]>
Commit | Line | Data |
---|---|---|
967eacca JY |
1 | /** @file\r |
2 | Implement TPM2 EnhancedAuthorization related command.\r | |
3 | \r | |
4 | Copyright (c) 2014, Intel Corporation. All rights reserved. <BR>\r | |
5 | This program and the accompanying materials\r | |
6 | are licensed and made available under the terms and conditions of the BSD License\r | |
7 | which accompanies this distribution. The full text of the license may be found at\r | |
8 | http://opensource.org/licenses/bsd-license.php\r | |
9 | \r | |
10 | THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r | |
11 | WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r | |
12 | \r | |
13 | **/\r | |
14 | \r | |
15 | #include <IndustryStandard/UefiTcgPlatform.h>\r | |
16 | #include <Library/Tpm2CommandLib.h>\r | |
17 | #include <Library/Tpm2DeviceLib.h>\r | |
18 | #include <Library/BaseMemoryLib.h>\r | |
19 | #include <Library/BaseLib.h>\r | |
20 | #include <Library/DebugLib.h>\r | |
21 | \r | |
22 | #pragma pack(1)\r | |
23 | \r | |
24 | typedef struct {\r | |
25 | TPM2_COMMAND_HEADER Header;\r | |
26 | TPMI_DH_ENTITY AuthHandle;\r | |
27 | TPMI_SH_POLICY PolicySession;\r | |
28 | UINT32 AuthSessionSize;\r | |
29 | TPMS_AUTH_COMMAND AuthSession;\r | |
30 | TPM2B_NONCE NonceTPM;\r | |
31 | TPM2B_DIGEST CpHashA;\r | |
32 | TPM2B_NONCE PolicyRef;\r | |
33 | INT32 Expiration;\r | |
34 | } TPM2_POLICY_SECRET_COMMAND;\r | |
35 | \r | |
36 | typedef struct {\r | |
37 | TPM2_RESPONSE_HEADER Header;\r | |
38 | UINT32 AuthSessionSize;\r | |
39 | TPM2B_TIMEOUT Timeout;\r | |
40 | TPMT_TK_AUTH PolicyTicket;\r | |
41 | TPMS_AUTH_RESPONSE AuthSession;\r | |
42 | } TPM2_POLICY_SECRET_RESPONSE;\r | |
43 | \r | |
a50e58f4 JY |
44 | typedef struct {\r |
45 | TPM2_COMMAND_HEADER Header;\r | |
46 | TPMI_SH_POLICY PolicySession;\r | |
47 | TPML_DIGEST HashList;\r | |
48 | } TPM2_POLICY_OR_COMMAND;\r | |
49 | \r | |
50 | typedef struct {\r | |
51 | TPM2_RESPONSE_HEADER Header;\r | |
52 | } TPM2_POLICY_OR_RESPONSE;\r | |
53 | \r | |
967eacca JY |
54 | typedef struct {\r |
55 | TPM2_COMMAND_HEADER Header;\r | |
56 | TPMI_SH_POLICY PolicySession;\r | |
57 | TPM_CC Code;\r | |
58 | } TPM2_POLICY_COMMAND_CODE_COMMAND;\r | |
59 | \r | |
60 | typedef struct {\r | |
61 | TPM2_RESPONSE_HEADER Header;\r | |
62 | } TPM2_POLICY_COMMAND_CODE_RESPONSE;\r | |
63 | \r | |
64 | typedef struct {\r | |
65 | TPM2_COMMAND_HEADER Header;\r | |
66 | TPMI_SH_POLICY PolicySession;\r | |
67 | } TPM2_POLICY_GET_DIGEST_COMMAND;\r | |
68 | \r | |
69 | typedef struct {\r | |
70 | TPM2_RESPONSE_HEADER Header;\r | |
71 | TPM2B_DIGEST PolicyHash;\r | |
72 | } TPM2_POLICY_GET_DIGEST_RESPONSE;\r | |
73 | \r | |
74 | #pragma pack()\r | |
75 | \r | |
76 | /**\r | |
77 | This command includes a secret-based authorization to a policy.\r | |
78 | The caller proves knowledge of the secret value using an authorization\r | |
79 | session using the authValue associated with authHandle.\r | |
80 | \r | |
81 | @param[in] AuthHandle Handle for an entity providing the authorization\r | |
82 | @param[in] PolicySession Handle for the policy session being extended.\r | |
83 | @param[in] AuthSession Auth Session context\r | |
