[mirror_edk2.git] / SecurityPkg / Library / Tpm2CommandLib / Tpm2EnhancedAuthorization.c

/** @file\r
  Implement TPM2 EnhancedAuthorization related command.\r
\r
Copyright (c) 2014 - 2016, Intel Corporation. All rights reserved. <BR>\r
This program and the accompanying materials\r
are licensed and made available under the terms and conditions of the BSD License\r
which accompanies this distribution.  The full text of the license may be found at\r
http://opensource.org/licenses/bsd-license.php\r
\r
THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
\r
**/\r
\r
#include <IndustryStandard/UefiTcgPlatform.h>\r
#include <Library/Tpm2CommandLib.h>\r
#include <Library/Tpm2DeviceLib.h>\r
#include <Library/BaseMemoryLib.h>\r
#include <Library/BaseLib.h>\r
#include <Library/DebugLib.h>\r
\r
#pragma pack(1)\r
\r
typedef struct {\r
  TPM2_COMMAND_HEADER       Header;\r
  TPMI_DH_ENTITY            AuthHandle;\r
  TPMI_SH_POLICY            PolicySession;\r
  UINT32                    AuthSessionSize;\r
  TPMS_AUTH_COMMAND         AuthSession;\r
  TPM2B_NONCE               NonceTPM;\r
  TPM2B_DIGEST              CpHashA;\r
  TPM2B_NONCE               PolicyRef;\r
  INT32                     Expiration;\r
} TPM2_POLICY_SECRET_COMMAND;\r
\r
typedef struct {\r
  TPM2_RESPONSE_HEADER      Header;\r
  UINT32                    AuthSessionSize;\r
  TPM2B_TIMEOUT             Timeout;\r
  TPMT_TK_AUTH              PolicyTicket;\r
  TPMS_AUTH_RESPONSE        AuthSession;\r
} TPM2_POLICY_SECRET_RESPONSE;\r
\r
typedef struct {\r
  TPM2_COMMAND_HEADER       Header;\r
  TPMI_SH_POLICY            PolicySession;\r
  TPML_DIGEST               HashList;\r
} TPM2_POLICY_OR_COMMAND;\r
\r
typedef struct {\r
  TPM2_RESPONSE_HEADER      Header;\r
} TPM2_POLICY_OR_RESPONSE;\r
\r
typedef struct {\r
  TPM2_COMMAND_HEADER       Header;\r
  TPMI_SH_POLICY            PolicySession;\r
  TPM_CC                    Code;\r
} TPM2_POLICY_COMMAND_CODE_COMMAND;\r
\r
typedef struct {\r
  TPM2_RESPONSE_HEADER      Header;\r
} TPM2_POLICY_COMMAND_CODE_RESPONSE;\r
\r
typedef struct {\r
  TPM2_COMMAND_HEADER       Header;\r
  TPMI_SH_POLICY            PolicySession;\r
} TPM2_POLICY_GET_DIGEST_COMMAND;\r
\r
typedef struct {\r
  TPM2_RESPONSE_HEADER      Header;\r
  TPM2B_DIGEST              PolicyHash;\r
} TPM2_POLICY_GET_DIGEST_RESPONSE;\r
\r
#pragma pack()\r
\r
/**\r
  This command includes a secret-based authorization to a policy.\r
  The caller proves knowledge of the secret value using an authorization\r
  session using the authValue associated with authHandle.\r
\r
  @param[in]  AuthHandle         Handle for an entity providing the authorization\r
  @param[in]  PolicySession      Handle for the policy session being extended.\r
  @param[in]  AuthSession        Auth Session context\r
  @param[in]  NonceTPM           The policy nonce for the session.\r
  @param[in]  CpHashA            Digest of the command parameters to which this authorization is limited.\r
  @param[in]  PolicyRef          A reference to a policy relating to the authorization.\r
  @param[in]  Expiration         Time when authorization will expire, measured in seconds from the time that nonceTPM was generated.\r
  @param[out] Timeout            Time value used to indicate to the TPM when the ticket expires.\r
  @param[out] PolicyTicket       A ticket that includes a value indicating when the authorization expires.\r
  \r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2PolicySecret (\r
