1 // SPDX-License-Identifier: GPL-2.0+
3 * Copyright (c) 2013 The Chromium OS Authors.
4 * Coypright (c) 2013 Guntermann & Drunck GmbH
7 #define LOG_CATEGORY UCLASS_TPM
11 #include <asm/unaligned.h>
12 #include <u-boot/sha1.h>
13 #include <tpm-common.h>
15 #include "tpm-utils.h"
17 #ifdef CONFIG_TPM_AUTH_SESSIONS
20 #error "TPM_AUTH_SESSIONS require SHA1 to be configured, too"
21 #endif /* !CONFIG_SHA1 */
26 u8 nonce_even[DIGEST_LENGTH];
27 u8 nonce_odd[DIGEST_LENGTH];
30 static struct session_data oiap_session = {0, };
32 #endif /* CONFIG_TPM_AUTH_SESSIONS */
34 u32 tpm1_startup(struct udevice *dev, enum tpm_startup_type mode)
36 const u8 command[12] = {
37 0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x99, 0x0, 0x0,
39 const size_t mode_offset = 10;
40 u8 buf[COMMAND_BUFFER_SIZE];
42 if (pack_byte_string(buf, sizeof(buf), "sw",
43 0, command, sizeof(command),
47 return tpm_sendrecv_command(dev, buf, NULL, NULL);
50 u32 tpm1_resume(struct udevice *dev)
52 return tpm1_startup(dev, TPM_ST_STATE);
55 u32 tpm1_self_test_full(struct udevice *dev)
57 const u8 command[10] = {
58 0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x50,
60 return tpm_sendrecv_command(dev, command, NULL, NULL);
63 u32 tpm1_continue_self_test(struct udevice *dev)
65 const u8 command[10] = {
66 0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x53,
68 return tpm_sendrecv_command(dev, command, NULL, NULL);
71 u32 tpm1_auto_start(struct udevice *dev)
75 rc = tpm1_startup(dev, TPM_ST_CLEAR);
76 /* continue on if the TPM is already inited */
77 if (rc && rc != TPM_INVALID_POSTINIT)
80 rc = tpm1_self_test_full(dev);
85 u32 tpm1_clear_and_reenable(struct udevice *dev)
89 log_info("TPM: Clear and re-enable\n");
90 ret = tpm1_force_clear(dev);
91 if (ret != TPM_SUCCESS) {
92 log_err("Can't initiate a force clear\n");
96 ret = tpm1_physical_enable(dev);
97 if (ret != TPM_SUCCESS) {
98 log_err("TPM: Can't set enabled state\n");
102 ret = tpm1_physical_set_deactivated(dev, 0);
103 if (ret != TPM_SUCCESS) {
104 log_err("TPM: Can't set deactivated state\n");
111 u32 tpm1_nv_define_space(struct udevice *dev, u32 index, u32 perm, u32 size)
113 const u8 command[101] = {
114 0x0, 0xc1, /* TPM_TAG */
115 0x0, 0x0, 0x0, 0x65, /* parameter size */
116 0x0, 0x0, 0x0, 0xcc, /* TPM_COMMAND_CODE */
117 /* TPM_NV_DATA_PUBLIC->... */
118 0x0, 0x18, /* ...->TPM_STRUCTURE_TAG */
119 0, 0, 0, 0, /* ...->TPM_NV_INDEX */
120 /* TPM_NV_DATA_PUBLIC->TPM_PCR_INFO_SHORT */
124 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
125 /* TPM_NV_DATA_PUBLIC->TPM_PCR_INFO_SHORT */
129 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
130 /* TPM_NV_ATTRIBUTES->... */
131 0x0, 0x17, /* ...->TPM_STRUCTURE_TAG */
132 0, 0, 0, 0, /* ...->attributes */
133 /* End of TPM_NV_ATTRIBUTES */
134 0, /* bReadSTClear */
135 0, /* bWriteSTClear */
136 0, /* bWriteDefine */
137 0, 0, 0, 0, /* size */
139 const size_t index_offset = 12;
140 const size_t perm_offset = 70;
141 const size_t size_offset = 77;
142 u8 buf[COMMAND_BUFFER_SIZE];
144 if (pack_byte_string(buf, sizeof(buf), "sddd",
