]> git.proxmox.com Git - libtpms.git/blame - src/tpm12/tpm_constants.h
projects / libtpms.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Move common debug, memory & nvfile units to src/
[libtpms.git] / src / tpm12 / tpm_constants.h
CommitLineData
a0098eda
CB		 1/********************************************************************************/
2/* */
3/* TPM Constants */
4/* Written by Ken Goldman */
5/* IBM Thomas J. Watson Research Center */
6/* $Id: tpm_constants.h 4603 2011-08-16 20:40:26Z kgoldman $ */
7/* */
8/* (c) Copyright IBM Corporation 2006, 2010. */
9/* */
10/* All rights reserved. */
11/* */
12/* Redistribution and use in source and binary forms, with or without */
13/* modification, are permitted provided that the following conditions are */
14/* met: */
15/* */
16/* Redistributions of source code must retain the above copyright notice, */
17/* this list of conditions and the following disclaimer. */
18/* */
19/* Redistributions in binary form must reproduce the above copyright */
20/* notice, this list of conditions and the following disclaimer in the */
21/* documentation and/or other materials provided with the distribution. */
22/* */
23/* Neither the names of the IBM Corporation nor the names of its */
24/* contributors may be used to endorse or promote products derived from */
25/* this software without specific prior written permission. */
26/* */
27/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS */
28/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT */
29/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR */
30/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT */
31/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, */
32/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT */
33/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, */
34/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY */
35/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT */
36/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE */
37/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
38/********************************************************************************/
39
40#ifndef TPM_CONSTANTS_H
41#define TPM_CONSTANTS_H
42
43#include <stdint.h>
44
ccdf2457
SB		 45#include <tpm_library_intern.h>
46
a0098eda
CB		 47/*
48 NOTE implementation Specific
49*/
50
51/*
52 version, revision, specLevel, errataRev
53*/
54
55/* current for released specification revision 103 */
56
57#define TPM_REVISION_MAX 9999
58#ifndef TPM_REVISION
59#define TPM_REVISION TPM_REVISION_MAX
60#endif
61
62#if (TPM_REVISION >= 116)
63
64#define TPM_SPEC_LEVEL 0x0002 /* uint16_t The level of ordinals supported */
65#define TPM_ERRATA_REV 0x03 /* specification errata level */
66
67#elif (TPM_REVISION >= 103)
68
69#define TPM_SPEC_LEVEL 0x0002 /* uint16_t The level of ordinals supported */
70#define TPM_ERRATA_REV 0x02 /* specification errata level */
71
72#elif (TPM_REVISION >= 94)
73
74#define TPM_SPEC_LEVEL 0x0002 /* uint16_t The level of ordinals supported */
75#define TPM_ERRATA_REV 0x01 /* specification errata level */
76
77#elif (TPM_REVISION >= 85)
78
79#define TPM_SPEC_LEVEL 0x0002 /* uint16_t The level of ordinals supported */
80#define TPM_ERRATA_REV 0x00 /* specification errata level */
81
82#else
83
84#define TPM_SPEC_LEVEL 0x0001 /* uint16_t The level of ordinals supported */
85#define TPM_ERRATA_REV 0x00 /* specification errata level */
86
87#endif
88
89/* IBM specific */
90
91#if 0 /* at one time vendorID was the PCI vendor ID, this is the IBM code */
92#define TPM_VENDOR_ID "\x00\x00\x10\x14" /* BYTE[4], the vendor ID, obtained from the TCG,
93 typically PCI vendor ID */
94#endif
95
96
97
98#define TPM_VENDOR_ID "IBM" /* 4 bytes, as of rev 99 vendorID and TPM_CAP_PROP_MANUFACTURER
99 return the same value */
100#define TPM_MANUFACTURER "IBM" /* 4 characters, assigned by TCG, typically stock ticker symbol */
101
102
103/* Timeouts in microseconds. These are for the platform specific interface (e.g. the LPC bus
104 registers in the PC Client TPM). They are most likely not applicable to a software TPM. */
105#define TPM_TIMEOUT_A 1000000
106#define TPM_TIMEOUT_B 1000000
107#define TPM_TIMEOUT_C 1000000
108#define TPM_TIMEOUT_D 1000000
109
110/* dictionary attack mitigation */
111
112#define TPM_LOCKOUT_THRESHOLD 5 /* successive failures to trigger lockout, must be greater
113 than 0 */
114
115/* Denotes the duration value in microseconds of the duration of the three classes of commands:
116 Small, Medium and Long. The command types are in the Part 2 Ordinal Table. Essentially:
117
118 Long - creating an RSA key pair
119 Medium - using an RSA key
120 Short - anything else
121*/
122
123#ifndef TPM_SMALL_DURATION
124#define TPM_SMALL_DURATION 2000000
125#endif
126
127#ifndef TPM_MEDIUM_DURATION
128#define TPM_MEDIUM_DURATION 5000000
129#endif
130
131#ifndef TPM_LONG_DURATION
132#define TPM_LONG_DURATION 60000000
133#endif
134
135/* startup effects */
136
137#define TPM_STARTUP_EFFECTS_VALUE \
138(TPM_STARTUP_EFFECTS_ST_ANY_RT_KEY | /* key resources init by TPM_Startup(ST_ANY) */ \
139 TPM_STARTUP_EFFECTS_ST_STATE_RT_HASH | /* hash resources are init by TPM_Startup(ST_STATE) */ \
140 TPM_STARTUP_EFFECTS_ST_CLEAR_AUDITDIGEST) /* auditDigest nulled on TPM_Startup(ST_CLEAR) */
141
142/*
143 TPM buffer limits
144*/
145
a0098eda
CB		 146/* This is the increment by which the TPM_STORE_BUFFER grows. A larger number saves realloc's. A
147 smaller number saves memory.
148
149 TPM_ALLOC_MAX must be a multiple of this value.
150*/
151
152#define TPM_STORE_BUFFER_INCREMENT (TPM_ALLOC_MAX / 64)
153
154/* This is the maximum value of the TPM input and output packet buffer. It should be large enough
155 to accommodate the largest TPM command or response, currently about 1200 bytes. It should be
156 small enough to accommodate whatever software is driving the TPM.
157
158 NOTE: Some commands are somewhat open ended, and related to this parmater. E.g., The input size
159 for the TPM_SHA1Init. The output size for TPM_GetRandom.
160
161 It is returned by TPM_GetCapability -> TPM_CAP_PROP_INPUT_BUFFER
162*/
163
164#ifndef TPM_BUFFER_MAX
165#define TPM_BUFFER_MAX 0x1000 /* 4k bytes */
166#endif
167
ccdf2457
SB		 168#ifndef TPM_BUFFER_MIN
169#define TPM_BUFFER_MIN 0x0c00 /* 3k bytes */
170#endif
171
a0098eda
CB		 172/* Random number generator */
173
174/* maximum bytes in one TPM_GetRandom() call
175
176 Use maximum input buffer size minus tag, paramSize, returnCode, randomBytesSize.
177*/
178
ccdf2457 179#define TPM_RANDOM_MAX (TPM12_GetBufferSize() \
a0098eda
CB		 180 - sizeof(TPM_TAG) - sizeof(uint32_t) \
181 - sizeof(TPM_RESULT) - sizeof(uint32_t))
182
183/* Maximum number of bytes that can be sent to TPM_SHA1Update. Must be a multiple of 64 bytes.
184
185 Use maximum input buffer size minus tag, paramSize, ordinal, numBytes.
186*/
187
ccdf2457 188#define TPM_SHA1_MAXNUMBYTES (TPM12_GetBufferSize() - 64)
a0098eda
CB		 189
190/* extra audit status bits for TSC commands outside the normal ordinal range */
191#define TSC_PHYS_PRES_AUDIT 0x01
192#define TSC_RESET_ESTAB_AUDIT 0x02
193
194
195/* TPM_CAP_MFR capabilities */
196#define TPM_CAP_PROCESS_ID 0x00000020
197
198
199/* define a value for an illegal instance handle */
200
201#define TPM_ILLEGAL_INSTANCE_HANDLE 0xffffffff
202
203/*
204 NOTE End Implementation Specific
205*/
206
207/* 3. Structure Tags rev 105
208
209 There have been some indications that knowing what structure is in use would be valuable
210 information in each structure. This new tag will be in each new structure that the TPM defines.
211
212 The upper nibble of the value designates the purview of the structure tag. 0 is used for TPM
213 structures, 1 for platforms, and 2-F are reserved.
