lib: rsa: decouple rsa from FIT image verification
[platform/kernel/u-boot.git] / lib / tpm-v2.c
1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3  * Copyright (c) 2018 Bootlin
4  * Author: Miquel Raynal <miquel.raynal@bootlin.com>
5  */
6
7 #include <common.h>
8 #include <dm.h>
9 #include <tpm-common.h>
10 #include <tpm-v2.h>
11 #include "tpm-utils.h"
12
13 u32 tpm2_startup(struct udevice *dev, enum tpm2_startup_types mode)
14 {
15         const u8 command_v2[12] = {
16                 tpm_u16(TPM2_ST_NO_SESSIONS),
17                 tpm_u32(12),
18                 tpm_u32(TPM2_CC_STARTUP),
19                 tpm_u16(mode),
20         };
21         int ret;
22
23         /*
24          * Note TPM2_Startup command will return RC_SUCCESS the first time,
25          * but will return RC_INITIALIZE otherwise.
26          */
27         ret = tpm_sendrecv_command(dev, command_v2, NULL, NULL);
28         if (ret && ret != TPM2_RC_INITIALIZE)
29                 return ret;
30
31         return 0;
32 }
33
34 u32 tpm2_self_test(struct udevice *dev, enum tpm2_yes_no full_test)
35 {
36         const u8 command_v2[12] = {
37                 tpm_u16(TPM2_ST_NO_SESSIONS),
38                 tpm_u32(11),
39                 tpm_u32(TPM2_CC_SELF_TEST),
40                 full_test,
41         };
42
43         return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
44 }
45
46 u32 tpm2_clear(struct udevice *dev, u32 handle, const char *pw,
47                const ssize_t pw_sz)
48 {
49         u8 command_v2[COMMAND_BUFFER_SIZE] = {
50                 tpm_u16(TPM2_ST_SESSIONS),      /* TAG */
51                 tpm_u32(27 + pw_sz),            /* Length */
52                 tpm_u32(TPM2_CC_CLEAR),         /* Command code */
53
54                 /* HANDLE */
55                 tpm_u32(handle),                /* TPM resource handle */
56
57                 /* AUTH_SESSION */
58                 tpm_u32(9 + pw_sz),             /* Authorization size */
59                 tpm_u32(TPM2_RS_PW),            /* Session handle */
60                 tpm_u16(0),                     /* Size of <nonce> */
61                                                 /* <nonce> (if any) */
62                 0,                              /* Attributes: Cont/Excl/Rst */
63                 tpm_u16(pw_sz),                 /* Size of <hmac/password> */
64                 /* STRING(pw)                      <hmac/password> (if any) */
65         };
66         unsigned int offset = 27;
67         int ret;
68
69         /*
70          * Fill the command structure starting from the first buffer:
71          *     - the password (if any)
72          */
73         ret = pack_byte_string(command_v2, sizeof(command_v2), "s",
74                                offset, pw, pw_sz);
75         offset += pw_sz;
76         if (ret)
77                 return TPM_LIB_ERROR;
78
79         return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
80 }
81
82 u32 tpm2_pcr_extend(struct udevice *dev, u32 index, const uint8_t *digest)
83 {
84         u8 command_v2[COMMAND_BUFFER_SIZE] = {
85                 tpm_u16(TPM2_ST_SESSIONS),      /* TAG */
86                 tpm_u32(33 + TPM2_DIGEST_LEN),  /* Length */
87                 tpm_u32(TPM2_CC_PCR_EXTEND),    /* Command code */
88
89                 /* HANDLE */
90                 tpm_u32(index),                 /* Handle (PCR Index) */
91
92                 /* AUTH_SESSION */
93                 tpm_u32(9),                     /* Authorization size */
94                 tpm_u32(TPM2_RS_PW),            /* Session handle */
95                 tpm_u16(0),                     /* Size of <nonce> */
96                                                 /* <nonce> (if any) */
97                 0,                              /* Attributes: Cont/Excl/Rst */
98                 tpm_u16(0),                     /* Size of <hmac/password> */
99                                                 /* <hmac/password> (if any) */
100                 tpm_u32(1),                     /* Count (number of hashes) */
101                 tpm_u16(TPM2_ALG_SHA256),       /* Algorithm of the hash */
102                 /* STRING(digest)                  Digest */
103         };
104         unsigned int offset = 33;
105         int ret;
106
107         /*
108          * Fill the command structure starting from the first buffer:
109          *     - the digest
110          */
111         ret = pack_byte_string(command_v2, sizeof(command_v2), "s",
112                                offset, digest, TPM2_DIGEST_LEN);
113         offset += TPM2_DIGEST_LEN;
114         if (ret)
115                 return TPM_LIB_ERROR;
116
117         return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
