[J-u-boot.git] / lib / tpm-v2.c

// SPDX-License-Identifier: GPL-2.0+
/*
 * Copyright (c) 2018 Bootlin
 * Author: Miquel Raynal <[email protected]>
 */

#include <common.h>
#include <dm.h>
#include <tpm-common.h>
#include <tpm-v2.h>
#include "tpm-utils.h"

u32 tpm2_startup(struct udevice *dev, enum tpm2_startup_types mode)
{
	const u8 command_v2[12] = {
		tpm_u16(TPM2_ST_NO_SESSIONS),
		tpm_u32(12),
		tpm_u32(TPM2_CC_STARTUP),
		tpm_u16(mode),
	};
	int ret;

	/*
	 * Note TPM2_Startup command will return RC_SUCCESS the first time,
	 * but will return RC_INITIALIZE otherwise.
	 */
	ret = tpm_sendrecv_command(dev, command_v2, NULL, NULL);
	if (ret && ret != TPM2_RC_INITIALIZE)
		return ret;

	return 0;
}

u32 tpm2_self_test(struct udevice *dev, enum tpm2_yes_no full_test)
{
	const u8 command_v2[12] = {
		tpm_u16(TPM2_ST_NO_SESSIONS),
		tpm_u32(11),
		tpm_u32(TPM2_CC_SELF_TEST),
		full_test,
	};

	return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
}

u32 tpm2_clear(struct udevice *dev, u32 handle, const char *pw,
	       const ssize_t pw_sz)
{
	u8 command_v2[COMMAND_BUFFER_SIZE] = {
		tpm_u16(TPM2_ST_SESSIONS),	/* TAG */
		tpm_u32(27 + pw_sz),		/* Length */
		tpm_u32(TPM2_CC_CLEAR),		/* Command code */

		/* HANDLE */
		tpm_u32(handle),		/* TPM resource handle */

		/* AUTH_SESSION */
		tpm_u32(9 + pw_sz),		/* Authorization size */
		tpm_u32(TPM2_RS_PW),		/* Session handle */
		tpm_u16(0),			/* Size of <nonce> */
						/* <nonce> (if any) */
		0,				/* Attributes: Cont/Excl/Rst */
		tpm_u16(pw_sz),			/* Size of <hmac/password> */
		/* STRING(pw)			   <hmac/password> (if any) */
	};
	unsigned int offset = 27;
	int ret;

	/*
	 * Fill the command structure starting from the first buffer:
	 *     - the password (if any)
	 */
	ret = pack_byte_string(command_v2, sizeof(command_v2), "s",
			       offset, pw, pw_sz);
	offset += pw_sz;
	if (ret)
		return TPM_LIB_ERROR;

	return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
}

u32 tpm2_pcr_extend(struct udevice *dev, u32 index, const uint8_t *digest)
{
	u8 command_v2[COMMAND_BUFFER_SIZE] = {
		tpm_u16(TPM2_ST_SESSIONS),	/* TAG */
		tpm_u32(33 + TPM2_DIGEST_LEN),	/* Length */
		tpm_u32(TPM2_CC_PCR_EXTEND),	/* Command code */

		/* HANDLE */
		tpm_u32(index),			/* Handle (PCR Index) */

		/* AUTH_SESSION */
		tpm_u32(9),			/* Authorization size */
		tpm_u32(TPM2_RS_PW),		/* Session handle */
		tpm_u16(0),			/* Size of <nonce> */
						/* <nonce> (if any) */
		0,				/* Attributes: Cont/Excl/Rst */
		tpm_u16(0),			/* Size of <hmac/password> */
						/* <hmac/password> (if any) */
		tpm_u32(1),			/* Count (number of hashes) */
		tpm_u16(TPM2_ALG_SHA256),	/* Algorithm of the hash */
		/* STRING(digest)		   Digest */
	};
	unsigned int offset = 33;
	int ret;

	/*
	 * Fill the command structure starting from the first buffer:
	 *     - the digest
	 */
	ret = pack_byte_string(command_v2, sizeof(command_v2), "s",
			       offset, digest, TPM2_DIGEST_LEN);
	offset += TPM2_DIGEST_LEN;
	if (ret)
		return TPM_LIB_ERROR;

	return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
}

u32 tpm2_pcr_read(struct udevice *dev, u32 idx, unsigned int idx_min_sz,
		  void *data, unsigned int *updates)
{
	u8 idx_array_sz = max(idx_min_sz, DIV_ROUND_UP(idx, 8));
	u8 command_v2[COMMAND_BUFFER_SIZE] = {
		tpm_u16(TPM2_ST_NO_SESSIONS),	/* TAG */
		tpm_u32(17 + idx_array_sz),	/* Length */
		tpm_u32(TPM2_CC_PCR_READ),	/* Command code */