84 | @param[in] NonceTPM The policy nonce for the session.\r | |
85 | @param[in] CpHashA Digest of the command parameters to which this authorization is limited.\r | |
86 | @param[in] PolicyRef A reference to a policy relating to the authorization.\r | |
87 | @param[in] Expiration Time when authorization will expire, measured in seconds from the time that nonceTPM was generated.\r | |
88 | @param[out] Timeout Time value used to indicate to the TPM when the ticket expires.\r | |
89 | @param[out] PolicyTicket A ticket that includes a value indicating when the authorization expires.\r | |
90 | \r | |
91 | @retval EFI_SUCCESS Operation completed successfully.\r | |
92 | @retval EFI_DEVICE_ERROR The command was unsuccessful.\r | |
93 | **/\r | |
94 | EFI_STATUS\r | |
95 | EFIAPI\r | |
96 | Tpm2PolicySecret (\r | |
97 | IN TPMI_DH_ENTITY AuthHandle,\r | |
98 | IN TPMI_SH_POLICY PolicySession,\r | |
99 | IN TPMS_AUTH_COMMAND *AuthSession, OPTIONAL\r | |
100 | IN TPM2B_NONCE *NonceTPM,\r | |
101 | IN TPM2B_DIGEST *CpHashA,\r | |
102 | IN TPM2B_NONCE *PolicyRef,\r | |
103 | IN INT32 Expiration,\r | |
104 | OUT TPM2B_TIMEOUT *Timeout,\r | |
105 | OUT TPMT_TK_AUTH *PolicyTicket\r | |
106 | )\r | |
107 | {\r | |
108 | EFI_STATUS Status;\r | |
109 | TPM2_POLICY_SECRET_COMMAND SendBuffer;\r | |
110 | TPM2_POLICY_SECRET_RESPONSE RecvBuffer;\r | |
111 | UINT32 SendBufferSize;\r | |
112 | UINT32 RecvBufferSize;\r | |
113 | UINT8 *Buffer;\r | |
114 | UINT32 SessionInfoSize;\r | |
115 | \r | |
116 | //\r | |
117 | // Construct command\r | |
118 | //\r | |
119 | SendBuffer.Header.tag = SwapBytes16(TPM_ST_SESSIONS);\r | |
120 | SendBuffer.Header.commandCode = SwapBytes32(TPM_CC_PolicySecret);\r | |
121 | SendBuffer.AuthHandle = SwapBytes32 (AuthHandle);\r | |
122 | SendBuffer.PolicySession = SwapBytes32 (PolicySession);\r | |
123 | \r | |
124 | //\r | |
125 | // Add in Auth session\r | |
126 | //\r | |
127 | Buffer = (UINT8 *)&SendBuffer.AuthSession;\r | |
128 | \r | |
129 | // sessionInfoSize\r | |
130 | SessionInfoSize = CopyAuthSessionCommand (AuthSession, Buffer);\r | |
131 | Buffer += SessionInfoSize;\r | |
132 | SendBuffer.AuthSessionSize = SwapBytes32(SessionInfoSize);\r | |
133 | \r | |
134 | //\r | |
135 | // Real data\r | |
136 | //\r | |
137 | WriteUnaligned16 ((UINT16 *)Buffer, SwapBytes16(NonceTPM->size));\r | |
138 | Buffer += sizeof(UINT16);\r | |
139 | CopyMem (Buffer, NonceTPM->buffer, NonceTPM->size);\r | |
140 | Buffer += NonceTPM->size;\r | |
141 | \r | |
142 | WriteUnaligned16 ((UINT16 *)Buffer, SwapBytes16(CpHashA->size));\r | |
143 | Buffer += sizeof(UINT16);\r | |
144 | CopyMem (Buffer, CpHashA->buffer, CpHashA->size);\r | |
145 | Buffer += CpHashA->size;\r | |
146 | \r | |
147 | WriteUnaligned16 ((UINT16 *)Buffer, SwapBytes16(PolicyRef->size));\r | |
148 | Buffer += sizeof(UINT16);\r | |
149 | CopyMem (Buffer, PolicyRef->buffer, PolicyRef->size);\r | |
150 | Buffer += PolicyRef->size;\r | |
151 | \r | |
152 | WriteUnaligned32 ((UINT32 *)Buffer, SwapBytes32((UINT32)Expiration));\r | |
153 | Buffer += sizeof(UINT32);\r | |
154 | \r | |
155 | SendBufferSize = (UINT32)((UINTN)Buffer - (UINTN)&SendBuffer);\r | |
