[mirror_edk2.git] / SecurityPkg / Include / Library / Tpm2CommandLib.h

/** @file\r
  This library is used by other modules to send TPM2 command.\r
\r
Copyright (c) 2013 - 2021, Intel Corporation. All rights reserved. <BR>\r
SPDX-License-Identifier: BSD-2-Clause-Patent\r
\r
**/\r
\r
#ifndef _TPM2_COMMAND_LIB_H_\r
#define _TPM2_COMMAND_LIB_H_\r
\r
#include <IndustryStandard/Tpm20.h>\r
\r
/**\r
  This command starts a hash or an Event sequence.\r
  If hashAlg is an implemented hash, then a hash sequence is started.\r
  If hashAlg is TPM_ALG_NULL, then an Event sequence is started.\r
\r
  @param[in]  HashAlg           The hash algorithm to use for the hash sequence\r
                                An Event sequence starts if this is TPM_ALG_NULL.\r
  @param[out] SequenceHandle    A handle to reference the sequence\r
\r
  @retval EFI_SUCCESS      Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR Unexpected device behavior.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2HashSequenceStart (\r
  IN TPMI_ALG_HASH    HashAlg,\r
  OUT TPMI_DH_OBJECT  *SequenceHandle\r
  );\r
\r
/**\r
  This command is used to add data to a hash or HMAC sequence.\r
  The amount of data in buffer may be any size up to the limits of the TPM.\r
  NOTE: In all TPM, a buffer size of 1,024 octets is allowed.\r
\r
  @param[in] SequenceHandle    Handle for the sequence object\r
  @param[in] Buffer            Data to be added to hash\r
\r
  @retval EFI_SUCCESS      Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR Unexpected device behavior.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2SequenceUpdate (\r
  IN TPMI_DH_OBJECT    SequenceHandle,\r
  IN TPM2B_MAX_BUFFER  *Buffer\r
  );\r
\r
/**\r
  This command adds the last part of data, if any, to an Event sequence and returns the result in a digest list.\r
  If pcrHandle references a PCR and not TPM_RH_NULL, then the returned digest list is processed in\r
  the same manner as the digest list input parameter to TPM2_PCR_Extend() with the pcrHandle in each\r
  bank extended with the associated digest value.\r
\r
  @param[in]  PcrHandle         PCR to be extended with the Event data\r
  @param[in]  SequenceHandle    Authorization for the sequence\r
  @param[in]  Buffer            Data to be added to the Event\r
  @param[out] Results           List of digests computed for the PCR\r
\r
  @retval EFI_SUCCESS      Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR Unexpected device behavior.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2EventSequenceComplete (\r
  IN TPMI_DH_PCR          PcrHandle,\r
  IN TPMI_DH_OBJECT       SequenceHandle,\r
  IN TPM2B_MAX_BUFFER     *Buffer,\r
  OUT TPML_DIGEST_VALUES  *Results\r
  );\r
\r
/**\r
  This command adds the last part of data, if any, to a hash/HMAC sequence and returns the result.\r
\r
  @param[in]  SequenceHandle    Authorization for the sequence\r
  @param[in]  Buffer            Data to be added to the hash/HMAC\r
  @param[out] Result            The returned HMAC or digest in a sized buffer\r
\r
  @retval EFI_SUCCESS      Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR Unexpected device behavior.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2SequenceComplete (\r
  IN TPMI_DH_OBJECT    SequenceHandle,\r
  IN TPM2B_MAX_BUFFER  *Buffer,\r
  OUT TPM2B_DIGEST     *Result\r
  );\r
\r
/**\r
  Send Startup command to TPM2.\r
\r
  @param[in] StartupType           TPM_SU_CLEAR or TPM_SU_STATE\r
\r
  @retval EFI_SUCCESS      Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR Unexpected device behavior.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2Startup (\r
  IN      TPM_SU  StartupType\r
  );\r
\r
/**\r
  Send Shutdown command to TPM2.\r
\r
  @param[in] ShutdownType           TPM_SU_CLEAR or TPM_SU_STATE.\r
\r
  @retval EFI_SUCCESS      Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR Unexpected device behavior.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2Shutdown (\r
  IN      TPM_SU  ShutdownType\r
  );\r
\r
/**\r
  This command causes the TPM to perform a test of its capabilities.\r
  If the fullTest is YES, the TPM will test all functions.\r
  If fullTest = NO, the TPM will only test those functions that have not previously been tested.\r
\r
  @param[in] FullTest    YES if full test to be performed\r
                         NO if only test of untested functions required\r
\r
  @retval EFI_SUCCESS      Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR Unexpected device behavior.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2SelfTest (\r
  IN TPMI_YES_NO  FullTest\r
  );\r
\r
/**\r
  This command allows setting of the authorization policy for the platform hierarchy (platformPolicy), the\r
