2 Implement TPM2 EnhancedAuthorization related command.
4 Copyright (c) 2014 - 2016, Intel Corporation. All rights reserved. <BR>
5 This program and the accompanying materials
6 are licensed and made available under the terms and conditions of the BSD License
7 which accompanies this distribution. The full text of the license may be found at
8 http://opensource.org/licenses/bsd-license.php
10 THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,
11 WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
15 #include <IndustryStandard/UefiTcgPlatform.h>
16 #include <Library/Tpm2CommandLib.h>
17 #include <Library/Tpm2DeviceLib.h>
18 #include <Library/BaseMemoryLib.h>
19 #include <Library/BaseLib.h>
20 #include <Library/DebugLib.h>
25 TPM2_COMMAND_HEADER Header
;
26 TPMI_DH_ENTITY AuthHandle
;
27 TPMI_SH_POLICY PolicySession
;
28 UINT32 AuthSessionSize
;
29 TPMS_AUTH_COMMAND AuthSession
;
32 TPM2B_NONCE PolicyRef
;
34 } TPM2_POLICY_SECRET_COMMAND
;
37 TPM2_RESPONSE_HEADER Header
;
38 UINT32 AuthSessionSize
;
39 TPM2B_TIMEOUT Timeout
;
40 TPMT_TK_AUTH PolicyTicket
;
41 TPMS_AUTH_RESPONSE AuthSession
;
42 } TPM2_POLICY_SECRET_RESPONSE
;
45 TPM2_COMMAND_HEADER Header
;
46 TPMI_SH_POLICY PolicySession
;
48 } TPM2_POLICY_OR_COMMAND
;
51 TPM2_RESPONSE_HEADER Header
;
52 } TPM2_POLICY_OR_RESPONSE
;
55 TPM2_COMMAND_HEADER Header
;
56 TPMI_SH_POLICY PolicySession
;
58 } TPM2_POLICY_COMMAND_CODE_COMMAND
;
61 TPM2_RESPONSE_HEADER Header
;
62 } TPM2_POLICY_COMMAND_CODE_RESPONSE
;
65 TPM2_COMMAND_HEADER Header
;
66 TPMI_SH_POLICY PolicySession
;
67 } TPM2_POLICY_GET_DIGEST_COMMAND
;
70 TPM2_RESPONSE_HEADER Header
;
71 TPM2B_DIGEST PolicyHash
;
72 } TPM2_POLICY_GET_DIGEST_RESPONSE
;
77 This command includes a secret-based authorization to a policy.
78 The caller proves knowledge of the secret value using an authorization
79 session using the authValue associated with authHandle.
81 @param[in] AuthHandle Handle for an entity providing the authorization
82 @param[in] PolicySession Handle for the policy session being extended.
83 @param[in] AuthSession Auth Session context
84 @param[in] NonceTPM The policy nonce for the session.
85 @param[in] CpHashA Digest of the command parameters to which this authorization is limited.
86 @param[in] PolicyRef A reference to a policy relating to the authorization.
87 @param[in] Expiration Time when authorization will expire, measured in seconds from the time that nonceTPM was generated.
88 @param[out] Timeout Time value used to indicate to the TPM when the ticket expires.
89 @param[out] PolicyTicket A ticket that includes a value indicating when the authorization expires.
91 @retval EFI_SUCCESS Operation completed successfully.
92 @retval EFI_DEVICE_ERROR The command was unsuccessful.
