1 /* SPDX-License-Identifier: GPL-2.0+ */
3 * Defines APIs and structures that allow software to interact with a
6 * Copyright (c) 2020 Linaro
7 * Copyright (c) 2018 Bootlin
9 * https://trustedcomputinggroup.org/resource/tss-overview-common-structures-specification/
17 #include <tpm-common.h>
21 #define TPM2_DIGEST_LEN 32
23 #define TPM2_SHA1_DIGEST_SIZE 20
24 #define TPM2_SHA256_DIGEST_SIZE 32
25 #define TPM2_SHA384_DIGEST_SIZE 48
26 #define TPM2_SHA512_DIGEST_SIZE 64
27 #define TPM2_SM3_256_DIGEST_SIZE 32
29 #define TPM2_MAX_PCRS 32
30 #define TPM2_PCR_SELECT_MAX ((TPM2_MAX_PCRS + 7) / 8)
31 #define TPM2_MAX_CAP_BUFFER 1024
32 #define TPM2_MAX_TPM_PROPERTIES ((TPM2_MAX_CAP_BUFFER - sizeof(u32) /* TPM2_CAP */ - \
33 sizeof(u32)) / sizeof(struct tpms_tagged_property))
35 #define TPM2_HDR_LEN 10
38 * We deviate from this draft of the specification by increasing the value of
39 * TPM2_NUM_PCR_BANKS from 3 to 16 to ensure compatibility with TPM2
40 * implementations that have enabled a larger than typical number of PCR
41 * banks. This larger value for TPM2_NUM_PCR_BANKS is expected to be included
42 * in a future revision of the specification.
44 #define TPM2_NUM_PCR_BANKS 16
46 /* Definition of (UINT32) TPM2_CAP Constants */
47 #define TPM2_CAP_PCRS 0x00000005U
48 #define TPM2_CAP_TPM_PROPERTIES 0x00000006U
50 /* Definition of (UINT32) TPM2_PT Constants */
51 #define TPM2_PT_GROUP (u32)(0x00000100)
52 #define TPM2_PT_FIXED (u32)(TPM2_PT_GROUP * 1)
53 #define TPM2_PT_MANUFACTURER (u32)(TPM2_PT_FIXED + 5)
54 #define TPM2_PT_PCR_COUNT (u32)(TPM2_PT_FIXED + 18)
55 #define TPM2_PT_MAX_COMMAND_SIZE (u32)(TPM2_PT_FIXED + 30)
56 #define TPM2_PT_MAX_RESPONSE_SIZE (u32)(TPM2_PT_FIXED + 31)
58 /* TPMS_TAGGED_PROPERTY Structure */
59 struct tpms_tagged_property {
64 /* TPMS_PCR_SELECTION Structure */
65 struct tpms_pcr_selection {
68 u8 pcr_select[TPM2_PCR_SELECT_MAX];
71 /* TPML_PCR_SELECTION Structure */
72 struct tpml_pcr_selection {
74 struct tpms_pcr_selection selection[TPM2_NUM_PCR_BANKS];
77 /* TPML_TAGGED_TPM_PROPERTY Structure */
78 struct tpml_tagged_tpm_property {
80 struct tpms_tagged_property tpm_property[TPM2_MAX_TPM_PROPERTIES];
83 /* TPMU_CAPABILITIES Union */
84 union tpmu_capabilities {
86 * Non exhaustive. Only added the structs needed for our
89 struct tpml_pcr_selection assigned_pcr;
90 struct tpml_tagged_tpm_property tpm_properties;
93 /* TPMS_CAPABILITY_DATA Structure */
94 struct tpms_capability_data {
96 union tpmu_capabilities data;
100 * Definition of TPMU_HA Union
103 u8 sha1[TPM2_SHA1_DIGEST_SIZE];
104 u8 sha256[TPM2_SHA256_DIGEST_SIZE];
105 u8 sm3_256[TPM2_SM3_256_DIGEST_SIZE];
106 u8 sha384[TPM2_SHA384_DIGEST_SIZE];
107 u8 sha512[TPM2_SHA512_DIGEST_SIZE];
111 * Definition of TPMT_HA Structure
113 * @hash_alg: Hash algorithm defined in enum tpm2_algorithms
114 * @digest: Digest value for a given algorithm
118 union tpmu_ha digest;
122 * Definition of TPML_DIGEST_VALUES Structure
124 * @count: Number of algorithms supported by hardware
125 * @digests: struct for algorithm id and hash value
127 struct tpml_digest_values {
129 struct tpmt_ha digests[TPM2_NUM_PCR_BANKS];
133 * TPM2 Structure Tags for command/response buffers.