156 | SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);\r | |
157 | \r | |
158 | //\r | |
159 | // send Tpm command\r | |
160 | //\r | |
161 | RecvBufferSize = sizeof (RecvBuffer);\r | |
162 | Status = Tpm2SubmitCommand (SendBufferSize, (UINT8 *)&SendBuffer, &RecvBufferSize, (UINT8 *)&RecvBuffer);\r | |
163 | if (EFI_ERROR (Status)) {\r | |
164 | return Status;\r | |
165 | }\r | |
166 | \r | |
167 | if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {\r | |
168 | DEBUG ((EFI_D_ERROR, "Tpm2PolicySecret - RecvBufferSize Error - %x\n", RecvBufferSize));\r | |
169 | return EFI_DEVICE_ERROR;\r | |
170 | }\r | |
171 | if (SwapBytes32(RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) {\r | |
172 | DEBUG ((EFI_D_ERROR, "Tpm2PolicySecret - responseCode - %x\n", SwapBytes32(RecvBuffer.Header.responseCode)));\r | |
173 | return EFI_DEVICE_ERROR;\r | |
174 | }\r | |
175 | \r | |
176 | //\r | |
177 | // Return the response\r | |
178 | //\r | |
179 | Buffer = (UINT8 *)&RecvBuffer.Timeout;\r | |
180 | Timeout->size = SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer));\r | |
181 | Buffer += sizeof(UINT16);\r | |
182 | CopyMem (Timeout->buffer, Buffer, Timeout->size);\r | |
183 | \r | |
184 | PolicyTicket->tag = SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer));\r | |
185 | Buffer += sizeof(UINT16);\r | |
186 | PolicyTicket->hierarchy = SwapBytes32(ReadUnaligned32 ((UINT32 *)Buffer));\r | |
187 | Buffer += sizeof(UINT32);\r | |
188 | PolicyTicket->digest.size = SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer));\r | |
189 | Buffer += sizeof(UINT16);\r | |
190 | CopyMem (PolicyTicket->digest.buffer, Buffer, PolicyTicket->digest.size);\r | |
191 | \r | |
192 | return EFI_SUCCESS;\r | |
193 | }\r | |
194 | \r | |
a50e58f4 JY |
195 | /**\r |
196 | This command allows options in authorizations without requiring that the TPM evaluate all of the options.\r | |
197 | If a policy may be satisfied by different sets of conditions, the TPM need only evaluate one set that\r | |
198 | satisfies the policy. This command will indicate that one of the required sets of conditions has been\r | |
199 | satisfied.\r | |
200 | \r | |
201 | @param[in] PolicySession Handle for the policy session being extended.\r | |
202 | @param[in] HashList the list of hashes to check for a match.\r | |
203 | \r | |
204 | @retval EFI_SUCCESS Operation completed successfully.\r | |
205 | @retval EFI_DEVICE_ERROR The command was unsuccessful.\r | |
206 | **/\r | |
207 | EFI_STATUS\r | |
208 | EFIAPI\r | |
209 | Tpm2PolicyOR (\r | |
210 | IN TPMI_SH_POLICY PolicySession,\r | |
211 | IN TPML_DIGEST *HashList\r | |
212 | )\r | |
213 | {\r | |
214 | EFI_STATUS Status;\r | |
215 | TPM2_POLICY_OR_COMMAND SendBuffer;\r | |
216 | TPM2_POLICY_OR_RESPONSE RecvBuffer;\r | |
217 | UINT32 SendBufferSize;\r | |
218 | UINT32 RecvBufferSize;\r | |
219 | UINT8 *Buffer;\r | |
220 | UINTN Index;\r | |
221 | \r | |
222 | //\r | |
223 | // Construct command\r | |
224 | //\r | |
225 | SendBuffer.Header.tag = SwapBytes16(TPM_ST_NO_SESSIONS);\r | |
226 | SendBuffer.Header.commandCode = SwapBytes32(TPM_CC_PolicyOR);\r | |
227 | \r | |
