From patchwork Thu Mar 8 15:40:20 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Miquel Raynal X-Patchwork-Id: 883202 X-Patchwork-Delegate: sjg@chromium.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.denx.de (client-ip=81.169.180.215; helo=lists.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=bootlin.com Received: from lists.denx.de (dione.denx.de [81.169.180.215]) by ozlabs.org (Postfix) with ESMTP id 3zxw1x3lhJz9shc for ; Fri, 9 Mar 2018 02:49:57 +1100 (AEDT) Received: by lists.denx.de (Postfix, from userid 105) id D5F4AC21EAE; Thu, 8 Mar 2018 15:46:25 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on lists.denx.de X-Spam-Level: X-Spam-Status: No, score=0.0 required=5.0 tests=RCVD_IN_DNSWL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.0 Received: from lists.denx.de (localhost [IPv6:::1]) by lists.denx.de (Postfix) with ESMTP id 5953AC21FBF; Thu, 8 Mar 2018 15:41:23 +0000 (UTC) Received: by lists.denx.de (Postfix, from userid 105) id 1F050C21FCF; Thu, 8 Mar 2018 15:40:56 +0000 (UTC) Received: from mail.bootlin.com (mail.bootlin.com [62.4.15.54]) by lists.denx.de (Postfix) with ESMTP id 9DD04C21FD6 for ; Thu, 8 Mar 2018 15:40:49 +0000 (UTC) Received: by mail.bootlin.com (Postfix, from userid 110) id 1086620755; Thu, 8 Mar 2018 16:40:48 +0100 (CET) Received: from localhost.localdomain (LStLambert-657-1-97-87.w90-63.abo.wanadoo.fr [90.63.216.87]) by mail.bootlin.com (Postfix) with ESMTPSA id 255C220888; Thu, 8 Mar 2018 16:40:29 +0100 (CET) From: Miquel Raynal To: u-boot@lists.denx.de Date: Thu, 8 Mar 2018 16:40:20 +0100 Message-Id: <20180308154021.25255-18-miquel.raynal@bootlin.com> X-Mailer: git-send-email 2.14.1 In-Reply-To: <20180308154021.25255-1-miquel.raynal@bootlin.com> References: <20180308154021.25255-1-miquel.raynal@bootlin.com> Subject: [U-Boot] [PATCH 17/18] tpm: add TPM2_HierarchyChangeAuth command support X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.18 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" Add support for the TPM2_HierarchyChangeAuth command. Change the command file and the help accordingly. Signed-off-by: Miquel Raynal --- cmd/tpm.c | 34 ++++++++++++++++++++++++++++++++++ include/tpm.h | 14 ++++++++++++++ lib/tpm.c | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 95 insertions(+) diff --git a/cmd/tpm.c b/cmd/tpm.c index 533da2d2ac..3c486c313b 100644 --- a/cmd/tpm.c +++ b/cmd/tpm.c @@ -555,6 +555,36 @@ static int do_tpm_force_clear(cmd_tbl_t *cmdtp, int flag, return report_return_code(tpm_force_clear(handle, pw, pw_sz)); } +static int do_tpm_change_auth(cmd_tbl_t *cmdtp, int flag, + int argc, char *const argv[]) +{ + u32 handle; + const char *newpw = argv[2]; + const char *oldpw = (argc == 3) ? NULL : argv[3]; + const ssize_t newpw_sz = strlen(newpw); + const ssize_t oldpw_sz = oldpw ? strlen(oldpw) : 0; + + if (argc < 3 || argc > 4) + return CMD_RET_USAGE; + + if (newpw_sz > TPM2_DIGEST_LENGTH || oldpw_sz > TPM2_DIGEST_LENGTH) + return -EINVAL; + + if (!strcasecmp("TPM2_RH_LOCKOUT", argv[1])) + handle = TPM2_RH_LOCKOUT; + else if (!strcasecmp("TPM2_RH_ENDORSEMENT", argv[1])) + handle = TPM2_RH_ENDORSEMENT; + else if (!strcasecmp("TPM2_RH_OWNER", argv[1])) + handle = TPM2_RH_OWNER; + else if (!strcasecmp("TPM2_RH_PLATFORM", argv[1])) + handle = TPM2_RH_PLATFORM; + else + return CMD_RET_USAGE; + + return report_return_code(tpm2_change_auth(handle, newpw, newpw_sz, + oldpw, oldpw_sz)); +} + #define TPM_COMMAND_NO_ARG(cmd) \ static