  storage hierarchy (ownerPolicy), and and the endorsement hierarchy (endorsementPolicy).\r
\r
  @param[in]  AuthHandle            TPM_RH_ENDORSEMENT, TPM_RH_OWNER or TPM_RH_PLATFORM+{PP} parameters to be validated\r
  @param[in]  AuthSession           Auth Session context\r
  @param[in]  AuthPolicy            An authorization policy hash\r
  @param[in]  HashAlg               The hash algorithm to use for the policy\r
\r
  @retval EFI_SUCCESS      Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR Unexpected device behavior.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2SetPrimaryPolicy (\r
  IN  TPMI_RH_HIERARCHY_AUTH  AuthHandle,\r
  IN  TPMS_AUTH_COMMAND       *AuthSession,\r
  IN  TPM2B_DIGEST            *AuthPolicy,\r
  IN  TPMI_ALG_HASH           HashAlg\r
  );\r
\r
/**\r
  This command removes all TPM context associated with a specific Owner.\r
\r
  @param[in] AuthHandle        TPM_RH_LOCKOUT or TPM_RH_PLATFORM+{PP}\r
  @param[in] AuthSession       Auth Session context\r
\r
  @retval EFI_SUCCESS      Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR Unexpected device behavior.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2Clear (\r
  IN TPMI_RH_CLEAR      AuthHandle,\r
  IN TPMS_AUTH_COMMAND  *AuthSession OPTIONAL\r
  );\r
\r
/**\r
  Disables and enables the execution of TPM2_Clear().\r
\r
  @param[in] AuthHandle        TPM_RH_LOCKOUT or TPM_RH_PLATFORM+{PP}\r
  @param[in] AuthSession       Auth Session context\r
  @param[in] Disable           YES if the disableOwnerClear flag is to be SET,\r
                               NO if the flag is to be CLEAR.\r
\r
  @retval EFI_SUCCESS      Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR Unexpected device behavior.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2ClearControl (\r
  IN TPMI_RH_CLEAR      AuthHandle,\r
  IN TPMS_AUTH_COMMAND  *AuthSession  OPTIONAL,\r
  IN TPMI_YES_NO        Disable\r
  );\r
\r
/**\r
  This command allows the authorization secret for a hierarchy or lockout to be changed using the current\r
  authorization value as the command authorization.\r
\r
  @param[in] AuthHandle        TPM_RH_LOCKOUT, TPM_RH_ENDORSEMENT, TPM_RH_OWNER or TPM_RH_PLATFORM+{PP}\r
  @param[in] AuthSession       Auth Session context\r
  @param[in] NewAuth           New authorization secret\r
\r
  @retval EFI_SUCCESS      Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR Unexpected device behavior.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2HierarchyChangeAuth (\r
  IN TPMI_RH_HIERARCHY_AUTH  AuthHandle,\r
  IN TPMS_AUTH_COMMAND       *AuthSession,\r
  IN TPM2B_AUTH              *NewAuth\r
  );\r
\r
/**\r
  This replaces the current EPS with a value from the RNG and sets the Endorsement hierarchy controls to\r
  their default initialization values.\r
\r
  @param[in] AuthHandle        TPM_RH_PLATFORM+{PP}\r
  @param[in] AuthSession       Auth Session context\r
\r
  @retval EFI_SUCCESS      Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR Unexpected device behavior.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2ChangeEPS (\r
  IN TPMI_RH_PLATFORM   AuthHandle,\r
  IN TPMS_AUTH_COMMAND  *AuthSession\r
  );\r
\r
/**\r
  This replaces the current PPS with a value from the RNG and sets platformPolicy to the default\r
  initialization value (the Empty Buffer).\r
\r
  @param[in] AuthHandle        TPM_RH_PLATFORM+{PP}\r
  @param[in] AuthSession       Auth Session context\r
\r
  @retval EFI_SUCCESS      Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR Unexpected device behavior.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2ChangePPS (\r
  IN TPMI_RH_PLATFORM   AuthHandle,\r
  IN TPMS_AUTH_COMMAND  *AuthSession\r
  );\r
\r
/**\r
  This command enables and disables use of a hierarchy.\r
\r
  @param[in] AuthHandle        TPM_RH_ENDORSEMENT, TPM_RH_OWNER or TPM_RH_PLATFORM+{PP}\r
  @param[in] AuthSession       Auth Session context\r
  @param[in] Hierarchy         Hierarchy of the enable being modified\r
  @param[in] State             YES if the enable should be SET,\r
                               NO if the enable should be CLEAR\r
\r
  @retval EFI_SUCCESS      Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR Unexpected device behavior.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2HierarchyControl (\r
  IN TPMI_RH_HIERARCHY  AuthHandle,\r
  IN TPMS_AUTH_COMMAND  *AuthSession,\r
  IN TPMI_RH_HIERARCHY  Hierarchy,\r
  IN TPMI_YES_NO        State\r
  );\r
\r
/**\r
  This command cancels the effect of a TPM lockout due to a number of successive authorization failures.\r
  If this command is properly authorized, the lockout counter is set to zero.\r