214*/
215
216/* 3.1 TPM_STRUCTURE_TAG */
217
218/* Structure */
219#define TPM_TAG_CONTEXTBLOB 0x0001 /* TPM_CONTEXT_BLOB */
220#define TPM_TAG_CONTEXT_SENSITIVE 0x0002 /* TPM_CONTEXT_SENSITIVE */
221#define TPM_TAG_CONTEXTPOINTER 0x0003 /* TPM_CONTEXT_POINTER */
222#define TPM_TAG_CONTEXTLIST 0x0004 /* TPM_CONTEXT_LIST */
223#define TPM_TAG_SIGNINFO 0x0005 /* TPM_SIGN_INFO */
224#define TPM_TAG_PCR_INFO_LONG 0x0006 /* TPM_PCR_INFO_LONG */
225#define TPM_TAG_PERSISTENT_FLAGS 0x0007 /* TPM_PERSISTENT_FLAGS (deprecated 1.1 struct) */
226#define TPM_TAG_VOLATILE_FLAGS 0x0008 /* TPM_VOLATILE_FLAGS (deprecated 1.1 struct) */
227#define TPM_TAG_PERSISTENT_DATA 0x0009 /* TPM_PERSISTENT_DATA (deprecated 1.1 struct) */
228#define TPM_TAG_VOLATILE_DATA 0x000A /* TPM_VOLATILE_DATA (deprecated 1.1 struct) */
229#define TPM_TAG_SV_DATA 0x000B /* TPM_SV_DATA */
230#define TPM_TAG_EK_BLOB 0x000C /* TPM_EK_BLOB */
231#define TPM_TAG_EK_BLOB_AUTH 0x000D /* TPM_EK_BLOB_AUTH */
232#define TPM_TAG_COUNTER_VALUE 0x000E /* TPM_COUNTER_VALUE */
233#define TPM_TAG_TRANSPORT_INTERNAL 0x000F /* TPM_TRANSPORT_INTERNAL */
234#define TPM_TAG_TRANSPORT_LOG_IN 0x0010 /* TPM_TRANSPORT_LOG_IN */
235#define TPM_TAG_TRANSPORT_LOG_OUT 0x0011 /* TPM_TRANSPORT_LOG_OUT */
236#define TPM_TAG_AUDIT_EVENT_IN 0x0012 /* TPM_AUDIT_EVENT_IN */
237#define TPM_TAG_AUDIT_EVENT_OUT 0X0013 /* TPM_AUDIT_EVENT_OUT */
238#define TPM_TAG_CURRENT_TICKS 0x0014 /* TPM_CURRENT_TICKS */
239#define TPM_TAG_KEY 0x0015 /* TPM_KEY */
240#define TPM_TAG_STORED_DATA12 0x0016 /* TPM_STORED_DATA12 */
241#define TPM_TAG_NV_ATTRIBUTES 0x0017 /* TPM_NV_ATTRIBUTES */
242#define TPM_TAG_NV_DATA_PUBLIC 0x0018 /* TPM_NV_DATA_PUBLIC */
243#define TPM_TAG_NV_DATA_SENSITIVE 0x0019 /* TPM_NV_DATA_SENSITIVE */
244#define TPM_TAG_DELEGATIONS 0x001A /* TPM DELEGATIONS */
245#define TPM_TAG_DELEGATE_PUBLIC 0x001B /* TPM_DELEGATE_PUBLIC */
246#define TPM_TAG_DELEGATE_TABLE_ROW 0x001C /* TPM_DELEGATE_TABLE_ROW */
247#define TPM_TAG_TRANSPORT_AUTH 0x001D /* TPM_TRANSPORT_AUTH */
248#define TPM_TAG_TRANSPORT_PUBLIC 0X001E /* TPM_TRANSPORT_PUBLIC */
249#define TPM_TAG_PERMANENT_FLAGS 0X001F /* TPM_PERMANENT_FLAGS */
250#define TPM_TAG_STCLEAR_FLAGS 0X0020 /* TPM_STCLEAR_FLAGS */
251#define TPM_TAG_STANY_FLAGS 0X0021 /* TPM_STANY_FLAGS */
252#define TPM_TAG_PERMANENT_DATA 0X0022 /* TPM_PERMANENT_DATA */
253#define TPM_TAG_STCLEAR_DATA 0X0023 /* TPM_STCLEAR_DATA */
254#define TPM_TAG_STANY_DATA 0X0024 /* TPM_STANY_DATA */
255#define TPM_TAG_FAMILY_TABLE_ENTRY 0X0025 /* TPM_FAMILY_TABLE_ENTRY */
256#define TPM_TAG_DELEGATE_SENSITIVE 0X0026 /* TPM_DELEGATE_SENSITIVE */
257#define TPM_TAG_DELG_KEY_BLOB 0X0027 /* TPM_DELG_KEY_BLOB */
258#define TPM_TAG_KEY12 0x0028 /* TPM_KEY12 */
259#define TPM_TAG_CERTIFY_INFO2 0X0029 /* TPM_CERTIFY_INFO2 */
260#define TPM_TAG_DELEGATE_OWNER_BLOB 0X002A /* TPM_DELEGATE_OWNER_BLOB */
261#define TPM_TAG_EK_BLOB_ACTIVATE 0X002B /* TPM_EK_BLOB_ACTIVATE */
262#define TPM_TAG_DAA_BLOB 0X002C /* TPM_DAA_BLOB */
263#define TPM_TAG_DAA_CONTEXT 0X002D /* TPM_DAA_CONTEXT */
264#define TPM_TAG_DAA_ENFORCE 0X002E /* TPM_DAA_ENFORCE */
265#define TPM_TAG_DAA_ISSUER 0X002F /* TPM_DAA_ISSUER */
266#define TPM_TAG_CAP_VERSION_INFO 0X0030 /* TPM_CAP_VERSION_INFO */
267#define TPM_TAG_DAA_SENSITIVE 0X0031 /* TPM_DAA_SENSITIVE */
268#define TPM_TAG_DAA_TPM 0X0032 /* TPM_DAA_TPM */
269#define TPM_TAG_CMK_MIGAUTH 0X0033 /* TPM_CMK_MIGAUTH */
270#define TPM_TAG_CMK_SIGTICKET 0X0034 /* TPM_CMK_SIGTICKET */
271#define TPM_TAG_CMK_MA_APPROVAL 0X0035 /* TPM_CMK_MA_APPROVAL */
272#define TPM_TAG_QUOTE_INFO2 0X0036 /* TPM_QUOTE_INFO2 */
273#define TPM_TAG_DA_INFO 0x0037 /* TPM_DA_INFO */
274#define TPM_TAG_DA_INFO_LIMITED 0x0038 /* TPM_DA_INFO_LIMITED */
275#define TPM_TAG_DA_ACTION_TYPE 0x0039 /* TPM_DA_ACTION_TYPE */
276
277/*
278 SW TPM Tags
279*/
280
281/*
282 These tags are used to describe the format of serialized TPM non-volatile state
283*/
284
285/* These describe the overall format */
286
287/* V1 state is the sequence permanent data, permanent flags, owner evict keys, NV defined space */
288
289#define TPM_TAG_NVSTATE_V1 0x0001 /* svn revision 4078 */
290
291/* These tags describe the TPM_PERMANENT_DATA format */
292
293/* For the first release, use the standard TPM_TAG_PERMANENT_DATA tag. Since this tag is never
294 visible outside the TPM, the tag value can be changed if the format changes.
295*/
296
297/* These tags describe the TPM_PERMANENT_FLAGS format */
298
299/* The TPM_PERMANENT_FLAGS structure changed from rev 94 to 103. Unfortunately, the standard TPM
300 tag did not change. Define distinguishing values here.
301*/
302
303#define TPM_TAG_NVSTATE_PF94 0x0001
304#define TPM_TAG_NVSTATE_PF103 0x0002
305
306/* This tag describes the owner evict key format */
307
308#define TPM_TAG_NVSTATE_OE_V1 0x0001
309
310/* This tag describes the NV defined space format */
311
312#define TPM_TAG_NVSTATE_NV_V1 0x0001
313
314/* V2 added the NV public optimization */
315
316#define TPM_TAG_NVSTATE_NV_V2 0x0002
317
318/*
319 These tags are used to describe the format of serialized TPM volatile state
320*/
321
322/* These describe the overall format */
323
324/* V1 state is the sequence TPM Parameters, TPM_STCLEAR_FLAGS, TPM_STANY_FLAGS, TPM_STCLEAR_DATA,
325 TPM_STANY_DATA, TPM_KEY_HANDLE_ENTRY, SHA1 context(s), TPM_TRANSHANDLE, testState, NV volatile
326 flags */
327
328#define TPM_TAG_VSTATE_V1 0x0001
329
330/* This tag defines the TPM Parameters format */
331
332#define TPM_TAG_TPM_PARAMETERS_V1 0x0001
333
334/* This tag defines the TPM_STCLEAR_FLAGS format */
335
336/* V1 is the TCG standard returned by the getcap. It's unlikely that this will change */
337
338#define TPM_TAG_STCLEAR_FLAGS_V1 0x0001
339
340/* These tags describe the TPM_STANY_FLAGS format */
341
342/* For the first release, use the standard TPM_TAG_STANY_FLAGS tag. Since this tag is never visible
343 outside the TPM, the tag value can be changed if the format changes.
344*/
345
346/* This tag defines the TPM_STCLEAR_DATA format */
347
348/* V2 deleted the ordinalResponse, responseCount */
349
350#define TPM_TAG_STCLEAR_DATA_V2 0X0024
351
352/* These tags describe the TPM_STANY_DATA format */
353
354/* For the first release, use the standard TPM_TAG_STANY_DATA tag. Since this tag is never visible
355 outside the TPM, the tag value can be changed if the format changes.
356*/
357
358/* This tag defines the key handle entries format */
359
360#define TPM_TAG_KEY_HANDLE_ENTRIES_V1 0x0001
361
362/* This tag defines the SHA-1 context format */
363
364#define TPM_TAG_SHA1CONTEXT_OSSL_V1 0x0001 /* for openssl */
365
366#define TPM_TAG_SHA1CONTEXT_FREEBL_V1 0x0101 /* for freebl */
367
368/* This tag defines the NV index entries volatile format */
369
370#define TPM_TAG_NV_INDEX_ENTRIES_VOLATILE_V1 0x0001
371
372/* 4. Types
373 */
374
375/* 4.1 TPM_RESOURCE_TYPE rev 87 */
376
377#define TPM_RT_KEY 0x00000001 /* The handle is a key handle and is the result of a LoadKey
378 type operation */
379
380#define TPM_RT_AUTH 0x00000002 /* The handle is an authorization handle. Auth handles come from
381 TPM_OIAP, TPM_OSAP and TPM_DSAP */
382
383#define TPM_RT_HASH 0X00000003 /* Reserved for hashes */
384
385#define TPM_RT_TRANS 0x00000004 /* The handle is for a transport session. Transport handles come
386 from TPM_EstablishTransport */
387
388#define TPM_RT_CONTEXT 0x00000005 /* Resource wrapped and held outside the TPM using the context
389 save/restore commands */
390
391#define TPM_RT_COUNTER 0x00000006 /* Reserved for counters */
392
393#define TPM_RT_DELEGATE 0x00000007 /* The handle is for a delegate row. These are the internal rows
394 held in NV storage by the TPM */
395
396#define TPM_RT_DAA_TPM 0x00000008 /* The value is a DAA TPM specific blob */
397
398#define TPM_RT_DAA_V0 0x00000009 /* The value is a DAA V0 parameter */
399
400#define TPM_RT_DAA_V1 0x0000000A /* The value is a DAA V1 parameter */
401
402/* 4.2 TPM_PAYLOAD_TYPE rev 87
403
404 This structure specifies the type of payload in various messages.
405*/
406
407#define TPM_PT_ASYM 0x01 /* The entity is an asymmetric key */
408#define TPM_PT_BIND 0x02 /* The entity is bound data */
409#define TPM_PT_MIGRATE 0x03 /* The entity is a migration blob */
410#define TPM_PT_MAINT 0x04 /* The entity is a maintenance blob */
411#define TPM_PT_SEAL 0x05 /* The entity is sealed data */
412#define TPM_PT_MIGRATE_RESTRICTED 0x06 /* The entity is a restricted-migration asymmetric key */
413#define TPM_PT_MIGRATE_EXTERNAL 0x07 /* The entity is a external migratable key */
414#define TPM_PT_CMK_MIGRATE 0x08 /* The entity is a CMK migratable blob */
415/* 0x09 - 0x7F Reserved for future use by TPM */
416/* 0x80 - 0xFF Vendor specific payloads */
417
418/* 4.3 TPM_ENTITY_TYPE rev 100
419
420 This specifies the types of entity that are supported by the TPM.
421
422 The LSB is used to indicate the entity type. The MSB is used to indicate the ADIP
423 encryption scheme when applicable.
424
425 For compatibility with TPM 1.1, this mapping is maintained:
426
427 0x0001 specifies a keyHandle entity with XOR encryption
428 0x0002 specifies an owner entity with XOR encryption
429 0x0003 specifies some data entity with XOR encryption
430 0x0004 specifies the SRK entity with XOR encryption
431 0x0005 specifies a key entity with XOR encryption
432
433 When the entity is not being used for ADIP encryption, the MSB MUST be 0x00.
434*/
435
436/* TPM_ENTITY_TYPE LSB Values (entity type) */
437
438#define TPM_ET_KEYHANDLE 0x01 /* The entity is a keyHandle or key */
439#define TPM_ET_OWNER 0x02 /*0x40000001 The entity is the TPM Owner */
440#define TPM_ET_DATA 0x03 /* The entity is some data */
441#define TPM_ET_SRK 0x04 /*0x40000000 The entity is the SRK */
442#define TPM_ET_KEY 0x05 /* The entity is a key or keyHandle */
443#define TPM_ET_REVOKE 0x06 /*0x40000002 The entity is the RevokeTrust value */
444#define TPM_ET_DEL_OWNER_BLOB 0x07 /* The entity is a delegate owner blob */
445#define TPM_ET_DEL_ROW 0x08 /* The entity is a delegate row */
446#define TPM_ET_DEL_KEY_BLOB 0x09 /* The entity is a delegate key blob */
447#define TPM_ET_COUNTER 0x0A /* The entity is a counter */
448#define TPM_ET_NV 0x0B /* The entity is a NV index */
449#define TPM_ET_OPERATOR 0x0C /* The entity is the operator */
450#define TPM_ET_RESERVED_HANDLE 0x40 /* Reserved. This value avoids collisions with the handle
451 MSB setting.*/
452
453/* TPM_ENTITY_TYPE MSB Values (ADIP encryption scheme) */
454
455#define TPM_ET_XOR 0x00 /* XOR */
456#define TPM_ET_AES128_CTR 0x06 /* AES 128 bits in CTR mode */
457
458/* 4.4 Handles rev 88
459
460 Handles provides pointers to TPM internal resources. Handles should provide the ability to locate
461 a value without collision.
