efi_loader: static functions in efi_runtime.c
[platform/kernel/u-boot.git] / lib / tpm-v2.c
1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3  * Copyright (c) 2018 Bootlin
4  * Author: Miquel Raynal <miquel.raynal@bootlin.com>
5  */
6
7 #include <common.h>
8 #include <dm.h>
9 #include <tpm-common.h>
10 #include <tpm-v2.h>
11 #include <linux/bitops.h>
12 #include "tpm-utils.h"
13
14 u32 tpm2_startup(struct udevice *dev, enum tpm2_startup_types mode)
15 {
16         const u8 command_v2[12] = {
17                 tpm_u16(TPM2_ST_NO_SESSIONS),
18                 tpm_u32(12),
19                 tpm_u32(TPM2_CC_STARTUP),
20                 tpm_u16(mode),
21         };
22         int ret;
23
24         /*
25          * Note TPM2_Startup command will return RC_SUCCESS the first time,
26          * but will return RC_INITIALIZE otherwise.
27          */
28         ret = tpm_sendrecv_command(dev, command_v2, NULL, NULL);
29         if (ret && ret != TPM2_RC_INITIALIZE)
30                 return ret;
31
32         return 0;
33 }
34
35 u32 tpm2_self_test(struct udevice *dev, enum tpm2_yes_no full_test)
36 {
37         const u8 command_v2[12] = {
38                 tpm_u16(TPM2_ST_NO_SESSIONS),
39                 tpm_u32(11),
40                 tpm_u32(TPM2_CC_SELF_TEST),
41                 full_test,
42         };
43
44         return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
45 }
46
47 u32 tpm2_clear(struct udevice *dev, u32 handle, const char *pw,
48                const ssize_t pw_sz)
49 {
50         /* Length of the message header, up to start of password */
51         uint offset = 27;
52         u8 command_v2[COMMAND_BUFFER_SIZE] = {
53                 tpm_u16(TPM2_ST_SESSIONS),      /* TAG */
54                 tpm_u32(offset + pw_sz),        /* Length */
55                 tpm_u32(TPM2_CC_CLEAR),         /* Command code */
56
57                 /* HANDLE */
58                 tpm_u32(handle),                /* TPM resource handle */
59
60                 /* AUTH_SESSION */
61                 tpm_u32(9 + pw_sz),             /* Authorization size */
62                 tpm_u32(TPM2_RS_PW),            /* Session handle */
63                 tpm_u16(0),                     /* Size of <nonce> */
64                                                 /* <nonce> (if any) */
65                 0,                              /* Attributes: Cont/Excl/Rst */
66                 tpm_u16(pw_sz),                 /* Size of <hmac/password> */
67                 /* STRING(pw)                      <hmac/password> (if any) */
68         };
69         int ret;
70
71         /*
72          * Fill the command structure starting from the first buffer:
73          *     - the password (if any)
74          */
75         ret = pack_byte_string(command_v2, sizeof(command_v2), "s",
76                                offset, pw, pw_sz);
77         offset += pw_sz;
78         if (ret)
79                 return TPM_LIB_ERROR;
80
81         return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
82 }
83
84 u32 tpm2_nv_define_space(struct udevice *dev, u32 space_index,
85                          size_t space_size, u32 nv_attributes,
86                          const u8 *nv_policy, size_t nv_policy_size)
87 {
88         /*
89          * Calculate the offset of the nv_policy piece by adding each of the
90          * chunks below.
