From patchwork Wed Dec 20 07:11:28 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: "niek.nooijens@omron.com" <niek.nooijens@omron.com>
X-Patchwork-Id: 1878502
X-Patchwork-Delegate: apalos@gmail.com
Return-Path: <u-boot-bounces@lists.denx.de>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@legolas.ozlabs.org
Authentication-Results: legolas.ozlabs.org;
	dkim=fail reason="signature verification failed" (1024-bit key;
 unprotected) header.d=omron.com header.i=@omron.com header.a=rsa-sha256
 header.s=selector1 header.b=s7C4DHtM;
	dkim-atps=neutral
Authentication-Results: legolas.ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de
 (client-ip=85.214.62.61; helo=phobos.denx.de;
 envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)
Received: from phobos.denx.de (phobos.denx.de [85.214.62.61])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1))
	(No client certificate requested)
	by legolas.ozlabs.org (Postfix) with ESMTPS id 4SwCDH2Whgz20LV
	for <incoming@patchwork.ozlabs.org>; Wed, 20 Dec 2023 23:14:39 +1100 (AEDT)
Received: from h2850616.stratoserver.net (localhost [IPv6:::1])
	by phobos.denx.de (Postfix) with ESMTP id 3B13E877C4;
	Wed, 20 Dec 2023 13:13:49 +0100 (CET)
Authentication-Results: phobos.denx.de;
 dmarc=fail (p=none dis=none) header.from=omron.com
Authentication-Results: phobos.denx.de;
 spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de
Authentication-Results: phobos.denx.de;
	dkim=fail reason="signature verification failed" (1024-bit key;
 unprotected) header.d=omron.com header.i=@omron.com header.b="s7C4DHtM";
	dkim-atps=neutral
Received: by phobos.denx.de (Postfix, from userid 109)
 id E5CF9871C3; Wed, 20 Dec 2023 08:11:37 +0100 (CET)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
 DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,SPF_HELO_PASS,
 SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no
 version=3.4.2
Received: from JPN01-OS0-obe.outbound.protection.outlook.com
 (mail-os0jpn01on20701.outbound.protection.outlook.com
 [IPv6:2a01:111:f403:201a::701])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by phobos.denx.de (Postfix) with ESMTPS id 16D308700D
 for <u-boot@lists.denx.de>; Wed, 20 Dec 2023 08:11:34 +0100 (CET)
Authentication-Results: phobos.denx.de;
 dmarc=pass (p=none dis=none) header.from=omron.com
Authentication-Results: phobos.denx.de;
 spf=pass smtp.mailfrom=niek.nooijens@omron.com
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=XOWF6B14jLDGtRSfdPiVuzskAMJRdyex5dn9tEqa1wAaBejSFWvnIYupCXvtWG3uBxmeWFZut8ozO9x8LjHitMYftD6vt0YQSlFguxWFdCzfIba+D/58x8WlllTFTnEJGe3WaVm8mQwfZJjNttbRm/Z38+e0haWbeYY/x3ygrkGsrHFSbAjm+5GtsMFG2JKcFtlFQM8gzFOe4CFPPwwaKTbejr0PPm8gOrSXTFv7C3DLi/dgMuB3re+zure/JWv2P5yU5BfaKqvuakw0FKOPvibrZai0s4BtcGgPhOQm8cJjv3JX1GHSnInKASkHlYJRvabPWKt3J0iV3yk5cKBOjw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=OKbOnRaEyx4/HEqBJ+AjZP30VGQhkfOZ6IKo+deAzmo=;