145 0, command, sizeof(command),
149 return TPM_LIB_ERROR;
151 return tpm_sendrecv_command(dev, buf, NULL, NULL);
154 u32 tpm1_nv_set_locked(struct udevice *dev)
156 return tpm1_nv_define_space(dev, TPM_NV_INDEX_LOCK, 0, 0);
159 u32 tpm1_nv_read_value(struct udevice *dev, u32 index, void *data, u32 count)
161 const u8 command[22] = {
162 0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0xcf,
164 const size_t index_offset = 10;
165 const size_t length_offset = 18;
166 const size_t data_size_offset = 10;
167 const size_t data_offset = 14;
168 u8 buf[COMMAND_BUFFER_SIZE], response[COMMAND_BUFFER_SIZE];
169 size_t response_length = sizeof(response);
173 if (pack_byte_string(buf, sizeof(buf), "sdd",
174 0, command, sizeof(command),
176 length_offset, count))
177 return TPM_LIB_ERROR;
178 err = tpm_sendrecv_command(dev, buf, response, &response_length);
181 if (unpack_byte_string(response, response_length, "d",
182 data_size_offset, &data_size))
183 return TPM_LIB_ERROR;
184 if (data_size > count)
185 return TPM_LIB_ERROR;
186 if (unpack_byte_string(response, response_length, "s",
187 data_offset, data, data_size))
188 return TPM_LIB_ERROR;
193 u32 tpm1_nv_write_value(struct udevice *dev, u32 index, const void *data,
196 const u8 command[256] = {
197 0x0, 0xc1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xcd,
199 const size_t command_size_offset = 2;
200 const size_t index_offset = 10;
201 const size_t length_offset = 18;
202 const size_t data_offset = 22;
203 const size_t write_info_size = 12;
204 const u32 total_length =
205 TPM_REQUEST_HEADER_LENGTH + write_info_size + length;
206 u8 buf[COMMAND_BUFFER_SIZE], response[COMMAND_BUFFER_SIZE];
207 size_t response_length = sizeof(response);
210 if (pack_byte_string(buf, sizeof(buf), "sddds",
211 0, command, sizeof(command),
212 command_size_offset, total_length,
214 length_offset, length,
215 data_offset, data, length))
216 return TPM_LIB_ERROR;
217 err = tpm_sendrecv_command(dev, buf, response, &response_length);
224 u32 tpm1_extend(struct udevice *dev, u32 index, const void *in_digest,
227 const u8 command[34] = {
228 0x0, 0xc1, 0x0, 0x0, 0x0, 0x22, 0x0, 0x0, 0x0, 0x14,
230 const size_t index_offset = 10;
231 const size_t in_digest_offset = 14;
232 const size_t out_digest_offset = 10;
233 u8 buf[COMMAND_BUFFER_SIZE];
234 u8 response[TPM_RESPONSE_HEADER_LENGTH + PCR_DIGEST_LENGTH];
235 size_t response_length = sizeof(response);
238 if (pack_byte_string(buf, sizeof(buf), "sds",
239 0, command, sizeof(command),
241 in_digest_offset, in_digest,
243 return TPM_LIB_ERROR;
244 err = tpm_sendrecv_command(dev, buf, response, &response_length);
248 if (unpack_byte_string(response, response_length, "s",
249 out_digest_offset, out_digest,
251 return TPM_LIB_ERROR;
256 u32 tpm1_pcr_read(struct udevice *dev, u32 index, void *data, size_t count)
258 const u8 command[14] = {
259 0x0, 0xc1, 0x0, 0x0, 0x0, 0xe, 0x0, 0x0, 0x0, 0x15,
261 const size_t index_offset = 10;
262 const size_t out_digest_offset = 10;
263 u8 buf[COMMAND_BUFFER_SIZE], response[COMMAND_BUFFER_SIZE];
264 size_t response_length = sizeof(response);