135 * @TPM2_ST_NO_SESSIONS: the command does not need an authentication.
136 * @TPM2_ST_SESSIONS: the command needs an authentication.
138 enum tpm2_structures {
139 TPM2_ST_NO_SESSIONS = 0x8001,
140 TPM2_ST_SESSIONS = 0x8002,
144 * TPM2 type of boolean.
152 * TPM2 startup values.
154 * @TPM2_SU_CLEAR: reset the internal state.
155 * @TPM2_SU_STATE: restore saved state (if any).
157 enum tpm2_startup_types {
158 TPM2_SU_CLEAR = 0x0000,
159 TPM2_SU_STATE = 0x0001,
163 * TPM2 permanent handles.
165 * @TPM2_RH_OWNER: refers to the 'owner' hierarchy.
166 * @TPM2_RS_PW: indicates a password.
167 * @TPM2_RH_LOCKOUT: refers to the 'lockout' hierarchy.
168 * @TPM2_RH_ENDORSEMENT: refers to the 'endorsement' hierarchy.
169 * @TPM2_RH_PLATFORM: refers to the 'platform' hierarchy.
172 TPM2_RH_OWNER = 0x40000001,
173 TPM2_RS_PW = 0x40000009,
174 TPM2_RH_LOCKOUT = 0x4000000A,
175 TPM2_RH_ENDORSEMENT = 0x4000000B,
176 TPM2_RH_PLATFORM = 0x4000000C,
180 * TPM2 command codes used at the beginning of a buffer, gives the command.
182 * @TPM2_CC_STARTUP: TPM2_Startup().
183 * @TPM2_CC_SELF_TEST: TPM2_SelfTest().
184 * @TPM2_CC_CLEAR: TPM2_Clear().
185 * @TPM2_CC_CLEARCONTROL: TPM2_ClearControl().
186 * @TPM2_CC_HIERCHANGEAUTH: TPM2_HierarchyChangeAuth().
187 * @TPM2_CC_PCR_SETAUTHPOL: TPM2_PCR_SetAuthPolicy().
188 * @TPM2_CC_DAM_RESET: TPM2_DictionaryAttackLockReset().
189 * @TPM2_CC_DAM_PARAMETERS: TPM2_DictionaryAttackParameters().
190 * @TPM2_CC_GET_CAPABILITY: TPM2_GetCapibility().
191 * @TPM2_CC_GET_RANDOM: TPM2_GetRandom().
192 * @TPM2_CC_PCR_READ: TPM2_PCR_Read().
193 * @TPM2_CC_PCR_EXTEND: TPM2_PCR_Extend().
194 * @TPM2_CC_PCR_SETAUTHVAL: TPM2_PCR_SetAuthValue().
