[coreboot-gerrit] Change in coreboot[master]: security/tpm: Refactor TSS 1.2 and 2.0 implementation

Philipp Deppenwiese (Code Review) gerrit at coreboot.org
Wed Nov 8 03:13:18 CET 2017


Philipp Deppenwiese has uploaded this change for review. ( https://review.coreboot.org/22374 )


Change subject: security/tpm: Refactor TSS 1.2 and 2.0 implementation
......................................................................

security/tpm: Refactor TSS 1.2 and 2.0 implementation

* Move TPM kconfig options into security/tpm.
* Fix structures and commands wording.
* Move cr50 specific functions into standalone directory.

Change-Id: I97bbc7b7b025500b49c743b0c303543c33627c88
Signed-off-by: Philipp Deppenwiese <zaolin at das-labor.org>
---
M src/drivers/pc80/tpm/Kconfig
M src/security/tpm/Kconfig
M src/security/tpm/Makefile.inc
M src/security/tpm/tis.h
M src/security/tpm/tss.h
A src/security/tpm/tss/cr50/tss.c
M src/security/tpm/tss/tcg-1.2/tss.c
A src/security/tpm/tss/tcg-1.2/tss_commands.h
M src/security/tpm/tss/tcg-1.2/tss_structures.h
M src/security/tpm/tss/tcg-2.0/tss.c
D src/security/tpm/tss_constants.h
11 files changed, 348 insertions(+), 315 deletions(-)



  git pull ssh://review.coreboot.org:29418/coreboot refs/changes/74/22374/1

diff --git a/src/drivers/pc80/tpm/Kconfig b/src/drivers/pc80/tpm/Kconfig
index 3bd9083..ba8dbeb 100644
--- a/src/drivers/pc80/tpm/Kconfig
+++ b/src/drivers/pc80/tpm/Kconfig
@@ -24,25 +24,3 @@
 	help
 	  This can be used to specify a PIRQ to use instead of SERIRQ,
 	  which is needed for SPI TPM interrupt support on x86.
-
-config TPM_INIT_FAILURE_IS_FATAL
-	bool
-	default n
-	depends on LPC_TPM
-	help
-	  What to do if TPM init failed. If true, force a hard reset,
-	  otherwise just log error message to console.
-
-config SKIP_TPM_STARTUP_ON_NORMAL_BOOT
-	bool
-	default n
-	depends on LPC_TPM
-	help
-	  Skip TPM init on normal boot. Useful if payload does TPM init.
-
-config TPM_DEACTIVATE
-	bool "Deactivate TPM"
-	default n
-	depends on LPC_TPM
-	help
-	  Deactivate TPM by issuing deactivate command.
diff --git a/src/security/tpm/Kconfig b/src/security/tpm/Kconfig
index 111f91a..a2a6e61 100644
--- a/src/security/tpm/Kconfig
+++ b/src/security/tpm/Kconfig
@@ -66,4 +66,26 @@
 	  compliant with version 2 TCG TPM specification. Could be connected
 	  over LPC, SPI or I2C.
 
+config TPM_INIT_FAILURE_IS_FATAL
+	bool
+	default n
+	depends on LPC_TPM
+	help
+	  What to do if TPM init failed. If true, force a hard reset,
+	  otherwise just log error message to console.
+
+config SKIP_TPM_STARTUP_ON_NORMAL_BOOT
+	bool
+	default n
+	depends on LPC_TPM
+	help
+	  Skip TPM init on normal boot. Useful if payload does TPM init.
+
+config TPM_DEACTIVATE
+	bool "Deactivate TPM"
+	default n
+	depends on (TPM || TPM2) && !VBOOT
+	help
+	  Deactivate TPM by issuing deactivate command.
+
 endmenu # Trusted Platform Module (tpm)
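Review bot: `TPM_DEACTIVATE` changes its dependency from `LPC_TPM` to `(TPM || TPM2) && !VBOOT`, while the two options moved with it keep `depends on LPC_TPM`, so this hunk is not the pure move the commit message describes. The only deactivate request visible in this change (`tpm_physicalsetdeactivated_cmd`) is in the tcg-1.2 command table, so offering the option with `TPM2` looks unintended unless a 2.0 equivalent exists outside this diff; `depends on TPM && !VBOOT` would match what is shown. `TPM_INIT_FAILURE_IS_FATAL` and `SKIP_TPM_STARTUP_ON_NORMAL_BOOT` now sit in the bus-independent menu but remain unavailable for SPI and I2C TPMs. Since the first one decides whether a failed TPM init is only logged, either widen the dependency deliberately or say in the help text that with `n` the boot presumably proceeds without a working TPM.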
diff --git a/src/security/tpm/Makefile.inc b/src/security/tpm/Makefile.inc
index 66d6771..b0d633a 100644
--- a/src/security/tpm/Makefile.inc
+++ b/src/security/tpm/Makefile.inc
@@ -14,6 +14,14 @@
 ramstage-$(CONFIG_TPM2) += tss/tcg-2.0/tss_marshaling.c
 ramstage-$(CONFIG_TPM2) += tss/tcg-2.0/tss.c
 
+ifeq ($(CONFIG_MAINBOARD_HAS_TPM_CR50),y)
+
+verstage-y += tss/cr50/tss.c
+ramstage-y += tss/cr50/tss.c
+romstage-y += tss/cr50/tss.c
+
+endif # CONFIG_MAINBOARD_HAS_TPM_CR50
+
 endif # CONFIG_VBOOT
 
 ## TSPI
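Review bot: `tss/cr50/tss.c` is built for all three stages whenever `CONFIG_MAINBOARD_HAS_TPM_CR50` is `y`, but it calls `tpm_process_command()`, which lives in `tss/tcg-2.0/tss.c`, and the context lines above add that file only under `$(CONFIG_TPM2)`. Unless `MAINBOARD_HAS_TPM_CR50` always implies `TPM2` (not visible here), a cr50 board without `TPM2` would fail at link time; gating the new lines the same way, e.g. `ramstage-$(CONFIG_TPM2) += tss/cr50/tss.c`, keeps the two in step. The block also sits before `endif # CONFIG_VBOOT`, so the cr50 helpers appear to be unavailable to non-vboot builds; a one-line comment stating that this is intended would help.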
diff --git a/src/security/tpm/tis.h b/src/security/tpm/tis.h
index 6906ce3..c410838 100644
--- a/src/security/tpm/tis.h
+++ b/src/security/tpm/tis.h
@@ -88,8 +88,6 @@
 int tis_sendrecv(const u8 *sendbuf, size_t send_size, u8 *recvbuf,
 			size_t *recv_len);
 
-void init_tpm(int s3resume);
-
 /*
  * tis_plat_irq_status()
  *
diff --git a/src/security/tpm/tss.h b/src/security/tpm/tss.h
index 8f3f1cb..c680a33 100644
--- a/src/security/tpm/tss.h
+++ b/src/security/tpm/tss.h
@@ -14,7 +14,11 @@
 #include <stdint.h>
 #include <types.h>
 
-#include "tss_constants.h"
+#ifdef CONFIG_TPM
+#include <security/tpm/tss/tcg-1.2/tss_structures.h>
+#else
+#include <security/tpm/tss/tcg-2.0/tss_structures.h>
+#endif
 
 /*****************************************************************************/
 /* Functions implemented in tlcl.c */
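Review bot: `#ifdef CONFIG_TPM` tests whether the macro is defined, not whether the option is enabled. As far as I know, coreboot's generated config.h defines disabled bool options as 0, in which case this branch is always taken and TPM 2.0 boards get the tcg-1.2 structures and return codes. Test the value instead, `#if IS_ENABLED(CONFIG_TPM)`, and make the second branch explicit with `#elif IS_ENABLED(CONFIG_TPM2)` so that a build with neither option does not silently pull in the 2.0 header. The removed `tss_constants.h` supplied `TPM_SUCCESS` and the `TPM_E_*` codes to both stacks; whether tcg-2.0/tss_structures.h now defines them is not visible in this diff and should be checked.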
diff --git a/src/security/tpm/tss/cr50/tss.c b/src/security/tpm/tss/cr50/tss.c
new file mode 100644
index 0000000..ffc4326
--- /dev/null
+++ b/src/security/tpm/tss/cr50/tss.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright 2016 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+#include <arch/early_variables.h>
+#include <console/console.h>
+#include <endian.h>
+#include <string.h>
+#include <vb2_api.h>
+#include <security/tpm/tddl.h>
+
+#include "../tcg-2.0/tss_structures.h"
+#include "../tcg-2.0/tss_marshaling.h"
+
+// Forward declaration for CR50 use
+void *tpm_process_command(TPM_CC command, void *command_body);
+
+uint32_t tlcl_cr50_enable_nvcommits(void)
+{
+	uint16_t sub_command = TPM2_CR50_SUB_CMD_NVMEM_ENABLE_COMMITS;
+	struct tpm2_response *response;
+
+	printk(BIOS_INFO, "Enabling cr50 nvmem commmits\n");
+
+	response = tpm_process_command(TPM2_CR50_VENDOR_COMMAND, &sub_command);
+
+	if (response == NULL || (response && response->hdr.tpm_code)) {
+		if (response)
+			printk(BIOS_INFO, "%s: failed %x\n", __func__,
+				response->hdr.tpm_code);
+		else
+			printk(BIOS_INFO, "%s: failed\n", __func__);
+		return TPM_E_IOERROR;
+	}
+	return TPM_SUCCESS;
+}
+
+uint32_t tlcl_cr50_enable_update(uint16_t timeout_ms,
+				 uint8_t *num_restored_headers)
+{
+	struct tpm2_response *response;
+	uint16_t command_body[] = {
+		TPM2_CR50_SUB_CMD_TURN_UPDATE_ON, timeout_ms
+	};
+
+	printk(BIOS_INFO, "Checking cr50 for pending updates\n");
+
+	response = tpm_process_command(TPM2_CR50_VENDOR_COMMAND, command_body);
+
+	if (!response || response->hdr.tpm_code)
+		return TPM_E_INTERNAL_INCONSISTENCY;
+
+	*num_restored_headers = response->vcr.num_restored_headers;
+	return TPM_SUCCESS;
+}
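Review bot: The prototype `void *tpm_process_command(TPM_CC command, void *command_body);` is hand-copied into this file and again into tcg-2.0/tss.c (first hunk of that file) rather than declared in one header both include, so a later signature change in the definition would not be diagnosed at the call sites here. Move the declaration into a header under tss/tcg-2.0/ that both files include, with a comment that `command_body` must point to whatever structure the callee expects for `command`, since the `void *` gives the compiler nothing to check. Separately, `tlcl_cr50_enable_update()` returns `TPM_E_INTERNAL_INCONSISTENCY` without printing anything, and `tlcl_cr50_enable_nvcommits()` reports failure at `BIOS_INFO`; `printk(BIOS_ERR, "%s: failed\n", __func__);` on both paths would make a failed vendor command visible in the boot log.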
diff --git a/src/security/tpm/tss/tcg-1.2/tss.c b/src/security/tpm/tss/tcg-1.2/tss.c
index b7b2d94..b6a61c1 100644
--- a/src/security/tpm/tss/tcg-1.2/tss.c
+++ b/src/security/tpm/tss/tcg-1.2/tss.c
@@ -20,8 +20,9 @@
 #include <security/tpm/tis.h>
 #include <vb2_api.h>
 #include <security/tpm/tss.h>
+
 #include "tss_internal.h"
-#include "tss_structures.h"
+#include "tss_commands.h"
 
 #ifdef FOR_TEST
 #include <stdio.h>
diff --git a/src/security/tpm/tss/tcg-1.2/tss_commands.h b/src/security/tpm/tss/tcg-1.2/tss_commands.h
new file mode 100644
index 0000000..880864e
--- /dev/null
+++ b/src/security/tpm/tss/tcg-1.2/tss_commands.h
@@ -0,0 +1,164 @@
+/* This file is automatically generated */
+
+const struct s_tpm_extend_cmd{
+	uint8_t buffer[34];
+	uint16_t pcrNum;
+	uint16_t inDigest;
+} tpm_extend_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0x22, 0x0, 0x0, 0x0, 0x14, },
+10, 14, };
+
+const struct s_tpm_get_random_cmd{
+	uint8_t buffer[14];
+	uint16_t bytesRequested;
+} tpm_get_random_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0xe, 0x0, 0x0, 0x0, 0x46, },
+10, };
+
+const struct s_tpm_getownership_cmd{
+	uint8_t buffer[22];
+} tpm_getownership_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0x65,
+	0x0, 0x0, 0x0, 0x5, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x1, 0x11, },
+};
+
+const struct s_tpm_getpermissions_cmd{
+	uint8_t buffer[22];
+	uint16_t index;
+} tpm_getpermissions_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0x65,
+	0x0, 0x0, 0x0, 0x11, 0x0, 0x0, 0x0, 0x4, },
+18, };
+
+const struct s_tpm_getstclearflags_cmd{
+	uint8_t buffer[22];
+} tpm_getstclearflags_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0x65,
+	0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x1, 0x9, },
+};
+
+const struct s_tpm_getflags_cmd{
+	uint8_t buffer[22];
+} tpm_getflags_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0x65,
+	0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x1, 0x8, },
+};
+
+const struct s_tpm_physicalsetdeactivated_cmd{
+	uint8_t buffer[11];
+	uint16_t deactivated;
+} tpm_physicalsetdeactivated_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xb, 0x0, 0x0, 0x0, 0x72, },
+10, };
+
+const struct s_tpm_physicalenable_cmd{
+	uint8_t buffer[10];
+} tpm_physicalenable_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x6f, },
+};
+
+const struct s_tpm_physicaldisable_cmd{
+	uint8_t buffer[10];
+} tpm_physicaldisable_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x70, },
+};
+
+const struct s_tpm_forceclear_cmd{
+	uint8_t buffer[10];
+} tpm_forceclear_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x5d, },
+};
+
+const struct s_tpm_readpubek_cmd{
+	uint8_t buffer[30];
+} tpm_readpubek_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0x1e, 0x0, 0x0, 0x0, 0x7c, },
+};
+
+const struct s_tpm_continueselftest_cmd{
+	uint8_t buffer[10];
+} tpm_continueselftest_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x53, },
+};
+
+const struct s_tpm_selftestfull_cmd{
+	uint8_t buffer[10];
+} tpm_selftestfull_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x50, },
+};
+
+const struct s_tpm_resume_cmd{
+	uint8_t buffer[12];
+} tpm_resume_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x99, 0x0, 0x2, },
+};
+
+const struct s_tpm_savestate_cmd{
+	uint8_t buffer[10];
+} tpm_savestate_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x98, },
+};
+
+const struct s_tpm_startup_cmd{
+	uint8_t buffer[12];
+} tpm_startup_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x99, 0x0, 0x1, },
+};
+
+const struct s_tpm_finalizepp_cmd{
+	uint8_t buffer[12];
+} tpm_finalizepp_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x40, 0x0, 0x0, 0xa, 0x2, 0xa0, },
+};
+
+const struct s_tpm_pplock_cmd{
+	uint8_t buffer[12];
+} tpm_pplock_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x40, 0x0, 0x0, 0xa, 0x0, 0x4, },
+};
+
+const struct s_tpm_ppenable_cmd{
+	uint8_t buffer[12];
+} tpm_ppenable_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x40, 0x0, 0x0, 0xa, 0x0, 0x20, },
+};
+
+const struct s_tpm_ppassert_cmd{
+	uint8_t buffer[12];
+} tpm_ppassert_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x40, 0x0, 0x0, 0xa, 0x0, 0x8, },
+};
+
+const struct s_tpm_pcr_read_cmd{
+	uint8_t buffer[14];
+	uint16_t pcrNum;
+} tpm_pcr_read_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0xe, 0x0, 0x0, 0x0, 0x15, },
+10, };
+
+const struct s_tpm_nv_read_cmd{
+	uint8_t buffer[22];
+	uint16_t index;
+	uint16_t length;
+} tpm_nv_read_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0xcf, },
+10, 18, };
+
+const struct s_tpm_nv_write_cmd{
+	uint8_t buffer[256];
+	uint16_t index;
+	uint16_t length;
+	uint16_t data;
+} tpm_nv_write_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xcd, },
+10, 18, 22, };
+
+const struct s_tpm_nv_definespace_cmd{
+	uint8_t buffer[101];
+	uint16_t index;
+	uint16_t perm;
+	uint16_t size;
+} tpm_nv_definespace_cmd = {
+	{0x0, 0xc1, 0x0, 0x0, 0x0, 0x65, 0x0, 0x0, 0x0, 0xcc,
+	0x0, 0x18, 0, 0, 0, 0, 0x0, 0x3, 0, 0, 0, 0x1f, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0x0, 0x3, 0, 0, 0, 0x1f, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x0, 0x17,
+	},
+	12, 70, 77,
+};
+
+const int kWriteInfoLength = 12;
+const int kNvDataPublicPermissionsOffset = 60;
diff --git a/src/security/tpm/tss/tcg-1.2/tss_structures.h b/src/security/tpm/tss/tcg-1.2/tss_structures.h
index 880864e..c06bbf7 100644
--- a/src/security/tpm/tss/tcg-1.2/tss_structures.h
+++ b/src/security/tpm/tss/tcg-1.2/tss_structures.h
@@ -1,164 +1,101 @@
-/* This file is automatically generated */
+/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ *
+ * Some TPM constants and type definitions for standalone compilation for use
+ * in the firmware
+ */
+#ifndef TCG_TSS_STRUCTURES_H_
+#define TCG_TSS_STRUCTURES_H_
 
-const struct s_tpm_extend_cmd{
-	uint8_t buffer[34];
-	uint16_t pcrNum;
-	uint16_t inDigest;
-} tpm_extend_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0x22, 0x0, 0x0, 0x0, 0x14, },
-10, 14, };
+#include <stdint.h>
 
-const struct s_tpm_get_random_cmd{
-	uint8_t buffer[14];
-	uint16_t bytesRequested;
-} tpm_get_random_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0xe, 0x0, 0x0, 0x0, 0x46, },
-10, };
+#define TPM_MAX_COMMAND_SIZE 4096
+#define TPM_LARGE_ENOUGH_COMMAND_SIZE 256  /* saves space in the firmware */
+#define TPM_PUBEK_SIZE 256
+#define TPM_PCR_DIGEST 20
 
-const struct s_tpm_getownership_cmd{
-	uint8_t buffer[22];
-} tpm_getownership_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0x65,
-	0x0, 0x0, 0x0, 0x5, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x1, 0x11, },
-};
+#define TPM_E_NON_FATAL 0x800
 
-const struct s_tpm_getpermissions_cmd{
-	uint8_t buffer[22];
-	uint16_t index;
-} tpm_getpermissions_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0x65,
-	0x0, 0x0, 0x0, 0x11, 0x0, 0x0, 0x0, 0x4, },
-18, };
+#define TPM_SUCCESS ((uint32_t)0x00000000)
 
-const struct s_tpm_getstclearflags_cmd{
-	uint8_t buffer[22];
-} tpm_getstclearflags_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0x65,
-	0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x1, 0x9, },
-};
+#define TPM_E_AREA_LOCKED           ((uint32_t)0x0000003c)
+#define TPM_E_BADINDEX              ((uint32_t)0x00000002)
+#define TPM_E_BAD_PRESENCE          ((uint32_t)0x0000002d)
+#define TPM_E_IOERROR               ((uint32_t)0x0000001f)
+#define TPM_E_INVALID_POSTINIT      ((uint32_t)0x00000026)
+#define TPM_E_MAXNVWRITES           ((uint32_t)0x00000048)
+#define TPM_E_OWNER_SET             ((uint32_t)0x00000014)
 
-const struct s_tpm_getflags_cmd{
-	uint8_t buffer[22];
-} tpm_getflags_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0x65,
-	0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x0, 0x4, 0x0, 0x0, 0x1, 0x8, },
-};
+#define TPM_E_NEEDS_SELFTEST ((uint32_t)(TPM_E_NON_FATAL + 1))
+#define TPM_E_DOING_SELFTEST ((uint32_t)(TPM_E_NON_FATAL + 2))
 
-const struct s_tpm_physicalsetdeactivated_cmd{
-	uint8_t buffer[11];
-	uint16_t deactivated;
-} tpm_physicalsetdeactivated_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xb, 0x0, 0x0, 0x0, 0x72, },
-10, };
+#define TPM_E_ALREADY_INITIALIZED    ((uint32_t)0x00005000)  /* vboot local */
+#define TPM_E_INTERNAL_INCONSISTENCY ((uint32_t)0x00005001)  /* vboot local */
+#define TPM_E_MUST_REBOOT            ((uint32_t)0x00005002)  /* vboot local */
+#define TPM_E_CORRUPTED_STATE        ((uint32_t)0x00005003)  /* vboot local */
+#define TPM_E_COMMUNICATION_ERROR    ((uint32_t)0x00005004)  /* vboot local */
+#define TPM_E_RESPONSE_TOO_LARGE     ((uint32_t)0x00005005)  /* vboot local */
+#define TPM_E_NO_DEVICE              ((uint32_t)0x00005006)  /* vboot local */
+#define TPM_E_INPUT_TOO_SMALL        ((uint32_t)0x00005007)  /* vboot local */
+#define TPM_E_WRITE_FAILURE          ((uint32_t)0x00005008)  /* vboot local */
+#define TPM_E_READ_EMPTY             ((uint32_t)0x00005009)  /* vboot local */
+#define TPM_E_READ_FAILURE           ((uint32_t)0x0000500a)  /* vboot local */
+#define TPM_E_NV_DEFINED             ((uint32_t)0x0000500b)  /* vboot local */
 
-const struct s_tpm_physicalenable_cmd{
-	uint8_t buffer[10];
-} tpm_physicalenable_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x6f, },
-};
+#define TPM_NV_INDEX0 ((uint32_t)0x00000000)
+#define TPM_NV_INDEX_LOCK ((uint32_t)0xffffffff)
+#define TPM_NV_PER_GLOBALLOCK (((uint32_t)1)<<15)
+#define TPM_NV_PER_PPWRITE (((uint32_t)1)<<0)
+#define TPM_NV_PER_READ_STCLEAR (((uint32_t)1)<<31)
+#define TPM_NV_PER_WRITE_STCLEAR (((uint32_t)1)<<14)
 
-const struct s_tpm_physicaldisable_cmd{
-	uint8_t buffer[10];
-} tpm_physicaldisable_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x70, },
-};
+#define TPM_TAG_RQU_COMMAND       ((uint16_t) 0xc1)
+#define TPM_TAG_RQU_AUTH1_COMMAND ((uint16_t) 0xc2)
+#define TPM_TAG_RQU_AUTH2_COMMAND ((uint16_t) 0xc3)
 
-const struct s_tpm_forceclear_cmd{
-	uint8_t buffer[10];
-} tpm_forceclear_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x5d, },
-};
+#define TPM_TAG_RSP_COMMAND       ((uint16_t) 0xc4)
+#define TPM_TAG_RSP_AUTH1_COMMAND ((uint16_t) 0xc5)
+#define TPM_TAG_RSP_AUTH2_COMMAND ((uint16_t) 0xc6)
 
-const struct s_tpm_readpubek_cmd{
-	uint8_t buffer[30];
-} tpm_readpubek_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0x1e, 0x0, 0x0, 0x0, 0x7c, },
-};
+/* Some TPM2 return codes used in this library. */
+#define TPM2_RC_SUCCESS    0
+#define TPM2_RC_NV_DEFINED 0x14c
 
-const struct s_tpm_continueselftest_cmd{
-	uint8_t buffer[10];
-} tpm_continueselftest_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x53, },
-};
+typedef uint8_t TSS_BOOL;
+typedef uint16_t TPM_STRUCTURE_TAG;
 
-const struct s_tpm_selftestfull_cmd{
-	uint8_t buffer[10];
-} tpm_selftestfull_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x50, },
-};
+typedef struct tdTPM_PERMANENT_FLAGS {
+	TPM_STRUCTURE_TAG tag;
+	TSS_BOOL disable;
+	TSS_BOOL ownership;
+	TSS_BOOL deactivated;
+	TSS_BOOL readPubek;
+	TSS_BOOL disableOwnerClear;
+	TSS_BOOL allowMaintenance;
+	TSS_BOOL physicalPresenceLifetimeLock;
+	TSS_BOOL physicalPresenceHWEnable;
+	TSS_BOOL physicalPresenceCMDEnable;
+	TSS_BOOL CEKPUsed;
+	TSS_BOOL TPMpost;
+	TSS_BOOL TPMpostLock;
+	TSS_BOOL FIPS;
+	TSS_BOOL Operator;
+	TSS_BOOL enableRevokeEK;
+	TSS_BOOL nvLocked;
+	TSS_BOOL readSRKPub;
+	TSS_BOOL tpmEstablished;
+	TSS_BOOL maintenanceDone;
+	TSS_BOOL disableFullDALogicInfo;
+} TPM_PERMANENT_FLAGS;
 
-const struct s_tpm_resume_cmd{
-	uint8_t buffer[12];
-} tpm_resume_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x99, 0x0, 0x2, },
-};
+typedef struct tdTPM_STCLEAR_FLAGS {
+	TPM_STRUCTURE_TAG tag;
+	TSS_BOOL deactivated;
+	TSS_BOOL disableForceClear;
+	TSS_BOOL physicalPresence;
+	TSS_BOOL physicalPresenceLock;
+	TSS_BOOL bGlobalLock;
+} TPM_STCLEAR_FLAGS;
 
-const struct s_tpm_savestate_cmd{
-	uint8_t buffer[10];
-} tpm_savestate_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0xa, 0x0, 0x0, 0x0, 0x98, },
-};
-
-const struct s_tpm_startup_cmd{
-	uint8_t buffer[12];
-} tpm_startup_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x99, 0x0, 0x1, },
-};
-
-const struct s_tpm_finalizepp_cmd{
-	uint8_t buffer[12];
-} tpm_finalizepp_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x40, 0x0, 0x0, 0xa, 0x2, 0xa0, },
-};
-
-const struct s_tpm_pplock_cmd{
-	uint8_t buffer[12];
-} tpm_pplock_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x40, 0x0, 0x0, 0xa, 0x0, 0x4, },
-};
-
-const struct s_tpm_ppenable_cmd{
-	uint8_t buffer[12];
-} tpm_ppenable_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x40, 0x0, 0x0, 0xa, 0x0, 0x20, },
-};
-
-const struct s_tpm_ppassert_cmd{
-	uint8_t buffer[12];
-} tpm_ppassert_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0xc, 0x40, 0x0, 0x0, 0xa, 0x0, 0x8, },
-};
-
-const struct s_tpm_pcr_read_cmd{
-	uint8_t buffer[14];
-	uint16_t pcrNum;
-} tpm_pcr_read_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0xe, 0x0, 0x0, 0x0, 0x15, },
-10, };
-
-const struct s_tpm_nv_read_cmd{
-	uint8_t buffer[22];
-	uint16_t index;
-	uint16_t length;
-} tpm_nv_read_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0x16, 0x0, 0x0, 0x0, 0xcf, },
-10, 18, };
-
-const struct s_tpm_nv_write_cmd{
-	uint8_t buffer[256];
-	uint16_t index;
-	uint16_t length;
-	uint16_t data;
-} tpm_nv_write_cmd = {{0x0, 0xc1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xcd, },
-10, 18, 22, };
-
-const struct s_tpm_nv_definespace_cmd{
-	uint8_t buffer[101];
-	uint16_t index;
-	uint16_t perm;
-	uint16_t size;
-} tpm_nv_definespace_cmd = {
-	{0x0, 0xc1, 0x0, 0x0, 0x0, 0x65, 0x0, 0x0, 0x0, 0xcc,
-	0x0, 0x18, 0, 0, 0, 0, 0x0, 0x3, 0, 0, 0, 0x1f, 0, 0,
-	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-	0x0, 0x3, 0, 0, 0, 0x1f, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x0, 0x17,
-	},
-	12, 70, 77,
-};
-
-const int kWriteInfoLength = 12;
-const int kNvDataPublicPermissionsOffset = 60;
+#endif  /* TCG_TSS_STRUCTURES_H_ */
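Review bot: The new guard `TCG_TSS_STRUCTURES_H_` does not name the TPM version, and cr50/tss.c in this change includes `../tcg-2.0/tss_structures.h` while tss.h may include this file. If the 2.0 header uses the same macro (not visible here), whichever is included first silently suppresses the other. A version-specific guard such as `TCG1_TSS_STRUCTURES_H_` avoids that. The file also carries `TPM2_RC_SUCCESS` and `TPM2_RC_NV_DEFINED` over from tss_constants.h; those belong with the 2.0 definitions now that the header is 1.2-specific, and the header comment could say which TPM family the constants apply to.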
diff --git a/src/security/tpm/tss/tcg-2.0/tss.c b/src/security/tpm/tss/tcg-2.0/tss.c
index 15ce767..670d748 100644
--- a/src/security/tpm/tss/tcg-2.0/tss.c
+++ b/src/security/tpm/tss/tcg-2.0/tss.c
@@ -15,13 +15,16 @@
 #include "tss_structures.h"
 #include "tss_marshaling.h"
 
+// Forward declaration for CR50 use
+void *tpm_process_command(TPM_CC command, void *command_body);
+
 /*
  * This file provides interface between firmware and TPM2 device. The TPM1.2
  * API was copied as is and relevant functions modified to comply with the
  * TPM2 specification.
  */
 
-static void *tpm_process_command(TPM_CC command, void *command_body)
+void *tpm_process_command(TPM_CC command, void *command_body)
 {
 	struct obuf ob;
 	struct ibuf ib;
@@ -395,44 +398,5 @@
 	if (!response || response->hdr.tpm_code)
 		return TPM_E_INTERNAL_INCONSISTENCY;
 
-	return TPM_SUCCESS;
-}
-
-uint32_t tlcl_cr50_enable_nvcommits(void)
-{
-	uint16_t sub_command = TPM2_CR50_SUB_CMD_NVMEM_ENABLE_COMMITS;
-	struct tpm2_response *response;
-
-	printk(BIOS_INFO, "Enabling cr50 nvmem commmits\n");
-
-	response = tpm_process_command(TPM2_CR50_VENDOR_COMMAND, &sub_command);
-
-	if (response == NULL || (response && response->hdr.tpm_code)) {
-		if (response)
-			printk(BIOS_INFO, "%s: failed %x\n", __func__,
-				response->hdr.tpm_code);
-		else
-			printk(BIOS_INFO, "%s: failed\n", __func__);
-		return TPM_E_IOERROR;
-	}
-	return TPM_SUCCESS;
-}
-
-uint32_t tlcl_cr50_enable_update(uint16_t timeout_ms,
-				 uint8_t *num_restored_headers)
-{
-	struct tpm2_response *response;
-	uint16_t command_body[] = {
-		TPM2_CR50_SUB_CMD_TURN_UPDATE_ON, timeout_ms
-	};
-
-	printk(BIOS_INFO, "Checking cr50 for pending updates\n");
-
-	response = tpm_process_command(TPM2_CR50_VENDOR_COMMAND, command_body);
-
-	if (!response || response->hdr.tpm_code)
-		return TPM_E_INTERNAL_INCONSISTENCY;
-
-	*num_restored_headers = response->vcr.num_restored_headers;
 	return TPM_SUCCESS;
 }
diff --git a/src/security/tpm/tss_constants.h b/src/security/tpm/tss_constants.h
deleted file mode 100644
index 937e553..0000000
--- a/src/security/tpm/tss_constants.h
+++ /dev/null
@@ -1,100 +0,0 @@
-/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
- * Use of this source code is governed by a BSD-style license that can be
- * found in the LICENSE file.
- *
- * Some TPM constants and type definitions for standalone compilation for use
- * in the firmware
- */
-#ifndef VBOOT_REFERENCE_TSS_CONSTANTS_H_
-#define VBOOT_REFERENCE_TSS_CONSTANTS_H_
-#include <stdint.h>
-
-#define TPM_MAX_COMMAND_SIZE 4096
-#define TPM_LARGE_ENOUGH_COMMAND_SIZE 256  /* saves space in the firmware */
-#define TPM_PUBEK_SIZE 256
-#define TPM_PCR_DIGEST 20
-
-#define TPM_E_NON_FATAL 0x800
-
-#define TPM_SUCCESS ((uint32_t)0x00000000)
-
-#define TPM_E_AREA_LOCKED           ((uint32_t)0x0000003c)
-#define TPM_E_BADINDEX              ((uint32_t)0x00000002)
-#define TPM_E_BAD_PRESENCE          ((uint32_t)0x0000002d)
-#define TPM_E_IOERROR               ((uint32_t)0x0000001f)
-#define TPM_E_INVALID_POSTINIT      ((uint32_t)0x00000026)
-#define TPM_E_MAXNVWRITES           ((uint32_t)0x00000048)
-#define TPM_E_OWNER_SET             ((uint32_t)0x00000014)
-
-#define TPM_E_NEEDS_SELFTEST ((uint32_t)(TPM_E_NON_FATAL + 1))
-#define TPM_E_DOING_SELFTEST ((uint32_t)(TPM_E_NON_FATAL + 2))
-
-#define TPM_E_ALREADY_INITIALIZED    ((uint32_t)0x00005000)  /* vboot local */
-#define TPM_E_INTERNAL_INCONSISTENCY ((uint32_t)0x00005001)  /* vboot local */
-#define TPM_E_MUST_REBOOT            ((uint32_t)0x00005002)  /* vboot local */
-#define TPM_E_CORRUPTED_STATE        ((uint32_t)0x00005003)  /* vboot local */
-#define TPM_E_COMMUNICATION_ERROR    ((uint32_t)0x00005004)  /* vboot local */
-#define TPM_E_RESPONSE_TOO_LARGE     ((uint32_t)0x00005005)  /* vboot local */
-#define TPM_E_NO_DEVICE              ((uint32_t)0x00005006)  /* vboot local */
-#define TPM_E_INPUT_TOO_SMALL        ((uint32_t)0x00005007)  /* vboot local */
-#define TPM_E_WRITE_FAILURE          ((uint32_t)0x00005008)  /* vboot local */
-#define TPM_E_READ_EMPTY             ((uint32_t)0x00005009)  /* vboot local */
-#define TPM_E_READ_FAILURE           ((uint32_t)0x0000500a)  /* vboot local */
-#define TPM_E_NV_DEFINED             ((uint32_t)0x0000500b)  /* vboot local */
-
-#define TPM_NV_INDEX0 ((uint32_t)0x00000000)
-#define TPM_NV_INDEX_LOCK ((uint32_t)0xffffffff)
-#define TPM_NV_PER_GLOBALLOCK (((uint32_t)1)<<15)
-#define TPM_NV_PER_PPWRITE (((uint32_t)1)<<0)
-#define TPM_NV_PER_READ_STCLEAR (((uint32_t)1)<<31)
-#define TPM_NV_PER_WRITE_STCLEAR (((uint32_t)1)<<14)
-
-#define TPM_TAG_RQU_COMMAND       ((uint16_t) 0xc1)
-#define TPM_TAG_RQU_AUTH1_COMMAND ((uint16_t) 0xc2)
-#define TPM_TAG_RQU_AUTH2_COMMAND ((uint16_t) 0xc3)
-
-#define TPM_TAG_RSP_COMMAND       ((uint16_t) 0xc4)
-#define TPM_TAG_RSP_AUTH1_COMMAND ((uint16_t) 0xc5)
-#define TPM_TAG_RSP_AUTH2_COMMAND ((uint16_t) 0xc6)
-
-/* Some TPM2 return codes used in this library. */
-#define TPM2_RC_SUCCESS    0
-#define TPM2_RC_NV_DEFINED 0x14c
-
-typedef uint8_t TSS_BOOL;
-typedef uint16_t TPM_STRUCTURE_TAG;
-
-typedef struct tdTPM_PERMANENT_FLAGS {
-	TPM_STRUCTURE_TAG tag;
-	TSS_BOOL disable;
-	TSS_BOOL ownership;
-	TSS_BOOL deactivated;
-	TSS_BOOL readPubek;
-	TSS_BOOL disableOwnerClear;
-	TSS_BOOL allowMaintenance;
-	TSS_BOOL physicalPresenceLifetimeLock;
-	TSS_BOOL physicalPresenceHWEnable;
-	TSS_BOOL physicalPresenceCMDEnable;
-	TSS_BOOL CEKPUsed;
-	TSS_BOOL TPMpost;
-	TSS_BOOL TPMpostLock;
-	TSS_BOOL FIPS;
-	TSS_BOOL Operator;
-	TSS_BOOL enableRevokeEK;
-	TSS_BOOL nvLocked;
-	TSS_BOOL readSRKPub;
-	TSS_BOOL tpmEstablished;
-	TSS_BOOL maintenanceDone;
-	TSS_BOOL disableFullDALogicInfo;
-} TPM_PERMANENT_FLAGS;
-
-typedef struct tdTPM_STCLEAR_FLAGS {
-	TPM_STRUCTURE_TAG tag;
-	TSS_BOOL deactivated;
-	TSS_BOOL disableForceClear;
-	TSS_BOOL physicalPresence;
-	TSS_BOOL physicalPresenceLock;
-	TSS_BOOL bGlobalLock;
-} TPM_STCLEAR_FLAGS;
-
-#endif  /* VBOOT_REFERENCE_TSS_CONSTANTS_H_ */

-- 
To view, visit https://review.coreboot.org/22374
To unsubscribe, visit https://review.coreboot.org/settings

Gerrit-Project: coreboot
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I97bbc7b7b025500b49c743b0c303543c33627c88
Gerrit-Change-Number: 22374
Gerrit-PatchSet: 1
Gerrit-Owner: Philipp Deppenwiese <zaolin.daisuki at gmail.com>