 b=WQwmPY7soaw3Z10N2Rsj31X41kfl4zMUuMIXg23hCuFBJox5OlHQtyIUKGa7kAoR2/JaghETCp/zaK0VX6jDPhfQb0UDUUNXH/hM5Zp+1vXUluZwkOjW25fE2O09XNM0e+sr6jSZB6sy0coS2OY/d49CJuYkINW8Yn/Am5mHyjZ/GNeZ6dJlLv/MCkDhSaZ32bUF1vdGdqzYOB56lo5qRcz/WL5OLuz2/29eEqRJHSLbc+bKVWR/WUGhbyRouRYSP4hNwgtqx72Bp/pb/hA7dEEtUTneTGdlvKZ1c4gCS6Q9wKOG4YQqM8CwZuNLXfxyunS+p0Fzmlzne1GCGLIzaA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=omron.com; dmarc=pass action=none header.from=omron.com;
 dkim=pass header.d=omron.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=omron.com;
 s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=OKbOnRaEyx4/HEqBJ+AjZP30VGQhkfOZ6IKo+deAzmo=;
 b=s7C4DHtMh4HFsEeRqRtN4FYY7YUyuRgmj8QD3KTJ9UivnJfn5FBNdsUx6Cy4XpyxBAeDdxZb7tdnp4IqIkQ3TTioQEWdS01vF8kbJLZH0FqM8SJc58C+gwUlKDZJ7E7U9IGTuN7XT+6oQe3lZo/kLfVuCjJgCrJR+zCvmw3IJ/U=
Received: from OS3P286MB1495.JPNP286.PROD.OUTLOOK.COM (2603:1096:604:17a::14)
 by TYCP286MB3282.JPNP286.PROD.OUTLOOK.COM (2603:1096:400:2cd::12)
 with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7113.18; Wed, 20 Dec
 2023 07:11:28 +0000
Received: from OS3P286MB1495.JPNP286.PROD.OUTLOOK.COM
 ([fe80::2c3d:444b:277c:9da8]) by OS3P286MB1495.JPNP286.PROD.OUTLOOK.COM
 ([fe80::2c3d:444b:277c:9da8%4]) with mapi id 15.20.7113.016; Wed, 20 Dec 2023
 07:11:28 +0000
From: "niek.nooijens@omron.com" <niek.nooijens@omron.com>
To: "u-boot@lists.denx.de" <u-boot@lists.denx.de>,
 "ilias.apalodimas@linaro.org" <ilias.apalodimas@linaro.org>
Subject: New TPM commands.
Thread-Topic: New TPM commands.
Thread-Index: AQHaMxIjFfBQu0J6wUKDuNFIrj1EjA==
Date: Wed, 20 Dec 2023 07:11:28 +0000
Message-ID: 
 <OS3P286MB1495287ECFAC54B7800E3FCEF696A@OS3P286MB1495.JPNP286.PROD.OUTLOOK.COM>
Accept-Language: ja-JP, en-US
Content-Language: ja-JP
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
msip_labels: 
authentication-results: dkim=none (message not signed)
 header.d=none;dmarc=none action=none header.from=omron.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: OS3P286MB1495:EE_|TYCP286MB3282:EE_
x-ms-office365-filtering-correlation-id: 1bb7d634-645e-45f8-16f5-08dc012ae2e5
x-ms-exchange-atpmessageproperties: SA
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 
 D4Pa4kwj4QdBZBouAYtk35MaY2Vh3pEb01+H/lfd0g8Mo6LJ9HLYE/wt6hnPEkv5kS6b1PCCe2ugCGqdPwReXGbhbyOwzq+usslaXUHiKLplzSdx0vJOTVGshRdE5FEcQwwalTMxIxI0fav06J7NeuSSbRyiWij9ayPb1I2pSJea94ztm5QQB+nsaTBWQr5SS2UDAnX78sp6d7TxEy8EEtxrmu9GRX17ZghwdTu1Q/S+sQkkdGN1ycd/i2blCXwMmwM/EactYyYq0xgXuXoXAK3fEuOO8I5PyiGki05Dh4YK8CKDYQcEadZodUQ5kAzCOSabrZaOCXi/FHMacvoJXfPnjmjW3usocZYCWYzJMkpbcinYK/+A3s8nwLWQIa0E4BLqLQU+HHvzoDMz+G4tG286ksDzwbG2yQTX1ASeHYuQjAywS9ryc9EsPwYe9r0GFfJcHgJbABdsv8HRIsP1CPX4qTP5jf4QdXJRpiOJ/M7Cu94NQw+6ZF0k231iWpGXtJ0Xn/YgbO3LGUCe89sDonnc0lwbwdW/N66cI3oVndUc1Oibft85zc0JKBFiZK/I4HdSQxLZ/ePB7nNpl0oMqKnEVZ1esMvWwjQXueGzM4vtnobtKK15LSfAAqfzgEq4zA8bVJPgq0dN2HJSwyi08fHdOXqD+4vjqUjtaMaiTTk=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:;
 IPV:NLI; SFV:NSPM; H:OS3P286MB1495.JPNP286.PROD.OUTLOOK.COM; PTR:; CAT:NONE;
 SFS:(13230031)(136003)(346002)(366004)(39860400002)(376002)(396003)(230173577357003)(230273577357003)(64100799003)(186009)(1800799012)(451199024)(26005)(86362001)(9686003)(6506007)(55016003)(3480700007)(66946007)(33656002)(38100700002)(52536014)(7116003)(64756008)(110136005)(122000001)(76116006)(66476007)(66556008)(66446008)(83380400001)(7696005)(71200400001)(478600001)(8676002)(316002)(8936002)(19627405001)(5660300002)(30864003)(2906002)(38070700009)(41300700001);
 DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?utf-8?q?d7gZgRNtUlkiFp2ljQpdquGQcjGg?=
	=?utf-8?q?OPrDTyO3dvJVmKVO5IuLic5W+Rg2xalHjSc/pA1/NMUweRGciM+UwD7nR8lfUaBXd?=
	=?utf-8?q?CxMMJnmWmqH2cjrdONX4RGw4T91ME94UK6LpB7CeTNGN4H+lu9ycIscEKRRaNj+SY?=
	=?utf-8?q?o4Rdxrj465so05e4+AH5WiotGrOTRg78qZiwbxdbHNYhQA2EFITxLffqc1ODxiCLf?=
	=?utf-8?q?7dc76LQDipaX/qFWlTWTrLfpsuQp2Hjx8WdAbeYeEB2WVWqwW1VfomGLn5/qkUfxz?=
	=?utf-8?q?ml9ef/GRXsoxi6GP7QuVlDzS7/4M+NGdLYT7jBcZjlOhBgt+DzY7n9JEBzgeI+cl8?=
	=?utf-8?q?WCYQKTWvV4yxy63B9d8omlFO/MHh51k0+ovNyQvYfU3Bw6lp+VR5b+3Mjqq8JqoWO?=
	=?utf-8?q?k+dPLkxs2kvx8PlGn1dofto+FccUqA0PFYsqKI5nNAsBDgrfWcRv8wHDwhHXABkNi?=
	=?utf-8?q?vNCWUa88Aa6vT1l3gWxjRtoJu5GzLPi4h9/E3SjaDDzosMllH5IRL+rb1nKnxIEoB?=
	=?utf-8?q?KU4ABS4D6hoJWv67ieugKDmhTkt05DWNcE2TnBK9YBCU9q13G8gQ+sJBXqenp23tO?=
	=?utf-8?q?Zdp7EMQroPHFdp/a37CAeoIMtXWo6scterFkgHSPAcfe4AOQmXZOmZ7mV7wwejrll?=
	=?utf-8?q?z+D4ZCpJFI4ccnHpDGSvGzHc/avKWe1Ol4paZcpOeaAaM56PfDrpplPN+1+qCGrRu?=
	=?utf-8?q?rS8EyPhuB4o0HAASm78SE1df24KZuJu88tDaL3+dxw7RJjJ4/UZXaTRLOaHgEFC3Z?=
	=?utf-8?q?neSmPYjkToBFSI8pFU3WgvdaKQ1QgVjD5JeuVMHeh7xcYFCghSF3YA3pjkPm4diyF?=
	=?utf-8?q?ns570tFMi647LN59Pr2WduV35JcRNUJPymSAOuAlXW836uDSobctwUOzBATqV+VA5?=
	=?utf-8?q?fIEjQV/uGGHdLrQtYOklVhj3cAPwmTNwPuYs6BZ+Tk/OlPo7X32pyLKVLHEz3DYj3?=
	=?utf-8?q?FPtZCvQDIANvyObYEq0malaWBQpGEmq8X7+f7s5ceSGs+6O4u/OP5MpPGA2o2lPC1?=
	=?utf-8?q?x8BxeIaJZihP8d4xF4paubg0yiRNxO4gIMbv+V/VoWpqhjnxpOf0mPkuidWfC5V5G?=
	=?utf-8?q?gnY2XLsjn0GRdl89ceDbO5PQfpasJst/PqDunKAG00ArK7rbzuJhGxmw2RvFHBYjs?=
	=?utf-8?q?apifRVVL6V39VtSy1p5nESLGKksoYcgAGMTTaChroFPNgfrj4PLMDAi41/2RYCL4u?=
	=?utf-8?q?mTto9RksozbckCCbbmajAA/8D/6g4O5glOX0NrUh2kr9Ar+KuPap9KwUa0f4Ll92P?=
	=?utf-8?q?QitGICDeqvrDEHqqPPwqZGZtKHTdoCnbG9az6XZai6UhtlLvJNBbcLWO9k7tnquLP?=
	=?utf-8?q?pDLrft8QBvdIMTNdQJHVmMILp3o411eLwpSlXnsXzKGqzPPKFb6sVGCEyn1YJmHjU?=
	=?utf-8?q?n5s7V+g95FeuxdNW8ocZy1J2JEt95RWQCY2NtDcYA50XY5O6P7Htdvau+BCK4D1QK?=
	=?utf-8?q?qKui50mr1tKkhSDuLTdENZIvGgIGnVJdlOic4dzYWJIa1C324380DuCMmkdhDhUG+?=
	=?utf-8?q?HsSYo8SqdcXP?=
MIME-Version: 1.0
X-OriginatorOrg: omron.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: OS3P286MB1495.JPNP286.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 1bb7d634-645e-45f8-16f5-08dc012ae2e5
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Dec 2023 07:11:28.6223 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0ecff5a9-4bef-4a7b-96ec-a96579b4ac37
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 
 sYujEawF8scZDbzC6Da3S7xRzGm5SgNWBYqPp7rvcPGKsYg9Spc/9kdGTAFPVIldekUi3PPAvTAt2UCTqFKHHw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: TYCP286MB3282
X-Mailman-Approved-At: Wed, 20 Dec 2023 13:13:44 +0100
X-Content-Filtered-By: Mailman/MimeDel 2.1.39
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <https://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=subscribe>
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de
X-Virus-Status: Clean