267 if (count < PCR_DIGEST_LENGTH)
268 return TPM_LIB_ERROR;
270 if (pack_byte_string(buf, sizeof(buf), "sd",
271 0, command, sizeof(command),
272 index_offset, index))
273 return TPM_LIB_ERROR;
274 err = tpm_sendrecv_command(dev, buf, response, &response_length);
277 if (unpack_byte_string(response, response_length, "s",
278 out_digest_offset, data, PCR_DIGEST_LENGTH))
279 return TPM_LIB_ERROR;
284 u32 tpm1_tsc_physical_presence(struct udevice *dev, u16 presence)
286 const u8 command[12] = {
287 0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x40, 0x0, 0x0, 0xa, 0x0, 0x0,
289 const size_t presence_offset = 10;
290 u8 buf[COMMAND_BUFFER_SIZE];
292 if (pack_byte_string(buf, sizeof(buf), "sw",
293 0, command, sizeof(command),
294 presence_offset, presence))
295 return TPM_LIB_ERROR;
297 return tpm_sendrecv_command(dev, buf, NULL, NULL);
300 u32 tpm1_finalise_physical_presence(struct udevice *dev)
302 const u8 command[12] = {
303 0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x40, 0x0, 0x0, 0xa, 0x2, 0xa0,
306 return tpm_sendrecv_command(dev, command, NULL, NULL);
309 u32 tpm1_read_pubek(struct udevice *dev, void *data, size_t count)
311 const u8 command[30] = {
312 0x0, 0xc1, 0x0, 0x0, 0x0, 0x1e, 0x0, 0x0, 0x0, 0x7c,
314 const size_t response_size_offset = 2;
315 const size_t data_offset = 10;
316 const size_t header_and_checksum_size = TPM_RESPONSE_HEADER_LENGTH + 20;
317 u8 response[COMMAND_BUFFER_SIZE + TPM_PUBEK_SIZE];
318 size_t response_length = sizeof(response);
322 err = tpm_sendrecv_command(dev, command, response, &response_length);
325 if (unpack_byte_string(response, response_length, "d",
326 response_size_offset, &data_size))
327 return TPM_LIB_ERROR;
328 if (data_size < header_and_checksum_size)
329 return TPM_LIB_ERROR;
330 data_size -= header_and_checksum_size;
331 if (data_size > count)
332 return TPM_LIB_ERROR;
333 if (unpack_byte_string(response, response_length, "s",
334 data_offset, data, data_size))
335 return TPM_LIB_ERROR;
340 u32 tpm1_force_clear(struct udevice *dev)
342 const u8 command[10] = {
343 0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x5d,
346 return tpm_sendrecv_command(dev, command, NULL, NULL);
349 u32 tpm1_physical_enable(struct udevice *dev)
351 const u8 command[10] = {
352 0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x6f,
355 return tpm_sendrecv_command(dev, command, NULL, NULL);
358 u32 tpm1_physical_disable(struct udevice *dev)
360 const u8 command[10] = {
361 0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x70,
364 return tpm_sendrecv_command(dev, command, NULL, NULL);
367 u32 tpm1_physical_set_deactivated(struct udevice *dev, u8 state)
369 const u8 command[11] = {
370 0x0, 0xc1, 0x0, 0x0, 0x0, 0xb, 0x0, 0x0, 0x0, 0x72,
372 const size_t state_offset = 10;
373 u8 buf[COMMAND_BUFFER_SIZE];
375 if (pack_byte_string(buf, sizeof(buf), "sb",
376 0, command, sizeof(command),
377 state_offset, state))
378 return TPM_LIB_ERROR;
380 return tpm_sendrecv_command(dev, buf, NULL, NULL);
383 u32 tpm1_get_capability(struct udevice *dev, u32 cap_area, u32 sub_cap,