97 IN TPMI_DH_ENTITY AuthHandle
,
98 IN TPMI_SH_POLICY PolicySession
,
99 IN TPMS_AUTH_COMMAND
*AuthSession
, OPTIONAL
100 IN TPM2B_NONCE
*NonceTPM
,
101 IN TPM2B_DIGEST
*CpHashA
,
102 IN TPM2B_NONCE
*PolicyRef
,
104 OUT TPM2B_TIMEOUT
*Timeout
,
105 OUT TPMT_TK_AUTH
*PolicyTicket
109 TPM2_POLICY_SECRET_COMMAND SendBuffer
;
110 TPM2_POLICY_SECRET_RESPONSE RecvBuffer
;
111 UINT32 SendBufferSize
;
112 UINT32 RecvBufferSize
;
114 UINT32 SessionInfoSize
;
119 SendBuffer
.Header
.tag
= SwapBytes16(TPM_ST_SESSIONS
);
120 SendBuffer
.Header
.commandCode
= SwapBytes32(TPM_CC_PolicySecret
);
121 SendBuffer
.AuthHandle
= SwapBytes32 (AuthHandle
);
122 SendBuffer
.PolicySession
= SwapBytes32 (PolicySession
);
125 // Add in Auth session
127 Buffer
= (UINT8
*)&SendBuffer
.AuthSession
;
130 SessionInfoSize
= CopyAuthSessionCommand (AuthSession
, Buffer
);
131 Buffer
+= SessionInfoSize
;
132 SendBuffer
.AuthSessionSize
= SwapBytes32(SessionInfoSize
);
137 WriteUnaligned16 ((UINT16
*)Buffer
, SwapBytes16(NonceTPM
->size
));
138 Buffer
+= sizeof(UINT16
);
139 CopyMem (Buffer
, NonceTPM
->buffer
, NonceTPM
->size
);
140 Buffer
+= NonceTPM
->size
;
142 WriteUnaligned16 ((UINT16
*)Buffer
, SwapBytes16(CpHashA
->size
));
143 Buffer
+= sizeof(UINT16
);
144 CopyMem (Buffer
, CpHashA
->buffer
, CpHashA
->size
);
145 Buffer
+= CpHashA
->size
;
147 WriteUnaligned16 ((UINT16
*)Buffer
, SwapBytes16(PolicyRef
->size
));
148 Buffer
+= sizeof(UINT16
);
149 CopyMem (Buffer
, PolicyRef
->buffer
, PolicyRef
->size
);
150 Buffer
+= PolicyRef
->size
;
152 WriteUnaligned32 ((UINT32
*)Buffer
, SwapBytes32((UINT32
)Expiration
));
153 Buffer
+= sizeof(UINT32
);
155 SendBufferSize
= (UINT32
)((UINTN
)Buffer
- (UINTN
)&SendBuffer
);
156 SendBuffer
.Header
.paramSize
= SwapBytes32 (SendBufferSize
);
161 RecvBufferSize
= sizeof (RecvBuffer
);
162 Status
= Tpm2SubmitCommand (SendBufferSize
, (UINT8
*)&SendBuffer
, &RecvBufferSize
, (UINT8
*)&RecvBuffer
);
163 if (EFI_ERROR (Status
)) {
167 if (RecvBufferSize
< sizeof (TPM2_RESPONSE_HEADER
)) {
168 DEBUG ((EFI_D_ERROR
, "Tpm2PolicySecret - RecvBufferSize Error - %x\n", RecvBufferSize
));
169 Status
= EFI_DEVICE_ERROR
;
172 if (SwapBytes32(RecvBuffer
.Header
.responseCode
) != TPM_RC_SUCCESS
) {
173 DEBUG ((EFI_D_ERROR
, "Tpm2PolicySecret - responseCode - %x\n", SwapBytes32(RecvBuffer
.Header
.responseCode
)));
174 Status
= EFI_DEVICE_ERROR
;
179 // Return the response
181 Buffer
= (UINT8
*)&RecvBuffer
.Timeout
;
182 Timeout
->size
= SwapBytes16(ReadUnaligned16 ((UINT16
*)Buffer
));
183 Buffer
+= sizeof(UINT16
);
184 CopyMem (Timeout
->buffer
, Buffer
, Timeout
->size
);
186 PolicyTicket
->tag
= SwapBytes16(ReadUnaligned16 ((UINT16
*)Buffer
));
187 Buffer
+= sizeof(UINT16
);
188 PolicyTicket
->hierarchy
= SwapBytes32(ReadUnaligned32 ((UINT32
*)Buffer
));
189 Buffer
+= sizeof(UINT32
);
190 PolicyTicket
->digest
.size
= SwapBytes16(ReadUnaligned16 ((UINT16
*)Buffer
));
191 Buffer
+= sizeof(UINT16
);
192 CopyMem (PolicyTicket
->digest
.buffer
, Buffer
, PolicyTicket
->digest
.size
);
196 // Clear AuthSession Content
198 ZeroMem (&SendBuffer
, sizeof(SendBuffer
));
199 ZeroMem (&RecvBuffer
, sizeof(RecvBuffer
));