		/* TPML_PCR_SELECTION */
		tpm_u32(1),			/* Number of selections */
		tpm_u16(TPM2_ALG_SHA256),	/* Algorithm of the hash */
		idx_array_sz,			/* Array size for selection */
		/* bitmap(idx)			   Selected PCR bitmap */
	};
	size_t response_len = COMMAND_BUFFER_SIZE;
	u8 response[COMMAND_BUFFER_SIZE];
	unsigned int pcr_sel_idx = idx / 8;
	u8 pcr_sel_bit = BIT(idx % 8);
	unsigned int counter = 0;
	int ret;

	if (pack_byte_string(command_v2, COMMAND_BUFFER_SIZE, "b",
			     17 + pcr_sel_idx, pcr_sel_bit))
		return TPM_LIB_ERROR;

	ret = tpm_sendrecv_command(dev, command_v2, response, &response_len);
	if (ret)
		return ret;

	if (unpack_byte_string(response, response_len, "ds",
			       10, &counter,
			       response_len - TPM2_DIGEST_LEN, data,
			       TPM2_DIGEST_LEN))
		return TPM_LIB_ERROR;

	if (updates)
		*updates = counter;

	return 0;
}

u32 tpm2_get_capability(struct udevice *dev, u32 capability, u32 property,
			void *buf, size_t prop_count)
{
	u8 command_v2[COMMAND_BUFFER_SIZE] = {
		tpm_u16(TPM2_ST_NO_SESSIONS),		/* TAG */
		tpm_u32(22),				/* Length */
		tpm_u32(TPM2_CC_GET_CAPABILITY),	/* Command code */

		tpm_u32(capability),			/* Capability */
		tpm_u32(property),			/* Property */
		tpm_u32(prop_count),			/* Property count */
	};
	u8 response[COMMAND_BUFFER_SIZE];
	size_t response_len = COMMAND_BUFFER_SIZE;
	unsigned int properties_off;
	int ret;

	ret = tpm_sendrecv_command(dev, command_v2, response, &response_len);
	if (ret)
		return ret;

	/*
	 * In the response buffer, the properties are located after the:
	 * tag (u16), response size (u32), response code (u32),
	 * YES/NO flag (u8), TPM_CAP (u32) and TPMU_CAPABILITIES (u32).
	 */
	properties_off = sizeof(u16) + sizeof(u32) + sizeof(u32) +
			 sizeof(u8) + sizeof(u32) + sizeof(u32);
	memcpy(buf, &response[properties_off], response_len - properties_off);

	return 0;
}

u32 tpm2_dam_reset(struct udevice *dev, const char *pw, const ssize_t pw_sz)
{
	u8 command_v2[COMMAND_BUFFER_SIZE] = {
		tpm_u16(TPM2_ST_SESSIONS),	/* TAG */
		tpm_u32(27 + pw_sz),		/* Length */
		tpm_u32(TPM2_CC_DAM_RESET),	/* Command code */

		/* HANDLE */
		tpm_u32(TPM2_RH_LOCKOUT),	/* TPM resource handle */

		/* AUTH_SESSION */
		tpm_u32(9 + pw_sz),		/* Authorization size */
		tpm_u32(TPM2_RS_PW),		/* Session handle */
		tpm_u16(0),			/* Size of <nonce> */
						/* <nonce> (if any) */
		0,				/* Attributes: Cont/Excl/Rst */
		tpm_u16(pw_sz),			/* Size of <hmac/password> */
		/* STRING(pw)			   <hmac/password> (if any) */
	};
	unsigned int offset = 27;
	int ret;

	/*
	 * Fill the command structure starting from the first buffer:
	 *     - the password (if any)
	 */
	ret = pack_byte_string(command_v2, sizeof(command_v2), "s",
			       offset, pw, pw_sz);
	offset += pw_sz;
	if (ret)
		return TPM_LIB_ERROR;

	return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
}

u32 tpm2_dam_parameters(struct udevice *dev, const char *pw,
			const ssize_t pw_sz, unsigned int max_tries,
			unsigned int recovery_time,
			unsigned int lockout_recovery)
{
	u8 command_v2[COMMAND_BUFFER_SIZE] = {
		tpm_u16(TPM2_ST_SESSIONS),	/* TAG */
		tpm_u32(27 + pw_sz + 12),	/* Length */
		tpm_u32(TPM2_CC_DAM_PARAMETERS), /* Command code */