91          */
92         const int platform_len = sizeof(u32);
93         const int session_hdr_len = 13;
94         const int message_len = 14;
95         uint offset = TPM2_HDR_LEN + platform_len + session_hdr_len +
96                 message_len;
97         u8 command_v2[COMMAND_BUFFER_SIZE] = {
98                 /* header 10 bytes */
99                 tpm_u16(TPM2_ST_SESSIONS),      /* TAG */
100                 tpm_u32(offset + nv_policy_size + 2),/* Length */
101                 tpm_u32(TPM2_CC_NV_DEFINE_SPACE),/* Command code */
102
103                 /* handles 4 bytes */
104                 tpm_u32(TPM2_RH_PLATFORM),      /* Primary platform seed */
105
106                 /* session header 13 bytes */
107                 tpm_u32(9),                     /* Header size */
108                 tpm_u32(TPM2_RS_PW),            /* Password authorisation */
109                 tpm_u16(0),                     /* nonce_size */
110                 0,                              /* session_attrs */
111                 tpm_u16(0),                     /* auth_size */
112
113                 /* message 14 bytes + policy */
114                 tpm_u16(message_len + nv_policy_size),  /* size */
115                 tpm_u32(space_index),
116                 tpm_u16(TPM2_ALG_SHA256),
117                 tpm_u32(nv_attributes),
118                 tpm_u16(nv_policy_size),
119                 /*
120                  * nv_policy
121                  * space_size
122                  */
123         };
124         int ret;
125
126         /*
127          * Fill the command structure starting from the first buffer:
128          *     - the password (if any)
129          */
130         ret = pack_byte_string(command_v2, sizeof(command_v2), "sw",
131                                offset, nv_policy, nv_policy_size,
132                                offset + nv_policy_size, space_size);
133         if (ret)
134                 return TPM_LIB_ERROR;
135
136         return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
137 }
138
139 u32 tpm2_pcr_extend(struct udevice *dev, u32 index, u32 algorithm,
140                     const u8 *digest, u32 digest_len)
141 {
142         /* Length of the message header, up to start of digest */
143         uint offset = 33;
144         u8 command_v2[COMMAND_BUFFER_SIZE] = {
145                 tpm_u16(TPM2_ST_SESSIONS),      /* TAG */
146                 tpm_u32(offset + digest_len),   /* Length */
147                 tpm_u32(TPM2_CC_PCR_EXTEND),    /* Command code */
148
149                 /* HANDLE */
150                 tpm_u32(index),                 /* Handle (PCR Index) */
151
152                 /* AUTH_SESSION */
153                 tpm_u32(9),                     /* Authorization size */
154                 tpm_u32(TPM2_RS_PW),            /* Session handle */
155                 tpm_u16(0),                     /* Size of <nonce> */
156                                                 /* <nonce> (if any) */
157                 0,                              /* Attributes: Cont/Excl/Rst */
158                 tpm_u16(0),                     /* Size of <hmac/password> */
159                                                 /* <hmac/password> (if any) */
160
161                 /* hashes */
162                 tpm_u32(1),                     /* Count (number of hashes) */
163                 tpm_u16(algorithm),     /* Algorithm of the hash */
164                 /* STRING(digest)                  Digest */
165         };
166         int ret;
167
168         if (!digest)
169                 return -EINVAL;
170         /*
171          * Fill the command structure starting from the first buffer:
172          *     - the digest
173          */
174         ret = pack_byte_string(command_v2, sizeof(command_v2), "s",
175                                offset, digest, digest_len);
176         if (ret)
177                 return TPM_LIB_ERROR;
178
179         return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
180 }
181
182 u32 tpm2_nv_read_value(struct udevice *dev, u32 index, void *data, u32 count)
