]> git.dujemihanovic.xyz Git - u-boot.git/commitdiff
tpm: Add TPM2 support for read/write values
authorSimon Glass <sjg@chromium.org>
Sat, 6 Feb 2021 21:23:40 +0000 (14:23 -0700)
committerTom Rini <trini@konsulko.com>
Tue, 2 Mar 2021 20:53:37 +0000 (15:53 -0500)
Implement this API function for TPM2.

Signed-off-by: Simon Glass <sjg@chromium.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
include/tpm-common.h
include/tpm-v2.h
lib/tpm-v2.c
lib/tpm_api.c

index c1309a2735d16fe6995f1cf8c37c8b34b4424334..998b4fbb4159a44646fff2108b5add4713b20362 100644 (file)
@@ -55,6 +55,8 @@ enum tpm_version {
  * @buf:               Buffer used during the exchanges with the chip
  * @pcr_count:         Number of PCR per bank
  * @pcr_select_min:    Minimum size in bytes of the pcrSelect array
+ * @plat_hier_disabled:        Platform hierarchy has been disabled (TPM is locked
+ *                     down until next reboot)
  */
 struct tpm_chip_priv {
        enum tpm_version version;
@@ -66,6 +68,7 @@ struct tpm_chip_priv {
        /* TPM v2 specific data */
        uint pcr_count;
        uint pcr_select_min;
+       bool plat_hier_disabled;
 };
 
 /**
index aa8b6512b2b4257f5c100d4dfb81642748e95f57..b73a2d278e77d9bb59b84b57b833672d67c09e71 100644 (file)
@@ -242,6 +242,7 @@ enum tpm2_command_codes {
        TPM2_CC_HIERCHANGEAUTH  = 0x0129,
        TPM2_CC_NV_DEFINE_SPACE = 0x012a,
        TPM2_CC_PCR_SETAUTHPOL  = 0x012C,
+       TPM2_CC_NV_WRITE        = 0x0137,
        TPM2_CC_DAM_RESET       = 0x0139,
        TPM2_CC_DAM_PARAMETERS  = 0x013A,
        TPM2_CC_NV_READ         = 0x014E,
@@ -356,6 +357,20 @@ enum {
        TPM_MAX_BUF_SIZE        = 1260,
 };
 
+enum {
+       /* Secure storage for firmware settings */
+       TPM_HT_PCR = 0,
+       TPM_HT_NV_INDEX,
+       TPM_HT_HMAC_SESSION,
+       TPM_HT_POLICY_SESSION,
+
+       HR_SHIFT                = 24,
+       HR_PCR                  = TPM_HT_PCR << HR_SHIFT,
+       HR_HMAC_SESSION         = TPM_HT_HMAC_SESSION << HR_SHIFT,
+       HR_POLICY_SESSION       = TPM_HT_POLICY_SESSION << HR_SHIFT,
+       HR_NV_INDEX             = TPM_HT_NV_INDEX << HR_SHIFT,
+};
+
 /**
  * Issue a TPM2_Startup command.
  *
@@ -420,6 +435,29 @@ u32 tpm2_nv_define_space(struct udevice *dev, u32 space_index,
 u32 tpm2_pcr_extend(struct udevice *dev, u32 index, u32 algorithm,
                    const u8 *digest, u32 digest_len);
 
+/**
+ * Read data from the secure storage
+ *
+ * @dev                TPM device
+ * @index      Index of data to read
+ * @data       Place to put data
+ * @count      Number of bytes of data
+ * @return code of the operation
+ */
+u32 tpm2_nv_read_value(struct udevice *dev, u32 index, void *data, u32 count);
+
+/**
+ * Write data to the secure storage
+ *
+ * @dev                TPM device
+ * @index      Index of data to write
+ * @data       Data to write
+ * @count      Number of bytes of data
+ * @return code of the operation
+ */
+u32 tpm2_nv_write_value(struct udevice *dev, u32 index, const void *data,
+                       u32 count);
+
 /**
  * Issue a TPM2_PCR_Read command.
  *
index e9bf4018fede193d3152f252b52779c9bed821f9..9f1699131e1265b83075c05f25803e223dba53a5 100644 (file)
@@ -169,6 +169,90 @@ u32 tpm2_pcr_extend(struct udevice *dev, u32 index, u32 algorithm,
        return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
 }
 