		/* HANDLE */
		tpm_u32(TPM2_RH_LOCKOUT),	/* TPM resource handle */

		/* AUTH_SESSION */
		tpm_u32(9 + pw_sz),		/* Authorization size */
		tpm_u32(TPM2_RS_PW),		/* Session handle */
		tpm_u16(0),			/* Size of <nonce> */
						/* <nonce> (if any) */
		0,				/* Attributes: Cont/Excl/Rst */
		tpm_u16(pw_sz),			/* Size of <hmac/password> */
		/* STRING(pw)			   <hmac/password> (if any) */

		/* LOCKOUT PARAMETERS */
		/* tpm_u32(max_tries)		   Max tries (0, always lock) */
		/* tpm_u32(recovery_time)	   Recovery time (0, no lock) */
		/* tpm_u32(lockout_recovery)	   Lockout recovery */
	};
	unsigned int offset = 27;
	int ret;

	/*
	 * Fill the command structure starting from the first buffer:
	 *     - the password (if any)
	 *     - max tries
	 *     - recovery time
	 *     - lockout recovery
	 */
	ret = pack_byte_string(command_v2, sizeof(command_v2), "sddd",
			       offset, pw, pw_sz,
			       offset + pw_sz, max_tries,
			       offset + pw_sz + 4, recovery_time,
			       offset + pw_sz + 8, lockout_recovery);
	offset += pw_sz + 12;
	if (ret)
		return TPM_LIB_ERROR;

	return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
}

int tpm2_change_auth(struct udevice *dev, u32 handle, const char *newpw,
		     const ssize_t newpw_sz, const char *oldpw,
		     const ssize_t oldpw_sz)
{
	unsigned int offset = 27;
	u8 command_v2[COMMAND_BUFFER_SIZE] = {
		tpm_u16(TPM2_ST_SESSIONS),	/* TAG */
		tpm_u32(offset + oldpw_sz + 2 + newpw_sz), /* Length */
		tpm_u32(TPM2_CC_HIERCHANGEAUTH), /* Command code */

		/* HANDLE */
		tpm_u32(handle),		/* TPM resource handle */

		/* AUTH_SESSION */
		tpm_u32(9 + oldpw_sz),		/* Authorization size */
		tpm_u32(TPM2_RS_PW),		/* Session handle */
		tpm_u16(0),			/* Size of <nonce> */
						/* <nonce> (if any) */
		0,				/* Attributes: Cont/Excl/Rst */
		tpm_u16(oldpw_sz)		/* Size of <hmac/password> */
		/* STRING(oldpw)		   <hmac/password> (if any) */

		/* TPM2B_AUTH (TPM2B_DIGEST) */
		/* tpm_u16(newpw_sz)		   Digest size, new pw length */
		/* STRING(newpw)		   Digest buffer, new pw */
	};
	int ret;

	/*
	 * Fill the command structure starting from the first buffer:
	 *     - the old password (if any)
	 *     - size of the new password
	 *     - new password
	 */
	ret = pack_byte_string(command_v2, sizeof(command_v2), "sws",
			       offset, oldpw, oldpw_sz,
			       offset + oldpw_sz, newpw_sz,
			       offset + oldpw_sz + 2, newpw, newpw_sz);
	offset += oldpw_sz + 2 + newpw_sz;
	if (ret)
		return TPM_LIB_ERROR;

	return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
}

u32 tpm2_pcr_setauthpolicy(struct udevice *dev, const char *pw,
			   const ssize_t pw_sz, u32 index, const char *key)
{
	u8 command_v2[COMMAND_BUFFER_SIZE] = {
		tpm_u16(TPM2_ST_SESSIONS),	/* TAG */
		tpm_u32(35 + pw_sz + TPM2_DIGEST_LEN), /* Length */
		tpm_u32(TPM2_CC_PCR_SETAUTHPOL), /* Command code */

		/* HANDLE */
		tpm_u32(TPM2_RH_PLATFORM),	/* TPM resource handle */

		/* AUTH_SESSION */
		tpm_u32(9 + pw_sz),		/* Authorization size */
		tpm_u32(TPM2_RS_PW),		/* session handle */
		tpm_u16(0),			/* Size of <nonce> */
						/* <nonce> (if any) */
		0,				/* Attributes: Cont/Excl/Rst */
		tpm_u16(pw_sz)			/* Size of <hmac/password> */
		/* STRING(pw)			   <hmac/password> (if any) */