  IN      TPMI_DH_ENTITY            AuthHandle,\r
  IN      TPMI_SH_POLICY            PolicySession,\r
  IN      TPMS_AUTH_COMMAND         *AuthSession, OPTIONAL\r
  IN      TPM2B_NONCE               *NonceTPM,\r
  IN      TPM2B_DIGEST              *CpHashA,\r
  IN      TPM2B_NONCE               *PolicyRef,\r
  IN      INT32                     Expiration,\r
  OUT     TPM2B_TIMEOUT             *Timeout,\r
  OUT     TPMT_TK_AUTH              *PolicyTicket\r
  )\r
{\r
  EFI_STATUS                        Status;\r
  TPM2_POLICY_SECRET_COMMAND        SendBuffer;\r
  TPM2_POLICY_SECRET_RESPONSE       RecvBuffer;\r
  UINT32                            SendBufferSize;\r
  UINT32                            RecvBufferSize;\r
  UINT8                             *Buffer;\r
  UINT32                            SessionInfoSize;\r
\r
  //\r
  // Construct command\r
  //\r
  SendBuffer.Header.tag = SwapBytes16(TPM_ST_SESSIONS);\r
  SendBuffer.Header.commandCode = SwapBytes32(TPM_CC_PolicySecret);\r
  SendBuffer.AuthHandle = SwapBytes32 (AuthHandle);\r
  SendBuffer.PolicySession = SwapBytes32 (PolicySession);\r
  \r
  //\r
  // Add in Auth session\r
  //\r
  Buffer = (UINT8 *)&SendBuffer.AuthSession;\r
\r
  // sessionInfoSize\r
  SessionInfoSize = CopyAuthSessionCommand (AuthSession, Buffer);\r
  Buffer += SessionInfoSize;\r
  SendBuffer.AuthSessionSize = SwapBytes32(SessionInfoSize);\r
\r
  //\r
  // Real data\r
  //\r
  WriteUnaligned16 ((UINT16 *)Buffer, SwapBytes16(NonceTPM->size));\r
  Buffer += sizeof(UINT16);\r
  CopyMem (Buffer, NonceTPM->buffer, NonceTPM->size);\r
  Buffer += NonceTPM->size;\r
\r
  WriteUnaligned16 ((UINT16 *)Buffer, SwapBytes16(CpHashA->size));\r
  Buffer += sizeof(UINT16);\r
  CopyMem (Buffer, CpHashA->buffer, CpHashA->size);\r
  Buffer += CpHashA->size;\r
\r
  WriteUnaligned16 ((UINT16 *)Buffer, SwapBytes16(PolicyRef->size));\r
  Buffer += sizeof(UINT16);\r
  CopyMem (Buffer, PolicyRef->buffer, PolicyRef->size);\r
  Buffer += PolicyRef->size;\r
  \r
  WriteUnaligned32 ((UINT32 *)Buffer, SwapBytes32((UINT32)Expiration));\r
  Buffer += sizeof(UINT32);\r
\r
  SendBufferSize = (UINT32)((UINTN)Buffer - (UINTN)&SendBuffer);\r
  SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);\r
\r
  //\r
  // send Tpm command\r
  //\r
  RecvBufferSize = sizeof (RecvBuffer);\r
  Status = Tpm2SubmitCommand (SendBufferSize, (UINT8 *)&SendBuffer, &RecvBufferSize, (UINT8 *)&RecvBuffer);\r
  if (EFI_ERROR (Status)) {\r
    goto Done;\r
  }\r
\r
  if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {\r
    DEBUG ((EFI_D_ERROR, "Tpm2PolicySecret - RecvBufferSize Error - %x\n", RecvBufferSize));\r
    Status = EFI_DEVICE_ERROR;\r
    goto Done;\r
  }\r
  if (SwapBytes32(RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) {\r
    DEBUG ((EFI_D_ERROR, "Tpm2PolicySecret - responseCode - %x\n", SwapBytes32(RecvBuffer.Header.responseCode)));\r
    Status = EFI_DEVICE_ERROR;\r
    goto Done;\r
  }\r
\r
  //\r
  // Return the response\r
  //\r
  Buffer = (UINT8 *)&RecvBuffer.Timeout;\r
  Timeout->size = SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer));\r
  Buffer += sizeof(UINT16);\r
  CopyMem (Timeout->buffer, Buffer, Timeout->size);\r
\r
  PolicyTicket->tag = SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer));\r
  Buffer += sizeof(UINT16);\r
  PolicyTicket->hierarchy = SwapBytes32(ReadUnaligned32 ((UINT32 *)Buffer));\r
  Buffer += sizeof(UINT32);\r
  PolicyTicket->digest.size = SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer));\r