Hi There

I added some new commands to the TPM2 command to allow read/writes to nv_memory. I also implemented the nv_define and nv_undefine commands so spaces can be created/deleted.
Still need to test with PCR policies, but at least for now we can store values in the TPM.

Here's the patch:

Signed-off-by: Niek Nooijens <niek.nooijens@omron.com>
================BEGIN OF PATCH==============
===================END OF PATCH================
Signed-off-by: Niek Nooijens <niek.nooijens@omron.com>

diff --git a/cmd/tpm-v2.c b/cmd/tpm-v2.c
index d93b83ada9..d2a06b9f65 100644
--- a/cmd/tpm-v2.c
+++ b/cmd/tpm-v2.c
@@ -356,6 +356,133 @@ static int do_tpm_pcr_setauthvalue(struct cmd_tbl *cmdtp, int flag,
                                          key, key_sz));
 }

+static int do_tpm_nv_define(struct cmd_tbl *cmdtp, int flag,
+              int argc, char *const argv[])
+{
+     struct udevice *dev;
+     struct tpm_chip_priv *priv;
+     u32 nv_addr, nv_size,nv_attributes, rc;
+     void *policy_addr = NULL;
+     size_t policy_size = 0;
+     int ret;
+
+     nv_attributes = 0;
+
+     if ((argc < 3 && argc > 6) || argc == 4)
+           return CMD_RET_USAGE;
+
+     ret = get_tpm(&dev);
+     if (ret)
+           return ret;
+
+     priv = dev_get_uclass_priv(dev);
+     if (!priv)
+           return -EINVAL;
+
+     nv_addr = simple_strtoul(argv[1], NULL, 0); //tpm_addr
+
+     nv_size = simple_strtoul(argv[2], NULL, 0); //size
+
+     if(argc > 3) { //attributes
+           nv_attributes = simple_strtoul(argv[3], NULL, 0);
+     } else {
+           nv_attributes = TPMA_NV_PLATFORMCREATE|TPMA_NV_OWNERWRITE|TPMA_NV_OWNERREAD|TPMA_NV_PPWRITE|TPMA_NV_PPREAD;
+     }
+
+     if(argc > 4) {//policy
+           policy_addr = map_sysmem(simple_strtoul(argv[4], NULL, 0), 0);
+           if((nv_attributes & (TPMA_NV_POLICYREAD|TPMA_NV_POLICYWRITE)) == 0) { //not sure if I should enforce this or just warn the user?
+                 printf("Warning: policy provided, but TPMA_NV_POLICYREAD and TPMA_NV_POLICYWRITE are NOT set!\n");
+           }
+           policy_size = simple_strtoul(argv[5], NULL, 0);
+     }
+
+     rc = tpm2_nv_define_space(dev, nv_addr, nv_size, nv_attributes,policy_addr, policy_size);
+
+     if (rc) {
+           printf("ERROR: nv_define #%u returns: 0x%x\n", nv_addr, rc);
+     }
+     if(argc > 4) {
+           unmap_sysmem(policy_addr);
+     }
+     return report_return_code(rc);
+}
+
+static int do_tpm_nv_undefine(struct cmd_tbl *cmdtp, int flag,
+              int argc, char *const argv[])
+{