183 {
184         u8 command_v2[COMMAND_BUFFER_SIZE] = {
185                 /* header 10 bytes */
186                 tpm_u16(TPM2_ST_SESSIONS),      /* TAG */
187                 tpm_u32(10 + 8 + 4 + 9 + 4),    /* Length */
188                 tpm_u32(TPM2_CC_NV_READ),       /* Command code */
189
190                 /* handles 8 bytes */
191                 tpm_u32(TPM2_RH_PLATFORM),      /* Primary platform seed */
192                 tpm_u32(HR_NV_INDEX + index),   /* Password authorisation */
193
194                 /* AUTH_SESSION */
195                 tpm_u32(9),                     /* Authorization size */
196                 tpm_u32(TPM2_RS_PW),            /* Session handle */
197                 tpm_u16(0),                     /* Size of <nonce> */
198                                                 /* <nonce> (if any) */
199                 0,                              /* Attributes: Cont/Excl/Rst */
200                 tpm_u16(0),                     /* Size of <hmac/password> */
201                                                 /* <hmac/password> (if any) */
202
203                 tpm_u16(count),                 /* Number of bytes */
204                 tpm_u16(0),                     /* Offset */
205         };
206         size_t response_len = COMMAND_BUFFER_SIZE;
207         u8 response[COMMAND_BUFFER_SIZE];
208         int ret;
209         u16 tag;
210         u32 size, code;
211
212         ret = tpm_sendrecv_command(dev, command_v2, response, &response_len);
213         if (ret)
214                 return log_msg_ret("read", ret);
215         if (unpack_byte_string(response, response_len, "wdds",
216                                0, &tag, 2, &size, 6, &code,
217                                16, data, count))
218                 return TPM_LIB_ERROR;
219
220         return 0;
221 }
222
223 u32 tpm2_nv_write_value(struct udevice *dev, u32 index, const void *data,
224                         u32 count)
225 {
226         struct tpm_chip_priv *priv = dev_get_uclass_priv(dev);
227         uint offset = 10 + 8 + 4 + 9 + 2;
228         uint len = offset + count + 2;
229         /* Use empty password auth if platform hierarchy is disabled */
230         u32 auth = priv->plat_hier_disabled ? HR_NV_INDEX + index :
231                 TPM2_RH_PLATFORM;
232         u8 command_v2[COMMAND_BUFFER_SIZE] = {
233                 /* header 10 bytes */
234                 tpm_u16(TPM2_ST_SESSIONS),      /* TAG */
235                 tpm_u32(len),                   /* Length */
236                 tpm_u32(TPM2_CC_NV_WRITE),      /* Command code */
237
238                 /* handles 8 bytes */
239                 tpm_u32(auth),                  /* Primary platform seed */
240                 tpm_u32(HR_NV_INDEX + index),   /* Password authorisation */
241
242                 /* AUTH_SESSION */
243                 tpm_u32(9),                     /* Authorization size */
244                 tpm_u32(TPM2_RS_PW),            /* Session handle */
245                 tpm_u16(0),                     /* Size of <nonce> */
246                                                 /* <nonce> (if any) */
247                 0,                              /* Attributes: Cont/Excl/Rst */
248                 tpm_u16(0),                     /* Size of <hmac/password> */
249                                                 /* <hmac/password> (if any) */
250
251                 tpm_u16(count),
252         };
253         size_t response_len = COMMAND_BUFFER_SIZE;
254         u8 response[COMMAND_BUFFER_SIZE];
255         int ret;
256
257         ret = pack_byte_string(command_v2, sizeof(command_v2), "sw",
258                                offset, data, count,
259                                offset + count, 0);
260         if (ret)
261                 return TPM_LIB_ERROR;
262
263         return tpm_sendrecv_command(dev, command_v2, response, &response_len);
264 }
265
266 u32 tpm2_pcr_read(struct udevice *dev, u32 idx, unsigned int idx_min_sz,
267                   u16 algorithm, void *data, u32 digest_len,
