[coreboot-gerrit] Change in coreboot[master]: security/tpm: Refactor TSS 1.2 and 2.0 implementation

7 Nov 2017

Philipp Deppenwiese has uploaded this change for review. ( https://review.coreboot.org/22374
Change subject: security/tpm: Refactor TSS 1.2 and 2.0 implementation
......................................................................
security/tpm: Refactor TSS 1.2 and 2.0 implementation
* Move TPM kconfig options into security/tpm.
* Fix structures and commands wording.
* Move cr50 specific functions into standalone directory.
Change-Id: I97bbc7b7b025500b49c743b0c303543c33627c88
Signed-off-by: Philipp Deppenwiese zaolin@das-labor.org
---
M src/drivers/pc80/tpm/Kconfig
M src/security/tpm/Kconfig
M src/security/tpm/Makefile.inc
M src/security/tpm/tis.h
M src/security/tpm/tss.h
A src/security/tpm/tss/cr50/tss.c
M src/security/tpm/tss/tcg-1.2/tss.c
A src/security/tpm/tss/tcg-1.2/tss_commands.h
M src/security/tpm/tss/tcg-1.2/tss_structures.h
M src/security/tpm/tss/tcg-2.0/tss.c
D src/security/tpm/tss_constants.h
11 files changed, 348 insertions(+), 315 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/74/22374/1

diff --git a/src/drivers/pc80/tpm/Kconfig b/src/drivers/pc80/tpm/Kconfig
index 3bd9083..ba8dbeb 100644
--- a/src/drivers/pc80/tpm/Kconfig
+++ b/src/drivers/pc80/tpm/Kconfig
@@ -24,25 +24,3 @@
    help
      This can be used to specify a PIRQ to use instead of SERIRQ,
      which is needed for SPI TPM interrupt support on x86.
-
-config TPM_INIT_FAILURE_IS_FATAL
-	bool
-	default n
-	depends on LPC_TPM
-	help
-	  What to do if TPM init failed. If true, force a hard reset,
-	  otherwise just log error message to console.
-
-config SKIP_TPM_STARTUP_ON_NORMAL_BOOT
-	bool
-	default n
-	depends on LPC_TPM
-	help
-	  Skip TPM init on normal boot. Useful if payload does TPM init.
-
-config TPM_DEACTIVATE
-	bool "Deactivate TPM"
-	default n
-	depends on LPC_TPM
-	help
-	  Deactivate TPM by issuing deactivate command.
diff --git a/src/security/tpm/Kconfig b/src/security/tpm/Kconfig
index 111f91a..a2a6e61 100644
--- a/src/security/tpm/Kconfig
+++ b/src/security/tpm/Kconfig
@@ -66,4 +66,26 @@
      compliant with version 2 TCG TPM specification. Could be connected
      over LPC, SPI or I2C.
+config TPM_INIT_FAILURE_IS_FATAL
+	bool
+	default n
+	depends on LPC_TPM
+	help
+	  What to do if TPM init failed. If true, force a hard reset,
+	  otherwise just log error message to console.
+
+config SKIP_TPM_STARTUP_ON_NORMAL_BOOT
+	bool
+	default n
+	depends on LPC_TPM
+	help
+	  Skip TPM init on normal boot. Useful if payload does TPM init.
+
+config TPM_DEACTIVATE
+	bool "Deactivate TPM"
+	default n
+	depends on (TPM || TPM2) && !VBOOT
+	help
+	  Deactivate TPM by issuing deactivate command.