+     struct udevice *dev;
+     u32 nv_addr,ret, rc;
+
+     ret = get_tpm(&dev);
+     if (ret)
+           return ret;
+
+     if (argc !=2)
+                 return CMD_RET_USAGE;
+     nv_addr = simple_strtoul(argv[1], NULL, 0); //tpm_addr
+     rc = tpm2_nv_undefine_space(dev, nv_addr);
+
+     return report_return_code(rc);
+}
+
+static int do_tpm_nv_read_value(struct cmd_tbl *cmdtp, int flag,
+              int argc, char *const argv[])
+{
+     struct udevice *dev;
+     u32 nv_addr, nv_size, rc;
+     int ret;
+     void *out_data;
+     ret = get_tpm(&dev);
+           if (ret)
+                 return ret;
+
+           if (argc != 4)
+                 return CMD_RET_USAGE;
+
+     nv_addr = simple_strtoul(argv[1], NULL, 0); //tpm_addr
+
+     nv_size = simple_strtoul(argv[2], NULL, 0); //size
+
+     out_data = map_sysmem(simple_strtoul(argv[3], NULL, 0), 0);
+
+     rc = tpm2_nv_read_value(dev,nv_addr, out_data, nv_size);
+
+     if (rc) {
+           printf("ERROR: nv_read #%u returns: #%u\n", nv_addr, rc);
+     }
+     unmap_sysmem(out_data);
+     return report_return_code(rc);
+}
+
+static int do_tpm_nv_write_value(struct cmd_tbl *cmdtp, int flag,
+              int argc, char *const argv[])
+{
+     struct udevice *dev;
+     u32 nv_addr, nv_size, rc;
+     int ret;
+     ret = get_tpm(&dev);
+           if (ret)
+                 return ret;
+
+           if (argc != 4)
+                 return CMD_RET_USAGE;
+
+     nv_addr = simple_strtoul(argv[1], NULL, 0); //tpm_addr
+
+     nv_size = simple_strtoul(argv[2], NULL, 0); //size
+
+     void *data_to_write = map_sysmem(simple_strtoul(argv[3], NULL, 0), 0);
+
+     rc = tpm2_nv_write_value(dev,nv_addr, data_to_write, nv_size);
+
+     if (rc) {
+           printf("ERROR: nv_read #%u returns: #%u\n", nv_addr, rc);
+     }
+     unmap_sysmem(data_to_write);
+     return report_return_code(rc);
+}
+
 static struct cmd_tbl tpm2_commands[] = {
      U_BOOT_CMD_MKENT(device, 0, 1, do_tpm_device, "", ""),
      U_BOOT_CMD_MKENT(info, 0, 1, do_tpm_info, "", ""),
@@ -374,6 +501,10 @@ static struct cmd_tbl tpm2_commands[] = {
                   do_tpm_pcr_setauthpolicy, "", ""),
      U_BOOT_CMD_MKENT(pcr_setauthvalue, 0, 1,
                   do_tpm_pcr_setauthvalue, "", ""),
+     U_BOOT_CMD_MKENT(nv_define, 0, 1, do_tpm_nv_define, "", ""),
+     U_BOOT_CMD_MKENT(nv_undefine, 0, 1, do_tpm_nv_undefine, "", ""),
+     U_BOOT_CMD_MKENT(nv_read, 0, 1, do_tpm_nv_read_value, "", ""),
+     U_BOOT_CMD_MKENT(nv_write, 0, 1, do_tpm_nv_write_value, "", ""),
 };