228 | SendBuffer.PolicySession = SwapBytes32 (PolicySession);\r | |
229 | Buffer = (UINT8 *)&SendBuffer.HashList;\r | |
230 | WriteUnaligned32 ((UINT32 *)Buffer, SwapBytes32 (HashList->count));\r | |
231 | Buffer += sizeof(UINT32);\r | |
232 | for (Index = 0; Index < HashList->count; Index++) {\r | |
233 | WriteUnaligned16 ((UINT16 *)Buffer, SwapBytes16 (HashList->digests[Index].size));\r | |
234 | Buffer += sizeof(UINT16);\r | |
235 | CopyMem (Buffer, HashList->digests[Index].buffer, HashList->digests[Index].size);\r | |
236 | Buffer += HashList->digests[Index].size;\r | |
237 | }\r | |
238 | \r | |
239 | SendBufferSize = (UINT32)((UINTN)Buffer - (UINTN)&SendBuffer);\r | |
240 | SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);\r | |
241 | \r | |
242 | //\r | |
243 | // send Tpm command\r | |
244 | //\r | |
245 | RecvBufferSize = sizeof (RecvBuffer);\r | |
246 | Status = Tpm2SubmitCommand (SendBufferSize, (UINT8 *)&SendBuffer, &RecvBufferSize, (UINT8 *)&RecvBuffer);\r | |
247 | if (EFI_ERROR (Status)) {\r | |
248 | return Status;\r | |
249 | }\r | |
250 | \r | |
251 | if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {\r | |
252 | DEBUG ((EFI_D_ERROR, "Tpm2PolicyOR - RecvBufferSize Error - %x\n", RecvBufferSize));\r | |
253 | return EFI_DEVICE_ERROR;\r | |
254 | }\r | |
255 | if (SwapBytes32(RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) {\r | |
256 | DEBUG ((EFI_D_ERROR, "Tpm2PolicyOR - responseCode - %x\n", SwapBytes32(RecvBuffer.Header.responseCode)));\r | |
257 | return EFI_DEVICE_ERROR;\r | |
258 | }\r | |
259 | \r | |
260 | return EFI_SUCCESS;\r | |
261 | }\r | |
262 | \r | |
967eacca JY |
263 | /**\r |
264 | This command indicates that the authorization will be limited to a specific command code.\r | |
265 | \r | |
266 | @param[in] PolicySession Handle for the policy session being extended.\r | |
267 | @param[in] Code The allowed commandCode.\r | |
268 | \r | |
269 | @retval EFI_SUCCESS Operation completed successfully.\r | |
270 | @retval EFI_DEVICE_ERROR The command was unsuccessful.\r | |
271 | **/\r | |
272 | EFI_STATUS\r | |
273 | EFIAPI\r | |
274 | Tpm2PolicyCommandCode (\r | |
275 | IN TPMI_SH_POLICY PolicySession,\r | |
276 | IN TPM_CC Code\r | |
277 | )\r | |
278 | {\r | |
279 | EFI_STATUS Status;\r | |
280 | TPM2_POLICY_COMMAND_CODE_COMMAND SendBuffer;\r | |
281 | TPM2_POLICY_COMMAND_CODE_RESPONSE RecvBuffer;\r | |
282 | UINT32 SendBufferSize;\r | |
283 | UINT32 RecvBufferSize;\r | |
284 | \r | |
285 | //\r | |
286 | // Construct command\r | |
287 | //\r | |
288 | SendBuffer.Header.tag = SwapBytes16(TPM_ST_NO_SESSIONS);\r | |
289 | SendBuffer.Header.commandCode = SwapBytes32(TPM_CC_PolicyCommandCode);\r | |
290 | \r | |
291 | SendBuffer.PolicySession = SwapBytes32 (PolicySession);\r | |
292 | SendBuffer.Code = SwapBytes32 (Code);\r | |
293 | \r | |
294 | SendBufferSize = (UINT32) sizeof (SendBuffer);\r | |
295 | SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);\r | |
296 | \r | |
297 | //\r | |
298 | // send Tpm command\r | |
299 | //\r | |
300 | RecvBufferSize = sizeof (RecvBuffer);\r | |
301 | Status = Tpm2SubmitCommand (SendBufferSize, (UINT8 *)&SendBuffer, &RecvBufferSize, (UINT8 *)&RecvBuffer);\r | |