+
 endmenu # Trusted Platform Module (tpm)
diff --git a/src/security/tpm/Makefile.inc b/src/security/tpm/Makefile.inc
index 66d6771..b0d633a 100644
--- a/src/security/tpm/Makefile.inc
+++ b/src/security/tpm/Makefile.inc
@@ -14,6 +14,14 @@
 ramstage-$(CONFIG_TPM2) += tss/tcg-2.0/tss_marshaling.c
 ramstage-$(CONFIG_TPM2) += tss/tcg-2.0/tss.c
+ifeq ($(CONFIG_MAINBOARD_HAS_TPM_CR50),y)
+
+verstage-y += tss/cr50/tss.c
+ramstage-y += tss/cr50/tss.c
+romstage-y += tss/cr50/tss.c
+
+endif # CONFIG_MAINBOARD_HAS_TPM_CR50
+
 endif # CONFIG_VBOOT
## TSPI
diff --git a/src/security/tpm/tis.h b/src/security/tpm/tis.h
index 6906ce3..c410838 100644
--- a/src/security/tpm/tis.h
+++ b/src/security/tpm/tis.h
@@ -88,8 +88,6 @@
 int tis_sendrecv(const u8 *sendbuf, size_t send_size, u8 *recvbuf,
    		size_t *recv_len);
-void init_tpm(int s3resume);
-
 /*
  * tis_plat_irq_status()
  *
diff --git a/src/security/tpm/tss.h b/src/security/tpm/tss.h
index 8f3f1cb..c680a33 100644
--- a/src/security/tpm/tss.h
+++ b/src/security/tpm/tss.h
@@ -14,7 +14,11 @@
 #include <stdint.h>
 #include <types.h>
-#include "tss_constants.h"
+#ifdef CONFIG_TPM
+#include <security/tpm/tss/tcg-1.2/tss_structures.h>
+#else
+#include <security/tpm/tss/tcg-2.0/tss_structures.h>
+#endif
/*****************************************************************************/
 /* Functions implemented in tlcl.c */
diff --git a/src/security/tpm/tss/cr50/tss.c b/src/security/tpm/tss/cr50/tss.c
new file mode 100644
index 0000000..ffc4326
--- /dev/null
+++ b/src/security/tpm/tss/cr50/tss.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright 2016 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include <arch/early_variables.h>
+#include <console/console.h>
+#include <endian.h>
+#include <string.h>
+#include <vb2_api.h>
+#include <security/tpm/tddl.h>
+
+#include "../tcg-2.0/tss_structures.h"
+#include "../tcg-2.0/tss_marshaling.h"
+
+// Forward declaration for CR50 use
+void *tpm_process_command(TPM_CC command, void *command_body);
+
+uint32_t tlcl_cr50_enable_nvcommits(void)
+{
+	uint16_t sub_command = TPM2_CR50_SUB_CMD_NVMEM_ENABLE_COMMITS;
+	struct tpm2_response *response;
+
+	printk(BIOS_INFO, "Enabling cr50 nvmem commmits\n");
+
+	response = tpm_process_command(TPM2_CR50_VENDOR_COMMAND, &sub_command);
+
+	if (response == NULL || (response && response->hdr.tpm_code)) {
+		if (response)
+			printk(BIOS_INFO, "%s: failed %x\n", __func__,
+				response->hdr.tpm_code);
+		else
+			printk(BIOS_INFO, "%s: failed\n", __func__);
+		return TPM_E_IOERROR;
+	}
+	return TPM_SUCCESS;
+}
+
+uint32_t tlcl_cr50_enable_update(uint16_t timeout_ms,
+				 uint8_t *num_restored_headers)
+{
+	struct tpm2_response *response;
+	uint16_t command_body[] = {
+		TPM2_CR50_SUB_CMD_TURN_UPDATE_ON, timeout_ms
+	};
+
+	printk(BIOS_INFO, "Checking cr50 for pending updates\n");
+
+	response = tpm_process_command(TPM2_CR50_VENDOR_COMMAND, command_body);
+
+	if (!response || response->hdr.tpm_code)
+		return TPM_E_INTERNAL_INCONSISTENCY;
+
+	*num_restored_headers = response->vcr.num_restored_headers;
+	return TPM_SUCCESS;
+}
diff --git a/src/security/tpm/tss/tcg-1.2/tss.c b/src/security/tpm/tss/tcg-1.2/tss.c
index b7b2d94..b6a61c1 100644
--- a/src/security/tpm/tss/tcg-1.2/tss.c
+++ b/src/security/tpm/tss/tcg-1.2/tss.c
@@ -20,8 +20,9 @@
 #include <security/tpm/tis.h>
 #include <vb2_api.h>
 #include <security/tpm/tss.h>
+
 #include "tss_internal.h"
-#include "tss_structures.h"
+#include "tss_commands.h"
#ifdef FOR_TEST