\r
  @param[in]  LockHandle            LockHandle\r
  @param[in]  AuthSession           Auth Session context\r
\r
  @retval EFI_SUCCESS      Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR Unexpected device behavior.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2DictionaryAttackLockReset (\r
  IN  TPMI_RH_LOCKOUT    LockHandle,\r
  IN  TPMS_AUTH_COMMAND  *AuthSession\r
  );\r
\r
/**\r
  This command cancels the effect of a TPM lockout due to a number of successive authorization failures.\r
  If this command is properly authorized, the lockout counter is set to zero.\r
\r
  @param[in]  LockHandle            LockHandle\r
  @param[in]  AuthSession           Auth Session context\r
  @param[in]  NewMaxTries           Count of authorization failures before the lockout is imposed\r
  @param[in]  NewRecoveryTime       Time in seconds before the authorization failure count is automatically decremented\r
  @param[in]  LockoutRecovery       Time in seconds after a lockoutAuth failure before use of lockoutAuth is allowed\r
\r
  @retval EFI_SUCCESS      Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR Unexpected device behavior.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2DictionaryAttackParameters (\r
  IN  TPMI_RH_LOCKOUT    LockHandle,\r
  IN  TPMS_AUTH_COMMAND  *AuthSession,\r
  IN  UINT32             NewMaxTries,\r
  IN  UINT32             NewRecoveryTime,\r
  IN  UINT32             LockoutRecovery\r
  );\r
\r
/**\r
  This command is used to read the public area and Name of an NV Index.\r
\r
  @param[in]  NvIndex            The NV Index.\r
  @param[out] NvPublic           The public area of the index.\r
  @param[out] NvName             The Name of the nvIndex.\r
\r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2NvReadPublic (\r
  IN      TPMI_RH_NV_INDEX  NvIndex,\r
  OUT     TPM2B_NV_PUBLIC   *NvPublic,\r
  OUT     TPM2B_NAME        *NvName\r
  );\r
\r
/**\r
  This command defines the attributes of an NV Index and causes the TPM to\r
  reserve space to hold the data associated with the index.\r
  If a definition already exists at the index, the TPM will return TPM_RC_NV_DEFINED.\r
\r
  @param[in]  AuthHandle         TPM_RH_OWNER or TPM_RH_PLATFORM+{PP}.\r
  @param[in]  AuthSession        Auth Session context\r
  @param[in]  Auth               The authorization data.\r
  @param[in]  NvPublic           The public area of the index.\r
\r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
  @retval EFI_ALREADY_STARTED    The command was returned successfully, but NvIndex is already defined.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2NvDefineSpace (\r
  IN      TPMI_RH_PROVISION  AuthHandle,\r
  IN      TPMS_AUTH_COMMAND  *AuthSession  OPTIONAL,\r
  IN      TPM2B_AUTH         *Auth,\r
  IN      TPM2B_NV_PUBLIC    *NvPublic\r
  );\r
\r
/**\r
  This command removes an index from the TPM.\r
\r
  @param[in]  AuthHandle         TPM_RH_OWNER or TPM_RH_PLATFORM+{PP}.\r
  @param[in]  NvIndex            The NV Index.\r
  @param[in]  AuthSession        Auth Session context\r
\r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
  @retval EFI_NOT_FOUND          The command was returned successfully, but NvIndex is not found.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2NvUndefineSpace (\r
  IN      TPMI_RH_PROVISION  AuthHandle,\r
  IN      TPMI_RH_NV_INDEX   NvIndex,\r
  IN      TPMS_AUTH_COMMAND  *AuthSession OPTIONAL\r
  );\r
\r
/**\r
  This command reads a value from an area in NV memory previously defined by TPM2_NV_DefineSpace().\r
\r
  @param[in]     AuthHandle         the handle indicating the source of the authorization value.\r
  @param[in]     NvIndex            The index to be read.\r
  @param[in]     AuthSession        Auth Session context\r
  @param[in]     Size               Number of bytes to read.\r
  @param[in]     Offset             Byte offset into the area.\r
  @param[in,out] OutData            The data read.\r
\r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
  @retval EFI_NOT_FOUND          The command was returned successfully, but NvIndex is not found.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2NvRead (\r
  IN      TPMI_RH_NV_AUTH    AuthHandle,\r
  IN      TPMI_RH_NV_INDEX   NvIndex,\r
  IN      TPMS_AUTH_COMMAND  *AuthSession  OPTIONAL,\r
  IN      UINT16             Size,\r
  IN      UINT16             Offset,\r
  IN OUT  TPM2B_MAX_BUFFER   *OutData\r
  );\r
\r
/**\r
  This command writes a value to an area in NV memory that was previously defined by TPM2_NV_DefineSpace().\r
\r
  @param[in]  AuthHandle         the handle indicating the source of the authorization value.\r