196 enum tpm2_command_codes {
197 TPM2_CC_STARTUP = 0x0144,
198 TPM2_CC_SELF_TEST = 0x0143,
199 TPM2_CC_HIER_CONTROL = 0x0121,
200 TPM2_CC_CLEAR = 0x0126,
201 TPM2_CC_CLEARCONTROL = 0x0127,
202 TPM2_CC_HIERCHANGEAUTH = 0x0129,
203 TPM2_CC_NV_DEFINE_SPACE = 0x012a,
204 TPM2_CC_PCR_SETAUTHPOL = 0x012C,
205 TPM2_CC_NV_WRITE = 0x0137,
206 TPM2_CC_NV_WRITELOCK = 0x0138,
207 TPM2_CC_DAM_RESET = 0x0139,
208 TPM2_CC_DAM_PARAMETERS = 0x013A,
209 TPM2_CC_NV_READ = 0x014E,
210 TPM2_CC_GET_CAPABILITY = 0x017A,
211 TPM2_CC_GET_RANDOM = 0x017B,
212 TPM2_CC_PCR_READ = 0x017E,
213 TPM2_CC_PCR_EXTEND = 0x0182,
214 TPM2_CC_PCR_SETAUTHVAL = 0x0183,
220 enum tpm2_return_codes {
221 TPM2_RC_SUCCESS = 0x0000,
222 TPM2_RC_BAD_TAG = 0x001E,
223 TPM2_RC_FMT1 = 0x0080,
224 TPM2_RC_HASH = TPM2_RC_FMT1 + 0x0003,
225 TPM2_RC_VALUE = TPM2_RC_FMT1 + 0x0004,
226 TPM2_RC_SIZE = TPM2_RC_FMT1 + 0x0015,
227 TPM2_RC_BAD_AUTH = TPM2_RC_FMT1 + 0x0022,
228 TPM2_RC_HANDLE = TPM2_RC_FMT1 + 0x000B,
229 TPM2_RC_VER1 = 0x0100,
230 TPM2_RC_INITIALIZE = TPM2_RC_VER1 + 0x0000,
231 TPM2_RC_FAILURE = TPM2_RC_VER1 + 0x0001,
232 TPM2_RC_DISABLED = TPM2_RC_VER1 + 0x0020,
233 TPM2_RC_AUTH_MISSING = TPM2_RC_VER1 + 0x0025,
234 TPM2_RC_COMMAND_CODE = TPM2_RC_VER1 + 0x0043,
235 TPM2_RC_AUTHSIZE = TPM2_RC_VER1 + 0x0044,
236 TPM2_RC_AUTH_CONTEXT = TPM2_RC_VER1 + 0x0045,
237 TPM2_RC_NV_DEFINED = TPM2_RC_VER1 + 0x004c,
238 TPM2_RC_NEEDS_TEST = TPM2_RC_VER1 + 0x0053,
239 TPM2_RC_WARN = 0x0900,
240 TPM2_RC_TESTING = TPM2_RC_WARN + 0x000A,
241 TPM2_RC_REFERENCE_H0 = TPM2_RC_WARN + 0x0010,
242 TPM2_RC_LOCKOUT = TPM2_RC_WARN + 0x0021,
248 enum tpm2_algorithms {
249 TPM2_ALG_SHA1 = 0x04,
251 TPM2_ALG_SHA256 = 0x0B,
252 TPM2_ALG_SHA384 = 0x0C,
253 TPM2_ALG_SHA512 = 0x0D,
254 TPM2_ALG_NULL = 0x10,
255 TPM2_ALG_SM3_256 = 0x12,
259 * struct digest_info - details of supported digests
261 * @hash_name: hash name
262 * @hash_alg: hash algorithm id
263 * @hash_mask: hash registry mask
264 * @hash_len: hash digest length
267 const char *hash_name;
273 /* Algorithm Registry */
274 #define TCG2_BOOT_HASH_ALG_SHA1 0x00000001
275 #define TCG2_BOOT_HASH_ALG_SHA256 0x00000002
276 #define TCG2_BOOT_HASH_ALG_SHA384 0x00000004
277 #define TCG2_BOOT_HASH_ALG_SHA512 0x00000008
278 #define TCG2_BOOT_HASH_ALG_SM3_256 0x00000010
280 static const struct digest_info hash_algo_list[] = {
281 #if IS_ENABLED(CONFIG_SHA1)
285 TCG2_BOOT_HASH_ALG_SHA1,
286 TPM2_SHA1_DIGEST_SIZE,
289 #if IS_ENABLED(CONFIG_SHA256)
293 TCG2_BOOT_HASH_ALG_SHA256,