384 void *cap, size_t count)
386 const u8 command[22] = {
387 0x0, 0xc1, /* TPM_TAG */
388 0x0, 0x0, 0x0, 0x16, /* parameter size */
389 0x0, 0x0, 0x0, 0x65, /* TPM_COMMAND_CODE */
390 0x0, 0x0, 0x0, 0x0, /* TPM_CAPABILITY_AREA */
391 0x0, 0x0, 0x0, 0x4, /* subcap size */
392 0x0, 0x0, 0x0, 0x0, /* subcap value */
394 const size_t cap_area_offset = 10;
395 const size_t sub_cap_offset = 18;
396 const size_t cap_offset = 14;
397 const size_t cap_size_offset = 10;
398 u8 buf[COMMAND_BUFFER_SIZE], response[COMMAND_BUFFER_SIZE];
399 size_t response_length = sizeof(response);
403 if (pack_byte_string(buf, sizeof(buf), "sdd",
404 0, command, sizeof(command),
405 cap_area_offset, cap_area,
406 sub_cap_offset, sub_cap))
407 return TPM_LIB_ERROR;
408 err = tpm_sendrecv_command(dev, buf, response, &response_length);
411 if (unpack_byte_string(response, response_length, "d",
412 cap_size_offset, &cap_size))
413 return TPM_LIB_ERROR;
414 if (cap_size > response_length || cap_size > count)
415 return TPM_LIB_ERROR;
416 if (unpack_byte_string(response, response_length, "s",
417 cap_offset, cap, cap_size))
418 return TPM_LIB_ERROR;
423 u32 tpm1_get_permanent_flags(struct udevice *dev,
424 struct tpm_permanent_flags *pflags)
426 const u8 command[22] = {
427 0x0, 0xc1, /* TPM_TAG */
428 0x0, 0x0, 0x0, 0x16, /* parameter size */
429 0x0, 0x0, 0x0, 0x65, /* TPM_COMMAND_CODE */
430 0x0, 0x0, 0x0, 0x4, /* TPM_CAP_FLAG_PERM */
431 0x0, 0x0, 0x0, 0x4, /* subcap size */
432 0x0, 0x0, 0x1, 0x8, /* subcap value */
434 const size_t data_size_offset = TPM_HEADER_SIZE;
435 const size_t data_offset = TPM_HEADER_SIZE + sizeof(u32);
436 u8 response[COMMAND_BUFFER_SIZE];
437 size_t response_length = sizeof(response);
441 err = tpm_sendrecv_command(dev, command, response, &response_length);
444 if (unpack_byte_string(response, response_length, "d",
445 data_size_offset, &data_size)) {
446 log_err("Cannot unpack data size\n");
447 return TPM_LIB_ERROR;
449 if (data_size < sizeof(*pflags)) {
450 log_err("Data size too small\n");
451 return TPM_LIB_ERROR;
453 if (unpack_byte_string(response, response_length, "s",
454 data_offset, pflags, sizeof(*pflags))) {
455 log_err("Cannot unpack pflags\n");
456 return TPM_LIB_ERROR;
462 u32 tpm1_get_permissions(struct udevice *dev, u32 index, u32 *perm)
464 const u8 command[22] = {
465 0x0, 0xc1, /* TPM_TAG */
466 0x0, 0x0, 0x0, 0x16, /* parameter size */
467 0x0, 0x0, 0x0, 0x65, /* TPM_COMMAND_CODE */
471 const size_t index_offset = 18;
472 const size_t perm_offset = 74;
473 u8 buf[COMMAND_BUFFER_SIZE], response[COMMAND_BUFFER_SIZE];
474 size_t response_length = sizeof(response);
477 if (pack_byte_string(buf, sizeof(buf), "sd",
478 0, command, sizeof(command),
479 index_offset, index))
480 return TPM_LIB_ERROR;
481 err = tpm_sendrecv_command(dev, buf, response, &response_length);
484 if (unpack_byte_string(response, response_length, "d",
486 return TPM_LIB_ERROR;
491 #ifdef CONFIG_TPM_FLUSH_RESOURCES
492 u32 tpm1_flush_specific(struct udevice *dev, u32 key_handle, u32 resource_type)
494 const u8 command[18] = {