118 }
119
120 u32 tpm2_pcr_read(struct udevice *dev, u32 idx, unsigned int idx_min_sz,
121                   void *data, unsigned int *updates)
122 {
123         u8 idx_array_sz = max(idx_min_sz, DIV_ROUND_UP(idx, 8));
124         u8 command_v2[COMMAND_BUFFER_SIZE] = {
125                 tpm_u16(TPM2_ST_NO_SESSIONS),   /* TAG */
126                 tpm_u32(17 + idx_array_sz),     /* Length */
127                 tpm_u32(TPM2_CC_PCR_READ),      /* Command code */
128
129                 /* TPML_PCR_SELECTION */
130                 tpm_u32(1),                     /* Number of selections */
131                 tpm_u16(TPM2_ALG_SHA256),       /* Algorithm of the hash */
132                 idx_array_sz,                   /* Array size for selection */
133                 /* bitmap(idx)                     Selected PCR bitmap */
134         };
135         size_t response_len = COMMAND_BUFFER_SIZE;
136         u8 response[COMMAND_BUFFER_SIZE];
137         unsigned int pcr_sel_idx = idx / 8;
138         u8 pcr_sel_bit = BIT(idx % 8);
139         unsigned int counter = 0;
140         int ret;
141
142         if (pack_byte_string(command_v2, COMMAND_BUFFER_SIZE, "b",
143                              17 + pcr_sel_idx, pcr_sel_bit))
144                 return TPM_LIB_ERROR;
145
146         ret = tpm_sendrecv_command(dev, command_v2, response, &response_len);
147         if (ret)
148                 return ret;
149
150         if (unpack_byte_string(response, response_len, "ds",
151                                10, &counter,
152                                response_len - TPM2_DIGEST_LEN, data,
153                                TPM2_DIGEST_LEN))
154                 return TPM_LIB_ERROR;
155
156         if (updates)
157                 *updates = counter;
158
159         return 0;
160 }
161
162 u32 tpm2_get_capability(struct udevice *dev, u32 capability, u32 property,
163                         void *buf, size_t prop_count)
164 {
165         u8 command_v2[COMMAND_BUFFER_SIZE] = {
166                 tpm_u16(TPM2_ST_NO_SESSIONS),           /* TAG */
167                 tpm_u32(22),                            /* Length */
168                 tpm_u32(TPM2_CC_GET_CAPABILITY),        /* Command code */
169
170                 tpm_u32(capability),                    /* Capability */
171                 tpm_u32(property),                      /* Property */
172                 tpm_u32(prop_count),                    /* Property count */
173         };
174         u8 response[COMMAND_BUFFER_SIZE];
175         size_t response_len = COMMAND_BUFFER_SIZE;
176         unsigned int properties_off;
177         int ret;
178
179         ret = tpm_sendrecv_command(dev, command_v2, response, &response_len);
180         if (ret)
181                 return ret;
182
183         /*
184          * In the response buffer, the properties are located after the:
185          * tag (u16), response size (u32), response code (u32),
186          * YES/NO flag (u8), TPM_CAP (u32) and TPMU_CAPABILITIES (u32).
187          */
188         properties_off = sizeof(u16) + sizeof(u32) + sizeof(u32) +
189                          sizeof(u8) + sizeof(u32) + sizeof(u32);
190         memcpy(buf, &response[properties_off], response_len - properties_off);
191
192         return 0;
193 }
194
195 u32 tpm2_dam_reset(struct udevice *dev, const char *pw, const ssize_t pw_sz)
196 {
197         u8 command_v2[COMMAND_BUFFER_SIZE] = {
198                 tpm_u16(TPM2_ST_SESSIONS),      /* TAG */
199                 tpm_u32(27 + pw_sz),            /* Length */
200                 tpm_u32(TPM2_CC_DAM_RESET),     /* Command code */
201
202                 /* HANDLE */
203                 tpm_u32(TPM2_RH_LOCKOUT),       /* TPM resource handle */
204
205                 /* AUTH_SESSION */
206                 tpm_u32(9 + pw_sz),             /* Authorization size */
207                 tpm_u32(TPM2_RS_PW),            /* Session handle */
208                 tpm_u16(0),                     /* Size of <nonce> */
209                                                 /* <nonce> (if any) */
210                 0,                              /* Attributes: Cont/Excl/Rst */
211                 tpm_u16(pw_sz),                 /* Size of <hmac/password> */
212                 /* STRING(pw)                      <hmac/password> (if any) */
213         };
214         unsigned int offset = 27;
215         int ret;
216
217         /*
218          * Fill the command structure starting from the first buffer:
219          *     - the password (if any)
220          */
221         ret = pack_byte_string(command_v2, sizeof(command_v2), "s",
222                                offset, pw, pw_sz);
223         offset += pw_sz;