  Buffer += sizeof(UINT16);\r
  CopyMem (PolicyTicket->digest.buffer, Buffer, PolicyTicket->digest.size);\r
\r
Done:\r
  //\r
  // Clear AuthSession Content\r
  //\r
  ZeroMem (&SendBuffer, sizeof(SendBuffer));\r
  ZeroMem (&RecvBuffer, sizeof(RecvBuffer));\r
  return Status;\r
}\r
\r
/**\r
  This command allows options in authorizations without requiring that the TPM evaluate all of the options.\r
  If a policy may be satisfied by different sets of conditions, the TPM need only evaluate one set that\r
  satisfies the policy. This command will indicate that one of the required sets of conditions has been\r
  satisfied.\r
\r
  @param[in] PolicySession      Handle for the policy session being extended.\r
  @param[in] HashList           the list of hashes to check for a match.\r
  \r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2PolicyOR (\r
  IN TPMI_SH_POLICY           PolicySession,\r
  IN TPML_DIGEST              *HashList\r
  )\r
{\r
  EFI_STATUS                        Status;\r
  TPM2_POLICY_OR_COMMAND            SendBuffer;\r
  TPM2_POLICY_OR_RESPONSE           RecvBuffer;\r
  UINT32                            SendBufferSize;\r
  UINT32                            RecvBufferSize;\r
  UINT8                             *Buffer;\r
  UINTN                             Index;\r
\r
  //\r
  // Construct command\r
  //\r
  SendBuffer.Header.tag = SwapBytes16(TPM_ST_NO_SESSIONS);\r
  SendBuffer.Header.commandCode = SwapBytes32(TPM_CC_PolicyOR);\r
\r
  SendBuffer.PolicySession = SwapBytes32 (PolicySession);\r
  Buffer = (UINT8 *)&SendBuffer.HashList;\r
  WriteUnaligned32 ((UINT32 *)Buffer, SwapBytes32 (HashList->count));\r
  Buffer += sizeof(UINT32);\r
  for (Index = 0; Index < HashList->count; Index++) {\r
    WriteUnaligned16 ((UINT16 *)Buffer, SwapBytes16 (HashList->digests[Index].size));\r
    Buffer += sizeof(UINT16);\r
    CopyMem (Buffer, HashList->digests[Index].buffer, HashList->digests[Index].size);\r
    Buffer += HashList->digests[Index].size;\r
  }\r
\r
  SendBufferSize = (UINT32)((UINTN)Buffer - (UINTN)&SendBuffer);\r
  SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);\r
\r
  //\r
  // send Tpm command\r
  //\r
  RecvBufferSize = sizeof (RecvBuffer);\r
  Status = Tpm2SubmitCommand (SendBufferSize, (UINT8 *)&SendBuffer, &RecvBufferSize, (UINT8 *)&RecvBuffer);\r
  if (EFI_ERROR (Status)) {\r
    return Status;\r
  }\r
\r
  if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {\r
    DEBUG ((EFI_D_ERROR, "Tpm2PolicyOR - RecvBufferSize Error - %x\n", RecvBufferSize));\r
    return EFI_DEVICE_ERROR;\r
  }\r
  if (SwapBytes32(RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) {\r
    DEBUG ((EFI_D_ERROR, "Tpm2PolicyOR - responseCode - %x\n", SwapBytes32(RecvBuffer.Header.responseCode)));\r
    return EFI_DEVICE_ERROR;\r
  }\r
\r
  return EFI_SUCCESS;\r
}\r
\r
/**\r
  This command indicates that the authorization will be limited to a specific command code.\r
\r
  @param[in]  PolicySession      Handle for the policy session being extended.\r
  @param[in]  Code               The allowed commandCode.\r
  \r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2PolicyCommandCode (\r
  IN      TPMI_SH_POLICY            PolicySession,\r
  IN      TPM_CC                    Code\r
  )\r
{\r
  EFI_STATUS                        Status;\r
  TPM2_POLICY_COMMAND_CODE_COMMAND  SendBuffer;\r
  TPM2_POLICY_COMMAND_CODE_RESPONSE RecvBuffer;\r
  UINT32                            SendBufferSize;\r
  UINT32                            RecvBufferSize;\r