495 0x00, 0xc1, /* TPM_TAG */
496 0x00, 0x00, 0x00, 0x12, /* parameter size */
497 0x00, 0x00, 0x00, 0xba, /* TPM_COMMAND_CODE */
498 0x00, 0x00, 0x00, 0x00, /* key handle */
499 0x00, 0x00, 0x00, 0x00, /* resource type */
501 const size_t key_handle_offset = 10;
502 const size_t resource_type_offset = 14;
503 u8 buf[COMMAND_BUFFER_SIZE], response[COMMAND_BUFFER_SIZE];
504 size_t response_length = sizeof(response);
507 if (pack_byte_string(buf, sizeof(buf), "sdd",
508 0, command, sizeof(command),
509 key_handle_offset, key_handle,
510 resource_type_offset, resource_type))
511 return TPM_LIB_ERROR;
513 err = tpm_sendrecv_command(dev, buf, response, &response_length);
518 #endif /* CONFIG_TPM_FLUSH_RESOURCES */
520 #ifdef CONFIG_TPM_AUTH_SESSIONS
523 * Fill an authentication block in a request.
524 * This func can create the first as well as the second auth block (for
525 * double authorized commands).
527 * @param request pointer to the request (w/ uninitialised auth data)
528 * @param request_len0 length of the request without auth data
529 * @param handles_len length of the handles area in request
530 * @param auth_session pointer to the (valid) auth session to be used
531 * @param request_auth pointer to the auth block of the request to be filled
532 * @param auth authentication data (HMAC key)
534 static u32 create_request_auth(const void *request, size_t request_len0,
536 struct session_data *auth_session,
537 void *request_auth, const void *auth)
539 u8 hmac_data[DIGEST_LENGTH * 3 + 1];
540 sha1_context hash_ctx;
541 const size_t command_code_offset = 6;
542 const size_t auth_nonce_odd_offset = 4;
543 const size_t auth_continue_offset = 24;
544 const size_t auth_auth_offset = 25;
546 if (!auth_session || !auth_session->valid)
547 return TPM_LIB_ERROR;
549 sha1_starts(&hash_ctx);
550 sha1_update(&hash_ctx, request + command_code_offset, 4);
551 if (request_len0 > TPM_REQUEST_HEADER_LENGTH + handles_len)
552 sha1_update(&hash_ctx,
553 request + TPM_REQUEST_HEADER_LENGTH + handles_len,
554 request_len0 - TPM_REQUEST_HEADER_LENGTH
556 sha1_finish(&hash_ctx, hmac_data);
558 sha1_starts(&hash_ctx);
559 sha1_update(&hash_ctx, auth_session->nonce_odd, DIGEST_LENGTH);
560 sha1_update(&hash_ctx, hmac_data, sizeof(hmac_data));
561 sha1_finish(&hash_ctx, auth_session->nonce_odd);
563 if (pack_byte_string(request_auth, TPM_REQUEST_AUTH_LENGTH, "dsb",
564 0, auth_session->handle,
565 auth_nonce_odd_offset, auth_session->nonce_odd,
567 auth_continue_offset, 1))
568 return TPM_LIB_ERROR;
569 if (pack_byte_string(hmac_data, sizeof(hmac_data), "ss",
571 auth_session->nonce_even,
574 request_auth + auth_nonce_odd_offset,
576 return TPM_LIB_ERROR;
577 sha1_hmac(auth, DIGEST_LENGTH, hmac_data, sizeof(hmac_data),
578 request_auth + auth_auth_offset);
584 * Verify an authentication block in a response.
585 * Since this func updates the nonce_even in the session data it has to be
586 * called when receiving a succesfull AUTH response.
587 * This func can verify the first as well as the second auth block (for
588 * double authorized commands).