 struct cmd_tbl *get_tpm2_commands(unsigned int *size)
@@ -447,4 +578,22 @@ U_BOOT_CMD(tpm2, CONFIG_SYS_MAXARGS, 1, do_tpm, "Issue a TPMv2.x command",
 "    <pcr>: index of the PCR\n"
 "    <key>: secret to protect the access of PCR #<pcr>\n"
 "    <password>: optional password of the PLATFORM hierarchy\n"
+"\n"
+"nv_define <tpm_addr> <size> [<attributes>, <policy_digest_addr> <policy_size>]\n"
+"    Define new nv index in the TPM at <tpm_addr> with size <size>\n"
+"    <tpm_addr>: the internal address used within the TPM for the NV-index\n"
+"    <attributes>: is described in tpp-v2.h enum tpm_index_attrs. Note; Always use TPMA_NV_PLATFORMCREATE!\n"
+"                  will default to: TPMA_NV_PLATFORMCREATE|TPMA_NV_OWNERWRITE|TPMA_NV_OWNERREAD|TPMA_NV_PPWRITE|TPMA_NV_PPREAD\n"
+"nv_undefine <tpm_addr> \n"
+"    delete nv index \n"
+"nv_read <tpm_addr> <size> <data_addr>\n"
+"    Read data stored in TPM nv_memory at <tpm_addr> with size <size>\n"
+"    <tpm_addr>: the internal address used within the TPM for the NV-index\n"
+"    <size>: datasize in bytes\n"
+"    <data_addr>: memory address where to store the data read from the TPM\n"
+"nv_write <tpm_addr> <size> <data_addr> [<policy_digest_addr> <policy_size>]\n"
+"    Write data to the TPM's nv_memory at <tpm_addr> with size <size>\n"
+"    <tpm_addr>: the internal address used within the TPM for the NV-index\n"
+"    <size>: datasize in bytes\n"
+"    <data_addr>: memory address of the data to be written to the TPM's NV-index\n"
 );
diff --git a/include/tpm-v2.h b/include/tpm-v2.h
index 737e57551d..b9801e91eb 100644
--- a/include/tpm-v2.h
+++ b/include/tpm-v2.h
@@ -214,6 +214,7 @@ struct tcg_pcr_event2 {
      u8 event[];
 } __packed;

+
 /**
  * TPM2 Structure Tags for command/response buffers.
  *
@@ -286,6 +287,7 @@ enum tpm2_command_codes {
      TPM2_CC_CLEARCONTROL    = 0x0127,
      TPM2_CC_HIERCHANGEAUTH  = 0x0129,
      TPM2_CC_NV_DEFINE_SPACE = 0x012a,
+     TPM2_CC_NV_UNDEFINE_SPACE = 0x0122,
      TPM2_CC_PCR_SETAUTHPOL  = 0x012C,
      TPM2_CC_NV_WRITE  = 0x0137,
      TPM2_CC_NV_WRITELOCK    = 0x0138,
@@ -469,6 +471,20 @@ u32 tpm2_nv_define_space(struct udevice *dev, u32 space_index,
                   size_t space_size, u32 nv_attributes,
                   const u8 *nv_policy, size_t nv_policy_size);