  @param[in]  NvIndex            The NV Index of the area to write.\r
  @param[in]  AuthSession        Auth Session context\r
  @param[in]  InData             The data to write.\r
  @param[in]  Offset             The offset into the NV Area.\r
\r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
  @retval EFI_NOT_FOUND          The command was returned successfully, but NvIndex is not found.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2NvWrite (\r
  IN      TPMI_RH_NV_AUTH    AuthHandle,\r
  IN      TPMI_RH_NV_INDEX   NvIndex,\r
  IN      TPMS_AUTH_COMMAND  *AuthSession  OPTIONAL,\r
  IN      TPM2B_MAX_BUFFER   *InData,\r
  IN      UINT16             Offset\r
  );\r
\r
/**\r
  This command may be used to prevent further reads of the Index until the next TPM2_Startup (TPM_SU_CLEAR).\r
\r
  @param[in]  AuthHandle         the handle indicating the source of the authorization value.\r
  @param[in]  NvIndex            The NV Index of the area to lock.\r
  @param[in]  AuthSession        Auth Session context\r
\r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
  @retval EFI_NOT_FOUND          The command was returned successfully, but NvIndex is not found.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2NvReadLock (\r
  IN      TPMI_RH_NV_AUTH    AuthHandle,\r
  IN      TPMI_RH_NV_INDEX   NvIndex,\r
  IN      TPMS_AUTH_COMMAND  *AuthSession OPTIONAL\r
  );\r
\r
/**\r
  This command may be used to inhibit further writes of the Index.\r
\r
  @param[in]  AuthHandle         the handle indicating the source of the authorization value.\r
  @param[in]  NvIndex            The NV Index of the area to lock.\r
  @param[in]  AuthSession        Auth Session context\r
\r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
  @retval EFI_NOT_FOUND          The command was returned successfully, but NvIndex is not found.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2NvWriteLock (\r
  IN      TPMI_RH_NV_AUTH    AuthHandle,\r
  IN      TPMI_RH_NV_INDEX   NvIndex,\r
  IN      TPMS_AUTH_COMMAND  *AuthSession OPTIONAL\r
  );\r
\r
/**\r
  The command will SET TPMA_NV_WRITELOCKED for all indexes that have their TPMA_NV_GLOBALLOCK attribute SET.\r
\r
  @param[in]  AuthHandle         TPM_RH_OWNER or TPM_RH_PLATFORM+{PP}.\r
  @param[in]  AuthSession        Auth Session context\r
\r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
  @retval EFI_NOT_FOUND          The command was returned successfully, but NvIndex is not found.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2NvGlobalWriteLock (\r
  IN      TPMI_RH_PROVISION  AuthHandle,\r
  IN      TPMS_AUTH_COMMAND  *AuthSession OPTIONAL\r
  );\r
\r
/**\r
  This command is used to cause an update to the indicated PCR.\r
  The digests parameter contains one or more tagged digest value identified by an algorithm ID.\r
  For each digest, the PCR associated with pcrHandle is Extended into the bank identified by the tag (hashAlg).\r
\r
  @param[in] PcrHandle   Handle of the PCR\r
  @param[in] Digests     List of tagged digest values to be extended\r
\r
  @retval EFI_SUCCESS      Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR Unexpected device behavior.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2PcrExtend (\r
  IN      TPMI_DH_PCR         PcrHandle,\r
  IN      TPML_DIGEST_VALUES  *Digests\r
  );\r
\r
/**\r
  This command is used to cause an update to the indicated PCR.\r
  The data in eventData is hashed using the hash algorithm associated with each bank in which the\r
  indicated PCR has been allocated. After the data is hashed, the digests list is returned. If the pcrHandle\r
  references an implemented PCR and not TPM_ALG_NULL, digests list is processed as in\r
  TPM2_PCR_Extend().\r
  A TPM shall support an Event.size of zero through 1,024 inclusive.\r
\r
  @param[in]  PcrHandle   Handle of the PCR\r
  @param[in]  EventData   Event data in sized buffer\r
  @param[out] Digests     List of digest\r
\r
  @retval EFI_SUCCESS      Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR Unexpected device behavior.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2PcrEvent (\r
  IN      TPMI_DH_PCR         PcrHandle,\r
  IN      TPM2B_EVENT         *EventData,\r
  OUT     TPML_DIGEST_VALUES  *Digests\r
  );\r
\r
/**\r
  This command returns the values of all PCR specified in pcrSelect.\r
\r
  @param[in]  PcrSelectionIn     The selection of PCR to read.\r
  @param[out] PcrUpdateCounter   The current value of the PCR update counter.\r
  @param[out] PcrSelectionOut    The PCR in the returned list.\r
  @param[out] PcrValues          The contents of the PCR indicated in pcrSelect.\r
