lib: tpm: Add command to flush resources

This patch adds a function to the TPM library, which allows U-Boot to flush resources, e.g. keys, from the TPM. Signed-off-by: Mario Six <mario.six@gdsys.cc> Reviewed-by: Stefan Roese <sr@denx.de> Reviewed-by: Simon Glass <sjg@chromium.org> Signed-off-by: Stefan Roese <sr@denx.de>
2024-11-10 23:24:38 +00:00 · 2017-01-11 16:00:50 +01:00 · 2017-01-11 16:00:50 +01:00 · 7690be35de
commit 7690be35de
parent 3add68c996
5 changed files with 150 additions and 9 deletions
--- a/board/gdsys/p1022/controlcenterd-id.c
+++ b/board/gdsys/p1022/controlcenterd-id.c
@ -43,15 +43,6 @@
 #define CCDM_AUTO_FIRST_STAGE
 #endif

-/* enums from TCG specs */
-enum {
-	/* capability areas */
-	TPM_CAP_NV_INDEX	= 0x00000011,
-	TPM_CAP_HANDLE		= 0x00000014,
-	/* resource types */
-	TPM_RT_KEY	= 0x00000001,
-};
-
 /* CCDM specific contants */
 enum {
 	/* NV indices */
--- a/cmd/tpm.c
+++ b/cmd/tpm.c
@ -646,6 +646,64 @@ TPM_COMMAND_NO_ARG(tpm_end_oiap)

 #endif /* CONFIG_TPM_AUTH_SESSIONS */

+#ifdef CONFIG_TPM_FLUSH_RESOURCES
+static int do_tpm_flush(cmd_tbl_t *cmdtp, int flag, int argc,
+			char * const argv[])
+{
+	int type = 0;
+
+	if (argc != 2)
+		return CMD_RET_USAGE;
+
+	if (strcasecmp(argv[1], "key"))
+		type = TPM_RT_KEY;
+	else if (strcasecmp(argv[1], "auth"))
+		type = TPM_RT_AUTH;
+	else if (strcasecmp(argv[1], "hash"))
+		type = TPM_RT_HASH;
+	else if (strcasecmp(argv[1], "trans"))
+		type = TPM_RT_TRANS;
+	else if (strcasecmp(argv[1], "context"))
+		type = TPM_RT_CONTEXT;
+	else if (strcasecmp(argv[1], "counter"))
+		type = TPM_RT_COUNTER;
+	else if (strcasecmp(argv[1], "delegate"))
+		type = TPM_RT_DELEGATE;
+	else if (strcasecmp(argv[1], "daa_tpm"))
+		type = TPM_RT_DAA_TPM;
+	else if (strcasecmp(argv[1], "daa_v0"))
+		type = TPM_RT_DAA_V0;
+	else if (strcasecmp(argv[1], "daa_v1"))
+		type = TPM_RT_DAA_V1;
+
+	if (strcasecmp(argv[2], "all")) {
+		uint16_t res_count;
+		uint8_t buf[288];
+		uint8_t *ptr;
+		int err;
+		uint i;
+
+		/* fetch list of already loaded resources in the TPM */
+		err = tpm_get_capability(TPM_CAP_HANDLE, type, buf,
+					 sizeof(buf));
+		if (err)
+			return -1;
+		res_count = get_unaligned_be16(buf);
+		ptr = buf + 2;
+		for (i = 0; i < res_count; ++i, ptr += 4)
+			tpm_flush_specific(get_unaligned_be32(ptr), type);
+	} else {
+		uint32_t handle = simple_strtoul(argv[2], NULL, 0);
+
+		if (!handle)
+			return -1;
+		tpm_flush_specific(cpu_to_be32(handle), type);
+	}
+
+	return 0;
+}
+#endif /* CONFIG_TPM_FLUSH_RESOURCES */
+
 #define MAKE_TPM_CMD_ENTRY(cmd) \
 	U_BOOT_CMD_MKENT(cmd, 0, 1, do_tpm_ ## cmd, "", "")

@ -701,6 +759,10 @@ static cmd_tbl_t tpm_commands[] = {
 	U_BOOT_CMD_MKENT(get_pub_key_oiap, 0, 1,
 			 do_tpm_get_pub_key_oiap, "", ""),
 #endif /* CONFIG_TPM_AUTH_SESSIONS */
+#ifdef CONFIG_TPM_FLUSH_RESOURCES
+	U_BOOT_CMD_MKENT(flush, 0, 1,
+			 do_tpm_flush, "", ""),
+#endif /* CONFIG_TPM_FLUSH_RESOURCES */
 };

 static int do_tpm(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
@ -750,6 +812,14 @@ U_BOOT_CMD(tpm, CONFIG_SYS_MAXARGS, 1, do_tpm,
 "  get_capability cap_area sub_cap addr count\n"
 "    - Read <count> bytes of TPM capability indexed by <cap_area> and\n"
 "      <sub_cap> to memory address <addr>.\n"
+#ifdef CONFIG_TPM_FLUSH_RESOURCES
+"Resource management functions\n"
+"  flush resource_type id\n"
+"    - flushes a resource of type <resource_type> (may be one of key, auth,\n"
+"      hash, trans, context, counter, delegate, daa_tpm, daa_v0, daa_v1),\n"
+"      and id <id> from the TPM. Use an <id> of \"all\" to flush all\n"
+"      resources of that type.\n"
+#endif /* CONFIG_TPM_FLUSH_RESOURCES */
 #ifdef CONFIG_TPM_AUTH_SESSIONS
 "Storage functions\n"
 "  loadkey2_oiap parent_handle key_addr key_len usage_auth\n"
--- a/drivers/tpm/Kconfig
+++ b/drivers/tpm/Kconfig
@ -82,4 +82,10 @@ config TPM_ST33ZP24_SPI
 	  to the device using the standard TPM Interface Specification (TIS)
 	  protocol

