pcr = get_unaligned_be32(response + properties_offset);
197 if (*num_pcr > TPM2_MAX_PCRS)
204 * is_active_pcr() - Check if a supported algorithm is active
207 * @selection: struct of PCR information
209 * Return: true if PCR is active
211 bool is_active_pcr(struct tpms_pcr_selection *selection)
215 * check the pcr_select. If at least one of the PCRs supports the
216 * algorithm add it on the active ones
218 for (i = 0; i < selection->size_of_select; i++) {
219 if (selection->pcr_select[i])
227 * tpm2_get_pcr_info() - get the supported, active PCRs and number of banks
230 * @supported_pcr: bitmask with the algorithms supported
231 * @active_pcr: bitmask with the active algorithms
232 * @pcr_banks: number of PCR banks
234 * Return: 0 on success, -1 on error
236 static int tpm2_get_pcr_info(struct udevice *dev, u32 *supported_pcr,
237 u32 *active_pcr, u32 *pcr_banks)
239 u8 response[TPM2_RESPONSE_BUFFER_SIZE];
240 struct tpml_pcr_selection pcrs;
244 memset(response, 0, sizeof(response));
245 ret = tpm2_get_capability(dev, TPM2_CAP_PCRS, 0, response, 1);
249 pcrs.count = get_unaligned_be32(response);
251 * We only support 5 algorithms for now so check against that
252 * instead of TPM2_NUM_PCR_BANKS
254 if (pcrs.count > MAX_HASH_COUNT || pcrs.count < 1)
257 tpm_ret = tpm2_get_num_pcr(dev, &num_pcr);
261 for (i = 0; i < pcrs.count; i++) {
263 * Definition of TPMS_PCR_SELECTION Structure
266 * pcr_select: u8 array
268 * The offsets depend on the number of the device PCRs
269 * so we have to calculate them based on that
271 u32 hash_offset = offsetof(struct tpml_pcr_selection, selection) +
272 i * offsetof(struct tpms_pcr_selection, pcr_select) +
273 i * ((num_pcr + 7) / 8);
274 u32 size_select_offset =
275 hash_offset + offsetof(struct tpms_pcr_selection,
277 u32 pcr_select_offset =
278 hash_offset + offsetof(struct tpms_pcr_selection,
281 pcrs.selection[i].hash =
282 get_unaligned_be16(response + hash_offset);
283 pcrs.selection[i].size_of_select =
284 __get_unaligned_be(response + size_select_offset);
285 if (pcrs.selection[i].size_of_select > TPM2_PCR_SELECT_MAX)
287 /* copy the array of pcr_select */
288 memcpy(pcrs.selection[i].pcr_select, response + pcr_select_offset,
289 pcrs.selection[i].size_of_select);
292 for (i = 0; i < pcrs.count; i++) {
293 u32 hash_mask = alg_to_mask(pcrs.selection[i].hash);
296 *supported_pcr |= hash_mask;
297 if (is_active_pcr(&pcrs.selection[i]))
298 *active_pcr |= hash_mask;
300 EFI_PRINT("Unknown algorithm %x\n", pcrs.selection[i].hash);
304 *pcr_banks = pcrs.count;
312 * efi_tcg2_get_capability() - protocol capability information and state information
314 * @this: TCG2 protocol instance
315 * @capability: caller allocated memory with size field to the size of
316 * the structure allocated
318 * Return: status code
320 static efi_status_t EFIAPI
321 efi_tcg2_get_capability(struct efi_tcg2_protocol *this,
322 struct efi_tcg2_boot_service_capability *capability)
325 efi_status_t efi_ret;
328 EFI_ENTRY("%p, %p", this, capability);
330 if (!this || !capability) {
331 efi_ret = EFI_INVALID_PARAMETER;
335 if (capability->size < boot_service_capability_min) {
336 capability->size = boot_service_capability_min;
337 efi_ret = EFI_BUFFER_TOO_SMALL;
341 if (capability->size < sizeof(*capability)) {
342 capability->size = sizeof(*capability);
343 efi_ret = EFI_BUFFER_TOO_SMALL;
347 capability->structure_version.major = 1;
348 capability->structure_version.minor = 1;
349 capability->protocol_version.major = 1;
350 capability->protocol_version.minor = 1;
352 efi_ret = platform_get_tpm2_device(&dev);
353 if (efi_ret != EFI_SUCCESS) {
354 capability->supported_event_logs = 0;
355 capability->hash_algorithm_bitmap = 0;
356 capability->tpm_present_flag = false;
357 capability->max_command_size = 0;
358 capability->max_response_size = 0;
359 capability->manufacturer_id = 0;
360 capability->number_of_pcr_banks = 0;
361 capability->active_pcr_banks = 0;
363 efi_ret = EFI_SUCCESS;
367 /* We only allow a TPMv2 device to register the EFI protocol */
368 capability->supported_event_logs = TCG2_EVENT_LOG_FORMAT_TCG_2;
370 capability->tpm_present_flag = true;
372 /* Supported and active PCRs */
373 capability->hash_algorithm_bitmap = 0;
374 capability->active_pcr_banks = 0;
375 ret = tpm2_get_pcr_info(dev, &capability->hash_algorithm_bitmap,
376 &capability->active_pcr_banks,
377 &capability->number_of_pcr_banks);
379 efi_ret = EFI_DEVICE_ERROR;
383 /* Max command size */
384 ret = tpm2_get_max_command_size(dev, &capability->max_command_size);