224         if (ret)
225                 return TPM_LIB_ERROR;
226
227         return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
228 }
229
230 u32 tpm2_dam_parameters(struct udevice *dev, const char *pw,
231                         const ssize_t pw_sz, unsigned int max_tries,
232                         unsigned int recovery_time,
233                         unsigned int lockout_recovery)
234 {
235         u8 command_v2[COMMAND_BUFFER_SIZE] = {
236                 tpm_u16(TPM2_ST_SESSIONS),      /* TAG */
237                 tpm_u32(27 + pw_sz + 12),       /* Length */
238                 tpm_u32(TPM2_CC_DAM_PARAMETERS), /* Command code */
239
240                 /* HANDLE */
241                 tpm_u32(TPM2_RH_LOCKOUT),       /* TPM resource handle */
242
243                 /* AUTH_SESSION */
244                 tpm_u32(9 + pw_sz),             /* Authorization size */
245                 tpm_u32(TPM2_RS_PW),            /* Session handle */
246                 tpm_u16(0),                     /* Size of <nonce> */
247                                                 /* <nonce> (if any) */
248                 0,                              /* Attributes: Cont/Excl/Rst */
249                 tpm_u16(pw_sz),                 /* Size of <hmac/password> */
250                 /* STRING(pw)                      <hmac/password> (if any) */
251
252                 /* LOCKOUT PARAMETERS */
253                 /* tpm_u32(max_tries)              Max tries (0, always lock) */
254                 /* tpm_u32(recovery_time)          Recovery time (0, no lock) */
255                 /* tpm_u32(lockout_recovery)       Lockout recovery */
256         };
257         unsigned int offset = 27;
258         int ret;
259
260         /*
261          * Fill the command structure starting from the first buffer:
262          *     - the password (if any)
263          *     - max tries
264          *     - recovery time
265          *     - lockout recovery
266          */
267         ret = pack_byte_string(command_v2, sizeof(command_v2), "sddd",
268                                offset, pw, pw_sz,
269                                offset + pw_sz, max_tries,
270                                offset + pw_sz + 4, recovery_time,
271                                offset + pw_sz + 8, lockout_recovery);
272         offset += pw_sz + 12;
273         if (ret)
274                 return TPM_LIB_ERROR;
275
276         return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
277 }
278
279 int tpm2_change_auth(struct udevice *dev, u32 handle, const char *newpw,
280                      const ssize_t newpw_sz, const char *oldpw,
281                      const ssize_t oldpw_sz)
282 {
283         unsigned int offset = 27;
284         u8 command_v2[COMMAND_BUFFER_SIZE] = {
285                 tpm_u16(TPM2_ST_SESSIONS),      /* TAG */
286                 tpm_u32(offset + oldpw_sz + 2 + newpw_sz), /* Length */
287                 tpm_u32(TPM2_CC_HIERCHANGEAUTH), /* Command code */
288
289                 /* HANDLE */
290                 tpm_u32(handle),                /* TPM resource handle */
291
292                 /* AUTH_SESSION */
293                 tpm_u32(9 + oldpw_sz),          /* Authorization size */
294                 tpm_u32(TPM2_RS_PW),            /* Session handle */
295                 tpm_u16(0),                     /* Size of <nonce> */
296                                                 /* <nonce> (if any) */
297                 0,                              /* Attributes: Cont/Excl/Rst */
298                 tpm_u16(oldpw_sz)               /* Size of <hmac/password> */
299                 /* STRING(oldpw)                   <hmac/password> (if any) */
300
301                 /* TPM2B_AUTH (TPM2B_DIGEST) */
302                 /* tpm_u16(newpw_sz)               Digest size, new pw length */
303                 /* STRING(newpw)                   Digest buffer, new pw */
304         };
305         int ret;
306
307         /*
308          * Fill the command structure starting from the first buffer:
309          *     - the old password (if any)
310          *     - size of the new password
311          *     - new password
312          */
313         ret = pack_byte_string(command_v2, sizeof(command_v2), "sws",
314                                offset, oldpw, oldpw_sz,
315                                offset + oldpw_sz, newpw_sz,
316                                offset + oldpw_sz + 2, newpw, newpw_sz);
317         offset += oldpw_sz + 2 + newpw_sz;
318         if (ret)
319                 return TPM_LIB_ERROR;
320
321         return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
322 }
323
324 u32 tpm2_pcr_setauthpolicy(struct udevice *dev, const char *pw,