		/* TPM2B_AUTH (TPM2B_DIGEST) */
		/* tpm_u16(TPM2_DIGEST_LEN)	   Digest size length */
		/* STRING(key)			   Digest buffer (PCR key) */

		/* TPMI_ALG_HASH */
		/* tpm_u16(TPM2_ALG_SHA256)   Algorithm of the hash */

		/* TPMI_DH_PCR */
		/* tpm_u32(index),		   PCR Index */
	};
	unsigned int offset = 27;
	int ret;

	/*
	 * Fill the command structure starting from the first buffer:
	 *     - the password (if any)
	 *     - the PCR key length
	 *     - the PCR key
	 *     - the hash algorithm
	 *     - the PCR index
	 */
	ret = pack_byte_string(command_v2, sizeof(command_v2), "swswd",
			       offset, pw, pw_sz,
			       offset + pw_sz, TPM2_DIGEST_LEN,
			       offset + pw_sz + 2, key, TPM2_DIGEST_LEN,
			       offset + pw_sz + 2 + TPM2_DIGEST_LEN,
			       TPM2_ALG_SHA256,
			       offset + pw_sz + 4 + TPM2_DIGEST_LEN, index);
	offset += pw_sz + 2 + TPM2_DIGEST_LEN + 2 + 4;
	if (ret)
		return TPM_LIB_ERROR;

	return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
}

u32 tpm2_pcr_setauthvalue(struct udevice *dev, const char *pw,
			  const ssize_t pw_sz, u32 index, const char *key,
			  const ssize_t key_sz)
{
	u8 command_v2[COMMAND_BUFFER_SIZE] = {
		tpm_u16(TPM2_ST_SESSIONS),	/* TAG */
		tpm_u32(33 + pw_sz + TPM2_DIGEST_LEN), /* Length */
		tpm_u32(TPM2_CC_PCR_SETAUTHVAL), /* Command code */

		/* HANDLE */
		tpm_u32(index),			/* Handle (PCR Index) */

		/* AUTH_SESSION */
		tpm_u32(9 + pw_sz),		/* Authorization size */
		tpm_u32(TPM2_RS_PW),		/* session handle */
		tpm_u16(0),			/* Size of <nonce> */
						/* <nonce> (if any) */
		0,				/* Attributes: Cont/Excl/Rst */
		tpm_u16(pw_sz),			/* Size of <hmac/password> */
		/* STRING(pw)			   <hmac/password> (if any) */

		/* TPM2B_DIGEST */
		/* tpm_u16(key_sz)		   Key length */
		/* STRING(key)			   Key */
	};
	unsigned int offset = 27;
	int ret;

	/*
	 * Fill the command structure starting from the first buffer:
	 *     - the password (if any)
	 *     - the number of digests, 1 in our case
	 *     - the algorithm, sha256 in our case
	 *     - the digest (64 bytes)
	 */
	ret = pack_byte_string(command_v2, sizeof(command_v2), "sws",
			       offset, pw, pw_sz,
			       offset + pw_sz, key_sz,
			       offset + pw_sz + 2, key, key_sz);
	offset += pw_sz + 2 + key_sz;
	if (ret)
		return TPM_LIB_ERROR;