294 TPM2_SHA256_DIGEST_SIZE,
297 #if IS_ENABLED(CONFIG_SHA384)
301 TCG2_BOOT_HASH_ALG_SHA384,
302 TPM2_SHA384_DIGEST_SIZE,
305 #if IS_ENABLED(CONFIG_SHA512)
309 TCG2_BOOT_HASH_ALG_SHA512,
310 TPM2_SHA512_DIGEST_SIZE,
315 /* NV index attributes */
316 enum tpm_index_attrs {
317 TPMA_NV_PPWRITE = 1UL << 0,
318 TPMA_NV_OWNERWRITE = 1UL << 1,
319 TPMA_NV_AUTHWRITE = 1UL << 2,
320 TPMA_NV_POLICYWRITE = 1UL << 3,
321 TPMA_NV_COUNTER = 1UL << 4,
322 TPMA_NV_BITS = 1UL << 5,
323 TPMA_NV_EXTEND = 1UL << 6,
324 TPMA_NV_POLICY_DELETE = 1UL << 10,
325 TPMA_NV_WRITELOCKED = 1UL << 11,
326 TPMA_NV_WRITEALL = 1UL << 12,
327 TPMA_NV_WRITEDEFINE = 1UL << 13,
328 TPMA_NV_WRITE_STCLEAR = 1UL << 14,
329 TPMA_NV_GLOBALLOCK = 1UL << 15,
330 TPMA_NV_PPREAD = 1UL << 16,
331 TPMA_NV_OWNERREAD = 1UL << 17,
332 TPMA_NV_AUTHREAD = 1UL << 18,
333 TPMA_NV_POLICYREAD = 1UL << 19,
334 TPMA_NV_NO_DA = 1UL << 25,
335 TPMA_NV_ORDERLY = 1UL << 26,
336 TPMA_NV_CLEAR_STCLEAR = 1UL << 27,
337 TPMA_NV_READLOCKED = 1UL << 28,
338 TPMA_NV_WRITTEN = 1UL << 29,
339 TPMA_NV_PLATFORMCREATE = 1UL << 30,
340 TPMA_NV_READ_STCLEAR = 1UL << 31,
342 TPMA_NV_MASK_READ = TPMA_NV_PPREAD | TPMA_NV_OWNERREAD |
343 TPMA_NV_AUTHREAD | TPMA_NV_POLICYREAD,
344 TPMA_NV_MASK_WRITE = TPMA_NV_PPWRITE | TPMA_NV_OWNERWRITE |
345 TPMA_NV_AUTHWRITE | TPMA_NV_POLICYWRITE,
349 TPM_ACCESS_VALID = 1 << 7,
350 TPM_ACCESS_ACTIVE_LOCALITY = 1 << 5,
351 TPM_ACCESS_REQUEST_PENDING = 1 << 2,
352 TPM_ACCESS_REQUEST_USE = 1 << 1,
353 TPM_ACCESS_ESTABLISHMENT = 1 << 0,
357 TPM_STS_FAMILY_SHIFT = 26,
358 TPM_STS_FAMILY_MASK = 0x3 << TPM_STS_FAMILY_SHIFT,
359 TPM_STS_FAMILY_TPM2 = 1 << TPM_STS_FAMILY_SHIFT,
360 TPM_STS_RESE_TESTABLISMENT_BIT = 1 << 25,
361 TPM_STS_COMMAND_CANCEL = 1 << 24,
362 TPM_STS_BURST_COUNT_SHIFT = 8,
363 TPM_STS_BURST_COUNT_MASK = 0xffff << TPM_STS_BURST_COUNT_SHIFT,
364 TPM_STS_VALID = 1 << 7,
365 TPM_STS_COMMAND_READY = 1 << 6,
367 TPM_STS_DATA_AVAIL = 1 << 4,
368 TPM_STS_DATA_EXPECT = 1 << 3,
369 TPM_STS_SELF_TEST_DONE = 1 << 2,
370 TPM_STS_RESPONSE_RETRY = 1 << 1,
371 TPM_STS_READ_ZERO = 0x23
375 TPM_CMD_COUNT_OFFSET = 2,
376 TPM_CMD_ORDINAL_OFFSET = 6,
377 TPM_MAX_BUF_SIZE = 1260,
381 /* Secure storage for firmware settings */
385 TPM_HT_POLICY_SESSION,
388 HR_PCR = TPM_HT_PCR << HR_SHIFT,
389 HR_HMAC_SESSION = TPM_HT_HMAC_SESSION << HR_SHIFT,
390 HR_POLICY_SESSION = TPM_HT_POLICY_SESSION << HR_SHIFT,
391 HR_NV_INDEX = TPM_HT_NV_INDEX << HR_SHIFT,
395 * Issue a TPM2_Startup command.
