1 // SPDX-License-Identifier: GPL-2.0+
3 * Copyright (c) 2018 Bootlin
4 * Author: Miquel Raynal <miquel.raynal@bootlin.com>
9 #include <tpm-common.h>
11 #include "tpm-utils.h"
13 u32 tpm2_startup(struct udevice *dev, enum tpm2_startup_types mode)
15 const u8 command_v2[12] = {
16 tpm_u16(TPM2_ST_NO_SESSIONS),
18 tpm_u32(TPM2_CC_STARTUP),
24 * Note TPM2_Startup command will return RC_SUCCESS the first time,
25 * but will return RC_INITIALIZE otherwise.
27 ret = tpm_sendrecv_command(dev, command_v2, NULL, NULL);
28 if (ret && ret != TPM2_RC_INITIALIZE)
34 u32 tpm2_self_test(struct udevice *dev, enum tpm2_yes_no full_test)
36 const u8 command_v2[12] = {
37 tpm_u16(TPM2_ST_NO_SESSIONS),
39 tpm_u32(TPM2_CC_SELF_TEST),
43 return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
46 u32 tpm2_clear(struct udevice *dev, u32 handle, const char *pw,
49 u8 command_v2[COMMAND_BUFFER_SIZE] = {
50 tpm_u16(TPM2_ST_SESSIONS), /* TAG */
51 tpm_u32(27 + pw_sz), /* Length */
52 tpm_u32(TPM2_CC_CLEAR), /* Command code */
55 tpm_u32(handle), /* TPM resource handle */
58 tpm_u32(9 + pw_sz), /* Authorization size */
59 tpm_u32(TPM2_RS_PW), /* Session handle */
60 tpm_u16(0), /* Size of <nonce> */
61 /* <nonce> (if any) */
62 0, /* Attributes: Cont/Excl/Rst */
63 tpm_u16(pw_sz), /* Size of <hmac/password> */
64 /* STRING(pw) <hmac/password> (if any) */
66 unsigned int offset = 27;
70 * Fill the command structure starting from the first buffer:
71 * - the password (if any)
73 ret = pack_byte_string(command_v2, sizeof(command_v2), "s",
79 return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
82 u32 tpm2_pcr_extend(struct udevice *dev, u32 index, const uint8_t *digest)
84 u8 command_v2[COMMAND_BUFFER_SIZE] = {
85 tpm_u16(TPM2_ST_SESSIONS), /* TAG */
86 tpm_u32(33 + TPM2_DIGEST_LEN), /* Length */
87 tpm_u32(TPM2_CC_PCR_EXTEND), /* Command code */
90 tpm_u32(index), /* Handle (PCR Index) */
93 tpm_u32(9), /* Authorization size */
94 tpm_u32(TPM2_RS_PW), /* Session handle */
95 tpm_u16(0), /* Size of <nonce> */
96 /* <nonce> (if any) */
97 0, /* Attributes: Cont/Excl/Rst */
98 tpm_u16(0), /* Size of <hmac/password> */
99 /* <hmac/password> (if any) */
100 tpm_u32(1), /* Count (number of hashes) */
101 tpm_u16(TPM2_ALG_SHA256), /* Algorithm of the hash */
102 /* STRING(digest) Digest */
104 unsigned int offset = 33;
108 * Fill the command structure starting from the first buffer:
111 ret = pack_byte_string(command_v2, sizeof(command_v2), "s",
112 offset, digest, TPM2_DIGEST_LEN);
113 offset += TPM2_DIGEST_LEN;
115 return TPM_LIB_ERROR;
117 return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
120 u32 tpm2_pcr_read(struct udevice *dev, u32 idx, unsigned int idx_min_sz,
121 void *data, unsigned int *updates)
123 u8 idx_array_sz = max(idx_min_sz, DIV_ROUND_UP(idx, 8));
124 u8 command_v2[COMMAND_BUFFER_SIZE] = {
125 tpm_u16(TPM2_ST_NO_SESSIONS), /* TAG */
126 tpm_u32(17 + idx_array_sz), /* Length */
127 tpm_u32(TPM2_CC_PCR_READ), /* Command code */
129 /* TPML_PCR_SELECTION */
130 tpm_u32(1), /* Number of selections */
131 tpm_u16(TPM2_ALG_SHA256), /* Algorithm of the hash */
132 idx_array_sz, /* Array size for selection */
133 /* bitmap(idx) Selected PCR bitmap */
135 size_t response_len = COMMAND_BUFFER_SIZE;
136 u8 response[COMMAND_BUFFER_SIZE];
137 unsigned int pcr_sel_idx = idx / 8;
138 u8 pcr_sel_bit = BIT(idx % 8);
139 unsigned int counter = 0;
142 if (pack_byte_string(command_v2, COMMAND_BUFFER_SIZE, "b",
143 17 + pcr_sel_idx, pcr_sel_bit))
144 return TPM_LIB_ERROR;
146 ret = tpm_sendrecv_command(dev, command_v2, response, &response_len);
150 if (unpack_byte_string(response, response_len, "ds",
152 response_len - TPM2_DIGEST_LEN, data,
154 return TPM_LIB_ERROR;
162 u32 tpm2_get_capability(struct udevice *dev, u32 capability, u32 property,
163 void *buf, size_t prop_count)
165 u8 command_v2[COMMAND_BUFFER_SIZE] = {
166 tpm_u16(TPM2_ST_NO_SESSIONS), /* TAG */
167 tpm_u32(22), /* Length */
168 tpm_u32(TPM2_CC_GET_CAPABILITY), /* Command code */
170 tpm_u32(capability), /* Capability */
171 tpm_u32(property), /* Property */
172 tpm_u32(prop_count), /* Property count */
174 u8 response[COMMAND_BUFFER_SIZE];
175 size_t response_len = COMMAND_BUFFER_SIZE;
176 unsigned int properties_off;
179 ret = tpm_sendrecv_command(dev, command_v2, response, &response_len);
184 * In the response buffer, the properties are located after the:
185 * tag (u16), response size (u32), response code (u32),
186 * YES/NO flag (u8), TPM_CAP (u32) and TPMU_CAPABILITIES (u32).