	return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
}
Commit	Line	Data
ff32245b MR	1	// SPDX-License-Identifier: GPL-2.0+
	2	/*
	3	* Copyright (c) 2018 Bootlin
	4	* Author: Miquel Raynal <[email protected]>
	5	*/
	6
	7	#include <common.h>
	8	#include <dm.h>
	9	#include <tpm-common.h>
	10	#include <tpm-v2.h>
	11	#include "tpm-utils.h"
1922df20	12
abdc7b8a	13	u32 tpm2_startup(struct udevice *dev, enum tpm2_startup_types mode)
1922df20 MR	14	{
	15	const u8 command_v2[12] = {
	16	tpm_u16(TPM2_ST_NO_SESSIONS),
	17	tpm_u32(12),
	18	tpm_u32(TPM2_CC_STARTUP),
	19	tpm_u16(mode),
	20	};
	21	int ret;
	22
	23	/*
	24	* Note TPM2_Startup command will return RC_SUCCESS the first time,
	25	* but will return RC_INITIALIZE otherwise.
	26	*/
abdc7b8a	27	ret = tpm_sendrecv_command(dev, command_v2, NULL, NULL);
1922df20 MR	28	if (ret && ret != TPM2_RC_INITIALIZE)
	29	return ret;
	30
	31	return 0;
	32	}
2dc6d97e	33
abdc7b8a	34	u32 tpm2_self_test(struct udevice *dev, enum tpm2_yes_no full_test)
2dc6d97e MR	35	{
	36	const u8 command_v2[12] = {
	37	tpm_u16(TPM2_ST_NO_SESSIONS),
	38	tpm_u32(11),
	39	tpm_u32(TPM2_CC_SELF_TEST),
	40	full_test,
	41	};
	42
abdc7b8a	43	return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
2dc6d97e	44	}
bad8ff56	45
abdc7b8a SG	46	u32 tpm2_clear(struct udevice dev, u32 handle, const char pw,
abdc7b8a SG	47	const ssize_t pw_sz)
bad8ff56 MR	48	{
	49	u8 command_v2[COMMAND_BUFFER_SIZE] = {
	50	tpm_u16(TPM2_ST_SESSIONS), /* TAG */
	51	tpm_u32(27 + pw_sz), /* Length */
	52	tpm_u32(TPM2_CC_CLEAR), /* Command code */
	53
	54	/* HANDLE */
	55	tpm_u32(handle), /* TPM resource handle */
	56
	57	/* AUTH_SESSION */
	58	tpm_u32(9 + pw_sz), /* Authorization size */
	59	tpm_u32(TPM2_RS_PW), /* Session handle */
	60	tpm_u16(0), /* Size of <nonce> */
	61	/* <nonce> (if any) */
	62	0, /* Attributes: Cont/Excl/Rst */
	63	tpm_u16(pw_sz), /* Size of <hmac/password> */
	64	/* STRING(pw) <hmac/password> (if any) */
	65	};
	66	unsigned int offset = 27;
	67	int ret;
	68
	69	/*
	70	* Fill the command structure starting from the first buffer:
	71	* - the password (if any)
	72	*/
	73	ret = pack_byte_string(command_v2, sizeof(command_v2), "s",
	74	offset, pw, pw_sz);
	75	offset += pw_sz;
	76	if (ret)
	77	return TPM_LIB_ERROR;
	78
abdc7b8a	79	return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
bad8ff56	80	}
6284be5a	81
abdc7b8a	82	u32 tpm2_pcr_extend(struct udevice dev, u32 index, const uint8_t digest)
6284be5a MR	83	{
	84	u8 command_v2[COMMAND_BUFFER_SIZE] = {
	85	tpm_u16(TPM2_ST_SESSIONS), /* TAG */
	86	tpm_u32(33 + TPM2_DIGEST_LEN), /* Length */
	87	tpm_u32(TPM2_CC_PCR_EXTEND), /* Command code */
	88
	89	/* HANDLE */
	90	tpm_u32(index), /* Handle (PCR Index) */
	91
	92	/* AUTH_SESSION */
	93	tpm_u32(9), /* Authorization size */
	94	tpm_u32(TPM2_RS_PW), /* Session handle */
	95	tpm_u16(0), /* Size of <nonce> */
	96	/* <nonce> (if any) */
	97	0, /* Attributes: Cont/Excl/Rst */
	98	tpm_u16(0), /* Size of <hmac/password> */
	99	/* <hmac/password> (if any) */
	100	tpm_u32(1), /* Count (number of hashes) */
	101	tpm_u16(TPM2_ALG_SHA256), /* Algorithm of the hash */
	102	/* STRING(digest) Digest */
	103	};
	104	unsigned int offset = 33;
	105	int ret;
	106
	107	/*
	108	* Fill the command structure starting from the first buffer:
	109	* - the digest
	110	*/
	111	ret = pack_byte_string(command_v2, sizeof(command_v2), "s",
	112	offset, digest, TPM2_DIGEST_LEN);
	113	offset += TPM2_DIGEST_LEN;