398 * @mode TPM startup mode
400 * Return: code of the operation
402 u32 tpm2_startup(struct udevice *dev, enum tpm2_startup_types mode);
405 * Issue a TPM2_SelfTest command.
408 * @full_test Asking to perform all tests or only the untested ones
410 * Return: code of the operation
412 u32 tpm2_self_test(struct udevice *dev, enum tpm2_yes_no full_test);
415 * Issue a TPM2_Clear command.
420 * @pw_sz Length of the password
422 * Return: code of the operation
424 u32 tpm2_clear(struct udevice *dev, u32 handle, const char *pw,
425 const ssize_t pw_sz);
428 * Issue a TPM_NV_DefineSpace command
430 * This allows a space to be defined with given attributes and policy
433 * @space_index index of the area
434 * @space_size size of area in bytes
435 * @nv_attributes TPM_NV_ATTRIBUTES of the area
436 * @nv_policy policy to use
437 * @nv_policy_size size of the policy
438 * Return: return code of the operation
440 u32 tpm2_nv_define_space(struct udevice *dev, u32 space_index,
441 size_t space_size, u32 nv_attributes,
442 const u8 *nv_policy, size_t nv_policy_size);
445 * Issue a TPM2_PCR_Extend command.
448 * @index Index of the PCR
449 * @algorithm Algorithm used, defined in 'enum tpm2_algorithms'
450 * @digest Value representing the event to be recorded
451 * @digest_len len of the hash
453 * Return: code of the operation
455 u32 tpm2_pcr_extend(struct udevice *dev, u32 index, u32 algorithm,
456 const u8 *digest, u32 digest_len);
459 * Read data from the secure storage
462 * @index Index of data to read
463 * @data Place to put data
464 * @count Number of bytes of data
465 * Return: code of the operation
467 u32 tpm2_nv_read_value(struct udevice *dev, u32 index, void *data, u32 count);
470 * Write data to the secure storage
473 * @index Index of data to write
474 * @data Data to write
475 * @count Number of bytes of data
476 * Return: code of the operation
478 u32 tpm2_nv_write_value(struct udevice *dev, u32 index, const void *data,
482 * Issue a TPM2_PCR_Read command.
485 * @idx Index of the PCR
486 * @idx_min_sz Minimum size in bytes of the pcrSelect array
487 * @algorithm Algorithm used, defined in 'enum tpm2_algorithms'
488 * @data Output buffer for contents of the named PCR
489 * @digest_len len of the data
490 * @updates Optional out parameter: number of updates for this PCR
492 * Return: code of the operation
494 u32 tpm2_pcr_read(struct udevice *dev, u32 idx, unsigned int idx_min_sz,
495 u16 algorithm, void *data, u32 digest_len,
496 unsigned int *updates);
499 * Issue a TPM2_GetCapability command. This implementation is limited
500 * to query property index that is 4-byte wide.