462
463 1. The TPM MAY order and set a handle to any value the TPM determines is appropriate
464
465 2. The handle value SHALL provide assurance that collisions SHOULD not occur in 2^24 handles
466
467 4.4.1 Reserved Key Handles
468
469 The reserved key handles. These values specify specific keys or specific actions for the TPM.
470*/
471
472/* 4.4.1 Reserved Key Handles rev 87
473
474 The reserved key handles. These values specify specific keys or specific actions for the TPM.
475
476 TPM_KH_TRANSPORT indicates to TPM_EstablishTransport that there is no encryption key, and that
477 the "secret" wrapped parameters are actually passed unencrypted.
478*/
479
480#define TPM_KH_SRK 0x40000000 /* The handle points to the SRK */
481#define TPM_KH_OWNER 0x40000001 /* The handle points to the TPM Owner */
482#define TPM_KH_REVOKE 0x40000002 /* The handle points to the RevokeTrust value */
483#define TPM_KH_TRANSPORT 0x40000003 /* The handle points to the TPM_EstablishTransport static
484 authorization */
485#define TPM_KH_OPERATOR 0x40000004 /* The handle points to the Operator auth */
486#define TPM_KH_ADMIN 0x40000005 /* The handle points to the delegation administration
487 auth */
488#define TPM_KH_EK 0x40000006 /* The handle points to the PUBEK, only usable with
489 TPM_OwnerReadInternalPub */
490
491/* 4.5 TPM_STARTUP_TYPE rev 87
492
493 To specify what type of startup is occurring.
494*/
495
496#define TPM_ST_CLEAR 0x0001 /* The TPM is starting up from a clean state */
497#define TPM_ST_STATE 0x0002 /* The TPM is starting up from a saved state */
498#define TPM_ST_DEACTIVATED 0x0003 /* The TPM is to startup and set the deactivated flag to
499 TRUE */
500
501/* 4.6 TPM_STARTUP_EFFECTS rev 101
502
503 This structure lists for the various resources and sessions on a TPM the affect that TPM_Startup
504 has on the values.
505
506 There are three ST_STATE options for keys (restore all, restore non-volatile, or restore none)
507 and two ST_CLEAR options (restore non-volatile or restore none). As bit 4 was insufficient to
508 describe the possibilities, it is deprecated. Software should use TPM_CAP_KEY_HANDLE to
509 determine which keys are loaded after TPM_Startup.
510
511 31-9 No information and MUST be FALSE
512
513 8 TPM_RT_DAA_TPM resources are initialized by TPM_Startup(ST_STATE)
514 7 TPM_Startup has no effect on auditDigest
515 6 auditDigest is set to all zeros on TPM_Startup(ST_CLEAR) but not on other types of TPM_Startup
516 5 auditDigest is set to all zeros on TPM_Startup(any)
517 4 TPM_RT_KEY Deprecated, as the meaning was subject to interpretation. (Was:TPM_RT_KEY resources
518 are initialized by TPM_Startup(ST_ANY))
519 3 TPM_RT_AUTH resources are initialized by TPM_Startup(ST_STATE)
520 2 TPM_RT_HASH resources are initialized by TPM_Startup(ST_STATE)
521 1 TPM_RT_TRANS resources are initialized by TPM_Startup(ST_STATE)
522 0 TPM_RT_CONTEXT session (but not key) resources are initialized by TPM_Startup(ST_STATE)
523*/
524
525
526#define TPM_STARTUP_EFFECTS_ST_STATE_RT_DAA 0x00000100 /* bit 8 */
527#define TPM_STARTUP_EFFECTS_STARTUP_NO_AUDITDIGEST 0x00000080 /* bit 7 */
528#define TPM_STARTUP_EFFECTS_ST_CLEAR_AUDITDIGEST 0x00000040 /* bit 6 */
529#define TPM_STARTUP_EFFECTS_STARTUP_AUDITDIGEST 0x00000020 /* bit 5 */
530#define TPM_STARTUP_EFFECTS_ST_ANY_RT_KEY 0x00000010 /* bit 4 */
531#define TPM_STARTUP_EFFECTS_ST_STATE_RT_AUTH 0x00000008 /* bit 3 */
532#define TPM_STARTUP_EFFECTS_ST_STATE_RT_HASH 0x00000004 /* bit 2 */
533#define TPM_STARTUP_EFFECTS_ST_STATE_RT_TRANS 0x00000002 /* bit 1 */
534#define TPM_STARTUP_EFFECTS_ST_STATE_RT_CONTEXT 0x00000001 /* bit 0 */
535
536/* 4.7 TPM_PROTOCOL_ID rev 87
537
538 This value identifies the protocol in use.
539*/
540
541#define TPM_PID_NONE 0x0000 /* kgold - added */
542#define TPM_PID_OIAP 0x0001 /* The OIAP protocol. */
543#define TPM_PID_OSAP 0x0002 /* The OSAP protocol. */
544#define TPM_PID_ADIP 0x0003 /* The ADIP protocol. */
545#define TPM_PID_ADCP 0X0004 /* The ADCP protocol. */
546#define TPM_PID_OWNER 0X0005 /* The protocol for taking ownership of a TPM. */
547#define TPM_PID_DSAP 0x0006 /* The DSAP protocol */
548#define TPM_PID_TRANSPORT 0x0007 /*The transport protocol */
549
550/* 4.8 TPM_ALGORITHM_ID rev 99
551
552 This table defines the types of algorithms that may be supported by the TPM.
553
554 The TPM MUST support the algorithms TPM_ALG_RSA, TPM_ALG_SHA, TPM_ALG_HMAC, and TPM_ALG_MGF1
555*/
556
557#define TPM_ALG_RSA 0x00000001 /* The RSA algorithm. */
558/* #define TPM_ALG_DES 0x00000002 (was the DES algorithm) */
559/* #define TPM_ALG_3DES 0X00000003 (was the 3DES algorithm in EDE mode) */
560#define TPM_ALG_SHA 0x00000004 /* The SHA1 algorithm */
561#define TPM_ALG_HMAC 0x00000005 /* The RFC 2104 HMAC algorithm */
562#define TPM_ALG_AES128 0x00000006 /* The AES algorithm, key size 128 */
563#define TPM_ALG_MGF1 0x00000007 /* The XOR algorithm using MGF1 to create a string the size
564 of the encrypted block */
565#define TPM_ALG_AES192 0x00000008 /* AES, key size 192 */
566#define TPM_ALG_AES256 0x00000009 /* AES, key size 256 */
567#define TPM_ALG_XOR 0x0000000A /* XOR using the rolling nonces */
568
569/* 4.9 TPM_PHYSICAL_PRESENCE rev 87
570
571*/
572
573#define TPM_PHYSICAL_PRESENCE_HW_DISABLE 0x0200 /* Sets the physicalPresenceHWEnable to FALSE
574 */
575#define TPM_PHYSICAL_PRESENCE_CMD_DISABLE 0x0100 /* Sets the physicalPresenceCMDEnable to
576 FALSE */
577#define TPM_PHYSICAL_PRESENCE_LIFETIME_LOCK 0x0080 /* Sets the physicalPresenceLifetimeLock to
578 TRUE */
579#define TPM_PHYSICAL_PRESENCE_HW_ENABLE 0x0040 /* Sets the physicalPresenceHWEnable to TRUE
580 */
581#define TPM_PHYSICAL_PRESENCE_CMD_ENABLE 0x0020 /* Sets the physicalPresenceCMDEnable to TRUE
582 */
583#define TPM_PHYSICAL_PRESENCE_NOTPRESENT 0x0010 /* Sets PhysicalPresence = FALSE */
584#define TPM_PHYSICAL_PRESENCE_PRESENT 0x0008 /* Sets PhysicalPresence = TRUE */
585#define TPM_PHYSICAL_PRESENCE_LOCK 0x0004 /* Sets PhysicalPresenceLock = TRUE */
586
587#define TPM_PHYSICAL_PRESENCE_MASK 0xfc03 /* ~ OR of all above bits */
588
589/* 4.10 TPM_MIGRATE_SCHEME rev 103
590
591 The scheme indicates how the StartMigrate command should handle the migration of the encrypted
592 blob.
593*/
594
595#define TPM_MS_MIGRATE 0x0001 /* A public key that can be used with all TPM
596 migration commands other than 'ReWrap' mode. */
597#define TPM_MS_REWRAP 0x0002 /* A public key that can be used for the ReWrap mode
598 of TPM_CreateMigrationBlob. */
599#define TPM_MS_MAINT 0x0003 /* A public key that can be used for the Maintenance
600 commands */
601#define TPM_MS_RESTRICT_MIGRATE 0x0004 /* The key is to be migrated to a Migration
602 Authority. */
603#define TPM_MS_RESTRICT_APPROVE 0x0005 /* The key is to be migrated to an entity approved by
604 a Migration Authority using double wrapping */
605
606/* 4.11 TPM_EK_TYPE rev 87
607
608 This structure indicates what type of information that the EK is dealing with.
609*/
610
611#define TPM_EK_TYPE_ACTIVATE 0x0001 /* The blob MUST be TPM_EK_BLOB_ACTIVATE */
612#define TPM_EK_TYPE_AUTH 0x0002 /* The blob MUST be TPM_EK_BLOB_AUTH */
613
614/* 4.12 TPM_PLATFORM_SPECIFIC rev 87
615
616 This enumerated type indicates the platform specific spec that the information relates to.
617*/
618
619#define TPM_PS_PC_11 0x0001 /* PC Specific version 1.1 */
620#define TPM_PS_PC_12 0x0002 /* PC Specific version 1.2 */
621#define TPM_PS_PDA_12 0x0003 /* PDA Specific version 1.2 */
622#define TPM_PS_Server_12 0x0004 /* Server Specific version 1.2 */
623#define TPM_PS_Mobile_12 0x0005 /* Mobil Specific version 1.2 */
624
625/* 5.8 TPM_KEY_USAGE rev 101
626
627 This table defines the types of keys that are possible. Each value defines for what operation
628 the key can be used. Most key usages can be CMKs. See 4.2, TPM_PAYLOAD_TYPE.
629
630 Each key has a setting defining the encryption and signature scheme to use. The selection of a
631 key usage value limits the choices of encryption and signature schemes.