268                   unsigned int *updates)
269 {
270         u8 idx_array_sz = max(idx_min_sz, DIV_ROUND_UP(idx, 8));
271         u8 command_v2[COMMAND_BUFFER_SIZE] = {
272                 tpm_u16(TPM2_ST_NO_SESSIONS),   /* TAG */
273                 tpm_u32(17 + idx_array_sz),     /* Length */
274                 tpm_u32(TPM2_CC_PCR_READ),      /* Command code */
275
276                 /* TPML_PCR_SELECTION */
277                 tpm_u32(1),                     /* Number of selections */
278                 tpm_u16(algorithm),             /* Algorithm of the hash */
279                 idx_array_sz,                   /* Array size for selection */
280                 /* bitmap(idx)                     Selected PCR bitmap */
281         };
282         size_t response_len = COMMAND_BUFFER_SIZE;
283         u8 response[COMMAND_BUFFER_SIZE];
284         unsigned int pcr_sel_idx = idx / 8;
285         u8 pcr_sel_bit = BIT(idx % 8);
286         unsigned int counter = 0;
287         int ret;
288
289         if (pack_byte_string(command_v2, COMMAND_BUFFER_SIZE, "b",
290                              17 + pcr_sel_idx, pcr_sel_bit))
291                 return TPM_LIB_ERROR;
292
293         ret = tpm_sendrecv_command(dev, command_v2, response, &response_len);
294         if (ret)
295                 return ret;
296
297         if (digest_len > response_len)
298                 return TPM_LIB_ERROR;
299
300         if (unpack_byte_string(response, response_len, "ds",
301                                10, &counter,
302                                response_len - digest_len, data,
303                                digest_len))
304                 return TPM_LIB_ERROR;
305
306         if (updates)
307                 *updates = counter;
308
309         return 0;
310 }
311
312 u32 tpm2_get_capability(struct udevice *dev, u32 capability, u32 property,
313                         void *buf, size_t prop_count)
314 {
315         u8 command_v2[COMMAND_BUFFER_SIZE] = {
316                 tpm_u16(TPM2_ST_NO_SESSIONS),           /* TAG */
317                 tpm_u32(22),                            /* Length */
318                 tpm_u32(TPM2_CC_GET_CAPABILITY),        /* Command code */
319
320                 tpm_u32(capability),                    /* Capability */
321                 tpm_u32(property),                      /* Property */
322                 tpm_u32(prop_count),                    /* Property count */
323         };
324         u8 response[COMMAND_BUFFER_SIZE];
325         size_t response_len = COMMAND_BUFFER_SIZE;
326         unsigned int properties_off;
327         int ret;
328
329         ret = tpm_sendrecv_command(dev, command_v2, response, &response_len);
330         if (ret)
331                 return ret;
332
333         /*
334          * In the response buffer, the properties are located after the:
335          * tag (u16), response size (u32), response code (u32),
336          * YES/NO flag (u8), TPM_CAP (u32).
337          */
338         properties_off = sizeof(u16) + sizeof(u32) + sizeof(u32) +
339                          sizeof(u8) + sizeof(u32);
340         memcpy(buf, &response[properties_off], response_len - properties_off);
341
342         return 0;
343 }
344
345 u32 tpm2_dam_reset(struct udevice *dev, const char *pw, const ssize_t pw_sz)
346 {
347         u8 command_v2[COMMAND_BUFFER_SIZE] = {
348                 tpm_u16(TPM2_ST_SESSIONS),      /* TAG */
349                 tpm_u32(27 + pw_sz),            /* Length */
350                 tpm_u32(TPM2_CC_DAM_RESET),     /* Command code */
351
352                 /* HANDLE */
353                 tpm_u32(TPM2_RH_LOCKOUT),       /* TPM resource handle */
354
355                 /* AUTH_SESSION */
356                 tpm_u32(9 + pw_sz),             /* Authorization size */
357                 tpm_u32(TPM2_RS_PW),            /* Session handle */
358                 tpm_u16(0),                     /* Size of <nonce> */
359                                                 /* <nonce> (if any) */