503 * @capability Partition of capabilities
504 * @property Further definition of capability, limited to be 4 bytes wide
505 * @buf Output buffer for capability information
506 * @prop_count Size of output buffer
508 * Return: code of the operation
510 u32 tpm2_get_capability(struct udevice *dev, u32 capability, u32 property,
511 void *buf, size_t prop_count);
514 * tpm2_get_pcr_info() - get the supported, active PCRs and number of banks
517 * @pcrs: struct tpml_pcr_selection of available PCRs
519 * @return 0 on success, code of operation or negative errno on failure
521 int tpm2_get_pcr_info(struct udevice *dev, struct tpml_pcr_selection *pcrs);
524 * Issue a TPM2_DictionaryAttackLockReset command.
528 * @pw_sz Length of the password
530 * Return: code of the operation
532 u32 tpm2_dam_reset(struct udevice *dev, const char *pw, const ssize_t pw_sz);
535 * Issue a TPM2_DictionaryAttackParameters command.
539 * @pw_sz Length of the password
540 * @max_tries Count of authorizations before lockout
541 * @recovery_time Time before decrementation of the failure count
542 * @lockout_recovery Time to wait after a lockout
544 * Return: code of the operation
546 u32 tpm2_dam_parameters(struct udevice *dev, const char *pw,
547 const ssize_t pw_sz, unsigned int max_tries,
548 unsigned int recovery_time,
549 unsigned int lockout_recovery);
552 * Issue a TPM2_HierarchyChangeAuth command.
556 * @newpw New password
557 * @newpw_sz Length of the new password
558 * @oldpw Old password
559 * @oldpw_sz Length of the old password
561 * Return: code of the operation
563 int tpm2_change_auth(struct udevice *dev, u32 handle, const char *newpw,
564 const ssize_t newpw_sz, const char *oldpw,
565 const ssize_t oldpw_sz);
568 * Issue a TPM_PCR_SetAuthPolicy command.
571 * @pw Platform password
572 * @pw_sz Length of the password
573 * @index Index of the PCR
574 * @digest New key to access the PCR
576 * Return: code of the operation
578 u32 tpm2_pcr_setauthpolicy(struct udevice *dev, const char *pw,
579 const ssize_t pw_sz, u32 index, const char *key);
582 * Issue a TPM_PCR_SetAuthValue command.
585 * @pw Platform password
586 * @pw_sz Length of the password
587 * @index Index of the PCR
588 * @digest New key to access the PCR
589 * @key_sz Length of the new key
591 * Return: code of the operation
593 u32 tpm2_pcr_setauthvalue(struct udevice *dev, const char *pw,
594 const ssize_t pw_sz, u32 index, const char *key,
595 const ssize_t key_sz);
598 * Issue a TPM2_GetRandom command.
601 * @param data output buffer for the random bytes
602 * @param count size of output buffer
604 * Return: return code of the operation
606 u32 tpm2_get_random(struct udevice *dev, void *data, u32 count);
609 * Lock data in the TPM
611 * Once locked the data cannot be written until after a reboot
614 * @index Index of data to lock
615 * Return: code of the operation
617 u32 tpm2_write_lock(struct udevice *dev, u32 index);
620 * Disable access to any platform data
622 * This can be called to close off access to the firmware data in the data,
623 * before calling the kernel.