 #include <stdio.h>
diff --git a/src/security/tpm/tss/tcg-1.2/tss_commands.h b/src/security/tpm/tss/tcg-1.2/tss_commands.h
new file mode 100644
index 0000000..880864e
--- /dev/null
+++ b/src/security/tpm/tss/tcg-1.2/tss_commands.h
@@ -0,0 +1,164 @@
+/* This file is automatically generated */
+
+const struct s_tpm_extend_cmd{
+	uint8_t buffer[34];
+	uint16_t pcrNum;
+	uint16_t inDigest;
+} tpm_extend_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0x22, 0x0, 0x0, 0x0, 0x14, },
+10, 14, };
+
+const struct s_tpm_get_random_cmd{
+	uint8_t buffer[14];
+	uint16_t bytesRequested;
+} tpm_get_random_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0xe, 0x0, 0x0, 0x0, 0x46, },
+10, };
+
+const struct s_tpm_getownership_cmd{
+	uint8_t buffer[22];
+} tpm_getownership_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0x65,
+	0x0, 0x0, 0x0, 0x5, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x1, 0x11, },
+};
+
+const struct s_tpm_getpermissions_cmd{
+	uint8_t buffer[22];
+	uint16_t index;
+} tpm_getpermissions_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0x65,
+	0x0, 0x0, 0x0, 0x11, 0x0, 0x0, 0x0, 0x4, },
+18, };
+
+const struct s_tpm_getstclearflags_cmd{
+	uint8_t buffer[22];
+} tpm_getstclearflags_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0x65,
+	0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x1, 0x9, },
+};
+
+const struct s_tpm_getflags_cmd{
+	uint8_t buffer[22];
+} tpm_getflags_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0x65,
+	0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x1, 0x8, },
+};
+
+const struct s_tpm_physicalsetdeactivated_cmd{
+	uint8_t buffer[11];
+	uint16_t deactivated;
+} tpm_physicalsetdeactivated_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xb, 0x0, 0x0, 0x0, 0x72, },
+10, };
+
+const struct s_tpm_physicalenable_cmd{
+	uint8_t buffer[10];
+} tpm_physicalenable_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x6f, },
+};
+
+const struct s_tpm_physicaldisable_cmd{
+	uint8_t buffer[10];
+} tpm_physicaldisable_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x70, },
+};
+
+const struct s_tpm_forceclear_cmd{
+	uint8_t buffer[10];
+} tpm_forceclear_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x5d, },
+};
+
+const struct s_tpm_readpubek_cmd{
+	uint8_t buffer[30];
+} tpm_readpubek_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0x1e, 0x0, 0x0, 0x0, 0x7c, },
+};
+
+const struct s_tpm_continueselftest_cmd{
+	uint8_t buffer[10];
+} tpm_continueselftest_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x53, },
+};
+
+const struct s_tpm_selftestfull_cmd{
+	uint8_t buffer[10];
+} tpm_selftestfull_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x50, },
+};
+
+const struct s_tpm_resume_cmd{
+	uint8_t buffer[12];
+} tpm_resume_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x99, 0x0, 0x2, },
+};
+
+const struct s_tpm_savestate_cmd{
+	uint8_t buffer[10];
+} tpm_savestate_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x98, },
+};
+
+const struct s_tpm_startup_cmd{
+	uint8_t buffer[12];
+} tpm_startup_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x99, 0x0, 0x1, },
+};
+
+const struct s_tpm_finalizepp_cmd{
+	uint8_t buffer[12];
+} tpm_finalizepp_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x40, 0x0, 0x0, 0xa, 0x2, 0xa0, },
+};
+
+const struct s_tpm_pplock_cmd{
+	uint8_t buffer[12];
+} tpm_pplock_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x40, 0x0, 0x0, 0xa, 0x0, 0x4, },
+};
+
+const struct s_tpm_ppenable_cmd{