360                 0,                              /* Attributes: Cont/Excl/Rst */
361                 tpm_u16(pw_sz),                 /* Size of <hmac/password> */
362                 /* STRING(pw)                      <hmac/password> (if any) */
363         };
364         unsigned int offset = 27;
365         int ret;
366
367         /*
368          * Fill the command structure starting from the first buffer:
369          *     - the password (if any)
370          */
371         ret = pack_byte_string(command_v2, sizeof(command_v2), "s",
372                                offset, pw, pw_sz);
373         offset += pw_sz;
374         if (ret)
375                 return TPM_LIB_ERROR;
376
377         return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
378 }
379
380 u32 tpm2_dam_parameters(struct udevice *dev, const char *pw,
381                         const ssize_t pw_sz, unsigned int max_tries,
382                         unsigned int recovery_time,
383                         unsigned int lockout_recovery)
384 {
385         u8 command_v2[COMMAND_BUFFER_SIZE] = {
386                 tpm_u16(TPM2_ST_SESSIONS),      /* TAG */
387                 tpm_u32(27 + pw_sz + 12),       /* Length */
388                 tpm_u32(TPM2_CC_DAM_PARAMETERS), /* Command code */
389
390                 /* HANDLE */
391                 tpm_u32(TPM2_RH_LOCKOUT),       /* TPM resource handle */
392
393                 /* AUTH_SESSION */
394                 tpm_u32(9 + pw_sz),             /* Authorization size */
395                 tpm_u32(TPM2_RS_PW),            /* Session handle */
396                 tpm_u16(0),                     /* Size of <nonce> */
397                                                 /* <nonce> (if any) */
398                 0,                              /* Attributes: Cont/Excl/Rst */
399                 tpm_u16(pw_sz),                 /* Size of <hmac/password> */
400                 /* STRING(pw)                      <hmac/password> (if any) */
401
402                 /* LOCKOUT PARAMETERS */
403                 /* tpm_u32(max_tries)              Max tries (0, always lock) */
404                 /* tpm_u32(recovery_time)          Recovery time (0, no lock) */
405                 /* tpm_u32(lockout_recovery)       Lockout recovery */
406         };
407         unsigned int offset = 27;
408         int ret;
409
410         /*
411          * Fill the command structure starting from the first buffer:
412          *     - the password (if any)
413          *     - max tries
414          *     - recovery time
415          *     - lockout recovery
416          */
417         ret = pack_byte_string(command_v2, sizeof(command_v2), "sddd",
418                                offset, pw, pw_sz,
419                                offset + pw_sz, max_tries,
420                                offset + pw_sz + 4, recovery_time,
421                                offset + pw_sz + 8, lockout_recovery);
422         offset += pw_sz + 12;
423         if (ret)
424                 return TPM_LIB_ERROR;
425
426         return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
427 }
428
429 int tpm2_change_auth(struct udevice *dev, u32 handle, const char *newpw,
430                      const ssize_t newpw_sz, const char *oldpw,
431                      const ssize_t oldpw_sz)
432 {
433         unsigned int offset = 27;
434         u8 command_v2[COMMAND_BUFFER_SIZE] = {
435                 tpm_u16(TPM2_ST_SESSIONS),      /* TAG */
436                 tpm_u32(offset + oldpw_sz + 2 + newpw_sz), /* Length */
437                 tpm_u32(TPM2_CC_HIERCHANGEAUTH), /* Command code */
438
439                 /* HANDLE */
440                 tpm_u32(handle),                /* TPM resource handle */
441
442                 /* AUTH_SESSION */
443                 tpm_u32(9 + oldpw_sz),          /* Authorization size */
444                 tpm_u32(TPM2_RS_PW),            /* Session handle */
445                 tpm_u16(0),                     /* Size of <nonce> */
446                                                 /* <nonce> (if any) */