\r
  //\r
  // Construct command\r
  //\r
  SendBuffer.Header.tag = SwapBytes16(TPM_ST_NO_SESSIONS);\r
  SendBuffer.Header.commandCode = SwapBytes32(TPM_CC_PolicyCommandCode);\r
\r
  SendBuffer.PolicySession = SwapBytes32 (PolicySession);\r
  SendBuffer.Code = SwapBytes32 (Code);\r
\r
  SendBufferSize = (UINT32) sizeof (SendBuffer);\r
  SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);\r
\r
  //\r
  // send Tpm command\r
  //\r
  RecvBufferSize = sizeof (RecvBuffer);\r
  Status = Tpm2SubmitCommand (SendBufferSize, (UINT8 *)&SendBuffer, &RecvBufferSize, (UINT8 *)&RecvBuffer);\r
  if (EFI_ERROR (Status)) {\r
    return Status;\r
  }\r
\r
  if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {\r
    DEBUG ((EFI_D_ERROR, "Tpm2PolicyCommandCode - RecvBufferSize Error - %x\n", RecvBufferSize));\r
    return EFI_DEVICE_ERROR;\r
  }\r
  if (SwapBytes32(RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) {\r
    DEBUG ((EFI_D_ERROR, "Tpm2PolicyCommandCode - responseCode - %x\n", SwapBytes32(RecvBuffer.Header.responseCode)));\r
    return EFI_DEVICE_ERROR;\r
  }\r
\r
  return EFI_SUCCESS;\r
}\r
\r
/**\r
  This command returns the current policyDigest of the session. This command allows the TPM\r
  to be used to perform the actions required to precompute the authPolicy for an object.\r
\r
  @param[in]  PolicySession      Handle for the policy session.\r
  @param[out] PolicyHash         the current value of the policyHash of policySession.\r
  \r
  @retval EFI_SUCCESS            Operation completed successfully.\r
  @retval EFI_DEVICE_ERROR       The command was unsuccessful.\r
**/\r
EFI_STATUS\r
EFIAPI\r
Tpm2PolicyGetDigest (\r
  IN      TPMI_SH_POLICY            PolicySession,\r
     OUT  TPM2B_DIGEST              *PolicyHash\r
  )\r
{\r
  EFI_STATUS                        Status;\r
  TPM2_POLICY_GET_DIGEST_COMMAND    SendBuffer;\r
  TPM2_POLICY_GET_DIGEST_RESPONSE   RecvBuffer;\r
  UINT32                            SendBufferSize;\r
  UINT32                            RecvBufferSize;\r
\r
  //\r
  // Construct command\r
  //\r
  SendBuffer.Header.tag = SwapBytes16(TPM_ST_NO_SESSIONS);\r
  SendBuffer.Header.commandCode = SwapBytes32(TPM_CC_PolicyGetDigest);\r
\r
  SendBuffer.PolicySession = SwapBytes32 (PolicySession);\r
\r
  SendBufferSize = (UINT32) sizeof (SendBuffer);\r
  SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);\r
\r
  //\r
  // send Tpm command\r
  //\r
  RecvBufferSize = sizeof (RecvBuffer);\r
  Status = Tpm2SubmitCommand (SendBufferSize, (UINT8 *)&SendBuffer, &RecvBufferSize, (UINT8 *)&RecvBuffer);\r
  if (EFI_ERROR (Status)) {\r
    return Status;\r
  }\r
\r
  if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {\r
    DEBUG ((EFI_D_ERROR, "Tpm2PolicyGetDigest - RecvBufferSize Error - %x\n", RecvBufferSize));\r
    return EFI_DEVICE_ERROR;\r
  }\r
  if (SwapBytes32(RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) {\r
    DEBUG ((EFI_D_ERROR, "Tpm2PolicyGetDigest - responseCode - %x\n", SwapBytes32(RecvBuffer.Header.responseCode)));\r
    return EFI_DEVICE_ERROR;\r
  }\r
\r
  //\r
  // Return the response\r
  //\r
  PolicyHash->size = SwapBytes16 (RecvBuffer.PolicyHash.size);\r
  CopyMem (PolicyHash->buffer, &RecvBuffer.PolicyHash.buffer, PolicyHash->size);\r
\r
  return EFI_SUCCESS;\r
}\r
Commit	Line	Data
967eacca JY	1	/** @file\r
	2	Implement TPM2 EnhancedAuthorization related command.\r
	3	\r
7ae130da	4	Copyright (c) 2014 - 2016, Intel Corporation. All rights reserved. <BR>\r