632*/
633
634#define TPM_KEY_UNINITIALIZED 0x0000 /* NOTE: Added. This seems like a good place to indicate
635 that a TPM_KEY structure has not been initialized */
636
637#define TPM_KEY_SIGNING 0x0010 /* This SHALL indicate a signing key. The [private] key
638 SHALL be used for signing operations, only. This means
639 that it MUST be a leaf of the Protected Storage key
640 hierarchy. */
641
642#define TPM_KEY_STORAGE 0x0011 /* This SHALL indicate a storage key. The key SHALL be used
643 to wrap and unwrap other keys in the Protected Storage
644 hierarchy */
645
646#define TPM_KEY_IDENTITY 0x0012 /* This SHALL indicate an identity key. The key SHALL be
647 used for operations that require a TPM identity, only. */
648
649#define TPM_KEY_AUTHCHANGE 0X0013 /* This SHALL indicate an ephemeral key that is in use
650 during the ChangeAuthAsym process, only. */
651
652#define TPM_KEY_BIND 0x0014 /* This SHALL indicate a key that can be used for TPM_Bind
653 and TPM_Unbind operations only. */
654
655#define TPM_KEY_LEGACY 0x0015 /* This SHALL indicate a key that can perform signing and
656 binding operations. The key MAY be used for both signing
657 and binding operations. The TPM_KEY_LEGACY key type is to
658 allow for use by applications where both signing and
659 encryption operations occur with the same key. */
660
661#define TPM_KEY_MIGRATE 0x0016 /* This SHALL indicate a key in use for TPM_MigrateKey */
662
663/* 5.8.1 TPM_ENC_SCHEME Mandatory Key Usage Schemes rev 99
664
665 The TPM MUST check that the encryption scheme defined for use with the key is a valid scheme for
666 the key type, as follows:
667*/
668
669#define TPM_ES_NONE 0x0001
670#define TPM_ES_RSAESPKCSv15 0x0002
671#define TPM_ES_RSAESOAEP_SHA1_MGF1 0x0003
672#define TPM_ES_SYM_CTR 0x0004
673#define TPM_ES_SYM_OFB 0x0005
674
675/* 5.8.1 TPM_SIG_SCHEME Mandatory Key Usage Schemes rev 99
676
677 The TPM MUST check that the signature scheme defined for use with the key is a valid scheme for
678 the key type, as follows:
679*/
680
681#define TPM_SS_NONE 0x0001
682#define TPM_SS_RSASSAPKCS1v15_SHA1 0x0002
683#define TPM_SS_RSASSAPKCS1v15_DER 0x0003
684#define TPM_SS_RSASSAPKCS1v15_INFO 0x0004
685
686/* 5.9 TPM_AUTH_DATA_USAGE rev 110
687
688 The indication to the TPM when authorization sessions for an entity are required. Future
689 versions may allow for more complex decisions regarding AuthData checking.
690*/
691
692#define TPM_AUTH_NEVER 0x00 /* This SHALL indicate that usage of the key without
693 authorization is permitted. */
694
695#define TPM_AUTH_ALWAYS 0x01 /* This SHALL indicate that on each usage of the key the
696 authorization MUST be performed. */
697
698#define TPM_NO_READ_PUBKEY_AUTH 0x03 /* This SHALL indicate that on commands that require the TPM to
699 use the the key, the authorization MUST be performed. For
700 commands that cause the TPM to read the public portion of the
701 key, but not to use the key (e.g. TPM_GetPubKey), the
702 authorization may be omitted. */
703
704/* 5.10 TPM_KEY_FLAGS rev 110
705
706 This table defines the meanings of the bits in a TPM_KEY_FLAGS structure, used in
707 TPM_STORE_ASYMKEY and TPM_CERTIFY_INFO.
708
709 The value of TPM_KEY_FLAGS MUST be decomposed into individual mask values. The presence of a mask
710 value SHALL have the effect described in the above table
711
712 On input, all undefined bits MUST be zero. The TPM MUST return an error if any undefined bit is
713 set. On output, the TPM MUST set all undefined bits to zero.
714*/
715
716#ifdef TPM_V12
717#define TPM_KEY_FLAGS_MASK 0x0000001f
718#else
719#define TPM_KEY_FLAGS_MASK 0x00000007
720#endif
721
722#define TPM_REDIRECTION 0x00000001 /* This mask value SHALL indicate the use of redirected
723 output. */
724
725#define TPM_MIGRATABLE 0x00000002 /* This mask value SHALL indicate that the key is
726 migratable. */
727
728#define TPM_ISVOLATILE 0x00000004 /* This mask value SHALL indicate that the key MUST be
729 unloaded upon execution of the
730 TPM_Startup(ST_Clear). This does not indicate that a
731 non-volatile key will remain loaded across
732 TPM_Startup(ST_Clear) events. */
733
734#define TPM_PCRIGNOREDONREAD 0x00000008 /* When TRUE the TPM MUST NOT check digestAtRelease or
735 localityAtRelease for commands that read the public
736 portion of the key (e.g., TPM_GetPubKey) and MAY NOT
737 check digestAtRelease or localityAtRelease for
738 commands that use the public portion of the key
739 (e.g. TPM_Seal)
740
741 When FALSE the TPM MUST check digestAtRelease and
742 localityAtRelease for commands that read or use the
743 public portion of the key */
744
745#define TPM_MIGRATEAUTHORITY 0x00000010 /* When set indicates that the key is under control of a
746 migration authority. The TPM MUST only allow the
747 creation of a key with this flag in
748 TPM_MA_CreateKey */
749
750/* 5.17 TPM_CMK_DELEGATE values rev 89
751
752 The bits of TPM_CMK_DELEGATE are flags that determine how the TPM responds to delegated requests
753 to manipulate a certified-migration-key, a loaded key with payload type TPM_PT_MIGRATE_RESTRICTED
754 or TPM_PT_MIGRATE_EXTERNAL..
755
756 26:0 reserved MUST be 0
757
758 The default value of TPM_CMK_Delegate is zero (0)
759*/
760
761#define TPM_CMK_DELEGATE_SIGNING 0x80000000 /* When set to 1, this bit SHALL indicate that a
762 delegated command may manipulate a CMK of
763 TPM_KEY_USAGE == TPM_KEY_SIGNING */
764#define TPM_CMK_DELEGATE_STORAGE 0x40000000 /* When set to 1, this bit SHALL indicate that a
765 delegated command may manipulate a CMK of
766 TPM_KEY_USAGE == TPM_KEY_STORAGE */
767#define TPM_CMK_DELEGATE_BIND 0x20000000 /* When set to 1, this bit SHALL indicate that a
768 delegated command may manipulate a CMK of
769 TPM_KEY_USAGE == TPM_KEY_BIND */
770#define TPM_CMK_DELEGATE_LEGACY 0x10000000 /* When set to 1, this bit SHALL indicate that a
771 delegated command may manipulate a CMK of
772 TPM_KEY_USAGE == TPM_KEY_LEGACY */
773#define TPM_CMK_DELEGATE_MIGRATE 0x08000000 /* When set to 1, this bit SHALL indicate that a
774 delegated command may manipulate a CMK of
775 TPM_KEY_USAGE == TPM_KEY_MIGRATE */
776
777/* 6. TPM_TAG (Command and Response Tags) rev 100
778
779 These tags indicate to the TPM the construction of the command either as input or as output. The
780 AUTH indicates that there are one or more AuthData values that follow the command
781 parameters.
782*/
783
784#define TPM_TAG_RQU_COMMAND 0x00C1 /* A command with no authentication. */
785#define TPM_TAG_RQU_AUTH1_COMMAND 0x00C2 /* An authenticated command with one authentication
786 handle */
787#define TPM_TAG_RQU_AUTH2_COMMAND 0x00C3 /* An authenticated command with two authentication
788 handles */
789#define TPM_TAG_RSP_COMMAND 0x00C4 /* A response from a command with no authentication
790 */
791#define TPM_TAG_RSP_AUTH1_COMMAND 0x00C5 /* An authenticated response with one authentication
792 handle */
793#define TPM_TAG_RSP_AUTH2_COMMAND 0x00C6 /* An authenticated response with two authentication
794 handles */
795
796/* TIS 7.2 PCR Attributes
797
798*/
799
800#define TPM_DEBUG_PCR 16
801#define TPM_LOCALITY_4_PCR 17
802#define TPM_LOCALITY_3_PCR 18
803#define TPM_LOCALITY_2_PCR 19
804#define TPM_LOCALITY_1_PCR 20
805
806/* 10.9 TPM_KEY_CONTROL rev 87
807
808 Attributes that can control various aspects of key usage and manipulation.
809
810 Allows for controlling of the key when loaded and how to handle TPM_Startup issues.
811*/
812
813#define TPM_KEY_CONTROL_OWNER_EVICT 0x00000001 /* Owner controls when the key is evicted
814 from the TPM. When set the TPM MUST
815 preserve key the key across all TPM_Init
816 invocations. */
817
818/* 13.1.1 TPM_TRANSPORT_ATTRIBUTES Definitions */
819
820#define TPM_TRANSPORT_ENCRYPT 0x00000001 /* The session will provide encryption using
821 the internal encryption algorithm */
822#define TPM_TRANSPORT_LOG 0x00000002 /* The session will provide a log of all
823 operations that occur in the session */
824#define TPM_TRANSPORT_EXCLUSIVE 0X00000004 /* The transport session is exclusive and
825 any command executed outside the
826 transport session causes the invalidation
827 of the session */
828
829/* 21.1 TPM_CAPABILITY_AREA rev 115
830
831 To identify a capability to be queried.
832*/
833
834#define TPM_CAP_ORD 0x00000001 /* Boolean value. TRUE indicates that the TPM supports
835 the ordinal. FALSE indicates that the TPM does not
836 support the ordinal. Unimplemented optional ordinals
837 and unused (unassigned) ordinals return FALSE. */
838#define TPM_CAP_ALG 0x00000002 /* Boolean value. TRUE means that the TPM supports the
839 asymmetric algorithm for TPM_Sign, TPM_Seal,
840 TPM_UnSeal and TPM_UnBind and related commands. FALSE
841 indicates that the asymmetric algorithm is not
842 supported for these types of commands. The TPM MAY
843 return TRUE or FALSE for other than asymmetric
bbd7b75d 844 algorithms that it supports. Unassigned and
a0098eda
CB		 845 unsupported algorithm IDs return FALSE.*/
846
847#define TPM_CAP_PID 0x00000003 /* Boolean value. TRUE indicates that the TPM supports
848 the protocol, FALSE indicates that the TPM does not
849 support the protocol. */
850#define TPM_CAP_FLAG 0x00000004 /* Return the TPM_PERMANENT_FLAGS structure or Return the
851 TPM_STCLEAR_FLAGS structure */
852#define TPM_CAP_PROPERTY 0x00000005 /* See following table for the subcaps */
853#define TPM_CAP_VERSION 0x00000006 /* TPM_STRUCT_VER structure. The Major and Minor must
854 indicate 1.1. The firmware revision MUST indicate
855 0.0 */
856#define TPM_CAP_KEY_HANDLE 0x00000007 /* A TPM_KEY_HANDLE_LIST structure that enumerates all
857 key handles loaded on the TPM. */
858#define TPM_CAP_CHECK_LOADED 0x00000008 /* A Boolean value. TRUE indicates that the TPM has
859 enough memory available to load a key of the type
860 specified by TPM_KEY_PARMS. FALSE indicates that the
861 TPM does not have enough memory. */
862#define TPM_CAP_SYM_MODE 0x00000009 /* Subcap TPM_SYM_MODE
863 A Boolean value. TRUE indicates that the TPM supports
864 the TPM_SYM_MODE, FALSE indicates the TPM does not
865 support the mode. */
866#define TPM_CAP_KEY_STATUS 0x0000000C /* Boolean value of ownerEvict. The handle MUST point to
867 a valid key handle.*/
868#define TPM_CAP_NV_LIST 0x0000000D /* A list of TPM_NV_INDEX values that are currently
869 allocated NV storage through TPM_NV_DefineSpace. */
870#define TPM_CAP_MFR 0x00000010 /* Manufacturer specific. The manufacturer may provide
871 any additional information regarding the TPM and the
872 TPM state but MUST not expose any sensitive
873 information. */
874#define TPM_CAP_NV_INDEX 0x00000011 /* A TPM_NV_DATA_PUBLIC structure that indicates the
875 values for the TPM_NV_INDEX. Returns TPM_BADINDEX if
876 the index is not in the TPM_CAP_NV_LIST list. */
877#define TPM_CAP_TRANS_ALG 0x00000012 /* Boolean value. TRUE means that the TPM supports the
878 algorithm for TPM_EstablishTransport,
879 TPM_ExecuteTransport and
880 TPM_ReleaseTransportSigned. FALSE indicates that for
881 these three commands the algorithm is not supported."