	114	if (ret)
	115	return TPM_LIB_ERROR;
	116
abdc7b8a	117	return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
6284be5a	118	}
1c4ea8f4	119
abdc7b8a SG	120	u32 tpm2_pcr_read(struct udevice *dev, u32 idx, unsigned int idx_min_sz,
abdc7b8a SG	121	void data, unsigned int updates)
1c4ea8f4 MR	122	{
	123	u8 idx_array_sz = max(idx_min_sz, DIV_ROUND_UP(idx, 8));
	124	u8 command_v2[COMMAND_BUFFER_SIZE] = {
	125	tpm_u16(TPM2_ST_NO_SESSIONS), /* TAG */
	126	tpm_u32(17 + idx_array_sz), /* Length */
	127	tpm_u32(TPM2_CC_PCR_READ), /* Command code */
	128
	129	/* TPML_PCR_SELECTION */
	130	tpm_u32(1), /* Number of selections */
	131	tpm_u16(TPM2_ALG_SHA256), /* Algorithm of the hash */
	132	idx_array_sz, /* Array size for selection */
	133	/* bitmap(idx) Selected PCR bitmap */
	134	};
	135	size_t response_len = COMMAND_BUFFER_SIZE;
	136	u8 response[COMMAND_BUFFER_SIZE];
	137	unsigned int pcr_sel_idx = idx / 8;
	138	u8 pcr_sel_bit = BIT(idx % 8);
	139	unsigned int counter = 0;
	140	int ret;
	141
	142	if (pack_byte_string(command_v2, COMMAND_BUFFER_SIZE, "b",
	143	17 + pcr_sel_idx, pcr_sel_bit))
	144	return TPM_LIB_ERROR;
	145
abdc7b8a	146	ret = tpm_sendrecv_command(dev, command_v2, response, &response_len);
1c4ea8f4 MR	147	if (ret)
	148	return ret;
	149
	150	if (unpack_byte_string(response, response_len, "ds",
	151	10, &counter,
	152	response_len - TPM2_DIGEST_LEN, data,
	153	TPM2_DIGEST_LEN))
	154	return TPM_LIB_ERROR;
	155
	156	if (updates)
	157	*updates = counter;
	158
	159	return 0;
	160	}
69cd8f06	161
abdc7b8a SG	162	u32 tpm2_get_capability(struct udevice *dev, u32 capability, u32 property,
abdc7b8a SG	163	void *buf, size_t prop_count)
69cd8f06 MR	164	{
	165	u8 command_v2[COMMAND_BUFFER_SIZE] = {
	166	tpm_u16(TPM2_ST_NO_SESSIONS), /* TAG */
	167	tpm_u32(22), /* Length */
	168	tpm_u32(TPM2_CC_GET_CAPABILITY), /* Command code */
	169
	170	tpm_u32(capability), /* Capability */
	171	tpm_u32(property), /* Property */
	172	tpm_u32(prop_count), /* Property count */
	173	};
	174	u8 response[COMMAND_BUFFER_SIZE];
	175	size_t response_len = COMMAND_BUFFER_SIZE;
	176	unsigned int properties_off;
	177	int ret;
	178
abdc7b8a	179	ret = tpm_sendrecv_command(dev, command_v2, response, &response_len);
69cd8f06 MR	180	if (ret)
	181	return ret;
	182
	183	/*
	184	* In the response buffer, the properties are located after the:
	185	* tag (u16), response size (u32), response code (u32),
	186	* YES/NO flag (u8), TPM_CAP (u32) and TPMU_CAPABILITIES (u32).
	187	*/
	188	properties_off = sizeof(u16) + sizeof(u32) + sizeof(u32) +
	189	sizeof(u8) + sizeof(u32) + sizeof(u32);
	190	memcpy(buf, &response[properties_off], response_len - properties_off);
	191
	192	return 0;
	193	}
da9c3392	194
abdc7b8a	195	u32 tpm2_dam_reset(struct udevice dev, const char pw, const ssize_t pw_sz)
da9c3392 MR	196	{
	197	u8 command_v2[COMMAND_BUFFER_SIZE] = {
	198	tpm_u16(TPM2_ST_SESSIONS), /* TAG */
	199	tpm_u32(27 + pw_sz), /* Length */
	200	tpm_u32(TPM2_CC_DAM_RESET), /* Command code */
	201
	202	/* HANDLE */
	203	tpm_u32(TPM2_RH_LOCKOUT), /* TPM resource handle */
	204
	205	/* AUTH_SESSION */
	206	tpm_u32(9 + pw_sz), /* Authorization size */
	207	tpm_u32(TPM2_RS_PW), /* Session handle */
	208	tpm_u16(0), /* Size of <nonce> */
	209	/* <nonce> (if any) */
	210	0, /* Attributes: Cont/Excl/Rst */
	211	tpm_u16(pw_sz), /* Size of <hmac/password> */
	212	/* STRING(pw) <hmac/password> (if any) */
	213	};
	214	unsigned int offset = 27;
	215	int ret;