\r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2PcrRead (\r
  IN   TPML_PCR_SELECTION  *PcrSelectionIn,\r
  OUT  UINT32              *PcrUpdateCounter,\r
  OUT  TPML_PCR_SELECTION  *PcrSelectionOut,\r
  OUT  TPML_DIGEST         *PcrValues\r
  );\r
\r
/**\r
  This command is used to set the desired PCR allocation of PCR and algorithms.\r
\r
  @param[in]  AuthHandle         TPM_RH_PLATFORM+{PP}\r
  @param[in]  AuthSession        Auth Session context\r
  @param[in]  PcrAllocation      The requested allocation\r
  @param[out] AllocationSuccess  YES if the allocation succeeded\r
  @param[out] MaxPCR             maximum number of PCR that may be in a bank\r
  @param[out] SizeNeeded         number of octets required to satisfy the request\r
  @param[out] SizeAvailable      Number of octets available. Computed before the allocation\r
\r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2PcrAllocate (\r
  IN  TPMI_RH_PLATFORM    AuthHandle,\r
  IN  TPMS_AUTH_COMMAND   *AuthSession,\r
  IN  TPML_PCR_SELECTION  *PcrAllocation,\r
  OUT TPMI_YES_NO         *AllocationSuccess,\r
  OUT UINT32              *MaxPCR,\r
  OUT UINT32              *SizeNeeded,\r
  OUT UINT32              *SizeAvailable\r
  );\r
\r
/**\r
  Alloc PCR data.\r
\r
  @param[in]  PlatformAuth      platform auth value. NULL means no platform auth change.\r
  @param[in]  SupportedPCRBanks Supported PCR banks\r
  @param[in]  PCRBanks          PCR banks\r
\r
  @retval EFI_SUCCESS Operation completed successfully.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2PcrAllocateBanks (\r
  IN TPM2B_AUTH  *PlatformAuth   OPTIONAL,\r
  IN UINT32      SupportedPCRBanks,\r
  IN UINT32      PCRBanks\r
  );\r
\r
/**\r
  This command returns various information regarding the TPM and its current state.\r
\r
  The capability parameter determines the category of data returned. The property parameter\r
  selects the first value of the selected category to be returned. If there is no property\r
  that corresponds to the value of property, the next higher value is returned, if it exists.\r
  The moreData parameter will have a value of YES if there are more values of the requested\r
  type that were not returned.\r
  If no next capability exists, the TPM will return a zero-length list and moreData will have\r
  a value of NO.\r
\r
  NOTE:\r
  To simplify this function, leave returned CapabilityData for caller to unpack since there are\r
  many capability categories and only few categories will be used in firmware. It means the caller\r
  need swap the byte order for the fields in CapabilityData.\r
\r
  @param[in]  Capability         Group selection; determines the format of the response.\r
  @param[in]  Property           Further definition of information.\r
  @param[in]  PropertyCount      Number of properties of the indicated type to return.\r
  @param[out] MoreData           Flag to indicate if there are more values of this type.\r
  @param[out] CapabilityData     The capability data.\r
\r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2GetCapability (\r
  IN      TPM_CAP               Capability,\r
  IN      UINT32                Property,\r
  IN      UINT32                PropertyCount,\r
  OUT     TPMI_YES_NO           *MoreData,\r
  OUT     TPMS_CAPABILITY_DATA  *CapabilityData\r
  );\r
\r
/**\r
  This command returns the information of TPM Family.\r
\r
  This function parse the value got from TPM2_GetCapability and return the Family.\r
\r
  @param[out] Family             The Family of TPM. (a 4-octet character string)\r
\r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2GetCapabilityFamily (\r
  OUT     CHAR8  *Family\r
  );\r
\r
/**\r
  This command returns the information of TPM manufacture ID.\r
\r
  This function parse the value got from TPM2_GetCapability and return the TPM manufacture ID.\r
\r
  @param[out] ManufactureId      The manufacture ID of TPM.\r
\r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2GetCapabilityManufactureID (\r
  OUT     UINT32  *ManufactureId\r
  );\r
\r
/**\r
  This command returns the information of TPM FirmwareVersion.\r
\r
  This function parse the value got from TPM2_GetCapability and return the TPM FirmwareVersion.\r
\r
  @param[out] FirmwareVersion1   The FirmwareVersion1.\r
  @param[out] FirmwareVersion2   The FirmwareVersion2.\r
\r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2GetCapabilityFirmwareVersion (\r
  OUT     UINT32  *FirmwareVersion1,\r
  OUT     UINT32  *FirmwareVersion2\r
  );\r
\r
/**\r
  This command returns the information of the maximum value for commandSize and responseSize in a command.\r
\r
  This function parse the value got from TPM2_GetCapability and return the max command size and response size\r