590 * @param command_code command code of the request
591 * @param response pointer to the request (w/ uninitialised auth data)
592 * @param handles_len length of the handles area in response
593 * @param auth_session pointer to the (valid) auth session to be used
594 * @param response_auth pointer to the auth block of the response to be verified
595 * @param auth authentication data (HMAC key)
597 static u32 verify_response_auth(u32 command_code, const void *response,
598 size_t response_len0, size_t handles_len,
599 struct session_data *auth_session,
600 const void *response_auth, const void *auth)
602 u8 hmac_data[DIGEST_LENGTH * 3 + 1];
603 u8 computed_auth[DIGEST_LENGTH];
604 sha1_context hash_ctx;
605 const size_t return_code_offset = 6;
606 const size_t auth_continue_offset = 20;
607 const size_t auth_auth_offset = 21;
610 if (!auth_session || !auth_session->valid)
612 if (pack_byte_string(hmac_data, sizeof(hmac_data), "d",
614 return TPM_LIB_ERROR;
615 if (response_len0 < TPM_RESPONSE_HEADER_LENGTH)
616 return TPM_LIB_ERROR;
618 sha1_starts(&hash_ctx);
619 sha1_update(&hash_ctx, response + return_code_offset, 4);
620 sha1_update(&hash_ctx, hmac_data, 4);
621 if (response_len0 > TPM_RESPONSE_HEADER_LENGTH + handles_len)
622 sha1_update(&hash_ctx,
623 response + TPM_RESPONSE_HEADER_LENGTH + handles_len,
624 response_len0 - TPM_RESPONSE_HEADER_LENGTH
626 sha1_finish(&hash_ctx, hmac_data);
628 memcpy(auth_session->nonce_even, response_auth, DIGEST_LENGTH);
629 auth_continue = ((u8 *)response_auth)[auth_continue_offset];
630 if (pack_byte_string(hmac_data, sizeof(hmac_data), "ssb",
635 auth_session->nonce_odd,
639 return TPM_LIB_ERROR;
641 sha1_hmac(auth, DIGEST_LENGTH, hmac_data, sizeof(hmac_data),
644 if (memcmp(computed_auth, response_auth + auth_auth_offset,
651 u32 tpm1_terminate_auth_session(struct udevice *dev, u32 auth_handle)
653 const u8 command[18] = {
654 0x00, 0xc1, /* TPM_TAG */
655 0x00, 0x00, 0x00, 0x00, /* parameter size */
656 0x00, 0x00, 0x00, 0xba, /* TPM_COMMAND_CODE */
657 0x00, 0x00, 0x00, 0x00, /* TPM_HANDLE */
658 0x00, 0x00, 0x00, 0x02, /* TPM_RESOURCE_TYPE */
660 const size_t req_handle_offset = TPM_REQUEST_HEADER_LENGTH;
661 u8 request[COMMAND_BUFFER_SIZE];
663 if (pack_byte_string(request, sizeof(request), "sd",
664 0, command, sizeof(command),
665 req_handle_offset, auth_handle))
666 return TPM_LIB_ERROR;
667 if (oiap_session.valid && oiap_session.handle == auth_handle)
668 oiap_session.valid = 0;
670 return tpm_sendrecv_command(dev, request, NULL, NULL);
673 u32 tpm1_end_oiap(struct udevice *dev)
675 u32 err = TPM_SUCCESS;
677 if (oiap_session.valid)
678 err = tpm1_terminate_auth_session(dev, oiap_session.handle);
682 u32 tpm1_oiap(struct udevice *dev, u32 *auth_handle)
684 const u8 command[10] = {
685 0x00, 0xc1, /* TPM_TAG */
686 0x00, 0x00, 0x00, 0x0a, /* parameter size */
687 0x00, 0x00, 0x00, 0x0a, /* TPM_COMMAND_CODE */
689 const size_t res_auth_handle_offset = TPM_RESPONSE_HEADER_LENGTH;