447                 0,                              /* Attributes: Cont/Excl/Rst */
448                 tpm_u16(oldpw_sz)               /* Size of <hmac/password> */
449                 /* STRING(oldpw)                   <hmac/password> (if any) */
450
451                 /* TPM2B_AUTH (TPM2B_DIGEST) */
452                 /* tpm_u16(newpw_sz)               Digest size, new pw length */
453                 /* STRING(newpw)                   Digest buffer, new pw */
454         };
455         int ret;
456
457         /*
458          * Fill the command structure starting from the first buffer:
459          *     - the old password (if any)
460          *     - size of the new password
461          *     - new password
462          */
463         ret = pack_byte_string(command_v2, sizeof(command_v2), "sws",
464                                offset, oldpw, oldpw_sz,
465                                offset + oldpw_sz, newpw_sz,
466                                offset + oldpw_sz + 2, newpw, newpw_sz);
467         offset += oldpw_sz + 2 + newpw_sz;
468         if (ret)
469                 return TPM_LIB_ERROR;
470
471         return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
472 }
473
474 u32 tpm2_pcr_setauthpolicy(struct udevice *dev, const char *pw,
475                            const ssize_t pw_sz, u32 index, const char *key)
476 {
477         u8 command_v2[COMMAND_BUFFER_SIZE] = {
478                 tpm_u16(TPM2_ST_SESSIONS),      /* TAG */
479                 tpm_u32(35 + pw_sz + TPM2_DIGEST_LEN), /* Length */
480                 tpm_u32(TPM2_CC_PCR_SETAUTHPOL), /* Command code */
481
482                 /* HANDLE */
483                 tpm_u32(TPM2_RH_PLATFORM),      /* TPM resource handle */
484
485                 /* AUTH_SESSION */
486                 tpm_u32(9 + pw_sz),             /* Authorization size */
487                 tpm_u32(TPM2_RS_PW),            /* session handle */
488                 tpm_u16(0),                     /* Size of <nonce> */
489                                                 /* <nonce> (if any) */
490                 0,                              /* Attributes: Cont/Excl/Rst */
491                 tpm_u16(pw_sz)                  /* Size of <hmac/password> */
492                 /* STRING(pw)                      <hmac/password> (if any) */
493
494                 /* TPM2B_AUTH (TPM2B_DIGEST) */
495                 /* tpm_u16(TPM2_DIGEST_LEN)        Digest size length */
496                 /* STRING(key)                     Digest buffer (PCR key) */
497
498                 /* TPMI_ALG_HASH */
499                 /* tpm_u16(TPM2_ALG_SHA256)   Algorithm of the hash */
500
501                 /* TPMI_DH_PCR */
502                 /* tpm_u32(index),                 PCR Index */
503         };
504         unsigned int offset = 27;
505         int ret;
506
507         /*
508          * Fill the command structure starting from the first buffer:
509          *     - the password (if any)
510          *     - the PCR key length
511          *     - the PCR key
512          *     - the hash algorithm
513          *     - the PCR index
514          */
515         ret = pack_byte_string(command_v2, sizeof(command_v2), "swswd",
516                                offset, pw, pw_sz,
517                                offset + pw_sz, TPM2_DIGEST_LEN,
518                                offset + pw_sz + 2, key, TPM2_DIGEST_LEN,
519                                offset + pw_sz + 2 + TPM2_DIGEST_LEN,
520                                TPM2_ALG_SHA256,
521                                offset + pw_sz + 4 + TPM2_DIGEST_LEN, index);
522         offset += pw_sz + 2 + TPM2_DIGEST_LEN + 2 + 4;
523         if (ret)
524                 return TPM_LIB_ERROR;
525
526         return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
527 }
528
529 u32 tpm2_pcr_setauthvalue(struct udevice *dev, const char *pw,
530                           const ssize_t pw_sz, u32 index, const char *key,
531                           const ssize_t key_sz)
532 {