	216
	217	/*
	218	* Fill the command structure starting from the first buffer:
	219	* - the password (if any)
	220	*/
	221	ret = pack_byte_string(command_v2, sizeof(command_v2), "s",
	222	offset, pw, pw_sz);
	223	offset += pw_sz;
	224	if (ret)
	225	return TPM_LIB_ERROR;
	226
abdc7b8a	227	return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
da9c3392 MR	228	}
da9c3392 MR	229
abdc7b8a SG	230	u32 tpm2_dam_parameters(struct udevice dev, const char pw,
	231	const ssize_t pw_sz, unsigned int max_tries,
	232	unsigned int recovery_time,
da9c3392 MR	233	unsigned int lockout_recovery)
	234	{
	235	u8 command_v2[COMMAND_BUFFER_SIZE] = {
	236	tpm_u16(TPM2_ST_SESSIONS), /* TAG */
	237	tpm_u32(27 + pw_sz + 12), /* Length */
	238	tpm_u32(TPM2_CC_DAM_PARAMETERS), /* Command code */
	239
	240	/* HANDLE */
	241	tpm_u32(TPM2_RH_LOCKOUT), /* TPM resource handle */
	242
	243	/* AUTH_SESSION */
	244	tpm_u32(9 + pw_sz), /* Authorization size */
	245	tpm_u32(TPM2_RS_PW), /* Session handle */
	246	tpm_u16(0), /* Size of <nonce> */
	247	/* <nonce> (if any) */
	248	0, /* Attributes: Cont/Excl/Rst */
	249	tpm_u16(pw_sz), /* Size of <hmac/password> */
	250	/* STRING(pw) <hmac/password> (if any) */
	251
	252	/* LOCKOUT PARAMETERS */
	253	/* tpm_u32(max_tries) Max tries (0, always lock) */
	254	/* tpm_u32(recovery_time) Recovery time (0, no lock) */
	255	/* tpm_u32(lockout_recovery) Lockout recovery */
	256	};
	257	unsigned int offset = 27;
	258	int ret;
	259
	260	/*
	261	* Fill the command structure starting from the first buffer:
	262	* - the password (if any)
	263	* - max tries
	264	* - recovery time
	265	* - lockout recovery
	266	*/
	267	ret = pack_byte_string(command_v2, sizeof(command_v2), "sddd",
	268	offset, pw, pw_sz,
	269	offset + pw_sz, max_tries,
	270	offset + pw_sz + 4, recovery_time,
	271	offset + pw_sz + 8, lockout_recovery);
	272	offset += pw_sz + 12;
	273	if (ret)
	274	return TPM_LIB_ERROR;
	275
abdc7b8a	276	return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
da9c3392	277	}
dc26e913	278
abdc7b8a SG	279	int tpm2_change_auth(struct udevice dev, u32 handle, const char newpw,
	280	const ssize_t newpw_sz, const char *oldpw,
	281	const ssize_t oldpw_sz)
dc26e913 MR	282	{
	283	unsigned int offset = 27;
	284	u8 command_v2[COMMAND_BUFFER_SIZE] = {
	285	tpm_u16(TPM2_ST_SESSIONS), /* TAG */
	286	tpm_u32(offset + oldpw_sz + 2 + newpw_sz), /* Length */
	287	tpm_u32(TPM2_CC_HIERCHANGEAUTH), /* Command code */
	288
	289	/* HANDLE */
	290	tpm_u32(handle), /* TPM resource handle */
	291
	292	/* AUTH_SESSION */
	293	tpm_u32(9 + oldpw_sz), /* Authorization size */
	294	tpm_u32(TPM2_RS_PW), /* Session handle */
	295	tpm_u16(0), /* Size of <nonce> */
	296	/* <nonce> (if any) */
	297	0, /* Attributes: Cont/Excl/Rst */
	298	tpm_u16(oldpw_sz) /* Size of <hmac/password> */
	299	/* STRING(oldpw) <hmac/password> (if any) */
	300
	301	/* TPM2B_AUTH (TPM2B_DIGEST) */
	302	/* tpm_u16(newpw_sz) Digest size, new pw length */
	303	/* STRING(newpw) Digest buffer, new pw */
	304	};
	305	int ret;
	306
	307	/*
	308	* Fill the command structure starting from the first buffer:
	309	* - the old password (if any)
	310	* - size of the new password
	311	* - new password
	312	*/
	313	ret = pack_byte_string(command_v2, sizeof(command_v2), "sws",
	314	offset, oldpw, oldpw_sz,
	315	offset + oldpw_sz, newpw_sz,
	316	offset + oldpw_sz + 2, newpw, newpw_sz);
	317	offset += oldpw_sz + 2 + newpw_sz;
	318	if (ret)
	319	return TPM_LIB_ERROR;