690 const size_t res_nonce_even_offset = TPM_RESPONSE_HEADER_LENGTH + 4;
691 u8 response[COMMAND_BUFFER_SIZE];
692 size_t response_length = sizeof(response);
695 if (oiap_session.valid)
696 tpm1_terminate_auth_session(dev, oiap_session.handle);
698 err = tpm_sendrecv_command(dev, command, response, &response_length);
701 if (unpack_byte_string(response, response_length, "ds",
702 res_auth_handle_offset, &oiap_session.handle,
703 res_nonce_even_offset, &oiap_session.nonce_even,
705 return TPM_LIB_ERROR;
706 oiap_session.valid = 1;
708 *auth_handle = oiap_session.handle;
712 u32 tpm1_load_key2_oiap(struct udevice *dev, u32 parent_handle, const void *key,
713 size_t key_length, const void *parent_key_usage_auth,
716 const u8 command[14] = {
717 0x00, 0xc2, /* TPM_TAG */
718 0x00, 0x00, 0x00, 0x00, /* parameter size */
719 0x00, 0x00, 0x00, 0x41, /* TPM_COMMAND_CODE */
720 0x00, 0x00, 0x00, 0x00, /* parent handle */
722 const size_t req_size_offset = 2;
723 const size_t req_parent_handle_offset = TPM_REQUEST_HEADER_LENGTH;
724 const size_t req_key_offset = TPM_REQUEST_HEADER_LENGTH + 4;
725 const size_t res_handle_offset = TPM_RESPONSE_HEADER_LENGTH;
726 u8 request[sizeof(command) + TPM_KEY12_MAX_LENGTH +
727 TPM_REQUEST_AUTH_LENGTH];
728 u8 response[COMMAND_BUFFER_SIZE];
729 size_t response_length = sizeof(response);
732 if (!oiap_session.valid) {
733 err = tpm1_oiap(dev, NULL);
737 if (pack_byte_string(request, sizeof(request), "sdds",
738 0, command, sizeof(command),
740 sizeof(command) + key_length
741 + TPM_REQUEST_AUTH_LENGTH,
742 req_parent_handle_offset, parent_handle,
743 req_key_offset, key, key_length
745 return TPM_LIB_ERROR;
747 err = create_request_auth(request, sizeof(command) + key_length, 4,
749 request + sizeof(command) + key_length,
750 parent_key_usage_auth);
753 err = tpm_sendrecv_command(dev, request, response, &response_length);
755 if (err == TPM_AUTHFAIL)
756 oiap_session.valid = 0;
760 err = verify_response_auth(0x00000041, response,
761 response_length - TPM_RESPONSE_AUTH_LENGTH,
763 response + response_length -
764 TPM_RESPONSE_AUTH_LENGTH,
765 parent_key_usage_auth);
770 if (unpack_byte_string(response, response_length, "d",
771 res_handle_offset, key_handle))
772 return TPM_LIB_ERROR;
778 u32 tpm1_get_pub_key_oiap(struct udevice *dev, u32 key_handle,
779 const void *usage_auth, void *pubkey,
782 const u8 command[14] = {
783 0x00, 0xc2, /* TPM_TAG */
784 0x00, 0x00, 0x00, 0x00, /* parameter size */
785 0x00, 0x00, 0x00, 0x21, /* TPM_COMMAND_CODE */
786 0x00, 0x00, 0x00, 0x00, /* key handle */
788 const size_t req_size_offset = 2;
789 const size_t req_key_handle_offset = TPM_REQUEST_HEADER_LENGTH;
790 const size_t res_pubkey_offset = TPM_RESPONSE_HEADER_LENGTH;
791 u8 request[sizeof(command) + TPM_REQUEST_AUTH_LENGTH];
792 u8 response[TPM_RESPONSE_HEADER_LENGTH + TPM_PUBKEY_MAX_LENGTH +
793 TPM_RESPONSE_AUTH_LENGTH];
794 size_t response_length = sizeof(response);