533         u8 command_v2[COMMAND_BUFFER_SIZE] = {
534                 tpm_u16(TPM2_ST_SESSIONS),      /* TAG */
535                 tpm_u32(33 + pw_sz + TPM2_DIGEST_LEN), /* Length */
536                 tpm_u32(TPM2_CC_PCR_SETAUTHVAL), /* Command code */
537
538                 /* HANDLE */
539                 tpm_u32(index),                 /* Handle (PCR Index) */
540
541                 /* AUTH_SESSION */
542                 tpm_u32(9 + pw_sz),             /* Authorization size */
543                 tpm_u32(TPM2_RS_PW),            /* session handle */
544                 tpm_u16(0),                     /* Size of <nonce> */
545                                                 /* <nonce> (if any) */
546                 0,                              /* Attributes: Cont/Excl/Rst */
547                 tpm_u16(pw_sz),                 /* Size of <hmac/password> */
548                 /* STRING(pw)                      <hmac/password> (if any) */
549
550                 /* TPM2B_DIGEST */
551                 /* tpm_u16(key_sz)                 Key length */
552                 /* STRING(key)                     Key */
553         };
554         unsigned int offset = 27;
555         int ret;
556
557         /*
558          * Fill the command structure starting from the first buffer:
559          *     - the password (if any)
560          *     - the number of digests, 1 in our case
561          *     - the algorithm, sha256 in our case
562          *     - the digest (64 bytes)
563          */
564         ret = pack_byte_string(command_v2, sizeof(command_v2), "sws",
565                                offset, pw, pw_sz,
566                                offset + pw_sz, key_sz,
567                                offset + pw_sz + 2, key, key_sz);
568         offset += pw_sz + 2 + key_sz;
569         if (ret)
570                 return TPM_LIB_ERROR;
571
572         return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
573 }
574
575 u32 tpm2_get_random(struct udevice *dev, void *data, u32 count)
576 {
577         const u8 command_v2[10] = {
578                 tpm_u16(TPM2_ST_NO_SESSIONS),
579                 tpm_u32(12),
580                 tpm_u32(TPM2_CC_GET_RANDOM),
581         };
582         u8 buf[COMMAND_BUFFER_SIZE], response[COMMAND_BUFFER_SIZE];
583
584         const size_t data_size_offset = 10;
585         const size_t data_offset = 12;
586         size_t response_length = sizeof(response);
587         u32 data_size;
588         u8 *out = data;
589
590         while (count > 0) {
591                 u32 this_bytes = min((size_t)count,
592                                      sizeof(response) - data_offset);
593                 u32 err;
594
595                 if (pack_byte_string(buf, sizeof(buf), "sw",
596                                      0, command_v2, sizeof(command_v2),
597                                      sizeof(command_v2), this_bytes))
598                         return TPM_LIB_ERROR;
599                 err = tpm_sendrecv_command(dev, buf, response,
600                                            &response_length);
601                 if (err)
602                         return err;
603                 if (unpack_byte_string(response, response_length, "w",
604                                        data_size_offset, &data_size))
605                         return TPM_LIB_ERROR;
606                 if (data_size > this_bytes)
607                         return TPM_LIB_ERROR;
608                 if (unpack_byte_string(response, response_length, "s",
609                                        data_offset, out, data_size))
610                         return TPM_LIB_ERROR;
611
612                 count -= data_size;
613                 out += data_size;
614         }
615
616         return 0;
617 }
618
619 u32 tpm2_write_lock(struct udevice *dev, u32 index)
620 {
621         u8 command_v2[COMMAND_BUFFER_SIZE] = {
622                 /* header 10 bytes */
623                 tpm_u16(TPM2_ST_SESSIONS),      /* TAG */
624                 tpm_u32(10 + 8 + 13), /* Length */