+	uint8_t buffer[12];
+} tpm_ppenable_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x40, 0x0, 0x0, 0xa, 0x0, 0x20, },
+};
+
+const struct s_tpm_ppassert_cmd{
+	uint8_t buffer[12];
+} tpm_ppassert_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x40, 0x0, 0x0, 0xa, 0x0, 0x8, },
+};
+
+const struct s_tpm_pcr_read_cmd{
+	uint8_t buffer[14];
+	uint16_t pcrNum;
+} tpm_pcr_read_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0xe, 0x0, 0x0, 0x0, 0x15, },
+10, };
+
+const struct s_tpm_nv_read_cmd{
+	uint8_t buffer[22];
+	uint16_t index;
+	uint16_t length;
+} tpm_nv_read_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0xcf, },
+10, 18, };
+
+const struct s_tpm_nv_write_cmd{
+	uint8_t buffer[256];
+	uint16_t index;
+	uint16_t length;
+	uint16_t data;
+} tpm_nv_write_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xcd, },
+10, 18, 22, };
+
+const struct s_tpm_nv_definespace_cmd{
+	uint8_t buffer[101];
+	uint16_t index;
+	uint16_t perm;
+	uint16_t size;
+} tpm_nv_definespace_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0x65, 0x0, 0x0, 0x0, 0xcc,
+	0x0, 0x18, 0, 0, 0, 0, 0x0, 0x3, 0, 0, 0, 0x1f, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0x0, 0x3, 0, 0, 0, 0x1f, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x0, 0x17,
+	},
+	12, 70, 77,
+};
+
+const int kWriteInfoLength = 12;
+const int kNvDataPublicPermissionsOffset = 60;
diff --git a/src/security/tpm/tss/tcg-1.2/tss_structures.h b/src/security/tpm/tss/tcg-1.2/tss_structures.h
index 880864e..c06bbf7 100644
--- a/src/security/tpm/tss/tcg-1.2/tss_structures.h
+++ b/src/security/tpm/tss/tcg-1.2/tss_structures.h
@@ -1,164 +1,101 @@
-/* This file is automatically generated */
+/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ *
+ * Some TPM constants and type definitions for standalone compilation for use
+ * in the firmware
+ */
+#ifndef TCG_TSS_STRUCTURES_H_
+#define TCG_TSS_STRUCTURES_H_
-const struct s_tpm_extend_cmd{
-	uint8_t buffer[34];
-	uint16_t pcrNum;
-	uint16_t inDigest;
-} tpm_extend_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0x22, 0x0, 0x0, 0x0, 0x14, },
-10, 14, };
+#include <stdint.h>
-const struct s_tpm_get_random_cmd{
-	uint8_t buffer[14];
-	uint16_t bytesRequested;
-} tpm_get_random_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0xe, 0x0, 0x0, 0x0, 0x46, },
-10, };
+#define TPM_MAX_COMMAND_SIZE 4096
+#define TPM_LARGE_ENOUGH_COMMAND_SIZE 256  /* saves space in the firmware */
+#define TPM_PUBEK_SIZE 256
+#define TPM_PCR_DIGEST 20
-const struct s_tpm_getownership_cmd{
-	uint8_t buffer[22];
-} tpm_getownership_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0x65,
-	0x0, 0x0, 0x0, 0x5, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x1, 0x11, },
-};
+#define TPM_E_NON_FATAL 0x800
-const struct s_tpm_getpermissions_cmd{
-	uint8_t buffer[22];
-	uint16_t index;
-} tpm_getpermissions_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0x65,
-	0x0, 0x0, 0x0, 0x11, 0x0, 0x0, 0x0, 0x4, },
-18, };
+#define TPM_SUCCESS ((uint32_t)0x00000000)
-const struct s_tpm_getstclearflags_cmd{
-	uint8_t buffer[22];
-} tpm_getstclearflags_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0x65,
-	0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x1, 0x9, },
-};
+#define TPM_E_AREA_LOCKED           ((uint32_t)0x0000003c)
+#define TPM_E_BADINDEX              ((uint32_t)0x00000002)
+#define TPM_E_BAD_PRESENCE          ((uint32_t)0x0000002d)
+#define TPM_E_IOERROR               ((uint32_t)0x0000001f)