188 properties_off = sizeof(u16) + sizeof(u32) + sizeof(u32) +
189 sizeof(u8) + sizeof(u32) + sizeof(u32);
190 memcpy(buf, &response[properties_off], response_len - properties_off);
195 u32 tpm2_dam_reset(struct udevice *dev, const char *pw, const ssize_t pw_sz)
197 u8 command_v2[COMMAND_BUFFER_SIZE] = {
198 tpm_u16(TPM2_ST_SESSIONS), /* TAG */
199 tpm_u32(27 + pw_sz), /* Length */
200 tpm_u32(TPM2_CC_DAM_RESET), /* Command code */
203 tpm_u32(TPM2_RH_LOCKOUT), /* TPM resource handle */
206 tpm_u32(9 + pw_sz), /* Authorization size */
207 tpm_u32(TPM2_RS_PW), /* Session handle */
208 tpm_u16(0), /* Size of <nonce> */
209 /* <nonce> (if any) */
210 0, /* Attributes: Cont/Excl/Rst */
211 tpm_u16(pw_sz), /* Size of <hmac/password> */
212 /* STRING(pw) <hmac/password> (if any) */
214 unsigned int offset = 27;
218 * Fill the command structure starting from the first buffer:
219 * - the password (if any)
221 ret = pack_byte_string(command_v2, sizeof(command_v2), "s",
225 return TPM_LIB_ERROR;
227 return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
230 u32 tpm2_dam_parameters(struct udevice *dev, const char *pw,
231 const ssize_t pw_sz, unsigned int max_tries,
232 unsigned int recovery_time,
233 unsigned int lockout_recovery)
235 u8 command_v2[COMMAND_BUFFER_SIZE] = {
236 tpm_u16(TPM2_ST_SESSIONS), /* TAG */
237 tpm_u32(27 + pw_sz + 12), /* Length */
238 tpm_u32(TPM2_CC_DAM_PARAMETERS), /* Command code */
241 tpm_u32(TPM2_RH_LOCKOUT), /* TPM resource handle */
244 tpm_u32(9 + pw_sz), /* Authorization size */
245 tpm_u32(TPM2_RS_PW), /* Session handle */
246 tpm_u16(0), /* Size of <nonce> */
247 /* <nonce> (if any) */
248 0, /* Attributes: Cont/Excl/Rst */
249 tpm_u16(pw_sz), /* Size of <hmac/password> */
250 /* STRING(pw) <hmac/password> (if any) */
252 /* LOCKOUT PARAMETERS */
253 /* tpm_u32(max_tries) Max tries (0, always lock) */
254 /* tpm_u32(recovery_time) Recovery time (0, no lock) */
255 /* tpm_u32(lockout_recovery) Lockout recovery */
257 unsigned int offset = 27;
261 * Fill the command structure starting from the first buffer:
262 * - the password (if any)
267 ret = pack_byte_string(command_v2, sizeof(command_v2), "sddd",
269 offset + pw_sz, max_tries,
270 offset + pw_sz + 4, recovery_time,
271 offset + pw_sz + 8, lockout_recovery);
272 offset += pw_sz + 12;
274 return TPM_LIB_ERROR;
276 return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
279 int tpm2_change_auth(struct udevice *dev, u32 handle, const char *newpw,
280 const ssize_t newpw_sz, const char *oldpw,
281 const ssize_t oldpw_sz)
283 unsigned int offset = 27;
284 u8 command_v2[COMMAND_BUFFER_SIZE] = {
285 tpm_u16(TPM2_ST_SESSIONS), /* TAG */
286 tpm_u32(offset + oldpw_sz + 2 + newpw_sz), /* Length */
287 tpm_u32(TPM2_CC_HIERCHANGEAUTH), /* Command code */
290 tpm_u32(handle), /* TPM resource handle */
293 tpm_u32(9 + oldpw_sz), /* Authorization size */
294 tpm_u32(TPM2_RS_PW), /* Session handle */
295 tpm_u16(0), /* Size of <nonce> */
296 /* <nonce> (if any) */
297 0, /* Attributes: Cont/Excl/Rst */
298 tpm_u16(oldpw_sz) /* Size of <hmac/password> */
299 /* STRING(oldpw) <hmac/password> (if any) */
301 /* TPM2B_AUTH (TPM2B_DIGEST) */
302 /* tpm_u16(newpw_sz) Digest size, new pw length */