797 if (!oiap_session.valid) {
798 err = tpm1_oiap(dev, NULL);
802 if (pack_byte_string(request, sizeof(request), "sdd",
803 0, command, sizeof(command),
805 (u32)(sizeof(command)
806 + TPM_REQUEST_AUTH_LENGTH),
807 req_key_handle_offset, key_handle
809 return TPM_LIB_ERROR;
810 err = create_request_auth(request, sizeof(command), 4, &oiap_session,
811 request + sizeof(command), usage_auth);
814 err = tpm_sendrecv_command(dev, request, response, &response_length);
816 if (err == TPM_AUTHFAIL)
817 oiap_session.valid = 0;
820 err = verify_response_auth(0x00000021, response,
821 response_length - TPM_RESPONSE_AUTH_LENGTH,
823 response + response_length -
824 TPM_RESPONSE_AUTH_LENGTH,
830 if ((response_length - TPM_RESPONSE_HEADER_LENGTH
831 - TPM_RESPONSE_AUTH_LENGTH) > *pubkey_len)
832 return TPM_LIB_ERROR;
833 *pubkey_len = response_length - TPM_RESPONSE_HEADER_LENGTH
834 - TPM_RESPONSE_AUTH_LENGTH;
835 memcpy(pubkey, response + res_pubkey_offset,
836 response_length - TPM_RESPONSE_HEADER_LENGTH
837 - TPM_RESPONSE_AUTH_LENGTH);
843 #ifdef CONFIG_TPM_LOAD_KEY_BY_SHA1
844 u32 tpm1_find_key_sha1(struct udevice *dev, const u8 auth[20],
845 const u8 pubkey_digest[20], u32 *handle)
856 /* fetch list of already loaded keys in the TPM */
857 err = tpm1_get_capability(dev, TPM_CAP_HANDLE, TPM_RT_KEY, buf,
861 key_count = get_unaligned_be16(buf);
863 for (i = 0; i < key_count; ++i, ptr += 4)
864 key_handles[i] = get_unaligned_be32(ptr);
866 /* now search a(/ the) key which we can access with the given auth */
867 for (i = 0; i < key_count; ++i) {
868 buf_len = sizeof(buf);
869 err = tpm1_get_pub_key_oiap(dev, key_handles[i], auth, buf, &buf_len);
870 if (err && err != TPM_AUTHFAIL)
874 sha1_csum(buf, buf_len, digest);
875 if (!memcmp(digest, pubkey_digest, 20)) {
876 *handle = key_handles[i];
882 #endif /* CONFIG_TPM_LOAD_KEY_BY_SHA1 */
884 #endif /* CONFIG_TPM_AUTH_SESSIONS */
886 u32 tpm1_get_random(struct udevice *dev, void *data, u32 count)
888 const u8 command[14] = {
889 0x0, 0xc1, /* TPM_TAG */
890 0x0, 0x0, 0x0, 0xe, /* parameter size */
891 0x0, 0x0, 0x0, 0x46, /* TPM_COMMAND_CODE */
893 const size_t length_offset = 10;
894 const size_t data_size_offset = 10;
895 const size_t data_offset = 14;
896 u8 buf[COMMAND_BUFFER_SIZE], response[COMMAND_BUFFER_SIZE];
897 size_t response_length = sizeof(response);
902 u32 this_bytes = min((size_t)count,
903 sizeof(response) - data_offset);
906 if (pack_byte_string(buf, sizeof(buf), "sd",
907 0, command, sizeof(command),
908 length_offset, this_bytes))
909 return TPM_LIB_ERROR;
910 err = tpm_sendrecv_command(dev, buf, response,
914 if (unpack_byte_string(response, response_length, "d",
915 data_size_offset, &data_size))
916 return TPM_LIB_ERROR;
917 if (data_size > count)
918 return TPM_LIB_ERROR;
919 if (unpack_byte_string(response, response_length, "s",
920 data_offset, out, data_size))
921 return TPM_LIB_ERROR;
projects / platform / kernel / u-boot.git / blob