626 * Return: code of the operation
628 u32 tpm2_disable_platform_hierarchy(struct udevice *dev);
631 * submit user specified data to the TPM and get response
634 * @sendbuf: Buffer of the data to send
635 * @recvbuf: Buffer to save the response to
636 * @recv_size: Pointer to the size of the response buffer
638 * Return: code of the operation
640 u32 tpm2_submit_command(struct udevice *dev, const u8 *sendbuf,
641 u8 *recvbuf, size_t *recv_size);
644 * tpm_cr50_report_state() - Report the Cr50 internal state
647 * @vendor_cmd: Vendor command number to send
648 * @vendor_subcmd: Vendor sub-command number to send
649 * @recvbuf: Buffer to save the response to
650 * @recv_size: Pointer to the size of the response buffer
651 * Return: result of the operation
653 u32 tpm2_report_state(struct udevice *dev, uint vendor_cmd, uint vendor_subcmd,
654 u8 *recvbuf, size_t *recv_size);
657 * tpm2_enable_nvcommits() - Tell TPM to commit NV data immediately
659 * For Chromium OS verified boot, we may reboot or reset at different times,
660 * possibly leaving non-volatile data unwritten by the TPM.
662 * This vendor command is used to indicate that non-volatile data should be
663 * written to its store immediately.
666 * @vendor_cmd: Vendor command number to send
667 * @vendor_subcmd: Vendor sub-command number to send
668 * Return: result of the operation
670 u32 tpm2_enable_nvcommits(struct udevice *dev, uint vendor_cmd,
674 * tpm2_auto_start() - start up the TPM and perform selftests.
675 * If a testable function has not been tested and is
676 * requested the TPM2 will return TPM_RC_NEEDS_TEST.
678 * @param dev TPM device
679 * Return: TPM2_RC_TESTING, if TPM2 self-test is in progress.
680 * TPM2_RC_SUCCESS, if testing of all functions is complete without
681 * functional failures.
682 * TPM2_RC_FAILURE, if any test failed.
683 * TPM2_RC_INITIALIZE, if the TPM has not gone through the Startup
687 u32 tpm2_auto_start(struct udevice *dev);
690 * tpm2_name_to_algorithm() - Return an algorithm id given a supported
693 * @name: algorithm name
694 * Return: enum tpm2_algorithms or -EINVAL
696 enum tpm2_algorithms tpm2_name_to_algorithm(const char *name);
699 * tpm2_algorithm_name() - Return an algorithm name string for a
700 * supported algorithm id
702 * @algorithm_id: algorithm defined in enum tpm2_algorithms
703 * Return: algorithm name string or ""
705 const char *tpm2_algorithm_name(enum tpm2_algorithms);
708 * tpm2_algorithm_to_len() - Return an algorithm length for supported algorithm id
710 * @algorithm_id: algorithm defined in enum tpm2_algorithms
711 * Return: len or 0 if not supported
713 u16 tpm2_algorithm_to_len(enum tpm2_algorithms algo);
716 * When measured boot is enabled via EFI or bootX commands all the algorithms
717 * above are selected by our Kconfigs. Due to U-Boots nature of being small there
718 * are cases where we need some functionality from the TPM -- e.g storage or RNG
719 * but we don't want to support measurements.
721 * The choice of hash algorithms are determined by the platform and the TPM
722 * configuration. Failing to cap a PCR in a bank which the platform left
723 * active is a security vulnerability. It permits the unsealing of secrets
724 * if an attacker can replay a good set of measurements into an unused bank.
726 * On top of that a previous stage bootloader (e.g TF-A), migh pass an eventlog
727 * since it doesn't have a TPM driver, which U-Boot needs to replace. The algorit h
728 * choice is a compile time option in that case and we need to make sure we conform.
730 * Add a variable here that sums the supported algorithms U-Boot was compiled
731 * with so we can refuse to do measurements if we don't support all of them
735 * tpm2_allow_extend() - Check if extending PCRs is allowed and safe
738 * Return: true if allowed
740 bool tpm2_allow_extend(struct udevice *dev);
743 * tpm2_is_active_pcr() - check the pcr_select. If at least one of the PCRs
744 * supports the algorithm add it on the active ones
746 * @selection: PCR selection structure
747 * Return: True if the algorithm is active
749 bool tpm2_is_active_pcr(struct tpms_pcr_selection *selection);
751 #endif /* __TPM_V2_H */
projects / J-u-boot.git / blob