625                 tpm_u32(TPM2_CC_NV_WRITELOCK), /* Command code */
626
627                 /* handles 8 bytes */
628                 tpm_u32(TPM2_RH_PLATFORM),      /* Primary platform seed */
629                 tpm_u32(HR_NV_INDEX + index),   /* Password authorisation */
630
631                 /* session header 9 bytes */
632                 tpm_u32(9),                     /* Header size */
633                 tpm_u32(TPM2_RS_PW),            /* Password authorisation */
634                 tpm_u16(0),                     /* nonce_size */
635                 0,                              /* session_attrs */
636                 tpm_u16(0),                     /* auth_size */
637         };
638
639         return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
640 }
641
642 u32 tpm2_disable_platform_hierarchy(struct udevice *dev)
643 {
644         struct tpm_chip_priv *priv = dev_get_uclass_priv(dev);
645         u8 command_v2[COMMAND_BUFFER_SIZE] = {
646                 /* header 10 bytes */
647                 tpm_u16(TPM2_ST_SESSIONS),      /* TAG */
648                 tpm_u32(10 + 4 + 13 + 5),       /* Length */
649                 tpm_u32(TPM2_CC_HIER_CONTROL),  /* Command code */
650
651                 /* 4 bytes */
652                 tpm_u32(TPM2_RH_PLATFORM),      /* Primary platform seed */
653
654                 /* session header 9 bytes */
655                 tpm_u32(9),                     /* Header size */
656                 tpm_u32(TPM2_RS_PW),            /* Password authorisation */
657                 tpm_u16(0),                     /* nonce_size */
658                 0,                              /* session_attrs */
659                 tpm_u16(0),                     /* auth_size */
660
661                 /* payload 5 bytes */
662                 tpm_u32(TPM2_RH_PLATFORM),      /* Hierarchy to disable */
663                 0,                              /* 0=disable */
664         };
665         int ret;
666
667         ret = tpm_sendrecv_command(dev, command_v2, NULL, NULL);
668         log_info("ret=%s, %x\n", dev->name, ret);
669         if (ret)
670                 return ret;
671
672         priv->plat_hier_disabled = true;
673
674         return 0;
675 }
676
677 u32 tpm2_submit_command(struct udevice *dev, const u8 *sendbuf,
678                         u8 *recvbuf, size_t *recv_size)
679 {
680         return tpm_sendrecv_command(dev, sendbuf, recvbuf, recv_size);
681 }
682
683 u32 tpm2_report_state(struct udevice *dev, uint vendor_cmd, uint vendor_subcmd,
684                       u8 *recvbuf, size_t *recv_size)
685 {
686         u8 command_v2[COMMAND_BUFFER_SIZE] = {
687                 /* header 10 bytes */
688                 tpm_u16(TPM2_ST_NO_SESSIONS),           /* TAG */
689                 tpm_u32(10 + 2),                        /* Length */
690                 tpm_u32(vendor_cmd),    /* Command code */
691
692                 tpm_u16(vendor_subcmd),
693         };
694         int ret;
695
696         ret = tpm_sendrecv_command(dev, command_v2, recvbuf, recv_size);
697         log_debug("ret=%s, %x\n", dev->name, ret);
698         if (ret)
699                 return ret;
700         if (*recv_size < 12)
701                 return -ENODATA;
702         *recv_size -= 12;
703         memcpy(recvbuf, recvbuf + 12, *recv_size);
704
705         return 0;
706 }
707
708 u32 tpm2_enable_nvcommits(struct udevice *dev, uint vendor_cmd,
709                           uint vendor_subcmd)
710 {
711         u8 command_v2[COMMAND_BUFFER_SIZE] = {
712                 /* header 10 bytes */
713                 tpm_u16(TPM2_ST_NO_SESSIONS),           /* TAG */
714                 tpm_u32(10 + 2),                        /* Length */
715                 tpm_u32(vendor_cmd),    /* Command code */
716
717                 tpm_u16(vendor_subcmd),
718         };
719         int ret;
720
721         ret = tpm_sendrecv_command(dev, command_v2, NULL, NULL);
722         log_debug("ret=%s, %x\n", dev->name, ret);
723         if (ret)
724                 return ret;
725
726         return 0;
727 }