	320
abdc7b8a	321	return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
dc26e913	322	}
b9dd4fab	323
abdc7b8a SG	324	u32 tpm2_pcr_setauthpolicy(struct udevice dev, const char pw,
abdc7b8a SG	325	const ssize_t pw_sz, u32 index, const char *key)
b9dd4fab MR	326	{
	327	u8 command_v2[COMMAND_BUFFER_SIZE] = {
	328	tpm_u16(TPM2_ST_SESSIONS), /* TAG */
	329	tpm_u32(35 + pw_sz + TPM2_DIGEST_LEN), /* Length */
	330	tpm_u32(TPM2_CC_PCR_SETAUTHPOL), /* Command code */
	331
	332	/* HANDLE */
	333	tpm_u32(TPM2_RH_PLATFORM), /* TPM resource handle */
	334
	335	/* AUTH_SESSION */
	336	tpm_u32(9 + pw_sz), /* Authorization size */
	337	tpm_u32(TPM2_RS_PW), /* session handle */
	338	tpm_u16(0), /* Size of <nonce> */
	339	/* <nonce> (if any) */
	340	0, /* Attributes: Cont/Excl/Rst */
	341	tpm_u16(pw_sz) /* Size of <hmac/password> */
	342	/* STRING(pw) <hmac/password> (if any) */
	343
	344	/* TPM2B_AUTH (TPM2B_DIGEST) */
	345	/* tpm_u16(TPM2_DIGEST_LEN) Digest size length */
	346	/* STRING(key) Digest buffer (PCR key) */
	347
	348	/* TPMI_ALG_HASH */
	349	/* tpm_u16(TPM2_ALG_SHA256) Algorithm of the hash */
	350
	351	/* TPMI_DH_PCR */
	352	/* tpm_u32(index), PCR Index */
	353	};
	354	unsigned int offset = 27;
	355	int ret;
	356
	357	/*
	358	* Fill the command structure starting from the first buffer:
	359	* - the password (if any)
	360	* - the PCR key length
	361	* - the PCR key
	362	* - the hash algorithm
	363	* - the PCR index
	364	*/
	365	ret = pack_byte_string(command_v2, sizeof(command_v2), "swswd",
	366	offset, pw, pw_sz,
	367	offset + pw_sz, TPM2_DIGEST_LEN,
	368	offset + pw_sz + 2, key, TPM2_DIGEST_LEN,
	369	offset + pw_sz + 2 + TPM2_DIGEST_LEN,
	370	TPM2_ALG_SHA256,
	371	offset + pw_sz + 4 + TPM2_DIGEST_LEN, index);
	372	offset += pw_sz + 2 + TPM2_DIGEST_LEN + 2 + 4;
	373	if (ret)
	374	return TPM_LIB_ERROR;
	375
abdc7b8a	376	return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
b9dd4fab MR	377	}
b9dd4fab MR	378
abdc7b8a SG	379	u32 tpm2_pcr_setauthvalue(struct udevice dev, const char pw,
	380	const ssize_t pw_sz, u32 index, const char *key,
	381	const ssize_t key_sz)
b9dd4fab MR	382	{
	383	u8 command_v2[COMMAND_BUFFER_SIZE] = {
	384	tpm_u16(TPM2_ST_SESSIONS), /* TAG */
	385	tpm_u32(33 + pw_sz + TPM2_DIGEST_LEN), /* Length */
	386	tpm_u32(TPM2_CC_PCR_SETAUTHVAL), /* Command code */
	387
	388	/* HANDLE */
	389	tpm_u32(index), /* Handle (PCR Index) */
	390
	391	/* AUTH_SESSION */
	392	tpm_u32(9 + pw_sz), /* Authorization size */
	393	tpm_u32(TPM2_RS_PW), /* session handle */
	394	tpm_u16(0), /* Size of <nonce> */
	395	/* <nonce> (if any) */
	396	0, /* Attributes: Cont/Excl/Rst */
	397	tpm_u16(pw_sz), /* Size of <hmac/password> */
	398	/* STRING(pw) <hmac/password> (if any) */
	399
	400	/* TPM2B_DIGEST */
	401	/* tpm_u16(key_sz) Key length */
	402	/* STRING(key) Key */
	403	};
	404	unsigned int offset = 27;
	405	int ret;
	406
	407	/*
	408	* Fill the command structure starting from the first buffer:
	409	* - the password (if any)
	410	* - the number of digests, 1 in our case
	411	* - the algorithm, sha256 in our case
	412	* - the digest (64 bytes)
	413	*/
	414	ret = pack_byte_string(command_v2, sizeof(command_v2), "sws",
	415	offset, pw, pw_sz,
	416	offset + pw_sz, key_sz,
	417	offset + pw_sz + 2, key, key_sz);
	418	offset += pw_sz + 2 + key_sz;
	419	if (ret)
	420	return TPM_LIB_ERROR;
	421
abdc7b8a	422	return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
b9dd4fab	423	}