204 This command allows options in authorizations without requiring that the TPM evaluate all of the options.
205 If a policy may be satisfied by different sets of conditions, the TPM need only evaluate one set that
206 satisfies the policy. This command will indicate that one of the required sets of conditions has been
209 @param[in] PolicySession Handle for the policy session being extended.
210 @param[in] HashList the list of hashes to check for a match.
212 @retval EFI_SUCCESS Operation completed successfully.
213 @retval EFI_DEVICE_ERROR The command was unsuccessful.
218 IN TPMI_SH_POLICY PolicySession
,
219 IN TPML_DIGEST
*HashList
223 TPM2_POLICY_OR_COMMAND SendBuffer
;
224 TPM2_POLICY_OR_RESPONSE RecvBuffer
;
225 UINT32 SendBufferSize
;
226 UINT32 RecvBufferSize
;
233 SendBuffer
.Header
.tag
= SwapBytes16(TPM_ST_NO_SESSIONS
);
234 SendBuffer
.Header
.commandCode
= SwapBytes32(TPM_CC_PolicyOR
);
236 SendBuffer
.PolicySession
= SwapBytes32 (PolicySession
);
237 Buffer
= (UINT8
*)&SendBuffer
.HashList
;
238 WriteUnaligned32 ((UINT32
*)Buffer
, SwapBytes32 (HashList
->count
));
239 Buffer
+= sizeof(UINT32
);
240 for (Index
= 0; Index
< HashList
->count
; Index
++) {
241 WriteUnaligned16 ((UINT16
*)Buffer
, SwapBytes16 (HashList
->digests
[Index
].size
));
242 Buffer
+= sizeof(UINT16
);
243 CopyMem (Buffer
, HashList
->digests
[Index
].buffer
, HashList
->digests
[Index
].size
);
244 Buffer
+= HashList
->digests
[Index
].size
;
247 SendBufferSize
= (UINT32
)((UINTN
)Buffer
- (UINTN
)&SendBuffer
);
248 SendBuffer
.Header
.paramSize
= SwapBytes32 (SendBufferSize
);
253 RecvBufferSize
= sizeof (RecvBuffer
);
254 Status
= Tpm2SubmitCommand (SendBufferSize
, (UINT8
*)&SendBuffer
, &RecvBufferSize
, (UINT8
*)&RecvBuffer
);
255 if (EFI_ERROR (Status
)) {
259 if (RecvBufferSize
< sizeof (TPM2_RESPONSE_HEADER
)) {
260 DEBUG ((EFI_D_ERROR
, "Tpm2PolicyOR - RecvBufferSize Error - %x\n", RecvBufferSize
));
261 return EFI_DEVICE_ERROR
;
263 if (SwapBytes32(RecvBuffer
.Header
.responseCode
) != TPM_RC_SUCCESS
) {
264 DEBUG ((EFI_D_ERROR
, "Tpm2PolicyOR - responseCode - %x\n", SwapBytes32(RecvBuffer
.Header
.responseCode
)));
265 return EFI_DEVICE_ERROR
;
272 This command indicates that the authorization will be limited to a specific command code.
274 @param[in] PolicySession Handle for the policy session being extended.
275 @param[in] Code The allowed commandCode.
277 @retval EFI_SUCCESS Operation completed successfully.
278 @retval EFI_DEVICE_ERROR The command was unsuccessful.