302 | if (EFI_ERROR (Status)) {\r | |
303 | return Status;\r | |
304 | }\r | |
305 | \r | |
306 | if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {\r | |
307 | DEBUG ((EFI_D_ERROR, "Tpm2PolicyCommandCode - RecvBufferSize Error - %x\n", RecvBufferSize));\r | |
308 | return EFI_DEVICE_ERROR;\r | |
309 | }\r | |
310 | if (SwapBytes32(RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) {\r | |
311 | DEBUG ((EFI_D_ERROR, "Tpm2PolicyCommandCode - responseCode - %x\n", SwapBytes32(RecvBuffer.Header.responseCode)));\r | |
312 | return EFI_DEVICE_ERROR;\r | |
313 | }\r | |
314 | \r | |
315 | return EFI_SUCCESS;\r | |
316 | }\r | |
317 | \r | |
318 | /**\r | |
319 | This command returns the current policyDigest of the session. This command allows the TPM\r | |
320 | to be used to perform the actions required to precompute the authPolicy for an object.\r | |
321 | \r | |
322 | @param[in] PolicySession Handle for the policy session.\r | |
323 | @param[out] PolicyHash the current value of the policyHash of policySession.\r | |
324 | \r | |
325 | @retval EFI_SUCCESS Operation completed successfully.\r | |
326 | @retval EFI_DEVICE_ERROR The command was unsuccessful.\r | |
327 | **/\r | |
328 | EFI_STATUS\r | |
329 | EFIAPI\r | |
330 | Tpm2PolicyGetDigest (\r | |
331 | IN TPMI_SH_POLICY PolicySession,\r | |
332 | OUT TPM2B_DIGEST *PolicyHash\r | |
333 | )\r | |
334 | {\r | |
335 | EFI_STATUS Status;\r | |
336 | TPM2_POLICY_GET_DIGEST_COMMAND SendBuffer;\r | |
337 | TPM2_POLICY_GET_DIGEST_RESPONSE RecvBuffer;\r | |
338 | UINT32 SendBufferSize;\r | |
339 | UINT32 RecvBufferSize;\r | |
340 | \r | |
341 | //\r | |
342 | // Construct command\r | |
343 | //\r | |
344 | SendBuffer.Header.tag = SwapBytes16(TPM_ST_NO_SESSIONS);\r | |
345 | SendBuffer.Header.commandCode = SwapBytes32(TPM_CC_PolicyGetDigest);\r | |
346 | \r | |
347 | SendBuffer.PolicySession = SwapBytes32 (PolicySession);\r | |
348 | \r | |
349 | SendBufferSize = (UINT32) sizeof (SendBuffer);\r | |
350 | SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);\r | |
351 | \r | |
352 | //\r | |
353 | // send Tpm command\r | |
354 | //\r | |
355 | RecvBufferSize = sizeof (RecvBuffer);\r | |
356 | Status = Tpm2SubmitCommand (SendBufferSize, (UINT8 *)&SendBuffer, &RecvBufferSize, (UINT8 *)&RecvBuffer);\r | |
357 | if (EFI_ERROR (Status)) {\r | |
358 | return Status;\r | |
359 | }\r | |
360 | \r | |
361 | if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {\r | |
362 | DEBUG ((EFI_D_ERROR, "Tpm2PolicyGetDigest - RecvBufferSize Error - %x\n", RecvBufferSize));\r | |
363 | return EFI_DEVICE_ERROR;\r | |
364 | }\r | |
365 | if (SwapBytes32(RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) {\r | |
366 | DEBUG ((EFI_D_ERROR, "Tpm2PolicyGetDigest - responseCode - %x\n", SwapBytes32(RecvBuffer.Header.responseCode)));\r | |
367 | return EFI_DEVICE_ERROR;\r | |
368 | }\r | |
369 | \r | |
370 | //\r | |
371 | // Return the response\r | |
372 | //\r | |
373 | PolicyHash->size = SwapBytes16 (RecvBuffer.PolicyHash.size);\r | |
374 | CopyMem (PolicyHash->buffer, &RecvBuffer.PolicyHash.buffer, PolicyHash->size);\r | |
375 | \r | |
376 | return EFI_SUCCESS;\r | |
377 | }\r |