\r
  @param[out] MaxCommandSize     The maximum value for commandSize in a command.\r
  @param[out] MaxResponseSize    The maximum value for responseSize in a command.\r
\r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2GetCapabilityMaxCommandResponseSize (\r
  OUT UINT32  *MaxCommandSize,\r
  OUT UINT32  *MaxResponseSize\r
  );\r
\r
/**\r
  This command returns Returns a list of TPMS_ALG_PROPERTIES. Each entry is an\r
  algorithm ID and a set of properties of the algorithm.\r
\r
  This function parse the value got from TPM2_GetCapability and return the list.\r
\r
  @param[out] AlgList      List of algorithm.\r
\r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2GetCapabilitySupportedAlg (\r
  OUT TPML_ALG_PROPERTY  *AlgList\r
  );\r
\r
/**\r
  This command returns the information of TPM LockoutCounter.\r
\r
  This function parse the value got from TPM2_GetCapability and return the LockoutCounter.\r
\r
  @param[out] LockoutCounter     The LockoutCounter of TPM.\r
\r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2GetCapabilityLockoutCounter (\r
  OUT     UINT32  *LockoutCounter\r
  );\r
\r
/**\r
  This command returns the information of TPM LockoutInterval.\r
\r
  This function parse the value got from TPM2_GetCapability and return the LockoutInterval.\r
\r
  @param[out] LockoutInterval    The LockoutInterval of TPM.\r
\r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2GetCapabilityLockoutInterval (\r
  OUT     UINT32  *LockoutInterval\r
  );\r
\r
/**\r
  This command returns the information of TPM InputBufferSize.\r
\r
  This function parse the value got from TPM2_GetCapability and return the InputBufferSize.\r
\r
  @param[out] InputBufferSize    The InputBufferSize of TPM.\r
                                 the maximum size of a parameter (typically, a TPM2B_MAX_BUFFER)\r
\r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2GetCapabilityInputBufferSize (\r
  OUT     UINT32  *InputBufferSize\r
  );\r
\r
/**\r
  This command returns the information of TPM PCRs.\r
\r
  This function parse the value got from TPM2_GetCapability and return the PcrSelection.\r
\r
  @param[out] Pcrs    The Pcr Selection\r
\r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2GetCapabilityPcrs (\r
  OUT TPML_PCR_SELECTION  *Pcrs\r
  );\r
\r
/**\r
  This function will query the TPM to determine which hashing algorithms\r
  are supported and which PCR banks are currently active.\r
\r
  @param[out]  TpmHashAlgorithmBitmap A bitmask containing the algorithms supported by the TPM.\r
  @param[out]  ActivePcrBanks         A bitmask containing the PCRs currently allocated.\r
\r
  @retval     EFI_SUCCESS   TPM was successfully queried and return values can be trusted.\r
  @retval     Others        An error occurred, likely in communication with the TPM.\r
\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2GetCapabilitySupportedAndActivePcrs (\r
  OUT UINT32  *TpmHashAlgorithmBitmap,\r
  OUT UINT32  *ActivePcrBanks\r
  );\r
\r
/**\r
  This command returns the information of TPM AlgorithmSet.\r
\r
  This function parse the value got from TPM2_GetCapability and return the AlgorithmSet.\r
\r
  @param[out] AlgorithmSet    The AlgorithmSet of TPM.\r
\r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2GetCapabilityAlgorithmSet (\r
  OUT     UINT32  *AlgorithmSet\r
  );\r
\r
/**\r
  This function will query if the command is supported.\r
\r
  @param[In]  Command         TPM_CC command starts from TPM_CC_FIRST.\r
  @param[out] IsCmdImpl       The command is supported or not.\r
\r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2GetCapabilityIsCommandImplemented (\r
  IN      TPM_CC   Command,\r
  OUT     BOOLEAN  *IsCmdImpl\r
  );\r
\r
/**\r
  This command is used to check to see if specific combinations of algorithm parameters are supported.\r
\r
  @param[in]  Parameters              Algorithm parameters to be validated\r
\r
  @retval EFI_SUCCESS      Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR Unexpected device behavior.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2TestParms (\r
  IN  TPMT_PUBLIC_PARMS  *Parameters\r
  );\r
\r
/**\r
  This command allows the platform to change the set of algorithms that are used by the TPM.\r
  The algorithmSet setting is a vendor-dependent value.\r
\r
  @param[in]  AuthHandle              TPM_RH_PLATFORM\r
  @param[in]  AuthSession             Auth Session context\r
  @param[in]  AlgorithmSet            A TPM vendor-dependent value indicating the\r
                                      algorithm set selection\r
\r
  @retval EFI_SUCCESS      Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR Unexpected device behavior.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2SetAlgorithmSet (\r