303 /* STRING(newpw) Digest buffer, new pw */
308 * Fill the command structure starting from the first buffer:
309 * - the old password (if any)
310 * - size of the new password
313 ret = pack_byte_string(command_v2, sizeof(command_v2), "sws",
314 offset, oldpw, oldpw_sz,
315 offset + oldpw_sz, newpw_sz,
316 offset + oldpw_sz + 2, newpw, newpw_sz);
317 offset += oldpw_sz + 2 + newpw_sz;
319 return TPM_LIB_ERROR;
321 return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
324 u32 tpm2_pcr_setauthpolicy(struct udevice *dev, const char *pw,
325 const ssize_t pw_sz, u32 index, const char *key)
327 u8 command_v2[COMMAND_BUFFER_SIZE] = {
328 tpm_u16(TPM2_ST_SESSIONS), /* TAG */
329 tpm_u32(35 + pw_sz + TPM2_DIGEST_LEN), /* Length */
330 tpm_u32(TPM2_CC_PCR_SETAUTHPOL), /* Command code */
333 tpm_u32(TPM2_RH_PLATFORM), /* TPM resource handle */
336 tpm_u32(9 + pw_sz), /* Authorization size */
337 tpm_u32(TPM2_RS_PW), /* session handle */
338 tpm_u16(0), /* Size of <nonce> */
339 /* <nonce> (if any) */
340 0, /* Attributes: Cont/Excl/Rst */
341 tpm_u16(pw_sz) /* Size of <hmac/password> */
342 /* STRING(pw) <hmac/password> (if any) */
344 /* TPM2B_AUTH (TPM2B_DIGEST) */
345 /* tpm_u16(TPM2_DIGEST_LEN) Digest size length */
346 /* STRING(key) Digest buffer (PCR key) */
349 /* tpm_u16(TPM2_ALG_SHA256) Algorithm of the hash */
352 /* tpm_u32(index), PCR Index */
354 unsigned int offset = 27;
358 * Fill the command structure starting from the first buffer:
359 * - the password (if any)
360 * - the PCR key length
362 * - the hash algorithm
365 ret = pack_byte_string(command_v2, sizeof(command_v2), "swswd",
367 offset + pw_sz, TPM2_DIGEST_LEN,
368 offset + pw_sz + 2, key, TPM2_DIGEST_LEN,
369 offset + pw_sz + 2 + TPM2_DIGEST_LEN,
371 offset + pw_sz + 4 + TPM2_DIGEST_LEN, index);
372 offset += pw_sz + 2 + TPM2_DIGEST_LEN + 2 + 4;
374 return TPM_LIB_ERROR;
376 return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
379 u32 tpm2_pcr_setauthvalue(struct udevice *dev, const char *pw,
380 const ssize_t pw_sz, u32 index, const char *key,
381 const ssize_t key_sz)
383 u8 command_v2[COMMAND_BUFFER_SIZE] = {
384 tpm_u16(TPM2_ST_SESSIONS), /* TAG */
385 tpm_u32(33 + pw_sz + TPM2_DIGEST_LEN), /* Length */
386 tpm_u32(TPM2_CC_PCR_SETAUTHVAL), /* Command code */
389 tpm_u32(index), /* Handle (PCR Index) */
392 tpm_u32(9 + pw_sz), /* Authorization size */
393 tpm_u32(TPM2_RS_PW), /* session handle */
394 tpm_u16(0), /* Size of <nonce> */
395 /* <nonce> (if any) */
396 0, /* Attributes: Cont/Excl/Rst */
397 tpm_u16(pw_sz), /* Size of <hmac/password> */
398 /* STRING(pw) <hmac/password> (if any) */
401 /* tpm_u16(key_sz) Key length */
402 /* STRING(key) Key */
404 unsigned int offset = 27;
408 * Fill the command structure starting from the first buffer:
409 * - the password (if any)
410 * - the number of digests, 1 in our case
411 * - the algorithm, sha256 in our case
412 * - the digest (64 bytes)
414 ret = pack_byte_string(command_v2, sizeof(command_v2), "sws",
416 offset + pw_sz, key_sz,
417 offset + pw_sz + 2, key, key_sz);
418 offset += pw_sz + 2 + key_sz;
420 return TPM_LIB_ERROR;
422 return tpm_sendrecv_command(dev, command_v2, NULL, NULL);