282 Tpm2PolicyCommandCode (
283 IN TPMI_SH_POLICY PolicySession
,
288 TPM2_POLICY_COMMAND_CODE_COMMAND SendBuffer
;
289 TPM2_POLICY_COMMAND_CODE_RESPONSE RecvBuffer
;
290 UINT32 SendBufferSize
;
291 UINT32 RecvBufferSize
;
296 SendBuffer
.Header
.tag
= SwapBytes16(TPM_ST_NO_SESSIONS
);
297 SendBuffer
.Header
.commandCode
= SwapBytes32(TPM_CC_PolicyCommandCode
);
299 SendBuffer
.PolicySession
= SwapBytes32 (PolicySession
);
300 SendBuffer
.Code
= SwapBytes32 (Code
);
302 SendBufferSize
= (UINT32
) sizeof (SendBuffer
);
303 SendBuffer
.Header
.paramSize
= SwapBytes32 (SendBufferSize
);
308 RecvBufferSize
= sizeof (RecvBuffer
);
309 Status
= Tpm2SubmitCommand (SendBufferSize
, (UINT8
*)&SendBuffer
, &RecvBufferSize
, (UINT8
*)&RecvBuffer
);
310 if (EFI_ERROR (Status
)) {
314 if (RecvBufferSize
< sizeof (TPM2_RESPONSE_HEADER
)) {
315 DEBUG ((EFI_D_ERROR
, "Tpm2PolicyCommandCode - RecvBufferSize Error - %x\n", RecvBufferSize
));
316 return EFI_DEVICE_ERROR
;
318 if (SwapBytes32(RecvBuffer
.Header
.responseCode
) != TPM_RC_SUCCESS
) {
319 DEBUG ((EFI_D_ERROR
, "Tpm2PolicyCommandCode - responseCode - %x\n", SwapBytes32(RecvBuffer
.Header
.responseCode
)));
320 return EFI_DEVICE_ERROR
;
327 This command returns the current policyDigest of the session. This command allows the TPM
328 to be used to perform the actions required to precompute the authPolicy for an object.
330 @param[in] PolicySession Handle for the policy session.
331 @param[out] PolicyHash the current value of the policyHash of policySession.
333 @retval EFI_SUCCESS Operation completed successfully.
334 @retval EFI_DEVICE_ERROR The command was unsuccessful.
338 Tpm2PolicyGetDigest (
339 IN TPMI_SH_POLICY PolicySession
,
340 OUT TPM2B_DIGEST
*PolicyHash
344 TPM2_POLICY_GET_DIGEST_COMMAND SendBuffer
;
345 TPM2_POLICY_GET_DIGEST_RESPONSE RecvBuffer
;
346 UINT32 SendBufferSize
;
347 UINT32 RecvBufferSize
;
352 SendBuffer
.Header
.tag
= SwapBytes16(TPM_ST_NO_SESSIONS
);
353 SendBuffer
.Header
.commandCode
= SwapBytes32(TPM_CC_PolicyGetDigest
);
355 SendBuffer
.PolicySession
= SwapBytes32 (PolicySession
);
357 SendBufferSize
= (UINT32
) sizeof (SendBuffer
);
358 SendBuffer
.Header
.paramSize
= SwapBytes32 (SendBufferSize
);
363 RecvBufferSize
= sizeof (RecvBuffer
);
364 Status
= Tpm2SubmitCommand (SendBufferSize
, (UINT8
*)&SendBuffer
, &RecvBufferSize
, (UINT8
*)&RecvBuffer
);
365 if (EFI_ERROR (Status
)) {
369 if (RecvBufferSize
< sizeof (TPM2_RESPONSE_HEADER
)) {
370 DEBUG ((EFI_D_ERROR
, "Tpm2PolicyGetDigest - RecvBufferSize Error - %x\n", RecvBufferSize
));
371 return EFI_DEVICE_ERROR
;
373 if (SwapBytes32(RecvBuffer
.Header
.responseCode
) != TPM_RC_SUCCESS
) {
374 DEBUG ((EFI_D_ERROR
, "Tpm2PolicyGetDigest - responseCode - %x\n", SwapBytes32(RecvBuffer
.Header
.responseCode
)));
375 return EFI_DEVICE_ERROR
;
379 // Return the response
381 PolicyHash
->size
= SwapBytes16 (RecvBuffer
.PolicyHash
.size
);
382 CopyMem (PolicyHash
->buffer
, &RecvBuffer
.PolicyHash
.buffer
, PolicyHash
->size
);