882 */
883#define TPM_CAP_HANDLE 0x00000014 /* A TPM_KEY_HANDLE_LIST structure that enumerates all
884 handles currently loaded in the TPM for the given
885 resource type. */
886#define TPM_CAP_TRANS_ES 0x00000015 /* Boolean value. TRUE means the TPM supports the
887 encryption scheme in a transport session for at least
888 one algorithm.. */
889#define TPM_CAP_AUTH_ENCRYPT 0x00000017 /* Boolean value. TRUE indicates that the TPM supports
890 the encryption algorithm in OSAP encryption of
891 AuthData values */
892#define TPM_CAP_SELECT_SIZE 0x00000018 /* Boolean value. TRUE indicates that the TPM supports
893 the size for the given version. For instance a request
894 could ask for version 1.1 size 2 and the TPM would
895 indicate TRUE. For 1.1 size 3 the TPM would indicate
896 FALSE. For 1.2 size 3 the TPM would indicate TRUE. */
897#define TPM_CAP_DA_LOGIC 0x00000019 /* (OPTIONAL)
898 A TPM_DA_INFO or TPM_DA_INFO_LIMITED structure that
899 returns data according to the selected entity type
900 (e.g., TPM_ET_KEYHANDLE, TPM_ET_OWNER, TPM_ET_SRK,
901 TPM_ET_COUNTER, TPM_ET_OPERATOR, etc.). If the
902 implemented dictionary attack logic does not support
903 different secret types, the entity type can be
904 ignored. */
905#define TPM_CAP_VERSION_VAL 0x0000001A /* TPM_CAP_VERSION_INFO structure. The TPM fills in the
906 structure and returns the information indicating what
907 the TPM currently supports. */
908
909#define TPM_CAP_FLAG_PERMANENT 0x00000108 /* Return the TPM_PERMANENT_FLAGS structure */
910#define TPM_CAP_FLAG_VOLATILE 0x00000109 /* Return the TPM_STCLEAR_FLAGS structure */
911
912/* 21.2 CAP_PROPERTY Subcap values for CAP_PROPERTY rev 105
913
914 The TPM_CAP_PROPERTY capability has numerous subcap values. The definition for all subcap values
915 occurs in this table.
916
917 TPM_CAP_PROP_MANUFACTURER returns a vendor ID unique to each manufacturer. The same value is
918 returned as the TPM_CAP_VERSION_INFO -> tpmVendorID. A company abbreviation such as a null
919 terminated stock ticker is a typical choice. However, there is no requirement that the value
920 contain printable characters. The document "TCG Vendor Naming" lists the vendor ID values.
921
922 TPM_CAP_PROP_MAX_xxxSESS is a constant. At TPM_Startup(ST_CLEAR) TPM_CAP_PROP_xxxSESS ==
923 TPM_CAP_PROP_MAX_xxxSESS. As sessions are created on the TPM, TPM_CAP_PROP_xxxSESS decreases
924 toward zero. As sessions are terminated, TPM_CAP_PROP_xxxSESS increases toward
925 TPM_CAP_PROP_MAX_xxxSESS.
926
927 There is a similar relationship between the constants TPM_CAP_PROP_MAX_COUNTERS and
928 TPM_CAP_PROP_MAX_CONTEXT and the varying TPM_CAP_PROP_COUNTERS and TPM_CAP_PROP_CONTEXT.
929
930 In one typical implementation where authorization and transport sessions reside in separate
931 pools, TPM_CAP_PROP_SESSIONS will be the sum of TPM_CAP_PROP_AUTHSESS and TPM_CAP_PROP_TRANSESS.
932 In another typical implementation where authorization and transport sessions share the same pool,
933 TPM_CAP_PROP_SESSIONS, TPM_CAP_PROP_AUTHSESS, and TPM_CAP_PROP_TRANSESS will all be equal.
934*/
935
936#define TPM_CAP_PROP_PCR 0x00000101 /* uint32_t value. Returns the number of PCR
937 registers supported by the TPM */
938#define TPM_CAP_PROP_DIR 0x00000102 /* uint32_t. Deprecated. Returns the number of
939 DIR, which is now fixed at 1 */
940#define TPM_CAP_PROP_MANUFACTURER 0x00000103 /* uint32_t value. Returns the vendor ID
941 unique to each TPM manufacturer. */
942#define TPM_CAP_PROP_KEYS 0x00000104 /* uint32_t value. Returns the number of 2048-
943 bit RSA keys that can be loaded. This may
944 vary with time and circumstances. */
945#define TPM_CAP_PROP_MIN_COUNTER 0x00000107 /* uint32_t. The minimum amount of time in
946 10ths of a second that must pass between
947 invocations of incrementing the monotonic
948 counter. */
949#define TPM_CAP_PROP_AUTHSESS 0x0000010A /* uint32_t. The number of available
950 authorization sessions. This may vary with
951 time and circumstances. */
952#define TPM_CAP_PROP_TRANSESS 0x0000010B /* uint32_t. The number of available transport
953 sessions. This may vary with time and
954 circumstances. */
955#define TPM_CAP_PROP_COUNTERS 0x0000010C /* uint32_t. The number of available monotonic
956 counters. This may vary with time and
957 circumstances. */
958#define TPM_CAP_PROP_MAX_AUTHSESS 0x0000010D /* uint32_t. The maximum number of loaded
959 authorization sessions the TPM supports */
960#define TPM_CAP_PROP_MAX_TRANSESS 0x0000010E /* uint32_t. The maximum number of loaded
961 transport sessions the TPM supports. */
962#define TPM_CAP_PROP_MAX_COUNTERS 0x0000010F /* uint32_t. The maximum number of monotonic
963 counters under control of TPM_CreateCounter
964 */
965#define TPM_CAP_PROP_MAX_KEYS 0x00000110 /* uint32_t. The maximum number of 2048 RSA
966 keys that the TPM can support. The number
967 does not include the EK or SRK. */
968#define TPM_CAP_PROP_OWNER 0x00000111 /* BOOL. A value of TRUE indicates that the
969 TPM has successfully installed an owner. */
970#define TPM_CAP_PROP_CONTEXT 0x00000112 /* uint32_t. The number of available saved
971 session slots. This may vary with time and
972 circumstances. */
973#define TPM_CAP_PROP_MAX_CONTEXT 0x00000113 /* uint32_t. The maximum number of saved
974 session slots. */
975#define TPM_CAP_PROP_FAMILYROWS 0x00000114 /* uint32_t. The maximum number of rows in the
976 family table */
977#define TPM_CAP_PROP_TIS_TIMEOUT 0x00000115 /* A 4 element array of uint32_t values each
978 denoting the timeout value in microseconds
979 for the following in this order:
980
981 TIMEOUT_A, TIMEOUT_B, TIMEOUT_C, TIMEOUT_D
982
983 Where these timeouts are to be used is
984 determined by the platform specific TPM
985 Interface Specification. */
986#define TPM_CAP_PROP_STARTUP_EFFECT 0x00000116 /* The TPM_STARTUP_EFFECTS structure */
987#define TPM_CAP_PROP_DELEGATE_ROW 0x00000117 /* uint32_t. The maximum size of the delegate
988 table in rows. */
989#define TPM_CAP_PROP_MAX_DAASESS 0x00000119 /* uint32_t. The maximum number of loaded DAA
990 sessions (join or sign) that the TPM
991 supports */
992#define TPM_CAP_PROP_DAASESS 0x0000011A /* uint32_t. The number of available DAA
993 sessions. This may vary with time and
994 circumstances */
995#define TPM_CAP_PROP_CONTEXT_DIST 0x0000011B /* uint32_t. The maximum distance between
996 context count values. This MUST be at least
997 2^16-1. */
998#define TPM_CAP_PROP_DAA_INTERRUPT 0x0000011C /* BOOL. A value of TRUE indicates that the
999 TPM will accept ANY command while executing
1000 a DAA Join or Sign.