  IN  TPMI_RH_PLATFORM   AuthHandle,\r
  IN  TPMS_AUTH_COMMAND  *AuthSession,\r
  IN  UINT32             AlgorithmSet\r
  );\r
\r
/**\r
  This command is used to start an authorization session using alternative methods of\r
  establishing the session key (sessionKey) that is used for authorization and encrypting value.\r
\r
  @param[in]  TpmKey             Handle of a loaded decrypt key used to encrypt salt.\r
  @param[in]  Bind               Entity providing the authValue.\r
  @param[in]  NonceCaller        Initial nonceCaller, sets nonce size for the session.\r
  @param[in]  Salt               Value encrypted according to the type of tpmKey.\r
  @param[in]  SessionType        Indicates the type of the session.\r
  @param[in]  Symmetric          The algorithm and key size for parameter encryption.\r
  @param[in]  AuthHash           Hash algorithm to use for the session.\r
  @param[out] SessionHandle      Handle for the newly created session.\r
  @param[out] NonceTPM           The initial nonce from the TPM, used in the computation of the sessionKey.\r
\r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2StartAuthSession (\r
  IN      TPMI_DH_OBJECT          TpmKey,\r
  IN      TPMI_DH_ENTITY          Bind,\r
  IN      TPM2B_NONCE             *NonceCaller,\r
  IN      TPM2B_ENCRYPTED_SECRET  *Salt,\r
  IN      TPM_SE                  SessionType,\r
  IN      TPMT_SYM_DEF            *Symmetric,\r
  IN      TPMI_ALG_HASH           AuthHash,\r
  OUT  TPMI_SH_AUTH_SESSION       *SessionHandle,\r
  OUT  TPM2B_NONCE                *NonceTPM\r
  );\r
\r
/**\r
  This command causes all context associated with a loaded object or session to be removed from TPM memory.\r
\r
  @param[in]  FlushHandle        The handle of the item to flush.\r
\r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2FlushContext (\r
  IN      TPMI_DH_CONTEXT  FlushHandle\r
  );\r
\r
/**\r
  This command includes a secret-based authorization to a policy.\r
  The caller proves knowledge of the secret value using an authorization\r
  session using the authValue associated with authHandle.\r
\r
  @param[in]  AuthHandle         Handle for an entity providing the authorization\r
  @param[in]  PolicySession      Handle for the policy session being extended.\r
  @param[in]  AuthSession        Auth Session context\r
  @param[in]  NonceTPM           The policy nonce for the session.\r
  @param[in]  CpHashA            Digest of the command parameters to which this authorization is limited.\r
  @param[in]  PolicyRef          A reference to a policy relating to the authorization.\r
  @param[in]  Expiration         Time when authorization will expire, measured in seconds from the time that nonceTPM was generated.\r
  @param[out] Timeout            Time value used to indicate to the TPM when the ticket expires.\r
  @param[out] PolicyTicket       A ticket that includes a value indicating when the authorization expires.\r
\r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2PolicySecret (\r
  IN      TPMI_DH_ENTITY     AuthHandle,\r
  IN      TPMI_SH_POLICY     PolicySession,\r
  IN      TPMS_AUTH_COMMAND  *AuthSession  OPTIONAL,\r
  IN      TPM2B_NONCE        *NonceTPM,\r
  IN      TPM2B_DIGEST       *CpHashA,\r
  IN      TPM2B_NONCE        *PolicyRef,\r
  IN      INT32              Expiration,\r
  OUT     TPM2B_TIMEOUT      *Timeout,\r
  OUT     TPMT_TK_AUTH       *PolicyTicket\r
  );\r
\r
/**\r
  This command allows options in authorizations without requiring that the TPM evaluate all of the options.\r
  If a policy may be satisfied by different sets of conditions, the TPM need only evaluate one set that\r
  satisfies the policy. This command will indicate that one of the required sets of conditions has been\r
  satisfied.\r
\r
  @param[in] PolicySession      Handle for the policy session being extended.\r
  @param[in] HashList           the list of hashes to check for a match.\r
\r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2PolicyOR (\r
  IN TPMI_SH_POLICY  PolicySession,\r
  IN TPML_DIGEST     *HashList\r
  );\r
\r
/**\r
  This command indicates that the authorization will be limited to a specific command code.\r
\r
  @param[in]  PolicySession      Handle for the policy session being extended.\r
  @param[in]  Code               The allowed commandCode.\r
\r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2PolicyCommandCode (\r
  IN      TPMI_SH_POLICY  PolicySession,\r
  IN      TPM_CC          Code\r
  );\r
\r
/**\r
  This command returns the current policyDigest of the session. This command allows the TPM\r