+#define TPM_E_INVALID_POSTINIT      ((uint32_t)0x00000026)
+#define TPM_E_MAXNVWRITES           ((uint32_t)0x00000048)
+#define TPM_E_OWNER_SET             ((uint32_t)0x00000014)
-const struct s_tpm_getflags_cmd{
-	uint8_t buffer[22];
-} tpm_getflags_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0x65,
-	0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x1, 0x8, },
-};
+#define TPM_E_NEEDS_SELFTEST ((uint32_t)(TPM_E_NON_FATAL + 1))
+#define TPM_E_DOING_SELFTEST ((uint32_t)(TPM_E_NON_FATAL + 2))
-const struct s_tpm_physicalsetdeactivated_cmd{
-	uint8_t buffer[11];
-	uint16_t deactivated;
-} tpm_physicalsetdeactivated_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xb, 0x0, 0x0, 0x0, 0x72, },
-10, };
+#define TPM_E_ALREADY_INITIALIZED    ((uint32_t)0x00005000)  /* vboot local */
+#define TPM_E_INTERNAL_INCONSISTENCY ((uint32_t)0x00005001)  /* vboot local */
+#define TPM_E_MUST_REBOOT            ((uint32_t)0x00005002)  /* vboot local */
+#define TPM_E_CORRUPTED_STATE        ((uint32_t)0x00005003)  /* vboot local */
+#define TPM_E_COMMUNICATION_ERROR    ((uint32_t)0x00005004)  /* vboot local */
+#define TPM_E_RESPONSE_TOO_LARGE     ((uint32_t)0x00005005)  /* vboot local */
+#define TPM_E_NO_DEVICE              ((uint32_t)0x00005006)  /* vboot local */
+#define TPM_E_INPUT_TOO_SMALL        ((uint32_t)0x00005007)  /* vboot local */
+#define TPM_E_WRITE_FAILURE          ((uint32_t)0x00005008)  /* vboot local */
+#define TPM_E_READ_EMPTY             ((uint32_t)0x00005009)  /* vboot local */
+#define TPM_E_READ_FAILURE           ((uint32_t)0x0000500a)  /* vboot local */
+#define TPM_E_NV_DEFINED             ((uint32_t)0x0000500b)  /* vboot local */
-const struct s_tpm_physicalenable_cmd{
-	uint8_t buffer[10];
-} tpm_physicalenable_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x6f, },
-};
+#define TPM_NV_INDEX0 ((uint32_t)0x00000000)
+#define TPM_NV_INDEX_LOCK ((uint32_t)0xffffffff)
+#define TPM_NV_PER_GLOBALLOCK (((uint32_t)1)<<15)
+#define TPM_NV_PER_PPWRITE (((uint32_t)1)<<0)
+#define TPM_NV_PER_READ_STCLEAR (((uint32_t)1)<<31)
+#define TPM_NV_PER_WRITE_STCLEAR (((uint32_t)1)<<14)
-const struct s_tpm_physicaldisable_cmd{
-	uint8_t buffer[10];
-} tpm_physicaldisable_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x70, },
-};
+#define TPM_TAG_RQU_COMMAND       ((uint16_t) 0xc1)
+#define TPM_TAG_RQU_AUTH1_COMMAND ((uint16_t) 0xc2)
+#define TPM_TAG_RQU_AUTH2_COMMAND ((uint16_t) 0xc3)
-const struct s_tpm_forceclear_cmd{
-	uint8_t buffer[10];
-} tpm_forceclear_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x5d, },
-};
+#define TPM_TAG_RSP_COMMAND       ((uint16_t) 0xc4)
+#define TPM_TAG_RSP_AUTH1_COMMAND ((uint16_t) 0xc5)
+#define TPM_TAG_RSP_AUTH2_COMMAND ((uint16_t) 0xc6)
-const struct s_tpm_readpubek_cmd{
-	uint8_t buffer[30];
-} tpm_readpubek_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0x1e, 0x0, 0x0, 0x0, 0x7c, },
-};
+/* Some TPM2 return codes used in this library. */
+#define TPM2_RC_SUCCESS    0
+#define TPM2_RC_NV_DEFINED 0x14c
-const struct s_tpm_continueselftest_cmd{
-	uint8_t buffer[10];
-} tpm_continueselftest_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x53, },
-};
+typedef uint8_t TSS_BOOL;
+typedef uint16_t TPM_STRUCTURE_TAG;
-const struct s_tpm_selftestfull_cmd{
-	uint8_t buffer[10];
-} tpm_selftestfull_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x50, },
-};
+typedef struct tdTPM_PERMANENT_FLAGS {
+	TPM_STRUCTURE_TAG tag;
+	TSS_BOOL disable;
+	TSS_BOOL ownership;
+	TSS_BOOL deactivated;