int do_##cmd(cmd_tbl_t *cmdtp, int flag, \ int argc, char * const argv[]) \ @@ -959,6 +989,8 @@ static cmd_tbl_t tpm_commands[] = { do_tpm_dam_set_parameters, "", ""), U_BOOT_CMD_MKENT(force_clear, 0, 1, do_tpm_force_clear, "", ""), + U_BOOT_CMD_MKENT(change_auth, 0, 1, + do_tpm_change_auth, "", ""), U_BOOT_CMD_MKENT(physical_enable, 0, 1, do_tpm_physical_enable, "", ""), U_BOOT_CMD_MKENT(physical_disable, 0, 1, @@ -1060,6 +1092,8 @@ U_BOOT_CMD(tpm, CONFIG_SYS_MAXARGS, 1, do_tpm, " force_clear []\n" " - Issue TPM_[Force]Clear command, with one of (TPMv2 only):\n" " * TPM2_RH_LOCKOUT, TPM2_RH_PLATFORM.\n" +" change_auth []\n" +" - Change the hierarchy authorizations (TPMv2 only).\n" " tsc_physical_presence flags\n" " - Set TPM device's Physical Presence flags to .\n" "The Capability Commands:\n" diff --git a/include/tpm.h b/include/tpm.h index 4d062584f9..cc63f06634 100644 --- a/include/tpm.h +++ b/include/tpm.h @@ -60,6 +60,7 @@ enum tpm2_command_codes { TPM2_CC_SELF_TEST = 0x0143, TPM2_CC_CLEAR = 0x0126, TPM2_CC_CLEARCONTROL = 0x0127, + TPM2_CC_HIERCHANGEAUTH = 0x0129, TPM2_CC_DAM_RESET = 0x0139, TPM2_CC_DAM_PARAMETERS = 0x013A, TPM2_CC_GET_CAPABILITY = 0x017A, @@ -630,6 +631,19 @@ int tpm2_dam_set_parameters(const char *pw, const ssize_t pw_sz, */ int tpm_force_clear(u32 handle, const char *pw, const ssize_t pw_sz); +/** + * Issue a TPM2_HierarchyChangeAuthorization command. + * + * @param handle Handle + * @param newpw New password + * @param newpw_sz Length of the new password + * @param oldpw Old password + * @param oldpw_sz Length of the old password + * @return return code of the operation + */ +int tpm2_change_auth(u32 handle, const char *newpw, const ssize_t newpw_sz, + const char *oldpw, const ssize_t oldpw_sz); + /** * Issue a TPM_PhysicalEnable command. * diff --git a/lib/tpm.c b/lib/tpm.c index 1e064e6ff1..f09b9ce9eb 100644 --- a/lib/tpm.c +++ b/lib/tpm.c @@ -835,6 +835,53 @@ int tpm_force_clear(u32 handle, const char *pw, const ssize_t pw_sz) return tpm_sendrecv_command(command_v2, NULL, NULL); } +int tpm2_change_auth(u32 handle, const char *newpw, const ssize_t newpw_sz, + const char *oldpw, const ssize_t oldpw_sz) +{ + unsigned int offset = 27; + u8 command_v2[COMMAND_BUFFER_SIZE] = { + STRINGIFY16(TPM2_ST_SESSIONS), /* TAG */ + STRINGIFY32(offset + oldpw_sz + 2 + newpw_sz), /* Command len */ + STRINGIFY32(TPM2_CC_HIERCHANGEAUTH), /* Command code */ + + /* HANDLE */ + STRINGIFY32(handle), /* TPM resource handle */ + + /* AUTH_SESSION */ + STRINGIFY32(9 + oldpw_sz), /* Authorization size */ + STRINGIFY32(TPM2_RS_PW), /* Session handle */ + STRINGIFY16(0), /* Size of */ + /* (if any) */ + 0, /* Attributes: Cont/Excl/Rst */ + STRINGIFY16(oldpw_sz) /* Size of */ + /* STRING(oldpw) (if any) */ + + /* TPM2B_AUTH (TPM2B_DIGEST) */ + /* STRINGIFY16(newpw_sz) Digest size, new pw length */ + /* STRING(newpw) Digest buffer, new pw */ + }; + int ret; + + if (!is_tpmv2) + return TPM_LIB_ERROR; + + /* + * Fill the command structure starting from the first buffer: + * - the old password (if any) + * - size of the new password + * - new password + */ + ret = pack_byte_string(command_v2, sizeof(command_v2), "sws", + offset, oldpw, oldpw_sz, + offset + oldpw_sz, newpw_sz, + offset + oldpw_sz + 2, newpw, newpw_sz); + offset += oldpw_sz + 2 + newpw_sz; + if (ret) + return TPM_LIB_ERROR; + + return tpm_sendrecv_command(command_v2, NULL, NULL); +} + uint32_t tpm_physical_enable(void) { const uint8_t command[10] = {