967eacca JY	5	This program and the accompanying materials\r
	6	are licensed and made available under the terms and conditions of the BSD License\r
	7	which accompanies this distribution. The full text of the license may be found at\r
	8	http://opensource.org/licenses/bsd-license.php\r
	9	\r
	10	THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS,\r
	11	WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.\r
	12	\r
	13	**/\r
	14	\r
	15	#include <IndustryStandard/UefiTcgPlatform.h>\r
	16	#include <Library/Tpm2CommandLib.h>\r
	17	#include <Library/Tpm2DeviceLib.h>\r
	18	#include <Library/BaseMemoryLib.h>\r
	19	#include <Library/BaseLib.h>\r
	20	#include <Library/DebugLib.h>\r
	21	\r
	22	#pragma pack(1)\r
	23	\r
	24	typedef struct {\r
	25	TPM2_COMMAND_HEADER Header;\r
	26	TPMI_DH_ENTITY AuthHandle;\r
	27	TPMI_SH_POLICY PolicySession;\r
	28	UINT32 AuthSessionSize;\r
	29	TPMS_AUTH_COMMAND AuthSession;\r
	30	TPM2B_NONCE NonceTPM;\r
	31	TPM2B_DIGEST CpHashA;\r
	32	TPM2B_NONCE PolicyRef;\r
	33	INT32 Expiration;\r
	34	} TPM2_POLICY_SECRET_COMMAND;\r
	35	\r
	36	typedef struct {\r
	37	TPM2_RESPONSE_HEADER Header;\r
	38	UINT32 AuthSessionSize;\r
	39	TPM2B_TIMEOUT Timeout;\r
	40	TPMT_TK_AUTH PolicyTicket;\r
	41	TPMS_AUTH_RESPONSE AuthSession;\r
	42	} TPM2_POLICY_SECRET_RESPONSE;\r
	43	\r
a50e58f4 JY	44	typedef struct {\r
	45	TPM2_COMMAND_HEADER Header;\r
	46	TPMI_SH_POLICY PolicySession;\r
	47	TPML_DIGEST HashList;\r
	48	} TPM2_POLICY_OR_COMMAND;\r
	49	\r
	50	typedef struct {\r
	51	TPM2_RESPONSE_HEADER Header;\r
	52	} TPM2_POLICY_OR_RESPONSE;\r
	53	\r
967eacca JY	54	typedef struct {\r
	55	TPM2_COMMAND_HEADER Header;\r
	56	TPMI_SH_POLICY PolicySession;\r
	57	TPM_CC Code;\r
	58	} TPM2_POLICY_COMMAND_CODE_COMMAND;\r
	59	\r
	60	typedef struct {\r
	61	TPM2_RESPONSE_HEADER Header;\r
	62	} TPM2_POLICY_COMMAND_CODE_RESPONSE;\r
	63	\r
	64	typedef struct {\r
	65	TPM2_COMMAND_HEADER Header;\r
	66	TPMI_SH_POLICY PolicySession;\r
	67	} TPM2_POLICY_GET_DIGEST_COMMAND;\r
	68	\r
	69	typedef struct {\r
	70	TPM2_RESPONSE_HEADER Header;\r
	71	TPM2B_DIGEST PolicyHash;\r
	72	} TPM2_POLICY_GET_DIGEST_RESPONSE;\r
	73	\r
	74	#pragma pack()\r
	75	\r
	76	/**\r
	77	This command includes a secret-based authorization to a policy.\r
	78	The caller proves knowledge of the secret value using an authorization\r
	79	session using the authValue associated with authHandle.\r
	80	\r
	81	@param[in] AuthHandle Handle for an entity providing the authorization\r
	82	@param[in] PolicySession Handle for the policy session being extended.\r
	83	@param[in] AuthSession Auth Session context\r
	84	@param[in] NonceTPM The policy nonce for the session.\r
	85	@param[in] CpHashA Digest of the command parameters to which this authorization is limited.\r
	86	@param[in] PolicyRef A reference to a policy relating to the authorization.\r
	87	@param[in] Expiration Time when authorization will expire, measured in seconds from the time that nonceTPM was generated.\r
	88	@param[out] Timeout Time value used to indicate to the TPM when the ticket expires.\r
	89	@param[out] PolicyTicket A ticket that includes a value indicating when the authorization expires.\r
	90	\r
	91	@retval EFI_SUCCESS Operation completed successfully.\r
	92	@retval EFI_DEVICE_ERROR The command was unsuccessful.\r
	93	**/\r
	94	EFI_STATUS\r
	95	EFIAPI\r
	96	Tpm2PolicySecret (\r
	97	IN TPMI_DH_ENTITY AuthHandle,\r
	98	IN TPMI_SH_POLICY PolicySession,\r
	99	IN TPMS_AUTH_COMMAND *AuthSession, OPTIONAL\r
	100	IN TPM2B_NONCE *NonceTPM,\r