  to be used to perform the actions required to precompute the authPolicy for an object.\r
\r
  @param[in]  PolicySession      Handle for the policy session.\r
  @param[out] PolicyHash         the current value of the policyHash of policySession.\r
\r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2PolicyGetDigest (\r
  IN      TPMI_SH_POLICY  PolicySession,\r
  OUT  TPM2B_DIGEST       *PolicyHash\r
  );\r
\r
/**\r
  This command allows access to the public area of a loaded object.\r
\r
  @param[in]  ObjectHandle            TPM handle of an object\r
  @param[out] OutPublic               Structure containing the public area of an object\r
  @param[out] Name                    Name of the object\r
  @param[out] QualifiedName           The Qualified Name of the object\r
\r
  @retval EFI_SUCCESS      Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR Unexpected device behavior.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2ReadPublic (\r
  IN  TPMI_DH_OBJECT  ObjectHandle,\r
  OUT TPM2B_PUBLIC    *OutPublic,\r
  OUT TPM2B_NAME      *Name,\r
  OUT TPM2B_NAME      *QualifiedName\r
  );\r
\r
//\r
// Help function\r
//\r
\r
/**\r
  Copy AuthSessionIn to TPM2 command buffer.\r
\r
  @param [in]  AuthSessionIn   Input AuthSession data\r
  @param [out] AuthSessionOut  Output AuthSession data in TPM2 command buffer\r
\r
  @return AuthSession size\r
**/\r
UINT32\r
EFIAPI\r
CopyAuthSessionCommand (\r
  IN      TPMS_AUTH_COMMAND  *AuthSessionIn  OPTIONAL,\r
  OUT     UINT8              *AuthSessionOut\r
  );\r
\r
/**\r
  Copy AuthSessionIn from TPM2 response buffer.\r
\r
  @param [in]  AuthSessionIn   Input AuthSession data in TPM2 response buffer\r
  @param [out] AuthSessionOut  Output AuthSession data\r
\r
  @return AuthSession size\r
**/\r
UINT32\r
EFIAPI\r
CopyAuthSessionResponse (\r
  IN      UINT8               *AuthSessionIn,\r
  OUT     TPMS_AUTH_RESPONSE  *AuthSessionOut OPTIONAL\r
  );\r
\r
/**\r
  Return size of digest.\r
\r
  @param[in] HashAlgo  Hash algorithm\r
\r
  @return size of digest\r
**/\r
UINT16\r
EFIAPI\r
GetHashSizeFromAlgo (\r
  IN TPMI_ALG_HASH  HashAlgo\r
  );\r
\r
/**\r
  Get hash mask from algorithm.\r
\r
  @param[in] HashAlgo   Hash algorithm\r
\r
  @return Hash mask\r
**/\r
UINT32\r
EFIAPI\r
GetHashMaskFromAlgo (\r
  IN TPMI_ALG_HASH  HashAlgo\r
  );\r
\r
/**\r
  Return if hash alg is supported in HashAlgorithmMask.\r
\r
  @param HashAlg            Hash algorithm to be checked.\r
  @param HashAlgorithmMask  Bitfield of allowed hash algorithms.\r
\r
  @retval TRUE  Hash algorithm is supported.\r
  @retval FALSE Hash algorithm is not supported.\r
**/\r
BOOLEAN\r
EFIAPI\r
IsHashAlgSupportedInHashAlgorithmMask (\r
  IN TPMI_ALG_HASH  HashAlg,\r
  IN UINT32         HashAlgorithmMask\r
  );\r
\r
/**\r
  Copy TPML_DIGEST_VALUES into a buffer\r
\r
  @param[in,out] Buffer             Buffer to hold copied TPML_DIGEST_VALUES compact binary.\r
  @param[in]     DigestList         TPML_DIGEST_VALUES to be copied.\r
  @param[in]     HashAlgorithmMask  HASH bits corresponding to the desired digests to copy.\r
\r
  @return The end of buffer to hold TPML_DIGEST_VALUES.\r
**/\r
VOID *\r
EFIAPI\r
CopyDigestListToBuffer (\r
  IN OUT VOID            *Buffer,\r
  IN TPML_DIGEST_VALUES  *DigestList,\r
  IN UINT32              HashAlgorithmMask\r
  );\r
\r
/**\r
  Get TPML_DIGEST_VALUES data size.\r
\r
  @param[in]     DigestList    TPML_DIGEST_VALUES data.\r
\r
  @return TPML_DIGEST_VALUES data size.\r
**/\r
UINT32\r
EFIAPI\r
GetDigestListSize (\r
  IN TPML_DIGEST_VALUES  *DigestList\r
  );\r
\r
/**\r
  This function get digest from digest list.\r
\r
  @param[in]  HashAlg       Digest algorithm\r
  @param[in]  DigestList    Digest list\r
  @param[out] Digest        Digest\r
\r
  @retval EFI_SUCCESS       Digest is found and returned.\r
  @retval EFI_NOT_FOUND     Digest is not found.\r
**/\r
EFI_STATUS\r
EFIAPI\r
GetDigestFromDigestList (\r
  IN TPMI_ALG_HASH       HashAlg,\r
  IN TPML_DIGEST_VALUES  *DigestList,\r
  OUT VOID               *Digest\r
  );\r
\r
/**\r
   This function will query the TPM to determine which hashing algorithms and\r
   get the digests of all active and supported PCR banks of a specific PCR register.\r
\r
   @param[in]     PcrHandle     The index of the PCR register to be read.\r
   @param[out]    HashList      List of digests from PCR register being read.\r
\r
   @retval EFI_SUCCESS           The Pcr was read successfully.\r
   @retval EFI_DEVICE_ERROR      The command was unsuccessful.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2PcrReadForActiveBank (\r
  IN      TPMI_DH_PCR  PcrHandle,\r
  OUT     TPML_DIGEST  *HashList\r
  );\r
\r
#endif\r