+
+
+
+/**
+ * Issue a TPM_NV_UnDefineSpace command
+ *
+ * This allows a space to be removed. Needed because TPM_clear doesn't clear platform entries
+ *
+ * @dev                TPM device
+ * @space_index        index of the area
+ * Return: return code of the operation
+ */
+u32 tpm2_nv_undefine_space(struct udevice *dev, u32 space_index);
+
 /**
  * Issue a TPM2_PCR_Extend command.
  *
@@ -494,6 +510,7 @@ u32 tpm2_pcr_extend(struct udevice *dev, u32 index, u32 algorithm,
  */
 u32 tpm2_nv_read_value(struct udevice *dev, u32 index, void *data, u32 count);

+
 /**
  * Write data to the secure storage
  *
diff --git a/lib/tpm-common.c b/lib/tpm-common.c
index 82ffdc5341..fbb78a941f 100644
--- a/lib/tpm-common.c
+++ b/lib/tpm-common.c
@@ -3,7 +3,7 @@
  * Copyright (c) 2013 The Chromium OS Authors.
  * Coypright (c) 2013 Guntermann & Drunck GmbH
  */
-
+#define LOG_DEBUG
 #define LOG_CATEGORY UCLASS_TPM

 #include <common.h>
@@ -13,6 +13,8 @@
 #include <tpm-common.h>
 #include "tpm-utils.h"

+
+
 enum tpm_version tpm_get_version(struct udevice *dev)
 {
      struct tpm_chip_priv *priv = dev_get_uclass_priv(dev);
diff --git a/lib/tpm-v2.c b/lib/tpm-v2.c
index 697b982e07..9df3968033 100644
--- a/lib/tpm-v2.c
+++ b/lib/tpm-v2.c
@@ -90,7 +90,7 @@ u32 tpm2_nv_define_space(struct udevice *dev, u32 space_index,
       * chunks below.
       */
      const int platform_len = sizeof(u32);
-     const int session_hdr_len = 13;
+     const int session_hdr_len = 15;
      const int message_len = 14;
      uint offset = TPM2_HDR_LEN + platform_len + session_hdr_len +
            message_len;
@@ -103,11 +103,15 @@ u32 tpm2_nv_define_space(struct udevice *dev, u32 space_index,
            /* handles 4 bytes */
            tpm_u32(TPM2_RH_PLATFORM),    /* Primary platform seed */

-           /* session header 13 bytes */
+
+           /* session header 15 bytes */
+           /*null auth session*/
            tpm_u32(9),             /* Header size */
            tpm_u32(TPM2_RS_PW),          /* Password authorisation */
            tpm_u16(0),             /* nonce_size */
            0,                      /* session_attrs */
+           tpm_u16(0),       /* HMAC size */
+           /*end auth area*/
            tpm_u16(0),             /* auth_size */

            /* message 14 bytes + policy */
@@ -136,6 +140,35 @@ u32 tpm2_nv_define_space(struct udevice *dev, u32 space_index,
      return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
 }

+u32 tpm2_nv_undefine_space(struct udevice *dev, u32 space_index) {
+
+     const int platform_len = sizeof(u32);
+     const int session_hdr_len = 13;
+     const int message_len = 4;
+     u8 command_v2[COMMAND_BUFFER_SIZE] = {
+           /* header 10 bytes */
+           tpm_u16(TPM2_ST_SESSIONS),    /* TAG */
+           tpm_u32(TPM2_HDR_LEN + platform_len + session_hdr_len +
+                       message_len),/* Length - header + provision + index + auth area*/
+           tpm_u32(TPM2_CC_NV_UNDEFINE_SPACE),/* Command code */
+
+           /* handles 4 bytes */
+           tpm_u32(TPM2_RH_PLATFORM),    /* Primary platform seed */
+           /* nv_index */
+           tpm_u32(space_index),
+
+           /*null auth session*/
+           tpm_u32(9),             /* Header size */
+           tpm_u32(TPM2_RS_PW),          /* Password authorisation FIXME: allow PCR authorization */
+           tpm_u16(0),             /* nonce_size */
+           0,                      /* session_attrs */
+           tpm_u16(0),       /* HMAC size */
+           /*end auth area*/
+
+     };
+     return tpm_sendrecv_command(dev, command_v2, NULL, NULL);
+}
+
 u32 tpm2_pcr_extend(struct udevice *dev, u32 index, u32 algorithm,
                const u8 *digest, u32 digest_len)
 {
@@ -184,22 +217,23 @@ u32 tpm2_nv_read_value(struct udevice *dev, u32 index, void *data, u32 count)
      u8 command_v2[COMMAND_BUFFER_SIZE] = {
            /* header 10 bytes */
            tpm_u16(TPM2_ST_SESSIONS),    /* TAG */
-           tpm_u32(10 + 8 + 4 + 9 + 4),  /* Length */
+           tpm_u32(TPM2_HDR_LEN + 8 + 4 + 9 + 4),    /* Length */
            tpm_u32(TPM2_CC_NV_READ),     /* Command code */