	101	IN TPM2B_DIGEST *CpHashA,\r
	102	IN TPM2B_NONCE *PolicyRef,\r
	103	IN INT32 Expiration,\r
	104	OUT TPM2B_TIMEOUT *Timeout,\r
	105	OUT TPMT_TK_AUTH *PolicyTicket\r
	106	)\r
	107	{\r
	108	EFI_STATUS Status;\r
	109	TPM2_POLICY_SECRET_COMMAND SendBuffer;\r
	110	TPM2_POLICY_SECRET_RESPONSE RecvBuffer;\r
	111	UINT32 SendBufferSize;\r
	112	UINT32 RecvBufferSize;\r
	113	UINT8 *Buffer;\r
	114	UINT32 SessionInfoSize;\r
	115	\r
	116	//\r
	117	// Construct command\r
118	//\r
119	SendBuffer.Header.tag = SwapBytes16(TPM_ST_SESSIONS);\r
120	SendBuffer.Header.commandCode = SwapBytes32(TPM_CC_PolicySecret);\r
121	SendBuffer.AuthHandle = SwapBytes32 (AuthHandle);\r
122	SendBuffer.PolicySession = SwapBytes32 (PolicySession);\r
123	\r
124	//\r
125	// Add in Auth session\r
126	//\r
127	Buffer = (UINT8 *)&SendBuffer.AuthSession;\r
128	\r
129	// sessionInfoSize\r
130	SessionInfoSize = CopyAuthSessionCommand (AuthSession, Buffer);\r
131	Buffer += SessionInfoSize;\r
132	SendBuffer.AuthSessionSize = SwapBytes32(SessionInfoSize);\r
133	\r
134	//\r
135	// Real data\r
136	//\r
137	WriteUnaligned16 ((UINT16 *)Buffer, SwapBytes16(NonceTPM->size));\r
138	Buffer += sizeof(UINT16);\r
139	CopyMem (Buffer, NonceTPM->buffer, NonceTPM->size);\r
140	Buffer += NonceTPM->size;\r
141	\r
142	WriteUnaligned16 ((UINT16 *)Buffer, SwapBytes16(CpHashA->size));\r
143	Buffer += sizeof(UINT16);\r
144	CopyMem (Buffer, CpHashA->buffer, CpHashA->size);\r
145	Buffer += CpHashA->size;\r
146	\r
147	WriteUnaligned16 ((UINT16 *)Buffer, SwapBytes16(PolicyRef->size));\r
148	Buffer += sizeof(UINT16);\r
149	CopyMem (Buffer, PolicyRef->buffer, PolicyRef->size);\r
150	Buffer += PolicyRef->size;\r
151	\r
152	WriteUnaligned32 ((UINT32 *)Buffer, SwapBytes32((UINT32)Expiration));\r
153	Buffer += sizeof(UINT32);\r
154	\r
155	SendBufferSize = (UINT32)((UINTN)Buffer - (UINTN)&SendBuffer);\r
156	SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);\r
157	\r
158	//\r
159	// send Tpm command\r
160	//\r
161	RecvBufferSize = sizeof (RecvBuffer);\r
162	Status = Tpm2SubmitCommand (SendBufferSize, (UINT8 )&SendBuffer, &RecvBufferSize, (UINT8 )&RecvBuffer);\r
163	if (EFI_ERROR (Status)) {\r
7ae130da	164	goto Done;\r
967eacca JY	165	}\r
	166	\r
	167	if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {\r
	168	DEBUG ((EFI_D_ERROR, "Tpm2PolicySecret - RecvBufferSize Error - %x\n", RecvBufferSize));\r
7ae130da JY	169	Status = EFI_DEVICE_ERROR;\r
7ae130da JY	170	goto Done;\r
967eacca JY	171	}\r
	172	if (SwapBytes32(RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) {\r
	173	DEBUG ((EFI_D_ERROR, "Tpm2PolicySecret - responseCode - %x\n", SwapBytes32(RecvBuffer.Header.responseCode)));\r
7ae130da JY	174	Status = EFI_DEVICE_ERROR;\r
7ae130da JY	175	goto Done;\r
967eacca JY	176	}\r
	177	\r
	178	//\r
	179	// Return the response\r
	180	//\r
	181	Buffer = (UINT8 *)&RecvBuffer.Timeout;\r
	182	Timeout->size = SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer));\r
	183	Buffer += sizeof(UINT16);\r
	184	CopyMem (Timeout->buffer, Buffer, Timeout->size);\r
	185	\r
	186	PolicyTicket->tag = SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer));\r
	187	Buffer += sizeof(UINT16);\r
	188	PolicyTicket->hierarchy = SwapBytes32(ReadUnaligned32 ((UINT32 *)Buffer));\r
	189	Buffer += sizeof(UINT32);\r
	190	PolicyTicket->digest.size = SwapBytes16(ReadUnaligned16 ((UINT16 *)Buffer));\r
	191	Buffer += sizeof(UINT16);\r
	192	CopyMem (PolicyTicket->digest.buffer, Buffer, PolicyTicket->digest.size);\r
	193	\r
7ae130da JY	194	Done:\r
	195	//\r