1001
1002 A value of FALSE indicates that the TPM
1003 will invalidate the DAA Join or Sign upon
1004 the receipt of any command other than the
1005 next join/sign in the session or a
1006 TPM_SaveContext */
1007#define TPM_CAP_PROP_SESSIONS 0X0000011D /* uint32_t. The number of available sessions
1008 from the pool. This MAY vary with time and
1009 circumstances. Pool sessions include
1010 authorization and transport sessions. */
1011#define TPM_CAP_PROP_MAX_SESSIONS 0x0000011E /* uint32_t. The maximum number of sessions
1012 the TPM supports. */
1013#define TPM_CAP_PROP_CMK_RESTRICTION 0x0000011F /* uint32_t TPM_Permanent_Data ->
1014 restrictDelegate
1015 */
1016#define TPM_CAP_PROP_DURATION 0x00000120 /* A 3 element array of uint32_t values each
1017 denoting the duration value in microseconds
1018 of the duration of the three classes of
1019 commands: Small, Medium and Long in the
1020 following in this order: SMALL_DURATION,
1021 MEDIUM_DURATION, LONG_DURATION */
1022#define TPM_CAP_PROP_ACTIVE_COUNTER 0x00000122 /* TPM_COUNT_ID. The id of the current
1023 counter. 0xff..ff if no counter is active
1024 */
1025#define TPM_CAP_PROP_MAX_NV_AVAILABLE 0x00000123 /*uint32_t. Deprecated. The maximum number
1026 of NV space that can be allocated, MAY
1027 vary with time and circumstances. This
1028 capability was not implemented
1029 consistently, and is replaced by
1030 TPM_NV_INDEX_TRIAL. */
1031#define TPM_CAP_PROP_INPUT_BUFFER 0x00000124 /* uint32_t. The maximum size of the TPM
1032 input buffer or output buffer in
1033 bytes. */
1034
1035/* 21.4 Set_Capability Values rev 107
1036 */
1037
1038#define TPM_SET_PERM_FLAGS 0x00000001 /* The ability to set a value is field specific and
1039 a review of the structure will disclose the
1040 ability and requirements to set a value */
1041#define TPM_SET_PERM_DATA 0x00000002 /* The ability to set a value is field specific and
1042 a review of the structure will disclose the
1043 ability and requirements to set a value */
1044#define TPM_SET_STCLEAR_FLAGS 0x00000003 /* The ability to set a value is field specific and
1045 a review of the structure will disclose the
1046 ability and requirements to set a value */
1047#define TPM_SET_STCLEAR_DATA 0x00000004 /* The ability to set a value is field specific and
1048 a review of the structure will disclose the
1049 ability and requirements to set a value */
1050#define TPM_SET_STANY_FLAGS 0x00000005 /* The ability to set a value is field specific and
1051 a review of the structure will disclose the
1052 ability and requirements to set a value */
1053#define TPM_SET_STANY_DATA 0x00000006 /* The ability to set a value is field specific and
1054 a review of the structure will disclose the
1055 ability and requirements to set a value */
1056#define TPM_SET_VENDOR 0x00000007 /* This area allows the vendor to set specific areas
1057 in the TPM according to the normal shielded
1058 location requirements */
1059
1060/* Set Capability sub caps */
1061
1062/* TPM_PERMANENT_FLAGS */
1063
1064#define TPM_PF_DISABLE 1
1065#define TPM_PF_OWNERSHIP 2
1066#define TPM_PF_DEACTIVATED 3
1067#define TPM_PF_READPUBEK 4
1068#define TPM_PF_DISABLEOWNERCLEAR 5
1069#define TPM_PF_ALLOWMAINTENANCE 6
1070#define TPM_PF_PHYSICALPRESENCELIFETIMELOCK 7
1071#define TPM_PF_PHYSICALPRESENCEHWENABLE 8
1072#define TPM_PF_PHYSICALPRESENCECMDENABLE 9
1073#define TPM_PF_CEKPUSED 10
1074#define TPM_PF_TPMPOST 11
1075#define TPM_PF_TPMPOSTLOCK 12
1076#define TPM_PF_FIPS 13
1077#define TPM_PF_OPERATOR 14
1078#define TPM_PF_ENABLEREVOKEEK 15
1079#define TPM_PF_NV_LOCKED 16
1080#define TPM_PF_READSRKPUB 17
1081#define TPM_PF_TPMESTABLISHED 18
1082#define TPM_PF_MAINTENANCEDONE 19
1083#define TPM_PF_DISABLEFULLDALOGICINFO 20
1084
1085/* TPM_STCLEAR_FLAGS */
1086
1087#define TPM_SF_DEACTIVATED 1
1088#define TPM_SF_DISABLEFORCECLEAR 2
1089#define TPM_SF_PHYSICALPRESENCE 3
1090#define TPM_SF_PHYSICALPRESENCELOCK 4
1091#define TPM_SF_BGLOBALLOCK 5
1092
1093/* TPM_STANY_FLAGS */
1094
1095#define TPM_AF_POSTINITIALISE 1
1096#define TPM_AF_LOCALITYMODIFIER 2
1097#define TPM_AF_TRANSPORTEXCLUSIVE 3
1098#define TPM_AF_TOSPRESENT 4
1099
1100/* TPM_PERMANENT_DATA */
1101
1102#define TPM_PD_REVMAJOR 1
1103#define TPM_PD_REVMINOR 2
1104#define TPM_PD_TPMPROOF 3
1105#define TPM_PD_OWNERAUTH 4
1106#define TPM_PD_OPERATORAUTH 5
1107#define TPM_PD_MANUMAINTPUB 6
1108#define TPM_PD_ENDORSEMENTKEY 7
1109#define TPM_PD_SRK 8
1110#define TPM_PD_DELEGATEKEY 9
1111#define TPM_PD_CONTEXTKEY 10
1112#define TPM_PD_AUDITMONOTONICCOUNTER 11
1113#define TPM_PD_MONOTONICCOUNTER 12
1114#define TPM_PD_PCRATTRIB 13
1115#define TPM_PD_ORDINALAUDITSTATUS 14
1116#define TPM_PD_AUTHDIR 15
1117#define TPM_PD_RNGSTATE 16
1118#define TPM_PD_FAMILYTABLE 17
1119#define TPM_DELEGATETABLE 18
1120#define TPM_PD_EKRESET 19
1121#define TPM_PD_LASTFAMILYID 21
1122#define TPM_PD_NOOWNERNVWRITE 22
1123#define TPM_PD_RESTRICTDELEGATE 23
1124#define TPM_PD_TPMDAASEED 24
1125#define TPM_PD_DAAPROOF 25
1126
1127/* TPM_STCLEAR_DATA */
1128
1129#define TPM_SD_CONTEXTNONCEKEY 1
1130#define TPM_SD_COUNTID 2
1131#define TPM_SD_OWNERREFERENCE 3
1132#define TPM_SD_DISABLERESETLOCK 4
1133#define TPM_SD_PCR 5
1134#define TPM_SD_DEFERREDPHYSICALPRESENCE 6
1135
1136/* TPM_STCLEAR_DATA -> deferredPhysicalPresence bits */
1137
1138#define TPM_DPP_UNOWNED_FIELD_UPGRADE 0x00000001 /* bit 0 TPM_FieldUpgrade */
1139
1140/* TPM_STANY_DATA */
1141
1142#define TPM_AD_CONTEXTNONCESESSION 1
1143#define TPM_AD_AUDITDIGEST 2
1144#define TPM_AD_CURRENTTICKS 3
1145#define TPM_AD_CONTEXTCOUNT 4
1146#define TPM_AD_CONTEXTLIST 5
1147#define TPM_AD_SESSIONS 6
1148
1149/* 17. Ordinals rev 110
1150
1151 Ordinals are 32 bit values of type TPM_COMMAND_CODE. The upper byte contains values that serve
1152 as flag indicators, the next byte contains values indicating what committee designated the
1153 ordinal, and the final two bytes contain the Command Ordinal Index.
1154
1155 3 2 1
1156 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
1157 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1158 |P|C|V| Reserved| Purview | Command Ordinal Index |
1159 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1160
1161 Where:
1162
1163 P is Protected/Unprotected command. When 0 the command is a Protected command, when 1 the
1164 command is an Unprotected command.
1165
1166 C is Non-Connection/Connection related command. When 0 this command passes through to either the
1167 protected (TPM) or unprotected (TSS) components.
1168
1169 V is TPM/Vendor command. When 0 the command is TPM defined, when 1 the command is vendor
1170 defined.
1171
1172 All reserved area bits are set to 0.
1173*/
1174
1175/* The following masks are created to allow for the quick definition of the commands */
1176
1177#define TPM_PROTECTED_COMMAND 0x00000000 /* TPM protected command, specified in main specification
1178 */
1179#define TPM_UNPROTECTED_COMMAND 0x80000000 /* TSS command, specified in the TSS specification */
1180#define TPM_CONNECTION_COMMAND 0x40000000 /* TSC command, protected connection commands are
1181 specified in the main specification Unprotected
1182 connection commands are specified in the TSS */
1183#define TPM_VENDOR_COMMAND 0x20000000 /* Command that is vendor specific for a given TPM or
1184 TSS. */
1185
1186
1187/* The following Purviews have been defined: */
1188
1189#define TPM_MAIN 0x00 /* Command is from the main specification */
1190#define TPM_PC 0x01 /* Command is specific to the PC */
1191#define TPM_PDA 0x02 /* Command is specific to a PDA */
1192#define TPM_CELL_PHONE 0x03 /* Command is specific to a cell phone */
1193#define TPM_SERVER 0x04 /* Command is specific to servers */
1194#define TPM_PERIPHERAL 0x05 /* Command is specific to peripherals */
1195#define TPM_TSS 0x06 /* Command is specific to TSS */
1196
1197/* Combinations for the main specification would be: */
1198
1199#define TPM_PROTECTED_ORDINAL (TPM_PROTECTED_COMMAND | TPM_MAIN)
1200#define TPM_UNPROTECTED_ORDINAL (TPM_UNPROTECTED_COMMAND | TPM_MAIN)
1201#define TPM_CONNECTION_ORDINAL (TPM_CONNECTION_COMMAND | TPM_MAIN)
1202
1203/* Command ordinals */
1204
1205#define TPM_ORD_ActivateIdentity 0x0000007A
1206#define TPM_ORD_AuthorizeMigrationKey 0x0000002B
1207#define TPM_ORD_CertifyKey 0x00000032
1208#define TPM_ORD_CertifyKey2 0x00000033
1209#define TPM_ORD_CertifySelfTest 0x00000052
1210#define TPM_ORD_ChangeAuth 0x0000000C
1211#define TPM_ORD_ChangeAuthAsymFinish 0x0000000F
1212#define TPM_ORD_ChangeAuthAsymStart 0x0000000E
1213#define TPM_ORD_ChangeAuthOwner 0x00000010
1214#define TPM_ORD_CMK_ApproveMA 0x0000001D
1215#define TPM_ORD_CMK_ConvertMigration 0x00000024
1216#define TPM_ORD_CMK_CreateBlob 0x0000001B
1217#define TPM_ORD_CMK_CreateKey 0x00000013
1218#define TPM_ORD_CMK_CreateTicket 0x00000012
1219#define TPM_ORD_CMK_SetRestrictions 0x0000001C
1220#define TPM_ORD_ContinueSelfTest 0x00000053
1221#define TPM_ORD_ConvertMigrationBlob 0x0000002A
1222#define TPM_ORD_CreateCounter 0x000000DC
1223#define TPM_ORD_CreateEndorsementKeyPair 0x00000078
1224#define TPM_ORD_CreateMaintenanceArchive 0x0000002C
1225#define TPM_ORD_CreateMigrationBlob 0x00000028