+	TSS_BOOL readPubek;
+	TSS_BOOL disableOwnerClear;
+	TSS_BOOL allowMaintenance;
+	TSS_BOOL physicalPresenceLifetimeLock;
+	TSS_BOOL physicalPresenceHWEnable;
+	TSS_BOOL physicalPresenceCMDEnable;
+	TSS_BOOL CEKPUsed;
+	TSS_BOOL TPMpost;
+	TSS_BOOL TPMpostLock;
+	TSS_BOOL FIPS;
+	TSS_BOOL Operator;
+	TSS_BOOL enableRevokeEK;
+	TSS_BOOL nvLocked;
+	TSS_BOOL readSRKPub;
+	TSS_BOOL tpmEstablished;
+	TSS_BOOL maintenanceDone;
+	TSS_BOOL disableFullDALogicInfo;
+} TPM_PERMANENT_FLAGS;
-const struct s_tpm_resume_cmd{
-	uint8_t buffer[12];
-} tpm_resume_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x99, 0x0, 0x2, },
-};
+typedef struct tdTPM_STCLEAR_FLAGS {
+	TPM_STRUCTURE_TAG tag;
+	TSS_BOOL deactivated;
+	TSS_BOOL disableForceClear;
+	TSS_BOOL physicalPresence;
+	TSS_BOOL physicalPresenceLock;
+	TSS_BOOL bGlobalLock;
+} TPM_STCLEAR_FLAGS;
-const struct s_tpm_savestate_cmd{
-	uint8_t buffer[10];
-} tpm_savestate_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x98, },
-};
-
-const struct s_tpm_startup_cmd{
-	uint8_t buffer[12];
-} tpm_startup_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x99, 0x0, 0x1, },
-};
-
-const struct s_tpm_finalizepp_cmd{
-	uint8_t buffer[12];
-} tpm_finalizepp_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x40, 0x0, 0x0, 0xa, 0x2, 0xa0, },
-};
-
-const struct s_tpm_pplock_cmd{
-	uint8_t buffer[12];
-} tpm_pplock_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x40, 0x0, 0x0, 0xa, 0x0, 0x4, },
-};
-
-const struct s_tpm_ppenable_cmd{
-	uint8_t buffer[12];
-} tpm_ppenable_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x40, 0x0, 0x0, 0xa, 0x0, 0x20, },
-};
-
-const struct s_tpm_ppassert_cmd{
-	uint8_t buffer[12];
-} tpm_ppassert_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x40, 0x0, 0x0, 0xa, 0x0, 0x8, },
-};
-
-const struct s_tpm_pcr_read_cmd{
-	uint8_t buffer[14];
-	uint16_t pcrNum;
-} tpm_pcr_read_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0xe, 0x0, 0x0, 0x0, 0x15, },
-10, };
-
-const struct s_tpm_nv_read_cmd{
-	uint8_t buffer[22];
-	uint16_t index;
-	uint16_t length;
-} tpm_nv_read_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0xcf, },
-10, 18, };
-
-const struct s_tpm_nv_write_cmd{
-	uint8_t buffer[256];
-	uint16_t index;
-	uint16_t length;
-	uint16_t data;
-} tpm_nv_write_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xcd, },
-10, 18, 22, };
-
-const struct s_tpm_nv_definespace_cmd{
-	uint8_t buffer[101];
-	uint16_t index;
-	uint16_t perm;
-	uint16_t size;
-} tpm_nv_definespace_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0x65, 0x0, 0x0, 0x0, 0xcc,
-	0x0, 0x18, 0, 0, 0, 0, 0x0, 0x3, 0, 0, 0, 0x1f, 0, 0,
-	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-	0x0, 0x3, 0, 0, 0, 0x1f, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x0, 0x17,
-	},
-	12, 70, 77,
-};
-
-const int kWriteInfoLength = 12;
-const int kNvDataPublicPermissionsOffset = 60;
+#endif  /* TCG_TSS_STRUCTURES_H_ */
diff --git a/src/security/tpm/tss/tcg-2.0/tss.c b/src/security/tpm/tss/tcg-2.0/tss.c
index 15ce767..670d748 100644
--- a/src/security/tpm/tss/tcg-2.0/tss.c
+++ b/src/security/tpm/tss/tcg-2.0/tss.c
@@ -15,13 +15,16 @@
 #include "tss_structures.h"
 #include "tss_marshaling.h"
+// Forward declaration for CR50 use
+void *tpm_process_command(TPM_CC command, void *command_body);
+
 /*
  * This file provides interface between firmware and TPM2 device. The TPM1.2
  * API was copied as is and relevant functions modified to comply with the
  * TPM2 specification.
