Karthik Ramasubramanian has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/59475 )
Change subject: src/security/tpm: Add TPM2_NV_Increment command ......................................................................
src/security/tpm: Add TPM2_NV_Increment command
This command is used to increment the value in an NV Index that has the TPM_NT_COUNTER attribute. The data value of the NV Index is incremented by one. Introduce the command code, structure and marshaling function.
BUG=b:205261728 TEST=Build and boot to OS in Guybrush. Ensure that when the command is applied on an appropriate NV Index, it is incremented successfully.
Change-Id: Ic86f8db5ad0926e9d1fd34a9ca5d55d884f76423 Signed-off-by: Karthikeyan Ramasubramanian kramasub@google.com --- M src/security/tpm/tss.h M src/security/tpm/tss/tcg-2.0/tss.c M src/security/tpm/tss/tcg-2.0/tss_marshaling.c M src/security/tpm/tss/tcg-2.0/tss_structures.h M src/security/tpm/tss_errors.h 5 files changed, 43 insertions(+), 0 deletions(-)
diff --git a/src/security/tpm/tss.h b/src/security/tpm/tss.h
index f68e1f4..be1db1b 100644
--- a/src/security/tpm/tss.h
+++ b/src/security/tpm/tss.h
@@ -200,4 +200,9 @@
  */
 uint32_t tlcl_get_permissions(uint32_t index, uint32_t *permissions);
+/**
+ * Increment the NVRAM Secure Counter at index.
+ */
+uint32_t tlcl_nv_increment(uint32_t index);
+
 #endif /* TSS_H_ */
diff --git a/src/security/tpm/tss/tcg-2.0/tss.c b/src/security/tpm/tss/tcg-2.0/tss.c
index 8c9d12f..1415805 100644
--- a/src/security/tpm/tss/tcg-2.0/tss.c
+++ b/src/security/tpm/tss/tcg-2.0/tss.c
@@ -343,6 +343,25 @@
 return TPM_SUCCESS;
 }
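Review bot: The header comment `Increment the NVRAM Secure Counter at index.` leaves out the contract a caller needs: `index` is an offset that tlcl_nv_increment adds to HR_NV_INDEX, the command is authorized with TPM_RH_PLATFORM (see marshal_nv_increment in the tss_marshaling.c hunk), and every TPM error comes back as TPM_E_INC_FAILURE with the real response code only printed to the log. I would extend it to: `Increment the NV counter at HR_NV_INDEX + index. Authorized with the platform hierarchy, so the index must be defined with TPMA_NV_PPWRITE and the platform hierarchy must still be enabled. Returns TPM_SUCCESS, or TPM_E_INC_FAILURE on any TPM error.` The PPWRITE requirement follows from the TPM 2.0 rule for platform-authorized NV writes rather than from anything visible in this change, so confirm it against the spec before wording it as a hard requirement.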
+uint32_t tlcl_nv_increment(uint32_t index)
+{
+ struct tpm2_response *response;
+ /* TPM Will reject attempts to increment at non-defined index. */
+ struct tpm2_nv_increment_cmd nv_inc = {
+ .nvIndex = HR_NV_INDEX + index,
+ };
+
+ response = tpm_process_command(TPM2_NV_Increment, &nv_inc);
+
+ printk(BIOS_INFO, "%s: response is %x\n",
+ __func__, response ? response->hdr.tpm_code : -1);
+
+ if (!response || response->hdr.tpm_code)
+ return TPM_E_INC_FAILURE;
+
+ return TPM_SUCCESS;
+}
+
 uint32_t tlcl_define_space(uint32_t space_index, size_t space_size,
 const TPMA_NV nv_attributes, const uint8_t *nv_policy,
 size_t nv_policy_size)
diff --git a/src/security/tpm/tss/tcg-2.0/tss_marshaling.c b/src/security/tpm/tss/tcg-2.0/tss_marshaling.c
index 83fff5f..9145e75 100644
--- a/src/security/tpm/tss/tcg-2.0/tss_marshaling.c
+++ b/src/security/tpm/tss/tcg-2.0/tss_marshaling.c
@@ -197,6 +197,14 @@
 return rc;
 }
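Review bot: The failure path `if (!response || response->hdr.tpm_code) return TPM_E_INC_FAILURE;` folds every TPM response code into one value, so a caller cannot tell an undefined index, an index without the counter attribute, a write-locked index or a disabled platform hierarchy apart, and the only trace of the real code is the preceding printk at BIOS_INFO, the same level used when the increment succeeds. A counter like this is typically what a caller relies on for rollback protection, so a failed increment deserves to be visible as an error in the log: keep the BIOS_INFO line for the success case and add `printk(BIOS_ERR, "%s: increment failed, response %x\n", __func__, response ? response->hdr.tpm_code : -1);` inside the failure branch. Collapsing the code into TPM_E_INC_FAILURE presumably mirrors the neighbouring tlcl_* functions, in which case the mapping itself is fine and only the log level is worth changing.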
+static int marshal_nv_increment(struct obuf *ob,
+ const struct tpm2_nv_increment_cmd *command_body)
+{
+ const uint32_t handles[] = { TPM_RH_PLATFORM, command_body->nvIndex };
+
+ return marshal_common_session_header(ob, handles, ARRAY_SIZE(handles));
+}
+
 static int marshal_nv_setbits(struct obuf *ob,
 const struct tpm2_nv_setbits_cmd *command_body)
 {
@@ -398,6 +406,10 @@
 rc |= marshal_nv_define_space(ob, tpm_command_body);
 break;
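Review bot: `const uint32_t handles[] = { TPM_RH_PLATFORM, command_body->nvIndex };` hard-codes the platform hierarchy as the authorizing handle, and nothing in the hunk says why; that choice is what restricts the command to indices defined with TPMA_NV_PPWRITE and to the window before the platform hierarchy is disabled. A one-line comment above the array would spare the next reader a trip to the spec: `/* Authorize via the platform hierarchy: the index must have TPMA_NV_PPWRITE set. */`. This presumably matches what marshal_nv_setbits does just below, so the behaviour is consistent and the point is documentation only. The -634 hunk adds TPM2_NV_Increment next to the other commands whose responses carry no parameters, which appears correct for this command.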
+ case TPM2_NV_Increment:
+ rc |= marshal_nv_increment(ob, tpm_command_body);
+ break;
+
 case TPM2_NV_SetBits:
 rc |= marshal_nv_setbits(ob, tpm_command_body);
 break;
@@ -634,6 +646,7 @@
 case TPM2_Clear:
 case TPM2_ClearControl:
 case TPM2_NV_DefineSpace:
+ case TPM2_NV_Increment:
 case TPM2_NV_SetBits:
 case TPM2_NV_Write:
 case TPM2_NV_WriteLock:
diff --git a/src/security/tpm/tss/tcg-2.0/tss_structures.h b/src/security/tpm/tss/tcg-2.0/tss_structures.h
index c0e354d..53bd793 100644
--- a/src/security/tpm/tss/tcg-2.0/tss_structures.h
+++ b/src/security/tpm/tss/tcg-2.0/tss_structures.h
@@ -81,6 +81,7 @@
 #define TPM2_Clear ((TPM_CC)0x00000126)
 #define TPM2_ClearControl ((TPM_CC)0x00000127)
 #define TPM2_NV_DefineSpace ((TPM_CC)0x0000012A)
+#define TPM2_NV_Increment ((TPM_CC)0x00000134)
 #define TPM2_NV_SetBits ((TPM_CC)0x00000135)
 #define TPM2_NV_Write ((TPM_CC)0x00000137)
 #define TPM2_NV_WriteLock ((TPM_CC)0x00000138)
@@ -430,4 +431,8 @@
 TPMI_YES_NO state;
 };
+struct tpm2_nv_increment_cmd {
+ TPMI_RH_NV_INDEX nvIndex;
+};
+
 #endif // TCG2_TSS_STRUCTURES_H_
diff --git a/src/security/tpm/tss_errors.h b/src/security/tpm/tss_errors.h
index 49a7405..82fc099 100644
--- a/src/security/tpm/tss_errors.h
+++ b/src/security/tpm/tss_errors.h
@@ -42,5 +42,6 @@
 #define TPM_E_HASH_ERROR ((uint32_t)0x0000500d)
 #define TPM_E_NO_SUCH_COMMAND ((uint32_t)0x0000500e)
 #define TPM_E_RANGE ((uint32_t)0x0000500f)
+#define TPM_E_INC_FAILURE ((uint32_t)0x00005010)
#endif /* TSS_ERRORS_H_ */