386 efi_ret = EFI_DEVICE_ERROR;
390 /* Max response size */
391 ret = tpm2_get_max_response_size(dev, &capability->max_response_size);
393 efi_ret = EFI_DEVICE_ERROR;
397 /* Manufacturer ID */
398 ret = tpm2_get_manufacturer_id(dev, &capability->manufacturer_id);
400 efi_ret = EFI_DEVICE_ERROR;
404 return EFI_EXIT(EFI_SUCCESS);
406 return EFI_EXIT(efi_ret);
410 * efi_tcg2_get_eventlog() - retrieve the the address of an event log and its
413 * @this: TCG2 protocol instance
414 * @log_format: type of event log format
415 * @event_log_location: pointer to the memory address of the event log
416 * @event_log_last_entry: pointer to the address of the start of the last
417 * entry in the event log in memory, if log contains
419 * @event_log_truncated: set to true, if the Event Log is missing at i
422 * Return: status code
424 static efi_status_t EFIAPI
425 efi_tcg2_get_eventlog(struct efi_tcg2_protocol *this,
426 efi_tcg_event_log_format log_format,
427 u64 *event_log_location, u64 *event_log_last_entry,
428 bool *event_log_truncated)
430 return EFI_UNSUPPORTED;
434 * efi_tcg2_hash_log_extend_event() - extend and optionally log events
436 * @this: TCG2 protocol instance
437 * @flags: bitmap providing additional information on the
439 * @data_to_hash: physical address of the start of the data buffer
441 * @data_to_hash_len: the length in bytes of the buffer referenced by
443 * @efi_tcg_event: pointer to data buffer containing information
446 * Return: status code
448 static efi_status_t EFIAPI
449 efi_tcg2_hash_log_extend_event(struct efi_tcg2_protocol *this, u64 flags,
450 u64 data_to_hash, u64 data_to_hash_len,
451 struct efi_tcg2_event *efi_tcg_event)
453 return EFI_UNSUPPORTED;
457 * efi_tcg2_submit_command() - Send command to the TPM
459 * @this: TCG2 protocol instance
460 * @input_param_block_size: size of the TPM input parameter block
461 * @input_param_block: pointer to the TPM input parameter block
462 * @output_param_block_size: size of the TPM output parameter block
463 * @output_param_block: pointer to the TPM output parameter block
465 * Return: status code
468 efi_tcg2_submit_command(struct efi_tcg2_protocol *this,
469 u32 input_param_block_size, u8 *input_param_block,
470 u32 output_param_block_size, u8 *output_param_block)
472 return EFI_UNSUPPORTED;
476 * efi_tcg2_get_active_pcr_banks() - returns the currently active PCR banks
478 * @this: TCG2 protocol instance
479 * @active_pcr_banks: pointer for receiving the bitmap of currently
482 * Return: status code
485 efi_tcg2_get_active_pcr_banks(struct efi_tcg2_protocol *this,
486 u32 *active_pcr_banks)
488 return EFI_UNSUPPORTED;
492 * efi_tcg2_set_active_pcr_banks() - sets the currently active PCR banks
494 * @this: TCG2 protocol instance
495 * @active_pcr_banks: bitmap of the requested active PCR banks
497 * Return: status code
500 efi_tcg2_set_active_pcr_banks(struct efi_tcg2_protocol *this,
501 u32 active_pcr_banks)
503 return EFI_UNSUPPORTED;
507 * efi_tcg2_get_result_of_set_active_pcr_banks() - retrieve result for previous
508 * set_active_pcr_banks()
510 * @this: TCG2 protocol instance
511 * @operation_present: non-zero value to indicate a
512 * set_active_pcr_banks operation was
513 * invoked during last boot
514 * @response: result value could be returned
516 * Return: status code
519 efi_tcg2_get_result_of_set_active_pcr_banks(struct efi_tcg2_protocol *this,
520 u32 *operation_present, u32 *response)
522 return EFI_UNSUPPORTED;
525 static const struct efi_tcg2_protocol efi_tcg2_protocol = {
526 .get_capability = efi_tcg2_get_capability,
527 .get_eventlog = efi_tcg2_get_eventlog,
528 .hash_log_extend_event = efi_tcg2_hash_log_extend_event,
529 .submit_command = efi_tcg2_submit_command,
530 .get_active_pcr_banks = efi_tcg2_get_active_pcr_banks,
531 .set_active_pcr_banks = efi_tcg2_set_active_pcr_banks,
532 .get_result_of_set_active_pcr_banks = efi_tcg2_get_result_of_set_active_pcr_banks,
536 * efi_tcg2_register() - register EFI_TCG2_PROTOCOL
538 * If a TPM2 device is available, the TPM TCG2 Protocol is registered
540 * Return: An error status is only returned if adding the protocol fails.
542 efi_status_t efi_tcg2_register(void)
547 ret = platform_get_tpm2_device(&dev);
548 if (ret != EFI_SUCCESS) {
549 log_warning("Unable to find TPMv2 device\n");
552 ret = efi_add_protocol(efi_root, &efi_guid_tcg2_protocol,
553 (void *)&efi_tcg2_protocol);
554 if (ret != EFI_SUCCESS)
555 log_err("Cannot install EFI_TCG2_PROTOCOL\n");