  */
-static void *tpm_process_command(TPM_CC command, void *command_body)
+void *tpm_process_command(TPM_CC command, void *command_body)
 {
    struct obuf ob;
    struct ibuf ib;
@@ -395,44 +398,5 @@
    if (!response || response->hdr.tpm_code)
    	return TPM_E_INTERNAL_INCONSISTENCY;
-	return TPM_SUCCESS;
-}
-
-uint32_t tlcl_cr50_enable_nvcommits(void)
-{
-	uint16_t sub_command = TPM2_CR50_SUB_CMD_NVMEM_ENABLE_COMMITS;
-	struct tpm2_response *response;
-
-	printk(BIOS_INFO, "Enabling cr50 nvmem commmits\n");
-
-	response = tpm_process_command(TPM2_CR50_VENDOR_COMMAND, &sub_command);
-
-	if (response == NULL || (response && response->hdr.tpm_code)) {
-		if (response)
-			printk(BIOS_INFO, "%s: failed %x\n", __func__,
-				response->hdr.tpm_code);
-		else
-			printk(BIOS_INFO, "%s: failed\n", __func__);
-		return TPM_E_IOERROR;
-	}
-	return TPM_SUCCESS;
-}
-
-uint32_t tlcl_cr50_enable_update(uint16_t timeout_ms,
-				 uint8_t *num_restored_headers)
-{
-	struct tpm2_response *response;
-	uint16_t command_body[] = {
-		TPM2_CR50_SUB_CMD_TURN_UPDATE_ON, timeout_ms
-	};
-
-	printk(BIOS_INFO, "Checking cr50 for pending updates\n");
-
-	response = tpm_process_command(TPM2_CR50_VENDOR_COMMAND, command_body);
-
-	if (!response || response->hdr.tpm_code)
-		return TPM_E_INTERNAL_INCONSISTENCY;
-
-	*num_restored_headers = response->vcr.num_restored_headers;
    return TPM_SUCCESS;
 }
diff --git a/src/security/tpm/tss_constants.h b/src/security/tpm/tss_constants.h
deleted file mode 100644
index 937e553..0000000
--- a/src/security/tpm/tss_constants.h
+++ /dev/null
@@ -1,100 +0,0 @@
-/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
- * Use of this source code is governed by a BSD-style license that can be
- * found in the LICENSE file.
- *
- * Some TPM constants and type definitions for standalone compilation for use
- * in the firmware
- */
-#ifndef VBOOT_REFERENCE_TSS_CONSTANTS_H_
-#define VBOOT_REFERENCE_TSS_CONSTANTS_H_
-#include <stdint.h>
-
-#define TPM_MAX_COMMAND_SIZE 4096
-#define TPM_LARGE_ENOUGH_COMMAND_SIZE 256  /* saves space in the firmware */
-#define TPM_PUBEK_SIZE 256
-#define TPM_PCR_DIGEST 20
-
-#define TPM_E_NON_FATAL 0x800
-
-#define TPM_SUCCESS ((uint32_t)0x00000000)
-
-#define TPM_E_AREA_LOCKED           ((uint32_t)0x0000003c)
-#define TPM_E_BADINDEX              ((uint32_t)0x00000002)
-#define TPM_E_BAD_PRESENCE          ((uint32_t)0x0000002d)
-#define TPM_E_IOERROR               ((uint32_t)0x0000001f)
-#define TPM_E_INVALID_POSTINIT      ((uint32_t)0x00000026)
-#define TPM_E_MAXNVWRITES           ((uint32_t)0x00000048)
-#define TPM_E_OWNER_SET             ((uint32_t)0x00000014)
-
-#define TPM_E_NEEDS_SELFTEST ((uint32_t)(TPM_E_NON_FATAL + 1))
-#define TPM_E_DOING_SELFTEST ((uint32_t)(TPM_E_NON_FATAL + 2))
-
-#define TPM_E_ALREADY_INITIALIZED    ((uint32_t)0x00005000)  /* vboot local */
-#define TPM_E_INTERNAL_INCONSISTENCY ((uint32_t)0x00005001)  /* vboot local */