	196	// Clear AuthSession Content\r
	197	//\r
	198	ZeroMem (&SendBuffer, sizeof(SendBuffer));\r
	199	ZeroMem (&RecvBuffer, sizeof(RecvBuffer));\r
	200	return Status;\r
967eacca JY	201	}\r
967eacca JY	202	\r
a50e58f4 JY	203	/**\r
	204	This command allows options in authorizations without requiring that the TPM evaluate all of the options.\r
	205	If a policy may be satisfied by different sets of conditions, the TPM need only evaluate one set that\r
	206	satisfies the policy. This command will indicate that one of the required sets of conditions has been\r
	207	satisfied.\r
	208	\r
	209	@param[in] PolicySession Handle for the policy session being extended.\r
	210	@param[in] HashList the list of hashes to check for a match.\r
	211	\r
	212	@retval EFI_SUCCESS Operation completed successfully.\r
	213	@retval EFI_DEVICE_ERROR The command was unsuccessful.\r
	214	**/\r
	215	EFI_STATUS\r
	216	EFIAPI\r
	217	Tpm2PolicyOR (\r
	218	IN TPMI_SH_POLICY PolicySession,\r
	219	IN TPML_DIGEST *HashList\r
	220	)\r
	221	{\r
	222	EFI_STATUS Status;\r
	223	TPM2_POLICY_OR_COMMAND SendBuffer;\r
	224	TPM2_POLICY_OR_RESPONSE RecvBuffer;\r
	225	UINT32 SendBufferSize;\r
	226	UINT32 RecvBufferSize;\r
	227	UINT8 *Buffer;\r
	228	UINTN Index;\r
	229	\r
	230	//\r
	231	// Construct command\r
	232	//\r
	233	SendBuffer.Header.tag = SwapBytes16(TPM_ST_NO_SESSIONS);\r
	234	SendBuffer.Header.commandCode = SwapBytes32(TPM_CC_PolicyOR);\r
	235	\r
	236	SendBuffer.PolicySession = SwapBytes32 (PolicySession);\r
	237	Buffer = (UINT8 *)&SendBuffer.HashList;\r
	238	WriteUnaligned32 ((UINT32 *)Buffer, SwapBytes32 (HashList->count));\r
	239	Buffer += sizeof(UINT32);\r
	240	for (Index = 0; Index < HashList->count; Index++) {\r
	241	WriteUnaligned16 ((UINT16 *)Buffer, SwapBytes16 (HashList->digests[Index].size));\r
	242	Buffer += sizeof(UINT16);\r
	243	CopyMem (Buffer, HashList->digests[Index].buffer, HashList->digests[Index].size);\r
	244	Buffer += HashList->digests[Index].size;\r
	245	}\r
	246	\r
	247	SendBufferSize = (UINT32)((UINTN)Buffer - (UINTN)&SendBuffer);\r
	248	SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);\r
	249	\r
	250	//\r
	251	// send Tpm command\r
	252	//\r
	253	RecvBufferSize = sizeof (RecvBuffer);\r
	254	Status = Tpm2SubmitCommand (SendBufferSize, (UINT8 )&SendBuffer, &RecvBufferSize, (UINT8 )&RecvBuffer);\r
	255	if (EFI_ERROR (Status)) {\r
	256	return Status;\r
	257	}\r
	258	\r
	259	if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {\r
	260	DEBUG ((EFI_D_ERROR, "Tpm2PolicyOR - RecvBufferSize Error - %x\n", RecvBufferSize));\r
	261	return EFI_DEVICE_ERROR;\r
	262	}\r
	263	if (SwapBytes32(RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) {\r
	264	DEBUG ((EFI_D_ERROR, "Tpm2PolicyOR - responseCode - %x\n", SwapBytes32(RecvBuffer.Header.responseCode)));\r
	265	return EFI_DEVICE_ERROR;\r
	266	}\r
267	\r
268	return EFI_SUCCESS;\r
269	}\r
270	\r
967eacca JY	271	/**\r
	272	This command indicates that the authorization will be limited to a specific command code.\r
	273	\r
	274	@param[in] PolicySession Handle for the policy session being extended.\r
	275	@param[in] Code The allowed commandCode.\r
	276	\r
	277	@retval EFI_SUCCESS Operation completed successfully.\r
	278	@retval EFI_DEVICE_ERROR The command was unsuccessful.\r
	279	**/\r
	280	EFI_STATUS\r
	281	EFIAPI\r
	282	Tpm2PolicyCommandCode (\r
	283	IN TPMI_SH_POLICY PolicySession,\r
	284	IN TPM_CC Code\r
	285	)\r
	286	{\r
	287	EFI_STATUS Status;\r
	288	TPM2_POLICY_COMMAND_CODE_COMMAND SendBuffer;\r