+config TPM_FLUSH_RESOURCES
+	bool "Enable TPM resource flushing support"
+	depends on TPM
+	help
+	  Enable support to flush specific resources (e.g. keys) from the TPM.
+	  The functionality is available via the 'tpm' command as well.
 endmenu
--- a/include/tpm.h
+++ b/include/tpm.h
@ -47,6 +47,42 @@ enum tpm_nv_index {
 	TPM_NV_INDEX_DIR	= 0x10000001,
 };

+enum tpm_resource_type {
+	TPM_RT_KEY	= 0x00000001,
+	TPM_RT_AUTH	= 0x00000002,
+	TPM_RT_HASH	= 0x00000003,
+	TPM_RT_TRANS	= 0x00000004,
+	TPM_RT_CONTEXT	= 0x00000005,
+	TPM_RT_COUNTER	= 0x00000006,
+	TPM_RT_DELEGATE	= 0x00000007,
+	TPM_RT_DAA_TPM	= 0x00000008,
+	TPM_RT_DAA_V0	= 0x00000009,
+	TPM_RT_DAA_V1	= 0x0000000A,
+};
+
+enum tpm_capability_areas {
+	TPM_CAP_ORD		= 0x00000001,
+	TPM_CAP_ALG		= 0x00000002,
+	TPM_CAP_PID		= 0x00000003,
+	TPM_CAP_FLAG		= 0x00000004,
+	TPM_CAP_PROPERTY	= 0x00000005,
+	TPM_CAP_VERSION		= 0x00000006,
+	TPM_CAP_KEY_HANDLE	= 0x00000007,
+	TPM_CAP_CHECK_LOADED	= 0x00000008,
+	TPM_CAP_SYM_MODE	= 0x00000009,
+	TPM_CAP_KEY_STATUS	= 0x0000000C,
+	TPM_CAP_NV_LIST		= 0x0000000D,
+	TPM_CAP_MFR		= 0x00000010,
+	TPM_CAP_NV_INDEX	= 0x00000011,
+	TPM_CAP_TRANS_ALG	= 0x00000012,
+	TPM_CAP_HANDLE		= 0x00000014,
+	TPM_CAP_TRANS_ES	= 0x00000015,
+	TPM_CAP_AUTH_ENCRYPT	= 0x00000017,
+	TPM_CAP_SELECT_SIZE	= 0x00000018,
+	TPM_CAP_DA_LOGIC	= 0x00000019,
+	TPM_CAP_VERSION_VAL	= 0x0000001A,
+};
+
 #define TPM_NV_PER_GLOBALLOCK		(1U << 15)
 #define TPM_NV_PER_PPWRITE		(1U << 0)
 #define TPM_NV_PER_READ_STCLEAR		(1U << 31)
@ -594,4 +630,13 @@ uint32_t tpm_get_permanent_flags(struct tpm_permanent_flags *pflags);
 */
 uint32_t tpm_get_permissions(uint32_t index, uint32_t *perm);

+/**
+ * Flush a resource with a given handle and type from the TPM
+ *
+ * @param key_handle           handle of the resource
+ * @param resource_type                type of the resource
+ * @return return code of the operation
+ */
+uint32_t tpm_flush_specific(uint32_t key_handle, uint32_t resource_type);
+
 #endif /* __TPM_H */
--- a/lib/tpm.c
+++ b/lib/tpm.c
@ -645,6 +645,35 @@ uint32_t tpm_get_permissions(uint32_t index, uint32_t *perm)
 	return 0;
 }

+#ifdef CONFIG_TPM_FLUSH_RESOURCES
+uint32_t tpm_flush_specific(uint32_t key_handle, uint32_t resource_type)
+{
+	const uint8_t command[18] = {
+		0x00, 0xc1,             /* TPM_TAG */
+		0x00, 0x00, 0x00, 0x12, /* parameter size */
+		0x00, 0x00, 0x00, 0xba, /* TPM_COMMAND_CODE */
+		0x00, 0x00, 0x00, 0x00, /* key handle */
+		0x00, 0x00, 0x00, 0x00, /* resource type */
+	};
+	const size_t key_handle_offset = 10;
+	const size_t resource_type_offset = 14;
+	uint8_t buf[COMMAND_BUFFER_SIZE], response[COMMAND_BUFFER_SIZE];
+	size_t response_length = sizeof(response);
+	uint32_t err;
+
+	if (pack_byte_string(buf, sizeof(buf), "sdd",
+			     0, command, sizeof(command),
+			     key_handle_offset, key_handle,
+			     resource_type_offset, resource_type))
+		return TPM_LIB_ERROR;
+
+	err = tpm_sendrecv_command(buf, response, &response_length);
+	if (err)
+		return err;
+	return 0;
+}
+#endif /* CONFIG_TPM_FLUSH_RESOURCES */
+
 #ifdef CONFIG_TPM_AUTH_SESSIONS

 /**