-#define TPM_E_MUST_REBOOT            ((uint32_t)0x00005002)  /* vboot local */
-#define TPM_E_CORRUPTED_STATE        ((uint32_t)0x00005003)  /* vboot local */
-#define TPM_E_COMMUNICATION_ERROR    ((uint32_t)0x00005004)  /* vboot local */
-#define TPM_E_RESPONSE_TOO_LARGE     ((uint32_t)0x00005005)  /* vboot local */
-#define TPM_E_NO_DEVICE              ((uint32_t)0x00005006)  /* vboot local */
-#define TPM_E_INPUT_TOO_SMALL        ((uint32_t)0x00005007)  /* vboot local */
-#define TPM_E_WRITE_FAILURE          ((uint32_t)0x00005008)  /* vboot local */
-#define TPM_E_READ_EMPTY             ((uint32_t)0x00005009)  /* vboot local */
-#define TPM_E_READ_FAILURE           ((uint32_t)0x0000500a)  /* vboot local */
-#define TPM_E_NV_DEFINED             ((uint32_t)0x0000500b)  /* vboot local */
-
-#define TPM_NV_INDEX0 ((uint32_t)0x00000000)
-#define TPM_NV_INDEX_LOCK ((uint32_t)0xffffffff)
-#define TPM_NV_PER_GLOBALLOCK (((uint32_t)1)<<15)
-#define TPM_NV_PER_PPWRITE (((uint32_t)1)<<0)
-#define TPM_NV_PER_READ_STCLEAR (((uint32_t)1)<<31)
-#define TPM_NV_PER_WRITE_STCLEAR (((uint32_t)1)<<14)
-
-#define TPM_TAG_RQU_COMMAND       ((uint16_t) 0xc1)
-#define TPM_TAG_RQU_AUTH1_COMMAND ((uint16_t) 0xc2)
-#define TPM_TAG_RQU_AUTH2_COMMAND ((uint16_t) 0xc3)
-
-#define TPM_TAG_RSP_COMMAND       ((uint16_t) 0xc4)
-#define TPM_TAG_RSP_AUTH1_COMMAND ((uint16_t) 0xc5)
-#define TPM_TAG_RSP_AUTH2_COMMAND ((uint16_t) 0xc6)
-
-/* Some TPM2 return codes used in this library. */
-#define TPM2_RC_SUCCESS    0
-#define TPM2_RC_NV_DEFINED 0x14c
-
-typedef uint8_t TSS_BOOL;
-typedef uint16_t TPM_STRUCTURE_TAG;
-
-typedef struct tdTPM_PERMANENT_FLAGS {
-	TPM_STRUCTURE_TAG tag;
-	TSS_BOOL disable;
-	TSS_BOOL ownership;
-	TSS_BOOL deactivated;
-	TSS_BOOL readPubek;
-	TSS_BOOL disableOwnerClear;
-	TSS_BOOL allowMaintenance;
-	TSS_BOOL physicalPresenceLifetimeLock;
-	TSS_BOOL physicalPresenceHWEnable;
-	TSS_BOOL physicalPresenceCMDEnable;
-	TSS_BOOL CEKPUsed;
-	TSS_BOOL TPMpost;
-	TSS_BOOL TPMpostLock;
-	TSS_BOOL FIPS;
-	TSS_BOOL Operator;
-	TSS_BOOL enableRevokeEK;
-	TSS_BOOL nvLocked;
-	TSS_BOOL readSRKPub;
-	TSS_BOOL tpmEstablished;
-	TSS_BOOL maintenanceDone;
-	TSS_BOOL disableFullDALogicInfo;
-} TPM_PERMANENT_FLAGS;
-
-typedef struct tdTPM_STCLEAR_FLAGS {
-	TPM_STRUCTURE_TAG tag;
-	TSS_BOOL deactivated;
-	TSS_BOOL disableForceClear;
-	TSS_BOOL physicalPresence;
-	TSS_BOOL physicalPresenceLock;
-	TSS_BOOL bGlobalLock;
-} TPM_STCLEAR_FLAGS;
-
-#endif  /* VBOOT_REFERENCE_TSS_CONSTANTS_H_ */
-- 
To view, visit https://review.coreboot.org/22374
To unsubscribe, visit https://review.coreboot.org/settings

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I97bbc7b7b025500b49c743b0c303543c33627c88
Gerrit-Change-Number: 22374
Gerrit-PatchSet: 1
Gerrit-Owner: Philipp Deppenwiese zaolin.daisuki@gmail.com



    

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

[coreboot-gerrit] Change in coreboot[master]: security/tpm: Refactor TSS 1.2 and 2.0 implementation