1226#define TPM_ORD_CreateRevocableEK 0x0000007F
1227#define TPM_ORD_CreateWrapKey 0x0000001F
1228#define TPM_ORD_DAA_Join 0x00000029
1229#define TPM_ORD_DAA_Sign 0x00000031
1230#define TPM_ORD_Delegate_CreateKeyDelegation 0x000000D4
1231#define TPM_ORD_Delegate_CreateOwnerDelegation 0x000000D5
1232#define TPM_ORD_Delegate_LoadOwnerDelegation 0x000000D8
1233#define TPM_ORD_Delegate_Manage 0x000000D2
1234#define TPM_ORD_Delegate_ReadTable 0x000000DB
1235#define TPM_ORD_Delegate_UpdateVerification 0x000000D1
1236#define TPM_ORD_Delegate_VerifyDelegation 0x000000D6
1237#define TPM_ORD_DirRead 0x0000001A
1238#define TPM_ORD_DirWriteAuth 0x00000019
1239#define TPM_ORD_DisableForceClear 0x0000005E
1240#define TPM_ORD_DisableOwnerClear 0x0000005C
1241#define TPM_ORD_DisablePubekRead 0x0000007E
1242#define TPM_ORD_DSAP 0x00000011
1243#define TPM_ORD_EstablishTransport 0x000000E6
1244#define TPM_ORD_EvictKey 0x00000022
1245#define TPM_ORD_ExecuteTransport 0x000000E7
1246#define TPM_ORD_Extend 0x00000014
1247#define TPM_ORD_FieldUpgrade 0x000000AA
1248#define TPM_ORD_FlushSpecific 0x000000BA
1249#define TPM_ORD_ForceClear 0x0000005D
1250#define TPM_ORD_GetAuditDigest 0x00000085
1251#define TPM_ORD_GetAuditDigestSigned 0x00000086
1252#define TPM_ORD_GetAuditEvent 0x00000082
1253#define TPM_ORD_GetAuditEventSigned 0x00000083
1254#define TPM_ORD_GetCapability 0x00000065
1255#define TPM_ORD_GetCapabilityOwner 0x00000066
1256#define TPM_ORD_GetCapabilitySigned 0x00000064
1257#define TPM_ORD_GetOrdinalAuditStatus 0x0000008C
1258#define TPM_ORD_GetPubKey 0x00000021
1259#define TPM_ORD_GetRandom 0x00000046
1260#define TPM_ORD_GetTestResult 0x00000054
1261#define TPM_ORD_GetTicks 0x000000F1
1262#define TPM_ORD_IncrementCounter 0x000000DD
1263#define TPM_ORD_Init 0x00000097
1264#define TPM_ORD_KeyControlOwner 0x00000023
1265#define TPM_ORD_KillMaintenanceFeature 0x0000002E
1266#define TPM_ORD_LoadAuthContext 0x000000B7
1267#define TPM_ORD_LoadContext 0x000000B9
1268#define TPM_ORD_LoadKey 0x00000020
1269#define TPM_ORD_LoadKey2 0x00000041
1270#define TPM_ORD_LoadKeyContext 0x000000B5
1271#define TPM_ORD_LoadMaintenanceArchive 0x0000002D
1272#define TPM_ORD_LoadManuMaintPub 0x0000002F
1273#define TPM_ORD_MakeIdentity 0x00000079
1274#define TPM_ORD_MigrateKey 0x00000025
1275#define TPM_ORD_NV_DefineSpace 0x000000CC
1276#define TPM_ORD_NV_ReadValue 0x000000CF
1277#define TPM_ORD_NV_ReadValueAuth 0x000000D0
1278#define TPM_ORD_NV_WriteValue 0x000000CD
1279#define TPM_ORD_NV_WriteValueAuth 0x000000CE
1280#define TPM_ORD_OIAP 0x0000000A
1281#define TPM_ORD_OSAP 0x0000000B
1282#define TPM_ORD_OwnerClear 0x0000005B
1283#define TPM_ORD_OwnerReadInternalPub 0x00000081
1284#define TPM_ORD_OwnerReadPubek 0x0000007D
1285#define TPM_ORD_OwnerSetDisable 0x0000006E
1286#define TPM_ORD_PCR_Reset 0x000000C8
1287#define TPM_ORD_PcrRead 0x00000015
1288#define TPM_ORD_PhysicalDisable 0x00000070
1289#define TPM_ORD_PhysicalEnable 0x0000006F
1290#define TPM_ORD_PhysicalSetDeactivated 0x00000072
1291#define TPM_ORD_Quote 0x00000016
1292#define TPM_ORD_Quote2 0x0000003E
1293#define TPM_ORD_ReadCounter 0x000000DE
1294#define TPM_ORD_ReadManuMaintPub 0x00000030
1295#define TPM_ORD_ReadPubek 0x0000007C
1296#define TPM_ORD_ReleaseCounter 0x000000DF
1297#define TPM_ORD_ReleaseCounterOwner 0x000000E0
1298#define TPM_ORD_ReleaseTransportSigned 0x000000E8
1299#define TPM_ORD_Reset 0x0000005A
1300#define TPM_ORD_ResetLockValue 0x00000040
1301#define TPM_ORD_RevokeTrust 0x00000080
1302#define TPM_ORD_SaveAuthContext 0x000000B6
1303#define TPM_ORD_SaveContext 0x000000B8
1304#define TPM_ORD_SaveKeyContext 0x000000B4
1305#define TPM_ORD_SaveState 0x00000098
1306#define TPM_ORD_Seal 0x00000017
1307#define TPM_ORD_Sealx 0x0000003D
1308#define TPM_ORD_SelfTestFull 0x00000050
1309#define TPM_ORD_SetCapability 0x0000003F
1310#define TPM_ORD_SetOperatorAuth 0x00000074
1311#define TPM_ORD_SetOrdinalAuditStatus 0x0000008D
1312#define TPM_ORD_SetOwnerInstall 0x00000071
1313#define TPM_ORD_SetOwnerPointer 0x00000075
1314#define TPM_ORD_SetRedirection 0x0000009A
1315#define TPM_ORD_SetTempDeactivated 0x00000073
1316#define TPM_ORD_SHA1Complete 0x000000A2
1317#define TPM_ORD_SHA1CompleteExtend 0x000000A3
1318#define TPM_ORD_SHA1Start 0x000000A0
1319#define TPM_ORD_SHA1Update 0x000000A1
1320#define TPM_ORD_Sign 0x0000003C
1321#define TPM_ORD_Startup 0x00000099
1322#define TPM_ORD_StirRandom 0x00000047
1323#define TPM_ORD_TakeOwnership 0x0000000D
1324#define TPM_ORD_Terminate_Handle 0x00000096
1325#define TPM_ORD_TickStampBlob 0x000000F2
1326#define TPM_ORD_UnBind 0x0000001E
1327#define TPM_ORD_Unseal 0x00000018
1328
1329#define TSC_ORD_PhysicalPresence 0x4000000A
1330#define TSC_ORD_ResetEstablishmentBit 0x4000000B
1331
1332/* 19. NV storage structures */
1333
1334/* 19.1 TPM_NV_INDEX rev 110
1335
1336 The index provides the handle to identify the area of storage. The reserved bits allow for a
1337 segregation of the index name space to avoid name collisions.
1338
1339 The TPM may check the resvd bits for zero. Thus, applications should set the bits to zero.
1340
1341 The TCG defines the space where the high order bits (T, P, U) are 0. The other spaces are
1342 controlled by the indicated entity.
1343
1344 T is the TPM manufacturer reserved bit. 0 indicates a TCG defined value. 1 indicates a TPM
1345 manufacturer specific value.
1346
1347 P is the platform manufacturer reserved bit. 0 indicates a TCG defined value. 1 indicates that
1348 the index is controlled by the platform manufacturer.
1349
1350 U is for the platform user. 0 indicates a TCG defined value. 1 indicates that the index is
1351 controlled by the platform user.
1352
1353 The TPM_NV_INDEX is a 32-bit value.
1354 3 2 1
1355 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
1356 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1357 |T|P|U|D| resvd | Purview | Index |
1358 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1359
1360 Where:
1361
1362 1. The TPM MAY return an error if the reserved area bits are not set to 0.
1363
1364 2. The TPM MUST accept all values for T, P, and U
1365
1366 3. D indicates defined. 1 indicates that the index is permanently defined and that any
1367 TPM_NV_DefineSpace operation will fail after nvLocked is set TRUE.
1368
1369 a. TCG reserved areas MAY have D set to 0 or 1
1370
1371 4. Purview is the value used to indicate the platform specific area. This value is the
1372 same as used for command ordinals.
1373
1374 a. The TPM MUST reject purview values that the TPM cannot support. This means that an
1375 index value for a PDA MUST be rejected by a TPM designed to work only on the PC Client.
1376*/
1377
1378#define TPM_NV_INDEX_T_BIT 0x80000000
1379#define TPM_NV_INDEX_P_BIT 0x40000000
1380#define TPM_NV_INDEX_U_BIT 0x20000000
1381#define TPM_NV_INDEX_D_BIT 0x10000000
1382/* added kgold */
1383#define TPM_NV_INDEX_RESVD 0x0f000000
1384#define TPM_NV_INDEX_PURVIEW_BIT 16
1385#define TPM_NV_INDEX_PURVIEW_MASK 0x00ff0000
1386
1387/* 19.1.1 Required TPM_NV_INDEX values rev 97
1388
1389 The required index values must be found on each TPM regardless of platform. These areas are
1390 always present and do not require a TPM_DefineSpace command to allocate.
1391
1392 A platform specific specification may add additional required index values for the platform.
1393
1394 The TPM MUST reserve the space as indicated for the required index values
1395*/
1396
1397#define TPM_NV_INDEX_LOCK 0xFFFFFFFF /* This value turns on the NV authorization
1398 protections. Once executed all NV areas use the
1399 protections as defined. This value never resets.
1400
1401 Attempting to execute TPM_NV_DefineSpace on this value
1402 with non-zero size MAY result in a TPM_BADINDEX
1403 response.
1404 */
1405
1406#define TPM_NV_INDEX0 0x00000000 /* This value allows for the setting of the bGlobalLock
1407 flag, which is only reset on TPM_Startup(ST_Clear)
1408
1409 Attempting to execute TPM_NV_WriteValue with a size other
1410 than zero MAY result in the TPM_BADINDEX error code.
1411 */
1412
1413#define TPM_NV_INDEX_DIR 0x10000001 /* Size MUST be 20. This index points to the deprecated DIR
1414 command area from 1.1. The TPM MUST map this reserved
1415 space to be the area operated on by the 1.1 DIR commands.
1416 */
1417
1418/* 19.1.2 Reserved Index values rev 116
1419
1420 The reserved values are defined to avoid index collisions. These values are not in each and every
1421 TPM.
1422
1423 1. The reserved index values are to avoid index value collisions.
1424 2. These index values require a TPM_DefineSpace to have the area for the index allocated
1425 3. A platform specific specification MAY indicate that reserved values are required.
1426 4. The reserved index values MAY have their D bit set by the TPM vendor to permanently
1427*/
1428
1429#define TPM_NV_INDEX_TPM 0x0000Fxxx /* Reserved for TPM use */
1430#define TPM_NV_INDEX_EKCert 0x0000F000 /* The Endorsement credential */
1431
1432#define TPM_NV_INDEX_TPM_CC 0x0000F001 /* The TPM Conformance credential */
1433#define TPM_NV_INDEX_PlatformCert 0x0000F002 /* The platform credential */
1434#define TPM_NV_INDEX_Platform_CC 0x0000F003 /* The Platform conformance credential */