	289	TPM2_POLICY_COMMAND_CODE_RESPONSE RecvBuffer;\r
	290	UINT32 SendBufferSize;\r
	291	UINT32 RecvBufferSize;\r
	292	\r
	293	//\r
	294	// Construct command\r
	295	//\r
	296	SendBuffer.Header.tag = SwapBytes16(TPM_ST_NO_SESSIONS);\r
	297	SendBuffer.Header.commandCode = SwapBytes32(TPM_CC_PolicyCommandCode);\r
	298	\r
	299	SendBuffer.PolicySession = SwapBytes32 (PolicySession);\r
	300	SendBuffer.Code = SwapBytes32 (Code);\r
	301	\r
	302	SendBufferSize = (UINT32) sizeof (SendBuffer);\r
	303	SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);\r
	304	\r
	305	//\r
	306	// send Tpm command\r
	307	//\r
	308	RecvBufferSize = sizeof (RecvBuffer);\r
	309	Status = Tpm2SubmitCommand (SendBufferSize, (UINT8 )&SendBuffer, &RecvBufferSize, (UINT8 )&RecvBuffer);\r
	310	if (EFI_ERROR (Status)) {\r
	311	return Status;\r
	312	}\r
	313	\r
	314	if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {\r
	315	DEBUG ((EFI_D_ERROR, "Tpm2PolicyCommandCode - RecvBufferSize Error - %x\n", RecvBufferSize));\r
	316	return EFI_DEVICE_ERROR;\r
	317	}\r
	318	if (SwapBytes32(RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) {\r
	319	DEBUG ((EFI_D_ERROR, "Tpm2PolicyCommandCode - responseCode - %x\n", SwapBytes32(RecvBuffer.Header.responseCode)));\r
	320	return EFI_DEVICE_ERROR;\r
	321	}\r
	322	\r
	323	return EFI_SUCCESS;\r
	324	}\r
	325	\r
	326	/**\r
	327	This command returns the current policyDigest of the session. This command allows the TPM\r
	328	to be used to perform the actions required to precompute the authPolicy for an object.\r
	329	\r
	330	@param[in] PolicySession Handle for the policy session.\r
	331	@param[out] PolicyHash the current value of the policyHash of policySession.\r
	332	\r
	333	@retval EFI_SUCCESS Operation completed successfully.\r
	334	@retval EFI_DEVICE_ERROR The command was unsuccessful.\r
335	**/\r
336	EFI_STATUS\r
337	EFIAPI\r
338	Tpm2PolicyGetDigest (\r
339	IN TPMI_SH_POLICY PolicySession,\r
340	OUT TPM2B_DIGEST *PolicyHash\r
341	)\r
342	{\r
343	EFI_STATUS Status;\r
344	TPM2_POLICY_GET_DIGEST_COMMAND SendBuffer;\r
345	TPM2_POLICY_GET_DIGEST_RESPONSE RecvBuffer;\r
346	UINT32 SendBufferSize;\r
347	UINT32 RecvBufferSize;\r
348	\r
349	//\r
350	// Construct command\r
351	//\r
352	SendBuffer.Header.tag = SwapBytes16(TPM_ST_NO_SESSIONS);\r
353	SendBuffer.Header.commandCode = SwapBytes32(TPM_CC_PolicyGetDigest);\r
354	\r
355	SendBuffer.PolicySession = SwapBytes32 (PolicySession);\r
356	\r
357	SendBufferSize = (UINT32) sizeof (SendBuffer);\r
358	SendBuffer.Header.paramSize = SwapBytes32 (SendBufferSize);\r
359	\r
360	//\r
361	// send Tpm command\r
362	//\r
363	RecvBufferSize = sizeof (RecvBuffer);\r
364	Status = Tpm2SubmitCommand (SendBufferSize, (UINT8 )&SendBuffer, &RecvBufferSize, (UINT8 )&RecvBuffer);\r
365	if (EFI_ERROR (Status)) {\r
366	return Status;\r
367	}\r
368	\r
369	if (RecvBufferSize < sizeof (TPM2_RESPONSE_HEADER)) {\r
370	DEBUG ((EFI_D_ERROR, "Tpm2PolicyGetDigest - RecvBufferSize Error - %x\n", RecvBufferSize));\r
371	return EFI_DEVICE_ERROR;\r
372	}\r
373	if (SwapBytes32(RecvBuffer.Header.responseCode) != TPM_RC_SUCCESS) {\r
374	DEBUG ((EFI_D_ERROR, "Tpm2PolicyGetDigest - responseCode - %x\n", SwapBytes32(RecvBuffer.Header.responseCode)));\r
375	return EFI_DEVICE_ERROR;\r
376	}\r
377	\r
378	//\r
379	// Return the response\r
380	//\r
381	PolicyHash->size = SwapBytes16 (RecvBuffer.PolicyHash.size);\r
382	CopyMem (PolicyHash->buffer, &RecvBuffer.PolicyHash.buffer, PolicyHash->size);\r
383	\r
384	return EFI_SUCCESS;\r
385	}\r