            /* handles 8 bytes */
            tpm_u32(TPM2_RH_PLATFORM),    /* Primary platform seed */
-           tpm_u32(HR_NV_INDEX + index), /* Password authorisation */
+           tpm_u32(index),                     /*nv index*/

            /* AUTH_SESSION */
-           tpm_u32(9),             /* Authorization size */
-           tpm_u32(TPM2_RS_PW),          /* Session handle */
+           tpm_u32(9),             /* Authorization size - 4 bytes*/
+           /*auth handle - 9 bytes */
+           tpm_u32(TPM2_RS_PW),    /* Password authorisation */  /* Session handle */
            tpm_u16(0),             /* Size of <nonce> */
                                    /* <nonce> (if any) */
            0,                      /* Attributes: Cont/Excl/Rst */
            tpm_u16(0),             /* Size of <hmac/password> */
                                    /* <hmac/password> (if any) */
-
+           /*end auth handle */
            tpm_u16(count),               /* Number of bytes */
            tpm_u16(0),             /* Offset */
      };
@@ -220,11 +254,12 @@ u32 tpm2_nv_read_value(struct udevice *dev, u32 index, void *data, u32 count)
      return 0;
 }

+
 u32 tpm2_nv_write_value(struct udevice *dev, u32 index, const void *data,
                  u32 count)
 {
      struct tpm_chip_priv *priv = dev_get_uclass_priv(dev);
-     uint offset = 10 + 8 + 4 + 9 + 2;
+     uint offset = TPM2_HDR_LEN + 8 + 4 + 9 + 2;
      uint len = offset + count + 2;
      /* Use empty password auth if platform hierarchy is disabled */
      u32 auth = priv->plat_hier_disabled ? HR_NV_INDEX + index :
@@ -237,18 +272,21 @@ u32 tpm2_nv_write_value(struct udevice *dev, u32 index, const void *data,

            /* handles 8 bytes */
            tpm_u32(auth),                /* Primary platform seed */
-           tpm_u32(HR_NV_INDEX + index), /* Password authorisation */
+           tpm_u32(index),               /*nv index*/

            /* AUTH_SESSION */
-           tpm_u32(9),             /* Authorization size */
-           tpm_u32(TPM2_RS_PW),          /* Session handle */
+           tpm_u32(9),             /* Authorization size - 4 bytes */
+           /*auth handle - 9 bytes */
+           tpm_u32(TPM2_RS_PW),    /* Password authorisation */  /* Session handle */
            tpm_u16(0),             /* Size of <nonce> */
                                    /* <nonce> (if any) */
            0,                      /* Attributes: Cont/Excl/Rst */
            tpm_u16(0),             /* Size of <hmac/password> */
                                    /* <hmac/password> (if any) */
-
-           tpm_u16(count),
+           /*end auth handle */
+           tpm_u16(count),/*size of buffer - 2 bytes*/
+           /*data (buffer)*/
+           /*offset -> the octet offset into the NV Area*/
      };
      size_t response_len = COMMAND_BUFFER_SIZE;
      u8 response[COMMAND_BUFFER_SIZE];