1435#define TPM_NV_INDEX_TRIAL 0x0000F004 /* To try TPM_NV_DefineSpace without
1436 actually allocating NV space */
1437
1438#if 0
1439#define TPM_NV_INDEX_PC 0x0001xxxx /* Reserved for PC Client use */
1440#define TPM_NV_INDEX_GPIO_xx 0x000116xx /* Reserved for GPIO pins */
1441#define TPM_NV_INDEX_PDA 0x0002xxxx /* Reserved for PDA use */
1442#define TPM_NV_INDEX_MOBILE 0x0003xxxx /* Reserved for mobile use */
1443#define TPM_NV_INDEX_SERVER 0x0004xxxx /* Reserved for Server use */
1444#define TPM_NV_INDEX_PERIPHERAL 0x0005xxxx /* Reserved for peripheral use */
1445#define TPM_NV_INDEX_TSS 0x0006xxxx /* Reserved for TSS use */
1446#define TPM_NV_INDEX_GROUP_RESV 0x00xxxxxx /* Reserved for TCG WG use */
1447#endif
1448
1449#define TPM_NV_INDEX_GPIO_00 0x00011600 /* GPIO-Express-00 */
1450
1451#define TPM_NV_INDEX_GPIO_START 0x00011600 /* Reserved for GPIO pins */
1452#define TPM_NV_INDEX_GPIO_END 0x000116ff /* Reserved for GPIO pins */
1453
1454/* 19.2 TPM_NV_ATTRIBUTES rev 99
1455
1456 The attributes TPM_NV_PER_AUTHREAD and TPM_NV_PER_OWNERREAD cannot both be set to TRUE.
1457 Similarly, the attributes TPM_NV_PER_AUTHWRITE and TPM_NV_PER_OWNERWRITE cannot both be set to
1458 TRUE.
1459*/
1460
1461#define TPM_NV_PER_READ_STCLEAR 0x80000000 /* 31: The value can be read until locked by a
1462 read with a data size of 0. It can only be
1463 unlocked by TPM_Startup(ST_Clear) or a
1464 successful write. Lock held for each area in
1465 bReadSTClear. */
1466/* #define 30:19 Reserved */
1467#define TPM_NV_PER_AUTHREAD 0x00040000 /* 18: The value requires authorization to read
1468 */
1469#define TPM_NV_PER_OWNERREAD 0x00020000 /* 17: The value requires TPM Owner authorization
1470 to read. */
1471#define TPM_NV_PER_PPREAD 0x00010000 /* 16: The value requires physical presence to
1472 read */
1473#define TPM_NV_PER_GLOBALLOCK 0x00008000 /* 15: The value is writable until a write to
1474 index 0 is successful. The lock of this
1475 attribute is reset by
1476 TPM_Startup(ST_CLEAR). Lock held by SF ->
1477 bGlobalLock */
1478#define TPM_NV_PER_WRITE_STCLEAR 0x00004000 /* 14: The value is writable until a write to
1479 the specified index with a datasize of 0 is
1480 successful. The lock of this attribute is
1481 reset by TPM_Startup(ST_CLEAR). Lock held for
1482 each area in bWriteSTClear. */
1483#define TPM_NV_PER_WRITEDEFINE 0x00002000 /* 13: Lock set by writing to the index with a
1484 datasize of 0. Lock held for each area in
1485 bWriteDefine. This is a persistent lock. */
1486#define TPM_NV_PER_WRITEALL 0x00001000 /* 12: The value must be written in a single
1487 operation */
1488/* #define 11:3 Reserved for write additions */
1489#define TPM_NV_PER_AUTHWRITE 0x00000004 /* 2: The value requires authorization to write
1490 */
1491#define TPM_NV_PER_OWNERWRITE 0x00000002 /* 1: The value requires TPM Owner authorization
1492 to write */
1493#define TPM_NV_PER_PPWRITE 0x00000001 /* 0: The value requires physical presence to
1494 write */
1495
1496/* 20.2.1 Owner Permission Settings rev 87 */
1497
1498/* Per1 bits */
1499
1500#define TPM_DELEGATE_PER1_MASK 0xffffffff /* mask of legal bits */
1501#define TPM_DELEGATE_KeyControlOwner 31
1502#define TPM_DELEGATE_SetOrdinalAuditStatus 30
1503#define TPM_DELEGATE_DirWriteAuth 29
1504#define TPM_DELEGATE_CMK_ApproveMA 28
1505#define TPM_DELEGATE_NV_WriteValue 27
1506#define TPM_DELEGATE_CMK_CreateTicket 26
1507#define TPM_DELEGATE_NV_ReadValue 25
1508#define TPM_DELEGATE_Delegate_LoadOwnerDelegation 24
1509#define TPM_DELEGATE_DAA_Join 23
1510#define TPM_DELEGATE_AuthorizeMigrationKey 22
1511#define TPM_DELEGATE_CreateMaintenanceArchive 21
1512#define TPM_DELEGATE_LoadMaintenanceArchive 20
1513#define TPM_DELEGATE_KillMaintenanceFeature 19
1514#define TPM_DELEGATE_OwnerReadInternalPub 18
1515#define TPM_DELEGATE_ResetLockValue 17
1516#define TPM_DELEGATE_OwnerClear 16
1517#define TPM_DELEGATE_DisableOwnerClear 15
1518#define TPM_DELEGATE_NV_DefineSpace 14
1519#define TPM_DELEGATE_OwnerSetDisable 13
1520#define TPM_DELEGATE_SetCapability 12
1521#define TPM_DELEGATE_MakeIdentity 11
1522#define TPM_DELEGATE_ActivateIdentity 10
1523#define TPM_DELEGATE_OwnerReadPubek 9
1524#define TPM_DELEGATE_DisablePubekRead 8
1525#define TPM_DELEGATE_SetRedirection 7
1526#define TPM_DELEGATE_FieldUpgrade 6
1527#define TPM_DELEGATE_Delegate_UpdateVerification 5
1528#define TPM_DELEGATE_CreateCounter 4
1529#define TPM_DELEGATE_ReleaseCounterOwner 3
1530#define TPM_DELEGATE_Delegate_Manage 2
1531#define TPM_DELEGATE_Delegate_CreateOwnerDelegation 1
1532#define TPM_DELEGATE_DAA_Sign 0
1533
1534/* Per2 bits */
1535#define TPM_DELEGATE_PER2_MASK 0x00000000 /* mask of legal bits */
1536/* All reserved */
1537
1538/* 20.2.3 Key Permission settings rev 85 */
1539
1540/* Per1 bits */
1541
1542#define TPM_KEY_DELEGATE_PER1_MASK 0x1fffffff /* mask of legal bits */
1543#define TPM_KEY_DELEGATE_CMK_ConvertMigration 28
1544#define TPM_KEY_DELEGATE_TickStampBlob 27
1545#define TPM_KEY_DELEGATE_ChangeAuthAsymStart 26
1546#define TPM_KEY_DELEGATE_ChangeAuthAsymFinish 25
1547#define TPM_KEY_DELEGATE_CMK_CreateKey 24
1548#define TPM_KEY_DELEGATE_MigrateKey 23
1549#define TPM_KEY_DELEGATE_LoadKey2 22
1550#define TPM_KEY_DELEGATE_EstablishTransport 21
1551#define TPM_KEY_DELEGATE_ReleaseTransportSigned 20
1552#define TPM_KEY_DELEGATE_Quote2 19
1553#define TPM_KEY_DELEGATE_Sealx 18
1554#define TPM_KEY_DELEGATE_MakeIdentity 17
1555#define TPM_KEY_DELEGATE_ActivateIdentity 16
1556#define TPM_KEY_DELEGATE_GetAuditDigestSigned 15
1557#define TPM_KEY_DELEGATE_Sign 14
1558#define TPM_KEY_DELEGATE_CertifyKey2 13
1559#define TPM_KEY_DELEGATE_CertifyKey 12
1560#define TPM_KEY_DELEGATE_CreateWrapKey 11
1561#define TPM_KEY_DELEGATE_CMK_CreateBlob 10
1562#define TPM_KEY_DELEGATE_CreateMigrationBlob 9
1563#define TPM_KEY_DELEGATE_ConvertMigrationBlob 8
1564#define TPM_KEY_DELEGATE_Delegate_CreateKeyDelegation 7
1565#define TPM_KEY_DELEGATE_ChangeAuth 6
1566#define TPM_KEY_DELEGATE_GetPubKey 5
1567#define TPM_KEY_DELEGATE_UnBind 4
1568#define TPM_KEY_DELEGATE_Quote 3
1569#define TPM_KEY_DELEGATE_Unseal 2
1570#define TPM_KEY_DELEGATE_Seal 1
1571#define TPM_KEY_DELEGATE_LoadKey 0
1572
1573/* Per2 bits */
1574#define TPM_KEY_DELEGATE_PER2_MASK 0x00000000 /* mask of legal bits */
1575/* All reserved */
1576
1577/* 20.3 TPM_FAMILY_FLAGS rev 87
1578
1579 These flags indicate the operational state of the delegation and family table. These flags
1580 are additions to TPM_PERMANENT_FLAGS and are not stand alone values.
1581*/
1582
1583#define TPM_DELEGATE_ADMIN_LOCK 0x00000002 /* TRUE: Some TPM_Delegate_XXX commands are locked and
1584 return TPM_DELEGATE_LOCK
1585
1586 FALSE: TPM_Delegate_XXX commands are available
1587
1588 Default is FALSE */
1589#define TPM_FAMFLAG_ENABLED 0x00000001 /* When TRUE the table is enabled. The default value is
1590 FALSE. */
1591
1592/* 20.14 TPM_FAMILY_OPERATION Values rev 87
1593
1594 These are the opFlag values used by TPM_Delegate_Manage.
1595*/
1596
1597#define TPM_FAMILY_CREATE 0x00000001 /* Create a new family */
1598#define TPM_FAMILY_ENABLE 0x00000002 /* Set or reset the enable flag for this family. */
1599#define TPM_FAMILY_ADMIN 0x00000003 /* Prevent administration of this family. */
1600#define TPM_FAMILY_INVALIDATE 0x00000004 /* Invalidate a specific family row. */
1601
1602/* 21.9 TPM_DA_STATE rev 100
1603
1604 TPM_DA_STATE enumerates the possible states of the dictionary attack mitigation logic.
1605*/
1606
1607#define TPM_DA_STATE_INACTIVE 0x00 /* The dictionary attack mitigation logic is currently
1608 inactive */
1609#define TPM_DA_STATE_ACTIVE 0x01 /* The dictionary attack mitigation logic is
1610 active. TPM_DA_ACTION_TYPE (21.10) is in progress. */
1611
1612/* 21.10 TPM_DA_ACTION_TYPE rev 100
1613 */
1614
1615/* 31-4 Reserved No information and MUST be FALSE */
1616
1617#define TPM_DA_ACTION_FAILURE_MODE 0x00000008 /* bit 3: The TPM is in failure mode. */
1618#define TPM_DA_ACTION_DEACTIVATE 0x00000004 /* bit 2: The TPM is in the deactivated state. */
1619#define TPM_DA_ACTION_DISABLE 0x00000002 /* bit 1: The TPM is in the disabled state. */
1620#define TPM_DA_ACTION_TIMEOUT 0x00000001 /* bit 0: The TPM will be in a locked state for
1621 TPM_DA_INFO -> actionDependValue seconds. This
1622 value is dynamic, depending on the time the
1623 lock has been active. */
1624
1625/* 22. DAA Structures rev 91
1626
1627 All byte and bit areas are byte arrays treated as large integers
1628*/
1629
1630#define DAA_SIZE_r0 43
1631#define DAA_SIZE_r1 43
1632#define DAA_SIZE_r2 128
1633#define DAA_SIZE_r3 168
1634#define DAA_SIZE_r4 219
1635#define DAA_SIZE_NT 20
1636#define DAA_SIZE_v0 128
1637#define DAA_SIZE_v1 192
1638#define DAA_SIZE_NE 256
1639#define DAA_SIZE_w 256
1640#define DAA_SIZE_issuerModulus 256
1641
1642/* check that DAA_SIZE_issuerModulus will fit in DAA_scratch */
1643#if (DAA_SIZE_issuerModulus != 256)
1644#error "DAA_SIZE_issuerModulus must be 256"
1645#endif
1646
1647/* 22.2 Constant definitions rev 91 */
1648
1649#define DAA_power0 104
1650#define DAA_power1 1024
1651
1652#endif
Software TPM Library