+u32 tpm2_nv_read_value(struct udevice *dev, u32 index, void *data, u32 count)
+{
+       u8 command_v2[COMMAND_BUFFER_SIZE] = {
+               /* header 10 bytes */
+               tpm_u16(TPM2_ST_SESSIONS),      /* TAG */
+               tpm_u32(10 + 8 + 4 + 9 + 4),    /* Length */
+               tpm_u32(TPM2_CC_NV_READ),       /* Command code */
+
+               /* handles 8 bytes */
+               tpm_u32(TPM2_RH_PLATFORM),      /* Primary platform seed */
+               tpm_u32(HR_NV_INDEX + index),   /* Password authorisation */
+
+               /* AUTH_SESSION */
+               tpm_u32(9),                     /* Authorization size */
+               tpm_u32(TPM2_RS_PW),            /* Session handle */
+               tpm_u16(0),                     /* Size of <nonce> */
+                                               /* <nonce> (if any) */
+               0,                              /* Attributes: Cont/Excl/Rst */
+               tpm_u16(0),                     /* Size of <hmac/password> */
+                                               /* <hmac/password> (if any) */
+
+               tpm_u16(count),                 /* Number of bytes */
+               tpm_u16(0),                     /* Offset */
+       };
+       size_t response_len = COMMAND_BUFFER_SIZE;
+       u8 response[COMMAND_BUFFER_SIZE];
+       int ret;
+       u16 tag;
+       u32 size, code;
+
+       ret = tpm_sendrecv_command(dev, command_v2, response, &response_len);
+       if (ret)
+               return log_msg_ret("read", ret);
+       if (unpack_byte_string(response, response_len, "wdds",
+                              0, &tag, 2, &size, 6, &code,
+                              16, data, count))
+               return TPM_LIB_ERROR;
+
+       return 0;
+}
+
+u32 tpm2_nv_write_value(struct udevice *dev, u32 index, const void *data,
+                       u32 count)
+{
+       struct tpm_chip_priv *priv = dev_get_uclass_priv(dev);
+       uint offset = 10 + 8 + 4 + 9 + 2;
+       uint len = offset + count + 2;
+       /* Use empty password auth if platform hierarchy is disabled */
+       u32 auth = priv->plat_hier_disabled ? HR_NV_INDEX + index :
+               TPM2_RH_PLATFORM;
+       u8 command_v2[COMMAND_BUFFER_SIZE] = {
+               /* header 10 bytes */
+               tpm_u16(TPM2_ST_SESSIONS),      /* TAG */
+               tpm_u32(len),                   /* Length */
+               tpm_u32(TPM2_CC_NV_WRITE),      /* Command code */
+
+               /* handles 8 bytes */
+               tpm_u32(auth),                  /* Primary platform seed */
+               tpm_u32(HR_NV_INDEX + index),   /* Password authorisation */
+
+               /* AUTH_SESSION */
+               tpm_u32(9),                     /* Authorization size */
+               tpm_u32(TPM2_RS_PW),            /* Session handle */
+               tpm_u16(0),                     /* Size of <nonce> */
+                                               /* <nonce> (if any) */
+               0,                              /* Attributes: Cont/Excl/Rst */
+               tpm_u16(0),                     /* Size of <hmac/password> */
+                                               /* <hmac/password> (if any) */
+
+               tpm_u16(count),
+       };
+       size_t response_len = COMMAND_BUFFER_SIZE;
+       u8 response[COMMAND_BUFFER_SIZE];
+       int ret;
+
+       ret = pack_byte_string(command_v2, sizeof(command_v2), "sw",
+                              offset, data, count,
+                              offset + count, 0);
+       if (ret)
+               return TPM_LIB_ERROR;
+
+       return tpm_sendrecv_command(dev, command_v2, response, &response_len);
+}
+
 u32 tpm2_pcr_read(struct udevice *dev, u32 idx, unsigned int idx_min_sz,
                  void *data, unsigned int *updates)
 {
index f1553512cc544de60efa0ecf4c3ff0215a123bcf..687fc8bc7ee807078b8131a63a826a0ba5733631 100644 (file)
@@ -118,7 +118,7 @@ u32 tpm_nv_read_value(struct udevice *dev, u32 index, void *data, u32 count)
        if (is_tpm1(dev))
                return tpm1_nv_read_value(dev, index, data, count);
        else if (is_tpm2(dev))
-               return -ENOSYS;
+               return tpm2_nv_read_value(dev, index, data, count);
        else
                return -ENOSYS;
 }
@@ -129,7 +129,7 @@ u32 tpm_nv_write_value(struct udevice *dev, u32 index, const void *data,
        if (is_tpm1(dev))
                return tpm1_nv_write_value(dev, index, data, count);
        else if (is_tpm2(dev))
-               return -ENOSYS;
+               return tpm2_nv_write_value(dev, index, data, count);
        else
                return -ENOSYS;
 }