325                            const ssize_t pw_sz, u32 index, const char *key)
326 {
327         u8 command_v2[COMMAND_BUFFER_SIZE] = {
328                 tpm_u16(TPM2_ST_SESSIONS),      /* TAG */
329                 tpm_u32(35 + pw_sz + TPM2_DIGEST_LEN), /* Length */
330                 tpm_u32(TPM2_CC_PCR_SETAUTHPOL), /* Command code */
331
332                 /* HANDLE */
333                 tpm_u32(TPM2_RH_PLATFORM),      /* TPM resource handle */
334
335                 /* AUTH_SESSION */
336                 tpm_u32(9 + pw_sz),             /* Authorization size */
337                 tpm_u32(TPM2_RS_PW),            /* session handle */
338                 tpm_u16(0),                     /* Size of <nonce> */
339                                                 /* <nonce> (if any) */
340                 0,                              /* Attributes: Cont/Excl/Rst */
341                 tpm_u16(pw_sz)                  /* Size of <hmac/password> */
342                 /* STRING(pw)                      <hmac/password> (if any) */
343
344                 /* TPM2B_AUTH (TPM2B_DIGEST) */
345                 /* tpm_u16(TPM2_DIGEST_LEN)        Digest size length */
346                 /* STRING(key)                     Digest buffer (PCR key) */
347
348                 /* TPMI_ALG_HASH */
349                 /* tpm_u16(TPM2_ALG_SHA256)   Algorithm of the hash */
350
351                 /* TPMI_DH_PCR */
352                 /* tpm_u32(index),                 PCR Index */
353         };
354         unsigned int offset = 27;
355         int ret;
356
357         /*
358          * Fill the command structure starting from the first buffer:
359          *     - the password (if any)
360          *     - the PCR key length
361          *     - the PCR key
362          *     - the hash algorithm
363          *     - the PCR index
364          */
365         ret = pack_byte_string(command_v2, sizeof(command_v2), "swswd",
366                                offset, pw, pw_sz,
367                                offset + pw_sz, TPM2_DIGEST_LEN,
368                                offset + pw_sz + 2, key, TPM2_DIGEST_LEN,
369                                offset + pw_sz + 2 + TPM2_DIGEST_LEN,
370                                TPM2_ALG_SHA256,
371                                offset + pw_sz + 4 + TPM2_DIGEST_LEN, index);
372         offset += pw_sz + 2 + TPM2_DIGEST_LEN + 2 + 4;
373         if (ret)
374                 return TPM_LIB_ERROR;
375
376         return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
377 }
378
379 u32 tpm2_pcr_setauthvalue(struct udevice *dev, const char *pw,
380                           const ssize_t pw_sz, u32 index, const char *key,
381                           const ssize_t key_sz)
382 {
383         u8 command_v2[COMMAND_BUFFER_SIZE] = {
384                 tpm_u16(TPM2_ST_SESSIONS),      /* TAG */
385                 tpm_u32(33 + pw_sz + TPM2_DIGEST_LEN), /* Length */
386                 tpm_u32(TPM2_CC_PCR_SETAUTHVAL), /* Command code */
387
388                 /* HANDLE */
389                 tpm_u32(index),                 /* Handle (PCR Index) */
390
391                 /* AUTH_SESSION */
392                 tpm_u32(9 + pw_sz),             /* Authorization size */
393                 tpm_u32(TPM2_RS_PW),            /* session handle */
394                 tpm_u16(0),                     /* Size of <nonce> */
395                                                 /* <nonce> (if any) */
396                 0,                              /* Attributes: Cont/Excl/Rst */
397                 tpm_u16(pw_sz),                 /* Size of <hmac/password> */
398                 /* STRING(pw)                      <hmac/password> (if any) */
399
400                 /* TPM2B_DIGEST */
401                 /* tpm_u16(key_sz)                 Key length */
402                 /* STRING(key)                     Key */
403         };
404         unsigned int offset = 27;
405         int ret;
406
407         /*
408          * Fill the command structure starting from the first buffer:
409          *     - the password (if any)
410          *     - the number of digests, 1 in our case
411          *     - the algorithm, sha256 in our case
412          *     - the digest (64 bytes)
413          */
414         ret = pack_byte_string(command_v2, sizeof(command_v2), "sws",
415                                offset, pw, pw_sz,
416                                offset + pw_sz, key_sz,
417                                offset + pw_sz + 2, key, key_sz);
418         offset += pw_sz + 2 + key_sz;
419         if (ret)
420                 return TPM_LIB_ERROR;
421
422         return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
423 }